IPsec L2L vpn 求助
我总是在VPN这郁闷。主要是不会 所以用向导做的。好吧 我不会做VPN 这次做了个失败了。
配置发上来 求解。。这个拓扑是 ASA-1----------------某防火墙(映射)-------internet------------------ASA-2
所以这个ASA-1 outside 是私有地址
ASA--1
ASA Version 8.2(1)
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.20.0 vpn
name 192.168.0.0 vpn1
name 58.210.23.166 huaqiao
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.10.1.20 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST 8
access-list 10 extended permit ip any any
access-list 10 extended permit icmp any any
access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 vpn1 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 vpn1 255.255.255.0
access-list inside_access_out extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.20.1-192.168.20.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.10.2 3389 netmask 255.255.255.255
access-group 10 in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.1.254 1
route outside vpn 255.255.255.0 192.168.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer huaqiao
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 1
console timeout 0
dhcpd address 192.168.10.100-192.168.10.200 inside
dhcpd dns 61.177.7.1 192.168.10.2 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group 58.210.23.166 type ipsec-l2l
tunnel-group 58.210.23.166 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:118648698e643f955ca251b66218546d
: end
ASA-2
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
ospf cost 10
!
interface Vlan11
nameif outside
security-level 0
ip address 58.210.23.166 255.255.255.252
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 11
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group service ftp_pasv tcp
port-object range 50010 50014
access-list 10 extended permit ip any any
access-list 10 extended permit icmp any any
access-list 10 extended permit tcp any host 192.168.0.10 object-group ftp_pasv
access-list 10 extended permit tcp any host 192.168.0.10 eq ftp
access-list 10 extended permit tcp any host 192.168.0.10 eq ftp-data
access-list 10 extended permit tcp any any
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 any
access-list inside_access_out extended permit ip any any
pager lines 24
logging enable
logging asdm debugging
mtu inside 1500
mtu outside 1500
ip local pool user 192.168.0.50-192.168.0.100 mask 255.255.255.0
ip local pool vpn 192.168.2.100-192.168.2.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/ASDM-523.BIN
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ftp 192.168.0.10 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.0.10 ftp-data netmask 255.255.255.255
static (inside,outside) tcp interface 50011 192.168.0.10 50011 netmask 255.255.255.255
static (inside,outside) tcp interface 50014 192.168.0.10 50014 netmask 255.255.255.255
static (inside,outside) tcp interface 50013 192.168.0.10 50013 netmask 255.255.255.255
static (inside,outside) tcp interface 50012 192.168.0.10 50012 netmask 255.255.255.255
static (inside,outside) tcp interface 50010 192.168.0.10 50010 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.0.10 3389 netmask 255.255.255.255
access-group 10 in interface outside
route outside 0.0.0.0 0.0.0.0 58.210.23.165 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap_1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 221.224.120.140
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal20
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 61.177.7.1 192.168.0.10
!
dhcpd address 192.168.0.100-192.168.0.200 inside
dhcpd dns 61.177.7.1 interface inside
dhcpd enable inside
!
vpnclient mode client-mode
vpnclient vpngroup remote password ********
vpnclient username admin password ********
!
!
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.0.10 61.171.7.1
vpn-tunnel-protocol IPSec
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
username admin password p7STi9PrEjZcr6WH encrypted privilege 15
username wisdom password 8wOqQbVTC.vNpHdK encrypted privilege 0
tunnel-group DefaultRAGroup general-attributes
address-pool user
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group 221.224.120.140 type ipsec-l2l
tunnel-group 221.224.120.140 ipsec-attributes
pre-shared-key *
tunnel-group-map default-group DefaultL2LGroup
prompt hostname context
no compression svc http-comp
Cryptochecksum:b78cd037281b79b755b3d2d0f157102a
: end
http://bbs.spoto.net/xwb/images/bgimg/icon_logo.png 该贴已经同步到 hui8821637的微博 我对VPN很烂。 所以求大家帮帮忙 老师很快会出现滴 楼主还是把你的配置脚本贴上来吧,show看了头很晕的 ------- ASA-1 里边静态路由有这么一条 route outside vpn 255.255.255.0 192.168.10.1 1
这条把去对端192.168.0.0/24的路由下一条怎么指向自己的INSIDE口了? 应该去掉吧,其他的配置没什么问题 -woniu1-进来了解一下吧~ yangning365 发表于 2011-6-23 16:27 static/image/common/back.gif
ASA-1 里边静态路由有这么一条 route outside vpn 255.255.255.0 192.168.10.1 1
这条把去对端192.168.0 ...
这是原本做remoteVPN留下来的。 你看VPN 在names里指的是192.168.20.0/24
我监控VPN状态发现ASA-1是有收包 但是木有发包就是说TX=0 RX=XXXXX
ASA-2呢 却是TX=XXXX RX=0
为什么呢? roy 发表于 2011-6-23 15:01 static/image/common/back.gif
-
您能不笑完帮咱看看么?
我为这VPN都愁死了--
页:
[1]
2