Cisco ASA 5505 remote users cannot reach anything through the site-to-site tunnel

network-engineering cisco vpn
2021-07-29 04:37:13

I (finally) have a VPN tunnel to an AWS VPC up and running. I am not a network engineer.

It works from the office to the VPC, but remote users cannot access anything through this site-to-site tunnel. Just to rule out anything on the AWS side, I set up a #1 ACL rule allowing all traffic, and I have a test VM with a security group that allows all traffic.

What we really care about is traffic from the office and remote users (10.0.0.0/8) to the VPC (172.17.0.0/16).

I'll try to post the relevant configuration, but if you need more, let me know and I'll be happy to share. The only things I have redacted are the AWS tunnel IPs and our office's external IP address:

Access lists

ciscoasa(config)# show run access-list
access-list inside_nat0_outbound extended permit ip any 10.0.0.0 255.255.255.192 
access-list Split_Tunnel_List standard permit 10.0.0.0 255.255.255.0 
access-list Split_Tunnel_List standard permit 172.17.0.0 255.255.0.0 
access-list acl-amzn extended permit ip any 172.17.0.0 255.255.0.0 
access-list amzn-filter extended permit ip 172.17.0.0 255.255.0.0 10.0.0.0 255.0.0.0 
access-list amzn-filter extended deny ip any any 
access-list outside_access_in extended permit ip host AWS_TUNNEL_IP_1 host OFFICE_OUTSIDE_IP
access-list outside_access_in extended permit ip host AWS_TUNNEL_IP_2 host OFFICE_OUTSIDE_IP
ciscoasa(config)# 

Group policy

ciscoasa(config)# show run group-policy
group-policy RA_GROUP internal
group-policy RA_GROUP attributes
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol IPSec 
 split-tunnel-network-list value Split_Tunnel_List
group-policy filter internal
group-policy filter attributes
 vpn-filter value amzn-filter
ciscoasa(config)# 

Crypto map

ciscoasa(config)# show run crypto map
crypto map outside_map 1 match address acl-amzn
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer AWS_TUNNEL_IP_1 AWS_TUNNEL_IP_2 
crypto map outside_map 1 set transform-set transform-amzn
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
ciscoasa(config)# show run nat
nat (inside) 0 access-list acl-amzn
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 10.0.0.0 255.255.255.0
ciscoasa(config)#

Same-security traffic

ciscoasa(config)# show run same-security-traffic 
same-security-traffic permit intra-interface
ciscoasa(config)# 

Ping from 10.0.0.15 to the VPC works

ciscoasa(config)# packet-tracer input inside icmp 10.0.0.15 0 8 172.17.44.71      

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT-EXEMPT
Subtype: 
Result: ALLOW
Config:
  match ip inside any outside 172.17.0.0 255.255.0.0
    NAT exempt
    translate_hits = 258, untranslate_hits = 104
Additional Information:

Phase: 5
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 1 (OFFICE_OUTSIDE_IP [Interface PAT])
    translate_hits = 9425616, untranslate_hits = 1313465
Additional Information:

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 7
Type: HOST-LIMIT
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: ACCESS-LIST
Subtype: vpn-user
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 10392911, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

ciscoasa(config)# 

Ping from the office outside IP fails

ciscoasa(config)# packet-tracer input inside icmp OFFICE_OUTSIDE_IP 0 8 172.17.44.71 detailed 

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc959e0e0, priority=0, domain=inspect-ip-options, deny=true
    hits=9738259, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 3
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc959dd58, priority=66, domain=inspect-icmp-error, deny=false
    hits=305383, user_data=0xc959dc40, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: NAT-EXEMPT
Subtype: 
Result: ALLOW
Config:
  match ip inside any outside 172.17.0.0 255.255.0.0
    NAT exempt
    translate_hits = 259, untranslate_hits = 107
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc9603e48, priority=6, domain=nat-exempt, deny=false
    hits=271, user_data=0xca1792f8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=172.17.0.0, mask=255.255.0.0, port=0, dscp=0x0

Phase: 5
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 1 (OFFICE_OUTSIDE_IP[Interface PAT])
    translate_hits = 9431076, untranslate_hits = 1314029
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc9620cf8, priority=1, domain=nat, deny=false
    hits=10741033, user_data=0xc9620c38, cs_id=0x0, flags=0x0, protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc96208b8, priority=1, domain=host, deny=false
    hits=10681997, user_data=0xc9620538, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: HOST-LIMIT
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc95a1058, priority=0, domain=host-limit, deny=false
    hits=3610687, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: ACCESS-LIST
Subtype: vpn-user
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xca201808, priority=12, domain=vpn-user, deny=true
    hits=17, user_data=0xc793c300, filter_id=0x4(amzn-filter), protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ciscoasa(config)# 

Sysopt

ciscoasa(config)# show run all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1387
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt noproxyarp inside
no sysopt noproxyarp outside
ciscoasa(config)# 

With debug icmp trace running, nothing at all shows up when I connect remotely and try to ping something through the site-to-site tunnel. When I try to ping something in the office LAN, I get:

ICMP echo request from outside:10.0.0.19 to outside:10.0.1.34 ID=12 seq=0 len=8
ICMP echo request translating outside:10.0.0.19/12 to outside:OFFICE_OUTSIDE_IP/47077

10.0.0.19 is the IP address of the remote connection.

From the office LAN I can successfully ping the AWS VM through the site-to-site tunnel, but the ping fails if done directly from the ASA 5505.

I don't know whether this is normal behavior, but to my untrained eye it looks like the remote connection is being treated as an outside connection. I would have assumed that if you connect over the VPN you are considered inside.

Here is the routing table while connected remotely, minus the IPv6 section (generated by netstat -nr on a MacBook):

Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            link#12            UCS            16        0   utun1
default            10.128.128.128     UGScI          16        0     en0
8.8.8.8            link#12            UHWIi           6       41   utun1
10                 link#4             UCS             1        0     en0
10.0.0.19          10.0.0.19          UH              0       11   utun1
10.128.128.128/32  link#4             UCS             1        0     en0
10.128.128.128     0:18:a:34:c7:94    UHLWIir        19       89     en0   1198
10.243.58.109/32   link#4             UCS             0        0     en0
10.255.255.255     ff:ff:ff:ff:ff:ff  UHLWbI          0        3     en0
17.146.233.11      link#12            UHW3I           0        5   utun1     10
17.158.28.36       link#12            UHWIi           2       10   utun1
17.171.4.15        link#12            UHWIi           1        1   utun1
17.172.224.14      link#12            UHWIi           1        3   utun1
17.172.232.134     link#12            UHWIi           1       23   utun1
17.173.254.222     link#12            UHW3I           0        9   utun1      9
17.173.254.223     link#12            UHW3I           0        4   utun1      9
23.211.232.189     link#12            UHW3I           0       17   utun1      7
23.212.21.149      link#12            UHWIi           1        4   utun1
74.125.25.188      link#12            UHWIi           1       14   utun1
74.125.28.125      link#12            UHWIi           1       71   utun1
74.125.239.17      link#12            UHWIi           1       18   utun1
74.125.239.181     link#12            UHWIi           1       19   utun1
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH              1    39007     lo0
169.254            link#4             UCS             0        0     en0
OFFICE_OUTSIDE_IP  10.128.128.128     UGHS            3        1     en0
OFFICE_OUTSIDE_IP  link#12            UHW3I           0        3   utun1      6
224.0.0.251        link#12            UHmW3I          0        0   utun1     10

A cleaner routing table from my home Linux machine connected to the VPN:

$ route -n
Kernel IP routing table
Destination       Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0           0.0.0.0         0.0.0.0         U     0      0        0 tun0
10.0.0.0          0.0.0.0         255.255.255.0   U     0      0        0 tun0
OFFICE_OUTSIDE_IP 192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
192.168.1.0       0.0.0.0         255.255.255.0   U     1      0        0 eth0

As an experiment (aka grasping at straws), I added OFFICE_OUTSIDE_IP to the amzn-filter access list:

access-list amzn-filter extended permit ip 172.17.0.0 255.255.0.0 10.0.0.0 255.0.0.0 
access-list amzn-filter extended permit ip 172.17.0.0 255.255.0.0 host OFFICE_OUTSIDE_IP 
access-list amzn-filter extended deny ip any any 

With this, in debug icmp trace I can see the ping attempts from the remote connection, but the ping still fails:

ICMP echo request from outside:10.0.0.19 to outside:172.17.44.71 ID=22350 seq=2 len=56
ICMP echo request translating outside:10.0.0.19/22350 to outside:OFFICE_OUTSIDE_IP/8998

The current running config is here. Anything I redacted in the config should be pretty obvious. The address space is a mess because of what I inherited; I hope to clean it up in the future.

4 Answers

Got a reply on the Cisco forum that resolved my problem:

You are missing a NAT exempt from the IP local pool to the destination of the site-to-site:

access-list NAT_EXEMPT permit ip 10.0.0.0 255.255.255.0 172.17.0.0 255.255.0.0

NAT (outside) 0 access-list NAT_EXEMPT
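To see why the hairpinned remote-user flow is dropped and why the nat (outside) 0 exemption in the answer above fixes it, here is an added Python model (not from the post, the forum reply, or Cisco) of the phases the packet-tracer output walks through: NAT-EXEMPT, interface PAT, the vpn-filter check, and the crypto-map match. It assumes OFFICE_OUTSIDE_IP stands for the documentation address 203.0.113.10 and that the remote-access pool is 10.0.0.0/24, as in the NAT_EXEMPT list.

```python
import ipaddress

# Constructed model of the ASA 5505 order of operations for a remote-access
# user hairpinning (outside -> outside) into the AWS site-to-site tunnel.
# OFFICE_OUTSIDE_IP is a placeholder: the documentation address 203.0.113.10.
OFFICE_OUTSIDE_IP = ipaddress.ip_address("203.0.113.10")
ANY = ipaddress.ip_network("0.0.0.0/0")

def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

def evaluate(acl, src, dst):
    """First-match evaluation of (action, src_net, dst_net) entries,
    with the ASA's implicit deny at the end."""
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False

# The page's lists. vpn-filter ACEs are written remote-as-source, so the
# filter is checked with the flow's source and destination swapped.
AMZN_FILTER = [("permit", net("172.17.0.0/16"), net("10.0.0.0/8")),
               ("deny", ANY, ANY)]
ACL_AMZN = [("permit", ANY, net("172.17.0.0/16"))]  # crypto map match address
RA_POOL = net("10.0.0.0/24")  # assumed remote-access pool, per NAT_EXEMPT

def hairpin_flow(src, dst, nat_exempt_outside):
    """Returns (action, source address as it would leave the outside interface)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Phase NAT-EXEMPT: only nat (inside) 0 exists on the page, so a flow
    # arriving on outside is exempt only if a nat (outside) 0 list matches it.
    exempt = evaluate(nat_exempt_outside, src, dst)
    # Phase NAT: nat (outside) 1 10.0.0.0 255.255.255.0 -> interface PAT.
    if not exempt and src in RA_POOL:
        src = OFFICE_OUTSIDE_IP
    # Phase ACCESS-LIST vpn-user: a PAT'd source is no longer inside 10/8.
    if not evaluate(AMZN_FILTER, dst, src):
        return "drop (acl-drop vpn-user)", str(src)
    # Phase VPN encrypt: the flow must still match the crypto map ACL.
    if not evaluate(ACL_AMZN, src, dst):
        return "drop (no crypto map match)", str(src)
    return "allow", str(src)

# Before the fix: no nat (outside) 0 list. After the accepted answer:
# nat (outside) 0 access-list NAT_EXEMPT with 10.0.0.0/24 -> 172.17.0.0/16.
BEFORE = []
AFTER = [("permit", net("10.0.0.0/24"), net("172.17.0.0/16"))]

if __name__ == "__main__":
    print(hairpin_flow("10.0.0.19", "172.17.44.71", BEFORE))
    print(hairpin_flow("10.0.0.19", "172.17.44.71", AFTER))
```

The same model shows why adding host OFFICE_OUTSIDE_IP to the filter only moves the failure later: the packet then leaves with the PAT'd address, which the AWS side does not expect from the 10.0.0.0/8 encryption domain.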

I think your vpn-filter is causing the problem, and it is not necessary. Try removing it by running clear config group-policy filter

Check whether you have this setting turned on: sysopt connection permit-vpn, by running show run all sysopt. When it is on, all VPN traffic bypasses the interface ACLs and you will not need a VPN filter.

access-list amzn-filter extended permit ip 172.17.0.0 255.255.0.0 10.0.0.0 255.0.0.0 
access-list amzn-filter extended deny ip any any 

Unless your "remote" users are included in the 10.0.0.0/8 network, your filter is missing their IP range. From what I gather from your output, there is AWS (172.17.0.0/16), your office (10.0.0.0/8) and the "remote" network. You never gave its IP range, so I can't be sure.

Regarding your second packet-tracer output: you seem to be trying to ping from the inside interface using the outside interface's address as the source. I'm pretty sure that will always fail, because your outside interface IP is (most likely) not in the IP range you allowed in the crypto domain.

Assuming you have something like this:

[10.0.0.0/8 nets]---[router]---[asa]--->[internet]

You could try the following. Note that the config is incomplete, meaning it does not allow, for example, Internet access. If you post the full config we can help more. Redact anything sensitive (passwords, PSKs, external IPs, etc.) like you have been doing.

!
!
!
interface Ethernet0/0
 description to internet
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.252
!
interface Ethernet0/1
 description to router
 nameif inside
 security-level 100
 ip address 10.10.10.252 255.255.255.252
!
!
!
object-group protocol PROTOCOLS_ALL
 protocol-object ip
 protocol-object icmp
!
object-group network GRP_AWS_NET
 network-object 172.17.0.0 255.255.0.0
!
object-group network GRP_LOCAL_NETS
 network-object 10.0.0.0 255.0.0.0
!
!
!
access-list acl-amzn extended permit ip object-group GRP_LOCAL_NETS object-group GRP_AWS_NET
access-list inside_access_in extended permit object-group PROTOCOLS_ALL object-group GRP_LOCAL_NETS object-group GRP_AWS_NET
access-list inside_access_in extended permit object-group PROTOCOLS_ALL object-group GRP_AWS_NET any
!
!
!
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
!
!
!
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route inside 10.0.0.0 255.0.0.0 10.10.10.251
!
!
!
global (outside) 1 interface
nat (inside) 0 access-list acl-amzn
nat (inside) 1 10.0.0.0 255.0.0.0
!
!
!
crypto map outside_map 1 match address acl-amzn
crypto map outside_map 1 set pfs
crypto map outside_map 1 set connection-type originate-only
crypto map outside_map 1 set peer <YOUR_AMZN_IP_1> <YOUR_AMZN_IP_2>
crypto map outside_map 1 set transform-set transform-amzn
crypto map outside_map 1 set nat-t-disable
! <--- this may help you. give it a try.
crypto map outside_map interface outside
!
!
!
tunnel-group <YOUR_AMZN_IP_1> type ipsec-l2l
tunnel-group <YOUR_AMZN_IP_1> ipsec-attributes
 pre-shared-key  SOME_PRESHARED_KEY
!
tunnel-group <YOUR_AMZN_IP_2> type ipsec-l2l
tunnel-group <YOUR_AMZN_IP_2> ipsec-attributes
 pre-shared-key  SOME_PRESHARED_KEY
!
!
!