
Cisco access lists and network configuration

Network Engineering user
Asked 2021-07-19 09:30:09
2 answers, 152 views, 0 followers, 0 votes

This is my configuration for this network. I found that the ASAs are not getting through to each other. Also, when I enter show crypto isakmp sa and show crypto ipsec sa, nothing is shown at all. Can you find any problems with, or suggestions for, this configuration on all of the ASAs (LA, SD, SF, MI, NY)? I would really appreciate it.

ISP

Int g0/0
ip add 2.2.1.1 255.255.255.252
no shut

Int g0/1
IP add 2.2.2.1 255.255.255.252
no shut

int g0/2
ip add 2.2.3.1 255.255.255.252
no shut

int g0/3
ip add 4.4.129.1 255.255.255.252
no shut

int g0/3
ip add 4.4.128.1 255.255.255.252
no shut

LA, ASA 5506: 8.4 or later

!
hostname LA
!
interface G0/0
 nameif outside
 security-level 0
 ip address 2.2.1.2 255.255.255.0
 no shut
!
interface G0/1
 nameif inside
 security-level 100
 ip address 10.10.255.1 255.255.255.0
 no shut
!
route outside 0.0.0.0 0.0.0.0 2.2.1.1
!
!
object network INSIDE_NETWORK
 subnet 10.10.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
!
!
! Allowing ICMP through ASA.
!
!class-map inspection_default
! match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp 
  inspect icmp error
!
!service-policy global_policy global
!
!
! Allowing ICMP to ASA's inside interface from another site.
!
management-access inside
!
!
! Phase 1 (IKEv1)
!
crypto ikev1 enable outside
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
!
tunnel-group 4.4.128.2 type ipsec-l2l
tunnel-group 4.4.128.2 ipsec-attributes
 ikev1 pre-shared-key LA10toNY20
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key LA10toSF20
tunnel-group 2.2.3.2 type ipsec-l2l
tunnel-group 2.2.3.2 ipsec-attributes
 ikev1 pre-shared-key LA10toSD20

router eigrp 1
network 10.0.0.0
red stat



!
! Phase 2 (IPSec)
!
object network N_10.10.0.0_16
 subnet 10.10.0.0 255.255.0.0
object network N_10.128.0.0_16
 subnet 10.128.0.0 255.255.0.0
object network N_10.20.0.0_16
 subnet 10.20.0.0 255.255.0.0
object network N_10.30.0.0_16
 subnet 10.30.0.0 255.255.0.0
!
access-list IPSEC_NY_ACL extended permit ip object N_10.10.0.0_16 object N_10.128.0.0_16
access-list IPSEC_SF_ACL extended permit ip object N_10.10.0.0_16 object N_10.20.0.0_16
access-list IPSEC_SD_ACL extended permit ip object N_10.10.0.0_16 object N_10.30.0.0_16
!
! NAT Exemption (No NAT)
! Packet Tracer limitation (Manual NAT is not supported.)
!
nat (inside,outside) source static N_10.10.0.0_16 N_10.10.0.0_16 destination static N_10.128.0.0_16 N_10.128.0.0_16 no-proxy-arp route-lookup
nat (inside,outside) source static N_10.10.0.0_16 N_10.10.0.0_16 destination static N_10.20.0.0_16 N_10.20.0.0_16 no-proxy-arp route-lookup
nat (inside,outside) source static N_10.10.0.0_16 N_10.10.0.0_16 destination static N_10.30.0.0_16 N_10.30.0.0_16 no-proxy-arp route-lookup
!
crypto ipsec ikev1 transform-set IPSEC_SET esp-aes-256 esp-sha-hmac
!
crypto map IPSEC_MAP 10 match address IPSEC_NY_ACL
crypto map IPSEC_MAP 10 set peer 4.4.128.2
crypto map IPSEC_MAP 10 set ikev1 transform-set IPSEC_SET
crypto map IPSEC_MAP 10 set security-association lifetime seconds 86400
crypto map IPSEC_MAP 20 match address IPSEC_SF_ACL
crypto map IPSEC_MAP 20 set peer 2.2.2.2
crypto map IPSEC_MAP 20 set security-association lifetime seconds 86400
crypto map IPSEC_MAP 30 match address IPSEC_SD_ACL
crypto map IPSEC_MAP 30 set peer 2.2.3.2
crypto map IPSEC_MAP 30 set ikev1 transform-set IPSEC_SET
crypto map IPSEC_MAP 30 set security-association lifetime seconds 86400
!
crypto map IPSEC_MAP interface outside
!

SF, ASA 5506: 8.4 or later

!
hostname SF
!
interface G0/0
 nameif outside
 security-level 0
 ip address 2.2.2.2 255.255.255.252
 no shut
!
interface G0/1
 nameif inside
 security-level 100
 ip address 10.20.255.1 255.255.255.252
 no shut
!
route outside 0.0.0.0 0.0.0.0 2.2.2.1
!
!
object network INSIDE_NETWORK
 subnet 10.20.0.0 255.255.0.0
 nat (inside,outside) dynamic interface




! Allowing ICMP through ASA.
!
!class-map inspection_default
! match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp 
  inspect icmp error
!
!service-policy global_policy global
!
!
! Allowing ICMP to ASA's inside interface from another site.
!
management-access inside


! Phase 1 (IKEv1)
!
crypto ikev1 enable outside
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
!
tunnel-group 2.2.1.2 type ipsec-l2l
tunnel-group 2.2.1.2 ipsec-attributes
 ikev1 pre-shared-key LA10toSF20

router eigrp 1
network 10.0.0.0
red stat



! Phase 2 (IPSec)
!
object network N_10.20.0.0_16
 subnet 10.20.0.0 255.255.0.0
object network N_10.10.0.0_16
 subnet 10.10.0.0 255.255.0.0


access-list IPSEC_SF_ACL extended permit ip object N_10.20.0.0_16 object N_10.10.0.0_16


! NAT Exemption (No NAT)
! Packet Tracer limitation (Manual NAT is not supported.)
!
crypto ipsec ikev1 transform-set IPSEC_SET esp-aes-256 esp-sha-hmac

nat (inside,outside) source static N_10.20.0.0_16 N_10.20.0.0_16 destination static N_10.10.0.0_16 N_10.10.0.0_16 no-proxy-arp route-lookup
crypto map IPSEC_MAP 20 match address IPSEC_SF_ACL
crypto map IPSEC_MAP 20 set peer 2.2.1.2
crypto map IPSEC_MAP 20 set ikev1 transform-set IPSEC_SET
crypto map IPSEC_MAP 20 set security-association lifetime seconds 86400
!
crypto map IPSEC_MAP interface outside
!

SD, ASA 5506: 8.4 or later

!
hostname SD
!
interface G0/0
 nameif outside
 security-level 0
 ip address 2.2.3.2 255.255.255.252
 no shut
!
interface G0/1
 nameif inside
 security-level 100
 ip address 10.30.255.1 255.255.255.252
 no shut
!
route outside 0.0.0.0 0.0.0.0 2.2.3.1
!
!
object network INSIDE_NETWORK
 subnet 10.30.0.0 255.255.0.0
 nat (inside,outside) dynamic interface




! Allowing ICMP through ASA.
!
!class-map inspection_default
! match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp 
  inspect icmp error
!
!service-policy global_policy global
!
!
! Allowing ICMP to ASA's inside interface from another site.
!
management-access inside


! Phase 1 (IKEv1)
!
crypto ikev1 enable outside
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
!
tunnel-group 2.2.1.2 type ipsec-l2l
tunnel-group 2.2.1.2 ipsec-attributes
 ikev1 pre-shared-key LA10toSD20

router eigrp 1
network 10.0.0.0
red stat



! Phase 2 (IPSec)
!
object network N_10.30.0.0_16
 subnet 10.30.0.0 255.255.0.0
object network N_10.10.0.0_16
 subnet 10.10.0.0 255.255.0.0


access-list IPSEC_SD_ACL extended permit ip object N_10.30.0.0_16 object N_10.10.0.0_16


! NAT Exemption (No NAT)
! Packet Tracer limitation (Manual NAT is not supported.)
!
crypto ipsec ikev1 transform-set IPSEC_SET esp-aes-256 esp-sha-hmac

nat (inside,outside) source static N_10.30.0.0_16 N_10.30.0.0_16 destination static N_10.10.0.0_16 N_10.10.0.0_16 no-proxy-arp route-lookup
crypto map IPSEC_MAP 30 match address IPSEC_SD_ACL
crypto map IPSEC_MAP 30 set peer 2.2.1.2
crypto map IPSEC_MAP 30 set ikev1 transform-set IPSEC_SET
crypto map IPSEC_MAP 30 set security-association lifetime seconds 86400
!
crypto map IPSEC_MAP interface outside
!

MI, ASA 5506: 8.4 or later

!
hostname MI
!
interface G0/0
 nameif outside
 security-level 0
 ip address 4.4.129.2 255.255.255.252
 no shut
!
interface G0/1
 nameif inside
 security-level 100
 ip address 10.129.255.1 255.255.255.252
 no shut
!
route outside 0.0.0.0 0.0.0.0 4.4.129.1
!
!
object network INSIDE_NETWORK
 subnet 10.129.0.0 255.255.0.0
 nat (inside,outside) dynamic interface




! Allowing ICMP through ASA.
!
!class-map inspection_default
! match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp 
  inspect icmp error
!
!service-policy global_policy global
!
!
! Allowing ICMP to ASA's inside interface from another site.
!
management-access inside


! Phase 1 (IKEv1)
!
crypto ikev1 enable outside
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
!
tunnel-group 4.4.128.2 type ipsec-l2l
tunnel-group 4.4.128.2 ipsec-attributes
 ikev1 pre-shared-key NY10toMI20

router eigrp 1
network 10.0.0.0
red stat


! Phase 2 (IPSec)
!
object network N_10.129.0.0_16
 subnet 10.129.0.0 255.255.0.0
object network N_10.128.0.0_16
 subnet 10.128.0.0 255.255.0.0


access-list IPSEC_MI_ACL extended permit ip object N_10.129.0.0_16 object N_10.128.0.0_16


! NAT Exemption (No NAT)
! Packet Tracer limitation (Manual NAT is not supported.)
!
crypto ipsec ikev1 transform-set IPSEC_SET esp-aes-256 esp-sha-hmac

nat (inside,outside) source static N_10.129.0.0_16 N_10.129.0.0_16 destination static N_10.128.0.0_16 N_10.128.0.0_16 no-proxy-arp route-lookup
crypto map IPSEC_MAP 20 match address IPSEC_MI_ACL
crypto map IPSEC_MAP 20 set peer 4.4.128.2
crypto map IPSEC_MAP 20 set ikev1 transform-set IPSEC_SET
crypto map IPSEC_MAP 20 set security-association lifetime seconds 86400
!
crypto map IPSEC_MAP interface outside
!

NY, ASA 5506: 8.4 or later

!
hostname NY
!
interface G0/0
 nameif outside
 security-level 0
 ip address 4.4.128.2 255.255.255.252
 no shut
!
interface G0/1
 nameif inside
 security-level 100
 ip address 10.128.255.1 255.255.255.252
 no shut
!
route outside 0.0.0.0 0.0.0.0 4.4.128.1
!
!
object network INSIDE_NETWORK
 subnet 10.128.0.0 255.255.0.0
 nat (inside,outside) dynamic interface




! Allowing ICMP through ASA.
!
!class-map inspection_default
! match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp 
  inspect icmp error
!
!service-policy global_policy global
!
!
! Allowing ICMP to ASA's inside interface from another site.
!
management-access inside


! Phase 1 (IKEv1)
!
crypto ikev1 enable outside
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
!
tunnel-group 4.4.129.2 type ipsec-l2l
tunnel-group 4.4.129.2 ipsec-attributes
 ikev1 pre-shared-key NY10toMI20
tunnel-group 2.2.1.2 type ipsec-l2l
tunnel-group 2.2.1.2 ipsec-attributes
 ikev1 pre-shared-key LA10toNY20

router eigrp 1
network 10.0.0.0
red stat


! Phase 2 (IPSec)
!
object network N_10.128.0.0_16
 subnet 10.128.0.0 255.255.0.0
object network N_10.129.0.0_16
 subnet 10.129.0.0 255.255.0.0
object network N_10.128.0.0_16
 subnet 10.128.0.0 255.255.0.0
object network N_10.10.0.0_16
 subnet 10.10.0.0 255.255.0.0


access-list IPSEC_MI_ACL extended permit ip object N_10.128.0.0_16 object N_10.129.0.0_16
access-list IPSEC_NY_ACL extended permit ip object N_10.128.0.0_16 object N_10.10.0.0_16


! NAT Exemption (No NAT)
! Packet Tracer limitation (Manual NAT is not supported.)
!
crypto ipsec ikev1 transform-set IPSEC_SET esp-aes-256 esp-sha-hmac

nat (inside,outside) source static N_10.128.0.0_16 N_10.128.0.0_16 destination static N_10.129.0.0_16 N_10.129.0.0_16 no-proxy-arp route-lookup
nat (inside,outside) source static N_10.128.0.0_16 N_10.128.0.0_16 destination static N_10.10.0.0_16 N_10.10.0.0_16 no-proxy-arp route-lookup
crypto map IPSEC_MAP 10 match address IPSEC_NY_ACL
crypto map IPSEC_MAP 10 set peer 2.2.1.2
crypto map IPSEC_MAP 10 set ikev1 transform-set IPSEC_SET
crypto map IPSEC_MAP 10 set security-association lifetime seconds 86400
crypto map IPSEC_MAP 20 match address IPSEC_MI_ACL
crypto map IPSEC_MAP 20 set peer 4.4.129.2
crypto map IPSEC_MAP 20 set ikev1 transform-set IPSEC_SET
crypto map IPSEC_MAP 20 set security-association lifetime seconds 86400
!
crypto map IPSEC_MAP interface outside

2 Answers

Network Engineering user

Posted 2021-07-19 20:02:14

Each ASA must know the networks behind it, either through static routes or by setting up a routing protocol such as OSPF.

Without proper routing, all traffic goes to the default gateway.

Votes: 0

Network Engineering user

Posted 2023-01-11 15:09:59

Start with the basics. Ping from one ASA to the other on the outside IPs to verify they are reachable. Then enable 'debug crypto ipsec', 'debug crypto ikev1' and 'debug crypto isakmp' and watch the log output. Generate traffic from a host inside the firewall to an IP address that should be reachable through the VPN tunnel. See what the error logs or debug output indicate. Keep troubleshooting based on the log output.

Votes: 0
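Before turning on the debugs the second answer describes, it pays to check the things that make the ISAKMP and IPsec SA tables stay empty in the first place: a peer whose outside address no other site owns, a pre-shared key that differs between the two tunnel-groups, crypto ACLs that are not mirror images, a crypto map entry with no transform-set, and (the first answer's point) a protected subnet the ASA can only reach via its default route. The following Python linter is an added example, not code from the question or from either answer; it parses trimmed ASA configs and cross-checks every crypto map entry against its peer. The two sample configs are constructed, modelled on the question's LA and SF devices: LA deliberately keeps two of the question's defects (crypto map 20 has no transform-set, and the inside interface is a /24 while the protected network is 10.10.0.0/16), while SF has a static inside route added. The function names, the next hop 10.20.255.2 and the limited ACL and route grammar it understands are my own assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data modelled on the question's LA and SF ASAs (hypothetical, trimmed to what the checks read; LA keeps two of the question's defects).
CONFIGS = {
    "LA": """\
interface G0/0
 nameif outside
 ip address 2.2.1.2 255.255.255.0
interface G0/1
 nameif inside
 ip address 10.10.255.1 255.255.255.0
object network N_10.10.0.0_16
 subnet 10.10.0.0 255.255.0.0
object network N_10.20.0.0_16
 subnet 10.20.0.0 255.255.0.0
access-list IPSEC_SF_ACL extended permit ip object N_10.10.0.0_16 object N_10.20.0.0_16
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key LA10toSF20
crypto map IPSEC_MAP 20 match address IPSEC_SF_ACL
crypto map IPSEC_MAP 20 set peer 2.2.2.2
""",
    "SF": """\
interface G0/0
 nameif outside
 ip address 2.2.2.2 255.255.255.252
route inside 10.20.0.0 255.255.0.0 10.20.255.2
object network N_10.20.0.0_16
 subnet 10.20.0.0 255.255.0.0
object network N_10.10.0.0_16
 subnet 10.10.0.0 255.255.0.0
access-list IPSEC_SF_ACL extended permit ip object N_10.20.0.0_16 object N_10.10.0.0_16
tunnel-group 2.2.1.2 ipsec-attributes
 ikev1 pre-shared-key LA10toSF20
crypto map IPSEC_MAP 20 match address IPSEC_SF_ACL
crypto map IPSEC_MAP 20 set peer 2.2.1.2
crypto map IPSEC_MAP 20 set ikev1 transform-set IPSEC_SET
""",
}

def parse_asa(text):
    """Extract only what the tunnel checks need from an ASA running-config."""
    s = {"outside": None, "inside": [], "objects": {}, "acls": defaultdict(list), "psk": {}, "maps": defaultdict(dict)}
    ctx = None  # current section: ["if", nameif] / ["obj", name] / ["tg", peer-ip]
    for raw in text.splitlines():
        w = raw.split() or [""]          # a blank line matches nothing below
        if not raw[:1].isspace():        # an unindented line starts a new section
            ctx = None
        if w[0] == "interface":
            ctx = ["if", None]
        elif w[:2] == ["object", "network"]:
            ctx = ["obj", w[2]]
        elif w[0] == "tunnel-group" and w[-1] == "ipsec-attributes":
            ctx = ["tg", w[1]]
        elif w[0] == "nameif" and ctx:
            ctx[1] = w[1]
        elif w[:2] == ["ip", "address"] and ctx:
            iface = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
            if ctx[1] == "outside":
                s["outside"] = str(iface.ip)
            else:                        # any other nameif counts as an inside-side connected subnet
                s["inside"].append(iface.network)
        elif w[0] == "subnet" and ctx:
            s["objects"][ctx[1]] = ipaddress.ip_network(f"{w[1]}/{w[2]}")
        elif w[:2] == ["ikev1", "pre-shared-key"] and ctx:
            s["psk"][ctx[1]] = w[2]
        elif w[0] == "access-list" and w[2:5] == ["extended", "permit", "ip"]:
            s["acls"][w[1]].append((w[6], w[8]))   # (local object, remote object)
        elif w[:2] == ["crypto", "map"] and w[3].isdigit():
            s["maps"][(w[2], int(w[3]))][" ".join(w[4:-1])] = w[-1]
        elif w[:2] == ["route", "inside"]:
            s["inside"].append(ipaddress.ip_network(f"{w[2]}/{w[3]}"))
    return s

def check_tunnels(configs):
    """Cross-check every crypto map entry against the peer it names; returns a list of findings."""
    sites = {n: parse_asa(t) for n, t in configs.items()}
    by_outside, out = {s["outside"]: n for n, s in sites.items()}, []
    for n, s in sites.items():
        for (mapname, seq), e in s["maps"].items():
            tag, peer = f"{n} crypto map {mapname} {seq}", e.get("set peer")
            if "set ikev1 transform-set" not in e:
                out.append(f"{tag}: no transform-set, so Phase 2 can never complete")
            pn = by_outside.get(peer); p = sites.get(pn)
            back = [b for b in p["maps"].values() if b.get("set peer") == s["outside"]] if p else []
            if not back:
                out.append(f"{tag}: no site with outside {peer} has a crypto map entry back to {s['outside']}")
                continue
            if not s["psk"].get(peer) or s["psk"][peer] != p["psk"].get(s["outside"]):
                out.append(f"{tag}: pre-shared key missing or different from {pn}'s")
            # Phase 2 proxy IDs: our (local, remote) pairs must be the peer's pairs swapped
            mine = {(s["objects"][a], s["objects"][b]) for a, b in s["acls"].get(e.get("match address"), [])}
            theirs = {(p["objects"][b], p["objects"][a]) for bk in back for a, b in p["acls"].get(bk.get("match address"), [])}
            if mine != theirs:
                out.append(f"{tag}: crypto ACL is not the mirror image of {pn}'s")
            # first answer's point: without an inside-side route for the protected subnet, replies follow the default route out of outside
            for local, _ in mine:
                if not any(local.subnet_of(r) for r in s["inside"]):
                    out.append(f"{tag}: no connected or static inside route covers {local}")
    return out
```

Run as `python3 -c 'import lint; print(*lint.check_tunnels(lint.CONFIGS), sep="\n")'` (assuming the file is saved as lint.py): for the sample data it reports only LA, once for the missing transform-set and once because 10.10.0.0/16 is covered neither by the connected 10.10.255.0/24 nor by any inside static route. Change one side's key and both sites report the mismatch; blank out a site and its peer reports a dangling peer address. The parser understands only the `permit ip object X object Y` ACL form and `route inside` statics used here, so extend it before pointing it at a richer production config.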
Original page content provided by Network Engineering. Translation support by Tencent Cloud Xiaowei's IT-domain engine.
Original link:

https://networkengineering.stackexchange.com/questions/74603
