I have two locations with a site-to-site IPsec VPN configured between them. The LAN on one side is 192.168.30.x. The LAN on the other end is 192.168.16.x, with a 192.168.2.x subnet attached to it through a Cisco 3560 switch. Every host on the 192.168.30.x and 192.168.16.x LANs can ping, RDP, etc. without any problem. The problem is that the 192.168.2.x and 192.168.30.x subnets cannot see each other (no ping, RDP, etc.). I am using an ASA 5510 on the 192.168.16.x side and a TZ-215 on the 192.168.30.x side.
Below is the ASA 5510 configuration for the 192.168.16.x side, which has the 192.168.2.x subnet attached via the Cisco 3560 switch.
ASA Version 8.2(5)48
!
hostname ***-**-*****
domain-name **********.com
enable password **************** encrypted
passwd **************** encrypted
names
dns-guard
!
interface Ethernet0/0
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.16.42 255.255.255.252
!
interface Ethernet0/1
description Credit Solutions connection
nameif outside
security-level 0
ip address 97.64.134.142 255.255.255.252
!
interface Ethernet0/2
description Internet Connection (and VOIP)
nameif internet
security-level 0
ip address 63.229.183.186 255.255.255.248
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
speed 100
duplex full
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa825-48-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name **********.com
same-security-traffic permit intra-interface
object-group network telesoft_in_nonvoip
network-object 69.176.73.0 255.255.255.224
network-object 69.176.73.32 255.255.255.224
object-group network telesoft_in_voip
network-object 172.25.0.0 255.255.0.0
object-group service telesoft_in_voip_tcpudp tcp-udp
port-object eq sip
port-object eq www
object-group service telesoft_in_nonvoip_udp udp
port-object eq tftp
object-group service telesoft_in_nonvoip_tcp tcp
port-object eq ftp
object-group service telesoft_in_voip_udp udp
port-object range 16384 32776
object-group network inside_voip
network-object 10.255.18.208 255.255.255.240
object-group network test-access
network-object host 184.98.74.30
network-object host 4.2.2.2
object-group network RFC1918
network-object 192.168.0.0 255.255.0.0
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
object-group network VoIP
description Telesphere Ranges
network-object 63.229.183.184 255.255.255.248
network-object 69.176.73.0 255.255.255.192
access-list internet-side extended permit ip 162.42.243.208 255.255.255.240 63.229.183.184 255.255.255.248
access-list internet-side extended deny ip any host 10.255.18.209
access-list internet-side extended permit tcp object-group telesoft_in_nonvoip 10.255.18.208 255.255.255.240 object-group telesoft_in_nonvoip_tcp
access-list internet-side extended permit udp object-group telesoft_in_nonvoip 10.255.18.208 255.255.255.240 object-group telesoft_in_nonvoip_udp
access-list internet-side extended permit tcp object-group telesoft_in_voip object-group inside_voip object-group telesoft_in_voip_tcpudp
access-list internet-side extended permit udp object-group telesoft_in_voip object-group inside_voip object-group telesoft_in_voip_tcpudp
access-list internet-side extended permit udp object-group telesoft_in_voip object-group inside_voip object-group telesoft_in_voip_udp
access-list internet-side extended permit icmp any any echo-reply
access-list internet-side extended permit icmp any any time-exceeded
access-list nonat extended permit ip object-group RFC1918 object-group RFC1918
access-list nonat extended permit ip object-group RFC1918 object-group VoIP
access-list nonat extended permit ip 192.168.16.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list inside extended permit icmp any any
access-list inside extended permit ip any any
access-list outside extended permit icmp any any
access-list vpn_tunnel_phxnap extended permit ip 192.168.16.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list vpn_tunnel_phxnap extended permit ip 192.168.2.0 255.255.255.0 192.168.30.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 16384
logging monitor debugging
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu internet 1500
mtu management 1500
ip local pool NogalesTest 192.168.16.28-192.168.16.29 mask 255.255.255.248
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (management) 1 0.0.0.0 0.0.0.0
static (inside,outside) 192.168.2.0 192.168.6.0 netmask 255.255.255.0
access-group inside in interface inside
access-group outside in interface outside
access-group internet-side in interface internet
route outside 0.0.0.0 0.0.0.0 97.64.134.141 1
route outside 4.2.2.2 255.255.255.255 97.64.134.141 1
route outside 10.10.0.0 255.255.0.0 192.168.7.2 1
route inside 10.255.18.208 255.255.255.240 192.168.16.41 1
route internet 65.243.39.0 255.255.255.0 63.229.183.185 1
route internet 69.176.73.0 255.255.255.224 63.229.183.185 1
route internet 69.176.73.32 255.255.255.224 63.229.183.185 1
route internet 162.42.243.208 255.255.255.240 63.229.183.185 1
route internet 172.25.0.0 255.255.0.0 63.229.183.185 1
route outside 184.98.74.30 255.255.255.255 173.16.104.1 1
route outside 184.164.128.134 255.255.255.255 97.64.134.141 1
route inside 192.168.0.0 255.255.0.0 192.168.16.41 1
route inside 192.168.2.0 255.255.255.0 192.168.16.41 1
route inside 192.168.4.0 255.255.255.0 192.168.16.41 1
route inside 192.168.17.0 255.255.255.0 192.168.16.41 1
route outside 192.168.30.0 255.255.255.0 184.164.128.134 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.16.0 255.255.255.192 inside
http 192.168.1.0 255.255.255.0 management
http 192.168.0.73 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside-map 2 match address vpn_tunnel_phxnap
crypto map outside-map 2 set peer 184.164.128.134
crypto map outside-map 2 set transform-set ESP-3DES-SHA
crypto map outside-map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 192.168.16.0 255.255.255.192 inside
ssh 184.98.74.30 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 60
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
dns-server value 192.168.2.14 192.168.0.7
default-domain value *********.com
username asaadmin password **************** encrypted
username admin password **************** encrypted
username jmartin password **************** encrypted privilege 0
tunnel-group 184.164.128.134 type ipsec-l2l
tunnel-group 184.164.128.134 ipsec-attributes
pre-shared-key ****************
isakmp keepalive threshold 10 retry 3
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect rsh
inspect sunrpc
inspect xdmcp
inspect tftp
inspect dns
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:***********************
: end