Bringing up an IPsec tunnel between an ASA 5510 and an ASA 5505 on a local network

Good afternoon, colleagues! I have an urgent task (it has to be done today or tomorrow, before the weekend and certainly before January 12, the first working day after the holidays). I need to bring up an IPsec VPN tunnel between an ASA 5510 and an ASA 5505 within a local network. The situation is that there are two sites physically connected by a single LAN. Right now both sites are on the same internal subnet served by the ASA 5510. There are not enough IP addresses (0-254). I need to split one site off behind a 5505 and build an IPsec VPN channel between the 5510 and the 5505. The internal subnet behind the 5505 should be passed onward through the 5510 via the site-to-site tunnel, including to the Internet. Right now I cannot get the tunnel between the 5510 and the 5505 to come up. The 5505's outside interface is plugged into the 5510's local network (inside). Please help! What am I doing wrong? What needs to be done, and how?

On the ASA 5510: ASA Version 8.4(5)
On the ASA 5505: ASA Version 9.0(1)

192.168.2.0/24 - subnet behind the ASA 5505
1.1.1.1/255.255.255.0 - the IP I want to put on the 5505's outside interface and use to build the channel to the 5510
192.168.2.1/255.255.255.0 - ASA 5505 inside IP
192.168.1.1/255.255.255.0 - ASA 5510 inside IP
a.a.a.a/255.255.255.255 - ASA 5510 outside IP

Excerpt of the ASA 5505 config:

!
interface Ethernet0/0
 switchport access vlan 11
!
interface Ethernet0/1
 switchport access vlan 22
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan11
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan22
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
ftp mode passive
object network site-A
 subnet 192.168.2.0 255.255.255.0
object network site-B
 subnet 192.168.1.0 255.255.255.0
object network site-E
 subnet 192.168.5.0 255.255.255.0
object network all-networks
 subnet 192.168.0.0 255.0.0.0
object network internet
 subnet 192.168.2.0 255.255.255.0
object network site-C
 subnet 192.168.3.0 255.255.255.0
access-list all-network extended permit ip object all-networks object all-networks
access-list VPN extended permit ip object site-A object site-B
access-list VPN extended permit ip object site-A object site-E
access-list VPN extended permit ip object site-A object site-C
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static site-A site-A destination static site-E site-E
nat (inside,outside) source static site-A site-A destination static site-B site-B
nat (inside,outside) source static site-A site-A destination static site-C site-C
!
object network internet
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt connection preserve-vpn-flows
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association pmtu-aging infinite
crypto map OM 1 match address VPN
crypto map OM 1 set peer 192.168.1.1
crypto map OM 1 set ikev1 transform-set ESP-3DES-SHA
crypto map OM 1 set reverse-route
crypto map OM interface outside
crypto ca trustpool policy
crypto isakmp identity address
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 am-disable
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 99
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime none
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd address 192.168.2.150-192.168.2.254 inside
dhcpd dns 192.168.1.5 interface inside
dhcpd wins 192.168.1.5 interface inside
dhcpd domain доменное.имя interface inside
dhcpd auto_config outside vpnclient-wins-override interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy vpn internal
group-policy vpn attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol ikev1
username юзернаме password пассворд encrypted privilege 15
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
 ikev1 pre-shared-key ****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect http
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous

--------------------------------------------------------------------------------

Now an excerpt of the ASA 5510 config:

interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
 shutdown
 no nameif
 security-level 0
 no ip address
!
interface Ethernet0/2
 nameif outside
 security-level 0
 ip address a.a.a.a 255.255.255.255
 ospf network point-to-point non-broadcast
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
!
time-range All
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.1.5
 domain-name домаин-имя
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network site-A
 subnet 192.168.1.0 255.255.255.0
object network site-B
 subnet 192.168.2.0 255.255.255.0
object network site-C
 subnet 192.168.3.0 255.255.255.0
object network all-networks
 range 192.168.1.2 192.168.1.254
object network site-E
 subnet 192.168.5.0 255.255.255.0
access-list a1 extended permit ip object site-A object site-E
access-list a1 extended permit ip object site-B object site-E
access-list a1 extended permit ip object site-C object site-E
access-list ucmp extended permit icmp any any
access-list ucmp extended permit udp any any eq 50
access-list ucmp extended permit esp any any
access-list ALL extended permit ip any any
access-list all-network extended permit ip object all-networks object all-networks
access-list b1 extended permit ip object site-A object site-C
access-list b1 extended permit ip object site-B object site-C
access-list b1 extended permit ip object site-E object site-C
access-list c1 extended permit ip object site-C object site-B
access-list c1 extended permit ip object site-E object site-B
access-list c1 extended permit ip object site-A object site-B
pager lines 24
logging enable
logging asdm informational
logging mail debugging
logging class auth mail debugging
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,any) source static site-A site-A destination static site-E site-E
nat (outside,outside) source static site-B site-B destination static site-C site-C no-proxy-arp inactive
nat (inside,outside) source static site-C site-C destination static site-B site-B
nat (inside,outside) source static site-A site-A destination static site-B site-B
nat (inside,outside) source static site-A site-A destination static site-C site-C
!
object network all-networks
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 IP_адрес_гейта_провайдера 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 3:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:02:00
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:20:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt connection preserve-vpn-flows
sysopt noproxyarp inside
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association lifetime seconds 86400
crypto map OM 1 match address a1
crypto map OM 1 set peer IP   (this is another tunnel; it works fine)
crypto map OM 1 set ikev1 transform-set ESP-3DES-SHA
crypto map OM 1 set nat-t-disable
crypto map OM 1 set reverse-route
crypto map OM 2 match address c1
crypto map OM 2 set peer 1.1.1.1   (this is the one that needs to come up)
crypto map OM 2 set ikev1 transform-set ESP-3DES-SHA
crypto map OM 2 set nat-t-disable
crypto map OM 2 set reverse-route
crypto map OM interface outside
crypto isakmp identity address
no crypto isakmp nat-traversal
crypto ikev1 enable outside
crypto ikev1 am-disable
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 66
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime none
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.5.0 255.255.252.0 inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd address 192.168.1.150-192.168.1.254 inside
dhcpd dns 192.168.1.5 interface inside
dhcpd wins 192.168.1.5 interface inside
dhcpd domain домаин.имя interface inside
dhcpd auto_config outside vpnclient-wins-override interface inside
dhcpd enable inside
!
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp authenticate
ntp server нтп.сервер source outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy SSLVPN_ASA internal
group-policy SSLVPN_ASA attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 webvpn
  anyconnect ssl dtls enable
  anyconnect keep-installer installed
  anyconnect ssl keepalive 15
  anyconnect ssl compression deflate
  anyconnect ask enable
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy vpn internal
group-policy vpn attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol ikev1
username юзер.имя password пароль encrypted privilege 15
 group-lock value SSLVPN
tunnel-group IP type ipsec-l2l   (this is another tunnel; it works fine)
tunnel-group IP ipsec-attributes
 ikev1 pre-shared-key ***
tunnel-group 1.1.1.1 type ipsec-l2l   (this is the one that needs to come up)
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key ***
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect http
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
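An added checker, not from the original post or from Cisco, for the two reasons an IKEv1 site-to-site tunnel most often never negotiates: crypto ACLs that are not exact mirror images on the two peers, and a peer address that is not on the subnet of the interface the crypto map is bound to. The sample configs are constructed from the addresses quoted in the post (site-A/site-B, ACLs VPN and c1, crypto map OM); 203.0.113.10 is a placeholder for the redacted a.a.a.a.

```python
import ipaddress
import re

def parse_asa(cfg):
    """Object subnets, ACL object pairs, interface addresses, crypto map entries."""
    asa = {"objects": {}, "acls": {}, "ifaces": {}, "cmap": {}, "cmap_iface": None}
    cur_obj = cur_if = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"(object network|nameif) (\S+)$", line):
            cur_obj, cur_if = (m[2], None) if m[1] != "nameif" else (None, m[2])
        elif (m := re.match(r"subnet (\S+) (\S+)$", line)) and cur_obj:
            asa["objects"][cur_obj] = ipaddress.ip_network(f"{m[1]}/{m[2]}")
        elif (m := re.match(r"ip address (\S+) (\S+)$", line)) and cur_if:
            asa["ifaces"][cur_if] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r"access-list (\S+) extended permit ip object (\S+) object (\S+)$", line):
            asa["acls"].setdefault(m[1], []).append((m[2], m[3]))
        elif m := re.match(r"crypto map \S+ (\d+) (match address|set peer) (\S+)$", line):
            asa["cmap"].setdefault(m[1], {})["acl" if m[2] == "match address" else "peer"] = m[3]
        elif m := re.match(r"crypto map \S+ interface (\S+)$", line):
            asa["cmap_iface"] = m[1]
    return asa

def proxy_ids(asa, seq):
    """Crypto ACL of one crypto map entry, resolved to (src, dst) network pairs."""
    acl = asa["cmap"][seq]["acl"]
    return {(asa["objects"][s], asa["objects"][d]) for s, d in asa["acls"][acl]}

def unmirrored(local, local_seq, remote, remote_seq):
    """Local proxy IDs with no exact (dst, src) twin on the remote: Phase 2 fails for them."""
    return proxy_ids(local, local_seq) - {(d, s) for s, d in proxy_ids(remote, remote_seq)}

def peer_on_link(asa, seq):
    """Is the peer on the subnet of the crypto map's interface? Ignores static routes."""
    peer = ipaddress.ip_address(asa["cmap"][seq]["peer"])
    return peer in asa["ifaces"][asa["cmap_iface"]].network

# Constructed from the post's addresses; a.a.a.a (5510 outside) is the placeholder 203.0.113.10.
ASA5505 = """interface Vlan22
 nameif outside
 ip address 1.1.1.1 255.255.255.0
object network site-A
 subnet 192.168.2.0 255.255.255.0
object network site-B
 subnet 192.168.1.0 255.255.255.0
access-list VPN extended permit ip object site-A object site-B
crypto map OM 1 match address VPN
crypto map OM 1 set peer 192.168.1.1
crypto map OM interface outside"""
ASA5510 = """interface Ethernet0/2
 nameif outside
 ip address 203.0.113.10 255.255.255.255
object network site-A
 subnet 192.168.1.0 255.255.255.0
object network site-B
 subnet 192.168.2.0 255.255.255.0
access-list c1 extended permit ip object site-A object site-B
crypto map OM 2 match address c1
crypto map OM 2 set peer 1.1.1.1
crypto map OM interface outside"""
```

On these samples `unmirrored(parse_asa(ASA5505), "1", parse_asa(ASA5510), "2")` is empty, while `peer_on_link` is False on both boxes: neither peer address lies on the interface its crypto map is bound to, so routing has to be checked before anything in the crypto configuration.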
1 REPLY

Don't get me wrong,

Don't get me wrong, but hardly anyone will want to help you by wading through formatting like this.

Recommended reading:

http://www.catb.org/esr/faqs/smart-questions.html

translation:

http://citforum.ru/howto/smart-questions-ru.shtml

I also recommend drawing a diagram of the as-is state and of what you want to end up with.

50% of the answer to a question is a properly asked question.

Thank you for your understanding.
