
Packet routing problem after upgrade: wrong egress next hop due to a VPN route?

Network Engineering user
Asked on 2018-05-04 12:32:09
1 answer, 771 views, 0 followers, score 1

We just replaced an ASA5510 with a new ASA5516x. Everything works fine except for traffic between our network and the customer's site-to-site VPN tunnel.

Old system: ASA5510, version 9.1(7)15. New system: ASA5516x, version 9.9(1).

Traffic from our network to the customer network through the tunnel is fine.

Traffic from the customer network that should flow outside the tunnel (its destination is a public web server on our network) does not work.

After doing packet captures on both sides of the ASA, before and after the upgrade show a difference:

Before the upgrade (working case), this is partial output of a trace capture. It is the first packet coming into the ASA from outside, leaving on inside, the web server's response entering the ASA, and then going back out to outside. It heads toward our ISP's router (209.xx.142.25).

1: 09:26:13.592605       129.xxx.235.132.53828 > 209.xxx.142.28.443: S 3332805073:3332805073(0) win 8192 <mss 1380,nop,wscale 2,nop,nop,sackOK> 
2: 09:26:13.592986       129.xxx.235.132.53828 > 192.168.2.28.443: S 3832318623:3832318623(0) win 8192 <mss 1300,nop,wscale 2,nop,nop,sackOK> 
..
5: 09:26:13.593429       192.168.2.28.443 > 129.xxx.235.132.53828: S 3052302764:3052302764(0) ack 3832318624 win 14600 <mss 1460,nop,nop,sackOK,nop,wscale 7> 


Phase: 4
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 209.xxx.142.25 using egress ifc outside
adjacency Active
next-hop mac address 68ef.bd4e.7eff hits 1012402

6: 09:26:13.593505       209.xxx.142.28.443 > 129.xxx.235.132.53828: S 4066137499:4066137499(0) ack 3332805074 win 14600 <mss 1300,nop,nop,sackOK,nop,wscale 7> 

In Phase 4 you can see that the next hop of the egress packet is 209.xx.142.25 (our ISP gateway).

Here is the same capture after the upgrade.

1: 14:52:12.701349       129.xxx.235.132.61129 > 209.xxx.142.28.443: S 775761873:775761873(0) win 8192 <mss 1380,nop,wscale 2,nop,nop,sackOK> 
2: 14:52:12.701639       129.xxx.235.132.61129 > 192.168.2.28.443: S 776220941:776220941(0) win 8192 <mss 1300,nop,wscale 2,nop,nop,sackOK> 
3: 14:52:12.701791       192.168.2.28.443 > 129.xxx.235.132.61129: S 533424725:533424725(0) ack 776220942 win 14600 <mss 1460,nop,nop,sackOK,nop,wscale 7> 

Phase: 4
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 129.xxx.235.132 using egress ifc  outside

In this case the next hop is determined to be 129.xx.235.132 (the final destination rather than the ISP's router). This is the heart of the problem.

This led us to check the output of "show route" on the ASA for routes related to this destination:

Before (working):

Gateway of last resort is 209.xxx.142.25 to network 0.0.0.0

S    129.xxx.235.132 255.255.255.255 [1/0] via 209.xxx.142.25, outside

After (failing):

Gateway of last resort is 209.xxx.142.25 to network 0.0.0.0

V        129.xx.235.132 255.255.255.255 
           connected by VPN (advertised), outside

Obviously something changed between ASA versions 9.1 and 9.9 in how VPN traffic routing is handled. How do I adjust my configuration to accommodate this?

Sanitized config:

ASA Version 9.1(7)15 
!
terminal width 180
hostname 5516xa
domain-name our.company.com
enable password ***** encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd ***** encrypted
names
ip local pool vpnpool1 192.168.2.51-192.168.2.90 mask 255.255.255.0
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.2.98 255.255.255.0 
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 nameif outside
 security-level 0
 ip address 209.xxx.142.26 255.255.255.248 
!
interface Ethernet0/3
 description LAN/STATE Failover Interface
!
interface Management0/0
 management-only
 nameif management
 security-level 0
 ip address 192.168.6.6 255.255.255.0 standby 192.168.6.7 
!
boot system disk0:/asa917-15-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name our.company.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network ourcompany-inside-isp
 subnet 192.168.2.0 255.255.255.0
object service ssh
 service tcp source eq ssh 
object network webschedule-server
 host 192.168.2.28
 description Web server.
object network webschedule-server-outside
 host 209.xxx.142.28
 description The public (outside) address of the web schedule server.
object service http
 service tcp source eq www 
object service https
 service tcp source eq https 
object network falcon
 host 192.168.2.14
 description Falcon 
object network nat-ourcompany-at-customer
 host 192.168.5.2
 description our addresses as they appear at customer thru tunnel.
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network RA-DHCP-Pool
 range 192.168.2.51 192.168.2.90
 description RemoteAccess DHCP Pool
object network customerprd1
 host 129.xxx.235.135
 description Customer Server (prd1)
object network customerprd2
 host 129.xxx.235.134
 description Customer Server (prd2)
object network customertst
 host 129.xxx.235.132
 description Customer Server (tst)
object-group service traceroute udp
 description traceroute udp ports
 port-object range 33434 33534
object-group service allowed_outbound_services tcp
 port-object eq www
 port-object eq https
 port-object eq ssh
 port-object eq 465
 port-object eq 587
 port-object eq smtp
object-group network group-remote-customer
 network-object object customerprd1
 network-object object customerprd2
 network-object object customertst
object-group network group-inhouse-customer
 network-object object nat-ourcompany-at-customer
object-group network DHCP_VPN_Users
 description DHCP_VPN_Users
 network-object object RA-DHCP-Pool
 network-object object webschedule-server
 network-object object falcon

access-list group1_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0 
access-list group1_splitTunnelAcl standard permit host 129.xxx.235.132 
access-list group1_splitTunnelAcl standard permit host 129.xxx.235.134 
access-list group1_splitTunnelAcl standard permit host 129.xxx.235.135 

access-list inside_access_in extended permit udp 192.168.2.0 255.255.255.0 any4 eq domain 
access-list inside_access_in extended permit icmp any4 any4 
access-list inside_access_in extended permit udp any4 any4 object-group traceroute 
access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 any4 

access-list outside_210_cryptomap extended permit ip object nat-ourcompany-at-customer object-group group-remote-customer 

access-list outside_access_in extended permit icmp any4 any4 
access-list outside_access_in extended permit udp any4 any4 object-group traceroute 
access-list outside_access_in extended permit tcp any4 object webschedule-server-outside eq https inactive 
access-list outside_access_in extended permit tcp any4 object webschedule-server-outside eq www inactive 
access-list outside_access_in extended permit tcp any4 object webschedule-server eq www 
access-list outside_access_in extended permit tcp any4 object webschedule-server eq https 
access-list outside_access_in extended permit udp any4 192.168.2.0 255.255.255.0 eq ntp 

access-list RA-ACL extended permit ip any4 any4 

pager lines 50
mtu inside 1500
mtu outside 1500
mtu management 1500
failover
failover lan unit primary
failover lan interface failoverlink Ethernet0/3
failover replication http
failover link failoverlink Ethernet0/3
failover interface ip failoverlink 10.1.10.1 255.255.255.0 standby 10.1.10.2
no monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-762.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,any) source static any any destination static ourcompany-inside-isp ourcompany-inside-isp no-proxy-arp route-lookup
nat (inside,outside) source static webschedule-server webschedule-server-outside service http http
nat (inside,outside) source static webschedule-server interface service http http
nat (inside,outside) source static webschedule-server webschedule-server-outside service https https
nat (inside,outside) source static webschedule-server interface service https https
nat (inside,inside) source dynamic ourcompany-inside-isp nat-ourcompany-at-customer destination static group-remote-customer group-remote-customer
nat (inside,outside) source dynamic ourcompany-inside-isp nat-ourcompany-at-customer destination static group-remote-customer group-remote-customer
nat (outside,outside) source dynamic ourcompany-inside-isp nat-ourcompany-at-customer destination static group-remote-customer group-remote-customer
!
object network ourcompany-inside-isp
 nat (outside,outside) dynamic interface
object network obj_any
 nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 209.xxx.142.25 1 
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map ldapmap2
  map-name  memberOf Group-Policy
  map-value memberOf CN=FullVPN,CN=Users,DC=,DC=us,DC=com group2
dynamic-access-policy-record DfltAccessPolicy
aaa-server Radius protocol radius
aaa-server Radius (inside) host 192.168.2.9
 key *********************
aaa-server Radius (inside) host 10.0.1.128
 key *********************
user-identity default-domain LOCAL
aaa authentication ssh console Radius LOCAL
aaa authentication http console Radius LOCAL
aaa authentication serial console Radius LOCAL
http server enable 4443
http 192.168.4.0 255.255.255.0 management
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
no snmp-server enable
sysopt connection tcpmss 1300
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set strong esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set nah esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ts-memorial esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES256-SHA1_TRANS esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES256-SHA1_TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES128-SHA1_TRANS esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES128-SHA1_TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES256-SHA1 esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-AES256-SHA1_TRANS ESP-AES128-SHA1_TRANS ESP-AES256-SHA1
crypto dynamic-map outside_dyn_map 30 set pfs 
crypto map outside_map 210 match address outside_210_cryptomap
crypto map outside_map 210 set peer 129.xxx.230.17 
crypto map outside_map 210 set ikev1 transform-set strong
crypto map outside_map 210 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpool policy
crypto isakmp disconnect-notify
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000 
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800
crypto ikev1 policy 70
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
crypto ikev1 policy 100
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
telnet timeout 5
ssh scopy enable
ssh stricthostkeycheck
ssh 192.168.2.0 255.255.255.0 inside
ssh 192.168.0.0 255.255.0.0 management
ssh timeout 5
ssh version 2
ssh cipher encryption custom "aes128-ctr"
ssh cipher integrity custom "hmac-sha1"
ssh key-exchange group dh-group1-sha1
console timeout 5
management-access inside
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 1
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 216.239.35.4 source outside prefer
tftp-server inside 192.168.2.17 5516ax
ssl trust-point _wildcard inside
ssl trust-point _wildcard outside
webvpn
 port 4443
 enable outside
 dtls port 4443
 anyconnect image disk0:/anyconnect-win-4.3.02039-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-4.3.02039-k9.pkg 2
 anyconnect profiles Default disk0:/default.xml
 anyconnect enable
 port-forward test1 4001 10.23.10.109 4001 
 tunnel-group-list enable
 cache
  disable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy group2 internal
group-policy group2 attributes
 wins-server none
 dns-server value 192.168.2.17 192.168.2.14
 dhcp-network-scope 192.168.2.98
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter value RA-ACL
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client 
 password-storage disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value group1_splitTunnelAcl
 default-domain value our.company.com
 intercept-dhcp 255.255.255.255 enable
 webvpn
  html-content-filter none
  anyconnect keep-installer installed
  anyconnect ssl rekey time 30
  anyconnect ssl rekey method ssl
  anyconnect dpd-interval client none
  anyconnect dpd-interval gateway none
  anyconnect profiles value Default type user
  anyconnect ask none default anyconnect
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key **********
tunnel-group DefaultRAGroup general-attributes
 address-pool (inside) vpnpool1
 address-pool vpnpool1
 authentication-server-group Radius
 default-group-policy group2
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key ***********
 isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group Radius
 default-group-policy group2
 dhcp-server 192.168.2.98
tunnel-group group2 type remote-access
tunnel-group group2 general-attributes
 address-pool vpnpool1
 authentication-server-group Radius LOCAL
 default-group-policy group2
 password-management
tunnel-group group2 webvpn-attributes
 group-alias Group2 disable
 group-alias group2 enable
tunnel-group group2 ipsec-attributes
 ikev1 pre-shared-key ******
tunnel-group 129.xxx.230.17 type ipsec-l2l
tunnel-group 129.xxx.230.17 ipsec-attributes
 ikev1 pre-shared-key ***********
 isakmp keepalive disable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 4096
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
 class class-default
  user-statistics accounting
!
service-policy global_policy global
smtp-server 192.168.2.17
prompt hostname context 
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:7d5b78b68915ad22e68c090a72abb86a
: end

1 Answer

Network Engineering user

Accepted answer

Posted on 2018-05-09 20:07:20

I managed to model this in the lab and found the answer myself:

"no crypto map outside_map 210 set reverse-route"

Score 1
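The diagnosis in the question comes down to reading two outputs together: the `show route` table, where the customer host appears either as a static host route via the ISP gateway (9.1, working) or as a "connected by VPN (advertised)" route with no next hop (9.9, failing), and the packet-tracer ROUTE-LOOKUP phase, which in the failing case resolves the next hop to the destination itself. The following Python script is an added example, not code from the question, the answer, or Cisco; it parses both outputs, performs a longest-prefix lookup the way the route table would, and flags a destination whose clear-text return traffic is being steered by a reverse-route-injected VPN route instead of going to the ISP gateway. The addresses are constructed placeholders from the RFC 5737 documentation ranges standing in for the masked `xxx` addresses on the page, and the assumption that a `V` route with no `via` resolves its next hop to the destination address is taken from the page's Phase 4 output.

```python
"""Flag clear-text destinations shadowed by VPN-injected host routes.

Added diagnostic example; sample outputs below are constructed to mirror the
structure of the ASA output in the question, with documentation-range addresses.
"""
import ipaddress
import re

# Constructed sample: ISP gateway 198.51.100.25, customer host 203.0.113.132.
SHOW_ROUTE_BEFORE = """\
Gateway of last resort is 198.51.100.25 to network 0.0.0.0

S    203.0.113.132 255.255.255.255 [1/0] via 198.51.100.25, outside
"""

SHOW_ROUTE_AFTER = """\
Gateway of last resort is 198.51.100.25 to network 0.0.0.0

V        203.0.113.132 255.255.255.255
           connected by VPN (advertised), outside
"""

PHASE_AFTER = """\
Phase: 4
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 203.0.113.132 using egress ifc  outside
"""

IP = r"\d+\.\d+\.\d+\.\d+"
GW_RE = re.compile(rf"^Gateway of last resort is ({IP}) to network 0\.0\.0\.0")
ROUTE_RE = re.compile(rf"^(?P<code>[A-Z*]+)\s+(?P<net>{IP})\s+(?P<mask>{IP})(?P<rest>.*)$")
VIA_RE = re.compile(rf"via ({IP})")
NEXTHOP_RE = re.compile(rf"found next-hop ({IP}) using egress ifc\s+(\S+)")


def parse_show_route(text):
    """Return (gateway_of_last_resort, routes).

    Each route is a dict: prefix (ip_network), code, via (next hop or None)
    and vpn_injected (True for 'connected by VPN' routes, whose detail the
    ASA prints on the following indented line).
    """
    gateway, routes = None, []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        gw = GW_RE.match(lines[i])
        if gw:
            gateway = gw.group(1)
        m = ROUTE_RE.match(lines[i])
        if m:
            rest = m.group("rest")
            if i + 1 < len(lines) and lines[i + 1].startswith(" "):
                rest += " " + lines[i + 1].strip()   # continuation line
                i += 1
            via = VIA_RE.search(rest)
            routes.append({
                "prefix": ipaddress.ip_network(f"{m.group('net')}/{m.group('mask')}", strict=False),
                "code": m.group("code"),
                "via": via.group(1) if via else None,
                "vpn_injected": "connected by VPN" in rest,
            })
        i += 1
    return gateway, routes


def lookup(routes, gateway, dst):
    """Longest-prefix match with fallback to the gateway of last resort."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r["prefix"]]
    if not matches:
        return None, gateway
    best = max(matches, key=lambda r: r["prefix"].prefixlen)
    if best["vpn_injected"]:
        # Assumption (from the page's Phase 4 output): a VPN-injected route has
        # no 'via', and the next hop resolves to the destination itself.
        return best, str(addr)
    return best, best["via"] or gateway


def parse_next_hop(phase_text):
    """Extract (next_hop, egress_interface) from a ROUTE-LOOKUP phase."""
    m = NEXTHOP_RE.search(phase_text)
    return (m.group(1), m.group(2)) if m else (None, None)


def check_clear_text_path(show_route, dst, expected_gateway):
    """Return (next_hop, findings) for clear-text traffic to dst."""
    gateway, routes = parse_show_route(show_route)
    route, next_hop = lookup(routes, gateway, dst)
    findings = []
    if route is not None and route["vpn_injected"]:
        findings.append(f"{dst} is covered by VPN-injected route {route['prefix']}; "
                        "check 'crypto map ... set reverse-route' on the crypto map "
                        "whose ACL matches this host")
    if next_hop != expected_gateway:
        findings.append(f"next hop {next_hop} differs from expected {expected_gateway}")
    return next_hop, findings


if __name__ == "__main__":
    for label, table in (("before", SHOW_ROUTE_BEFORE), ("after", SHOW_ROUTE_AFTER)):
        nh, findings = check_clear_text_path(table, "203.0.113.132", "198.51.100.25")
        print(label, nh, findings or "OK")
    print("packet-tracer says:", parse_next_hop(PHASE_AFTER))
```

Run against the "after" table, the script reports the same next hop the packet-tracer phase shows, which is the signal that the reverse-route-injected host route is winning the longest-prefix match over the default route. The check is deliberately a read-only comparison of two pieces of `show` output, so it can be run on captured text from a change window rather than on the live device.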
The original page content is provided by Network Engineering. Translation supported by Tencent Cloud Xiaowei's IT-domain engine.
Original link:

https://networkengineering.stackexchange.com/questions/50284
