Cisco ASA5505, PAT, site-to-site vpn

Apr 7th, 2015

Hello.

I'm asking for help configuring an ASA5505. I'm using two ASA5505s to link two local networks over a site-to-site VPN. The tunnel works, and the LANs can reach each other. The LAN 10.1.10.0/24 also reaches vlan dsz and vlan adm through PAT on the first ASA5505. But there is one problem: I cannot set up access from the remote LAN 10.1.6.0/24 to the third-party organizations' LANs 192.168.0.0/16 (vlan dsz and vlan adm), which are reached through PAT on the first ASA5505. Is such a configuration possible, how can it be done, and what am I doing wrong?

Configuration of the first ASA5505:

ASA Version 8.2(1)
!
hostname asa1
domain-name aaa.local
enable password XXX encrypted
passwd XXX encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.10.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
interface Vlan3
 nameif adm
 security-level 50
 ip address 192.168.44.74 255.255.255.0
!
interface Vlan4
 nameif dsz
 security-level 50
 ip address 10.142.1.240 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
 switchport access vlan 4
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 8.8.4.4
 name-server 8.8.8.8
 domain-name aaa.local
same-security-traffic permit intra-interface
access-list ACL_NONAT extended permit ip 10.1.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list ACL_NAT_ADM extended permit ip 10.1.0.0 255.255.0.0 192.168.44.0 255.255.255.0
access-list ACL_NAT_DSZ extended permit ip 10.1.0.0 255.255.0.0 10.142.1.0 255.255.255.0
access-list ACL_NAT_DSZ extended permit ip 10.1.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list ACL_VPN extended permit ip 10.1.10.0 255.255.255.0 10.1.6.0 255.255.255.0
access-list ACL_NAT_WAN extended permit ip 10.1.10.0 255.255.255.0 any
access-list ACL_NAT_ADM_2 extended permit ip 10.1.10.0 255.255.255.0 192.168.44.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu adm 1500
mtu dsz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 30 interface
global (adm) 10 interface
global (dsz) 20 interface
nat (inside) 0 access-list ACL_NONAT
nat (inside) 10 access-list ACL_NAT_ADM_2
nat (inside) 20 access-list ACL_NAT_DSZ
nat (inside) 30 access-list ACL_NAT_WAN
nat (outside) 10 access-list ACL_NAT_ADM
route outside 0.0.0.0 0.0.0.0 7.7.7.7 1
route dsz 192.168.0.0 255.255.255.0 10.142.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map MAP_VPN 60 match address ACL_VPN
crypto map MAP_VPN 60 set peer 2.2.2.2
crypto map MAP_VPN 60 set transform-set vpnset
crypto map MAP_VPN 60 set reverse-route
crypto map MAP_VPN interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp disconnect-notify
telnet timeout 5
ssh 10.1.10.0 255.255.255.0 inside
ssh timeout 25
console timeout 0
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd domain social.local
dhcpd auto_config outside
!
dhcpd address 10.1.10.100-10.1.10.200 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
username XXX password XXX encrypted
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context

Configuration of the second ASA5505:

ASA Version 8.2(1)
!
hostname asa2
domain-name bbb.local
enable password XXX encrypted
passwd XXX encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.6.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 2.2.2.2 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 8.8.4.4
 name-server 8.8.8.8
 domain-name bbb.local
access-list ACL_NONAT extended permit ip 10.1.6.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list ACL_NONAT extended permit ip 10.1.6.0 255.255.255.0 10.142.1.0 255.255.255.0
access-list ACL_NONAT extended permit ip 10.1.6.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list ACL_VPN extended permit ip 10.1.6.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list ACL_VPN extended permit ip 10.1.6.0 255.255.255.0 10.142.1.0 255.255.255.0
access-list ACL_VPN extended permit ip 10.1.6.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list ACL_NAT_WAN extended permit ip 10.1.6.0 255.255.255.0 any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list ACL_NONAT
nat (inside) 10 access-list ACL_NAT_WAN
route outside 0.0.0.0 0.0.0.0 7.7.7.7 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map MAP_VPN 60 match address ACL_VPN
crypto map MAP_VPN 60 set peer 1.1.1.1
crypto map MAP_VPN 60 set transform-set vpnset
crypto map MAP_VPN 60 set reverse-route
crypto map MAP_VPN interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp disconnect-notify
telnet timeout 5
ssh 10.1.6.0 255.255.255.0 inside
ssh timeout 15
console timeout 0
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd domain bbb.local
dhcpd auto_config outside
!
dhcpd address 10.1.6.100-10.1.6.200 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username XXX password XXX encrypted
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context

vst-ksz-nvkz Wed, 04/08/2015 - 21:43

It looks like this is turning into a case of "the rescue of a drowning man is the drowning man's own job". So, studying the problem showed that traffic from the remote LAN goes through the outside interface, which means the PAT rules I used on the first ASA5505 are wrong or imprecise:

