Denis Ivanov
Beginner

ASA5505: can't bring up a site-to-site VPN

I can't get a VPN tunnel up between two ASA5505s. ASDM shows that the connection has been established, but traffic from one LAN to the other still doesn't pass. Both units also have an AnyConnect VPN for clients, and there are no problems with it. Maybe you can suggest something about the config. The second unit's config is the same. I tried bringing it up through the Wizard and through the command line as well.


ip local pool VPN-POOL-IP 192.168.6.35-192.168.6.68 mask 255.255.255.0
!
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.6.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 84.4
boot system disk0:/asa924-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name domain
object network OBJ_NAT_LAN
subnet 192.168.6.0 255.255.255.0
object network Myt
subnet 192.168.3.0 255.255.255.0
object network NETWORK_OBJ_192.168.6.0_24
subnet 192.168.6.0 255.255.255.0
object network testvpn
subnet 192.168.0.0 255.255.0.0
object network for-mytvpn
subnet 192.168.6.0 255.255.255.0
access-list 120 standard permit 192.168.6.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip object for-mytvpn object Myt
access-list outside_cryptomap extended permit ip object for-mytvpn object Myt
access-list 100 extended permit ip 192.168.6.0 255.255.255.0 192.168.3.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-791.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.6.0_24 NETWORK_OBJ_192.168.6.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static testvpn testvpn destination static Myt Myt no-proxy-arp route-lookup
nat (inside,outside) source static for-mytvpn for-mytvpn destination static myt myt no-proxy-arp route-lookup
!
object network OBJ_NAT_LAN
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 84.47.169.65 1
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no user-identity enable
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
crypto ipsec ikev1 transform-set ESP_3DES_SHA_HMAC esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map L2L 1 set ikev1 transform-set ESP-DES-MD5
crypto map L2L 1 set ikev2 ipsec-proposal AES256
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 213.85.40.110
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ASA5505
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=213.,CN=ASA5505
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_1
enrollment self
fqdn none
subject-name CN=213.,CN=ASA5505
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_2
enrollment self
fqdn none
subject-name CN=213.,CN=ASA5505
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_3
enrollment self
fqdn none
subject-name CN=213.,CN=ASA5505
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate 326e975e
308201dd 30820146 a0030201 02020432 6e975e30 0d06092a 864886f7 0d010105
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
telnet 169.254.0.0 255.255.0.0 inside
telnet timeout 20
ssh 192.168.6.0 255.255.255.0 inside
ssh timeout 15
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0

!
tls-proxy maximum-session 24
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 inside
webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-4.7.04056-webdeploy-k9.pkg 1
anyconnect profiles anyconnect-vpn_client_profile disk0:/anyconnect-vpn_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_anyconnect-vpn internal
group-policy GroupPolicy_anyconnect-vpn attributes
wins-server value 192.168.6.4
dns-server value 192.168.6.4
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 120
default-domain value domain
webvpn
anyconnect profiles value anyconnect-vpn_client_profile type user
group-policy GroupPolicy_213. internal
group-policy GroupPolicy_213. attributes
vpn-tunnel-protocol ikev1
group-policy IPSEC-VPN internal
group-policy IPSEC-VPN attributes
wins-server value 192.168.6.4
dns-server value 192.168.6.4
vpn-tunnel-protocol ikev1
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 120
default-domain value domain
user-authentication-idle-timeout 240
username xxxx password Pi3bhBNPxoZNMzzr encrypted
username xxx password w1FJ8zXIriTvtuG8 encrypted
username xxxx password j3KmFaetaQSXjv7H encrypted
username xxx password yVXydlnQRFmKaCmy encrypted
tunnel-group IPSEC-VPN type remote-access
tunnel-group IPSEC-VPN general-attributes
address-pool VPN-POOL-IP
default-group-policy IPSEC-VPN
tunnel-group IPSEC-VPN ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group anyconnect-vpn type remote-access
tunnel-group anyconnect-vpn general-attributes
address-pool VPN-POOL-IP
default-group-policy GroupPolicy_anyconnect-vpn
tunnel-group anyconnect-vpn webvpn-attributes
group-alias anyconnect-vpn enable
tunnel-group 213. type ipsec-l2l
tunnel-group 213. general-attributes
default-group-policy GroupPolicy_213.
tunnel-group 213. ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

 

1 ACCEPTED SOLUTION
Sergey Lisitsin
Collaborator

Good afternoon,

It looks like you have an error in the NAT exempt rule.

nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.6.0_24 NETWORK_OBJ_192.168.6.0_24 no-proxy-arp route-lookup

try

nat (inside,outside) source static NETWORK_OBJ_192.168.6.0_24 NETWORK_OBJ_192.168.6.0_24 destination static Myt Myt
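To see why the first rule quoted above does not protect the site-to-site traffic, here is an added example (not from the thread or from Cisco) that models, in a deliberately simplified way, how the ASA picks a section-1 twice-NAT rule by first match, falls back to the section-2 dynamic PAT from the posted config when nothing matches, and then checks the crypto map ACL against the post-NAT packet. It models only the exemption rule the reply discusses, uses the object names and subnets from the config above, and substitutes a documentation-range placeholder for the truncated outside address; it is not a reproduction of the full ASA NAT engine.

```python
import ipaddress
from dataclasses import dataclass

# Object table built from the "object network" definitions in the config above;
# "any" stands for the ASA keyword. Constructed for this example.
OBJECTS = {
    "any": ipaddress.ip_network("0.0.0.0/0"),
    "NETWORK_OBJ_192.168.6.0_24": ipaddress.ip_network("192.168.6.0/24"),
    "for-mytvpn": ipaddress.ip_network("192.168.6.0/24"),
    "Myt": ipaddress.ip_network("192.168.3.0/24"),
}

# Section-2 dynamic PAT from the config ("object network OBJ_NAT_LAN" /
# "nat (inside,outside) dynamic interface"). The real outside address is
# truncated in the post, so a documentation-range placeholder is used.
PAT_SOURCE_NET = ipaddress.ip_network("192.168.6.0/24")
OUTSIDE_IP = "203.0.113.1"  # placeholder, not the poster's address


def in_obj(addr: str, obj: str) -> bool:
    return ipaddress.ip_address(addr) in OBJECTS[obj]


@dataclass(frozen=True)
class TwiceNatRule:
    """'nat (inside,outside) source static A B destination static C D'. Only
    identity rules (A == B and C == D) are modelled, which is all a NAT
    exemption needs."""
    real_src: str
    mapped_src: str
    real_dst: str
    mapped_dst: str

    def __post_init__(self):
        if self.real_src != self.mapped_src or self.real_dst != self.mapped_dst:
            raise ValueError("only identity (exemption) rules are modelled")

    def matches(self, src: str, dst: str) -> bool:
        return in_obj(src, self.real_src) and in_obj(dst, self.real_dst)


def parse_nat(line: str) -> TwiceNatRule:
    tok = line.split()
    s, d = tok.index("source"), tok.index("destination")
    return TwiceNatRule(tok[s + 2], tok[s + 3], tok[d + 2], tok[d + 3])


def parse_crypto_acl(line: str) -> tuple[str, str]:
    """'access-list NAME extended permit ip object SRC object DST' -> (SRC, DST)."""
    tok = line.split()
    objs = [tok[i + 1] for i, t in enumerate(tok) if t == "object"]
    return objs[0], objs[1]


def translate(rules, src: str, dst: str) -> tuple[str, str]:
    """Section 1 (twice NAT) is first-match; if nothing there matches, the
    section-2 dynamic PAT rewrites any 192.168.6.0/24 source to the outside IP."""
    for rule in rules:
        if rule.matches(src, dst):
            return src, dst  # identity rule: packet leaves untranslated
    if ipaddress.ip_address(src) in PAT_SOURCE_NET:
        return OUTSIDE_IP, dst
    return src, dst


def enters_tunnel(nat_lines, crypto_acl: str, src: str, dst: str) -> bool:
    """The crypto map ACL is evaluated on the post-NAT packet, so a flow that
    was PATed no longer matches 'object for-mytvpn' and bypasses the tunnel."""
    rules = [parse_nat(line) for line in nat_lines]
    xsrc, xdst = translate(rules, src, dst)
    src_obj, dst_obj = parse_crypto_acl(crypto_acl)
    return in_obj(xsrc, src_obj) and in_obj(xdst, dst_obj)


ORIGINAL_NAT = ["nat (inside,outside) source static any any destination static "
                "NETWORK_OBJ_192.168.6.0_24 NETWORK_OBJ_192.168.6.0_24 no-proxy-arp route-lookup"]
SUGGESTED_NAT = ["nat (inside,outside) source static NETWORK_OBJ_192.168.6.0_24 "
                 "NETWORK_OBJ_192.168.6.0_24 destination static Myt Myt"]
CRYPTO_ACL = "access-list outside_cryptomap extended permit ip object for-mytvpn object Myt"

if __name__ == "__main__":
    # Sample flow constructed for the example: a host in each LAN from the config.
    for label, nat in (("original", ORIGINAL_NAT), ("suggested", SUGGESTED_NAT)):
        ok = enters_tunnel(nat, CRYPTO_ACL, "192.168.6.10", "192.168.3.10")
        print(f"{label}: 192.168.6.10 -> 192.168.3.10 enters tunnel: {ok}")
```

With the original rule the destination 192.168.3.10 is not inside NETWORK_OBJ_192.168.6.0_24, so the exemption never matches, the source is PATed to the outside address and the crypto ACL no longer sees 192.168.6.0/24 as the source. With the suggested rule the exemption matches the same source/destination pair as the crypto ACL, which is the property to check whenever ASDM reports the tunnel up but no traffic flows.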

