I have been racking my brains over this problem all day.
I have set up a site-to-site VPN between the main site (Site1) and a secondary site (Site2). Each site uses a different subnet/network range. The tunnel is up and running.
Site1 is using a WatchGuard M200. Site2 uses a Cisco ASA 5500.
Site1 subnet: 192.168.100.0/24
Site2 subnet: 192.168.1.0/24
I can reach web pages hosted on a server at Site2 from a client at Site1. However, I cannot reach web pages on a server at Site1 from a client at Site2.
When I run a test with the Cisco packet tracer tool, it fails at the access-list stage on the outside interface.
192.168.1.3 is the IP address of the Site2 client. 192.168.100.2 is the IP address of the server at Site1 that hosts a simple website on port 443.
I can see from the packet tracer result that the connection is being dropped because of the implicit deny rule.
The firewall access rules on the Cisco at Site2 are:
I cannot figure out what rule I need to add to allow traffic from Site2 to Site1 (rather than the current Site1 to Site2).
Any help is greatly appreciated.
Edit: ASA configuration:
: Saved
:
: Serial Number: [HIDDEN]
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(4)
!
hostname IS-49133
enable password [HIDDEN] encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd [HIDDEN] encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif Inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif Outside
security-level 0
ip address [SITE2 IP] 255.255.255.248
!
boot system disk0:/asa924-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
same-security-traffic permit inter-interface
object network IS-49110-ipmi-p
host 192.168.1.2
object network IS-49110-p
host 192.168.1.3
object network IS-49109-ipmi-p
host 192.168.1.4
object network IS-49109-p
host 192.168.1.5
object network IS-491010-ipmi-v
host [Public IP 2]
object network IS-49110-v
host 109.169.52.132
object network IS-49109-ipmi-v
host [Public IP 3]
object network IS-49109-v
host [Public IP 5]
object network InsideNetworkRange
range 192.168.1.21 192.168.1.254
object network 192.168.1.10
host 192.168.1.10
object network 192.168.1.11
host 192.168.1.11
object network 192.168.1.12
host 192.168.1.12
object network 192.168.1.13
host 192.168.1.13
object network 192.168.1.14
host 192.168.1.14
object network [Public IP 6]
host [Public IP 6]
object network [Public IP 7]
host [Public IP 7]
object network [Public IP 8]
host [Public IP 8]
object network [Public IP 9]
host [Public IP 9]
object network [Public IP 10]
host [Public IP 10]
object network 192.168.1.15
host 192.168.1.15
object network [Public IP 11]
host [Public IP 11]
object network WG-HONetwork
subnet 192.168.100.0 255.255.254.0
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.100.0_23
subnet 192.168.100.0 255.255.254.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object host 192.168.1.4
network-object host 192.168.1.5
object-group network DM_INLINE_NETWORK_2
network-object host 192.168.1.4
network-object host 192.168.1.5
object-group network DM_INLINE_NETWORK_3
network-object host [EXT IP]
network-object host [SITE1 IP]
access-list basic extended permit tcp object-group DM_INLINE_NETWORK_3 any4 eq 3***
access-list basic extended permit tcp any4 any4 eq 3389 inactive
access-list basic extended permit tcp host [SITE1 IP] any4 eq ssh
access-list basic extended permit tcp any4 any4 eq www
access-list basic extended permit tcp any4 any4 eq https
access-list basic extended permit icmp any4 any4
access-list basic extended permit object-group TCPUDP any4 object-group DM_INLINE_NETWORK_1 eq 5***
access-list basic extended permit object-group TCPUDP any4 object-group DM_INLINE_NETWORK_2 eq 5***
access-list allow extended permit ip any4 any4
access-list allow extended permit icmp any4 any4
access-list Outside_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.254.0
pager lines 24
logging enable
logging asdm informational
mtu Inside 1500
mtu Outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-752-153.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Inside,Outside) source static IS-49110-ipmi-p IS-491010-ipmi-v
nat (Inside,Outside) source static IS-49110-p IS-49110-v
nat (Inside,Outside) source static IS-49109-ipmi-p IS-49109-ipmi-v
nat (Inside,Outside) source static IS-49109-p IS-49109-v
nat (Inside,Outside) source static 192.168.1.10 [Public IP 6]
nat (Inside,Outside) source static 192.168.1.11 [Public IP 7]
nat (Inside,Outside) source static 192.168.1.12 [Public IP 8]
nat (Inside,Outside) source static 192.168.1.13 [Public IP 9]
nat (Inside,Outside) source static 192.168.1.14 [Public IP 10]
nat (Inside,Outside) source static 192.168.1.15 [Public IP 11]
nat (Inside,Outside) source dynamic InsideNetworkRange interface
nat (Inside,Outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.100.0_23 NETWORK_OBJ_192.168.100.0_23 no-proxy-arp route-lookup
access-group allow in interface Inside
access-group allow out interface Inside
access-group basic in interface Outside
access-group allow out interface Outside
route Outside 0.0.0.0 0.0.0.0 [Gateway IP] 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Outside
http 0.0.0.0 0.0.0.0 Inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal 3DES-MD5
protocol esp encryption 3des
protocol esp integrity md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map Outside_map0 1 match address Outside_cryptomap_2
crypto map Outside_map0 1 set peer [SITE1 IP]
crypto map Outside_map0 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map Outside_map0 interface Outside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130
6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
6c2527b9 deb78458 c61f381e a4c4cb66
quit
crypto ikev2 policy 1
encryption 3des
integrity md5
group 5
prf md5
lifetime seconds 86400
crypto ikev2 policy 2
encryption aes
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 enable Outside
crypto ikev1 enable Outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 5
lifetime 86400
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 5
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 5
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 5
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 5
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 5
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 5
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 5
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 5
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 5
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 5
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 5
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 Inside
ssh 0.0.0.0 0.0.0.0 Outside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_[SITE1 IP] internal
group-policy GroupPolicy_[SITE1 IP] attributes
vpn-tunnel-protocol ikev1
username admin password Gq4Kud5aGC668/VE encrypted privilege 15
tunnel-group [SITE1 IP] type ipsec-l2l
tunnel-group [SITE1 IP] general-attributes
default-group-policy GroupPolicy_[SITE1 IP]
tunnel-group [SITE1 IP] ipsec-attributes
ikev1 pre-shared-key *****
!
Cryptochecksum:cb42c61d05f6a55ebb5e5e94805f7e04
: end
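As an added illustration (not part of the question and not ASA code), the following Python script applies the ASA's top-down, first-match evaluation with an implicit deny at the end to the plain-address entries of the "basic" ACL from the posted configuration. It assumes the placeholder 203.0.113.10 for [SITE1 IP], leaves out the object-group entries whose ports are redacted in the post, and shows which entry the 192.168.1.3 to 192.168.100.2:443 flow from the question would match and where a flow with no active matching entry ends up.

```python
import ipaddress

# Constructed subset of the ACL "basic" from the posted config. [SITE1 IP] is
# replaced by the placeholder 203.0.113.10; the object-group entries are omitted.
ACL_BASIC = [
    "access-list basic extended permit tcp any4 any4 eq 3389 inactive",
    "access-list basic extended permit tcp host 203.0.113.10 any4 eq ssh",
    "access-list basic extended permit tcp any4 any4 eq www",
    "access-list basic extended permit tcp any4 any4 eq https",
    "access-list basic extended permit icmp any4 any4",
]

# Port keywords the ASA accepts instead of numbers (subset).
PORT_NAMES = {"ssh": 22, "www": 80, "https": 443, "domain": 53}

def _addr(tokens):
    """Consume one address spec (any4 | host A | A MASK); return (network, rest)."""
    if tokens[0] in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT] [inactive]'."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError("unsupported ACE: " + line)
    action, proto, rest = t[3], t[4], t[5:]
    src, rest = _addr(rest)
    dst, rest = _addr(rest)
    dport = None
    if rest and rest[0] == "eq":
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        rest = rest[2:]
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "dport": dport, "inactive": "inactive" in rest, "text": line}

def evaluate(acl_lines, proto, src, dst, dport=None):
    """Walk the ACL top-down; the first matching active entry decides. A flow that
    reaches the end hits the implicit deny, the drop packet-tracer reports."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in map(parse_ace, acl_lines):
        if (ace["inactive"] or ace["proto"] not in (proto, "ip")
                or src not in ace["src"] or dst not in ace["dst"]
                or (ace["dport"] is not None and ace["dport"] != dport)):
            continue
        return ace["action"], ace["text"]
    return "deny", "implicit deny"
```

Calling evaluate(ACL_BASIC, "tcp", "192.168.1.3", "192.168.100.2", 443) returns the "eq https" entry, while the same hosts on 3389 fall through to the implicit deny because the only 3389 entry is marked inactive.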