Cisco ASA site-to-site VPN, remote LAN has no Internet

network-engineering · cisco · vpn
2021-07-13 23:36:05

I have a site-to-site VPN between a Cisco ASA 5512 and a Cisco 891. I want all traffic, even Internet access, to go through our ASA. The VPN is up and working. The LANs can reach each other, but the remote LAN behind the 891 has no Internet. I have been working on this for a while, experimenting and researching, but I can't seem to figure out what I'm doing wrong. When running a traceroute, the traffic appears to be dropped at the ASA.

I assume it is a NAT rule or the VPN policy. I looked through the group policy and didn't find anything of interest, and I tried several NAT rules I thought were needed.

Below are the ASA config, the 891 config, and packet-tracer output from the ASA testing a ping from a remote-LAN user (172.17.55.x) to 8.8.8.8, which is dropped at Phase 8, ipsec-tunnel-flow.

I'm sure it's an amateur mistake on my part, but I can't seem to find it. Any help is appreciated!

ASA config

ASA Version 9.6(3)1  
!
hostname xxx
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names

!
interface GigabitEthernet0/0
 description Uplink To ComRTR
 nameif outside
 security-level 100
 ip address xx.xx.xx.50 255.255.255.240 
!
interface GigabitEthernet0/1
 description Link To 1941
 nameif inside
 security-level 100
 ip address 172.17.25.1 255.255.255.192 
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa963-1-smp-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network user-network
 subnet 192.168.128.0 255.255.255.0
object network server-network
 subnet 192.168.108.0 255.255.255.0
object network transit-network
 subnet 192.168.118.0 255.255.255.0
object network xxxUser
 subnet 172.17.50.0 255.255.255.0
object network xxxStorage
 subnet 172.17.55.0 255.255.255.0
object network xxxServer
 subnet 172.17.56.0 255.255.255.0
object network xxxMgmt
 subnet 172.17.57.0 255.255.255.0
object network xxxDMZOut
 subnet 172.17.65.0 255.255.255.192
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_4
 protocol-object ip
 protocol-object icmp
object-group network DM_INLINE_NETWORK_1
 network-object object xxxDMZOut
 network-object object xxxMgmt
 network-object object xxxServer
 network-object object xxxStorage
 network-object object xxxUser
object-group network xxxFO
 network-object object xxxMgmt
 network-object object xxxServer
 network-object object xxxStorage
 network-object object xxxUser
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any 
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any 
access-list inside_access_out extended permit object-group DM_INLINE_PROTOCOL_3 any any 
access-list outside_access_out extended permit object-group DM_INLINE_PROTOCOL_4 any any 
access-list outside_cryptomap extended permit ip any object-group DM_INLINE_NETWORK_1 
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-781-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (inside,outside) source static any any destination static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 no-proxy-arp route-lookup
nat (outside,outside) source dynamic xxxFO interface
nat (inside,outside) source dynamic inside-dmz-network interface
nat (inside,outside) source dynamic user-network interface
nat (inside,outside) source dynamic server-network interface
nat (inside,outside) source dynamic transit-network interface
nat (inside,outside) source dynamic any interface
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
router ospf 1
 network xx.xx.xx.48 255.255.255.240 area 0
 network 172.17.25.0 255.255.255.192 area 0
 area 0
 log-adj-changes
 redistribute static metric 10 metric-type 1 subnets
!
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.62 150
route inside 192.168.250.0 255.255.255.0 172.17.25.3 10
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
http server enable
http 192.168.128.0 255.255.255.0 inside
http 172.17.25.0 255.255.255.192 inside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
sysopt noproxyarp inside
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer xx.xx.xx.55 
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256 aes-192 aes
 integrity sha256 sha
 group 19 5 2
 prf sha384 sha256 sha
 lifetime seconds 3600
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 enable inside
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 3600
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.128.0 255.255.255.0 inside
ssh 172.17.25.0 255.255.255.192 inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 129.6.15.30 source outside prefer
ntp server 129.6.15.28 source outside
group-policy GroupPolicy_xx.xx.xx.55 internal
group-policy GroupPolicy_xx.xx.xx.55 attributes
 vpn-tunnel-protocol ikev1 ikev2 
dynamic-access-policy-record DfltAccessPolicy
tunnel-group xx.xx.xx.55 type ipsec-l2l
tunnel-group xx.xx.xx.55 general-attributes
 default-group-policy GroupPolicy_xx.xx.xx.55
tunnel-group xx.xx.xx.55 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect icmp 
  inspect icmp error 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 9
  subscribe-to-alert-group configuration periodic monthly 9
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1f0f409a04c12c7ae27344ced61dc9ff
: end

891 config

Building configuration...

Current configuration : 5837 bytes
!
! Last configuration change at 16:01:35 UTC Fri Oct 20 2017 by xadmin
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxx
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-4171442197
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4171442197
 revocation-check none
 rsakeypair TP-self-signed-4171442197
!
!
crypto pki certificate chain TP-self-signed-4171442197
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 34313731 34343231 3937301E 170D3137 30393239 31363236
  30395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31373134
  34323139 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  81009450 A8547893 136F6C92 1E677A11 F8D6BCAA B04B9719 C72995B4 700A9D23
  36F3BA2D 9BEF1764 EE597429 31BB8B53 F0F1819A F7045E4D 8B732B1F 71E86339
  6471B695 2FE1E053 A80E2E76 0818432E E38CA925 86AAFD79 606297A5 8AB4437E
  62BDD416 567EA9E5 4CBAD846 67B63866 ABA598FC C0995092 BA50CC93 994DF537
  EFA30203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 148C7228 7D29BC2C D1889BA2 B498EA3D 9EA0CD3E EB301D06
  03551D0E 04160414 8C72287D 29BC2CD1 889BA2B4 98EA3D9E A0CD3EEB 300D0609
  2A864886 F70D0101 05050003 81810094 4EE90FA5 EB72183B 4F6C38EB 4A83A6C7
  7A5345F4 A0D0AFA6 F31B9EF3 8DDAFDB5 74103BF3 D86BB26E CEAD05BD A213CD01
  A968B4D6 32160C2A E84E0E1C 308F34E5 F041E1F5 AA4740C8 497517DE 5BECDA82
  3C985E40 7D4FA127 17566B5E 23D42842 36FC679A 496FA752 747FBFDE 7FE61B83
  0E6F6932 990775FD 650704FE 18985C
        quit
!
!
!
!


!
ip dhcp excluded-address 172.17.50.1 172.17.50.99
ip dhcp excluded-address 172.17.50.201 172.17.50.254
ip dhcp excluded-address 172.17.56.1 172.17.56.199
ip dhcp excluded-address 172.17.56.221 172.17.56.254
ip dhcp excluded-address 172.17.55.1 172.17.55.199
ip dhcp excluded-address 172.17.55.221 172.17.55.254
!
ip dhcp pool user100
 import all
 network 172.17.50.0 255.255.255.0
 default-router 172.17.50.1
 dns-server 192.168.108.11 172.17.56.60
 domain-name xxx
!
ip dhcp pool storage300
 import all
 network 172.17.55.0 255.255.255.0
 default-router 172.17.55.1
 dns-server 192.168.108.11 172.17.56.60
 domain-name xxx
!
ip dhcp pool servers400
 import all
 network 172.17.56.0 255.255.255.0
 default-router 172.17.56.1
 dns-server 192.168.108.11 172.17.56.60
 domain-name xxx
!
!
!
ip domain name xxx
ip name-server 172.17.56.60
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C891F-K9 sn FGL1931238L
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key xxx address xx.xx.xx.50
!
!
crypto ipsec transform-set xxx esp-aes esp-sha-hmac
 mode tunnel
!
!
!
crypto map xxx 10 ipsec-isakmp
 set peer xx.xx.xx.50
 set transform-set xxx
 match address 100
!
!
!
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0
 description User
 switchport access vlan 100
 no ip address
!
interface GigabitEthernet1
 description Trunk to Host NIC1
 switchport mode trunk
 no ip address
!
interface GigabitEthernet2
 description Trunk to Host NIC2
 switchport mode trunk
 no ip address
!
interface GigabitEthernet3
 description Mgmt
 switchport access vlan 500
 no ip address
!
interface GigabitEthernet4
 description User
 switchport access vlan 100
 no ip address
!
interface GigabitEthernet5
 description Synology
 switchport access vlan 300
 no ip address
!
interface GigabitEthernet6
 description Synology
 switchport access vlan 300
 no ip address
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 ip address xx.xx.xx.55 255.255.255.240
 duplex auto
 speed auto
 crypto map xxx
!
interface Vlan1
 no ip address
!
interface Vlan100
 description User vlan
 ip address 172.17.50.1 255.255.255.0
!
interface Vlan300
 description Storage vlan
 ip address 172.17.55.1 255.255.255.0
!
interface Vlan400
 description Server vlan
 ip address 172.17.56.1 255.255.255.0
!
interface Vlan500
 description Management vlan
 ip address 172.17.57.1 255.255.255.0
!
interface Async3
 no ip address
 encapsulation slip
!
router ospf 1
 network xx.xx.xx.48 0.0.0.15 area 0
 network 172.17.50.0 0.0.0.255 area 0
 network 172.17.55.0 0.0.0.255 area 0
 network 172.17.56.0 0.0.0.255 area 0
 network 172.17.57.0 0.0.0.255 area 0
 network 172.17.65.0 0.0.0.63 area 0
!
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.62
!
!
access-list 100 permit ip 172.17.50.0 0.0.0.255 any
access-list 100 permit ip 172.17.55.0 0.0.0.255 any
access-list 100 permit ip 172.17.56.0 0.0.0.255 any
access-list 100 permit ip 172.17.57.0 0.0.0.255 any
access-list 100 permit ip 172.17.65.0 0.0.0.63 any
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
 no modem enable
line aux 0
line 3
 modem InOut
 speed 115200
 flowcontrol hardware
line vty 0 4
 login local
 transport input ssh
!
scheduler allocate 20000 1000
!
end

Packet-tracer output

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop xx.xx.xx.62 using egress ifc  outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,outside) source dynamic xxxFO interface
Additional Information:
Dynamic translate 172.17.55.200/0 to xx.xx.xx.50/21969

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

3 Answers

1

Your configs on the Cisco ASA and the 891 router look fine to me. I was able to apply most of them in the following scenario, and it works:

[Image: lab topology diagram]

Let's say:

  • Your local LAN network is on R4's Loopback 0 interface.

  • Your remote LAN networks are on R1's loopback interface and on R3.

  • The Internet resource is on R2.

When you want to reach:

  • The local network (R4 Lo0 IP 192.168.108.1) from the remote networks (R1 Lo0 IP 172.17.55.200 and R3): the VPN tunnel comes up, the traffic passes through it and is forwarded to the local network via R4. The IP addresses of the remote and local networks stay unchanged (NAT exemption):

    ###Successfully ping R4 Lo0:
    
    R1#ping 192.168.108.1 source loopback 0
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.108.1, timeout is 2 seconds:
    Packet sent with a source address of 172.17.55.200
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 32/40/44 ms
    
    
    R3#ping 192.168.108.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.108.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 120/124/128 ms
    
    
    ciscoasa#show isa
    
    IKEv1 SAs:
    
     Active SA: 1
      Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
     Total IKE SA: 1
    
     1   IKE Peer: 45.67.89.1
         Type    : L2L             Role    : responder
         Rekey   : no              State   : MM_ACTIVE
    
  • Internet resources (R2 IP 56.78.90.1) from the remote networks (R1 Lo0 IP 172.17.55.200 and R3): the VPN tunnel comes up, the traffic passes through it and is forwarded back out the same outside interface (the remote networks' addresses are NATed to the ASA outside IP 13.10.12.1) towards the Internet (R5, then R2):

    ###Successfully ping R2:
    
    R1#ping 56.78.90.1 source loopback 0
    
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 56.78.90.1, timeout is 2 seconds:
    Packet sent with a source address of 172.17.55.200
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 40/51/60 ms
    
    
    R3#ping 56.78.90.1
    
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 56.78.90.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 120/148/216 ms
    
    
    ###Successfully SSH and logged into R2:
    
    R3#ssh -l Netlab 56.78.90.1    
    Password:    
    R2#
    
    ###NATted, captured traffic and connections on ASA:
    
    ciscoasa# show xlate
    ...
    ICMP PAT from outside:172.17.55.200/4 to outside:13.10.12.1/4 flags ri idle 0:00:04 timeout 0:00:30
    TCP PAT from outside:172.17.50.2/17592 to outside:13.10.12.1/17592 flags ri idle 0:00:12 timeout 0:00:30
    
    
    ciscoasa# show conn
    4 in use, 5 most used
    
    TCP outside  56.78.90.1:22 outside  172.17.50.2:17592, idle 0:00:18, bytes 1947, flags UIOB
    
    
    ciscoasa# show capture
    capture Internet type raw-data interface outside [Capturing - 4615 bytes]
      match tcp any host 56.78.90.1 eq ssh
    
    
    ciscoasa# show capture Internet
    
    87 packets captured
    
    1: 10:04:51.166068       13.10.12.1.17592 > 56.78.90.1.22: S 2513675164:2513675164(0) win 4128 <mss 536>
    2: 10:04:51.196645       56.78.90.1.22 > 13.10.12.1.17592: S 497508457:497508457(0) ack 2513675165 win 4128 <mss 536>
    3: 10:04:51.248705       13.10.12.1.17592 > 56.78.90.1.22: . ack 497508458 win 4128
    ...
    

2

As I wrote earlier in the comments, you should not test with packet-tracer in this scenario, or in any VPN scenario where the input interface is outside and the source IP belongs to the remote network. It will always result in a "Drop" at the VPN phase.

Even though I was able to reach R2 with real traffic from R3, I got the following "drop" from packet-tracer:

ciscoasa# packet-tracer input outside tcp 172.17.50.2 17592 56.78.90.1 22
...
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
...

3

To troubleshoot this, you should:

  • Enable a capture similar to the one I used in section 1.
  • Test with real traffic from the remote network.
  • Test against a public URL as well as a public IP address, in case your DNS servers (local: 192.168.108.11, remote: 172.17.56.60) are not working properly.
  • Monitor the NATed packets and connections on the ASA side.

I hope this helps. You can update your question later with more findings and I will update this answer accordingly.

Solved.

It seems to be an undocumented Cisco bug with ASDM: when multiple objects are used in a NAT statement, the ASA doesn't like the object-group that ASDM creates. The ASA was building connections to the wrong interface. I cleared the NAT statement, built the object-group myself, applied it, and connections started building as expected.

Thanks for the help!

If the traffic enters the ASA's outside interface, is decrypted and goes straight back out the same interface, then I think you need the following command.

same-security-traffic permit intra-interface

Update:

The same-security-traffic intra-interface command allows traffic to enter and exit the same interface, which is normally not permitted. This feature can be useful for VPN traffic that enters an interface but is then routed out of that same interface.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/s1.html
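The two prerequisites the answers above rely on for hairpinned Internet access, `same-security-traffic permit intra-interface` and a `nat (outside,outside) source dynamic ... interface` rule that covers every remote subnet named in the crypto ACL, can be checked mechanically before reaching for packet-tracer. The script below is an added example and is not code from the original post or from Cisco: it parses the `object network`, `object-group network`, crypto-ACL and NAT lines of an ASA running-config and reports any crypto-ACL destination that has no hairpin PAT. `SAMPLE_CFG` is constructed from the question's own ASA config (same object and group names, reduced to three subnets); on it the lint reports that `xxxDMZOut` (172.17.65.0/26) is in `DM_INLINE_NETWORK_1` but not in the `xxxFO` PAT group, the kind of NAT-versus-crypto-ACL mismatch worth ruling out before rebuilding NAT statements.

```python
"""Added example (not from the original post): lint an ASA config for the two prerequisites
of hairpinned Internet access over a site-to-site VPN. SAMPLE_CFG is constructed from the
relevant fragments of the question's ASA config."""
import re
from ipaddress import IPv4Network
from typing import Dict, List, Set

SAMPLE_CFG = """\
same-security-traffic permit intra-interface
object network xxxUser
 subnet 172.17.50.0 255.255.255.0
object network xxxStorage
 subnet 172.17.55.0 255.255.255.0
object network xxxDMZOut
 subnet 172.17.65.0 255.255.255.192
object-group network DM_INLINE_NETWORK_1
 network-object object xxxDMZOut
 network-object object xxxStorage
 network-object object xxxUser
object-group network xxxFO
 network-object object xxxStorage
 network-object object xxxUser
access-list outside_cryptomap extended permit ip any object-group DM_INLINE_NETWORK_1
nat (outside,outside) source dynamic xxxFO interface
crypto map outside_map 1 match address outside_cryptomap
"""

def parse_network_objects(cfg: str) -> Dict[str, IPv4Network]:
    """'object network NAME' followed by ' subnet ADDR MASK' -> {NAME: network}."""
    objects, current = {}, None
    for line in (l.rstrip() for l in cfg.splitlines()):
        if m := re.match(r"object network (\S+)$", line):
            current = m.group(1)
        elif not line.startswith(" "):
            current = None
        elif current and (m := re.match(r" subnet (\S+) (\S+)$", line)):
            objects[current] = IPv4Network(f"{m.group(1)}/{m.group(2)}")
    return objects

def parse_network_groups(cfg: str, objects: Dict[str, IPv4Network]) -> Dict[str, Set[IPv4Network]]:
    """'object-group network NAME' with 'network-object object X | host A | A M' members."""
    groups, current = {}, None
    for line in (l.rstrip() for l in cfg.splitlines()):
        if m := re.match(r"object-group network (\S+)$", line):
            current = m.group(1)
            groups[current] = set()
        elif not line.startswith(" "):
            current = None
        elif current and (m := re.match(r" network-object (\S+) (\S+)$", line)):
            kind, val = m.groups()
            groups[current].add(objects[val] if kind == "object" else
                                IPv4Network(f"{val}/32" if kind == "host" else f"{kind}/{val}"))
    return groups

def _resolve(name: str, objects, groups) -> Set[IPv4Network]:
    """Expand 'any', an object name or an object-group name into a set of networks."""
    if name in ("any", "any4"):
        return {IPv4Network("0.0.0.0/0")}
    return set(groups[name]) if name in groups else {objects[name]}

def _take_addr(toks: List[str], i: int, objects, groups):
    """Consume one ACL address spec starting at toks[i]; return (networks, next index)."""
    if toks[i] in ("any", "any4"):
        return _resolve(toks[i], objects, groups), i + 1
    if toks[i] in ("object", "object-group"):
        return _resolve(toks[i + 1], objects, groups), i + 2
    if toks[i] == "host":
        return {IPv4Network(f"{toks[i + 1]}/32")}, i + 2
    return {IPv4Network(f"{toks[i]}/{toks[i + 1]}")}, i + 2

def crypto_acl_destinations(cfg: str, objects, groups) -> Set[IPv4Network]:
    """Destination networks of every ACL bound with 'crypto map ... match address'."""
    acls = set(re.findall(r"^crypto map \S+ \d+ match address (\S+)", cfg, re.M))
    dests = set()
    for toks in (l.split() for l in cfg.splitlines()):
        if len(toks) < 7 or toks[0] != "access-list" or toks[1] not in acls or toks[3] != "permit":
            continue
        i = 6 if toks[4] == "object-group" else 5      # the protocol may itself be a group
        _, i = _take_addr(toks, i, objects, groups)    # source side, not needed for this check
        dests |= _take_addr(toks, i, objects, groups)[0]
    return dests

def hairpin_nat_sources(cfg: str, objects, groups) -> Set[IPv4Network]:
    """Real sources PATed to the outside address by 'nat (outside,outside) source dynamic X interface'."""
    pat = re.compile(r"^nat \(outside,outside\) source dynamic (\S+) interface", re.M)
    return set().union(*(_resolve(m.group(1), objects, groups) for m in pat.finditer(cfg)))

def hairpin_findings(cfg: str) -> List[str]:
    """Problems found; an empty list means every crypto-ACL destination can hairpin to the Internet."""
    findings = []
    if not re.search(r"^same-security-traffic permit intra-interface", cfg, re.M):
        findings.append("missing: same-security-traffic permit intra-interface")
    objects = parse_network_objects(cfg)
    groups = parse_network_groups(cfg, objects)
    natted = hairpin_nat_sources(cfg, objects, groups)
    for net in sorted(crypto_acl_destinations(cfg, objects, groups)):
        if not any(net.subnet_of(big) for big in natted):
            findings.append(f"remote subnet {net} is in the crypto ACL but has no (outside,outside) PAT")
    return findings
```

Run `hairpin_findings(open("asa.cfg").read())` against a `show running-config` dump; an empty list means both checks pass, and each string names the exact subnet or command to fix. The lint only covers reachability: it says nothing about the strength of the IKE and IPsec proposals, and the posted ASA config still offers DES, 3DES, MD5 and DH group 2 alongside the AES/SHA entries, which are worth pruning once the tunnel works.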