I have two ASA 5505s running 8.4. Both have Internet access. ASA#1 has a VoIP gateway behind it that is being NATed, hence the extra rules.
This is on ASA#1:
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 10.10.10.1 255.255.255.224
    !
    object network server
     host 192.168.1.100
    object service voip-range
     service udp source range 9000 9049
    object service sip-tcp
     service tcp source eq sip
    object service sip-udp
     service udp source eq sip
    object service sip-secure
     service tcp source eq 5061
    object service sip-tcp-remote
     service tcp source eq 5090
    object service sip-udp-remote
     service udp source eq 5090
    object network Remote_Network
     subnet 192.168.2.0 255.255.255.0
     description Travis network
    object network My_Network
     subnet 192.168.1.0 255.255.255.0
    access-list l2l_list extended permit ip object My_Network object Remote_Network
    access-list outside_access_in extended permit tcp any object server eq sip log errors
    access-list outside_access_in extended permit udp any object server eq sip log errors
    access-list outside_access_in extended permit udp any object server range 9000 9049 log errors
    access-list outside_access_in extended permit object sip-secure any object server log errors
    access-list outside_access_in extended permit object sip-tcp-remote any object server log errors
    access-list outside_access_in extended permit object sip-udp-remote any object server log errors
    access-list outside_access_in extended deny ip any any log alerts
    access-list inside_access_in extended permit ip any any log debugging
    nat (inside,outside) source static server interface service voip-range voip-range
    nat (inside,outside) source static server interface service sip-tcp sip-tcp
    nat (inside,outside) source static server interface service sip-udp sip-udp
    nat (inside,outside) source static server interface service sip-secure sip-secure
    nat (inside,outside) source static server interface service sip-tcp-remote sip-tcp-remote
    nat (inside,outside) source static server interface service sip-udp-remote sip-udp-remote
    nat (inside,outside) source dynamic any interface
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 10.10.10.2 1
    crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal sec
     protocol esp encryption aes 3des des
     protocol esp integrity sha-1
    crypto map kernelvpn 1 match address l2l_list
    crypto map kernelvpn 1 set peer 10.10.10.8
    crypto map kernelvpn 1 set ikev1 transform-set FirstSet
    crypto map kernelvpn 1 set ikev2 ipsec-proposal sec
    crypto map kernelvpn interface outside
    crypto ikev2 policy 1
     encryption 3des
     integrity sha
     group 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    !
    tunnel-group 10.10.10.8 type ipsec-l2l
    tunnel-group 10.10.10.8 ipsec-attributes
     ikev1 pre-shared-key abcd1234
And this is what is on ASA#2:
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.2.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 10.10.10.8 255.255.255.224
    !
    object network Remote_Network
     subnet 192.168.1.0 255.255.255.0
     description Travis network
    object network My_Network
     subnet 192.168.2.0 255.255.255.0
    access-list l2l_list extended permit ip object My_Network object Remote_Network
    access-list outside_access_in extended deny ip any any log alerts
    access-list inside_access_in extended permit ip any any log debugging
    nat (inside,outside) source dynamic any interface
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 10.10.10.9 1
    crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal sec
     protocol esp encryption aes 3des des
     protocol esp integrity sha-1
    crypto map kernelvpn 1 match address l2l_list
    crypto map kernelvpn 1 set peer 10.10.10.1
    crypto map kernelvpn 1 set ikev1 transform-set FirstSet
    crypto map kernelvpn 1 set ikev2 ipsec-proposal sec
    crypto map kernelvpn interface outside
    crypto ikev2 policy 1
     encryption 3des
     integrity sha
     group 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    !
    tunnel-group 10.10.10.1 type ipsec-l2l
    tunnel-group 10.10.10.1 ipsec-attributes
     ikev1 pre-shared-key *****
Some useful output:
    ciscoasa(config)# show crypto isakmp sa

    There are no IKEv1 SAs
    There are no IKEv2 SAs

`show crypto ipsec sa` doesn't show a thing!
Not sure what other options I have here... I tried the following ping with no luck:
    ping inside 192.168.2.1
Packet tracer produces the following:
    ciscoasa(config)# packet-trace input inside tcp 192.168.1.11 22 192.168.2.1 22

    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside

    Phase: 2
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group inside_access_in in interface inside
    access-list inside_access_in extended permit ip any any log debugging
    Additional Information:

    Phase: 3
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 4
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (inside,outside) source dynamic any interface
    Additional Information:
    Dynamic translate 192.168.1.11/22 to 10.10.10.2/22

    Phase: 5
    Type: HOST-LIMIT
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 6
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 7
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 475091, packet dispatched to next module

    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow
I don't see a NAT statement for your tunnel on either ASA. On the newer 8.4 code you should use "twice NAT" for these VPN tunnels:
    nat (inside,any) source static My_Network My_Network destination static Remote_Network Remote_Network
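To make that concrete, here is the full change for ASA#1 plus the commands to verify it, as an added example that is not part of the original answer. It assumes 8.4(2) or later (for the `no-proxy-arp route-lookup` keywords) and reuses the object names already defined on the page. One detail the answer leaves implicit matters here: on 8.4 the existing `nat (inside,outside) source dynamic any interface` is also a manual NAT rule, and manual NAT rules are evaluated top-down with the first match winning. The identity rule therefore has to sit above the PAT rule, which is what the `1` after `nat (inside,any)` does; appended at the end it would never be reached. That is exactly what phase 4 of the packet-tracer output earlier shows: the traffic for 192.168.2.1 is matched by the dynamic PAT rule, so it leaves with a translated source address that does not match `l2l_list` and never triggers the tunnel.

```cisco
! ASA#1 (192.168.1.0/24 side) -- added example, not from the original answer
! Identity NAT for VPN traffic, inserted at position 1 so it is evaluated
! before "nat (inside,outside) source dynamic any interface".
! no-proxy-arp: do not answer ARP for Remote_Network on the outside interface
! route-lookup: pick the egress interface from the routing table, not the NAT rule
nat (inside,any) 1 source static My_Network My_Network destination static Remote_Network Remote_Network no-proxy-arp route-lookup

! 1. Confirm the ordering: the identity rule must appear above the dynamic PAT rule
show nat

! 2. Re-run the trace. The NAT phase should now cite the identity rule (no
!    "Dynamic translate"), and extra VPN phases should appear before FLOW-CREATION
packet-tracer input inside tcp 192.168.1.11 22 192.168.2.1 22

! 3. Send real traffic from a host in 192.168.1.0/24 towards 192.168.2.0/24
!    (the ASA's own ping does not reliably count as interesting traffic), then:
show crypto ikev1 sa
show crypto ipsec sa

! ASA#2 (192.168.2.0/24 side) -- same rule; the object names are already
! swapped in its configuration, so the line is identical
nat (inside,any) 1 source static My_Network My_Network destination static Remote_Network Remote_Network no-proxy-arp route-lookup
```

Both peers need the rule, otherwise return traffic from ASA#2 is PATed to 10.10.10.8 and likewise misses its crypto ACL. Once the tunnel is up, it is worth revisiting the crypto settings visible in the posted configs: `esp-3des esp-md5-hmac`, 3DES in both IKE policies and DH group 2 are weak by current standards, and the ASA#1 paste exposes the IKEv1 pre-shared key in clear text, so rotate it.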