I have only been able to establish one IPsec VPN connection, not the other.
Link to the configuration on Google Drive: https://drive.google.com/open?id=1yB_yIWvJ51A0UeNbkAEiTH9YMIEipqy_
profile1: outside interface 66.x.x.x, local network 172.19.0.0/24, remote network 192.168.192.0/24
profile2: outside interface 75.x.x.x, local network 192.168.198.0/24, remote network 172.19.0.0/24
I have created the NAT exemption rule for profile 1, and it works fine at the remote site.
Home office configuration:
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(3)
!
hostname trrrr
domain-name
enable password
passwd F7nfGx encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.x.x 255.255.255.224 standby 19x.21.x.x
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.128.1 255.255.255.0 standby 192.168.128.10
!
interface Ethernet0/2
nameif dmz
security-level 10
ip address 192.168.130.1 255.255.255.0 standby 192.168.130.5
!
interface Ethernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
banner exec Authorized Access Only! Violators will be prosecuted.
banner login Authorized Access Only! Violators will be prosecuted.
banner asdm Authorized Access Only! Violators will be prosecuted.
boot system disk0:/asa823-k8.bin
boot system disk0:/disk0/asa724-k8.bin
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone AST -4
dns domain-lookup inside
dns server-group DefaultDNS
domain-name
same-security-traffic permit intra-interface
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object icmp echo
service-object icmp echo-reply
object-group network stj-ami-inside
network-object 192.168.192.0 255.255.255.240
object-group network stt-sorp-admin
network-object 172.19.0.0 255.255.255.0
network-object host 172.19.5.68
network-object host 172.19.5.193
network-object host 192.168.198.21
network-object host 192.168.198.11
access-list acl_inside extended permit tcp host 172.19.0.15 any eq smtp
.255.0
access-list netflow-export extended permit ip any any
access-list vpn_split standard permit host 192.168.198.19
access-list outside_cryptomap extended permit ip object-group stt-sorp-admin object-group stj-ami-inside
access-list dmz_cryptomap extended permit ip 172.19.0.0 255.255.0.0 10.220.129.0 255.255.255.0
pager lines 15
logging enable
logging timestamp
logging asdm-buffer-size 300
logging buffered warnings
logging trap informational
logging history informational
logging asdm informational
logging mail alerts
logging device-id hostname
logging host inside 172.19.0.13
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination inside 172.19.0.111 2055
flow-export template timeout-rate 1
flow-export delay flow-create 60
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip verify reverse-path interface outside
ip verify reverse-path interface dmz
failover
failover lan unit primary
failover lan interface failoverint Ethernet0/3
failover link failoverint Ethernet0/3
failover interface ip failoverint 192.168.160.1 255.255.255.0 standby 192.168.160.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,dmz) 192.168.196.0 192.168.196.0 netmask 255.255.255.0
static (dmz,outside) 192.81.x.x x.168.130.22 netmask 255.255.255.255
static (inside,outside) 192.x.x.x 192.168.198.19 netmask 255.255.255.255
static (dmz,outside) 192.x1.xx.x 192.168.130.12 netmask 255.255.255.255
static (dmz,outside) 192.x1.x.x 192.168.130.24 netmask 255.255.255.255
access-group 125 in interface outside
access-group acl_inside in interface inside
access-group exch_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 192.x.x.x 1
route inside 192.168.199.0 255.255.255.192 192.168.128.6 3
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 172.19.0.133
timeout 20
key *****
aaa-server partnerauth (inside) host 172.19.5.68
timeout 20
key *****
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
snmp-server host inside 172.19.0.111 community *****
snmp-server location stt-it-srvroom
snmp-server contact dalma simon
snmp-server community *****
snmp-server enable traps snmp linkup linkdown
snmp-server enable traps entity config-change
service resetoutside
crypto ipsec transform-set client esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set snap esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set transform-set client
crypto map mymap 1 match address 105
crypto map mymap 1 set peer 65.xx.x0
crypto map mymap 1 set transform-set snap
crypto map mymap 1 set nat-t-disable
crypto map mymap 2 match address outside_cryptomap
crypto map mymap 2 set pfs
crypto map mymap 2 set peer 66.x.x.x1
crypto map mymap 2 set transform-set ESP-AES-256-SHA
crypto map mymap 2 set phase1-mode aggressive
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto map scada_map 20 match address scada_crypto_20
crypto map scada_map 20 set peer 1x.xx.x8.11
crypto map scada_map 20 set transform-set ESP-AES-256-SHA
crypto map scada_map interface inside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 15
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
crypto isakmp policy 35
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 30
no vpn-addr-assign dhcp
telnet 172.19.0.27 255.255.255.255 inside
telnet timeout 60
de
ssh 0.0.0.0 0 inside
ssh timeout 60
ssh version 2
console timeout 0
svc keepalive 15
svc rekey method ssl
svc dpd-interval client 3600
svc compression deflate
svc ask enable
customization value DfltCustomization
group-policy dfltgrppolicy internal
authentication-server-group (outside) partnerauth
tunnel-group 65.x.xx.x0 type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *****
tunnel-group Board_VPN type remote-access
address-pool Teledyne
ttributes
pre-shared-key *****
tunnel-group 66.248.178.141 type ipsec-l2l
tunnel-group 66.248.178.141 ipsec-attributes
pre-shared-key *****
class class-default
flow-export event-type all destination 172.19.0.111
policy-map global-policy
class netflow-export-class
flow-export event-type all destination 172.19.0.111
!
service-policy global_policy global
smtps
server 172.19.0.28
default-group-policy DfltGrpPolicy
smtp-server 172.19.0.28 172.16.0.8
prompt hostname context
Cryptochecksum:801f0b6b730d1584a16f5ae425478672
: end
Remote office:
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(5)
!
hostname AFire
domain-name
enable password q4sv encrypted
passwd 2KFQnbNIted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 3
!
interface Ethernet0/2
switchport access vlan 3
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
shutdown
no nameif
no security-level
no ip address
!
interface Vlan2
nameif outside
security-level 0
ip address 6.x.x.1 255.255.255.192
!
interface Vlan3
nameif inside
security-level 100
ip address 192.168.192.1 255.255.255.240
!
ftp mode passive
clock timezone AST -4
dns domain-lookup outside
dns server-group DefaultDNS
name-server
name-server
domain-name viya
object-group service tcp-2449 tcp
description tcp 2449
port-object eq 2449
object-group service DM_INLINE_TCP_1 tcp
group-object tcp-2449
port-object eq echo
port-object eq ssh
object-group service udp-12345 udp
description udp 12345
port-object eq 12345
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object icmp
service-object tcp-udp eq echo
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_3
service-object icmp
service-object icmp echo-reply
object-group network DM_INLINE_NETWORK_2
network-object 172.19.0.0 255.255.255.0
network-object host 172.19.5.68
network-object host 172.19.5.193
network-object host 192.168.198.21
network-object host 192.168.198.11
object-group network stj-ami-inside
network-object 192.168.192.0 255.255.255.240
object-group network stj-remote-site
network-object 172.19.0.0 255.255.255.0
network-object host 172.19.5.68
network-object host 172.19.5.193
network-object host 192.168.198.21
network-object host 192.168.198.11
access-list outside_access_in extended permit tcp host 1x.x.x host 66.x.x.x object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit ip host 192.x.x.x host 66.x.x.x
access-list outside_access_in extended permit udp host 192.x,x,x, host 66.x.x.x object-group udp-12345
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any host 192.x.x.x
access-list outside_access_in extended permit ip object-group stj-remote-site object-group stj-ami-inside
access-list inside_access_in extended permit ip any any
access-list outside_cryptomap extended permit ip object-group stj-ami-inside object-group stj-remote-site
access-list inside_access_in_1 extended permit ip 192.168.192.0 255.255.255.240 host 66.x.x.x
access-list inside_access_in_1 extended permit object-group DM_INLINE_SERVICE_1 any host 66.x.x.x
access-list inside_access_in_1 extended permit object-group DM_INLINE_SERVICE_2 any any
access-list inside_access_in_1 extended permit ip 192.168.192.0 255.255.255.240 object-group DM_INLINE_NETWORK_2
access-list inside_access_in_1 extended permit ip any interface outside inactive
access-list vpn2stt extended permit ip object-group stj-ami-inside object-group stj-remote-site
access-list inside_nat0_outbound extended permit ip object-group stj-ami-inside object-group stj-remote-site
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (outside) 100 192.x.x.x
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group inside_access_in_1 in interface inside
route outside 0.0.0.0 0.0.0.0 66.2.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.x.x.x 255.255.255.255 outside
snmp-server host outside 192.x.x.x community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map2 1 match address outside_cryptomap
crypto map outside_map2 1 set pfs
crypto map outside_map2 1 set peer 192.x.x.x
crypto map outside_map2 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map2 1 set phase1-mode aggressive
crypto map outside_map2 interface outside
crypto isakmp enable outside
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 170
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 30
telnet timeout 5
ssh 192.x.x.x. 255.255.255.255 outside
ssh 192.x.x.x 255.255.255.255 outside
ssh timeout 45
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username encrypted privilege 15
tunnel-group 192.x.x.x type ipsec-l2l
tunnel-group 192.x.x.x ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:467e78738dc98a129577fe202b0584e9
: end
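A cross-check for the two configs above, added here as an example; it is not the poster's or Cisco's code. It parses the pieces of an ASA 8.2 config that a lan-to-lan tunnel depends on (the crypto map's match-address ACL, an ipsec-l2l tunnel-group for the peer, and the nat 0 exemption ACL) and reports the gaps, then checks that each crypto ACL flow on one side appears reversed on the other, since mismatched proxy IDs stop phase 2. The embedded configs are constructed cut-downs of the two dumps with RFC 5737 placeholder peers; the dangling "nat (inside) 0 access-list 101" reference mirrors the home-office dump, where ACL 101 does not appear.

```python
# Constructed sample cut down from the two ASA 8.2 configs in the post; peers are RFC 5737 addresses.
HOME = """object-group network stt-sorp-admin
 network-object 172.19.0.0 255.255.255.0
access-list outside_cryptomap extended permit ip object-group stt-sorp-admin 192.168.192.0 255.255.255.240
nat (inside) 0 access-list 101
crypto map mymap 2 match address outside_cryptomap
crypto map mymap 2 set peer 198.51.100.2
tunnel-group 198.51.100.2 type ipsec-l2l"""
REMOTE = """object-group network stj-remote-site
 network-object 172.19.0.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.192.0 255.255.255.240 object-group stj-remote-site
nat (inside) 0 access-list outside_cryptomap
crypto map outside_map2 1 match address outside_cryptomap
crypto map outside_map2 1 set peer 203.0.113.1
tunnel-group 203.0.113.1 type ipsec-l2l"""

def side(groups, w):  # one ACL address field -> (set of prefixes, tokens consumed)
    if w[0] == "object-group": return groups[w[1]], 2
    if w[0] == "host": return {w[1] + "/32"}, 2
    if w[0] == "any": return {"any"}, 1
    return {w[0] + "/" + w[1]}, 2

def parse(cfg):  # object-groups, extended-ACL flows, crypto-map entries, L2L tunnel-groups, nat 0 ACL name
    groups, acls, maps, tg, nat0 = {}, {}, {}, set(), None
    for w in (l.split() for l in cfg.splitlines() if l.strip()):
        if w[:2] == ["object-group", "network"]:
            cur = groups.setdefault(w[2], set())
        elif w[0] == "network-object":
            cur.add(w[2] + "/32" if w[1] == "host" else w[1] + "/" + w[2])
        elif w[0] == "access-list" and w[2:4] == ["extended", "permit"]:
            src, n = side(groups, w[5:])  # w[4] is the protocol
            acls.setdefault(w[1], []).append((frozenset(src), frozenset(side(groups, w[5 + n:])[0])))
        elif w[0] == "nat" and w[2:4] == ["0", "access-list"]:
            nat0 = w[4]
        elif w[:2] == ["crypto", "map"] and w[4:6] in (["match", "address"], ["set", "peer"]):
            maps.setdefault((w[2], w[3]), {})["acl" if w[5] == "address" else "peer"] = w[6]
        elif w[0] == "tunnel-group" and w[2:] == ["type", "ipsec-l2l"]:
            tg.add(w[1])
    return groups, acls, maps, tg, nat0

def check_site(cfg):  # per-ASA findings: dangling crypto ACL, peer without tunnel-group, flow not NAT-exempted
    out, (_, acls, maps, tg, nat0) = [], parse(cfg)
    for (name, seq), e in maps.items():
        if e.get("acl") not in acls: out.append(f"{name} {seq}: crypto ACL {e.get('acl')} is not defined")
        if e.get("peer") not in tg: out.append(f"{name} {seq}: no ipsec-l2l tunnel-group for peer {e.get('peer')}")
        out += [f"{name} {seq}: flow {sorted(s)} -> {sorted(d)} is not exempted by nat 0 ACL {nat0}"
                for s, d in acls.get(e.get("acl"), []) if (s, d) not in acls.get(nat0, [])]
    return out
def mirror_check(a, b):  # crypto-ACL flows of site a that site b does not carry reversed (proxy-ID mismatch)
    (_, acls_a, maps_a, _, _), (_, acls_b, maps_b, _, _) = parse(a), parse(b)
    b_flows = {f for e in maps_b.values() for f in acls_b.get(e.get("acl"), [])}
    return [f for e in maps_a.values() for f in acls_a.get(e.get("acl"), []) if (f[1], f[0]) not in b_flows]
```

Run check_site on each dump and mirror_check in both directions; an empty list means that side's crypto map, tunnel-group and NAT exemption line up with the other site.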