Cisco ASA: dial-in VPN clients reaching devices across a site-to-site VPN

Network Engineering · Cisco · Routing · Cisco VPN · Site-to-Site
2021-07-23 09:04:20

Question

1) What do I need to run so that the on-site and dial-in network clients can talk to each other, e.g. ping from 10.101.1.7 to 10.101.2.1?

2) What do I need to run so that dial-in network clients can talk to clients on the site-to-site networks, e.g. ping from 10.101.2.1 to 10.1.42.216?

Update: I have now set up network objects inoffice 10.101.1.0 255.255.255.0 and outoffice 10.101.2.0 255.255.255.0

When I run nat (inside,inside) source static inoffice interface destination static interface outoffice, everything works apart from not being able to reach ASDM (and so talk to 10.101.0.1); I have changed the ASA so that it now runs on 10.101.0.1, so it sits in neither the in-office nor the out-of-office subnet.

Overview

I have successfully set up a Cisco ASA 5505 connected to 2 different site-to-site VPNs, and it works fine when I am local to the network.

So the ASA provides the network 10.101.0.0/16 (10.101.1.0/24 is the on-site network, 10.101.2.0/24 is the dial-in network), and then I have 2 sites (inside AWS): 10.1.0.0/16 & 10.2.0.0/16

I have managed to get the system to the point where I can dial in remotely: my remote machine gets an IP of 10.101.2.1 and can ping my workstation 10.101.1.7

However, I cannot get my remote machine to ping anything on the 10.1.0.0 or 10.2.0.0 networks. I also cannot get my on-site network to talk to anything on the dial-in network, whereas the dial-in client can ping workstations on the on-site network.

My ASA config:

: Saved
:
ASA Version 9.1(1)
!
hostname ciscoasa
enable password ****** encrypted
passwd ****** encrypted
names
ip local pool OutOfOfficePool 10.101.2.1-10.101.2.254 mask 255.255.0.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.101.1.1 255.255.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address *.*.*.* 255.255.255.248
!
ftp mode passive
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network inside
 subnet 10.101.0.0 255.255.0.0
object network inside-subnet
 subnet 10.101.0.0 255.255.0.0
object network obj-SrcNet
 subnet 0.0.0.0 0.0.0.0
object network obj-amzn-lon
 subnet 10.1.0.0 255.255.0.0
object network obj-amzn-ire
 subnet 10.2.0.0 255.255.0.0
object network NETWORK_OBJ_10.101.2.0_24
 subnet 10.101.2.0 255.255.255.0
access-list outside_acl extended permit ip host 35.177.42.137 host *.*.*.*
access-list outside_acl extended permit ip host 52.56.51.249 host *.*.*.*
access-list outside_acl extended permit ip host 52.17.198.135 host *.*.*.*
access-list outside_acl extended permit ip host 54.72.63.159 host *.*.*.*
access-list acl-amzn-lon extended permit ip any 10.1.0.0 255.255.0.0
access-list IRELAND-135 extended permit ip host 52.17.198.135 host *.*.*.*
access-list IRELAND-159 extended permit ip host 54.72.63.159 host *.*.*.*
access-list IRELAND-LOCAL extended permit ip any4 10.2.0.0 255.255.0.0
access-list outside_access_in extended permit ip host 35.177.42.137 host *.*.*.*
access-list outside_access_in extended permit ip host 52.56.51.249 host *.*.*.*
access-list acl-amzn extended permit ip any4 10.1.0.0 255.255.0.0
access-list amzn-filter extended permit ip 10.1.0.0 255.255.0.0 10.101.0.0 255.255.0.0
access-list ireland-filter extended permit ip 10.2.0.0 255.255.0.0 10.101.0.0 255.255.0.0
access-list outside_cryptomap_2 extended permit ip any4 10.2.0.0 255.255.0.0
access-list outside_cryptomap_2 extended permit ip any 10.1.0.0 255.255.0.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static obj-SrcNet obj-SrcNet destination static obj-amzn-ire obj-amzn-ire
nat (inside,outside) source static obj-SrcNet obj-SrcNet destination static obj-amzn-lon obj-amzn-lon
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.101.2.0_24 NETWORK_OBJ_10.101.2.0_24 no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
object network inside-subnet
 nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
route outside 0.0.0.0 0.0.0.0 *.*.*.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt connection tcpmss 1379
sla monitor 1
 type echo protocol ipIcmpEcho 10.1.0.1 interface outside
 frequency 5
sla monitor schedule 1 life forever start-time now
sla monitor 2
 type echo protocol ipIcmpEcho 10.2.0.1 interface outside
 frequency 5
sla monitor schedule 2 life forever start-time now
sla monitor 5
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
 frequency 5
sla monitor schedule 5 life forever start-time now
crypto ipsec ikev1 transform-set transform-amzn-lon esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set transform-amzn-ire esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set transfrom-amzn esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set transfrom-amzn1 esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set transform-amzn1 esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set transform-ireland esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES128-SHA1_TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES128-SHA1_TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association replay window-size 128
crypto ipsec security-association pmtu-aging infinite
crypto ipsec df-bit clear-df outside
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
crypto dynamic-map DYN_OUTSIDE 10000 set ikev1 transform-set ESP-AES128-SHA1_TRANS
crypto map amazon_lon_map 1 match address acl-amzn-lon
crypto map amazon_lon_map 1 set pfs
crypto map amazon_lon_map 1 set peer 35.177.42.137 52.56.51.249
crypto map amazon_lon_map 1 set ikev1 transform-set transform-amzn-lon
crypto map amazon_lon_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map amazon_lon_map 1 set security-association lifetime seconds 3600
crypto map amazon_lon_map 2 match address outside_cryptomap_2
crypto map amazon_lon_map 2 set pfs
crypto map amazon_lon_map 2 set peer 52.17.198.135 54.72.63.159
crypto map amazon_lon_map 2 set ikev1 transform-set transform-ireland
crypto map amazon_lon_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map MAP_OUTSIDE 10000 ipsec-isakmp dynamic DYN_OUTSIDE
crypto map MAP_OUTSIDE interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ciscoasa
 keypair OutOfOfficeKeyPair
 proxy-ldc-issuer
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 subject-name CN=leeds.internal.beaconsoft.ltd,O=Beaconsoft Limited,C=UK
 keypair OutOfOfficeKeyPair
 crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
    ****
  quit
crypto ca certificate chain ASDM_TrustPoint0
 certificate 7f301c5c
    ****
  quit
crypto isakmp identity address
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 201
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
crypto ikev1 policy 1000
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 2000
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 3000
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0

dhcpd domain leeds.internal.beaconsoft.ltd
dhcpd auto_config outside
dhcpd option 3 ip 10.101.1.1 *.*.*.*
dhcpd option 6 ip 8.8.8.8 8.8.4.4
!
dhcpd address 10.101.1.5-10.101.2.4 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd domain leeds.internal.beaconsoft.ltd interface inside
dhcpd option 3 ip 10.101.1.1 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol l2tp-ipsec
 default-domain value leeds.internal.beaconsoft.ltd
group-policy OutOfOffice internal
group-policy OutOfOffice attributes
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol ikev1 l2tp-ipsec
 default-domain value leeds.internal.beaconsoft.ltd
group-policy ireland-filter internal
group-policy ireland-filter attributes
 vpn-filter value ireland-filter
 vpn-tunnel-protocol ikev1
group-policy filter1 internal
group-policy filter1 attributes
 vpn-filter value amzn-filter
group-policy filter internal
group-policy filter attributes
 vpn-filter value acl-amzn
username Martin password OJGPTRIZGYa1YSuquXoicg== nt-encrypted privilege 0
username Martin attributes
 vpn-group-policy OutOfOffice
 vpn-tunnel-protocol ikev1 l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 address-pool OutOfOfficePool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 authentication ms-chap-v2
tunnel-group 35.177.42.137 type ipsec-l2l
tunnel-group 35.177.42.137 general-attributes
 default-group-policy filter1
tunnel-group 35.177.42.137 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 10
tunnel-group 52.56.51.249 type ipsec-l2l
tunnel-group 52.56.51.249 general-attributes
 default-group-policy filter1
tunnel-group 52.56.51.249 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 10
tunnel-group IRELAND-135 type ipsec-l2l
tunnel-group IRELAND-135 general-attributes
 default-group-policy ireland-filter
tunnel-group IRELAND-135 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 10
tunnel-group IRELAND-159 type ipsec-l2l
tunnel-group IRELAND-159 general-attributes
 default-group-policy ireland-filter
tunnel-group IRELAND-159 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 10
tunnel-group OutOfOffice type remote-access
tunnel-group OutOfOffice general-attributes
 address-pool OutOfOfficePool
 default-group-policy OutOfOffice
tunnel-group OutOfOffice ipsec-attributes
 ikev1 pre-shared-key *****
 ikev1 trust-point ASDM_TrustPoint0
tunnel-group OutOfOffice ppp-attributes
 authentication ms-chap-v2
tunnel-group 52.17.198.135 type ipsec-l2l
tunnel-group 52.17.198.135 general-attributes
 default-group-policy ireland-filter
tunnel-group 52.17.198.135 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 54.72.63.159 type ipsec-l2l
tunnel-group 54.72.63.159 general-attributes
 default-group-policy ireland-filter
tunnel-group 54.72.63.159 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:641f9d6eb344bf069af64678716624a5
: end
1 Answer

There is a lot to look at here...

  1. crypto map amazon_lon_map does nothing, because it is not bound to an interface. Instead, all of your outside crypto is handled by crypto map MAP_OUTSIDE (since that one has the corresponding crypto map MAP_OUTSIDE interface outside).

  2. You have no access-group statements, so your access-list outside_acl and access-list outside_access_in are probably not doing what you think they should. You probably don't need them anyway.

  3. Your three manual nat statements appear to be identity NAT, but you are allowing the ASA to proxy-ARP. Since obj-SrcNet is currently 0.0.0.0, this means your network may believe that every address it tries to reach is answered by the ASA. You probably don't want that.

  4. As @RonTrunk mentioned in his comment, you will need hairpin NAT to allow your remote-access VPN clients to reach your Amazon tunnels. Hairpinning is hard, though.

  5. ip local pool OutOfOfficePool is a range inside the subnet of the inside interface. This may cause you other problems (especially when using a transport-based transform-set rather than tunnel mode).

  6. You have objects with duplicate definitions and access-lists with differing naming conventions, which adds to the confusion.

  7. You mix manual nat and object nat statements, which I would avoid. Personally, I stick to manual nat.

If it were me, depending on how much of this already works for you and how much doesn't, I would probably tear this config down and start again from first principles; however, if this is a production device, only do that once you have a reliable backup-and-restore process and are confident you understand what I am suggesting...

That said, here goes...

If I understand correctly, your LAN users are on 10.101.0.0/16. You have an Amazon London LAN on 10.1.0.0/16 and an Amazon Ireland LAN on 10.2.0.0/16:

object network OBJ_LAN01
  subnet 10.101.0.0 255.255.0.0
object network OBJ_AZNLON01
  subnet 10.1.0.0 255.255.0.0
object network OBJ_AZNIRE01
  subnet 10.2.0.0 255.255.0.0

You have a group of VPN users; let's put them somewhere else:

ip local pool IPP_RA_VPN 10.255.1.1-10.255.1.254 mask 255.255.255.0

object network OBJ_RA_VPN
  subnet 10.255.1.0 255.255.255.0

You want your LAN and VPN users to be able to reach the same things (as if the VPN people were on your LAN), so we group them together:

object-group network OGP_PERMITTED_LOCAL
  network-object object OBJ_LAN01
  network-object object OBJ_RA_VPN

Similarly, we group all the remote networks that the locals should be able to reach:

object-group network OGP_PERMITTED_REMOTE
  network-object object OBJ_AZNLON01
  network-object object OBJ_AZNIRE01

At this point there is one thing I don't know:

  1. Either: you want anyone on your LAN to be able to reach the Amazon sites, and you want anything at the Amazon sites to be able to reach devices on your LAN, in which case we identity-NAT:

    nat (outside,outside) source static OGP_PERMITTED_LOCAL OGP_PERMITTED_LOCAL destination static OGP_PERMITTED_REMOTE OGP_PERMITTED_REMOTE no-proxy-arp route-lookup
    nat (inside,outside) source static OGP_PERMITTED_LOCAL OGP_PERMITTED_LOCAL destination static OGP_PERMITTED_REMOTE OGP_PERMITTED_REMOTE no-proxy-arp route-lookup
    
  2. Or: you want anyone on your LAN to be able to reach the Amazon sites, but you do not want anything at the Amazon sites to reach devices on your LAN, in which case we hide-NAT behind your outside interface address:

    nat (outside,outside) source dynamic OGP_PERMITTED_LOCAL interface destination static OGP_PERMITTED_REMOTE OGP_PERMITTED_REMOTE no-proxy-arp route-lookup
    nat (inside,outside) source dynamic OGP_PERMITTED_LOCAL interface destination static OGP_PERMITTED_REMOTE OGP_PERMITTED_REMOTE no-proxy-arp route-lookup
    

Note that in both cases above we do the nat on (inside,outside) and on (outside,outside); the latter is the hairpin - your VPN clients are technically outside and going back out to outside. That is why you also need to permit same-security traffic through the interface:

same-security-traffic permit intra-interface

We will now define the interesting traffic from the VPN to Amazon. This has to be mirrored in Amazon's VPN configuration, but I am not an AWS person, so I can't say offhand what that looks like. Again, it depends on what we chose above:

  1. If we identity-NAT:

    access-list ACL_VPN_AZNLON extended permit ip object-group OGP_PERMITTED_LOCAL object OBJ_AZNLON01
    access-list ACL_VPN_AZNIRE extended permit ip object-group OGP_PERMITTED_LOCAL object OBJ_AZNIRE01
    
  2. If we hide-NAT:

    access-list ACL_VPN_AZNLON extended permit ip interface outside object OBJ_AZNLON01
    access-list ACL_VPN_AZNIRE extended permit ip interface outside object OBJ_AZNIRE01
    

Note that I really can't help with defining the VPN on Amazon's side. Suffice it to say that the identity-NAT solution requires you to set up a tunnel with two subnets in the Phase 2 encryption domain (which may mean two separate Phase 2 security association configurations, depending on how Amazon does it), whereas the hide-NAT one only needs a single Phase 2 security association.

Use show access-list ACL_VPN_AZNLON to see what Amazon London will see - notice that this statement shows two lines for identity NAT? Those are your two security associations. Each LAN subnet you add (should you need to) will be one more line, unless you want to try dynamically NATing all your users to a single dedicated address in the LAN subnet before going over to Amazon.

We will add one more NAT statement, as a fallback option, so that your LAN users reach the Internet using the ISP-assigned outside address:

object network OBJ_ANY_IPV4
  subnet 0.0.0.0 0.0.0.0

nat (inside,outside) after-auto source dynamic OBJ_LAN01 interface destination static OBJ_ANY_IPV4 OBJ_ANY_IPV4

Now we can set up the crypto policies for Phase #1 and Phase #2. I will assume you transcribed these correctly into your (albeit unused) crypto map statements, so I will adapt what you have above into the Phase 2 settings below. Note that I am currently only familiar with IKEv1, so I am ignoring IKEv2 at this stage (it doesn't look enabled in your config anyway):

crypto ipsec ikev1 transform-set IKEV1_AES128_SHA1 esp-aes esp-sha-hmac

crypto map CRY_OUTSIDE 10 match address ACL_VPN_AZNLON
crypto map CRY_OUTSIDE 10 set peer 35.177.42.137 52.56.51.249
crypto map CRY_OUTSIDE 10 set ikev1 transform-set IKEV1_AES128_SHA1
crypto map CRY_OUTSIDE 10 set pfs group2
crypto map CRY_OUTSIDE 10 set security-association lifetime seconds 3600

crypto map CRY_OUTSIDE 20 match address ACL_VPN_AZNIRE
crypto map CRY_OUTSIDE 20 set peer 52.17.198.135 54.72.63.159
crypto map CRY_OUTSIDE 20 set ikev1 transform-set IKEV1_AES128_SHA1
crypto map CRY_OUTSIDE 20 set pfs group2
crypto map CRY_OUTSIDE 20 set security-association lifetime seconds 3600

Likewise, I am not sure which Phase #1 settings you are using (perhaps you get to choose within Amazon's ecosystem), so I will use the highest-priority settings from your existing config, as below (you can configure several of these; the policy number indicates priority - the lowest number is chosen first where possible):

crypto ikev1 policy 100
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 28800

Now we set the pre-shared key for each peer (substitute your relevant key for ***):

tunnel-group 35.177.42.137 type ipsec-l2l
tunnel-group 35.177.42.137 ipsec-attributes
  ikev1 pre-shared-key ******

tunnel-group 52.56.51.249 type ipsec-l2l
tunnel-group 52.56.51.249 ipsec-attributes
  ikev1 pre-shared-key ******

tunnel-group 52.17.198.135 type ipsec-l2l
tunnel-group 52.17.198.135 ipsec-attributes
  ikev1 pre-shared-key ******

tunnel-group 54.72.63.159 type ipsec-l2l
tunnel-group 54.72.63.159 ipsec-attributes
  ikev1 pre-shared-key ******

Now we bind the settings together, at least to get site-to-site working:

crypto map CRY_OUTSIDE interface outside
crypto ikev1 enable outside

If we got that right, at this point your LAN users should now be able to reach the Amazon sites and, depending on your choice in #1/#2 above, your Amazon objects should be able to reach your LAN devices as well.

Now let's try to get your remote-access users in place. For this we need a dynamic map and a policy. I'll assume you are using the old-style Cisco VPN Client here, but I can see you also have L2TP/IPsec enabled in your old config. I will gloss over L2TP/IPsec here, but if that assumption is wrong it should be workable with some tweaking.

First, we need to define the interesting traffic for the VPN users:

access-list ACL_VPN_RA extended permit ip any object OBJ_RA_VPN

Then we need a dynamic map, which applies the Phase 2 settings to your VPN users:

crypto dynamic-map CDY_OUTSIDE 10 match address ACL_VPN_RA
crypto dynamic-map CDY_OUTSIDE 10 set ikev1 transform-set IKEV1_AES128_SHA1
crypto dynamic-map CDY_OUTSIDE 10 set security-association lifetime seconds 7200
crypto dynamic-map CDY_OUTSIDE 10 set reverse-route

We need to define some user-specific settings, which live in a group-policy. You will probably want to use DNS servers inside the LAN so that your users can resolve your private server names (replace 10.101.100.100 and 10.101.200.200 with the applicable addresses), and we will use split tunnelling so that only requests for your networks go through the tunnel, while normal Internet requests continue to use the VPN user's own ISP.

access-list ACL_RA_VPN_SPLIT_TUNNEL extended permit ip object OBJ_LAN01 object OBJ_RA_VPN
access-list ACL_RA_VPN_SPLIT_TUNNEL extended permit ip object-group OGP_PERMITTED_REMOTE object OBJ_RA_VPN

group-policy GPO_RA_VPN internal
group-policy GPO_RA_VPN attributes
  vpn-tunnel-protocol ikev1
  dns-server value 10.101.100.100 10.101.200.200
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value ACL_RA_VPN_SPLIT_TUNNEL
  default-domain value leeds.internal.beaconsoft.ltd

I don't know your trustpoint stuff - I have only ever done this with pre-shared keys, not certificates. I'll use a PSK below, but you can substitute whatever certificate work is required (again, replace your PSK for ***):

tunnel-group TUN_RA_VPN type remote-access
tunnel-group TUN_RA_VPN general-attributes
  address-pool IPP_RA_VPN
  default-group-policy GPO_RA_VPN
tunnel-group TUN_RA_VPN ipsec-attributes
  ikev1 pre-shared-key *****

By attaching the dynamic policy to the static crypto map, we should be able to bind the dynamic policy to the outside interface:

crypto map CRY_OUTSIDE 65535 ipsec-isakmp dynamic CDY_OUTSIDE

Finally, by using the sysopt option that automatically lets VPN connections bypass access-group restrictions, we avoid the need to write explicit access-control statements for the VPN traffic. This is a common (but quite well hidden) option, which I believe is enabled by default, but we will add it explicitly here:

sysopt connection permit-vpn

I'm sure I have missed many nuances of your network in your config, so I will have to trust you to fold the concepts above correctly into your own setup.

However, at this point (assuming you can configure the Amazon side correctly), you should have two site-to-site tunnels from your device to Amazon and one remote-access VPN (using the old Cisco VPN Client), with access to both your LAN and the Amazon environments.

We have not covered access from the Internet to your LAN, so we still have no access-group. All outside-to-inside access is restricted by security-level. Access from Amazon to your LAN depends on the option you chose regarding identity NAT or hide NAT. If hide NAT was chosen, the Amazon objects should not be able to reach your LAN, since they only ever see your outside address. Changing this later can be a bit of a challenge, though, so choose wisely.

Cleaning up the old, unused config items is left as an exercise for you!

Anyway, good luck!
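Two of the answer's points are easy to check mechanically before touching the box: item 5 (the OutOfOfficePool range lies inside the inside interface's subnet, and in the posted config the DHCP range 10.101.1.5-10.101.2.4 even runs into it) and the remark that show access-list on an object-group based crypto ACL expands to one line per LAN subnet, each of which is a Phase 2 selector the Amazon side must mirror. The script below is an added example, not ASA code or the answerer's code. It carries a small parser for the handful of ASA commands involved and runs it over a constructed excerpt that combines the question's addresses with the answer's proposed objects (written as object network / network-object object, the syntax the ASA accepts). Operand kinds it does not model (interface outside in the hide-NAT ACL, host, any) raise rather than guess.

```python
import ipaddress
from collections import defaultdict

# Constructed excerpt: the question's interface, pool and DHCP lines plus the
# answer's identity-NAT objects and crypto ACL for Amazon London.
CONFIG = """\
interface Vlan1
 nameif inside
 ip address 10.101.1.1 255.255.0.0
ip local pool OutOfOfficePool 10.101.2.1-10.101.2.254 mask 255.255.0.0
dhcpd address 10.101.1.5-10.101.2.4 inside
object network OBJ_LAN01
 subnet 10.101.0.0 255.255.0.0
object network OBJ_RA_VPN
 subnet 10.255.1.0 255.255.255.0
object network OBJ_AZNLON01
 subnet 10.1.0.0 255.255.0.0
object-group network OGP_PERMITTED_LOCAL
 network-object object OBJ_LAN01
 network-object object OBJ_RA_VPN
access-list ACL_VPN_AZNLON extended permit ip object-group OGP_PERMITTED_LOCAL object OBJ_AZNLON01
"""


def parse_config(text):
    """Minimal ASA parser: interfaces, local pools, dhcpd ranges, network
    objects/groups and extended ACLs. Indented lines are sub-commands of
    the most recent top-level block."""
    cfg = {"interfaces": {}, "pools": {}, "dhcp": [], "objects": {},
           "groups": defaultdict(list), "acls": defaultdict(list)}
    ctx = None  # (kind, name) of the block whose sub-commands follow
    for line in text.splitlines():
        if not line.strip():
            continue
        tok = line.split()
        if not line.startswith(" "):
            ctx = None
            if tok[0] == "interface":
                ctx = ("interface", tok[1])
                cfg["interfaces"][tok[1]] = {}
            elif tok[:2] == ["object", "network"]:
                ctx = ("object", tok[2])
            elif tok[:2] == ["object-group", "network"]:
                ctx = ("group", tok[2])
            elif tok[:3] == ["ip", "local", "pool"]:
                lo, hi = tok[4].split("-")
                cfg["pools"][tok[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
            elif tok[:2] == ["dhcpd", "address"]:
                lo, hi = tok[2].split("-")
                cfg["dhcp"].append((tok[3], ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
            elif tok[0] == "access-list":
                cfg["acls"][tok[1]].append(tok[2:])
            continue
        if ctx is None:
            continue
        kind, name = ctx
        if kind == "interface" and tok[0] == "nameif":
            cfg["interfaces"][name]["nameif"] = tok[1]
        elif kind == "interface" and tok[:2] == ["ip", "address"]:
            cfg["interfaces"][name]["net"] = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
        elif kind == "object" and tok[0] == "subnet":
            cfg["objects"][name] = ipaddress.ip_network(f"{tok[1]}/{tok[2]}", strict=False)
        elif kind == "group" and tok[:2] == ["network-object", "object"]:
            cfg["groups"][name].append(tok[2])
    return cfg


def as_range(item):
    """A network, or a (first, last) address pair, as integer bounds."""
    if isinstance(item, ipaddress.IPv4Network):
        return int(item.network_address), int(item.broadcast_address)
    lo, hi = item
    return int(lo), int(hi)


def overlaps(a, b):
    a0, a1 = as_range(a)
    b0, b1 = as_range(b)
    return a0 <= b1 and b0 <= a1


def address_conflicts(cfg):
    """(pool name, what it collides with) for every RA pool that overlaps an
    interface subnet or a DHCP range; either is a reason to move the pool."""
    findings = []
    for pname, prange in cfg["pools"].items():
        for ifname, data in cfg["interfaces"].items():
            if "net" in data and overlaps(prange, data["net"]):
                findings.append((pname, f"interface {data.get('nameif', ifname)} {data['net']}"))
        for nameif, lo, hi in cfg["dhcp"]:
            if overlaps(prange, (lo, hi)):
                findings.append((pname, f"dhcpd address {lo}-{hi} {nameif}"))
    return findings


def expand_acl(cfg, acl_name):
    """Expand object / object-group operands the way `show access-list` does.
    Each (src, dst) pair is one Phase 2 selector the peer must also carry."""
    def resolve(kind, name):
        if kind == "object":
            return [cfg["objects"][name]]
        if kind == "object-group":
            return [cfg["objects"][m] for m in cfg["groups"][name]]
        raise ValueError(f"operand kind not modelled here: {kind}")

    pairs = []
    for ace in cfg["acls"][acl_name]:
        if ace[:2] != ["extended", "permit"]:
            continue
        _, _, _proto, skind, sname, dkind, dname = ace[:7]
        for src in resolve(skind, sname):
            for dst in resolve(dkind, dname):
                pairs.append((src, dst))
    return pairs


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    for pool, what in address_conflicts(cfg):
        print(f"pool {pool} overlaps {what}")
    for src, dst in expand_acl(cfg, "ACL_VPN_AZNLON"):
        print(f"phase 2 selector: {src} -> {dst}")
```

On the constructed excerpt the conflict check reports OutOfOfficePool against both the inside /16 and the DHCP range, which is exactly what the answer's move to 10.255.1.0/24 removes, and the ACL expansion yields two selectors (LAN to Amazon London, VPN pool to Amazon London), the "two lines" the answer tells you to look for. Feed a real running-config to parse_config and the same two functions tell you whether a proposed pool is clean and how many Phase 2 entries the far end will have to match.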