Amazon AWS VPN bidirectional device access

network-engineering cisco vpn cisco-ios pc aws
2022-02-18 14:20:04

After setting up the Amazon VPN connection and configuring my gateway with the downloaded configuration, I can ssh directly to the private IP of an EC2 instance in my VPC. However, neither the EC2 instances nor the AppStream instances can reach the local network resources on my side. The gateway I am using is a Cisco 1941 running IOS 12.4+.

Access to the customer gateway (10.0.0.2) works from the EC2 instance (192.168.170.72) in the VPC:

traceroute to 10.0.0.2 (10.0.0.2), 64 hops max
1 169.254.45.190 40.357ms * 21.617ms
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=254 time=21.2 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=254 time=24.9 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=254 time=21.3 ms
64 bytes from 10.0.0.2: icmp_seq=4 ttl=254 time=46.9 ms

But not to a local machine that permits internal network access:

traceroute to 10.0.0.80 (10.0.0.80), 64 hops max
1 169.254.45.190 21.508ms 23.094ms 21.671ms
2 * * *
3 * * *
...
PING 10.0.0.80 (10.0.0.80) 56(84) bytes of data.
--- 10.0.0.80 ping statistics ---
19 packets transmitted, 0 received, 100% packet loss, time 17999ms

A packet capture running on 10.0.0.80 shows the ping request arriving and being answered:

[screenshot: packet capture on 10.0.0.80 (the local host)]

A packet capture on the tunnel interfaces shows the packets being routed into the tunnel:

[screenshot: packet capture on Tunnel1]
[screenshot: packet capture on Tunnel2]

Here is the configuration of the Cisco 1941w gateway:

no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 10.0.0.0 10.0.0.10
ip dhcp excluded-address 10.0.0.66
ip dhcp excluded-address 10.0.0.93
ip dhcp excluded-address 10.0.0.97
ip dhcp excluded-address 10.0.0.231
!
ip dhcp pool embedded-router-pool
 network 10.0.0.0 255.255.255.0
 dns-server 8.8.8.8 8.8.4.4
!
!
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
redundancy
!
track 100 ip sla 100 reachability
!
track 200 ip sla 200 reachability
!
crypto keyring keyring-vpn-39bea158-1
  local-address PUBLIC_IP
  pre-shared-key address PUBLIC_VPN_IP_1 key KEY1
crypto keyring keyring-vpn-39bea158-0
  local-address PUBLIC_IP
  pre-shared-key address PUBLIC_VPN_IP_2 key KEY2
!
crypto isakmp policy 1
!
crypto isakmp policy 200
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 201
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp keepalive 10 10
crypto isakmp profile isakmp-vpn-39bea158-0
   keyring keyring-vpn-39bea158-0
   match identity address PUBLIC_VPN_IP_2 255.255.255.255
   local-address PUBLIC_IP
crypto isakmp profile isakmp-vpn-39bea158-1
   keyring keyring-vpn-39bea158-1
   match identity address PUBLIC_VPN_IP_1 255.255.255.255
   local-address PUBLIC_IP
!
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set ipsec-prop-vpn-39bea158-0 esp-aes esp-sha-hmac
crypto ipsec transform-set ipsec-prop-vpn-39bea158-1 esp-aes esp-sha-hmac
crypto ipsec df-bit clear
!
crypto ipsec profile ipsec-vpn-39bea158-0
 set transform-set ipsec-prop-vpn-39bea158-0
 set pfs group2
!
crypto ipsec profile ipsec-vpn-39bea158-1
 set transform-set ipsec-prop-vpn-39bea158-1
 set pfs group2
!
!
bridge irb
!
!
!
!
! Two IPsec VTIs, one per AWS VPN endpoint; the 169.254.x.x/30 addresses are the inside tunnel addressing
interface Tunnel1
 ip address 169.254.46.162 255.255.255.252
 ip virtual-reassembly in
 ip tcp adjust-mss 1379
 tunnel source PUBLIC_IP
 tunnel mode ipsec ipv4
 tunnel destination PUBLIC_VPN_IP_2
 tunnel protection ipsec profile ipsec-vpn-39bea158-0
!
interface Tunnel2
 ip address 169.254.45.190 255.255.255.252
 ip virtual-reassembly in
 ip tcp adjust-mss 1379
 tunnel source PUBLIC_IP
 tunnel mode ipsec ipv4
 tunnel destination PUBLIC_VPN_IP_1
 tunnel protection ipsec profile ipsec-vpn-39bea158-1
!
interface Embedded-Service-Engine0/0
 no ip address
!
interface GigabitEthernet0/0
 no ip address
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
 bridge-group 1
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip unnumbered BVI1
 arp timeout 0
 no mop enabled
 no mop sysid
!
interface GigabitEthernet0/1
 ip address PUBLIC_IP 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Wlan-GigabitEthernet0/0
 description Internal switch interface connecting to the embedded AP
 switchport mode trunk
 no ip address
!
interface FastEthernet0/0/0
 ip address PUBLIC_T1_IP 255.255.255.248
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 ip nat inside
 ip virtual-reassembly in
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Vlan10
 no ip address
!
interface BVI1
 ip address 10.0.0.2 255.0.0.0
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
! Equal-cost routes to the VPC via both tunnels; each is withdrawn when its track object goes down
ip route 192.168.0.0 255.255.0.0 Tunnel1 track 100
ip route 192.168.0.0 255.255.0.0 Tunnel2 track 200
ip route 0.0.0.0 0.0.0.0 PUBLIC_IP_2
!
! ICMP probes of the AWS-side inside tunnel address feed track 100 / track 200
ip sla 100
 icmp-echo 169.254.46.161 source-interface Tunnel1
 frequency 5
ip sla schedule 100 life forever start-time now
ip sla 200
 icmp-echo 169.254.45.189 source-interface Tunnel2
 frequency 5
ip sla schedule 200 life forever start-time now
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 192.168.0.0 0.0.255.255

One thing strikes me:

ip route 0.0.0.0 0.0.0.0 PUBLIC_IP_2

PUBLIC_IP_2 is different from PUBLIC_IP. PUBLIC_IP_2 ends in 250, while PUBLIC_IP ends in 248.
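Added example, not code from the question's author, Cisco or AWS: a Python script that performs the static checks a practitioner would make on the customer-gateway side of this setup, run against an excerpt of the configuration posted above (secrets kept as the post's placeholders). It confirms that every route toward the VPC prefix leaves through an IPsec-protected VTI that is not a NAT outside interface, and reports prefix inconsistencies: a LAN interface whose mask is wider than the LAN prefix, LAN/VPC overlap, and NAT source ACL entries that overlap the VPC prefix. The VPC prefix (192.168.0.0/16) and LAN prefix (10.0.0.0/24) are taken from the post's static routes and DHCP pool.

```python
"""Static sanity checks for the customer-gateway side of an AWS site-to-site VPN.

Added example; not code from the question's author, Cisco or AWS.  CONFIG is an
excerpt of the IOS configuration posted in the question, with the secrets kept
as the post's placeholders (PUBLIC_IP, PUBLIC_VPN_IP_1, ...).
"""
import ipaddress

CONFIG = """\
interface Tunnel1
 ip address 169.254.46.162 255.255.255.252
 tunnel mode ipsec ipv4
 tunnel destination PUBLIC_VPN_IP_2
 tunnel protection ipsec profile ipsec-vpn-39bea158-0
!
interface Tunnel2
 ip address 169.254.45.190 255.255.255.252
 tunnel mode ipsec ipv4
 tunnel destination PUBLIC_VPN_IP_1
 tunnel protection ipsec profile ipsec-vpn-39bea158-1
!
interface GigabitEthernet0/1
 ip address PUBLIC_IP 255.255.255.248
 ip nat outside
!
interface BVI1
 ip address 10.0.0.2 255.0.0.0
 ip nat inside
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip route 192.168.0.0 255.255.0.0 Tunnel1 track 100
ip route 192.168.0.0 255.255.0.0 Tunnel2 track 200
ip route 0.0.0.0 0.0.0.0 PUBLIC_IP_2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 192.168.0.0 0.0.255.255
"""


def parse_sections(text):
    """Group each unindented IOS command with the indented sub-commands below it."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            if sections:
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def to_network(addr, mask):
    """IOS 'address mask' pair -> IPv4Network.  ipaddress accepts dotted netmasks
    (interfaces, static routes) and the wildcard/host masks used in ACLs.
    Raises ValueError for placeholders such as PUBLIC_IP."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def check_config(text, vpc_cidr, lan_cidr):
    """Return a list of findings; an empty list means every check passed."""
    vpc, lan = ipaddress.IPv4Network(vpc_cidr), ipaddress.IPv4Network(lan_cidr)
    ifaces, routes, nat_acls, acl_permits, findings = {}, [], set(), {}, []

    for head, body in parse_sections(text):
        w = head.split()
        if w[0] == "interface":
            info = {"net": None, "nat": None, "mode": "", "protected": False}
            for sub in body:
                s = sub.split()
                if s[:2] == ["ip", "address"] and len(s) == 4:
                    try:
                        info["net"] = to_network(s[2], s[3])
                    except ValueError:
                        pass  # placeholder address in the excerpt
                elif s[:2] == ["ip", "nat"]:
                    info["nat"] = s[2]
                elif s[:2] == ["tunnel", "mode"]:
                    info["mode"] = " ".join(s[2:])
                elif s[:2] == ["tunnel", "protection"]:
                    info["protected"] = True
            ifaces[w[1]] = info
        elif w[:2] == ["ip", "route"] and len(w) >= 5:
            try:
                routes.append((to_network(w[2], w[3]), w[4]))
            except ValueError:
                pass
        elif w[:5] == ["ip", "nat", "inside", "source", "list"]:
            nat_acls.add(w[5])
        elif w[0] == "access-list" and len(w) == 5 and w[2] == "permit":
            acl_permits.setdefault(w[1], []).append(to_network(w[3], w[4]))

    # 1. Every non-default route covering the VPC must exit through an
    #    IPsec-protected VTI that is not a NAT outside interface.
    vpc_routes = [(d, nh) for d, nh in routes if d.prefixlen and vpc.subnet_of(d)]
    if not vpc_routes:
        findings.append(f"no static route covers the VPC prefix {vpc}")
    for dst, nh in vpc_routes:
        t = ifaces.get(nh)
        if t is None or not (t["mode"].startswith("ipsec") and t["protected"]):
            findings.append(f"route {dst} via {nh} is not an IPsec-protected tunnel")
        elif t["nat"] == "outside":
            findings.append(f"{nh} is 'ip nat outside': LAN sources would be translated on the way to the VPC")

    # 2. LAN-side interfaces: no overlap with the VPC, no mask wider than the LAN prefix.
    for name, info in ifaces.items():
        net = info["net"]
        if net is None or name.startswith("Tunnel"):
            continue
        if net.overlaps(vpc):
            findings.append(f"{name} is {net}, which overlaps the VPC prefix {vpc}")
        if net.overlaps(lan) and net.prefixlen < lan.prefixlen:
            findings.append(f"{name} is {net}, wider than the LAN prefix {lan}")

    # 3. NAT source ACL entries that would translate VPC-sourced traffic if it
    #    ever left through a NAT outside interface.
    for acl in sorted(nat_acls):
        for net in acl_permits.get(acl, []):
            if net.overlaps(vpc):
                findings.append(f"NAT ACL {acl} permits {net}, which overlaps the VPC prefix")
    return findings


if __name__ == "__main__":
    for line in check_config(CONFIG, "192.168.0.0/16", "10.0.0.0/24") or ["all checks passed"]:
        print(line)
```

On the posted excerpt the tunnel checks pass and two facts are reported: BVI1 is addressed as 10.0.0.2/8 while the DHCP pool and the NAT ACL use 10.0.0.0/24, and access-list 1 also permits 192.168.0.0/16. The second is harmless as long as no tunnel carries `ip nat outside`, which the check for the first route class covers.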

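The post shows only the on-premises half of the path. Reaching 10.0.0.0/24 from the VPC also depends on the AWS side: a static site-to-site VPN needs the on-premises prefix as a static route on the VPN connection, the tunnels must be UP, and every VPC route table that serves EC2 or AppStream subnets needs a route for that prefix to the virtual private gateway (explicit or propagated). The following Python script, an added example that is not the question author's code and not an AWS tool, runs those checks against JSON shaped like the output of `aws ec2 describe-vpn-connections` and `aws ec2 describe-route-tables`. The two documents are constructed: the VPN id reuses the fragment visible in the post's keyring names, the vgw/rtb/vpc ids and public addresses are made up, and the second route table is deliberately built without the route so that the failure mode is visible; nothing is known about the real AWS-side configuration.

```python
"""Checks on the AWS side of a static site-to-site VPN, from describe-* output.

Added example; not the question author's code and not an AWS tool.  VPN_JSON and
RTB_JSON are constructed to mimic the shape of `aws ec2 describe-vpn-connections`
and `aws ec2 describe-route-tables`.  Ids other than the vpn fragment from the
post's keyring names, and the public addresses, are made up.
"""
import ipaddress
import json

VPN_JSON = """{
  "VpnConnections": [{
    "VpnConnectionId": "vpn-39bea158",
    "State": "available",
    "VpnGatewayId": "vgw-0example",
    "Options": {"StaticRoutesOnly": true},
    "Routes": [
      {"DestinationCidrBlock": "10.0.0.0/24", "Source": "Static", "State": "available"}
    ],
    "VgwTelemetry": [
      {"OutsideIpAddress": "203.0.113.1", "Status": "UP", "AcceptedRouteCount": 1},
      {"OutsideIpAddress": "203.0.113.2", "Status": "UP", "AcceptedRouteCount": 1}
    ]
  }]
}"""

RTB_JSON = """{
  "RouteTables": [
    {"RouteTableId": "rtb-0ec2subnets", "VpcId": "vpc-0example",
     "PropagatingVgws": [{"GatewayId": "vgw-0example"}],
     "Routes": [
       {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "local", "State": "active"},
       {"DestinationCidrBlock": "10.0.0.0/24", "GatewayId": "vgw-0example",
        "Origin": "EnableVgwRoutePropagation", "State": "active"}
     ]},
    {"RouteTableId": "rtb-0appstream", "VpcId": "vpc-0example",
     "PropagatingVgws": [],
     "Routes": [
       {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "local", "State": "active"},
       {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"}
     ]}
  ]
}"""


def _covers(route, prefix):
    """True if the route's IPv4 destination contains the whole prefix."""
    cidr = route.get("DestinationCidrBlock")
    return bool(cidr) and prefix.subnet_of(ipaddress.IPv4Network(cidr))


def vpc_side_findings(vpn_doc, rtb_doc, onprem_cidr, vpc_cidr):
    """Return findings on why VPC hosts might not reach onprem_cidr; [] = all clear."""
    onprem, vpc = ipaddress.IPv4Network(onprem_cidr), ipaddress.IPv4Network(vpc_cidr)
    findings = []
    if onprem.overlaps(vpc):
        findings.append(f"on-prem prefix {onprem} overlaps the VPC CIDR {vpc}")
    for conn in vpn_doc["VpnConnections"]:
        cid, vgw = conn["VpnConnectionId"], conn["VpnGatewayId"]
        if conn["State"] != "available":
            findings.append(f"{cid}: connection state is {conn['State']}")
        if not any(t["Status"] == "UP" for t in conn.get("VgwTelemetry", [])):
            findings.append(f"{cid}: neither tunnel is UP")
        # A static VPN only learns the on-prem prefix from its own static routes.
        if conn.get("Options", {}).get("StaticRoutesOnly") and not any(
                _covers(r, onprem) and r.get("State", "available") == "available"
                for r in conn.get("Routes", [])):
            findings.append(f"{cid}: no static route for {onprem} on the VPN connection")
        # Every route table must send the on-prem prefix to this VGW, either by an
        # explicit route or by one propagated from the VGW.
        for rtb in rtb_doc["RouteTables"]:
            rid = rtb["RouteTableId"]
            propagates = any(p["GatewayId"] == vgw for p in rtb.get("PropagatingVgws", []))
            routed = any(r.get("GatewayId") == vgw and r.get("State") == "active"
                         and _covers(r, onprem) for r in rtb.get("Routes", []))
            if not routed:
                findings.append(f"{rid}: no active route for {onprem} via {vgw}"
                                + ("" if propagates else ", and propagation from it is off"))
    return findings


def run(vpn_json_text, rtb_json_text, onprem_cidr="10.0.0.0/24", vpc_cidr="192.168.0.0/16"):
    """Parse the two JSON documents and run the checks."""
    return vpc_side_findings(json.loads(vpn_json_text), json.loads(rtb_json_text),
                             onprem_cidr, vpc_cidr)


if __name__ == "__main__":
    for line in run(VPN_JSON, RTB_JSON) or ["all AWS-side checks passed"]:
        print(line)
```

Security groups and network ACLs are the remaining AWS-side controls these two calls do not show: a security group is stateful, so replies to a ping initiated by the EC2 instance are allowed automatically, whereas a network ACL is stateless and must permit both directions between the subnet and 10.0.0.0/24.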
0 answers