ASA VPN communication problem

network-engineering cisco vpn error
2021-07-12 06:30:47

I am having a problem where SPOKE 1 and SPOKE 2 cannot communicate with each other, but SPOKE 1 and SPOKE 2 can both communicate with the HUB. Please see the spoke and hub configurations below.

Spoke 1 (Cisco SRST881, v. 12.4)

Spoke 2 (Cisco 887VA, v. 12.4(22r))

Hub (ASA5525, v. 8.6(1)2)

** Spoke 1 (Cisco SRST881, v. 12.4) **

crypto ikev2 proposal AES256-192-128-PROPOSAL
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha1
 group 2

crypto ikev2 policy IKEv2-Policy
 proposal AES256-192-128-PROPOSAL

crypto ikev2 keyring VPN-KEYS
 peer ASA-DC
  address 200.200.200.1
  pre-shared-key local 12345678
  pre-shared-key remote 12345678

crypto ikev2 profile ASA-DC
 match identity remote address 200.200.200.1 255.255.255.255
 identity local address 50.50.50.1
 authentication local pre-share
 authentication remote pre-share
 keyring VPN-KEYS

crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac

crypto map SPOKE1-ASA 10 ipsec-isakmp
 set peer 200.200.200.1
 set transform-set ESP-AES256-SHA
 set ikev2-profile ASA-DC
 match address SPOKE1-VPN-ACL

interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map SPOKE1-ASA

interface Vlan1
 ip address 192.168.210.225 255.255.255.224
 ip nat inside
 ip virtual-reassembly in

ip nat inside source list NONAT interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 50.50.50.1

ip access-list extended NONAT
 deny   ip 192.168.210.64 0.0.0.31 172.16.0.0 0.0.255.255
 permit ip 192.168.210.64 0.0.0.31 any

ip access-list extended SPOKE1-VPN-ACL
 permit ip 192.168.210.224 0.0.0.31 172.16.0.0 0.0.255.255
 permit ip 192.168.210.224 0.0.0.31 192.168.210.64 0.0.0.31

** Spoke 2 (Cisco 887VA, v. 12.4(22r)) **

crypto ikev2 proposal AES256-192-128-PROPOSAL
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha1
 group 2

crypto ikev2 policy IKEv2-Policy
 proposal AES256-192-128-PROPOSAL

crypto ikev2 keyring VPN-KEYS
 peer ASA-DC
  address 200.200.200.1
  pre-shared-key local 12345678
  pre-shared-key remote 12345678

crypto ikev2 profile ASA-DC
 match identity remote address 200.200.200.1 255.255.255.255
 identity local address 100.100.100.1
 authentication local pre-share
 authentication remote pre-share
 keyring VPN-KEYS

crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac

crypto map SPOKE2-ASA 10 ipsec-isakmp
 set peer 200.200.200.1
 set transform-set ESP-AES256-SHA
 set ikev2-profile ASA-DC
 match address SPOKE2-VPN-ACL

interface Vlan1
 ip address 192.168.210.65 255.255.255.224
 ip helper-address 172.16.5.32
 ip nat inside
 ip virtual-reassembly in

interface Dialer1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp chap hostname zzz@zzz.com
 ppp chap password 7 zzzzzzzzz
 crypto map SPOKE2-ASA

ip nat inside source list NONAT interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1

ip access-list extended SPOKE2-VPN-ACL
 permit ip 192.168.210.64 0.0.0.31 172.16.0.0 0.0.255.255
 permit ip 192.168.210.64 0.0.0.31 192.168.210.224 0.0.0.31

ip access-list extended NONAT
 deny   ip 192.168.210.64 0.0.0.31 172.16.0.0 0.0.255.255
 permit ip 192.168.210.64 0.0.0.31 any

** Hub (ASA5525, v. 8.6(1)2) **

object network SPOKE1
 subnet 192.168.210.224 255.255.255.224

object network SPOKE2
 subnet 192.168.210.64 255.255.255.224

object-group network INSIDE-SUBNET
 network-object 172.16.0.0 255.255.0.0


access-list VPN-SPOKE1 extended permit ip object-group INSIDE-SUBNET object SPOKE1
access-list VPN-SPOKE1 extended permit ip object SPOKE2 object SPOKE1
access-list VPN-SPOKE2 extended permit ip object-group INSIDE-SUBNET object SPOKE2
access-list VPN-SPOKE2 extended permit ip object SPOKE1 object SPOKE2

nat (inside,outside) source static inside-subnet-source INSIDE-SUBNET destination static SPOKE1 SPOKE1 no-proxy-arp route-lookup
nat (inside,outside) source static inside-subnet-source INSIDE-SUBNET destination static SPOKE2 SPOKE2 no-proxy-arp route-lookup
nat (any,outside) source static inside-subnet-source INSIDE-SUBNET destination static SPOKE1 SPOKE1 no-proxy-arp
nat (any,outside) source static inside-subnet-source INSIDE-SUBNET destination static SPOKE2 SPOKE2 no-proxy-arp

route outside 192.168.210.64 255.255.255.224 200.200.200.1 1
route outside 192.168.210.224 255.255.255.224 200.200.200.1 1

crypto ipsec ikev2 ipsec-proposal AES256-192-128-PROPOSAL
 protocol esp encryption aes-256 aes-192 aes
 protocol esp integrity sha-1

crypto map ASA-VPN-SITE 10 match address VPN-SPOKE1
crypto map ASA-VPN-SITE 10 set peer 50.50.50.1
crypto map ASA-VPN-SITE 10 set ikev2 ipsec-proposal AES256-192-128-PROPOSAL

crypto map ASA-VPN-SITE 20 match address VPN-SPOKE2
crypto map ASA-VPN-SITE 20 set peer 100.100.100.1
crypto map ASA-VPN-SITE 20 set ikev2 ipsec-proposal AES256-192-128-PROPOSAL

tunnel-group 50.50.50.1 type ipsec-l2l
tunnel-group 50.50.50.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

tunnel-group 100.100.100.1 type ipsec-l2l
tunnel-group 100.100.100.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

same-security-traffic permit intra-interface


Thanks Brett for the quick reply. Please see the results below.

ciscoasa# packet-tracer input outside icmp 192.168.210.65 8 0 192.168.210.225

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,any) source static obj-192.168.0.0-nonat obj-192.168.0.0-nonat destination static obj-192.168.0.0-nonat obj-192.168.0.0-nonat no-proxy-arp
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.210.225/0 to 192.168.210.225/0

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside in interface outside
access-list outside extended permit icmp any
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,any) source static obj-192.168.0.0-nonat obj-192.168.0.0-nonat destination static obj-192.168.0.0-nonat obj-192.168.0.0-nonat no-proxy-arp
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
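Reading a packet-tracer run by hand is fine for one trace, but when you are comparing several (one per spoke pair, before and after a change) it helps to pull out the dropping phase mechanically. The following is an added example, not part of the original question: a small parser for the ASA packet-tracer output format that returns every phase as a record and reports the first phase whose Result is DROP together with the Drop-reason code from the summary block. The SAMPLE text embedded in it is constructed in that format, abbreviated to phases 8 to 11 of the trace above; the function names are the example's own.

```python
"""Locate the dropping phase in ASA 'packet-tracer' output.

Added example, not part of the original question. SAMPLE below is constructed in
the packet-tracer output format, abbreviated from the trace posted in the question.
"""
import re

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
FIELD_RE = re.compile(r"^(Type|Subtype|Result|Config|Additional Information):\s*(.*)$")

def parse_packet_tracer(text):
    """Return (list of per-phase dicts, dict of the trailing summary block)."""
    phases, summary = [], {}
    cur = None    # phase being filled; None once the summary block starts
    field = None  # last field name, so Config / Additional Information bodies attach to it
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PHASE_RE.match(line)
        if m:
            cur = {"phase": int(m.group(1))}
            phases.append(cur)
            field = None
            continue
        m = FIELD_RE.match(line)
        # A second 'Result:' while the current phase already has one is the summary header.
        if m and cur is not None and not (m.group(1) == "Result" and "Result" in cur):
            field = m.group(1)
            cur[field] = m.group(2).strip()
            continue
        if cur is not None and field in ("Config", "Additional Information") and ":" not in line:
            cur[field] = (cur[field] + "\n" + line).strip()  # multi-line body
            continue
        cur = None  # everything from here on belongs to the summary block
        if ":" in line and line != "Result:":
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
    return phases, summary

def drop_point(text):
    """Return (phase number, Type, Subtype, drop-reason code) for the first phase
    whose Result is DROP, or None when the packet is allowed end to end."""
    phases, summary = parse_packet_tracer(text)
    for p in phases:
        if p.get("Result") == "DROP":
            m = re.match(r"\((.*?)\)", summary.get("Drop-reason", ""))
            return (p["phase"], p.get("Type", ""), p.get("Subtype", ""), m.group(1) if m else "")
    return None

# Constructed sample in packet-tracer format, abbreviated from the question's trace.
SAMPLE = """\
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,any) source static obj-192.168.0.0-nonat obj-192.168.0.0-nonat destination static obj-192.168.0.0-nonat obj-192.168.0.0-nonat no-proxy-arp
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    print("dropped at phase %d (%s/%s), reason %s" % drop_point(SAMPLE))
```

The parser keeps the Config body of each phase, so the same records also answer the question the trace above raises: which NAT rule the UN-NAT and rpf-check phases actually matched and which egress interface the flow was diverted to.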

2 Answers

Your NAT exemption for the spokes is messed up.

First, on Spoke 1 you have the Spoke 2 addresses as the source, and you are completely missing Spoke 2:

ip access-list extended NONAT
deny   ip 192.168.210.64 0.0.0.31 172.16.0.0 0.0.255.255
permit ip 192.168.210.64 0.0.0.31 any

You need to have:

ip access-list extended NONAT
deny   ip 192.168.210.224 0.0.0.31 172.16.0.0 0.0.255.255
deny   ip 192.168.210.224 0.0.0.31 192.168.210.64 0.0.0.31
permit ip 192.168.210.224 0.0.0.31 any

Then on Spoke 2 you have the correct source, but you are just missing the entry for Spoke 1:

ip access-list extended NONAT
deny   ip 192.168.210.64 0.0.0.31 172.16.0.0 0.0.255.255
permit ip 192.168.210.64 0.0.0.31 any

That needs the Spoke 1 segment added, like so:

ip access-list extended NONAT
deny   ip 192.168.210.64 0.0.0.31 172.16.0.0 0.0.255.255
deny   ip 192.168.210.64 0.0.0.31 192.168.210.224 0.0.0.31
permit ip 192.168.210.64 0.0.0.31 any
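One way to verify a NAT-exemption fix like the one above mechanically, as an added example that is not part of the original answer: a Python checker that parses a spoke's IOS crypto ACL and NONAT ACL and evaluates them with the semantics that matter here. On IOS, `ip nat inside source list NONAT ... overload` translates a packet only when the first matching NONAT entry is a permit (a deny, or no match at all, means no translation), and the crypto map is matched against the untranslated packet, so every crypto-ACL permit has to hit a NONAT deny first. The ACL text embedded below is the one posted in the question and the corrected version from this answer; the Internet destination 203.0.113.0/24 and all function names are the example's own assumptions.

```python
"""Check a spoke's NAT-exemption (NONAT) ACL against its crypto ACL.

Added example, not code from the original thread. It models the two IOS rules that
matter here: 'ip nat inside source list NONAT ... overload' translates a packet only
when the FIRST matching NONAT entry is a permit (a deny, or no match at all, means no
translation), and the crypto map sees the untranslated packet, so every crypto-ACL
permit must hit a NONAT deny first. Only 'permit ip' / 'deny ip' entries are handled.
"""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def _operand(tokens, i):
    """Parse one address operand at tokens[i]: 'any', 'host A.B.C.D' or
    'A.B.C.D WILDCARD'. Returns (network, number of tokens consumed)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), 2
    hostmask = int(ipaddress.IPv4Address(tokens[i + 1]))
    if hostmask & (hostmask + 1):  # only contiguous wildcards map to a prefix
        raise ValueError(f"non-contiguous wildcard mask {tokens[i + 1]}")
    prefixlen = 32 - hostmask.bit_length()  # 0.0.0.31 -> /27, 0.0.255.255 -> /16
    return ipaddress.IPv4Network(f"{tok}/{prefixlen}", strict=False), 2

def parse_acl(text):
    """Parse the lines of one 'ip access-list extended' block into Aces."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[:2] == ["ip", "access-list"]:
            continue  # header line of the block
        if tokens[0] in ("permit", "deny") and tokens[1] == "ip":
            src, used = _operand(tokens, 2)
            dst, _ = _operand(tokens, 2 + used)
            aces.append(Ace(tokens[0], src, dst))
        else:
            raise ValueError(f"unsupported ACL line: {line!r}")
    return aces

def nat_verdict(src, dst, nonat_acl):
    """First-match evaluation of the NAT ACL for one src->dst flow: 'nat' when the
    first matching entry is a permit, 'exempt' for a deny, and 'no-match' (implicit
    deny, so also not translated) when nothing matches."""
    for ace in nonat_acl:
        if src.subnet_of(ace.src) and dst.subnet_of(ace.dst):
            return "nat" if ace.action == "permit" else "exempt"
    return "no-match"

# Constructed Internet destination (TEST-NET-3) to check that ordinary LAN traffic still gets PAT.
INTERNET = ipaddress.IPv4Network("203.0.113.0/24")

def audit(crypto_acl, nonat_acl):
    """Return (crypto flows that would be translated and so never match the crypto
    map, verdict for LAN -> Internet). Healthy output is ([], 'nat')."""
    leaks = [f"{a.src} -> {a.dst}" for a in crypto_acl
             if a.action == "permit" and nat_verdict(a.src, a.dst, nonat_acl) == "nat"]
    lan = crypto_acl[0].src  # the crypto ACL's source is the spoke's own LAN
    return leaks, nat_verdict(lan, INTERNET, nonat_acl)

# ACLs exactly as posted in the question and as corrected in the first answer.
SPOKE1_CRYPTO = """ip access-list extended SPOKE1-VPN-ACL
 permit ip 192.168.210.224 0.0.0.31 172.16.0.0 0.0.255.255
 permit ip 192.168.210.224 0.0.0.31 192.168.210.64 0.0.0.31"""
SPOKE2_CRYPTO = """ip access-list extended SPOKE2-VPN-ACL
 permit ip 192.168.210.64 0.0.0.31 172.16.0.0 0.0.255.255
 permit ip 192.168.210.64 0.0.0.31 192.168.210.224 0.0.0.31"""
NONAT_POSTED = """ip access-list extended NONAT
 deny   ip 192.168.210.64 0.0.0.31 172.16.0.0 0.0.255.255
 permit ip 192.168.210.64 0.0.0.31 any"""  # identical on both routers as posted
SPOKE1_NONAT_FIXED = """ip access-list extended NONAT
 deny   ip 192.168.210.224 0.0.0.31 172.16.0.0 0.0.255.255
 deny   ip 192.168.210.224 0.0.0.31 192.168.210.64 0.0.0.31
 permit ip 192.168.210.224 0.0.0.31 any"""
SPOKE2_NONAT_FIXED = """ip access-list extended NONAT
 deny   ip 192.168.210.64 0.0.0.31 172.16.0.0 0.0.255.255
 deny   ip 192.168.210.64 0.0.0.31 192.168.210.224 0.0.0.31
 permit ip 192.168.210.64 0.0.0.31 any"""

def audit_spokes():
    """Audit both spokes before and after the fix, keyed by case name."""
    cases = {
        "spoke1-posted": (SPOKE1_CRYPTO, NONAT_POSTED),
        "spoke1-fixed": (SPOKE1_CRYPTO, SPOKE1_NONAT_FIXED),
        "spoke2-posted": (SPOKE2_CRYPTO, NONAT_POSTED),
        "spoke2-fixed": (SPOKE2_CRYPTO, SPOKE2_NONAT_FIXED),
    }
    return {name: audit(parse_acl(c), parse_acl(n)) for name, (c, n) in cases.items()}

if __name__ == "__main__":
    for name, (leaks, lan) in audit_spokes().items():
        print(f"{name:14} VPN flows NATed: {leaks or 'none'}; LAN -> Internet: {lan}")
```

Run as a script it prints one line per case. The two posted configurations fail in different ways: on Spoke 1 no NONAT line matches 192.168.210.224/27 at all, so nothing from that LAN is translated (VPN traffic included) and the LAN also gets no PAT to the Internet, which the check reports as `no-match`; on Spoke 2 the spoke-to-spoke flow 192.168.210.64/27 -> 192.168.210.224/27 misses the single deny, falls through to `permit ... any` and is translated before the crypto map ever sees it. With the corrected ACLs both spokes come back as `([], 'nat')`.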

You need a full-mesh VPN topology. The documentation is all online. Your best bet would be DMVPN, but the ASA does not support tunnel interfaces and therefore does not support DMVPN.

If you need help, contact me :-). http:rack.pub

http://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/3-2-2/user/guide/UserGuide/vpchap.html#wp586214
