在 VPN 隧道出口侧通过 SSH 连接到 ASA

网络工程 思科 虚拟专用网 ssh
2021-07-08 21:06:59

我在两个 ASA 设备(图中的 HQ-FW1 和 Branch-FW1)之间有一个正常运行的 L2L 隧道。

网络图

HQ-PC2 - 192.168.10.21
HQ-FW1 eth0 - 192.168.20.2 (outside)
HQ-FW1 eth1 - 192.168.10.2 (inside)
Branch-FW1 eth0 - 10.1.1.2 (outside)
Branch-FW1 eth1 - 10.1.10.1 (inside)
Branch-PC2 - 10.1.10.3

我有适用于 ASA 和它们各自内部网络的 SSH 配置(Branch-PC2 -> Branch-FW1 和 HQ-PC2 -> HQ-FW1)我可以成功连接通过 HQ-AAA-Server 节点执行的身份验证。我还可以从 HQ-PC2 SSH 到 Branch-PC2,表明 SSH 确实可以通过隧道工作。

但是我无法获得从 HQ-PC2 到 Branch-FW1 的 SSH 连接。当我尝试连接时没有响应,并且从 Wireshark 来看,根本没有从 Branch-FW1 返回的响应(没有 SYN-ACK 数据包)。

控制台输出

SSH 配置:

Branch-FW(config)# show ssh
Timeout: 10 minutes
Version allowed: 2
192.168.10.21 255.255.255.255 inside
192.168.10.2 255.255.255.255 inside
192.168.20.2 255.255.255.255 inside
10.1.10.1 255.255.255.255 inside
10.1.10.3 255.255.255.255 inside

我已经为 HQ-FW1 添加了外部和内部接口,以防源地址被 NAT,但它没有帮助。我不确定是什么问题?

编辑:另外值得注意的是,ASA 不会响应从总部网络到其内部接口的 ping。

完整配置:


: 
: Serial Number: 9A2EL3EHE12
: Hardware:   ASAv, 2048 MB RAM, CPU Pentium II 2000 MHz
: Written by admin at 14:49:01.099 UTC Fri Dec 3 2021
!
ASA Version 9.5(2)204 
!
hostname Branch-FW
domain-name asecuritycompany.com
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
 description TO THE BRANCH ROUTER OUTSIDE 10.1.1.0/30 NETWORK
 nameif outside
 security-level 0
 ip address 10.1.1.2 255.255.255.252 
!
interface GigabitEthernet0/1
 description TO THE BRANCH INSIDE 10.1.10.0/24 NETWORK
 nameif inside
 security-level 100
 ip address 10.1.10.1 255.255.255.0 
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name asecuritycompany.com
same-security-traffic permit inter-interface
object network net-local
 subnet 10.1.10.0 255.255.255.0
object network net-outside
 subnet 10.1.1.0 255.255.255.252
object network net-remote
 subnet 192.168.10.0 255.255.255.0
access-list HQFTPACL extended permit ip object net-local object net-remote 
pager lines 23
mtu outside 1500
mtu inside 1500
no failover
no monitor-interface service-module 
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static net-local net-local destination static net-remote net-remote
!
object network net-local
 nat (inside,outside) dynamic interface
object network net-outside
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
aaa-server HQ-TACACS-GROUP protocol tacacs+
aaa-server HQ-TACACS-GROUP (inside) host 192.168.10.10
 key testing123
user-identity default-domain LOCAL
aaa authentication serial console HQ-TACACS-GROUP LOCAL
aaa authentication telnet console HQ-TACACS-GROUP LOCAL
aaa authentication ssh console HQ-TACACS-GROUP LOCAL
aaa authentication enable console HQ-TACACS-GROUP LOCAL
aaa authorization command HQ-TACACS-GROUP LOCAL
aaa accounting ssh console HQ-TACACS-GROUP
aaa accounting enable console HQ-TACACS-GROUP
aaa accounting command HQ-TACACS-GROUP
aaa accounting serial console HQ-TACACS-GROUP
aaa accounting telnet console HQ-TACACS-GROUP
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set HQFTPTRANS esp-aes-256 esp-sha-hmac 
crypto ipsec security-association pmtu-aging infinite
crypto map HQFTPMAP 1 match address HQFTPACL
crypto map HQFTPMAP 1 set pfs group1
crypto map HQFTPMAP 1 set peer 192.168.20.2 
crypto map HQFTPMAP 1 set ikev1 transform-set HQFTPTRANS
crypto map HQFTPMAP interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpool policy
 auto-import
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.10.21 255.255.255.255 outside
ssh 192.168.10.2 255.255.255.255 outside
ssh 192.168.20.2 255.255.255.255 outside
ssh 10.1.10.1 255.255.255.255 outside
ssh 10.1.10.3 255.255.255.255 outside
ssh 192.168.10.21 255.255.255.255 inside
ssh 192.168.10.2 255.255.255.255 inside
ssh 192.168.20.2 255.255.255.255 inside
ssh 10.1.10.1 255.255.255.255 inside
ssh 10.1.10.3 255.255.255.255 inside
ssh timeout 10
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username localadmin password zDkbp36jt66L0Z6u encrypted privilege 15
tunnel-group 192.168.20.2 type ipsec-l2l
tunnel-group 192.168.20.2 ipsec-attributes
 ikev1 pre-shared-key SECRET-KEY
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
 profile License
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination transport-method http
Cryptochecksum:60799b961f095cef738bd26bb9bedc75
: end

以下数据包跟踪器命令从 HQ-FW1 成功:

packet-tracer input inside tcp 192.168.10.21 1234 10.1.10.1 22
0个回答
没有发现任何回复~
其它你可能感兴趣的问题
上一篇当LTE到UMTS IRAT切换时,MAC层会发生什么变化? 下一篇N5K-5672 CoPP 问题