olegmedvedev5285
Beginner

Routing + IPsec

Good afternoon!

There is an ASA 5550 (1) located in the central office (IP 192.168.1.0/24) and two more ASA 5550s (IP 192.168.2.0/24 and IP 192.168.3.0/24) located in two other offices. An IPsec VPN is up between the central-office ASA and the two others, so the central office (192.168.1.0/24) sees both subnets (192.168.2.0/24 and 192.168.3.0/24) and those subnets see the central office, but subnet 192.168.2.0/24 does not see subnet 192.168.3.0/24 ....

Please advise how to make these two subnets see each other as well; I would rather not bring up another tunnel between these subnets.

Thanks in advance.

goalkeeper
Beginner

Good afternoon

Have you tried adding routes between the offices?

Ask anything you want

I tried; the routes didn't help.

Cisco ASA has a great thing called packet tracer. It is very convenient via ASDM, but it also works from the command line. You see right away where the problem is.

________________________________________________________
If you liked the answer, give it a star. If the answer helped solve your problem, accept it as the solution
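Concrete commands for the packet-tracer check suggested above, as an added example that is not part of the original replies. The hosts 192.168.2.10 (Ufa) and 192.168.3.10 (Samara) are assumed test addresses; the interface names, peer address and ACL name are the ones from the configs posted in this thread.

```cisco
! Ufa spoke (asa5550-ufa): trace a Ufa host reaching a Samara host as the packet enters from the LAN.
! Read the phase whose Result is DROP. An acl-drop in the VPN phase means the crypto ACL used
! for peer 190.104.30.2 has no entry covering 192.168.2.0/24 -> 192.168.3.0/24, so the flow
! is never sent into the hub tunnel, no matter what static routes exist.
packet-tracer input inside icmp 192.168.2.10 8 0 192.168.3.10 detailed
packet-tracer input inside tcp 192.168.2.10 40000 192.168.3.10 445 detailed

! Hub (ciscoasa-5550): the decrypted Ufa packet arrives on "outside" and must leave on "outside"
! again toward the Samara peer. packet-tracer on this release treats the injected packet as
! cleartext on outside, so look at the NAT and VPN (encrypt) phases rather than the ACL phase:
! they show whether the hub would hairpin and re-encrypt the flow.
packet-tracer input outside icmp 192.168.2.10 8 0 192.168.3.10 detailed

! Supporting checks on either box: which proxy identities were actually negotiated,
! whether a NAT rule is touching the hairpinned flow, and whether decrypted VPN traffic
! still bypasses the interface ACL (the ASA default).
show crypto ipsec sa
show nat detail
show run all sysopt | include permit-vpn
show run access-list outside_Ufa_cryptomap
```

Run the spoke trace first: if the VPN phase already drops there, the hub never sees the packet and the hub-side trace is moot.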
Leonid Voronkin
VIP Collaborator

Show the configs

Config of the ASA 5550 in the central office:

 

ASA Version 9.1(7)32
!
hostname ciscoasa-5550
domain-name steklonit.ru
enable password CL3OQS5fAjwNjpHj encrypted
passwd LnOfruIeSegXO4oX encrypted
names
ip local pool ReSer_VPN 192.168.1.125-192.168.1.127 mask 255.255.255.0
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 190.104.30.2 255.255.255.0
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
nameif Delan
security-level 100
ip address 192.168.10.2 255.255.255.0
!
interface GigabitEthernet0/3
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
!
interface Management0/0
nameif Manage
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet1/0
nameif WiFi
security-level 100
ip address 192.168.8.2 255.255.255.0
!
interface GigabitEthernet1/1
nameif ADMIN
security-level 100
ip address 192.168.9.2 255.255.255.0
!
interface GigabitEthernet1/2
nameif Skud_i_Vn
security-level 80
ip address 192.168.11.253 255.255.255.0
!
interface GigabitEthernet1/3
nameif VOIP
security-level 100
ip address 192.168.20.2 255.255.255.0
!
boot system disk0:/asa917-32-k8.bin
ftp mode passive
clock timezone MSK/MSD 3
clock summer-time MSK/MDD recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns server-group DefaultDNS
name-server 195.107.107.5
name-server 195.107.107.6
name-server 8.8.4.4
domain-name steklonit.ru
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network LAN-inside
network-object 192.168.1.0 255.255.255.0
object-group network LAN-WiFi
network-object 192.168.8.0 255.255.255.0
object-group network Host-X
network-object host 8.8.8.8
network-object host 8.8.4.4
object-group network UFA
network-object 192.168.2.0 255.255.255.0
object-group network Egor
network-object 192.168.4.0 255.255.255.0
object-group network Samara
network-object 192.168.3.0 255.255.255.0
object-group network LAN-Moscow
network-object 192.168.1.0 255.255.255.0
network-object 192.168.8.0 255.255.255.0
network-object 192.168.10.0 255.255.255.0
object-group network LAN_VOIP
network-object host 192.168.20.0
object-group network LAN_DELAN
network-object host 192.168.10.0
access-list nonat extended permit ip 192.168.9.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.9.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list nonat extended permit ip 192.168.9.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list nonat extended permit ip 192.168.8.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.8.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list nonat extended permit ip object-group LAN-Moscow object-group UFA
access-list nonat extended permit ip object-group UFA object-group LAN-Moscow
access-list nonat extended permit ip any 192.168.6.124 255.255.255.252
access-list nonat extended permit ip object-group LAN-Moscow object-group Samara
access-list nonat extended permit ip object-group Samara object-group LAN-Moscow
access-list nonat extended permit ip object-group LAN-Moscow object-group Egor
access-list nonat extended permit ip object-group Egor object-group LAN-Moscow
access-list WiFi_access_in extended permit ip any any
access-list outside_Ufa_cryptomap extended permit ip object-group LAN-Moscow object-group UFA
access-list inside_access_in extended permit ip any any
access-list outside_Samara_cryptomap extended permit ip object-group LAN-Moscow object-group Samara
access-list Delan_access_in extended permit ip any any
access-list outside_int extended permit icmp any any
access-list outside_Egorievsk_cryptomap extended permit ip object-group LAN-Moscow object-group Egor
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu Delan 1500
mtu inside 1500
mtu Manage 1500
mtu WiFi 1500
mtu ADMIN 1500
mtu Skud_i_Vn 1500
mtu VOIP 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-781-150.bin
asdm location 192.168.6.127 255.255.255.255 Delan
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Delan,inside) source static LAN_DELAN LAN_DELAN destination static LAN-inside LAN-inside no-proxy-arp route-lookup
nat (Delan,WiFi) source static LAN_DELAN LAN_DELAN destination static LAN-WiFi LAN-WiFi no-proxy-arp route-lookup
nat (inside,outside) source static LAN-Moscow LAN-Moscow destination static UFA UFA no-proxy-arp route-lookup
nat (inside,outside) source static UFA UFA destination static LAN-Moscow LAN-Moscow no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static obj-192.168.6.124 obj-192.168.6.124 no-proxy-arp route-lookup
nat (inside,outside) source static LAN-Moscow LAN-Moscow destination static Samara Samara no-proxy-arp route-lookup
nat (inside,outside) source static Samara Samara destination static LAN-Moscow LAN-Moscow no-proxy-arp route-lookup
nat (inside,outside) source static LAN-Moscow LAN-Moscow destination static Egor Egor no-proxy-arp route-lookup
nat (inside,outside) source static Egor Egor destination static LAN-Moscow LAN-Moscow no-proxy-arp route-lookup
nat (inside,Delan) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.10.0 obj-192.168.10.0 no-proxy-arp route-lookup
nat (inside,WiFi) source static LAN-inside LAN-inside destination static LAN-WiFi LAN-WiFi no-proxy-arp
nat (inside,ADMIN) source static LAN-inside LAN-inside destination static Admin Admin no-proxy-arp route-lookup
nat (WiFi,outside) source static LAN-Moscow LAN-Moscow destination static UFA UFA no-proxy-arp route-lookup
nat (WiFi,outside) source static UFA UFA destination static LAN-Moscow LAN-Moscow no-proxy-arp route-lookup
nat (WiFi,outside) source static any any destination static obj-192.168.1.124 obj-192.168.1.124 no-proxy-arp route-lookup
nat (WiFi,outside) source static LAN-Moscow LAN-Moscow destination static Samara Samara no-proxy-arp route-lookup
nat (WiFi,outside) source static Samara Samara destination static LAN-Moscow LAN-Moscow no-proxy-arp route-lookup
nat (WiFi,outside) source static LAN-Moscow LAN-Moscow destination static Egor Egor no-proxy-arp route-lookup
nat (WiFi,outside) source static Egor Egor destination static LAN-Moscow LAN-Moscow no-proxy-arp route-lookup
nat (WiFi,Delan) source static obj-192.168.8.0 obj-192.168.8.0 destination static obj-192.168.10.0 obj-192.168.10.0 no-proxy-arp route-lookup
nat (WiFi,inside) source static LAN-WiFi LAN-WiFi destination static LAN-inside LAN-inside no-proxy-arp route-lookup
nat (WiFi,VOIP) source static LAN-WiFi LAN-WiFi destination static LAN_VOIP LAN_VOIP no-proxy-arp route-lookup
!
object network obj-192.168.1.0
nat (inside,outside) dynamic interface
object network obj-192.168.8.0
nat (WiFi,outside) dynamic interface
object network obj-192.168.10.0
nat (Delan,outside) dynamic interface
access-group outside_int in interface outside
access-group Delan_access_in in interface Delan
access-group inside_access_in in interface inside
access-group WiFi_access_in in interface WiFi
route outside 0.0.0.0 0.0.0.0 190.104.30.1 1
route outside 192.168.2.0 255.255.255.0 190.104.30.1 1
route outside 192.168.3.0 255.255.255.0 190.104.30.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.9.0 255.255.255.0 Manage
http 192.168.1.87 255.255.255.255 inside
http 192.168.1.101 255.255.255.255 inside
snmp-server host inside 192.168.1.61 poll community flvbY!1#
no snmp-server location
no snmp-server contact
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps memory-threshold
snmp-server enable traps interface-threshold
snmp-server enable traps remote-access session-threshold-exceeded
snmp-server enable traps connection-limit-reached
snmp-server enable traps cpu threshold rising
snmp-server enable traps ikev2 start stop
snmp-server enable traps nat packet-discard
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_Ufa_cryptomap
crypto map outside_map 1 set peer 192.150.62.21
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 1 set reverse-route
crypto map outside_map 2 match address outside_Samara_cryptomap
crypto map outside_map 2 set peer 182.105.22.5
crypto map outside_map 2 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 2 set reverse-route
crypto map outside_map 3 match address outside_Egorievsk_cryptomap
crypto map outside_map 3 set peer 193.109.194.30
crypto map outside_map 3 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 3 set reverse-route
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.1.87 255.255.255.255 inside
ssh timeout 15
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy RuSer internal
group-policy RuSer attributes
dns-server value 195.107.107.5 195.107.107.6
vpn-tunnel-protocol ikev1
default-domain value steklonit.ru
username admin password 8gnt7/.hoRgi7N5A encrypted privilege 15
username medvedev password P6m5DacN2LJt3NEL encrypted privilege 15
username zubov password 5jpxWsZ28vigFDNs encrypted privilege 15
username zubov attributes
vpn-group-policy RuSer
tunnel-group 192.150.62.21 type ipsec-l2l
tunnel-group 192.150.62.21 ipsec-attributes
ikev1 pre-shared-key dgY*(753!
tunnel-group RuSer type remote-access
tunnel-group RuSer general-attributes
address-pool ReSer_VPN
default-group-policy RuSer
tunnel-group RuSer ipsec-attributes
ikev1 pre-shared-key ***********
tunnel-group 182.105.22.5 type ipsec-l2l
tunnel-group 182.105.22.5 ipsec-attributes
ikev1 pre-shared-key **********
tunnel-group 193.109.194.30 type ipsec-l2l
tunnel-group 193.109.194.30 ipsec-attributes
ikev1 pre-shared-key **********
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:8dfed9c064ec596d6e39f58768dae331
: end

Config of the ASA in office 1:


ASA Version 9.1(7)32
!
hostname asa5550-ufa
domain-name steklonit-ufa.ru
enable password CL3OQS5fAjwNjpHj encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool VPN-inside-AnyConnect 192.168.13.0-192.168.13.100 mask 255.255.255.0
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.150.62.21 255.255.255.252
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
nameif inside
security-level 100
ip address 192.168.2.130 255.255.255.0
!
interface GigabitEthernet0/3
nameif inside2
security-level 50
ip address 192.168.11.130 255.255.255.0
!
interface Management0/0
nameif Manage
security-level 100
ip address 192.168.22.2 255.255.255.0
!
interface GigabitEthernet1/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa917-32-k8.bin
ftp mode passive
clock timezone YEKST 5
clock summer-time YEKDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns server-group DefaultDNS
name-server 81.30.199.5
name-server 81.30.199.95
name-server 8.8.4.4
domain-name steklonit-ufa.ru
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.11.0
subnet 192.168.11.0 255.255.255.0
object network NETWORK_OBJ_192.168.13.0_25
subnet 192.168.13.0 255.255.255.128
object-group network Moscow
network-object 192.168.1.0 255.255.255.0
network-object 192.168.8.0 255.255.255.0
network-object host 192.168.10.0
network-object host 192.168.20.0
object-group network Egor
network-object 192.168.4.0 255.255.255.0
object-group network Samara
network-object host 192.168.3.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list nonat extended permit ip 192.168.11.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 object-group Moscow
access-list nonat extended permit ip object-group Moscow 192.168.2.0 255.255.255.0
access-list outside_Moscow_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group Moscow
access-list inside2_access_in extended permit ip 192.168.11.0 255.255.255.0 any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list SSL_VPN standard permit 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu inside2 1500
mtu Manage 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-781-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,any) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-192.168.11.0 obj-192.168.11.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-192.168.11.0 obj-192.168.11.0 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-192.168.2.0 obj-192.168.2.0 destination static Moscow Moscow no-proxy-arp route-lookup
nat (inside,any) source static Moscow Moscow destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp route-lookup
nat (inside2,outside) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-192.168.11.0 obj-192.168.11.0 no-proxy-arp route-lookup
nat (inside2,outside) source static obj-192.168.11.0 obj-192.168.11.0 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp route-lookup
nat (inside2,outside) source static obj-192.168.2.0 obj-192.168.2.0 destination static Moscow Moscow no-proxy-arp route-lookup
nat (inside2,outside) source static Moscow Moscow destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp route-lookup
nat (inside2,inside2) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-192.168.11.0 obj-192.168.11.0 no-proxy-arp route-lookup
nat (inside2,inside2) source static obj-192.168.11.0 obj-192.168.11.0 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp route-lookup
nat (inside2,inside2) source static obj-192.168.12.0 obj-192.168.12.0 destination static Moscow Moscow no-proxy-arp route-lookup
nat (inside2,inside2) source static Moscow Moscow destination static obj-192.168.12.0 obj-192.168.2.0 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.13.0_25 NETWORK_OBJ_192.168.13.0_25 no-proxy-arp route-lookup
!
object network obj-192.168.2.0
nat (inside,outside) dynamic interface
object network obj-192.168.11.0
nat (inside2,outside) dynamic interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group inside2_access_in in interface inside2
route outside 0.0.0.0 0.0.0.0 192.150.102.9 1
route outside 192.168.1.0 255.255.255.0 192.150.102.9 1
route outside 192.168.8.0 255.255.255.0 192.150.102.9 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
webvpn
svc ask enable default webvpn
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 192.168.1.3
server-port 389
ldap-base-dn DC=steklonit-ufa,DC=ru
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password ************
ldap-login-dn CN=IIS-2 centry,CN=Users,DC=steklonit-ufa,DC=ru
server-type microsoft
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.121 255.255.255.255 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 match address outside_Moscow_cryptomap
crypto map outside_map 1 set peer 190.104.30.2
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 1 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint1
keypair ASDM_TrustPoint1
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=asa5550-ufa
keypair ASDM_TrustPoint0
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint1
certificate ca 7d5b5126b476ba11db74160bbc530da7
30820613 308203fb a0030201 0202107d 5b5126b4 76ba11db 74160bbc 530da730
0d06092a 864886f7 0d01010c 05003081 88310b30 09060355 04061302 55533113
30110603 55040813 0a4e6577 204a6572 73657931 14301206 03550407 130b4a65
72736579 20436974 79311e30 1c060355 040a1315 54686520 55534552 54525553
54204e65 74776f72 6b312e30 2c060355 04031325 55534552 54727573 74205253
41204365 72746966 69636174 696f6e20 41757468 6f726974 79301e17 0d313831
31303230 30303030 305a170d 33303132 33313233 35393539 5a30818f 310b3009
06035504 06130247 42311b30 19060355 04081312 47726561 74657220 4d616e63
68657374 65723110 300e0603 55040713 0753616c 666f7264 31183016 06035504
0a130f53 65637469 676f204c 696d6974 65643137 30350603 55040313 2e536563
7469676f 20525341 20446f6d 61696e20 56616c69 64617469 6f6e2053 65637572
65205365 72766572 20434130 82012230 0d06092a 864886f7 0d010101 05000382
010f0030 82010a02 82010100 d67333d6 d73c20d0 00d21745 b8d63e07 a23fc741
ee3230c9 b06cfdf4 9fcb1298 0f2d3f8d 4d010c82 0f177f62 2ee9b848 79fb1683
4eadd732 2593b707 bfb9503f a94cc340 2ae939ff d981ca1f 163241da 8026b923
7a87201e e3ff209a 3c95446f 87750690 40b43293 16091008 233ed2dd 870f6f5d
51146a0a 69c54f01 7269cfd3 934c6d04 a0a31b82 7eb19ab9 edc59ec5 37789f9a
0834fb56 2e58c409 0e06645b bc37dcf1 9f2868a8 56b092a3 5c9fbb88 98081b24
1dab3085 aeafb02e 9e7a9dc1 c0421ce2 02f0eae0 4ad2ef90 0eb4c140 16f06f85
424a64f7 a430a0fe bf2ea327 5a8e8b58 b8adc319 178463ed 6f56fd83 cb6034c4
74bee69d dbe1e4e5 ca0c5f15 02030100 01a38201 6e308201 6a301f06 03551d23
04183016 80145379 bf5aaa2b 4acf5480 e1d89bc0 9df2b203 66cb301d 0603551d
0e041604 148d8c5e c454ad8a e177e99b f99b05e1 b8018d61 e1300e06 03551d0f
0101ff04 04030201 86301206 03551d13 0101ff04 08300601 01ff0201 00301d06
03551d25 04163014 06082b06 01050507 03010608 2b060105 05070302 301b0603
551d2004 14301230 06060455 1d200030 08060667 810c0102 01305006 03551d1f
04493047 3045a043 a041863f 68747470 3a2f2f63 726c2e75 73657274 72757374
2e636f6d 2f555345 52547275 73745253 41436572 74696669 63617469 6f6e4175
74686f72 6974792e 63726c30 7606082b 06010505 07010104 6a306830 3f06082b
06010505 07300286 33687474 703a2f2f 6372742e 75736572 74727573 742e636f
6d2f5553 45525472 75737452 53414164 64547275 73744341 2e637274 30250608
2b060105 05073001 86196874 74703a2f 2f6f6373 702e7573 65727472 7573742e
636f6d30 0d06092a 864886f7 0d01010c 05000382 02010032 bf61bd0e 48c34fc7
ba474df8 9c781901 dc131d80 6ffcc370 b4529a31 339a5752 fb319e6b a4ef54aa
898d4017 68f81110 7cd2cab1 f15586c7 eeb33691 86f63951 bf46bf0f a0bab4f7
7e49c42a 36179ee4 68397aaf 944e566f b27b3bbf 0a86bdcd c5771c03 b838b1a2
1f5f7edb 8adc4648 b6680acf b2b5b4e2 34e467a9 3866095e d2b8fc9d 283a1740
27c2724e 29fd213c 7ccf13fb 962cc531 44fd13ed d59ba969 68777cee e1ffa4f9
36380853 39a28434 9c19f3be 0eacd524 37eb23a8 78d0d3e7 ef924764 623922ef
c6f711be 2285c666 4424268e 10328dc8 93ae079e 833e2fd9 f9f5468e 63bec1e6
b4dca6cd 21a8860a 95d92e85 261afdfc b1b65742 6d95d133 f6391406 824138f5
8f58dc80 5ba4d57d 9578fda7 9bfffdc5 a869ab26 e7a7a405 875ba9b7 b8a3200b
97a94585 ddb38be5 89378e29 0dfc0617 f638400e 42e41206 fb7bf3c6 116862df
e398f413 d8154f8b b169d910 60bc642a ea31b7e4 b5a33a14 9b26e30b 7bfd028e
b699c138 975936f6 a874a286 b65eebc6 64eacfa0 a3f96e9e ba2d11b6 86980858
2dc9ac25 64f25e75 b438c1ae 7f5a4683 ea51cab6 f1991135 6ba56a7b c600b0e7
f8be64b2 adc8c2f1 ace351ea a493e079 c8e18140 c90a5be1 123cc160 2ae397c0
8942ca94 cf469812 69bb98d0 c2d30d72 4b476ee5 93c43228 638743e4 b0323e0a
d34bbf23 9b142941 2b9a041f 932df1c7 39483cad 5a127f
quit
crypto ca certificate chain ASDM_TrustPoint0
certificate 7d64d65e
30820302 308201ea a0030201 0202047d 64d65e30 0d06092a 864886f7 0d010105
05003043 31143012 06035504 03130b61 73613535 35302d75 6661312b 30290609
2a864886 f70d0109 02161c61 73613535 35302d75 66612e73 74656b6c 6f6e6974
2d756661 2e727530 1e170d32 30303731 35303630 3035325a 170d3330 30373133
30363030 35325a30 43311430 12060355 0403130b 61736135 3535302d 75666131
2b302906 092a8648 86f70d01 0902161c 61736135 3535302d 7566612e 7374656b
6c6f6e69 742d7566 612e7275 30820122 300d0609 2a864886 f70d0101 01050003
82010f00 3082010a 02820101 009c798d 2e0b1842 aeb1dc47 65863937 9d3d90ef
36b65965 e152245c 096c022d 26275110 1f5b18cb d5b9e50f d53222f7 e1f8dff3
b2f0604c 600f8149 1455ee9c 157e5402 6975f66f 8de17303 857987f2 6122b865
32208d6b 196bafb1 0aafac54 6b77242e 98699ddb ec7b84b9 1ad59dcd 8cc37c9e
db89ae83 071f23ff a9b10a37 d4745530 8d20b6c0 e682ea3b 394f3a98 6cd2e5bb
c946b4a0 27837b57 013daddf ddbcc9bc d438cb9f 6cdc0dbf 49d4c821 44c4b0e8
f78d03d1 22ab971c 4bd68231 000776f7 07abb618 b00fc417 fd8cd9ac 694ad9a6
b8f0ba51 5373d464 b77d5965 239e6dd5 f7e18150 ae3bfb67 9e06fece 15711308
09d6493c 93794478 4240c1c8 75020301 0001300d 06092a86 4886f70d 01010505
00038201 0100070b e5617695 7a42a452 5323493e a66ab777 68612626 556a15bb
76248d2b 595b48e3 c1f2ac40 b90e3568 6090088c 2718f6e5 87474f89 3f9885c9
b6ab7071 900c8330 49414a54 dc68c3fd 9185b302 87d2b473 2a4ef377 1900c43a
e72b8b42 2079e1f6 34cae73d 213d49e9 e7c83f6a 20c671d8 dbd139cc 4f3d9954
af1e0349 e83253b3 d7f4eb25 d61d54ee fdc264d7 e90fc7ab 8cf37f56 b05bd2fe
c9b92ca5 ebff979f ed8ec3ab 6918e808 4612c116 4574c8a4 5f30f015 b8936f60
087f0e01 d033f149 392bc135 29467b2c 3beb5184 f1d92aae c8867f53 66ef0969
64c7b068 6dbb59c3 6a48514b c5903d49 13ff167e a10b2d46 b1ff8b39 5fb76757
9330c72e 13a1
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.2.111 255.255.255.255 inside
ssh timeout 15
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint0 inside2
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 Manage
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.1.01065-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-3.1.01065-k9.pkg 2
anyconnect profiles VPN_inside_AnyConnect_client_profile disk0:/VPN_inside_AnyConnect_client_profile.xml
anyconnect enable
tunnel-group-list enable
cache
disable
group-policy DfltGrpPolicy attributes
group-policy GroupPolicy_VPN_inside_AnyConnect internal
group-policy GroupPolicy_VPN_inside_AnyConnect attributes
wins-server none
dns-server value 8.8.4.4 192.168.2.3
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SSL_VPN
default-domain value steklonit-ufa.ru
split-tunnel-all-dns enable
group-policy Steklo internal
group-policy Steklo attributes
vpn-tunnel-protocol ssl-clientless
webvpn
url-list value stek
username admin password 8gnt7/.hoRgi7N5A encrypted privilege 15
username VPN_user password UX6Utnse77cLc6rb encrypted privilege 0
username VPN_user attributes
vpn-group-policy Steklo
tunnel-group 190.104.30.2 type ipsec-l2l
tunnel-group 190.104.30.2 ipsec-attributes
ikev1 pre-shared-key ***********
tunnel-group VPN_inside_AnyConnect type remote-access
tunnel-group VPN_inside_AnyConnect general-attributes
address-pool VPN-inside-AnyConnect
authentication-server-group LDAP
default-group-policy GroupPolicy_VPN_inside_AnyConnect
tunnel-group VPN_inside_AnyConnect webvpn-attributes
group-alias VPN_inside_AnyConnect enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e0497248617e9546863851e3de793035
: end

ASA config, office 2:


ASA Version 9.1(7)32
!
hostname asa5550-ksi
domain-name ksi-izol.ru
enable password CL3OQS5fAjwNjpHj encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 182.105.202.5 255.255.255.252
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
nameif inside2
security-level 100
ip address 192.168.30.1 255.255.255.0
!
interface Management0/0
nameif Manage
security-level 100
ip address 192.168.33.3 255.255.255.0
!
interface GigabitEthernet1/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa917-32-k8.bin
ftp mode passive
clock timezone YEKST 5
clock summer-time YEKDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns server-group DefaultDNS
name-server 81.30.199.5
name-server 81.30.199.95
name-server 8.8.4.4
domain-name ksi-izol.ru
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-192.168.3.0
subnet 192.168.3.0 255.255.255.0
object network obj-192.168.30.0
subnet 192.168.30.0 255.255.255.0
object-group network Moscow
network-object 192.168.1.0 255.255.255.0
network-object 192.168.8.0 255.255.255.0
network-object 192.168.12.0 255.255.255.0
object-group network Egor
network-object 192.168.4.0 255.255.255.0
object-group network Samara
network-object 192.168.3.0 255.255.255.0
object-group network Ufa
network-object 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list nonat extended permit ip 192.168.30.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 object-group Moscow
access-list nonat extended permit ip object-group Moscow 192.168.3.0 255.255.255.0
access-list outside_Moscow_cryptomap extended permit ip 192.168.3.0 255.255.255.0 object-group Moscow
access-list inside_access_in extended permit ip any4 any4
access-list outside_access_in extended permit icmp any4 any4
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu inside2 1500
mtu Manage 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,any) source static obj-192.168.3.0 obj-192.168.3.0 destination static obj-192.168.30.0 obj-192.168.30.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-192.168.30.0 obj-192.168.30.0 destination static obj-192.168.3.0 obj-192.168.3.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-192.168.3.0 obj-192.168.3.0 destination static Moscow Moscow no-proxy-arp route-lookup
nat (inside,any) source static Moscow Moscow destination static obj-192.168.3.0 obj-192.168.3.0 no-proxy-arp route-lookup
!
object network obj-192.168.3.0
nat (inside,outside) dynamic interface
object network obj-192.168.250.15
nat (inside,outside) static interface service tcp 3389 4758
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 182.105.202.9 1
route outside 192.168.6.0 255.255.255.255 182.105.202.9 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.3.10 255.255.255.255 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_Moscow_cryptomap
crypto map outside_map 1 set peer 90.154.32.2
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.3.10 255.255.255.255 inside
ssh timeout 15
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes128-sha1 3des-sha1
webvpn
enable outside
cache
disable
username admin password 8gnt7/.hoRgi7N5A encrypted privilege 15
tunnel-group 190.104.30.2 type ipsec-l2l
tunnel-group 190.104.30.2 ipsec-attributes
ikev1 pre-shared-key *********
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1cc9c16d06a84c9f27ee2b0dfb1c5eee
: end

 

Sergey Lisitsin
Rising star

Good afternoon,

In your spoke configurations, the spokes' networks are not included in each other's crypto map ACLs. So you need to do the following:

 

1. Include network 192.168.3.0/24 in the ACL at the second office

2. Add a NAT exempt rule for this network from the local crypto domain (simply copy the config for network 192.168.1.0/24)

3. Include network 192.168.2.0/24 in the ACL at the third office

4. Add a NAT exempt rule for this network from the local crypto domain (simply copy the config for network 192.168.1.0/24)

5. Add a NAT exempt rule in the (outside, outside) direction on the central ASA for networks 2 and 3.

And you already have the command same-security permit intra-interface on the central ASA.

That should be all.

Good afternoon

1. Included network 192.168.3.0/24 in the ACL at the second office

object-group network Samara
network-object 192.168.3.0 255.255.255.0

access-list nonat extended permit ip object-group Samara 192.168.2.0 255.255.255.0

2. Added a NAT exempt rule

nat (inside,outside) source static obj-192.168.2.0 obj-192.168.2.0 destination static Samara Samara no-proxy-arp route-lookup

3. Included network 192.168.2.0/24 in the ACL at the third office

object-group network Ufa

network-object 192.168.2.0 255.255.255.0

access-list nonat extended permit ip object-group Ufa 192.168.3.0 255.255.255.0

4. Added a NAT exempt rule

nat (inside,outside) source static obj-192.168.3.0 obj-192.168.3.0 destination static Samara Samara no-proxy-arp route-lookup

5. Added a NAT exempt rule in the (outside, outside) direction on the central ASA for networks 2 and 3.

nat (outside,outside) source static UFA UFA destination static Samara Samara no-proxy-arp route-lookup


I made a mistake somewhere, because it doesn't work: the networks still can't see each other.

I think you still have not included the networks in the crypto ACL. You created the objects and created the NAT exempt rules, but you did not add these objects to object-group Moscow, since Moscow is the hub from the topology's point of view.

Good afternoon.

Is this what you meant?

Second office
object-group network Moscow
network-object 192.168.1.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
access-list outside_Moscow_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group Moscow

 

Third office
object-group network Moscow
network-object 192.168.1.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
access-list outside_Moscow_cryptomap extended permit ip 192.168.3.0 255.255.255.0 object-group Moscow

Good afternoon.

Yes, exactly that.

No, unfortunately the subnets still can't see each other.

Packet Tracer says: Type: VPN, Subtype: encrypt, Result: DROP
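Collected here as an added example (not the thread's own configs) is the full set of changes that the five steps and the follow-up about object-group Moscow describe, for all three ASAs; the names Hub_and_Ufa, Hub_and_Samara, outside_Ufa_cryptomap, outside_Samara_cryptomap and the SPOKE*_PUBLIC_IP values are assumed placeholders, because the hub's crypto map section is not shown in the thread. It goes beyond the listed steps in one respect: the hub's own crypto ACLs are widened too, since the hub-to-spoke SA for each spoke must also carry the other spoke's subnet.

```cisco
! ===== Spoke 2 (Ufa, 192.168.2.0/24) =====
object network obj-192.168.2.0
 subnet 192.168.2.0 255.255.255.0
! remote crypto domain reachable through the hub: hub LAN plus the other spoke
object-group network Moscow
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
access-list outside_Moscow_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group Moscow
! one NAT exemption for the whole crypto domain (hub and spoke 3); static twice NAT is bidirectional
nat (inside,outside) source static obj-192.168.2.0 obj-192.168.2.0 destination static Moscow Moscow no-proxy-arp route-lookup

! ===== Spoke 3 (Samara, 192.168.3.0/24) =====
object network obj-192.168.3.0
 subnet 192.168.3.0 255.255.255.0
object-group network Moscow
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
access-list outside_Moscow_cryptomap extended permit ip 192.168.3.0 255.255.255.0 object-group Moscow
! destination is the Moscow group (hub + Ufa), not the local Samara group
nat (inside,outside) source static obj-192.168.3.0 obj-192.168.3.0 destination static Moscow Moscow no-proxy-arp route-lookup

! ===== Hub (Moscow, 192.168.1.0/24) =====
! hairpin: traffic that arrives on outside may be sent back out of outside
same-security-traffic permit intra-interface
object-group network Ufa
 network-object 192.168.2.0 255.255.255.0
object-group network Samara
 network-object 192.168.3.0 255.255.255.0
object-group network Hub_and_Samara
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
object-group network Hub_and_Ufa
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
! each hub-to-spoke crypto ACL mirrors that spoke's ACL, so it names the other spoke as well
access-list outside_Ufa_cryptomap extended permit ip object-group Hub_and_Samara object-group Ufa
access-list outside_Samara_cryptomap extended permit ip object-group Hub_and_Ufa object-group Samara
crypto map outside_map 10 match address outside_Ufa_cryptomap
crypto map outside_map 10 set peer SPOKE2_PUBLIC_IP
crypto map outside_map 10 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 20 match address outside_Samara_cryptomap
crypto map outside_map 20 set peer SPOKE3_PUBLIC_IP
crypto map outside_map 20 set ikev1 transform-set ESP-3DES-SHA
! no NAT between the two spokes while their traffic turns around on outside (rule is bidirectional)
nat (outside,outside) source static Ufa Ufa destination static Samara Samara no-proxy-arp route-lookup
```

If the hub's crypto ACL is not a mirror of the spoke's, the spoke matches its widened ACL but cannot bring up an SA for the new proxy identities, which packet-tracer typically reports as a drop in the VPN encrypt phase. Existing hub-to-spoke NAT exemptions, IKE policies and tunnel-groups are left unchanged.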