access-list ACL_NAT_ADM extended permit ip 10.1.0.0 255.255.0.0 192.168.44.0 255.255.255.0
access-list ACL_NAT_DSZ extended permit ip 10.1.0.0 255.255.0.0 10.142.1.0 255.255.255.0
access-list ACL_NAT_DSZ extended permit ip 10.1.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list ACL_VPN extended permit ip 10.1.10.0 255.255.255.0 10.1.6.0 255.255.255.0
access-list ACL_NAT_WAN extended permit ip 10.1.10.0 255.255.255.0 any
access-list ACL_NAT_ADM_2 extended permit ip 10.1.10.0 255.255.255.0 192.168.44.0 255.255.255.0
nat (inside) 0 access-list ACL_NONAT
nat (inside) 10 access-list ACL_NAT_ADM_2
nat (inside) 20 access-list ACL_NAT_DSZ
nat (inside) 30 access-list ACL_NAT_WAN
nat (outside) 10 access-list ACL_NAT_ADM

I rewrote them as follows:

access-list ACL_NONAT extended permit ip 10.1.10.0 255.255.255.0 10.1.6.0 255.255.255.0

access-list ACL_NAT_ADM extended permit ip 10.1.10.0 255.255.255.0 192.168.44.0 255.255.255.0
access-list ACL_NAT_ADM_VPN extended permit ip 10.1.6.0 255.255.255.0 192.168.44.0 255.255.255.0
access-list ACL_NAT_DSZ extended permit ip 10.1.10.0 255.255.255.0 10.142.1.0 255.255.255.0
access-list ACL_NAT_DSZ extended permit ip 10.1.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list ACL_NAT_DSZ_VPN extended permit ip 10.1.6.0 255.255.255.0 10.142.1.0 255.255.255.0
access-list ACL_NAT_DSZ_VPN extended permit ip 10.1.6.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list ACL_VPN extended permit ip 10.1.10.0 255.255.255.0 10.1.6.0 255.255.255.0
access-list ACL_VPN extended permit ip 10.142.1.0 255.255.255.0 10.1.6.0 255.255.255.0
access-list ACL_VPN extended permit ip 192.168.0.0 255.255.255.0 10.1.6.0 255.255.255.0
access-list ACL_VPN extended permit ip 192.168.44.0 255.255.255.0 10.1.6.0 255.255.255.0

access-list ACL_NAT_WAN extended permit ip 10.1.10.0 255.255.255.0 any

!- traffic bypassing nat
nat (inside) 0 access-list ACL_NONAT

!- traffic to adm
nat (inside) 10 access-list ACL_NAT_ADM
nat (outside) 10 access-list ACL_NAT_ADM_VPN outside
global (adm) 10 interface

!- traffic to dsz
nat (inside) 20 access-list ACL_NAT_DSZ
nat (outside) 20 access-list ACL_NAT_DSZ_VPN outside
global (dsz) 20 interface

!- outbound traffic for the inside LAN
nat (inside) 30 access-list ACL_NAT_WAN
global (outside) 30 interface

In the new nat 10 and 20 rules (highlighted in green) the incoming interface is specified as outside and the commands carry the outside directive, which should allow traffic to pass from the interface with the lower security-level (outside) to the interfaces with the higher security-level (dsz and adm).

Everything has been rewritten, but the problem hasn't gone away; I'll keep digging.

vst-ksz-nvkz Mon, 04/13/2015 - 02:33

Well, guys, you can't fool an old BSD hand. Many thanks to vst-ksz-nvkz, who gave the right answer ;)

The idea that there was a catch came to me after a detailed look at the output of this command:

asa1(config)# show crypto ipsec sa
interface: outside
    Crypto map tag: MAP_VPN, seq num: 60, local addr: 1.1.1.1

      access-list ACL_VPN permit ip 10.1.6.0 255.255.255.0 10.1.10.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.1.6.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.10.0/255.255.255.0/0/0)
      current_peer: 1.1.1.1
..........

As we can see, the ASA5505 matches to the VPN tunnel only packets addressed from 10.1.10.0/24 to 10.1.6.0/24, and simply ignores the other subnets, adm and dsz, listed in access-list ACL_VPN. In other words, Cisco treats the composite access-list ACL_VPN (consisting of several rules) used in the crypto map as an ordinary one and takes the first rule as the resulting rule. In the official documentation for the firewall I did not find any mention of this remarkable feature. The solution is as follows: for each subnet that needs to be reached through the VPN, a separate crypto map must be created.

