Cisco ASA 5506-X - Site-to-Site VPN Tunnel - Return Traffic Dropped

Network Engineering · cisco · vpn · nat · network security
2021-07-29 17:12:28

I have configured a Cisco ASA 5506-X for one of my clients but cannot successfully pass traffic to and from the remote network. The VPN tunnel connects successfully according to "show crypto ipsec sa". Below is a copy of the sanitized configuration I am currently using:

: 
: Serial Number: XXXXXXXXXXX
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.4(1) 
!
hostname ciscoasa01
enable password XXXXXXXXXXXXXXX encrypted
names
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 172.16.10.163 255.255.255.248 
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0 
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 nameif management
 security-level 100
 no ip address
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 4.2.2.2
same-security-traffic permit inter-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Datacenter
 subnet 10.10.185.0 255.255.255.0
object network Internal
 subnet 192.168.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip object Internal object Datacenter 
access-list outside_cryptomap extended permit icmp object Internal object Datacenter
access-list internet_access extended permit ip object Internal any 
access-list outside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
no monitor-interface service-module 
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static Internal Internal destination static Datacenter Datacenter no-proxy-arp route-lookup
nat (outside,outside) source static Internal Internal destination static Datacenter Datacenter no-proxy-arp route-lookup
!
object network obj_any
 nat (any,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.10.161 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 20.30.40.185 
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA ESP-3DES-SHA-TRANS ESP-AES-256-SHA ESP-AES-256-SHA-TRANS
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 3600
crypto ikev1 enable outside
crypto ikev1 policy 120
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 3600
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 24.56.178.140 source outside prefer
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev2 l2tp-ipsec 
group-policy GroupPolicy_20.30.40.185 internal
group-policy GroupPolicy_20.30.40.185 attributes
 vpn-tunnel-protocol ikev1 
dynamic-access-policy-record DfltAccessPolicy
username admin password XXXXXXXXXXXXXX encrypted privilege 15
tunnel-group 20.30.40.185 type ipsec-l2l
tunnel-group 20.30.40.185 general-attributes
 default-group-policy GroupPolicy_20.30.40.185
tunnel-group 20.30.40.185 ipsec-attributes
 ikev1 pre-shared-key *****
 peer-id-validate nocheck
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map filtered-class
 match any
class-map global-class
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 description Filtered Traffic
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
 class filtered-class
  sfr fail-open
policy-map global-policy
 class global-class
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:3ed383cb9ad07574a579a99ea71c2946
: end

When I run a packet trace from this Cisco ASA to the remote network it works fine, but when I run a packet trace from the remote network back to the LAN behind this ASA I get the following:

# packet-tracer input outside tcp 10.10.185.2 3389 192.168.2.5 3389 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.2.5 using egress ifc  inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any any 
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffde35d0a0, priority=13, domain=permit, deny=false
    hits=24, user_data=0x7fffcfffed00, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
    input_ifc=outside, output_ifc=any

Phase: 3
Type: NAT     
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffdd3fd8a0, priority=0, domain=nat-per-session, deny=false
    hits=470, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
    input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffddb1e950, priority=0, domain=inspect-ip-options, deny=true
    hits=2051, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
    input_ifc=outside, output_ifc=any

Phase: 5
Type: SFR
Subtype: 
Result: ALLOW
Config:
class-map filtered-class
 match any
policy-map global_policy
 description Filtered Traffic
 class filtered-class
  sfr fail-open
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffde1e96f0, priority=71, domain=sfr, deny=false
    hits=25, user_data=0x7fffde1e90a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
    input_ifc=outside, output_ifc=any

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP  
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffde312c90, priority=70, domain=ipsec-tunnel-flow, deny=false
    hits=1, user_data=0x197c4, cs_id=0x7fffddbdbc70, reverse, flags=0x0, protocol=0
    src ip/id=10.10.185.0, mask=255.255.255.0, port=0, tag=any
    dst ip/id=192.168.2.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
    input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

I cannot seem to find what is stopping the traffic from returning properly. I also cannot seem to get traffic from the LAN behind the Cisco ASA out to the Internet and back, even though I have NAT rules that should take care of that, but I will start with the VPN tunnel traffic and work on one thing at a time.

Any ideas?

EDIT

Adding some information as requested by dareuja.

Output of show run nat:

# sho run nat
nat (outside,any) source static any any destination static interface Win_Svr service RDP RDP no-proxy-arp
nat (inside,outside) source dynamic obj_any interface
nat (inside,outside) source static Internal Internal destination static Datacenter Datacenter no-proxy-arp route-lookup
!
object network obj_any
 nat (any,outside) dynamic interface

Packet tracer output from the inside IP 192.168.2.5 to 8.8.8.8 on the outside:

# packet-tracer input inside tcp 192.168.2.5 53 8.8.8.8 53

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.16.10.161 using egress ifc  outside

Phase: 2
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (inside,outside) source dynamic obj_any interface
Additional Information:
Dynamic translate 192.168.2.5/53 to 172.16.10.163/53

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4      
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: SFR
Subtype: 
Result: ALLOW
Config:
class-map filtered-class
 match any
policy-map global_policy
 description Filtered Traffic
 class filtered-class
  sfr fail-open
service-policy global_policy global
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW 
Config:
nat (inside,outside) source dynamic obj_any interface
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 13956, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Output of 'show crypto ipsec sa peer 20.30.40.185':

# sh crypto ipsec sa peer 20.30.40.185 detail   
peer address: 20.30.40.185
    Crypto map tag: outside_map, seq num: 1, local addr: 172.16.10.163

      access-list outside_cryptomap extended permit ip 192.168.2.0 255.255.255.0 10.10.185.0 255.255.255.0 
      local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.185.0/255.255.255.0/0/0)
      current_peer: 20.30.40.185


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 11043, #pkts decrypt: 11043, #pkts verify: 11043
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
      #pkts invalid pad (rcv): 0,
      #pkts invalid ip version (rcv): 0,
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: 172.16.10.163/4500, remote crypto endpt.: 20.30.40.185/4500
      path mtu 1500, ipsec overhead 82(52), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: CDCAAA61
      current inbound spi : 337E6914

    inbound esp sas:
      spi: 0x337E6914 (863922452)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, IKEv1, }
         slot: 0, conn_id: 12288, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373985/2388)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xCDCAAA61 (3452611169)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, IKEv1, }
         slot: 0, conn_id: 12288, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4374000/2386)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001
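Two things in the output posted above can be checked mechanically, and the script below is an added triage example for that (my code, not part of the question or of either answer). First, the SA counters show #pkts encaps: 0 against #pkts decaps: 11043: the peer is encrypting toward this ASA, but this ASA has never encapsulated a single packet, so IKE and the inbound SA are fine and the fault is on this side's outbound path. Second, in the show run nat output in the edit, the dynamic PAT rule `nat (inside,outside) source dynamic obj_any interface` comes before the identity rule for Internal to Datacenter. Section 1 (manual NAT) on the ASA is evaluated top down, first match wins, so traffic from 192.168.2.0/24 to 10.10.185.0/24 would be translated to the outside address before the crypto map is consulted, would never match the crypto ACL, and would leave in cleartext via the default route; that would also account for an encaps counter of zero. The running config posted at the top of the question has the PAT rule as after-auto (section 3), where it cannot shadow the exemption. The script assumes the object definitions from the posted config and works on constructed excerpts of the thread's own output.

```python
"""Triage for an ASA site-to-site tunnel that only passes traffic one way.

Added example for this thread, not code from the original post. It parses the
'show crypto ipsec sa' counters and 'show run nat' output the question shows
and flags a one-way SA and a NAT-exempt rule shadowed by an earlier PAT rule.
"""
import ipaddress
import re

# Constructed excerpt of the 'show crypto ipsec sa' output posted in the question.
SA_OUTPUT = """\
      local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.185.0/255.255.255.0/0/0)
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 11043, #pkts decrypt: 11043, #pkts verify: 11043
"""

# Constructed excerpt of the 'show run nat' output posted in the question's edit.
NAT_OUTPUT = """\
nat (outside,any) source static any any destination static interface Win_Svr service RDP RDP no-proxy-arp
nat (inside,outside) source dynamic obj_any interface
nat (inside,outside) source static Internal Internal destination static Datacenter Datacenter no-proxy-arp route-lookup
!
object network obj_any
 nat (any,outside) dynamic interface
"""

# Constructed excerpt of the NAT lines in the running config posted first, where
# the PAT rule is 'after-auto' (section 3) and so cannot shadow the exemption.
RUNNING_CONFIG_NAT = """\
nat (inside,outside) source static Internal Internal destination static Datacenter Datacenter no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic any interface
"""

# Network objects as defined in the posted running config (constructed table).
OBJECTS = {
    "obj_any": ipaddress.ip_network("0.0.0.0/0"),
    "Internal": ipaddress.ip_network("192.168.2.0/24"),
    "Datacenter": ipaddress.ip_network("10.10.185.0/24"),
}

NAT_RE = re.compile(
    r"^nat \((?P<src_if>[^,]+),(?P<dst_if>[^)]+)\)\s+"
    r"(?:(?P<after>after-auto)\s+)?"
    r"source\s+(?P<kind>static|dynamic)\s+(?P<real>\S+)\s+(?P<mapped>\S+)"
    r"(?:\s+destination\s+static\s+(?P<dreal>\S+)\s+(?P<dmapped>\S+))?"
)


def sa_counters(text):
    """Return (encaps, decaps) packet counters from 'show crypto ipsec sa'."""
    enc = re.search(r"#pkts encaps:\s*(\d+)", text)
    dec = re.search(r"#pkts decaps:\s*(\d+)", text)
    if not (enc and dec):
        raise ValueError("SA packet counters not found")
    return int(enc.group(1)), int(dec.group(1))


def sa_is_one_way(text):
    """True when the peer sends into the tunnel but this ASA never encapsulates:
    IKE and inbound ESP are fine, the fault is on this side's outbound path."""
    encaps, decaps = sa_counters(text)
    return encaps == 0 and decaps > 0


def section1_rules(text):
    """Top-level manual NAT rules (section 1) in ASA evaluation order.
    Indented object NAT (section 2) and 'after-auto' rules (section 3) are skipped."""
    rules = []
    for line in text.splitlines():
        m = NAT_RE.match(line) if line.startswith("nat (") else None
        if m and not m.group("after"):
            rules.append(m.groupdict())
    return rules


def _is_identity(rule):
    """Identity (NAT-exempt) rule: real and mapped objects match on both sides."""
    return (rule["kind"] == "static" and rule["real"] == rule["mapped"]
            and rule["dreal"] is not None and rule["dreal"] == rule["dmapped"])


def shadowed_identity_rules(text, objects=OBJECTS):
    """Return (identity_index, shadowing_index) pairs over section1_rules(text).
    Section 1 is first-match: an earlier dynamic rule on the same ingress interface
    whose real source overlaps the exemption's source translates VPN-bound traffic
    first, so it no longer matches the crypto ACL and leaves via the default route."""
    rules = section1_rules(text)
    hits = []
    for i, ident in enumerate(rules):
        if not _is_identity(ident) or ident["real"] not in objects:
            continue
        real = objects[ident["real"]]
        for j in range(i):
            earlier = rules[j]
            if earlier["kind"] != "dynamic" or earlier["src_if"] not in (ident["src_if"], "any"):
                continue
            earlier_real = objects.get(earlier["real"])
            if earlier_real is not None and earlier_real.overlaps(real):
                hits.append((i, j))
                break
    return hits
```

Run it against the full outputs; `shadowed_identity_rules` returns an empty list when the exemption is first. The fix on the ASA side is ordering: give the identity rule the lowest sequence number in section 1 or, as the first posted config already does, keep the dynamic PAT as after-auto. Separately from the forwarding problem, a reviewer would also flag in the posted config `access-list outside_access_in extended permit ip any any` applied inbound on outside, 3DES and SHA-1 with DH group 2 in the IKE and IPsec proposals, `ssh key-exchange group dh-group1-sha1`, and `peer-id-validate nocheck`; none of these cause the drop, but they tend to ride along unnoticed in a troubleshooting config.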

2 Answers

You will not be able to test the VPN using packet-tracer from remote to local; if you do, expect a drop. I believe this is because the traffic is expected to be encrypted, so the security appliance drops the unencrypted packet it receives (even when simulated). (If I can set it up in my lab I will test this as well.) EDIT: Also tested in the lab; sourcing from the remote side when testing the VPN will drop. If anyone else has had a different experience, please let me know.

I ran into a very similar problem with an IKEv2 site-to-site tunnel between ASAs. Although all of the configuration looked correct, one side of the tunnel would route traffic back to the inside interface.

After hours of checking the configuration, what struck me was the packet-tracer output. I noticed that when I ran packet-tracer on the side of the tunnel that was working, the first phase in the output was the expected "UN-NAT". On the misbehaving ASA, the first phase of the packet-tracer output was "ROUTE-LOOKUP".

Check your routing configuration and the order of operations of your Cisco software.

For my configuration, the problem was the route-lookup statement in the un-nat NAT entry.
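The cue the second answer relies on (first phase UN-NAT versus ROUTE-LOOKUP) and the observation in the first answer (a cleartext packet-tracer from the outside dropping in the ipsec-tunnel-flow phase) can both be read off packet-tracer output mechanically. The script below is an added example, not code from either answer: it parses the Phase/Type/Subtype/Result blocks and reports the first phase type, the phase that dropped, and the Drop-reason line. TRACE_DROP is an abbreviated copy of the outside-to-inside trace from the question; TRACE_OK is a constructed contrast trace whose contents are an assumption, not output taken from the thread.

```python
"""Summarise ASA packet-tracer output: first phase, the dropping phase, and why.

Added example for this thread, not code from either answer. TRACE_DROP is an
abbreviated copy of the outside->inside trace posted in the question; TRACE_OK
is a constructed contrast trace (assumed output, not taken from the thread).
"""
import re

TRACE_DROP = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP

Result:
input-interface: outside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

TRACE_OK = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW

Phase: 2
Type: FLOW-CREATION
Subtype:
Result: ALLOW

Result:
input-interface: outside
output-interface: inside
Action: allow
"""

# One Phase block: the four header lines packet-tracer prints for every phase.
PHASE_RE = re.compile(
    r"^Phase:[ \t]*(?P<num>\d+)[ \t]*\n"
    r"Type:[ \t]*(?P<type>\S+)[ \t]*\n"
    r"Subtype:[ \t]*(?P<subtype>[^\n]*)\n"
    r"Result:[ \t]*(?P<result>\S+)",
    re.M,
)


def parse_phases(text):
    """Return each Phase block as a dict with int 'num' and stripped 'subtype'."""
    phases = []
    for m in PHASE_RE.finditer(text):
        d = m.groupdict()
        d["num"] = int(d["num"])
        d["subtype"] = d["subtype"].strip()
        phases.append(d)
    return phases


def first_phase_type(text):
    """Type of Phase 1: 'UN-NAT' when a static/identity NAT claimed the flow,
    'ROUTE-LOOKUP' when only the routing table did (the cue in answer 2)."""
    phases = parse_phases(text)
    return phases[0]["type"] if phases else None


def drop_phase(text):
    """The first phase whose Result is DROP, or None for an allowed trace."""
    return next((p for p in parse_phases(text) if p["result"] == "DROP"), None)


def drop_reason(text):
    """Text after 'Drop-reason:' in the final Result block, or None."""
    m = re.search(r"^Drop-reason:\s*(.+?)\s*$", text, re.M)
    return m.group(1) if m else None


def diagnose(text):
    """Short verdict. A DROP in VPN/ipsec-tunnel-flow for a packet injected in
    cleartext means the flow is owned by a crypto map; that is the expected
    outcome answer 1 describes, not evidence that the interface ACL is wrong."""
    p = drop_phase(text)
    if p is None:
        return "allow"
    if p["type"] == "VPN" and p["subtype"] == "ipsec-tunnel-flow":
        return "vpn-cleartext-drop"
    return "drop:{}/{}".format(p["type"], p["subtype"] or "-")
```

When the first phase is ROUTE-LOOKUP for a flow that an identity NAT should have claimed, check section 1 ordering and the route-lookup keyword as the second answer suggests; for the drop itself, confirm with real traffic from the remote side and watch the SA counters rather than relying on an outside-sourced trace.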