10-02-2015 08:42 AM - edited 03-11-2019 11:41 PM
Good evening, everyone,
I am building a lab with the goal of creating a "Tunnel" from one ASA to another ASA, and in the middle of the lab I ran into the following problem:
I configured the same ACL on both ASA 842-2 and 842-3:
<access-list PERMIT_ANY extended permit ip any any>
I applied the same ACL in the access-group:
<access-group PERMIT_ANY global>.
I configured NAT on both ASAs:
<object network PAT nat (INT_LAN,INT_R1) dynamic interface>.
But I run into the following issue: the LAN behind ASA842-2 pings the WAN and the other ASA normally, whereas the LAN behind ASA842-3 only pings its own ASA, and ASA842-3 itself pings the WAN and the other ASA.
I would like to point out that the ACL on ASA842-3 is not getting any matches, and neither is the NAT.
NOTE: Having done the appropriate troubleshooting (TT), I believe the problem is on ASA842-3; somehow it is not letting the LAN communicate with the WAN.
NOTE: I am leaving the <show run> of both ASAs below; right after fixing this problem, I will try to bring up the Tunnel between the ASAs, which is the final goal.
Thank you very much, I appreciate everyone's help.
>sh run of ASA842-2
ASA2(config)# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ASA2
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif INT_LAN
 security-level 0
 ip address 10.168.0.1 255.255.255.0
!
interface GigabitEthernet1
 nameif INT_R1
 security-level 100
 ip address 56.60.33.1 255.255.255.252
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network net-local
 subnet 10.168.0.0 255.255.255.0
object network net-remote
 subnet 192.10.0.0 255.255.255.0
object network net-R1
object network PAT
 subnet 10.168.0.0 255.255.255.0
object-group network PING
 network-object 10.168.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.168.0.0 255.255.255.0 192.10.0.0 255.255.255.0
access-list PERMIT_ANY extended permit ip any any
pager lines 24
mtu INT_LAN 1500
mtu INT_R1 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (INT_LAN,INT_R1) source static net-local net-local destination static net-remote net-remote
!
object network PAT
 nat (INT_LAN,INT_R1) dynamic interface
access-group PERMIT_ANY global
route INT_R1 0.0.0.0 0.0.0.0 56.60.33.2 1
route INT_R1 56.12.100.0 255.255.255.252 56.60.33.2 1
route INT_R1 56.12.100.0 255.255.255.252 56.12.100.2 1
route INT_R1 192.10.0.0 255.255.255.0 192.10.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 56.12.100.1
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map interface INT_R1
crypto ikev1 enable INT_R1
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 8.8.8.8
dhcpd domain ASA2.net
!
dhcpd address 10.168.0.2-10.168.0.2 INT_LAN
dhcpd enable INT_LAN
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 56.12.100.1 type ipsec-l2l
tunnel-group 56.12.100.1 ipsec-attributes
 ikev1 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:0a2115f5b2e581e73e3cc906c13a7789
: end
*********************
>sh run of ASA842-3
ASA3(config)# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ASA3
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif INT_LAN
 security-level 0
 ip address 192.10.0.1 255.255.255.0
!
interface GigabitEthernet1
 nameif INT_R1
 security-level 0
 ip address 56.12.100.1 255.255.255.252
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network net-local
 subnet 192.10.0.0 255.255.255.0
object network net-remote
 subnet 10.168.0.0 255.255.255.0
object network PAT
 subnet 192.10.0.0 255.255.255.0
object-group network PING
 network-object 192.10.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.10.0.0 255.255.255.0 10.168.0.0 255.255.255.0
access-list PERMIT_ANY extended permit ip any any
pager lines 24
mtu INT_LAN 1500
mtu INT_R1 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (INT_LAN,INT_R1) source static net-local net-local destination static net-remote net-remote
!
object network PAT
 nat (INT_LAN,INT_R1) dynamic interface
access-group PERMIT_ANY global
route INT_R1 0.0.0.0 0.0.0.0 56.12.100.2 1
route INT_R1 10.168.0.0 255.255.255.0 10.168.0.1 1
route INT_R1 56.60.33.0 255.255.255.0 56.12.100.2 1
route INT_R1 56.60.33.0 255.255.255.0 56.60.33.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 56.60.33.1
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map interface INT_R1
crypto ikev1 enable INT_R1
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 8.8.8.8
dhcpd domain ASA3.com
!
dhcpd address 192.10.0.2-192.10.0.5 INT_LAN
dhcpd enable INT_LAN
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 56.60.33.1 type ipsec-l2l
tunnel-group 56.60.33.1 ipsec-attributes
 ikev1 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:c19589fef992cc85bb080ee287aadbbe
: end
Regards,
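As an added example, not part of the original post, here is a small Python audit run over a constructed excerpt copied from the ASA842-3 show run above. It flags three config traits a reviewer would check first on an ASA whose LAN traffic never reaches the ACL or NAT: two named interfaces at the same security level without `same-security-traffic permit inter-interface` (the ASA denies traffic between equal-level interfaces by default), a static route whose next hop is not on the egress interface's subnet, and a global access-group bound to `permit ip any any`. The function names, check wording and the trimmed excerpt are my own assumptions; nothing here is the poster's or Cisco's code.

```python
import ipaddress
import re
from itertools import combinations
# Constructed excerpt modelled on the ASA842-3 "show run" posted above, not the full config.
ASA3_CFG = """\
interface GigabitEthernet0
 nameif INT_LAN
 security-level 0
 ip address 192.10.0.1 255.255.255.0
interface GigabitEthernet1
 nameif INT_R1
 security-level 0
 ip address 56.12.100.1 255.255.255.252
access-list PERMIT_ANY extended permit ip any any
access-group PERMIT_ANY global
route INT_R1 0.0.0.0 0.0.0.0 56.12.100.2 1
route INT_R1 10.168.0.0 255.255.255.0 10.168.0.1 1
"""
def parse_interfaces(cfg):
    # nameif -> (security-level, IPv4Interface) for every interface that has all three set
    ifaces, cur = {}, {}
    for line in cfg.splitlines():
        w = line.split()
        if line.startswith("interface "):
            cur = {}
        elif w[:1] == ["nameif"]:
            cur["name"] = w[1]
        elif w[:1] == ["security-level"]:
            cur["level"] = int(w[1])
        elif w[:2] == ["ip", "address"]:
            cur["addr"] = ipaddress.IPv4Interface(f"{w[2]}/{w[3]}")
        if {"name", "level", "addr"} <= set(cur):
            ifaces[cur["name"]] = (cur["level"], cur["addr"])
    return ifaces
def audit(cfg):
    ifaces, out = parse_interfaces(cfg), []
    # Equal security levels: the ASA drops traffic between the two interfaces unless permitted.
    if "same-security-traffic permit inter-interface" not in cfg:
        for a, b in combinations(sorted(ifaces), 2):
            if ifaces[a][0] == ifaces[b][0]:
                out.append(f"same-security-level pair {a}<->{b} without inter-interface permit")
    # Static route whose next hop does not sit on the egress interface's own subnet.
    for egress, dst, mask, nh in re.findall(r"^route (\S+) (\S+) (\S+) (\S+)", cfg, re.M):
        if egress in ifaces and ipaddress.IPv4Address(nh) not in ifaces[egress][1].network:
            out.append(f"route {dst} {mask}: next hop {nh} is not on the {egress} subnet")
    # A global access-group bound to 'permit ip any any' filters nothing on any interface.
    m = re.search(r"^access-group (\S+) global", cfg, re.M)
    if m and re.search(rf"^access-list {re.escape(m.group(1))} extended permit ip any any", cfg, re.M):
        out.append(f"global ACL {m.group(1)} permits ip any any")
    return out
```

Running `audit(ASA3_CFG)` reports all three traits for the excerpt; appending `same-security-traffic permit inter-interface` to the config clears the first one.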