I have some problems with an IPSEC tunnel between a Cisco ASA and a Fortigate. For some reason, packets from 10.12.4.0/12 to 192.168.0.0/16 are dropped by the ASA, although 192.168.0.0/16 is present in the crypto ACL. Can you help me find the cause of the problem? Why are packets with src 10.12.4.0/24 dst 192.168.0.0/16 dropped?
The packet drop can be seen in the packet-tracer output:
packet-tracer input inside icmp 10.12.4.100 0 8 192.168.2.30 detailed
Phase: 10
Type: VPN
Subtype: encrypt
Result: **DROP**
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xccc567c8, priority=70, domain=encrypt, deny=false
hits=4, user_data=0x0, cs_id=0xccc53c18, reverse, flags=0x0, protocol=0
src ip/id=10.12.7.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=192.168.0.0, mask=255.255.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside
But if I run a packet trace to another dst IP address that is present in the crypto ACL, the packet is allowed:
packet-tracer input inside icmp 10.12.4.100 0 8 172.16.213.1 detailed
Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcc201ca0, priority=70, domain=encrypt, deny=false
hits=2259, user_data=0x7cd824, cs_id=0xccc4b3f0, reverse, flags=0x0, protocol=0
src ip/id=10.12.4.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=172.16.0.0, mask=255.255.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside
The full sh run crypto output is:
object-group network GO-nets
network-object 172.16.0.0 255.255.0.0
network-object 172.17.0.0 255.255.0.0
network-object 10.12.0.0 255.255.255.0
network-object 172.18.114.0 255.255.255.0
network-object 192.168.0.0 255.255.0.0
object network inside-net
subnet 10.12.4.0 255.255.255.0
access-list 100 extended permit ip object inside-net object-group GO-nets
crypto ipsec ikev1 transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer xxx
crypto map outside_map 20 set ikev1 transform-set myset
crypto map outside_map 23 match address 103
crypto map outside_map 23 set peer xxx
crypto map outside_map 23 set ikev1 transform-set myset
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 5
lifetime 28800
tunnel-group xxx type ipsec-l2l
tunnel-group xxx ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group xxx type ipsec-l2l
tunnel-group xxx ipsec-attributes
ikev1 pre-shared-key *****
!
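As an added example (my own script, not part of the original post or Cisco's tooling) of how to check this kind of config offline: it parses the objects, ACLs and crypto-map "match address" lines, reports which crypto-map entries permit a given flow, and lists destination networks that two entries claim from disjoint sources, which is the kind of overlap worth reviewing when packet-tracer reports a drop against a rule whose src (10.12.7.0/24) is not the flow's. Assumptions: access-list 103 is not in the post, so a constructed one is used, and the object-group is trimmed to two members.

```python
import ipaddress

# Constructed sample: the poster's object-group (trimmed), inside-net, ACL 100 and both
# crypto-map entries, plus an ASSUMED access-list 103 (the post never shows its contents).
ASA_CONFIG = """\
object-group network GO-nets
 network-object 172.16.0.0 255.255.0.0
 network-object 192.168.0.0 255.255.0.0
object network inside-net
 subnet 10.12.4.0 255.255.255.0
access-list 100 extended permit ip object inside-net object-group GO-nets
access-list 103 extended permit ip 10.12.7.0 255.255.255.0 192.168.0.0 255.255.0.0
crypto map outside_map 20 match address 100
crypto map outside_map 23 match address 103
"""
def _addr(tok, objects):  # one ACL address spec: object NAME | object-group NAME | NET MASK
    if tok[0] in ("object", "object-group"):
        return objects[tok[1]], tok[2:]
    return [ipaddress.ip_network(f"{tok[0]}/{tok[1]}")], tok[2:]
def parse_config(text):
    """Return (objects, acls, cmap): name->[nets], acl->[(src, dst)], seq->acl name."""
    objects, acls, cmap, cur = {}, {}, {}, None
    for tok in map(str.split, text.splitlines()):
        if not tok:
            continue
        if tok[:2] in (["object-group", "network"], ["object", "network"]):
            cur = objects.setdefault(tok[2], [])
        elif tok[0] in ("network-object", "subnet"):
            cur.append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}"))
        elif tok[0] == "access-list" and tok[2:5] == ["extended", "permit", "ip"]:
            src, rest = _addr(tok[5:], objects)
            dst, _ = _addr(rest, objects)
            acls.setdefault(tok[1], []).extend((s, d) for s in src for d in dst)
        elif tok[:2] == ["crypto", "map"] and tok[4:6] == ["match", "address"]:
            cmap[int(tok[3])] = tok[6]
    return objects, acls, cmap
def entries_for_flow(text, src_ip, dst_ip):
    """Crypto-map sequence numbers whose ACL permits src_ip -> dst_ip, lowest first."""
    _, acls, cmap = parse_config(text)
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return sorted(q for q, acl in cmap.items()
                  if any(s in sn and d in dn for sn, dn in acls.get(acl, [])))
def overlapping_destinations(text):
    """(seq_a, seq_b, dst): two entries cover the same destination from disjoint sources."""
    _, acls, cmap = parse_config(text)
    seqs, hits = sorted(cmap), []
    for i, a in enumerate(seqs):
        for b in seqs[i + 1:]:
            hits += [(a, b, str(da)) for sa, da in acls[cmap[a]] for sb, db in acls[cmap[b]]
                     if da.overlaps(db) and not sa.overlaps(sb)]
    return hits
```

With the poster's two traced flows, entries_for_flow returns [20] for both, and overlapping_destinations flags 192.168.0.0/16 as claimed by entries 20 and 23 from different sources.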