Views: 1925 | Helpful: 10 | Replies: 5

traceroute gets no response


----------------------------------------------

###### ASA 1 ##########

ASA Version 9.1(6)
!
hostname cisco

dns-guard
!
interface GigabitEthernet0/0
nameif outside0
security-level 0
ip address 1.1.1.4 255.255.255.248
!
interface GigabitEthernet0/3
nameif inside3
security-level 100
ip address 192.168.17.254 255.255.255.0
!
no ftp mode passive
clock timezone CST 8
dns domain-lookup outside0
dns server-group DefaultDNS
name-server 114.114.114.114
same-security-traffic permit inter-interface
object network peer_local
subnet 192.168.17.0 255.255.255.0
object network network_local
subnet 192.168.17.0 255.255.255.0
object network peer_shanghai
subnet 192.168.16.0 255.255.255.0

object-group network peer_pool
network-object object peer_shanghai

object-group network DNS_CTCC
network-object host 114.114.114.114
network-object host 114.114.114.114

object-group service service_web tcp
port-object eq www
port-object eq https

object-group network network_webhost
network-object host 192.168.17.33
network-object host 192.168.17.34

access-list outbound extended permit ip object peer_local object-group peer_pool
access-list outbound extended permit udp object network_local object-group DNS_CTCC eq domain
access-list outbound extended permit tcp object-group network_webhost any object-group service_web
access-list outside_cryptomap_4 extended permit ip object peer_local object peer_shanghai

pager lines 24
logging asdm informational
mtu outside0 1500
mtu inside3 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7161.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside3,any) source static peer_local peer_local destination static peer_pool peer_pool no-proxy-arp route-lookup
!
object network network_local
nat (inside3,outside0) dynamic interface
access-group inbound in interface outside0
access-group outbound out interface outside0
route outside0 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite

crypto map outside_cryptomap 4 match address outside_cryptomap_5
crypto map outside_cryptomap 4 set peer 2.2.2.2
crypto map outside_cryptomap 4 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_cryptomap interface outside0
crypto ca trustpool policy
crypto ikev1 enable outside0
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
no ssh stricthostkeycheck

console timeout 0
management-access inside3
dhcpd address 192.168.17.140-192.168.17.199 inside3
dhcpd dns 192.168.17.1 interface inside3
dhcpd wins 192.168.17.1 interface inside3
dhcpd domain test.com interface inside3
dhcpd option 3 ip 192.168.17.254 interface inside3
dhcpd enable inside3
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server ntp source outside0 prefer


tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
password encryption aes
: end

-------------------------------------------------

############ ASA 2 #################

ASA Version 9.1(7)32
!
hostname cisco
names
dns-guard
ip local pool homeoffice 10.0.253.10-10.0.253.200 mask 255.255.255.0
!
interface GigabitEthernet0/0
nameif outside0
security-level 0
ip address 2.2.2.2 255.255.255.252
!
!
interface GigabitEthernet0/3
nameif inside3
security-level 100
ip address 192.168.16.254 255.255.255.0
!
ftp mode passive
clock timezone CST 8
dns domain-lookup outside0
dns server-group DefaultDNS
name-server 114.114.114.114
same-security-traffic permit inter-interface
object network network_local
subnet 192.168.16.0 255.255.255.0
object network peer_local
subnet 192.168.16.0 255.255.255.0
object network peer_Hangzhou
subnet 192.168.17.0 255.255.255.0

object-group network peer_pool
network-object object peer_Hangzhou

object-group service service_web
service-object tcp destination eq www
service-object tcp destination eq https
object-group network DNS_CTCC
network-object host 114.114.114.114
network-object host 114.114.114.114

object-group network host_local
network-object host 192.168.16.20
access-list outside_cryptomap_4 extended permit ip object peer_local object peer_Hangzhou
access-list outbound extended permit udp object network_local object-group DNS_CTCC eq domain
access-list outbound extended permit ip object peer_local object-group peer_pool
access-list outbound extended permit ip object-group host_local any4
pager lines 24
logging enable
logging asdm informational
mtu outside0 1500
mtu inside3 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7122.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside3,any) source static peer_local peer_local destination static peer_pool peer_pool no-proxy-arp route-lookup
!
object network network_local
nat (inside3,outside0) dynamic interface
nat (inside3,outside0) after-auto source dynamic network_local interface
access-group inbound in interface outside0
access-group outbound out interface outside0
route outside0 0.0.0.0 0.0.0.0 2.2.2.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL

no snmp-server location
no snmp-server contact
no snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite

crypto map outside_cryptomap 4 match address outside_cryptomap_4
crypto map outside_cryptomap 4 set peer 1.1.1.4
crypto map outside_cryptomap 4 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_cryptomap interface outside0
crypto ca trustpool policy
crypto ikev1 enable outside0
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5

console timeout 0
management-access inside3
dhcpd address 192.168.16.90-192.168.16.220 inside3
dhcpd dns 114.114.114.114 interface inside3
dhcpd domain test.com interface inside3
dhcpd option 6 ip 114.114.114.114 interface inside3
dhcpd option 3 ip 192.168.16.254 interface inside3
dhcpd enable inside3
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 114.118.7.161 source outside0 prefer
webvpn
anyconnect-essentials
cache
disable

tunnel-group 1.1.1.4 type ipsec-l2l
tunnel-group 1.1.1.4 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
password encryption aes
: end

-------------------END-----------

Running traceroute qq.com on the ASA 1 device returns results, but running traceroute qq.com on the ASA 2 device returns nothing, all asterisks. Why is that? Is something misconfigured?

Then, running traceroute qq.com from PCs behind the inside interfaces of ASA1 and ASA2 returns nothing on either. Why is that? What is wrong? Please advise.

1 accepted solution

Accepted solution

ilay (VIP)

The device's own outbound traceroute is not restricted; if traceroute from ASA2 gets no response, some other device on the outside is probably intercepting the packets.

For traceroute from an inside host to outside devices, you can write an ACL permit icmp any any and apply it to the outside interface. If you need to restrict it strictly, permit only the three types echo-reply, time-exceeded, and unreachable.

Reference: https://community.cisco.com/t5/network-security/allow-traceroute-through-asa/td-p/2201465

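To make the accepted answer's "strict" variant concrete, here is an added example (not from the thread, and not Cisco's or the poster's configuration): an ASA fragment that permits only the three ICMP reply types an inside host's traceroute depends on, applied in the in direction on outside0. The interface name outside0 and the ACL name inbound are taken from the poster's own config; the ICMP inspection lines are an assumption based on standard ASA features that the thread only alludes to (the note that ASA2 has inspect icmp while ASA1 does not), not something the answer states.

```cisco
! Added example, not from the thread. Restrict the inbound ICMP permit to the
! three reply types a traceroute from an inside host needs:
!   echo-reply     (type 0)  -> replies to ICMP-based traceroute probes
!   time-exceeded  (type 11) -> sent by each intermediate hop when TTL reaches 0
!   unreachable    (type 3)  -> port-unreachable from the final hop (UDP traceroute)
! Everything else that is not part of an existing connection is still denied
! by the implicit deny at the end of the ACL.
access-list inbound extended permit icmp any any echo-reply
access-list inbound extended permit icmp any any time-exceeded
access-list inbound extended permit icmp any any unreachable
!
! Apply the ACL in the "in" direction on the outside interface only; no
! "out" ACL on outside0 (the poster's config applies one with access-group
! outbound out interface outside0).
access-group inbound in interface outside0
!
! Assumption (standard ASA feature, not stated in the thread): with ICMP
! inspection enabled the ASA tracks echo/echo-reply as a connection, and with
! "inspect icmp error" it also rewrites the embedded header of ICMP error
! messages through NAT, so a time-exceeded from an intermediate hop can be
! matched back to the probe sent from the PAT address.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
```

To check the result without a live trace, packet-tracer can simulate an inbound time-exceeded (type 11, code 0) from a hop towards the outside interface's PAT address, for example `packet-tracer input outside0 icmp <hop-ip> 11 0 2.2.2.2` with `<hop-ip>` replaced by a real intermediate hop; `show access-list inbound` then shows which of the three entries is gaining hit counts. If packet-tracer reports the packet as allowed on the ASA but the PC still sees only asterisks, the drop is happening upstream, which is what the accepted answer suggests for ASA2.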

5 replies

Is there any business impact? Seeing * when going through a firewall seems normal to me.

Also, the obvious difference in the configs is that ASA1 does not inspect icmp while ASA2 does; you could consider whether difference 1 is related to this.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !

ASA1, which has no icmp inspection, can actually traceroute to the internet, while ASA2, which has icmp inspection, cannot. There is no business impact, but my VPN goes abroad and I need to trace the routing path; if the path is bad I can ask the carrier to adjust it. So I want to find out exactly what is wrong.


I have already written the following:

access-list outbound extended permit icmp any any
access-list outbound extended permit udp any any

access-list inbound extended permit icmp any any
access-list inbound extended permit udp any any

access-group inbound in interface outside0
access-group outbound out interface outside0

Still unable to traceroute to the outside. I have already asked the provider; they do not restrict ports or services like icmp.

Also, I can ping external sites, e.g. ping www.qq.com works, but traceroute www.qq.com returns all asterisks.

Don't apply an ACL in the out direction; the in direction alone is enough.