New Member

IP-sec site-to-site problem ASA ver 9.1 vs IOS

Hi all,

I'm trying to set up a site-to-site VPN between an ASA and an IOS router.

The networks are:

172.25.0.0 (inside of the ASA), A.A.A.A (outside of the ASA) needs to connect to the IOS router at address B.B.B.B with inside network 192.168.1.0.

Below are the configs:

ASA:

ASA-5505# sh run
: Saved
:
ASA Version 9.0(1)
!
hostname ASA-5505
domain-name 1.kz
names
ip local pool vpn_pool_ASA-5505 192.168.172.2-192.168.172.100 mask 255.255.255.0
ip local pool SAME_NET_ALA 172.25.66.200-172.25.66.210 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
 speed 10
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.25.66.15 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address A.A.A.A 255.255.255.252
!
ftp mode passive
clock timezone ALMST 6
clock summer-time ALMDT recurring last Sun Mar 0:00 last Sun Oct 0:00
dns server-group DefaultDNS
 domain-name 1.kz
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_172.25.66.0_24
 subnet 172.25.66.0 255.255.255.0
object network NETWORK_OBJ_192.168.172.0_25
 subnet 192.168.172.0 255.255.255.128
object network NETWORK_OBJ_172.25.66.192_27
 subnet 172.25.66.192 255.255.255.224
object network ALA_office
 subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_172.25.0.0_16
 subnet 172.25.0.0 255.255.0.0
access-list SAME_NET_ALA_splitTunnelAcl standard permit 172.25.66.0 255.255.255.0
access-list SAME_NET_ALA_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list SAME_NET_ALA_splitTunnelAcl standard permit 172.0.0.0 255.0.0.0
access-list VPN-OUT-INS extended permit ip 192.168.172.0 255.255.255.0 any log
access-list VPN-IN-INS extended permit ip any any log
access-list VPN-OUT-OUT extended permit ip any 192.168.172.0 255.255.255.0 log
access-list VPN-OUT-ALL standard permit any4
access-list net172 standard permit 172.25.0.0 255.255.0.0
access-list net10 standard permit 10.0.0.0 255.0.0.0
access-list outside_cryptomap extended permit ip object NETWORK_OBJ_172.25.66.0_24 object ALA_office
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_172.25.66.0_24 NETWORK_OBJ_172.25.66.0_24 destination static NETWORK_OBJ_192.168.172.0_25 NETWORK_OBJ_192.168.172.0_25 no-proxy-arp route-lookup
nat (inside,outside) source static obj_any obj_any destination static NETWORK_OBJ_172.25.66.192_27 NETWORK_OBJ_172.25.66.192_27 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_172.25.66.0_24 NETWORK_OBJ_172.25.66.0_24 destination static ALA_office ALA_office no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
access-group VPN-IN-INS in interface inside
access-group VPN-IN-INS out interface inside
route outside 0.0.0.0 0.0.0.0 88.204.136.165 1
route inside 10.0.0.0 255.0.0.0 172.25.66.1 2
route inside 172.0.0.0 255.0.0.0 172.25.66.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.25.66.16 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set Alma-set esp-aes esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer B.B.B.B
crypto map outside_map 1 set ikev1 transform-set Alma-set
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 no anyconnect-essentials
group-policy web_access internal
group-policy web_access attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value PRTG
group-policy SAME_NET_ALA internal
group-policy SAME_NET_ALA attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SAME_NET_ALA_splitTunnelAcl
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ikev1
group-policy GroupPolicy_to_ALA internal
tunnel-group SAME_NET_ALA type remote-access
tunnel-group SAME_NET_ALA general-attributes
 address-pool SAME_NET_ALA
 default-group-policy SAME_NET_ALA
tunnel-group SAME_NET_ALA ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group web_access type remote-access
tunnel-group web_access general-attributes
 default-group-policy web_access
tunnel-group B.B.B.B type ipsec-l2l
tunnel-group B.B.B.B general-attributes
 default-group-policy GroupPolicy1
tunnel-group B.B.B.B ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect http
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:932099620805dc22d9e48a5e04314887
: end

 

and the IOS router:


R1921_center#sh run
Building configuration...

Current configuration : 6881 bytes
!
! Last configuration change at 12:22:45 UTC Fri Aug 29 2014 by yerzhan
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1921_center
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
ip cef
!
!
!
!


!
!
!
!
ip domain name yourdomain.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-260502430
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-260502430
 revocation-check none
 rsakeypair TP-self-signed-260502430
!
!
crypto pki certificate chain TP-self-signed-260502430
 certificate self-signed 01
  30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32363035 30323433 30301E17 0D313331 31323630 35343131
  355A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3236 30353032
  34333030 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  C178A16C 26637A32 E2FE6EB2 DE63FC5D 2F4096D2 1A223CAF 52A122A1 F152F0E0
  D2305008 FA312D36 E055D09C 730111B6 487A01D5 629F8DE4 42FF0444 4B3B107A
  F6439BA2 970EFE71 C9127F72 F93603E0 11B3F622 73DB1D7C 1889D57C 88C3B141
  ED39B0EA 377CE1F7 610F9C76 FC9C843F A81AEFFE 07917A4B 2946032B 207160B9
  02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
  23041830 1680146B B9F671FA BDD822DF 76802EEA 161D18D6 9B8C4030 1D060355
  1D0E0416 04146BB9 F671FABD D822DF76 802EEA16 1D18D69B 8C40300D 06092A86
  4886F70D 01010505 00038181 00B0C56F F1F4F85C 5FE7BF24 27D1DF41 7E9BB9CE
  0447910A 07209827 E780FA0D 3A969CD0 12929830 14AAA496 0D17F684 7F841261
  56365D9C AA15019C ABC74D0A 3CD4E002 F63AA181 B3CC4461 4E56E58D C8237899
  29F48CFA 67C4B84B 95D456C3 F0CF858D 43C758C3 C285FEF1 C002E2C5 DCFB9A8A
  6A1DF7E3 EE675EAF 7A608FB7 88
        quit
license udi pid CISCO1921/K9 sn FCZ1748C14U
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 5
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key PSK-KEY address A.A.A.A
crypto isakmp key 6 PSK-KEY address 0.0.0.0
!
crypto isakmp client configuration group ALA-EMP-VPN
 key *.*.*.*
 dns 8.8.8.8
 domain cisco.com
 pool ippool
 acl 101
 netmask 255.255.255.0
!
!
crypto ipsec transform-set dmvpn_alad esp-3des esp-md5-hmac
 mode transport
crypto ipsec transform-set myset esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec transform-set TRIPSECMAX esp-3des esp-md5-hmac
 mode transport
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile MAXPROFILE
 set transform-set TRIPSECMAX
!
!
crypto ipsec profile dmvpn_profile
 set transform-set dmvpn_alad
!
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 20 ipsec-isakmp
 set peer A.A.A.A
 set transform-set AES-SHA
 match address VPN_ASA_PAV
!
!
!
!
!
interface Loopback1
 ip address 10.10.10.10 255.255.255.255
!

interface Tunnel2
 ip address 192.168.101.1 255.255.255.240
 no ip redirects
 ip nhrp authentication NHRPMAX
 ip nhrp map multicast dynamic
 ip nhrp network-id 4679
 ip ospf network broadcast
 ip ospf hello-interval 30
 ip ospf priority 10
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 4679
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description to_LAN
 ip address 192.168.1.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description to_ISP
 ip address B.B.B.B 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map clientmap
!
router ospf 100
 auto-cost reference-bandwidth 1000
 area 0 authentication message-digest
 area 192.168.1.0 authentication message-digest
 redistribute static subnets
 passive-interface default
 no passive-interface Tunnel1
 network 10.10.10.10 0.0.0.0 area 192.168.1.0
 network 192.168.1.0 0.0.0.255 area 192.168.1.0
 network 192.168.222.0 0.0.0.15 area 0
!
router ospf 1
 router-id 1.1.1.1
 redistribute static subnets
 passive-interface default
 no passive-interface Tunnel2
 network 10.10.10.10 0.0.0.0 area 192.168.1.0
 network 192.168.1.0 0.0.0.255 area 192.168.1.0
 network 192.168.101.0 0.0.0.15 area 0
!
ip local pool ippool 192.168.33.1 192.168.33.20
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 111 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.1.11 22 B.B.B.B 8022 extendable
ip route 0.0.0.0 0.0.0.0 B.B.B.C
!
ip access-list extended ACL-NAT
 deny   ip 192.168.1.0 0.0.0.255 172.25.0.0 0.0.255.255
 permit ip any any
ip access-list extended ACL-VPN
 permit ip 192.168.1.0 0.0.0.255 172.25.0.0 0.0.255.255
ip access-list extended VPN_ASA_PAV
 permit ip 192.168.1.0 0.0.0.255 172.25.66.0 0.0.0.255
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.33.0 0.0.0.255
access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.33.0 0.0.0.255
access-list 111 permit ip any any
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 transport input telnet ssh
line vty 5 15
 exec-timeout 0 0
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

1 ACCEPTED SOLUTION

Accepted Solutions

I reproduced your configuration and removed the following on the router:

crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond

Your ACL 111 should look like this:

Extended IP access list 111
    10 deny ip 192.168.1.0 0.0.0.255 192.168.33.0 0.0.0.255
    15 deny ip 192.168.1.0 0.0.0.255 172.25.66.0 0.0.0.255
    20 permit ip any any

Everything came up right away.

To get remote access to the router working as well, the configuration needs a small rework:

crypto isakmp profile CLIENT_AUTH
   match identity address 0.0.0.0
   client authentication list userauthen
   isakmp authorization list groupauthor
   client configuration address respond

crypto dynamic-map dynmap 10
 set transform-set myset
 set isakmp-profile CLIENT_AUTH
 reverse-route

But I may be wrong here; I haven't tested it.

Please don't forget to mark the correct answer if the post helped you.

9 REPLIES

Please let me know if you need my reply translated to English.

I skimmed the configuration and saw that here:

access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.33.0 0.0.0.255
access-list 111 permit ip any any

you need to add

access-list 111 deny   ip 192.168.1.0 0.0.0.255 172.25.66.0 0.0.0.255

If that doesn't fix the problem, we need to look at the following on both sides:

sh crypto isakmp sa

sh crypto ipsec sa

show crypto map

and then, depending on what we see there, turn on debug crypto isakmp and debug crypto ipsec.

New Member

Thanks for the reply.

I added

!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.33.0 0.0.0.255
access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.33.0 0.0.0.255
access-list 111 deny   ip 192.168.1.0 0.0.0.255 172.25.66.0 0.0.0.255
access-list 111 permit ip any any

but it didn't help;

below is the command output:

IOS:

R1921_center#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA

R1921_center#sh crypto ipsec sa

interface: GigabitEthernet0/1
    Crypto map tag: clientmap, local addr B.B.B.B

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.25.66.0/255.255.255.0/0/0)
   current_peer A.A.A.A port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: B.B.B.B, remote crypto endpt.: A.A.A.A
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
R1921_center#

 

R1921_center#show crypto map
        Interfaces using crypto map VPN-TUNNEL:

Crypto Map IPv4 "clientmap" 20 ipsec-isakmp
        Peer = A.A.A.A
        Extended IP access list VPN_ASA_PAV
            access-list VPN_ASA_PAV permit ip 192.168.1.0 0.0.0.255 172.25.66.0 0.0.0.255
        Current peer: A.A.A.A
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                AES-SHA:  { esp-aes esp-sha-hmac  } ,
        }
        Interfaces using crypto map clientmap:
                GigabitEthernet0/1

ASA:

aladiah# sh crypto isakmp sa

IKEv1 SAs:

   Active SA: 5
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 5

1   IKE Peer: 217.XX.76.XX
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
2   IKE Peer: 217.XX.76.XX
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
3   IKE Peer: XX.30.219.XX
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
4   IKE Peer: 37.XX.164.XX
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
5   IKE Peer: XX.150.164.XX
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE

Your router isn't even trying to bring up ISAKMP.

Run ping 172.25.66.1 source 192.168.1.253 from the router.

Then, on it again, show crypto isakmp sa. You should see the QM_IDLE state. Same on the ASA side.

If not, we'll turn on debug crypto isakmp and look further.

New Member

R1921_center#ping 172.25.66


R1921_center#ping 172.25.66.16 sou
R1921_center#ping 172.25.66.16 source 192.168.1.253
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.25.66.16, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.253
.....
Success rate is 0 percent (0/5)
R1921_center#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
A.A.A.A  B.B.B.B   CONF_XAUTH        1010 ACTIVE

IPv6 Crypto ISAKMP SA

R1921_center#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA


ASA:

ASA# ping 192.168.1.253
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.253, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ASA# show crypto isakmp sa

IKEv1 SAs:

   Active SA: 5
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 5

1   IKE Peer: X.X.X.48
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
2   IKE Peer: X.X.X.48
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
3   IKE Peer: X.X.164.28
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
4   IKE Peer: X.X.164.28
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
5   IKE Peer: XX.X.219.99
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE

 

Here is what I got.

You should not have an XAUTH phase.

Why do you have this on the router:

crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond

crypto isakmp client configuration group ALA-EMP-VPN
 key *.*.*.*
 dns 8.8.8.8
 domain cisco.com
 pool ippool
 acl 101
 netmask 255.255.255.0
!

This needs to be removed, and a key added that matches the one on the ASA:

tunnel-group B.B.B.B ipsec-attributes
 ikev1 pre-shared-key *****

crypto isakmp key ***** address A.A.A.A
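The two answers above turn on reading the IOS-side command output: an empty `show crypto isakmp sa` table means the router never started phase 1, a CONF_XAUTH state means the crypto map is pushing the site-to-site peer through XAUTH, and QM_IDLE with zero `#pkts encaps`/`#pkts decaps` in `show crypto ipsec sa` points at phase 2. The following Python helper is an added example, not part of the thread and not Cisco tooling; it parses those two outputs and returns the matching hint. The sample outputs are constructed from the ones pasted in this thread, with the thread's A.A.A.A/B.B.B.B placeholders, and the hint for states other than the two discussed here is a generic one.

```python
"""Added triage helper (example code, not from the thread, not Cisco tooling) for the IOS
'show crypto isakmp sa' and 'show crypto ipsec sa' outputs pasted in this thread."""
import re
from typing import Dict, List, Tuple


def parse_isakmp_sa(text: str) -> List[Dict[str, str]]:
    """Rows of the IPv4 table as dicts (dst, src, state, conn_id, status); header lines are skipped
    because the state column must be an upper-case ISAKMP state name and conn-id must be numeric."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)\s+(\S+)\s*$", line)
        if m:
            rows.append(dict(zip(("dst", "src", "state", "conn_id", "status"), m.groups())))
    return rows


def parse_ipsec_counters(text: str) -> Dict[str, int]:
    """#pkts encaps/decaps and the current outbound SPI from 'show crypto ipsec sa' (0 if absent)."""
    def grab(pattern: str, base: int = 10) -> int:
        m = re.search(pattern, text)
        return int(m.group(1), base) if m else 0
    return {
        "encaps": grab(r"#pkts encaps: (\d+)"),
        "decaps": grab(r"#pkts decaps: (\d+)"),
        "spi": grab(r"current outbound spi: (0x[0-9A-Fa-f]+)", 16),
    }


def triage(peer: str, isakmp_text: str, ipsec_text: str) -> Tuple[str, str]:
    """Return (code, hint). Codes: no-sa, xauth, other, phase2, one-way, ok."""
    rows = [r for r in parse_isakmp_sa(isakmp_text) if peer in (r["dst"], r["src"])]
    if not rows:
        return "no-sa", ("no ISAKMP SA with the peer: the router never started phase 1; send interesting "
                         "traffic (ping sourced from the LAN interface) and check the crypto ACL and NAT ACL order")
    state = rows[-1]["state"]
    if state == "CONF_XAUTH":
        return "xauth", "peer is in XAUTH: remove 'client authentication list' from the site-to-site crypto map"
    if state != "QM_IDLE":
        return "other", f"phase 1 state {state}: enable 'debug crypto isakmp' and compare policies and pre-shared keys"
    c = parse_ipsec_counters(ipsec_text)
    if c["encaps"] == 0 and c["decaps"] == 0:
        return "phase2", "phase 1 is up but no packets are encrypted: compare crypto ACLs, transform sets and NAT exemption"
    if c["decaps"] == 0:
        return "one-way", "encrypting but nothing comes back: check the far side's crypto ACL, NAT exemption and routing"
    return "ok", f"tunnel passing traffic (encaps={c['encaps']}, decaps={c['decaps']}, spi={c['spi']:#x})"


# Constructed samples, modelled on the outputs pasted above.
ISAKMP_XAUTH = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
A.A.A.A  B.B.B.B   CONF_XAUTH        1010 ACTIVE

IPv6 Crypto ISAKMP SA
"""
ISAKMP_EMPTY = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA
"""
ISAKMP_UP = ISAKMP_XAUTH.replace("CONF_XAUTH", "QM_IDLE")
IPSEC_IDLE = """\
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     current outbound spi: 0x0(0)
"""
IPSEC_BUSY = """\
    #pkts encaps: 42, #pkts encrypt: 42, #pkts digest: 42
    #pkts decaps: 40, #pkts decrypt: 40, #pkts verify: 40
     current outbound spi: 0x1A2B3C4D(439041101)
"""

if __name__ == "__main__":
    for isakmp, ipsec in ((ISAKMP_EMPTY, IPSEC_IDLE), (ISAKMP_XAUTH, IPSEC_IDLE),
                          (ISAKMP_UP, IPSEC_IDLE), (ISAKMP_UP, IPSEC_BUSY)):
        print(triage("A.A.A.A", isakmp, ipsec))
```

Run against the thread's own pastes the function returns `no-sa` for the first output (the "isn't even trying to bring up ISAKMP" diagnosis) and `xauth` for the second, which is the state the later answer explains.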
New Member

crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond

crypto isakmp client configuration group ALA-EMP-VPN
 key *.*.*.*
 dns 8.8.8.8
 domain cisco.com
 pool ippool
 acl 101
 netmask 255.255.255.0

This is for IPsec VPN client connections to the router.
I removed it; the status is still the same.


New Member

Евгений, thanks, everything is working now!

Sorry for the late reply; I was ill and had no time for the VPN.

Now another problem.

I'm trying to add a second network for access, and it isn't working.

The 172.25.66.0 network works, the 172.16.22.0 network does not.

Configs below:

IOS:

object-group network 2-nd_srv
 host 172.16.22.90

ip route 0.0.0.0 0.0.0.0 A.A.A.A
ip route 10.20.1.0 255.255.255.0 10.20.1.254
ip route 172.16.22.0 255.255.255.0 172.16.22.89
!
ip access-list extended ACL-NAT
 deny   ip 192.168.1.0 0.0.0.255 172.25.0.0 0.0.255.255
 permit ip any any
ip access-list extended ACL-VPN
 permit ip 192.168.1.0 0.0.0.255 172.25.0.0 0.0.255.255
 permit ip 192.168.1.0 0.0.0.255 object-group 2-nd_srv
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.33.0 0.0.0.255
access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.33.0 0.0.0.255
access-list 111 deny   ip 192.168.1.0 0.0.0.255 172.25.66.0 0.0.0.255
access-list 111 deny   ip 192.168.1.0 0.0.0.255 172.16.22.0 0.0.0.255
access-list 111 permit ip any any

 

ASA:

object network 2-nd_srv
 host 172.16.22.90

object network ALA_office
 subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_172.25.0.0_16
 subnet 172.25.0.0 255.255.0.0

nat (inside,outside) source static NETWORK_OBJ_172.25.0.0_16 NETWORK_OBJ_172.25.0.0_16 destination static ALA_office ALA_office no-proxy-arp route-lookup
nat (inside,outside) source static 2-nd_srv 2-nd_srv destination static ALA_office ALA_office no-proxy-arp route-lookup

access-list outside_cryptomap extended permit ip object NETWORK_OBJ_172.25.0.0_16 object ALA_office
access-list outside_cryptomap extended permit ip object 2-nd_srv object ALA_office


In IOS your two networks are routed in different directions.

IOS:

object-group network 2-nd_srv
 host 172.16.22.90

ip route 0.0.0.0 0.0.0.0 A.A.A.A
ip route 172.16.22.0 255.255.255.0 172.16.22.89

One via the default route and the other the other way.

On the ASA

I would simply add the second network to the existing object group

conf t

no object network 2-nd_srv
 object network NETWORK_OBJ_172.25.0.0_16
  host 172.16.22.90

exi

wr

That way you already have IPsec configured and working for the object group.

Once this host is added there, it will work too.

Routing needs to be done the same way as for the working network.
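Two things in this thread can be checked mechanically rather than by eye: the accepted solution's fix (the IOS NAT ACL 111 needed a deny for the VPN subnet above `permit ip any any`, otherwise PAT rewrites the source before the crypto map is consulted), and the follow-up question, where keeping both sides' crypto ACLs as mirror images matters once a second network is added (the posted IOS config's `crypto map clientmap 20` matches `VPN_ASA_PAV`, so that is the ACL the mirror check has to read, not ACL-VPN). The script below is an added example, not code from the thread or from Cisco. It assumes the object and ACL names from the posted configs, handles only plain `ip` ACEs with `any`, `host` or address/wildcard endpoints (no `object-group`), and the sample configs are constructed, cut down from the ones posted above.

```python
"""Added consistency check (example code, not from the thread or from Cisco) for the IOS <-> ASA
IKEv1 crypto-map tunnel above: parses both crypto ACLs and the IOS NAT ACL, then reports crypto ACL
entries that are not mirrored and VPN flows the IOS NAT ACL would translate before encryption."""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

Net = ipaddress.IPv4Network
Ace = Tuple[str, Net, Net]   # (action, src, dst)
Pair = Tuple[Net, Net]       # (local, remote) as the ASA sees it


def _ios_endpoint(tok: List[str], i: int) -> Tuple[Net, int]:
    """One ACE endpoint: 'any' | 'host A' | 'A WILDCARD' (object-group endpoints are not handled)."""
    if tok[i] == "any":
        return Net("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return Net(tok[i + 1] + "/32"), i + 2
    # Invert the IOS wildcard explicitly so a 0.0.0.0 wildcard becomes /32 rather than /0.
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(tok[i + 1]))
    return Net((tok[i], str(ipaddress.IPv4Address(mask))), strict=False), i + 2


def parse_ios_acls(text: str) -> Dict[str, List[Ace]]:
    """{acl_name: [(action, src, dst), ...]} for named-extended and numbered 'ip' ACEs, in order."""
    acls: Dict[str, List[Ace]] = {}
    current = None
    for line in text.splitlines():
        if line and not line[0].isspace():
            current = None                      # left the indented body of a named ACL
        if m := re.match(r"ip access-list extended (\S+)", line):
            current = m.group(1)
            continue
        if m := re.match(r"access-list (\d+) (permit|deny)\s+ip\s+(.*)", line):
            name, action, rest = m.groups()
        elif current and (m := re.match(r"\s+(permit|deny)\s+ip\s+(.*)", line)):
            name, (action, rest) = current, m.groups()
        else:
            continue
        tok = rest.split()
        src, i = _ios_endpoint(tok, 0)
        dst, _ = _ios_endpoint(tok, i)
        acls.setdefault(name, []).append((action, src, dst))
    return acls


def parse_asa_crypto_acl(text: str, crypto_acl: str) -> Set[Pair]:
    """Crypto ACL entries as (local, remote) networks, resolved through 'object network' definitions."""
    objects: Dict[str, Net] = {}
    pairs: Set[Pair] = set()
    current = None
    for line in text.splitlines():
        if line and not line[0].isspace():
            current = None
        if m := re.match(r"object network (\S+)", line):
            current = m.group(1)
        elif current and (m := re.match(r"\s+subnet (\S+) (\S+)", line)):
            objects[current] = Net((m.group(1), m.group(2)))
        elif current and (m := re.match(r"\s+host (\S+)", line)):
            objects[current] = Net(m.group(1) + "/32")
        elif m := re.match(rf"access-list {re.escape(crypto_acl)} extended permit ip object (\S+) object (\S+)", line):
            pairs.add((objects[m.group(1)], objects[m.group(2)]))
    return pairs


def audit(asa_text: str, ios_text: str, asa_acl: str = "outside_cryptomap",
          ios_acl: str = "VPN_ASA_PAV", ios_nat_acl: str = "111") -> List[str]:
    """Human-readable findings; an empty list means both checks pass."""
    asa_pairs = parse_asa_crypto_acl(asa_text, asa_acl)
    acls = parse_ios_acls(ios_text)
    ios_crypto = [ace for ace in acls.get(ios_acl, []) if ace[0] == "permit"]
    # 1. The crypto ACLs must mirror each other: IOS (src, dst) == ASA (remote, local).
    ios_pairs = {(dst, src) for _, src, dst in ios_crypto}
    findings = [f"IOS {ios_acl} lacks mirror of ASA entry {loc} -> {rem}" for loc, rem in sorted(asa_pairs - ios_pairs, key=str)]
    findings += [f"ASA {asa_acl} lacks mirror of IOS entry {rem} -> {loc}" for loc, rem in sorted(ios_pairs - asa_pairs, key=str)]
    # 2. The first NAT ACE matching a VPN flow must be a deny: with a permit, PAT rewrites the
    #    source before the crypto map is consulted, so the flow never matches the crypto ACL.
    for _, src, dst in ios_crypto:
        for action, nsrc, ndst in acls.get(ios_nat_acl, []):
            if src.subnet_of(nsrc) and dst.subnet_of(ndst):
                if action == "permit":
                    findings.append(f"IOS NAT ACL {ios_nat_acl} translates VPN flow {src} -> {dst}")
                break
    return findings


# Constructed samples, cut down from the configs posted in the thread.
ASA_CONFIG = """\
object network NETWORK_OBJ_172.25.66.0_24
 subnet 172.25.66.0 255.255.255.0
object network ALA_office
 subnet 192.168.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip object NETWORK_OBJ_172.25.66.0_24 object ALA_office
"""
IOS_BEFORE = """\
ip access-list extended VPN_ASA_PAV
 permit ip 192.168.1.0 0.0.0.255 172.25.66.0 0.0.0.255
access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.33.0 0.0.0.255
access-list 111 permit ip any any
"""
# The accepted answer's fix: a deny for the VPN subnet above 'permit ip any any'.
IOS_AFTER = IOS_BEFORE.replace("access-list 111 permit",
    "access-list 111 deny   ip 192.168.1.0 0.0.0.255 172.25.66.0 0.0.0.255\naccess-list 111 permit")
# The follow-up question: a second network added on the ASA side only.
ASA_SECOND = ASA_CONFIG + """\
object network 2-nd_srv
 host 172.16.22.90
access-list outside_cryptomap extended permit ip object 2-nd_srv object ALA_office
"""
```

`audit(ASA_CONFIG, IOS_BEFORE)` reports the NAT finding for 192.168.1.0/24 -> 172.25.66.0/24, `audit(ASA_CONFIG, IOS_AFTER)` is clean, and `audit(ASA_SECOND, IOS_AFTER)` reports that `VPN_ASA_PAV` has no mirror for the new host; the wildcard inversion is done by hand because passing `0.0.0.0` straight to `ipaddress` as a mask yields /0, not /32.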
