I have configured a Cisco ASA 5506-X for one of my clients, and I am having trouble getting traffic to pass back and forth to the remote network. The VPN tunnel connects successfully according to "show crypto ipsec sa". Below is a copy of the sanitized config I currently have:
:
: Serial Number: XXXXXXXXXXX
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.4(1)
!
hostname ciscoasa01
enable password XXXXXXXXXXXXXXX encrypted
names
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 172.16.10.163 255.255.255.248
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
nameif management
security-level 100
no ip address
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 4.2.2.2
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Datacenter
subnet 10.10.185.0 255.255.255.0
object network Internal
subnet 192.168.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip object Internal object Datacenter
access-list outside_cryptomap extended permit icmp object Internal object Datacenter
access-list internet_access extended permit ip object Internal any
access-list outside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static Internal Internal destination static Datacenter Datacenter no-proxy-arp route-lookup
nat (outside,outside) source static Internal Internal destination static Datacenter Datacenter no-proxy-arp route-lookup
!
object network obj_any
nat (any,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.10.161 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 20.30.40.185
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA ESP-3DES-SHA-TRANS ESP-AES-256-SHA ESP-AES-256-SHA-TRANS
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 2
prf sha
lifetime seconds 3600
crypto ikev1 enable outside
crypto ikev1 policy 120
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 3600
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 24.56.178.140 source outside prefer
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev2 l2tp-ipsec
group-policy GroupPolicy_20.30.40.185 internal
group-policy GroupPolicy_20.30.40.185 attributes
vpn-tunnel-protocol ikev1
dynamic-access-policy-record DfltAccessPolicy
username admin password XXXXXXXXXXXXXX encrypted privilege 15
tunnel-group 20.30.40.185 type ipsec-l2l
tunnel-group 20.30.40.185 general-attributes
default-group-policy GroupPolicy_20.30.40.185
tunnel-group 20.30.40.185 ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map filtered-class
match any
class-map global-class
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
description Filtered Traffic
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class filtered-class
sfr fail-open
policy-map global-policy
class global-class
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3ed383cb9ad07574a579a99ea71c2946
: end
When I run a packet-tracer from the Cisco ASA to the remote network, it works fine, but when I run a packet-tracer from the remote network back to the LAN behind this ASA, I get the following:
# packet-tracer input outside tcp 10.10.185.2 3389 192.168.2.5 3389 detailed
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.2.5 using egress ifc inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffde35d0a0, priority=13, domain=permit, deny=false
hits=24, user_data=0x7fffcfffed00, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffdd3fd8a0, priority=0, domain=nat-per-session, deny=false
hits=470, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffddb1e950, priority=0, domain=inspect-ip-options, deny=true
hits=2051, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 5
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map filtered-class
match any
policy-map global_policy
description Filtered Traffic
class filtered-class
sfr fail-open
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffde1e96f0, priority=71, domain=sfr, deny=false
hits=25, user_data=0x7fffde1e90a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffde312c90, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=1, user_data=0x197c4, cs_id=0x7fffddbdbc70, reverse, flags=0x0, protocol=0
src ip/id=10.10.185.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=192.168.2.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
I can't figure out what is preventing the traffic from returning properly. I also can't get traffic from the LAN behind the Cisco ASA out to the Internet and back, even though I have a NAT rule to handle that, but I'll start with the VPN tunnel traffic and tackle one thing at a time.
Any ideas?
EDIT
Adding some information as requested.
Output of show run nat:
# sho run nat
nat (outside,any) source static any any destination static interface Win_Svr service RDP RDP no-proxy-arp
nat (inside,outside) source dynamic obj_any interface
nat (inside,outside) source static Internal Internal destination static Datacenter Datacenter no-proxy-arp route-lookup
!
object network obj_any
nat (any,outside) dynamic interface
Packet-tracer output from the internal IP 192.168.2.5 to the external 8.8.8.8:
# packet-tracer input inside tcp 192.168.2.5 53 8.8.8.8 53
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.16.10.161 using egress ifc outside
Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic obj_any interface
Additional Information:
Dynamic translate 192.168.2.5/53 to 172.16.10.163/53
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map filtered-class
match any
policy-map global_policy
description Filtered Traffic
class filtered-class
sfr fail-open
service-policy global_policy global
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source dynamic obj_any interface
Additional Information:
Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 13956, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Output of "show crypto ipsec sa peer 20.30.40.185":
# sh crypto ipsec sa peer 20.30.40.185 detail
peer address: 20.30.40.185
Crypto map tag: outside_map, seq num: 1, local addr: 172.16.10.163
access-list outside_cryptomap extended permit ip 192.168.2.0 255.255.255.0 10.10.185.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.185.0/255.255.255.0/0/0)
current_peer: 20.30.40.185
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 11043, #pkts decrypt: 11043, #pkts verify: 11043
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
#pkts invalid prot (rcv): 0, #pkts verify failed: 0
#pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
#pkts invalid pad (rcv): 0,
#pkts invalid ip version (rcv): 0,
#pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
#pkts replay failed (rcv): 0
#pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
#pkts internal err (send): 0, #pkts internal err (rcv): 0
local crypto endpt.: 172.16.10.163/4500, remote crypto endpt.: 20.30.40.185/4500
path mtu 1500, ipsec overhead 82(52), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: CDCAAA61
current inbound spi : 337E6914
inbound esp sas:
spi: 0x337E6914 (863922452)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, IKEv1, }
slot: 0, conn_id: 12288, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373985/2388)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xCDCAAA61 (3452611169)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, IKEv1, }
slot: 0, conn_id: 12288, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4374000/2386)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Posted 2015-10-22 00:11:41
You won't be able to test the VPN with packet-tracer from remote to local; if you do, you will get a drop. I believe this is because the traffic is expected to be encrypted, and receiving an unencrypted packet (even a simulated one) is dropped as a security measure. (If I can set it up in my lab, I'll test it out as well.) EDIT: tested in the lab; testing the VPN from the remote side results in a drop. If anyone else has had a different experience, please let me know.
Posted 2016-02-06 03:23:49
I had a very similar problem with an IKEv2 tunnel between my site and an ASA. Although all the configuration looked correct, one side of the tunnel would send the traffic back out of the inside interface.
After hours of checking, what gave it away was the packet-tracer output. I noticed that when I ran packet-tracer on the working side of the tunnel, the first phase of the output was the expected "tunnel". On the misbehaving ASA, the first phase of the packet-tracer output was "route lookup".
Check your routing configuration and the order of operations on your Cisco software.
For my configuration, the problem was the route-lookup statement in the un-NAT entry.
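Both answers above turn on reading the packet-tracer output phase by phase: which Type phase 1 is (ROUTE-LOOKUP versus the tunnel phase the second answer mentions), and which phase reports DROP and with what Drop-reason (the VPN/ipsec-tunnel-flow drop the first answer describes for a trace injected on the outside interface). As an added example that is not code from this thread or from Cisco, the following Python parses `packet-tracer` output into phases and prints a compact verdict. The two sample traces embedded in it are constructed, trimmed copies of the traces shown in the question (middle phases omitted); the field labels are the ones the ASA prints, and the helper names are mine.

```python
"""Parse Cisco ASA packet-tracer output into phases and report where the packet was dropped.
Added example for this thread, not code from the original post or from Cisco; the sample traces
are constructed, trimmed copies of the question's own traces (middle phases omitted)."""
import re
from dataclasses import dataclass, field

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
FIELD_RE = re.compile(r"^(Type|Subtype|Result|Config|Additional Information):\s*(.*)$")
DROP_RE = re.compile(r"^Drop-reason:\s*\((?P<code>[^)]+)\)\s*(?P<text>.*)$")

@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)  # lines printed under "Config:"
    info: list = field(default_factory=list)    # lines printed under "Additional Information:"

def parse_packet_tracer(text):
    """Return (phases, verdict); verdict holds the final Action and Drop-reason fields."""
    phases, verdict = [], {"action": "", "drop_code": "", "drop_text": ""}
    phase = bucket = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := PHASE_RE.match(line):               # "Phase: N" opens a new phase
            phase = Phase(int(m.group(1)))
            phases.append(phase)
            bucket = None
        elif phase is not None and (m := FIELD_RE.match(line)):
            key, val = m.group(1), m.group(2).strip()
            if key == "Result" and val == "":       # bare "Result:" starts the final summary
                phase = bucket = None
            elif key == "Config":
                bucket = phase.config
            elif key == "Additional Information":
                bucket = phase.info
            else:                                   # Type / Subtype / Result: ALLOW|DROP
                setattr(phase, key.lower(), val)
                bucket = None
        elif bucket is not None:                    # free-form line under Config / Info
            bucket.append(line)
        elif line.startswith("Action:"):
            verdict["action"] = line.split(":", 1)[1].strip()
        elif m := DROP_RE.match(line):
            verdict["drop_code"], verdict["drop_text"] = m.group("code"), m.group("text")
    return phases, verdict

def drop_phase(phases):
    return next((p for p in phases if p.result == "DROP"), None)

def dropped_in_vpn_phase(phases):
    """The case the first answer describes: a cleartext packet injected on the outside
    interface for a VPN peer's subnet dies in the VPN/ipsec-tunnel-flow check."""
    d = drop_phase(phases)
    return d is not None and d.type == "VPN" and d.subtype == "ipsec-tunnel-flow"

def summarize(text):
    """One line per phase (so phase 1's Type is easy to see), then the verdict."""
    phases, verdict = parse_packet_tracer(text)
    lines = [f"{p.number:>2}  {p.type:<14} {p.subtype:<24} {p.result}" for p in phases]
    d = drop_phase(phases)
    if d is None:
        lines.append(f"action: {verdict['action']}")
    else:
        lines.append(f"dropped in phase {d.number} ({d.type}/{d.subtype}): {verdict['drop_code']}: {verdict['drop_text']}")
    return "\n".join(lines)

# Constructed samples: the question's two traces, trimmed to a few phases each.
DROP_TRACE = """\
# packet-tracer input outside tcp 10.10.185.2 3389 192.168.2.5 3389 detailed
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Additional Information:
found next-hop 192.168.2.5 using egress ifc inside
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

ALLOW_TRACE = """\
# packet-tracer input inside tcp 192.168.2.5 53 8.8.8.8 53
Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Additional Information:
Dynamic translate 192.168.2.5/53 to 172.16.10.163/53
Result:
Action: allow
"""
```

Paste the full `detailed` output into `summarize()` (for example via `summarize(open("trace.txt").read())`) to get one line per phase plus the verdict; the per-phase `config` and `info` lists keep the NAT rule or ACL line the ASA matched, which is what you compare between the working and the misbehaving side.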
https://networkengineering.stackexchange.com/questions/23584