I'm having trouble setting up a second VPN tunnel from a Cisco ASA 5510. When I run packet tracer, I don't see the packet go through the NAT exempt phase or the VPN lookup phase. The first tunnel is up and working fine, with a Watchguard on the far end. The second tunnel is to a PIX (model and version unknown).
Any ideas would be appreciated.
Here is my network layout: Internal network: 10.10.10.0/24, inside interface: 10.10.10.1, outside interface: 8.8.8.8
First VPN tunnel: internal network 10.0.40.0/24, inside interface 10.0.40.1, outside interface 74.128.54.15
Second VPN tunnel: internal network 10.1.0.160/27, inside interface unknown, outside interface 63.74.224.5
Here is my running config:
: Saved
:
ASA Version 7.2(1)
!
hostname asa1
domain-name domain.com
enable password xxxxxxxxxx encrypted
names
name 10.10.10.52 sub1
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 8.8.8.8 255.255.255.224 standby 8.8.8.9
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
!
interface Ethernet0/2
description LAN Failover Interface
!
interface Ethernet0/3
description STATE Failover Interface
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
management-only
!
passwd xxxxxxxxxxxxx encrypted
banner motd ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
banner motd This is a private system. If you are not
banner motd authorized to access this system,
banner motd LOG OFF NOW!
banner motd ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
boot system disk0:/asa721-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
domain-name domain.com
object-group service httpANDhttps tcp
description Both port 80 and 443
port-object eq https
port-object eq www
object-group service PASVports tcp
description ports 50000-51000
port-object range 50000 50100
--cut-- other access-list items here
access-list inside_access_in extended permit ip any any
access-list watchguard extended permit ip 10.10.10.0 255.255.255.0 10.0.40.0 255.255.255.0
access-list outside_30_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.1.0.160 255.255.255.224
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.1.0.160 255.255.255.224
access-list outside_cryptomap_1 extended permit ip 10.10.10.0 255.255.255.0 10.1.0.160 255.255.255.224
pager lines 24
logging enable
logging timestamp
logging trap emergencies
logging asdm informational
logging from-address [email protected]
logging recipient-address [email protected] level alerts
logging host inside int-logging 6/1470
logging class vpn trap emergencies
mtu outside 1500
mtu inside 1500
mtu management 1500
failover
failover lan unit primary
failover lan interface LANfailover Ethernet0/2
failover key *****
failover replication http
failover mac address Ethernet0/0 xxxx.abcd.xxx1 xxxx.abcd.xxx2
failover mac address Ethernet0/1 xxxx.abcd.xxx3 xxxx.abcd.xxx4
failover link Statefailover Ethernet0/3
failover interface ip LANfailover 192.168.1.25 255.255.255.252 standby 192.168.1.26
failover interface ip Statefailover 192.168.1.49 255.255.255.252 standby 192.168.1.50
no monitor-interface management
icmp permit 10.10.10.0 255.255.255.0 inside
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 0 access-list watchguard
nat (inside) 101 0.0.0.0 0.0.0.0
--cut-- -- static nats here --
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 8.8.8.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
--cut-- snmp entries here
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set firebox esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set Client-3DES-MD5 esp-3des esp-md5-hmac
crypto map watchguardmap 1 match address outside_cryptomap_1
crypto map watchguardmap 1 set peer 63.74.224.5
crypto map watchguardmap 1 set transform-set Client-3DES-MD5
crypto map watchguardmap 1 set security-association lifetime seconds 86400
crypto map watchguardmap 10 match address watchguard
crypto map watchguardmap 10 set pfs
crypto map watchguardmap 10 set peer 74.128.54.15
crypto map watchguardmap 10 set transform-set firebox
crypto map watchguardmap 10 set security-association lifetime seconds 2592000
crypto map watchguardmap 10 set security-association lifetime kilobytes 2147483647
crypto map watchguardmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 9
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 2592000
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group 74.128.54.15 type ipsec-l2l
tunnel-group 74.128.54.15 ipsec-attributes
pre-shared-key *
tunnel-group 63.74.224.5 type ipsec-l2l
tunnel-group 63.74.224.5 ipsec-attributes
pre-shared-key *
no tunnel-group-map enable ou
telnet int-vpn 255.255.255.255 inside
telnet timeout 5
ssh int-vpn 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.20-192.168.1.25 management
dhcpd enable management
!
!
!
ntp server 206.246.118.250 source outside
smtp-server 10.10.10.50
prompt hostname context
Cryptochecksum:19372
: end
Answer 1
I suspect you need to do some debug crypto ipsec and debug crypto isakmp and watch the tunnel to the second site. You may have mismatched IKE IDs.
You have two access-lists that are not referenced anywhere: outside_30_cryptomap and inside_nat0_outbound.
I don't see nat (inside) 0 access-list outside_cryptomap_1, so traffic destined for the "second site" is being NATed.
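The NAT-exemption gap the answer points at can be checked mechanically. The script below is an added example, not part of the original question or answer: it parses a constructed excerpt of the posted ASA 7.2-style config (the lines that matter for `nat 0` and crypto-map selection), records which ACL is the `nat (inside) 0 access-list` (only one is honoured per interface on this software, the last one entered wins), and then reports every crypto-map ACE whose source/destination pair is not covered by that exemption ACL. It also lists ACLs referenced by nothing (no `nat 0`, no `crypto map ... match address`, no `access-group`) and emits the ACE lines that would extend the existing `nat 0` ACL to cover the second tunnel. The function and variable names are this example's own; the config lines are copied from the post above.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt of the posted config: only the NAT, ACL and crypto-map
# lines that decide whether a packet is exempted from NAT and matched to a peer.
SAMPLE_CONFIG = """
access-list watchguard extended permit ip 10.10.10.0 255.255.255.0 10.0.40.0 255.255.255.0
access-list outside_30_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.1.0.160 255.255.255.224
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.1.0.160 255.255.255.224
access-list outside_cryptomap_1 extended permit ip 10.10.10.0 255.255.255.0 10.1.0.160 255.255.255.224
nat-control
global (outside) 101 interface
nat (inside) 0 access-list watchguard
nat (inside) 101 0.0.0.0 0.0.0.0
crypto map watchguardmap 1 match address outside_cryptomap_1
crypto map watchguardmap 1 set peer 63.74.224.5
crypto map watchguardmap 10 match address watchguard
crypto map watchguardmap 10 set peer 74.128.54.15
crypto map watchguardmap interface outside
"""

ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
CRYPTO_MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
CRYPTO_PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def net(addr, mask):
    # ASA ACEs use dotted netmasks; ipaddress accepts "addr/netmask" directly.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(config):
    acls = defaultdict(list)   # ACL name -> [(src_net, dst_net)]
    nat0 = {}                  # interface -> exemption ACL (last one wins, as on the box)
    crypto = {}                # (map name, seq) -> {"acl": ..., "peer": ...}
    bound = set()              # ACLs applied with access-group
    for line in config.splitlines():
        line = line.strip()
        if m := ACE_RE.match(line):
            name, sa, sm, da, dm = m.groups()
            acls[name].append((net(sa, sm), net(da, dm)))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)
        elif m := CRYPTO_MATCH_RE.match(line):
            crypto.setdefault((m.group(1), int(m.group(2))), {})["acl"] = m.group(3)
        elif m := CRYPTO_PEER_RE.match(line):
            crypto.setdefault((m.group(1), int(m.group(2))), {})["peer"] = m.group(3)
        elif m := ACCESS_GROUP_RE.match(line):
            bound.add(m.group(1))
    return acls, nat0, crypto, bound


def covered(src, dst, exempt_aces):
    # A crypto ACE is safe only if some nat 0 ACE contains both its src and dst.
    return any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt_aces)


def audit(config, inside_if="inside"):
    """Return (crypto ACEs not exempted from NAT, ACL names referenced by nothing)."""
    acls, nat0, crypto, bound = parse(config)
    exempt = acls.get(nat0.get(inside_if, ""), [])
    findings = []
    for (cmap, seq), entry in sorted(crypto.items()):
        for src, dst in acls.get(entry.get("acl"), []):
            if not covered(src, dst, exempt):
                findings.append({"map": cmap, "seq": seq, "peer": entry.get("peer"),
                                 "acl": entry["acl"], "src": str(src), "dst": str(dst)})
    referenced = set(nat0.values()) | bound | {e["acl"] for e in crypto.values() if "acl" in e}
    unreferenced = set(acls) - referenced
    return findings, unreferenced


def suggested_fix(config, inside_if="inside"):
    """ACE lines that add each missing src/dst pair to the interface's existing nat 0 ACL."""
    _, nat0, _, _ = parse(config)
    acl = nat0.get(inside_if, "inside_nat0")  # hypothetical name if no nat 0 ACL exists yet
    lines = []
    for f in audit(config, inside_if)[0]:
        src, dst = ipaddress.ip_network(f["src"]), ipaddress.ip_network(f["dst"])
        lines.append(f"access-list {acl} extended permit ip "
                     f"{src.network_address} {src.netmask} {dst.network_address} {dst.netmask}")
    if inside_if not in nat0:
        lines.append(f"nat ({inside_if}) 0 access-list {acl}")
    return lines


if __name__ == "__main__":
    findings, unreferenced = audit(SAMPLE_CONFIG)
    for f in findings:
        print(f"NOT exempt from NAT: {f['src']} -> {f['dst']} (map {f['map']} seq {f['seq']}, peer {f['peer']})")
    print("unreferenced ACLs:", sorted(unreferenced))
    print("\n".join(suggested_fix(SAMPLE_CONFIG)))
```

On the posted config the only finding is the seq 1 entry for peer 63.74.224.5: 10.10.10.0/24 to 10.1.0.160/27 is in the crypto ACL but not in the `watchguard` ACL that `nat (inside) 0` uses, so with `nat-control` on, the packet falls through to `nat (inside) 101` and is PATed to the outside interface address; the translated packet no longer matches the crypto ACL, which is why packet tracer never shows a VPN lookup. The practical caveat for this software train is that a second `nat (inside) 0 access-list` line replaces the first rather than adding to it, so the fix is to append the second tunnel's ACE to the ACL already named by `nat 0` (or point `nat 0` at one ACL that lists both tunnels), not to add a second `nat 0` line.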