I have two sites connected by a Cisco site-to-site VPN. One site has a Cisco ASA router, the other a Cisco 870 router.
The tunnel is established and active, but I cannot send any traffic across the link...
The ASA configuration is:
ASA Version 8.0(2)
!
hostname ASA
enable password **** encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.10.5 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxxx 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd **** encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
object-group service RDP tcp
 port-object eq 3389
object-group network DM_INLINE_NETWORK_1
 network-object 172.16.20.0 255.255.255.0
 network-object 172.16.200.0 255.255.255.0
access-list 80 extended permit ip 172.16.10.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list 80 extended permit ip 172.16.10.0 255.255.255.0 172.16.20.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.16.10.0 255.255.255.0 172.16.20.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (outside) 1 xxxx-yyyy netmask 255.0.0.0
global (outside) 1 interface
nat (inside) 0 access-list 80
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 zzzz 1
route outside 172.16.20.0 255.255.255.0 aaaa 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer aaaa
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 8
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime none
crypto isakmp policy 30
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
no crypto isakmp nat-traversal
telnet 172.16.10.0 255.255.255.0 inside
telnet timeout 5
ssh 172.16.10.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
tunnel-group aaaa type ipsec-l2l
tunnel-group aaaa ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:f9c4dfffca26f9975d64ad42a3a71452
: end
asdm image disk0:/asdm-611.bin
no asdm history enable
The 870 configuration is:
Current configuration : 3749 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 ****
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
dot11 syslog
ip cef
!
!
!
!
!
username Administrator view root secret 5 ****
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 authentication pre-share
crypto isakmp key * address xxxx
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ASA esp-des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel tox.xxx
 set peer xxxx
 set transform-set ASA
 match address 102
!
archive
 log config
  hidekeys
!
!
controller DSL 0
 line-term cpe
!
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet0
!
interface FastEthernet1
 switchport access vlan 2
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 172.16.20.6 255.255.255.0
!
interface Vlan2
 ip address aaaa 255.255.192.0
 crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 bbbb
!
no ip http server
ip http secure-server
!
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 172.16.20.0 0.0.0.255 172.16.10.0 0.0.0.255
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 transport input ssh
 transport output ssh
!
scheduler max-task-time 5000
end
where aaaa is the external IP address of the 870 router and xxxx is the external IP address of the ASA router. Some parts have been omitted and the passwords blanked out.
Pinging from any host in either network to any host in the other network does not work. RDP sessions, SSH sessions... (so it is not just ICMP)
Remove the following from your ASA:
route outside 172.16.20.0 255.255.255.0 aaaa 1
With this route statement in place, the ASA will not be able to send or return traffic through the tunnel.
Also, your "protected/interesting" traffic is defined in the following ACL, which is referenced in the crypto map.
access-list outside_1_cryptomap extended permit ip 172.16.10.0 255.255.255.0 172.16.20.0 255.255.255.0
Your NAT exemption/identity NAT is interesting when you compare it with the crypto map match ACL above.
object-group network DM_INLINE_NETWORK_1
 network-object 172.16.20.0 255.255.255.0
 network-object 172.16.200.0 255.255.255.0
access-list 80 extended permit ip 172.16.10.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list 80 extended permit ip 172.16.10.0 255.255.255.0 172.16.20.0 255.255.255.0
nat (inside) 0 access-list 80
You have a redundant match in your access-list 80. Once the object-group is expanded, line 1 of the ACL will match line 2 of the ACL. Redundant and should probably be fixed, but it is not likely the cause of any issue here.
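The three things the answer checks by eye (that the crypto-map ACLs on the two peers are mirror images, that no static route points at the remote protected subnet, and that the NAT-exemption ACL has no redundant entries once object-groups are expanded) can be scripted. The following is an added example, not code from the question or the answer; it reproduces only the relevant lines of the two configs as constructed excerpts, and the placeholders aaaa, xxxx and zzzz are the post's own stand-ins for real addresses. It goes slightly beyond the post in that it expands `any`, `host` and `object-group` operands and reads IOS wildcard masks and ASA netmasks through the same path.

```python
"""Consistency checks for an ASA <-> IOS site-to-site IPsec configuration.

Added example. Mirrors what the answer inspects by hand: crypto-ACL symmetry,
static routes toward protected subnets, and redundant NAT-exempt ACL entries.
"""
import ipaddress
import re

# Constructed excerpts of the two configs from the question. "aaaa", "xxxx"
# and "zzzz" are the post's own placeholders for addresses and are left as-is.
ASA_CONFIG = """\
object-group network DM_INLINE_NETWORK_1
 network-object 172.16.20.0 255.255.255.0
 network-object 172.16.200.0 255.255.255.0
access-list 80 extended permit ip 172.16.10.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list 80 extended permit ip 172.16.10.0 255.255.255.0 172.16.20.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.16.10.0 255.255.255.0 172.16.20.0 255.255.255.0
nat (inside) 0 access-list 80
route outside 0.0.0.0 0.0.0.0 zzzz 1
route outside 172.16.20.0 255.255.255.0 aaaa 1
"""

IOS_CONFIG = """\
access-list 102 remark IPSec Rule
access-list 102 permit ip 172.16.20.0 0.0.0.255 172.16.10.0 0.0.0.255
"""


def _net(addr, mask):
    # ipaddress accepts "a.b.c.d/255.255.255.0" (ASA netmask) and
    # "a.b.c.d/0.0.0.255" (IOS wildcard, i.e. a hostmask) alike.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_object_groups(cfg):
    """Map ASA network object-group names to the networks they contain."""
    groups, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), [])
        elif current is not None and (m := re.match(r"\s+network-object (\S+) (\S+)", line)):
            current.append(_net(*m.groups()))
        elif not line.startswith(" "):
            current = None  # any other top-level command ends the group body
    return groups


def _operand(tokens, groups):
    """Consume one address operand: any | host A | object-group G | A MASK."""
    if tokens[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tokens[1:]
    if tokens[0] == "host":
        return [_net(tokens[1], "255.255.255.255")], tokens[2:]
    if tokens[0] == "object-group":
        return list(groups[tokens[1]]), tokens[2:]
    return [_net(tokens[0], tokens[1])], tokens[2:]


def _acl(cfg, pattern, groups):
    pairs = []
    for line in cfg.splitlines():
        m = re.match(pattern, line)
        if m:
            srcs, rest = _operand(m.group(1).split(), groups)
            dsts, _ = _operand(rest, groups)
            pairs.extend((s, d) for s in srcs for d in dsts)  # group expansion
    return pairs


def asa_acl(cfg, name):
    """(src, dst) network pairs of an ASA extended ACL, object-groups expanded."""
    return _acl(cfg, rf"access-list {re.escape(name)} extended permit ip (.+)",
                parse_object_groups(cfg))


def ios_acl(cfg, number):
    """(src, dst) network pairs of an IOS numbered extended ACL (wildcards)."""
    return _acl(cfg, rf"access-list {number} permit ip (.+)", {})


def unmirrored(local_pairs, remote_pairs):
    """Crypto ACLs must be exact mirrors; return local entries the peer lacks."""
    mirrored = {(d, s) for s, d in remote_pairs}
    return [p for p in local_pairs if p not in mirrored]


def redundant_entries(pairs):
    """Indices of entries already fully covered by an earlier entry."""
    return [i for i, (s, d) in enumerate(pairs)
            if any(s.subnet_of(ps) and d.subnet_of(pd) for ps, pd in pairs[:i])]


def routes_toward_protected(cfg, crypto_pairs):
    """Non-default static routes whose destination overlaps a crypto-ACL dst."""
    hits = []
    for line in cfg.splitlines():
        m = re.match(r"route \S+ (\S+) (\S+) \S+", line)
        if m:
            net = _net(*m.groups())
            if net.prefixlen and any(net.overlaps(d) for _, d in crypto_pairs):
                hits.append(line)
    return hits


if __name__ == "__main__":
    crypto = asa_acl(ASA_CONFIG, "outside_1_cryptomap")
    print("unmirrored crypto entries:", unmirrored(crypto, ios_acl(IOS_CONFIG, "102")))
    print("redundant ACL 80 entries:", redundant_entries(asa_acl(ASA_CONFIG, "80")))
    print("routes toward protected subnets:", routes_toward_protected(ASA_CONFIG, crypto))
```

Run against the excerpts, the crypto ACLs come back as exact mirrors, entry index 2 of ACL 80 is reported as redundant (it duplicates the 172.16.20.0/24 pair that the object-group already produces), and the 172.16.20.0/24 static route is the only route flagged, which is what the answer concluded.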