Cisco ASA to AWS cloud L2L ACL issue

network-engineering l2vpn aws
2021-07-22 16:38:30

Need some help seeing what I'm currently not seeing. I've built an L2L to the AWS cloud. I ran a packet-trace outbound and it passes, but when I run a packet-tracer inbound I keep getting denied by the implicit rule. I've checked my config and I don't see what's denying it; maybe a fresh pair of eyes will see what I'm not seeing.

Here is my config:

object network dw01
host 10.20.10.103

object network dw01-NATLDN
host 10.180.0.103


object-group network Amazon.LocalLDN
network-object 10.180.0.0 255.255.255.0

object-group network Amazon-RemoteLDN
network-object 10.30.0.0 255.255.0.0


access-list OUTSIDE_cryptomap_10 extended permit ip object-group Amazon.LocalLDN object-group Amazon-RemoteLDN
access-list OUTSIDE_cryptomap_10 extended permit ip object-group Amazon-RemoteLDN object-group Amazon.LocalLDN

access-list amznLDN-filter extended permit ip host 52.56.71.96 host 208.126.125.10
access-list amznLDN-filter extended permit ip 10.30.0.0 255.255.0.0 10.180.0.0 255.255.255.0


nat (INSIDE,OUTSIDE) source static dw01 dw01-NATLDN destination static Amazon-RemoteLDN Amazon-RemoteLDN


crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac

crypto map OUTSIDE_map 15 match address OUTSIDE_cryptomap_10
crypto map OUTSIDE_map 15 set pfs group2
crypto map OUTSIDE_map 15 set peer 52.56.71.96 
crypto map OUTSIDE_map 15 set ikev1 transform-set transform-amzn
crypto map OUTSIDE_map 15 set security-association lifetime seconds 3600
crypto map OUTSIDE_map 15 set nat-t-disable

tunnel-group 52.56.71.96 type ipsec-l2l
tunnel-group 52.56.71.96 general-attributes
default-group-policy Amazon-LDN
tunnel-group 52.56.71.96 ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 10 retry 10

group-policy Amazon-LDN internal
group-policy Amazon-LDN attributes
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter value amznLDN-filter
vpn-tunnel-protocol ikev1

Trace:

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x738e6b38, priority=13, domain=capture, deny=false
hits=2884362251, user_data=0x73831aa0, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=OUTSIDE, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x72f221c0, priority=1, domain=permit, deny=false
hits=31054542779, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=OUTSIDE, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.0.0.0 255.0.0.0 INSIDE

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x73cd1e50, priority=11, domain=permit, deny=true
hits=28748828, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=OUTSIDE, output_ifc=any

Thanks in advance for your help!!

1 Answer

You cannot use packet-tracer for outside-to-inside traffic when it involves a tunnel that terminates directly on the ASA. Have you actually tested the tunnel in both directions with real traffic?

Also, you cannot define the tunnel to AWS the way you have, because AWS tunnels are route-based.

AWS requires "any" in the crypto map match ACL, and all restrictions are done via the VPN filter or routing. That said, issue the following commands to correct your crypto map ACL:

access-list OUTSIDE_cryptomap_10 extended permit ip any object-group Amazon-RemoteLDN
no access-list OUTSIDE_cryptomap_10 extended permit ip object-group Amazon.LocalLDN object-group Amazon-RemoteLDN
no access-list OUTSIDE_cryptomap_10 extended permit ip object-group Amazon-RemoteLDN object-group Amazon.LocalLDN

The VPN filter filters traffic from the remote side and is applied after the tunnel is formed (meaning it has no effect on restricting the public peer IP, as you were trying to do). That said, issue the following command to correct your VPN filter:

no access-list amznLDN-filter extended permit ip host 52.56.71.96 host 208.126.125.10

To add a redundant/fault-tolerant tunnel configuration, find the configuration script that AWS created for you to copy/paste, and locate the crypto map section and the tunnel-group section for the second tunnel. Then, on your ASA, you need to do the following:

crypto map OUTSIDE_map 15 set peer 52.56.71.96 <secondary tunnel peer IP address goes here after the existing peer IP address>
!
tunnel-group <secondary peer IP address here> type ipsec-l2l
tunnel-group <secondary peer IP address here> general-attributes
default-group-policy Amazon-LDN
tunnel-group <secondary peer IP address here> ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 10 retry 10
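As an added check (example code, not part of the question or the answer above), the following Python script parses the access-list and crypto map lines from the posted configuration and flags the two mistakes the answer describes: a crypto map ACE whose source is not "any", and a vpn-filter entry that names the tunnel peer's public IP, which can never match because the filter only sees decrypted traffic. The config text is a constructed excerpt of the configuration posted in the question.

```python
import re
# Constructed excerpt of the ASA configuration posted in the question.
ASA_CONFIG = """\
access-list OUTSIDE_cryptomap_10 extended permit ip object-group Amazon.LocalLDN object-group Amazon-RemoteLDN
access-list OUTSIDE_cryptomap_10 extended permit ip object-group Amazon-RemoteLDN object-group Amazon.LocalLDN
access-list amznLDN-filter extended permit ip host 52.56.71.96 host 208.126.125.10
access-list amznLDN-filter extended permit ip 10.30.0.0 255.255.0.0 10.180.0.0 255.255.255.0
crypto map OUTSIDE_map 15 match address OUTSIDE_cryptomap_10
crypto map OUTSIDE_map 15 set peer 52.56.71.96
vpn-filter value amznLDN-filter
"""
ACE_RE = re.compile(r"access-list (\S+) extended (permit|deny) (\S+) (.+)")

def take_endpoint(tokens):
    """Consume one ACE endpoint: 'any' is a single token, every other form is two."""
    n = 1 if tokens[0] == "any" else 2
    return " ".join(tokens[:n]), tokens[n:]

def parse_acls(config):
    """Map ACL name -> list of (action, protocol, source, destination) tuples."""
    acls = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            name, action, proto, tail = m.groups()
            src, tail = take_endpoint(tail.split())
            dst, _ = take_endpoint(tail)
            acls.setdefault(name, []).append((action, proto, src, dst))
    return acls

def lint(config):
    """Return one finding per ACE that shows a mistake the answer describes."""
    acls = parse_acls(config)
    peers = set()
    for m in re.finditer(r"crypto map \S+ \d+ set peer (.+)", config):
        peers.update(m.group(1).split())  # one or more peer IPs on the line
    findings = []
    # An AWS route-based tunnel expects 'any' as the source of the crypto map ACE.
    for m in re.finditer(r"crypto map \S+ \d+ match address (\S+)", config):
        for _, _, src, _ in acls.get(m.group(1), []):
            if src != "any":
                findings.append(f"{m.group(1)}: source '{src}' should be 'any'")
    # vpn-filter is applied to decrypted traffic, so an entry naming the peer IP never matches.
    for m in re.finditer(r"vpn-filter value (\S+)", config):
        for _, _, src, dst in acls.get(m.group(1), []):
            if any(f"host {p}" in (src, dst) for p in peers):
                findings.append(f"{m.group(1)}: '{src} -> {dst}' names the tunnel peer")
    return findings
```

Running lint(ASA_CONFIG) reports three findings, two for the crypto map ACEs and one for the vpn-filter entry; after applying the corrections from the answer the same function returns an empty list.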