Problems with ACLs on an IPsec L2L VPN

danielmanqui
Level 1

Hello, good afternoon everyone. First of all, congratulations on this excellent community!

Here is the problem I am facing: I am configuring an IPsec L2L VPN. The tunnel is established successfully and I have traffic through it (ICMP, RDP, HTTPS). The problem is that I am passing two networks through the tunnel: one segment corresponds to the LAN networks (LAN(local) - LAN(remote)) and the second segment is the DMZs (DMZ(local) - DMZ(remote)). Traffic between networks of the same type, LAN to LAN and DMZ to DMZ, works without problems, but traffic going from the local LAN networks to the remote DMZs "is not going through the tunnel". I created both the ACLs and the NAT from the INSIDE and DMZ interfaces, but I still cannot get this traffic through the IPsec tunnel. I am sending my configuration in case someone can review it and give me a hand with it; I would really appreciate it:


Local LAN          Remote LAN
20.10.2.0/24 ---> 30.10.2.0/24 = data traffic works without problems

Local DMZ          Remote DMZ
20.10.1.0/24 ---> 30.10.1.0/24 = data traffic works without problems

Local LAN          Remote DMZ
20.10.2.0/24 ---> 30.10.1.0/24 = NO DATA TRAFFIC (NO PING)


LOCAL ASA:

object-group network VPN-DMZ-LOCAL
network-object host 20.10.1.1
network-object host 20.10.1.2
network-object host 20.10.1.3
object-group network VPN-DMZ-REMOTA
network-object host 30.10.1.1
network-object host 30.10.1.2
network-object host 30.10.1.3
object-group network NAT-VPN-REDES-REMOTA
group-object VPN-LAN-REMOTA
group-object VPN-DMZ-REMOTA

object network RED-LAN
subnet 20.10.2.0 255.255.255.0
object network RED-DMZ
subnet 20.10.1.0 255.255.255.0

object network SERVER-I
range 20.10.1.1 20.10.1.3

access-list DMZ-ACCESS-IN remark ACCESO ICMP
access-list DMZ-ACCESS-IN extended permit icmp object SERVER-I any
access-list DMZ-ACCESS-IN extended permit icmp object SERVER-I any echo
access-list DMZ-ACCESS-IN extended permit icmp object SERVER-I any echo-reply
access-list INSIDE-ACCESS-IN remark ACCESO ICMP
access-list INSIDE-ACCESS-IN extended permit icmp object RED-LAN any
access-list INSIDE-ACCESS-IN extended permit icmp object RED-LAN any echo
access-list INSIDE-ACCESS-IN extended permit icmp object RED-LAN any echo-reply
access-list INSIDE-ACCESS-IN extended permit ip object RED-LAN any
access-list VPN-IPSEC-1 remark /-/--- VPN SITE REMOTO ---/-/
access-list VPN-IPSEC-1 remark PERMIT ICMP RED-LAN-LOCAL - RED-LAN-REMOTA
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-LAN-LOCAL object-group VPN-LAN-REMOTA
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-LAN-LOCAL object-group VPN-LAN-REMOTA echo
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-LAN-LOCAL object-group VPN-LAN-REMOTA echo-reply
access-list VPN-IPSEC-1 remark PERMIT ICMP RED-LAN-LOCAL - RED-DMZ-REMOTA
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-LAN-LOCAL object-group VPN-DMZ-REMOTA
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-LAN-LOCAL object-group VPN-DMZ-REMOTA echo
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-LAN-LOCAL object-group VPN-DMZ-REMOTA echo-reply
access-list VPN-IPSEC-1 remark PERMIT ICMP RED-DMZ-LOCAL - RED-DMZ-REMOTA
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-DMZ-LOCAL object-group VPN-DMZ-REMOTA
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-DMZ-LOCAL object-group VPN-DMZ-REMOTA echo
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-DMZ-LOCAL object-group VPN-DMZ-REMOTA echo-reply
access-list VPN-IPSEC-1 remark RESPUESTA ICMP RED-DMZ-LOCAL - RED-LAN-REMOTA
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-DMZ-LOCAL object-group VPN-LAN-REMOTA echo
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-DMZ-LOCAL object-group VPN-LAN-REMOTA echo-reply

nat (INSIDE,OUTSIDE) source static VPN-LAN-LOCAL VPN-LAN-LOCAL destination static NAT-VPN-REDES-REMOTA NAT-VPN-REDES-REMOTA no-proxy-arp route-lookup
nat (DMZ,OUTSIDE) source static VPN-DMZ-LOCAL VPN-DMZ-LOCAL destination static NAT-VPN-REDES-REMOTA NAT-VPN-REDES-REMOTA no-proxy-arp route-lookup


REMOTE ASA:

object-group network VPN-DMZ-LOCAL
network-object host 30.10.1.1
network-object host 30.10.1.2
network-object host 30.10.1.3
object-group network VPN-DMZ-REMOTA
network-object host 20.10.1.1
network-object host 20.10.1.2
network-object host 20.10.1.3
object-group network NAT-VPN-REDES-REMOTA
group-object VPN-LAN-REMOTA
group-object VPN-DMZ-REMOTA

object network RED-LAN
subnet 30.10.2.0 255.255.255.0
object network RED-DMZ
subnet 30.10.1.0 255.255.255.0

access-list DMZ-ACCESS-IN remark ACCESO ICMP INTERNO
access-list DMZ-ACCESS-IN extended permit icmp object RED-DMZ object RED-LAN
access-list DMZ-ACCESS-IN extended permit icmp object RED-DMZ object RED-LAN echo
access-list DMZ-ACCESS-IN remark ACCESO ICMP DMZ EXTERNA
access-list DMZ-ACCESS-IN extended permit icmp object RED-DMZ object-group VPN-DMZ-REMOTA
access-list DMZ-ACCESS-IN extended permit icmp object RED-DMZ object-group VPN-DMZ-REMOTA echo
access-list DMZ-ACCESS-IN extended permit icmp object RED-DMZ object-group VPN-DMZ-REMOTA echo-reply
access-list DMZ-ACCESS-IN remark RESPUESTA ICMP LAN EXTERNA
access-list DMZ-ACCESS-IN extended permit icmp object RED-DMZ object-group VPN-LAN-REMOTA echo
access-list DMZ-ACCESS-IN extended permit icmp object RED-DMZ object-group VPN-LAN-REMOTA echo-reply
access-list INSIDE-ACCESS-IN remark ACCESO ICMP
access-list INSIDE-ACCESS-IN extended permit icmp object RED-LAN any
access-list INSIDE-ACCESS-IN extended permit icmp object RED-LAN any echo
access-list INSIDE-ACCESS-IN extended permit icmp object RED-LAN any echo-reply
access-list VPN-IPSEC-1 remark /-/--- VPN SITE REMOTO ---/-/
access-list VPN-IPSEC-1 remark PERMIT ICMP RED-LAN-LOCAL - RED-LAN-REMOTA
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-LAN-LOCAL object-group VPN-LAN-REMOTA
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-LAN-LOCAL object-group VPN-LAN-REMOTA echo
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-LAN-LOCAL object-group VPN-LAN-REMOTA echo-reply
access-list VPN-IPSEC-1 remark PERMIT ICMP RED-LAN-LOCAL - RED-DMZ-REMOTA
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-LAN-LOCAL object-group VPN-DMZ-REMOTA
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-LAN-LOCAL object-group VPN-DMZ-REMOTA echo
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-LAN-LOCAL object-group VPN-DMZ-REMOTA echo-reply
access-list VPN-IPSEC-1 remark PERMIT ICMP RED-DMZ-LOCAL - RED-DMZ-REMOTA
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-DMZ-LOCAL object-group VPN-DMZ-REMOTA
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-DMZ-LOCAL object-group VPN-DMZ-REMOTA echo
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-DMZ-LOCAL object-group VPN-DMZ-REMOTA echo-reply
access-list VPN-IPSEC-1 remark RESPUESTA ICMP RED-DMZ-LOCAL - RED-LAN-REMOTA
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-DMZ-LOCAL object-group VPN-LAN-REMOTA echo
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-DMZ-LOCAL object-group VPN-LAN-REMOTA echo-reply

nat (INSIDE,OUTSIDE) source static VPN-LAN-LOCAL VPN-LAN-LOCAL destination static NAT-VPN-REDES-REMOTA NAT-VPN-REDES-REMOTA no-proxy-arp route-lookup
nat (DMZ,OUTSIDE) source static VPN-DMZ-LOCAL VPN-DMZ-LOCAL destination static NAT-VPN-REDES-REMOTA NAT-VPN-REDES-REMOTA no-proxy-arp route-lookup


Regards!!

5 REPLIES

Hello

If LAN to LAN and DMZ to DMZ work, and LAN to DMZ does not, you need to create a static NAT with source LAN-LAN and destination DMZ DMZ.

Try doing it 1 to 1, without using the following group:


object-group network NAT-VPN-REDES-REMOTA
group-object VPN-LAN-REMOTA
group-object VPN-DMZ-REMOTA


Likewise, check the ACL on both sides.

Regards.




>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<

Hi Julio, I will try it and let you know. Thank you very much!!!

My pleasure, Daniel. I'll stay tuned.

Regards





Hi Julio, I made the changes but I still cannot get communication (ICMP) between the local LAN segment and the remote DMZ; LAN-LAN and DMZ-DMZ connectivity is maintained:


This is how the config ended up:


LOCAL ASA


access-list VPN-IPSEC-1 remark /-/--- VPN SITE REMOTO ---/-/
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-LAN-LOCAL object-group NAT-VPN-REDES-REMOTA
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-LAN-LOCAL object-group NAT-VPN-REDES-REMOTA echo
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-LAN-LOCAL object-group NAT-VPN-REDES-REMOTA echo-reply
access-list VPN-IPSEC-1 remark PERMIT ICMP RED-DMZ-LOCAL - RED-DMZ-REMOTA
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-DMZ-LOCAL object-group VPN-DMZ-REMOTA
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-DMZ-LOCAL object-group VPN-DMZ-REMOTA echo
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-DMZ-LOCAL object-group VPN-DMZ-REMOTA echo-reply
access-list split_tunnel-VPN_USER-INTERNO remark ACCESO DESDE TUNEL VPN ANYCONNECT INTERNO

access-list INSIDE-ACCESS-IN remark ACCESO ICMP
access-list INSIDE-ACCESS-IN extended permit icmp object RED-LAN any
access-list INSIDE-ACCESS-IN extended permit icmp object RED-LAN any echo
access-list INSIDE-ACCESS-IN extended permit icmp object RED-LAN any echo-reply

access-list DMZ-ACCESS-IN remark ACCESO ICMP
access-list DMZ-ACCESS-IN extended permit icmp object SERVER-I any
access-list DMZ-ACCESS-IN extended permit icmp object SERVER-I any echo
access-list DMZ-ACCESS-IN extended permit icmp object SERVER-I any echo-reply

nat (INSIDE,OUTSIDE) source static VPN-LAN-LOCAL VPN-LAN-LOCAL destination static VPN-LAN-REMOTA VPN-LAN-REMOTA no-proxy-arp route-lookup
nat (INSIDE,OUTSIDE) source static VPN-LAN-LOCAL VPN-LAN-LOCAL destination static VPN-DMZ-REMOTA VPN-DMZ-REMOTA no-proxy-arp route-lookup
nat (DMZ,OUTSIDE) source static VPN-DMZ-LOCAL VPN-DMZ-LOCAL destination static VPN-DMZ-REMOTA VPN-DMZ-REMOTA no-proxy-arp route-lookup


REMOTE ASA


access-list VPN-IPSEC-1 remark /-/--- VPN SITE REMOTO ---/-/
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-LAN-LOCAL object-group NAT-VPN-REDES-REMOTA
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-LAN-LOCAL object-group NAT-VPN-REDES-REMOTA echo
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-LAN-LOCAL object-group NAT-VPN-REDES-REMOTA echo-reply
access-list VPN-IPSEC-1 remark PERMIT ICMP RED-DMZ-LOCAL - RED-DMZ-REMOTA
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-DMZ-LOCAL object-group VPN-DMZ-REMOTA
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-DMZ-LOCAL object-group VPN-DMZ-REMOTA echo
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-DMZ-LOCAL object-group VPN-DMZ-REMOTA echo-reply

access-list DMZ-ACCESS-IN remark ACCESO ICMP INTERNO
access-list DMZ-ACCESS-IN extended permit icmp object RED-DMZ any
access-list DMZ-ACCESS-IN extended permit icmp object RED-DMZ any echo
access-list DMZ-ACCESS-IN extended permit icmp object RED-DMZ any echo-reply
access-list INSIDE-ACCESS-IN remark ACCESO ICMP
access-list INSIDE-ACCESS-IN extended permit icmp object RED-LAN any
access-list INSIDE-ACCESS-IN extended permit icmp object RED-LAN any echo
access-list INSIDE-ACCESS-IN extended permit icmp object RED-LAN any echo-reply

nat (INSIDE,OUTSIDE) source static VPN-LAN-LOCAL VPN-LAN-LOCAL destination static VPN-LAN-REMOTA VPN-LAN-REMOTA no-proxy-arp route-lookup
nat (INSIDE,OUTSIDE) source static VPN-LAN-LOCAL VPN-LAN-LOCAL destination static VPN-DMZ-REMOTA VPN-DMZ-REMOTA no-proxy-arp route-lookup
nat (DMZ,OUTSIDE) source static VPN-DMZ-LOCAL VPN-DMZ-LOCAL destination static VPN-DMZ-REMOTA VPN-DMZ-REMOTA no-proxy-arp route-lookup


Regards!
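
A crypto ACL on an ASA L2L tunnel must be the mirror image of the peer's: every (src, dst) pair one side selects for the tunnel must appear as (dst, src) on the other, otherwise the return traffic for that pair is never matched into the SA. The checker below is an added example, not code from the thread; it resolves the object-groups, expands each VPN-IPSEC-1 entry into individual source/destination pairs, and reports pairs with no mirror on the peer. It runs on a constructed miniature of the second config posted above (one DMZ host per side); the VPN-LAN-LOCAL and VPN-LAN-REMOTA groups are not in the post, so their subnets are assumed from the table in the first message.

```python
from collections import defaultdict

def parse_crypto_acl(cfg, acl_name="VPN-IPSEC-1"):
    """Resolve object-groups and expand the crypto ACL into (proto, src, dst) flows."""
    groups, cur, entries = defaultdict(set), None, []
    for t in (l.split() for l in cfg.splitlines() if l.strip()):
        if t[0] == "object-group":
            cur = t[2]
        elif t[0] == "network-object":
            groups[cur].add(t[2] if t[1] == "host" else f"{t[1]}/{t[2]}")
        elif t[0] == "group-object":
            groups[cur].add("@" + t[1])           # nested group, resolved in expand()
        elif t[:3] == ["access-list", acl_name, "extended"]:
            entries.append((t[4], t[6], t[8]))    # permit PROTO object-group S object-group D
    def expand(name):  # a group missing from the paste becomes "?NAME" so the gap stays visible
        out = set()
        for m in groups.get(name, {"?" + name}):
            out |= expand(m[1:]) if m.startswith("@") else {m}
        return out
    return {(p, s, d) for p, sg, dg in entries for s in expand(sg) for d in expand(dg)}

def missing_mirrors(side_a, side_b):
    """Flows A selects for the tunnel whose dst->src mirror is absent from B's crypto ACL."""
    return sorted(f for f in side_a if (f[0], f[2], f[1]) not in side_b)

# Constructed miniature of the second config in the thread (one DMZ host per side).
# The VPN-LAN-* groups are not in the post; their subnets are assumed from the OP's table.
LOCAL_ASA = """
object-group network VPN-LAN-LOCAL
network-object 20.10.2.0 255.255.255.0
object-group network VPN-LAN-REMOTA
network-object 30.10.2.0 255.255.255.0
object-group network VPN-DMZ-LOCAL
network-object host 20.10.1.1
object-group network VPN-DMZ-REMOTA
network-object host 30.10.1.1
object-group network NAT-VPN-REDES-REMOTA
group-object VPN-LAN-REMOTA
group-object VPN-DMZ-REMOTA
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-LAN-LOCAL object-group NAT-VPN-REDES-REMOTA
access-list VPN-IPSEC-1 extended permit icmp object-group VPN-DMZ-LOCAL object-group VPN-DMZ-REMOTA
"""
# The remote ASA in the thread is the same config with the 20.10.x and 30.10.x roles swapped.
REMOTE_ASA = LOCAL_ASA.replace("20.10.", "T.").replace("30.10.", "20.10.").replace("T.", "30.10.")

if __name__ == "__main__":
    local, remote = parse_crypto_acl(LOCAL_ASA), parse_crypto_acl(REMOTE_ASA)
    print("no mirror on remote for:", missing_mirrors(local, remote))
    print("no mirror on local for:", missing_mirrors(remote, local))
```

On this input the local side selects 20.10.2.0/24 -> 30.10.1.1 (LAN to remote DMZ) but the remote crypto ACL has no 30.10.1.1 -> 20.10.2.0/24 entry, which is exactly the LAN-to-DMZ pair that stopped working once the RESPUESTA ICMP RED-DMZ-LOCAL - RED-LAN-REMOTA lines were dropped.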


Hello,

I will review your configuration.


Regards



