Asking about an IPsec VPN problem

wuleihen (Spotlight)
Last edited by wuleihen on 2018-8-10 17:32
The customer has two sites that need to be interconnected over an IPsec VPN. Site A is a Sangfor (深信服) VPN appliance, site B is an ASA5508. With the configuration in place, testing shows that site A can ping devices inside site B, but site B cannot ping the device addresses at site A. Could someone help troubleshoot? The configuration is below.
Site A address ranges: 10.132.0.0 255.255.240.0, 10.133.0.0 255.255.240.0, 10.137.0.0 255.255.240.0
Site B address range: 10.145.0.0 255.255.240.0
: Hardware: ASA5508, 8192 MB RAM, CPU Atom C2000 series 2000 MHz, 1 CPU (8 cores)
:
ASA Version 9.8(1)
!
hostname asa
enable password $sha512$5000$Xre5nuZUSefXJxmsCK3WLw==$258TRrfyVQE031EHivl13g== pbkdf2
passwd PmWaOgPwdORk/oke encrypted
names
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address
!
interface GigabitEthernet1/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2.100
vlan 100
nameif wire
security-level 100
ip address 10.145.0.253 255.255.255.0
!
interface GigabitEthernet1/2.102
vlan 102
nameif wireless-guest
security-level 100
ip address 10.145.2.253 255.255.255.0
!
interface GigabitEthernet1/2.103
vlan 103
nameif other-management
security-level 100
ip address 10.145.3.125 255.255.255.128
!
interface GigabitEthernet1/2.104
vlan 104
nameif management
security-level 100
ip address 10.145.3.254 255.255.255.128
!
interface GigabitEthernet1/2.105
vlan 105
nameif wireless-employeer
security-level 100
ip address 10.145.1.253 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network wire
subnet 10.145.0.0 255.255.255.0
object network wireless-employeer
subnet 10.145.1.0 255.255.255.0
object network other-management
subnet 10.145.3.0 255.255.255.128
object network management
subnet 10.145.3.128 255.255.255.128
object network wireless-guest
subnet 10.145.2.0 255.255.255.0
object network local-lan
subnet 10.145.0.0 255.255.240.0
object network remote
subnet 10.132.0.0 255.255.240.0
object network remote-df
subnet 10.137.0.0 255.255.240.0
object network remote-usa
subnet 10.133.0.0 255.255.240.0
access-list ipsecvpn extended permit ip object management object remote
access-list ipsecvpn extended permit ip object management object remote-df
access-list ipsecvpn extended permit ip object management object remote-usa
access-list ipsecvpn extended permit ip object wireless-employeer object remote-df
access-list ipsecvpn extended permit ip object wireless-employeer object remote
access-list ipsecvpn extended permit ip object wireless-employeer object remote-usa
access-list ipsecvpn extended permit ip object wire object remote
access-list ipsecvpn extended permit ip object wire object remote-df
access-list ipsecvpn extended permit ip object wire object remote-usa
access-list ipsecvpn extended permit ip object other-management object remote
access-list ipsecvpn extended permit ip object other-management object remote-df
access-list ipsecvpn extended permit ip object other-management object remote-usa
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu wire 1500
mtu wireless-employeer 1500
mtu wireless-guest 1500
mtu other-management 1500
mtu management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (other-management,outside) source static other-management other-management destination static remote remote no-proxy-arp route-lookup
nat (management,outside) source static management management destination static remote remote no-proxy-arp route-lookup
nat (management,outside) source static management management destination static remote-df remote-df no-proxy-arp route-lookup
nat (management,outside) source static management management destination static remote-usa remote-usa no-proxy-arp route-lookup
nat (wireless-employeer,outside) source static wireless-employeer wireless-employeer destination static remote remote no-proxy-arp route-lookup
nat (wireless-employeer,outside) source static wireless-employeer wireless-employeer destination static remote-df remote-df no-proxy-arp route-lookup
nat (wireless-employeer,outside) source static wireless-employeer wireless-employeer destination static remote-usa remote-usa no-proxy-arp route-lookup
nat (other-management,outside) source static other-management other-management destination static remote-df remote-df no-proxy-arp route-lookup
nat (other-management,outside) source static other-management other-management destination static remote-usa remote-usa no-proxy-arp route-lookup
nat (wire,outside) source static wire wire destination static remote remote no-proxy-arp route-lookup
nat (wire,outside) source static wire wire destination static remote-df remote-df no-proxy-arp route-lookup
nat (wire,outside) source static wire wire destination static remote-usa remote-usa no-proxy-arp route-lookup
!
object network obj_any
nat (any,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 ****** 1
route management 10.128.0.0 255.240.0.0 10.132.0.1 1
route wire 10.145.0.0 255.255.255.0 10.145.3.253 1
route wireless-employeer 10.145.1.0 255.255.255.0 10.145.3.253 1
route wireless-employeer 10.132.0.0 255.255.240.0 10.132.0.1 1
route wireless-employeer 10.133.0.0 255.255.240.0 10.132.0.1 1
route wireless-employeer 10.137.0.0 255.255.240.0 10.132.0.1 1
route wireless-guest 10.145.2.0 255.255.255.0 10.145.3.253 1
route other-management 10.145.3.0 255.255.255.128 10.145.3.253 1
route management 10.145.3.128 255.255.255.128 10.145.3.253 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 10.145.3.0 255.255.255.128 other-management
http 10.145.3.128 255.255.255.128 management
http 10.145.0.0 255.255.255.0 wire
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set transform esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map crymap 1 match address ipsecvpn
crypto map crymap 1 set peer *.*.*.*
crypto map crymap 1 set ikev1 transform-set transform
crypto map crymap interface outside
crypto ca trustpool policy
no crypto isakmp nat-traversal
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.145.0.0 255.255.255.0 wire
ssh 10.145.3.128 255.255.255.128 management
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 0
dhcpd lease 36000
!
dhcpd address 10.145.0.1-10.145.0.249 wire
dhcpd dns 10.132.0.5 61.147.37.1 interface wire
dhcpd lease 36000 interface wire
dhcpd enable wire
!
dhcpd address 10.145.1.1-10.145.1.249 wireless-employeer
dhcpd dns 10.132.0.5 61.147.37.1 interface wireless-employeer
dhcpd lease 36000 interface wireless-employeer
dhcpd enable wireless-employeer
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy gp internal
group-policy gp attributes
vpn-tunnel-protocol ikev1
dynamic-access-policy-record DfltAccessPolicy
username admin password $sha512$5000$VeNcuhzHn/sy0eQMQtWXnA==$9n/wFy2uUi1GwjwATBWblA== pbkdf2
tunnel-group *.*.*.* type ipsec-l2l
tunnel-group *.*.*.* general-attributes
default-group-policy gp
tunnel-group *.*.*.* ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 60 retry 5
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
!
show crypto ikev1 sa detail
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: *.*.*.*
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Encrypt : aes Hash : SHA
Auth : preshared Lifetime: 86400
Lifetime Remaining: 82425
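Added example, not from the original post and not Cisco's tooling: a Python check that parses the `object network`, crypto-ACL, `route` and `crypto map` lines of an ASA running config and reports every crypto-ACL destination whose longest-prefix static route exits an interface other than the one the crypto map is bound to. Traffic the routing table sends out an inside interface never reaches the crypto map on `outside` and is not encrypted, whatever the crypto ACL says. In the posted config the three `route wireless-employeer` lines route all three remote /20s away from `outside`, and once those are removed the `route management 10.128.0.0 255.240.0.0` line, which covers the same three /20s, still does. The embedded sample is a trimmed copy of the posted lines (only the `management` and `wire` ACEs are kept); the default gateway was masked in the post, so 203.0.113.1 is a placeholder.

```python
import ipaddress
import re

# Constructed sample: a trimmed copy of the object, crypto-ACL, route and crypto-map lines
# from the ASA config posted in this thread (only the management and wire ACEs are kept).
# The poster masked the default gateway, so 203.0.113.1 is a placeholder, not the real hop.
SAMPLE_CONFIG = """\
object network wire
 subnet 10.145.0.0 255.255.255.0
object network management
 subnet 10.145.3.128 255.255.255.128
object network remote
 subnet 10.132.0.0 255.255.240.0
object network remote-df
 subnet 10.137.0.0 255.255.240.0
object network remote-usa
 subnet 10.133.0.0 255.255.240.0
access-list ipsecvpn extended permit ip object management object remote
access-list ipsecvpn extended permit ip object management object remote-df
access-list ipsecvpn extended permit ip object management object remote-usa
access-list ipsecvpn extended permit ip object wire object remote
access-list ipsecvpn extended permit ip object wire object remote-df
access-list ipsecvpn extended permit ip object wire object remote-usa
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route management 10.128.0.0 255.240.0.0 10.132.0.1 1
route wire 10.145.0.0 255.255.255.0 10.145.3.253 1
route wireless-employeer 10.132.0.0 255.255.240.0 10.132.0.1 1
route wireless-employeer 10.133.0.0 255.255.240.0 10.132.0.1 1
route wireless-employeer 10.137.0.0 255.255.240.0 10.132.0.1 1
crypto map crymap 1 match address ipsecvpn
crypto map crymap interface outside
"""


def _addr(tok, i, objects):
    """Decode one ACE address spec starting at tok[i]; return (network, next index)."""
    if tok[i] in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "object":
        return objects[tok[i + 1]], i + 2
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def parse_asa(text):
    """Pull network objects, extended ACEs, static routes and crypto-map bindings."""
    objects, acls, routes, cmap_acls, cmap_iface = {}, {}, [], {}, {}
    cur_obj = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"object network (\S+)$", line):
            cur_obj = m.group(1)
        elif cur_obj and (m := re.match(r"subnet (\S+) (\S+)$", line)):
            objects[cur_obj] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif cur_obj and (m := re.match(r"host (\S+)$", line)):
            objects[cur_obj] = ipaddress.ip_network(m.group(1))
        elif m := re.match(r"access-list (\S+) extended permit \S+ (.+)$", line):
            tok = m.group(2).split()
            src, i = _addr(tok, 0, objects)
            dst, _ = _addr(tok, i, objects)
            acls.setdefault(m.group(1), []).append((src, dst))
        elif m := re.match(r"route (\S+) (\S+) (\S+) (\S+)", line):
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
            routes.append((m.group(1), net, m.group(4)))
        elif m := re.match(r"crypto map (\S+) \d+ match address (\S+)", line):
            cmap_acls.setdefault(m.group(1), set()).add(m.group(2))
        elif m := re.match(r"crypto map (\S+) interface (\S+)", line):
            cmap_iface[m.group(1)] = m.group(2)
    return objects, acls, routes, cmap_acls, cmap_iface


def best_route(routes, dst):
    """Longest-prefix static route that covers the whole destination prefix, or None."""
    covering = [r for r in routes if r[1].supernet_of(dst)]
    return max(covering, key=lambda r: r[1].prefixlen, default=None)


def check_crypto_routes(text):
    """Return (destination, reason) for each crypto-ACL destination that the static
    routing table sends out an interface other than the crypto map's interface."""
    _, acls, routes, cmap_acls, cmap_iface = parse_asa(text)
    findings = []
    for cmap, iface in cmap_iface.items():
        for acl_name in sorted(cmap_acls.get(cmap, ())):
            seen = set()
            for _src, dst in acls.get(acl_name, ()):
                if dst in seen:
                    continue
                seen.add(dst)
                best = best_route(routes, dst)
                if best is None:
                    findings.append((str(dst), "no route at all"))
                elif best[0] != iface:
                    findings.append((str(dst), f"route {best[0]} {best[1]} via {best[2]}"))
                # A more specific route inside the destination steals part of the traffic too.
                for r_iface, r_net, r_gw in routes:
                    if r_net != dst and dst.supernet_of(r_net) and r_iface != iface:
                        findings.append((str(dst), f"more-specific route {r_iface} {r_net} via {r_gw}"))
    return findings
```

Run `check_crypto_routes(SAMPLE_CONFIG)` to get one finding per remote /20, each naming the `wireless-employeer` route that captures it; drop those three lines from the sample and the same destinations are reported against `route management 10.128.0.0/12`; drop that line as well and the list is empty, because only the default route on `outside` is left. The check only reads static routes, so a dynamic routing protocol or a connected-interface overlap would have to be added by hand.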

yuhao (Level 1)
route wireless-employeer 10.132.0.0 255.255.240.0 10.132.0.1 1
route wireless-employeer 10.133.0.0 255.255.240.0 10.132.0.1 1
route wireless-employeer 10.137.0.0 255.255.240.0 10.132.0.1 1
These routes toward the remote side shouldn't be needed, should they? Can't the traffic just follow the default route?

wuleihen (Spotlight)
yuhao@wxncs.net posted on 2018-8-23 13:57:
route wireless-employeer 10.132.0.0 255.255.240.0 10.132.0.1 1
route wireless-employeer 10.133.0.0 ...

Yes, I have already deleted those three. They weren't there originally either; I added them to see whether it would help. It didn't.

wuleihen (Spotlight)
yuhao@wxncs.net posted on 2018-8-23 13:57:
route wireless-employeer 10.132.0.0 255.255.240.0 10.132.0.1 1
route wireless-employeer 10.133.0.0 ...

Then let me ask: how should the routes be written?

yssqt5211 (Level 1)
Your problem is a bit odd. By rights packets go out and come back, so if it fails it should fail in both directions. Can you show the topology of both sides?

yssqt5211 (Level 1)
Are you using aggressive mode?

yuhao (Level 1)
wuleihen posted on 2018-8-23 22:00:
Then let me ask: how should the routes be written?

The routes are fine.
Add a coarse ACL for testing:
access-list 100 permit ip any any
access-group 100 in int outside
Then try again.

yuhao (Level 1)
wuleihen posted on 2018-8-23 22:00:
Then let me ask: how should the routes be written?

Also confirm that the interesting traffic on both ends is correct.

wuleihen (Spotlight)
yssqt5211 posted on 2018-8-26 15:45:
Are you using aggressive mode?

At the time I tested both main mode and aggressive mode; both could establish the VPN, but traffic didn't pass either way. The problem has been solved now, by opening a case; it seems it was caused by multiple routes. Sigh.

wuleihen (Spotlight)
yuhao@wxncs.net posted on 2018-8-28 14:20:
Also confirm that the interesting traffic on both ends is correct.

Establishing the VPN was never the problem. It has been solved now; I opened a case with Cisco, and it seems an extra route was the cause.

yssqt5211 (Level 1)
wuleihen posted on 2018-8-28 17:17:
Establishing the VPN was never the problem. It has been solved now; I opened a case with Cisco, and it seems an extra route was the cause.

Hello, caused by multiple routes? With multiple routes the traffic may hash out to another interface, but in that case both directions should fail.

马世骏.A.M (Level 1)
I recently ran into a problem with the same symptom while configuring an IPsec VPN between a 网康 appliance and UCLOUD for a customer.
Causes: 1. The NAT policy for the on-premises 网康 IPsec VPN was missing the "does not belong to" (exemption) rule;
2. The egress was dual-line load-balanced, so a policy route was needed to send the on-premises subnets' traffic to the fixed IP address given in the IPsec VPN configuration. Only then did both the local side and the cloud side reach each other.
The symptom is the same, but whether the cause is the same I don't know; for reference only.

xiaocqu (Spotlight)
wuleihen posted on 2018-8-13 13:30:
How do I test whether the interesting traffic is matched? I compared the access lists on both sides and they correspond.

1/ show access-list ipsecvpn, and note the hitcnt value
access-list abc; 1 elements; name hash: 0x275fa452
access-list abc line 1 extended permit ip any any (hitcnt=0) 0x88500c8e
2/ Trigger traffic at site B.
3/ show access-list ipsecvpn again and check whether hitcnt has increased
access-list abc; 1 elements; name hash: 0x275fa452
access-list abc line 1 extended permit ip any any (hitcnt=0) 0x88500c8e
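Added example, not from xiaocqu's reply and not Cisco's tooling: a small Python helper that parses two `show access-list` captures and reports which ACEs' hitcnt moved between them, so step 3 above becomes a diff rather than reading counters by eye. The ASA prints an object-based ACE twice, the `line N` parent and its expanded form, so the helper keys on the full ACE text and then collapses the result by line number. The two snapshots embedded below are constructed in that shape with made-up counters and hashes; in the second one ACE has been hit by the traffic triggered at site B.

```python
import re

# Constructed sample: two `show access-list ipsecvpn` captures in the shape the ASA prints
# (a "line N" parent ACE followed by its expanded form, each with a hitcnt and a hash).
# Counters and hashes are made up; between the captures traffic was triggered at site B.
BEFORE = """\
access-list ipsecvpn; 2 elements; name hash: 0x275fa452
access-list ipsecvpn line 1 extended permit ip object management object remote (hitcnt=0) 0x88500c8e
  access-list ipsecvpn line 1 extended permit ip 10.145.3.128 255.255.255.128 10.132.0.0 255.255.240.0 (hitcnt=0) 0x88500c8e
access-list ipsecvpn line 2 extended permit ip object wire object remote (hitcnt=17) 0x1d3a9b02
  access-list ipsecvpn line 2 extended permit ip 10.145.0.0 255.255.255.0 10.132.0.0 255.255.240.0 (hitcnt=17) 0x1d3a9b02
"""
AFTER = """\
access-list ipsecvpn; 2 elements; name hash: 0x275fa452
access-list ipsecvpn line 1 extended permit ip object management object remote (hitcnt=0) 0x88500c8e
  access-list ipsecvpn line 1 extended permit ip 10.145.3.128 255.255.255.128 10.132.0.0 255.255.240.0 (hitcnt=0) 0x88500c8e
access-list ipsecvpn line 2 extended permit ip object wire object remote (hitcnt=21) 0x1d3a9b02
  access-list ipsecvpn line 2 extended permit ip 10.145.0.0 255.255.255.0 10.132.0.0 255.255.240.0 (hitcnt=21) 0x1d3a9b02
"""

# Group 1 is the ACE text without its hitcnt/hash suffix; the header line has no "line N".
ACE_RE = re.compile(r"^(access-list (\S+) line (\d+) .+?) \(hitcnt=(\d+)\)")


def parse_hitcounts(show_output):
    """Map each printed ACE to (acl name, line number, hitcnt)."""
    counts = {}
    for raw in show_output.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            counts[m.group(1)] = (m.group(2), int(m.group(3)), int(m.group(4)))
    return counts


def hit_delta(before, after):
    """{ACE text: (acl, line, increase)} for every ACE whose hitcnt grew between
    the two captures. An ACE absent from the first capture counts from zero."""
    b, a = parse_hitcounts(before), parse_hitcounts(after)
    delta = {}
    for ace, (acl, line, cnt) in a.items():
        prev = b[ace][2] if ace in b else 0
        if cnt > prev:
            delta[ace] = (acl, line, cnt - prev)
    return delta


def lines_hit(before, after, acl):
    """Sorted line numbers in `acl` whose counters moved: the ACEs the test traffic matched."""
    return sorted({line for a, line, _ in hit_delta(before, after).values() if a == acl})
```

`lines_hit(BEFORE, AFTER, "ipsecvpn")` returns `[2]`, so the traffic matched the `wire` to `remote` entry and nothing else; an empty list after a ping from site B means the crypto ACL never saw the packets, which points at routing or NAT ahead of the crypto map rather than at the peer. Capture both snapshots on the same unit and within one test window, or a rekey or an unrelated host can move the counters on its own.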