We have a Cisco 1921 router running IOS 15.1 at one of our branch offices, connected via an L2L IPsec VPN to an ASA5510 running ASA 7.2 at headquarters. The ASA also provides an IPsec remote-access VPN for field-based users with the Cisco VPN Client.

The network looks like this:

```
192.168.14.0/24 - RT - Internet - ASA - 192.168.10.0/24
                  |----L2L VPN----||
                                   |----RA VPN---- 192.168.10.223-192.168.10.242
```

(The remote-access VPN uses addresses from within the 192.168.10.0/24 network.)

The problem is that although RA VPN users can reach 192.168.10.0/24 (and the other connected L2L VPNs), they cannot reach the 192.168.14.0/24 network.

Here are the interesting parts of the ASA configuration:
```
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address EXTERNAL_IP 255.255.255.240
!
interface Ethernet0/3
 nameif inside
 security-level 100
 ip address 192.168.10.252 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list acl_in extended permit ip 192.168.8.0 255.255.248.0 192.168.8.0 255.255.248.0
access-list acl_out extended permit ip 192.168.8.0 255.255.248.0 192.168.8.0 255.255.248.0
access-list acl_nonat-inside extended permit ip 192.168.8.0 255.255.248.0 192.168.8.0 255.255.248.0
access-list vpngrint_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list vpngrint_splitTunnelAcl standard permit 192.168.14.0 255.255.255.0
access-list acl_vpn-berlin extended permit ip 192.168.14.0 255.255.255.0 192.168.8.0 255.255.248.0
access-list acl_vpn-berlin extended permit ip 192.168.8.0 255.255.248.0 192.168.14.0 255.255.255.0
ip local pool poolvpnclients 192.168.10.223-192.168.10.242
ip verify reverse-path interface outside
ip verify reverse-path interface web
ip verify reverse-path interface inside
nat-control
global (outside) 1 EXTERNAL_IP
nat (inside) 0 access-list acl_nonat-inside
nat (inside) 1 192.168.10.0 255.255.255.0
access-group acl_out in interface outside
access-group acl_in in interface inside
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 200 match address acl_vpn-berlin
crypto map outside_map 200 set peer IOS_ROUTER_EXTERNAL_IP
crypto map outside_map 200 set transform-set ESP-AES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
group-policy vpngrint internal
group-policy vpngrint attributes
 wins-server value 192.168.10.5
 dns-server value 192.168.10.5
 vpn-simultaneous-logins 2147483647
 vpn-idle-timeout 7200
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpngrint_splitTunnelAcl
 default-domain value domain.local
 split-dns value domain.local domain.com
tunnel-group vpngrint type ipsec-ra
tunnel-group vpngrint general-attributes
 address-pool poolvpnclients
 default-group-policy vpngrint
tunnel-group vpngrint ipsec-attributes
 pre-shared-key SECRET
tunnel-group IOS_ROUTER_EXTERNAL_IP type ipsec-l2l
tunnel-group IOS_ROUTER_EXTERNAL_IP ipsec-attributes
 pre-shared-key SECRET
```
The split-tunnel ACL matches, 192.168.14.0 shows up in the client's routing table, and the outgoing packets can be captured on the client's VPN interface. They also show up in a capture I set up on the ASA, but they never reach the router at the other end of the L2L VPN. The nonat ACL should match, as should the access lists bound to the interfaces and the interesting-traffic definition for the L2L VPN (identical on both sides of the tunnel), so at the moment I can't see where the problem is.
```
asa# sh capture
capture frzberlin type raw-data access-list capture_frzberlin interface outside [Capturing - 280 bytes]
capture frzberlin_inside type raw-data access-list capture_frzberlin interface inside [Capturing - 0 bytes]
asa# sh capture frzberlin

4 packets captured

   1: 17:46:41.563508 192.168.10.239.58452 > 192.168.14.1.22: R 1017791382:1017791382(0) ack 2592136529 win 65535
   2: 17:46:44.853334 192.168.10.239.58455 > 192.168.14.1.22: R 668258002:668258002(0) ack 1048856085 win 65535
   3: 17:46:47.602889 192.168.10.239.58458 > 192.168.14.1.22: R 2479281909:2479281909(0) ack 2603933177 win 65535
   4: 17:47:42.913877 192.168.10.239.58490 > 192.168.14.1.22: R 1494613342:1494613342(0) ack 344737469 win 65535
4 packets shown
```
Any ideas on debugging this would be greatly appreciated.

Edit: adding packet-tracer output:
```
asa# packet-tracer input outside tcp 192.168.10.238 1337 192.168.14.1 22 detailed

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x481b320, priority=12, domain=capture, deny=false
        hits=12333239, user_data=0x49a4ba8, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x3d81c88, priority=1, domain=permit, deny=false
        hits=4437186449, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 5
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.10.238  255.255.255.255 outside

Phase: 6
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl_out in interface outside
access-list acl_out extended permit ip 192.168.8.0 255.255.248.0 192.168.8.0 255.255.248.0
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x401f738, priority=12, domain=permit, deny=false
        hits=9263075, user_data=0x401f6f8, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.8.0, mask=255.255.248.0, port=0
        dst ip=192.168.8.0, mask=255.255.248.0, port=0, dscp=0x0

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x3d84930, priority=0, domain=permit-ip-option, deny=true
        hits=115197791, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x4e53c10, priority=79, domain=punt, deny=true
        hits=8524, user_data=0x3a2e750, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.10.238, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x3e43da8, priority=69, domain=ipsec-tunnel-flow, deny=false
        hits=396, user_data=0x265722ac, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=192.168.10.238, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x4a2f450, priority=70, domain=encrypt, deny=false
        hits=1499, user_data=0x252bccdc, cs_id=0x4729788, reverse, flags=0x0, protocol=0
        src ip=192.168.8.0, mask=255.255.248.0, port=0
        dst ip=192.168.14.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 11
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0x490a410, priority=69, domain=ipsec-tunnel-flow, deny=false
        hits=1547, user_data=0x252c08dc, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=192.168.14.0, mask=255.255.255.0, port=0
        dst ip=192.168.8.0, mask=255.255.248.0, port=0, dscp=0x0

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0x3d84930, priority=0, domain=permit-ip-option, deny=true
        hits=115197792, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 13
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0x402da30, priority=70, domain=encrypt, deny=false
        hits=0, user_data=0x266af5ac, cs_id=0x4729788, reverse, flags=0x0, protocol=0
        src ip=192.168.14.0, mask=255.255.255.0, port=0
        dst ip=192.168.8.0, mask=255.255.248.0, port=0, dscp=0x0

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (ipsec-spoof) IPSEC Spoof detected
```
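The question reasons about which of the ASA access lists the RA-client flow should hit, and then reads the packet-tracer verdict by eye. The script below is an added example, not part of the question or any Cisco tool: it evaluates the access lists quoted above (copied into the script as a constructed string) against a source/destination pair with the ASA's first-match semantics, and it reduces a packet-tracer transcript to its phase list plus the final `Action` and `Drop-reason`. The regexes only understand the two forms that appear in the question, `extended permit ip SRC MASK DST MASK` and `standard permit NET MASK`; that restriction, and the trimmed packet-tracer sample embedded for the demo, are assumptions of this example.

```python
import ipaddress
import re

# Constructed from the access-list lines in the question; only the
# "extended permit ip" and "standard permit" forms are handled here.
ASA_ACLS = """
access-list acl_in extended permit ip 192.168.8.0 255.255.248.0 192.168.8.0 255.255.248.0
access-list acl_out extended permit ip 192.168.8.0 255.255.248.0 192.168.8.0 255.255.248.0
access-list acl_nonat-inside extended permit ip 192.168.8.0 255.255.248.0 192.168.8.0 255.255.248.0
access-list vpngrint_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list vpngrint_splitTunnelAcl standard permit 192.168.14.0 255.255.255.0
access-list acl_vpn-berlin extended permit ip 192.168.14.0 255.255.255.0 192.168.8.0 255.255.248.0
access-list acl_vpn-berlin extended permit ip 192.168.8.0 255.255.248.0 192.168.14.0 255.255.255.0
"""

# Constructed, trimmed packet-tracer transcript in the shape the ASA prints
# (two phases and the Result block), used only to exercise the summariser.
PACKET_TRACER_SAMPLE = """\
Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:

Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:

Result:
input-interface: outside
output-interface: outside
Action: drop
Drop-reason: (ipsec-spoof) IPSEC Spoof detected
"""

EXT_RE = re.compile(r"^access-list (\S+) extended (permit|deny) ip (\S+) (\S+) (\S+) (\S+)$")
STD_RE = re.compile(r"^access-list (\S+) standard (permit|deny) (\S+) (\S+)$")
PHASE_RE = re.compile(r"^Phase: (\d+)\nType: (\S+)\nSubtype:[ \t]*(\S*)\nResult: (\S+)", re.M)


def parse_acls(text):
    """Return {acl_name: [(action, src_net, dst_net), ...]} in config order.
    A standard ACL has no source field, so its source is treated as any."""
    acls = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if m := EXT_RE.match(line):
            name, action, s, sm, d, dm = m.groups()
            entry = (action, ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}"))
        elif m := STD_RE.match(line):
            name, action, d, dm = m.groups()
            entry = (action, ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network(f"{d}/{dm}"))
        else:
            continue  # comment, remark or a form this example does not model
        acls.setdefault(name, []).append(entry)
    return acls


def acl_permits(entries, src, dst):
    """ASA first-match evaluation: the first entry covering the flow decides;
    no match means the implicit deny at the end of the list."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in entries:
        if src in snet and dst in dnet:
            return action == "permit"
    return False


def matching_acls(text, src, dst):
    """Sorted names of every ACL in `text` that permits src -> dst."""
    return sorted(name for name, entries in parse_acls(text).items()
                  if acl_permits(entries, src, dst))


def summarize_packet_tracer(text):
    """Reduce a packet-tracer transcript to (phase, type, subtype, result)
    tuples plus the final Action and Drop-reason (None when not present)."""
    phases = [(int(n), t, st, r) for n, t, st, r in PHASE_RE.findall(text)]
    action = re.search(r"^Action: (\S+)", text, re.M)
    reason = re.search(r"^Drop-reason: (.+)$", text, re.M)
    return {
        "phases": phases,
        "action": action.group(1) if action else None,
        "drop_reason": reason.group(1).strip() if reason else None,
    }


if __name__ == "__main__":
    # The same flow the question fed to packet-tracer.
    print(matching_acls(ASA_ACLS, "192.168.10.238", "192.168.14.1"))
    print(summarize_packet_tracer(PACKET_TRACER_SAMPLE))
```

Running it with the question's flow reports that every ACL on the page (interface ACLs, nonat ACL, crypto ACL and split-tunnel ACL) permits 192.168.10.238 to 192.168.14.1, which is consistent with the ALLOW results in every phase of the transcript; the summariser then surfaces the `drop` action and its `ipsec-spoof` reason as the only non-ALLOW item, which is the line worth reading first in a long transcript.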