Site-to-site VPN between 2x ASA 5505 (8.4) not working

I have 2 Cisco ASA 5505s running v8.42. Everything works fine (using NAT), but I can't get a site-to-site VPN to work.

I used the wizard in ASDM with the default settings (except, of course, the peer address / PSK / local / remote networks).

When I send a ping to the other ASA, the tunnel does not come up. I found some posts on the internet mentioning that a NAT exemption has to be done, so I checked that box in the ASDM wizard (using the "inside" option). Still no result.

Please help.

: Saved
:
ASA Version 8.4(2)
!
names <<NOT NEEDED>>
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address ASA-Apeldoorn 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address <<NOT NEEDED>> 255.255.255.248
!
banner login = UNAUTHORIZED ACCESS STRICTLY PROHIBITED!
banner login =
banner login = We monitor and audit the usage of this system and all persons
banner login = are hereby notified that use of this system constitutes to such
banner login = monitoring and auditing. Unauthorized access or modification of
banner login = any information stored on this system may result in criminal prosecution.
banner login =
banner login = PLEASE DISCONNECT IMMEDIATELY!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
 domain-name aacckantoor.local
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network AmsioLAN
 subnet 10.11.79.0 255.255.255.0
object network NETWORK_OBJ_192.0.2.0_24
 subnet 192.0.2.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object object Sinkhole
 network-object object Sinkhole2
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
access-list inside_access_in extended permit tcp 192.0.2.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 192.0.2.0 255.255.255.0 any eq https
access-list inside_access_in extended permit tcp 192.0.2.0 255.255.255.0 any eq ftp
access-list inside_access_in extended permit tcp 192.0.2.0 255.255.255.0 any eq 3389
access-list inside_access_in extended permit udp 192.0.2.0 255.255.255.0 any eq domain
access-list inside_access_in extended permit udp 192.0.2.0 255.255.255.0 any eq ntp
access-list inside_access_in extended permit icmp 192.0.2.0 255.255.255.0 any
access-list inside_access_in extended permit tcp host 192.0.2.10 any eq smtp
access-list inside_access_in extended permit tcp 192.0.2.0 255.255.255.0 any eq 5721
access-list inside_access_in extended permit tcp 192.0.2.0 255.255.255.0 any eq imap4
access-list inside_access_in extended permit tcp 192.0.2.0 255.255.255.0 any eq 587
access-list inside_access_in extended permit tcp 192.0.2.0 255.255.255.0 any eq ldap
access-list inside_access_in extended permit tcp 192.0.2.0 255.255.255.0 any eq 465
access-list inside_access_in extended permit tcp 192.0.2.0 255.255.255.0 any eq 3101
access-list inside_access_in extended permit tcp 192.0.2.0 255.255.255.0 any eq 2121
access-list inside_access_in extended permit tcp 192.0.2.0 255.255.255.0 any eq 49152
access-list inside_access_in extended permit tcp 192.0.2.0 255.255.255.0 any eq 49652
access-list inside_access_in extended permit tcp 192.0.2.0 255.255.255.0 any range 49152 49652
access-list inside_access_in extended permit udp 192.0.2.0 255.255.255.0 any eq 5059
access-list inside_access_in extended permit udp 192.0.2.0 255.255.255.0 any eq 5058
access-list inside_access_in extended deny tcp 192.0.2.0 255.255.255.0 object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_in extended permit tcp any any eq https
access-list outside_cryptomap extended permit ip 192.0.2.0 255.255.255.0 object AmsioLAN
pager lines 24
logging enable
logging trap debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_192.0.2.0_24 NETWORK_OBJ_192.0.2.0_24 destination static AmsioLAN AmsioLAN no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 84.35.88.249 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
<<NOT NEEDED>>
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer <<NOT NEEDED>>
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map interface outside
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy_91.200.51.22 internal
group-policy GroupPolicy_91.200.51.22 attributes
 vpn-tunnel-protocol ikev1 ikev2
username <<NOT NEEDED>>
tunnel-group <<NOT NEEDED>> type ipsec-l2l
tunnel-group <<NOT NEEDED>> general-attributes
 default-group-policy GroupPolicy_91.200.51.22
tunnel-group <<NOT NEEDED>> ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:a653d78272a501e97c50b13ad2ffec99
: end

You need to NAT-exempt the interesting traffic... if you use the wizard on 8.4, it is the last item.
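A way to verify the point the answer makes against a running-config instead of by eye, as an added example that is not part of the question or the answer: it parses the network objects, the ACL bound to the crypto map and the twice-NAT identity rules, and lists any crypto-map flow that no NAT exemption covers. The sample config is constructed from the relevant lines of the question's config (object and ACL names as the ASDM wizard generated them); the parser assumes each `object network` line is directly followed by its `subnet` line, as in a saved ASA config.

```python
import ipaddress
import re

# Constructed sample: the lines from the question's config that decide whether
# traffic for the tunnel is NAT-exempt (object and ACL names as the wizard made them).
SAMPLE_CONFIG = """\
object network AmsioLAN
 subnet 10.11.79.0 255.255.255.0
object network NETWORK_OBJ_192.0.2.0_24
 subnet 192.0.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.0.2.0 255.255.255.0 object AmsioLAN
nat (inside,outside) source static NETWORK_OBJ_192.0.2.0_24 NETWORK_OBJ_192.0.2.0_24 destination static AmsioLAN AmsioLAN no-proxy-arp route-lookup
crypto map outside_map 1 match address outside_cryptomap
"""

def parse_objects(cfg):
    """Map 'object network NAME' to its subnet (assumes 'subnet A M' is the next line)."""
    pat = r"object network (\S+)\n subnet (\S+) (\S+)"
    return {n: ipaddress.ip_network(f"{a}/{m}") for n, a, m in re.findall(pat, cfg)}

def acl_addr(tokens, objs):
    """Consume one ACL address spec ('object NAME' or 'A M'); return (network, rest)."""
    if tokens[0] == "object":
        return objs[tokens[1]], tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def crypto_acl_pairs(cfg, objs):
    """(src, dst) of every 'permit ip' entry in an ACL bound to a crypto map."""
    acls = set(re.findall(r"crypto map \S+ \d+ match address (\S+)", cfg))
    pairs = []
    for acl, rest in re.findall(r"access-list (\S+) extended permit ip (.+)", cfg):
        if acl in acls:
            src, rest = acl_addr(rest.split(), objs)
            pairs.append((src, acl_addr(rest, objs)[0]))
    return pairs

def identity_nat_pairs(cfg, objs):
    """(src, dst) of twice-NAT rules mapping each object to itself: the NAT exemption."""
    rule = r"nat \(\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)"
    return [(objs[a], objs[c]) for a, b, c, d in re.findall(rule, cfg)
            if a == b and c == d and a in objs and c in objs]

def unexempted_pairs(cfg):
    """Crypto-map flows no identity NAT covers; empty means tunnel traffic keeps its real addresses."""
    objs = parse_objects(cfg)
    exempt = identity_nat_pairs(cfg, objs)
    return [(str(s), str(d)) for s, d in crypto_acl_pairs(cfg, objs)
            if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt)]
```

Run `unexempted_pairs()` over a full running-config; a non-empty result names the exact source/destination pair that the dynamic `obj_any` PAT rule would still rewrite before encryption.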