
ASA5505 routing to the wrong tunnel

Good afternoon,

I have an ASA5505 configured with 3 site-to-site VPNs, all with NAT.

When I try to reach one of the remote networks, NAT translates to the address of another tunnel.

Below is the tracer for the connection I am trying to establish; the expected translated address would be 192.168.247.135, but 172.26.5.57 appears, which belongs to another tunnel whose remote network is different from this target.

ciscoasa# packet-tracer input inside tcp 192.168.210.18 www 201.77.89.11 www ?

detailed Dump more detailed information
xml Output in xml format
<cr>
ciscoasa# $tcp 192.168.210.18 www 201.77.89.11 www deta
ciscoasa# packet-tracer input inside tcp 192.168.210.18 www 201.77.89.11 www d$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc0d2d30, priority=1, domain=permit, deny=false
hits=3158824, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group global_access global
access-list global_access extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc1da4b8, priority=12, domain=permit, deny=false
hits=12051, user_data=0xca10b850, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=any, output_ifc=any

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network Services-rede-interna-NAT-Marisa
nat (inside,outside) static IP-Saida-Marisa
Additional Information:
Static translate 192.168.210.18/80 to 172.26.5.57/80
Forward Flow based lookup yields rule:
in id=0xcc84ddc0, priority=6, domain=nat, deny=false
hits=16762, user_data=0xcc84d6d8, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.0.0, mask=255.255.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=inside, output_ifc=outside

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcba1e478, priority=0, domain=nat-per-session, deny=false
hits=36089, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc0d85d0, priority=0, domain=inspect-ip-options, deny=true
hits=275155, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xcba1e478, priority=0, domain=nat-per-session, deny=false
hits=36091, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=any, output_ifc=any

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xcc102320, priority=0, domain=inspect-ip-options, deny=true
hits=76339, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 336620, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

ciscoasa# sh run
: Saved
:
ASA Version 9.0(1)
!
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.247.10 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 187.5.36.182 255.255.255.248
!
ftp mode passive
clock timezone GMT 0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Call-flex-server-103
host 192.168.133.103
description Servidor call-flex-acesso liberatti
object network Liberatti-servidor-41
host 10.3.1.41
description Servidor site Liberatti
object network Liberatti-Network-10.3.1
subnet 10.3.1.0 255.255.255.0
description Rede Interna Liberatti
object network Services-VOIP-Network-133
subnet 192.168.133.0 255.255.255.0
description Acesso a rede Voip services
object network host-192.168.210.254
host 192.168.210.254
description a identificar
object network services-rede-interna-NAT-Sicredi
subnet 192.168.0.0 255.255.0.0
description Habilita NAT em toda a rede para acesso Sicredi
object network Services-NAT-247.110:3304=>133.103
host 192.168.247.110
description IP criado no NAT para acesso a SQL no servidor call-flex
object service SQL-calflex
service tcp source eq 3306 destination eq 3306
description SQL
object network call-flex-server-103-nat-liberatti
host 192.168.133.103
description nat reverso da liberatti para call-flex porta 3306
object network ip-247.110
host 192.168.247.110
description Usado para nat liberatti porta 3306
object network Call-flex-server-210.250
host 192.168.210.250
description Servidor call-flex na Services
object network ip-247.111
host 192.168.247.111
description Usado para nat Sicredi callflex
object network Volpato-Network-172.16.10
subnet 172.16.10.0 255.255.255.0
description Rede Interna Volpato
object network ip-247.120
host 192.168.247.120
description Usado para nat Volpato
object network ip-247.121
host 192.168.247.121
description Usado para nat Volpato
object network services-rede-interna-NAT-V2
subnet 192.168.0.0 255.255.0.0
description Habilita NAT em toda a rede da V2
object network NETWORK_OBJ_192.168.247.0_24
subnet 192.168.247.0 255.255.255.0
object network ip-247.122
host 192.168.247.122
description Criado para NAT rede V2
object network Sicredi-Network
subnet 201.77.89.0 255.255.255.0
description Rede DMZ Sicredi
object network GVT-Network
subnet 172.31.4.64 255.255.255.192
description Rede lado GVT
object network Painel_Callflex_Curitiba-133.112
host 192.168.133.112
description Painel callflex curitiba
object network Sicredi-Nat-Callflex
host 192.168.133.112
description Painel callflex curitiba
object service HTTP-painel-callflex
service tcp source eq www destination eq www
object network V2-network-192.168.230.0-24
subnet 192.168.230.0 255.255.255.0
description Rede interna V2 para VPN
object network V2-Nat-Callflex
host 192.168.133.112
description Servidor call-flex
object network Marisa-rede-interna
subnet 172.26.5.56 255.255.255.252
description Rede Marisa destino da VPN
object network Services-rede-interna-NAT-Marisa
subnet 192.168.0.0 255.255.0.0
description Nat para rede da Marisa
object network Marisa-rede-interna-NAT
subnet 172.16.100.0 255.255.252.0
object network IP-Saida-Marisa
host 172.26.5.57
description IP para traducao no NAT rede Marisa
object network IP-Saida-Nat-V2
host 192.168.247.123
description Ip de entrada para conexao com Callflex
object network IP-Saida-Nat-Sicredi
host 192.168.247.132
description Ip para tradução para acesso a rede sicredi
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object icmp echo
service-object icmp echo-reply
service-object icmp time-exceeded
service-object icmp traceroute
object-group network DM_INLINE_NETWORK_1
network-object object Marisa-rede-interna
network-object object Services-rede-interna-NAT-Marisa
object-group icmp-type DM_INLINE_ICMP_1
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object traceroute
object-group icmp-type DM_INLINE_ICMP_2
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object traceroute
object-group network DM_INLINE_NETWORK_2
network-object object services-rede-interna-NAT-Sicredi
network-object object Sicredi-Nat-Callflex
object-group network services-rede-interna-NAT-GVT
description services-rede-interna-NAT-GVT
network-object 192.168.247.0 255.255.255.0
access-list global_access extended permit ip any any
access-list global_access extended permit object-group DM_INLINE_SERVICE_1 any4 any4
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_2
access-list inside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list global_mpc extended permit ip any any
access-list outside_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_2 object Sicredi-Network
access-list outside_cryptomap_3 extended permit ip object-group services-rede-interna-NAT-GVT object GVT-Network
access-list outside_cryptomap_4 extended permit ip object services-rede-interna-NAT-V2 object V2-network-192.168.230.0-24
access-list outside_cryptomap_5 extended deny ip any object Sicredi-Network
access-list outside_cryptomap_5 extended permit ip object-group DM_INLINE_NETWORK_1 object Marisa-rede-interna-NAT
!
object network services-rede-interna-NAT-Sicredi
nat (any,any) static 192.168.247.116
object network services-rede-interna-NAT-V2
nat (any,any) static ip-247.122
object network Sicredi-Nat-Callflex
nat (inside,outside) static ip-247.111 service tcp www www
object network V2-Nat-Callflex
nat (inside,outside) static IP-Saida-Nat-V2
object network Services-rede-interna-NAT-Marisa
nat (any,any) static IP-Saida-Marisa
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 187.5.36.177 1
route inside 192.168.0.0 255.255.0.0 192.168.247.2 1

dynamic-access-policy-record DfltAccessPolicy


group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol l2tp-ipsec
group-policy GroupPolicy-libertti internal
group-policy GroupPolicy-libertti attributes
vpn-tunnel-protocol l2tp-ipsec
group-policy GroupPolicy-Sicredi internal
group-policy GroupPolicy-Sicredi attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy3 internal
group-policy GroupPolicy3 attributes
vpn-tunnel-protocol l2tp-ipsec
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy-Marisa internal
group-policy GroupPolicy-Marisa attributes
vpn-tunnel-protocol ikev1
username admin password QSIOJWiwliLl6lXN encrypted
tunnel-group 200.102.9.75 type ipsec-l2l
tunnel-group 200.102.9.75 general-attributes
default-group-policy GroupPolicy-libertti
tunnel-group 200.102.9.75 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 201.77.95.50 type ipsec-l2l
tunnel-group 201.77.95.50 general-attributes
default-group-policy GroupPolicy-Sicredi
tunnel-group 201.77.95.50 ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive disable
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group GVT-VPN type ipsec-l2l
tunnel-group GVT-VPN general-attributes
default-group-policy GroupPolicy3
tunnel-group GVT-VPN ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 179.191.77.50 type ipsec-l2l
tunnel-group 179.191.77.50 general-attributes
default-group-policy GroupPolicy2
tunnel-group 179.191.77.50 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 177.19.201.138 type ipsec-l2l
tunnel-group 177.19.201.138 general-attributes
default-group-policy GroupPolicy-Marisa
tunnel-group 177.19.201.138 ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive disable
no tunnel-group-map enable ou
no tunnel-group-map enable ike-id
!
class-map inspection_default
match access-list global_mpc
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:9f1bdbcfcffc76c380fd8924fd749e9b
: end


ciscoasa# sh ver

Cisco Adaptive Security Appliance Software Version 9.0(1)
Device Manager Version 7.2(2)

Compiled on Fri 26-Oct-12 16:36 by builders
System image file is "disk0:/asa901-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 1 day 22 hours

Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz,
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.08
Number of accelerators: 1

0: Int: Internal-Data0/0 : address is f872.ea53.2cee, irq 11
1: Ext: Ethernet0/0 : address is f872.ea53.2ce6, irq 255
2: Ext: Ethernet0/1 : address is f872.ea53.2ce7, irq 255
3: Ext: Ethernet0/2 : address is f872.ea53.2ce8, irq 255
4: Ext: Ethernet0/3 : address is f872.ea53.2ce9, irq 255
5: Ext: Ethernet0/4 : address is f872.ea53.2cea, irq 255
6: Ext: Ethernet0/5 : address is f872.ea53.2ceb, irq 255
7: Ext: Ethernet0/6 : address is f872.ea53.2cec, irq 255
8: Ext: Ethernet0/7 : address is f872.ea53.2ced, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255

Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 20 DMZ Unrestricted
Dual ISPs : Enabled perpetual
VLAN Trunk Ports : 8 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Standby perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 25 perpetual
Total VPN Peers : 25 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual

This platform has an ASA 5505 Security Plus license.

Serial Number: JMX1724405N
Running Permanent Activation Key: 0xbf10da5c 0x9c042b12 0x0471b530 0xa7ac4cd4 0x89033da8
Configuration register is 0x1
Configuration last modified by admin at 14:25:29.736 GMT Fri Jan 20 2017
ciscoasa#
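Added example, not part of the post or of Cisco's code: a small Python model of why a destination-agnostic object NAT rule captures this flow. It assumes the ASA evaluates section 1 (manual/twice NAT, which can match on destination) before section 2 (object NAT), and that section 2 static rules with the same real prefix are ordered by object name in ASCII order; the packet-tracer output in the post, which picks `Services-rede-interna-NAT-Marisa` for a packet bound for 201.77.89.11, is consistent with that. The `nat-to-*` rules, their names and the mapped address 192.168.247.132 (the page's unused `IP-Saida-Nat-Sicredi`) are constructed assumptions.

```python
import ipaddress

# Constructed model of how the ASA picks a NAT rule (assumption, not the page's code):
# section 1 (manual/twice NAT, which can match on destination) is checked in config
# order before section 2 (object NAT). Section 2 static rules are assumed to be
# ordered by real prefix size, then real address, then object name in ASCII order.

def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

# Section 2 rules taken from the page's running config: three objects, all covering
# 192.168.0.0/16, none of them aware of the destination.
OBJECT_NAT = {
    "Services-rede-interna-NAT-Marisa": ("192.168.0.0/16", "172.26.5.57"),     # IP-Saida-Marisa
    "services-rede-interna-NAT-Sicredi": ("192.168.0.0/16", "192.168.247.116"),
    "services-rede-interna-NAT-V2": ("192.168.0.0/16", "192.168.247.122"),     # ip-247.122
}

# Section 1 rules as twice NAT could express them (constructed; names are hypothetical):
# real source, real destination (taken from the page's crypto ACLs), mapped source.
MANUAL_NAT = [
    ("nat-to-Sicredi", "192.168.0.0/16", "201.77.89.0/24", "192.168.247.132"),  # Sicredi-Network
    ("nat-to-Marisa", "192.168.0.0/16", "172.16.100.0/22", "172.26.5.57"),      # Marisa-rede-interna-NAT
    ("nat-to-V2", "192.168.0.0/16", "192.168.230.0/24", "192.168.247.122"),     # V2-network-192.168.230.0-24
]

def object_nat_order(rules):
    """Order section 2 static rules: fewest real addresses, lowest real address, then name."""
    return sorted(rules.items(), key=lambda kv: (_net(kv[1][0]).num_addresses,
                                                 int(_net(kv[1][0]).network_address), kv[0]))

def lookup(src, dst, manual, object_nat):
    """Return (section, rule name, mapped source) chosen for a forward flow src -> dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, real_src, real_dst, mapped in manual:                # section 1, config order
        if s in _net(real_src) and d in _net(real_dst):
            return ("manual", name, mapped)
    for name, (real_src, mapped) in object_nat_order(object_nat):  # section 2
        if s in _net(real_src):                                    # destination never consulted
            return ("object", name, mapped)
    return ("none", None, src)

if __name__ == "__main__":
    flow = ("192.168.210.18", "201.77.89.11")   # the packet-tracer flow from the post
    print("object NAT only:", lookup(*flow, [], OBJECT_NAT))
    print("with twice NAT :", lookup(*flow, MANUAL_NAT, OBJECT_NAT))
```

With only the page's object NAT rules, every host in 192.168.0.0/16 gets the same mapped address regardless of which tunnel it is heading for; the destination-scoped rules separate the three tunnels.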

1 REPLY

Hello, good afternoon.

Did you send the whole configuration?

I could not find the crypto map configuration...

Regards.