Configuration of the first ASA5505:

access-list ACL_NONAT extended permit ip 10.1.10.0 255.255.255.0 10.1.6.0 255.255.255.0

access-list ACL_NAT_ADM extended permit ip 10.1.10.0 255.255.255.0 192.168.44.0 255.255.255.0
access-list ACL_NAT_ADM_VPN extended permit ip 10.1.6.0 255.255.255.0 192.168.44.0 255.255.255.0

access-list ACL_NAT_DSZ extended permit ip 10.1.10.0 255.255.255.0 10.142.1.0 255.255.255.0
access-list ACL_NAT_DSZ extended permit ip 10.1.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list ACL_NAT_DSZ_VPN extended permit ip 10.1.6.0 255.255.255.0 10.142.1.0 255.255.255.0
access-list ACL_NAT_DSZ_VPN extended permit ip 10.1.6.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list ACL_VPN_MAIN extended permit ip 10.1.10.0 255.255.255.0 10.1.6.0 255.255.255.0
access-list ACL_VPN_DSZ extended permit ip 192.168.0.0 255.255.255.0 10.1.6.0 255.255.255.0
access-list ACL_VPN_ADM extended permit ip 192.168.44.0 255.255.255.0 10.1.6.0 255.255.255.0

access-list ACL_NAT_WAN extended permit ip 10.1.10.0 255.255.255.0 any

!- traffic bypassing nat
nat (inside) 0 access-list ACL_NONAT

!- traffic to ADM
nat (inside) 10 access-list ACL_NAT_ADM
nat (outside) 10 access-list ACL_NAT_ADM_VPN outside
global (adm) 10 interface

!- traffic to DSZ
nat (inside) 20 access-list ACL_NAT_DSZ
nat (outside) 20 access-list ACL_NAT_DSZ_VPN outside
global (dsz) 20 interface

!- outbound traffic
nat (inside) 30 access-list ACL_NAT_WAN
global (outside) 30 interface

crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 quit

crypto ipsec transform-set vpnset esp-3des esp-sha-hmac

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key lay-lay
 isakmp keepalive
 quit

crypto map MAP_VPN 60 set peer 2.2.2.2
crypto map MAP_VPN 60 set transform-set vpnset
crypto map MAP_VPN 60 set reverse-route
crypto map MAP_VPN 60 match address ACL_VPN_MAIN

crypto map MAP_VPN 61 set peer 2.2.2.2
crypto map MAP_VPN 61 set transform-set vpnset
crypto map MAP_VPN 61 set reverse-route
crypto map MAP_VPN 61 match address ACL_VPN_DSZ

crypto map MAP_VPN 62 set peer 2.2.2.2
crypto map MAP_VPN 62 set transform-set vpnset
crypto map MAP_VPN 62 set reverse-route
crypto map MAP_VPN 62 match address ACL_VPN_ADM

crypto map MAP_VPN interface outside
crypto isakmp enable outside
crypto isakmp disconnect-notify 

Configuration of the second ASA5505:

access-list ACL_NONAT extended permit ip 10.1.6.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list ACL_NONAT extended permit ip 10.1.6.0 255.255.255.0 10.142.1.0 255.255.255.0
access-list ACL_NONAT extended permit ip 10.1.6.0 255.255.255.0 192.168.0.0 255.255.0.0

access-list ACL_VPN_MAIN extended permit ip 10.1.6.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list ACL_VPN_DSZ extended permit ip 10.1.6.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list ACL_VPN_ADM extended permit ip 10.1.6.0 255.255.255.0 192.168.44.0 255.255.255.0

access-list ACL_NAT_WAN extended permit ip 10.1.6.0 255.255.255.0 any

!- traffic bypassing nat
nat (inside) 0 access-list ACL_NONAT

!- traffic via nat
nat (inside) 10 access-list ACL_NAT_WAN
global (outside) 10 interface

crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 quit

crypto ipsec transform-set vpnset esp-3des esp-sha-hmac

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key lay-lay
 quit

crypto map MAP_VPN 60 set peer 1.1.1.1
crypto map MAP_VPN 60 set transform-set vpnset
crypto map MAP_VPN 60 set reverse-route
crypto map MAP_VPN 60 match address ACL_VPN_MAIN

crypto map MAP_VPN 61 set peer 1.1.1.1
crypto map MAP_VPN 61 set transform-set vpnset
crypto map MAP_VPN 61 set reverse-route
crypto map MAP_VPN 61 match address ACL_VPN_DSZ

crypto map MAP_VPN 62 set peer 1.1.1.1
crypto map MAP_VPN 62 set transform-set vpnset
crypto map MAP_VPN 62 set reverse-route
crypto map MAP_VPN 62 match address ACL_VPN_ADM

crypto map MAP_VPN interface outside
crypto isakmp enable outside
crypto isakmp disconnect-notify

By the way, I discovered other peculiarities in configuring Cisco. The nat rules must be entered in the same order in which network traffic will be processed by those rules. If you forgot to write some nat rule in the middle, you can insert it into the existing configuration only by rewriting the whole chain of nat rules. Nat_id does not determine the order in which nat rules are executed in any way.

Thanks to everyone who responded.