Cisco ASA - 在多个站点到站点隧道之间路由流量

Question

类似这样的内容 -192.168.168.0/24似乎有点小；如果需要，那么也为它们创建一个对象组。

same-security-traffic permit intra-interface

object-group network Client_Networks
 ! Load up client network assignments here, so the ACLs don't get huge:
 network-object 192.0.2.0 255.255.255.0
 network-object 198.51.100.0 255.255.255.0

! ACL for tunnel to an example client - this one's on the 192.0.2.0 range.
! The entry covers traffic between the local net and the client
access-list outside_cryptomap_client_1 extended permit ip 172.16.89.0 255.255.255.0 192.0.2.0 255.255.255.0
! And this is needed for the traffic between the employee nets and the client
access-list outside_cryptomap_client_1 extended permit ip 192.168.168.0 255.255.255.0 192.0.2.0 255.255.255.0

! ACL for the tunnel to an employee - we'll stick them on 192.168.168.32/30;
! For the purposes of the tunnel, the client networks are local networks.
! The entry's going to create a ton of IPSec SAs -- makes a mess, but not a lot of choice.
access-list outside_cryptomap_employee_1 extended permit ip object-group Client_Networks 192.168.168.32 255.255.255.252
! And, the local whatnot.
access-list outside_cryptomap_employee_1 extended permit ip 172.16.89.0 255.255.255.0 192.168.168.32 255.255.255.252

! all the other config for the site-to-site tunnels..
crypto map outside_map 1 match address outside_cryptomap_client_1
! ...
crypto map outside_map 501 match address outside_cryptomap_employee_1

如果你有任何 NAT继续，由于您使用的是 RFC1918 范围，因此您可能会这样做，您需要全面 NAT 豁免，以匹配加密 ACL 中的所有流量。

! add to an existing NAT exemption ACL, if you have one.  Otherwise, make one..
! local to clients
access-list outside_nat0_outbound extended permit ip 172.16.89.0 255.255.255.0 object-group Client_Networks
! local to employees
access-list outside_nat0_outbound extended permit ip 172.16.89.0 255.255.255.0 192.168.168.0 255.255.255.0
! employees to clients
access-list outside_nat0_outbound extended permit ip 192.168.168.0 255.255.255.0 object-group Client_Networks
nat (Public) 0 access-list outside_nat0_outbound

当然，您需要在员工所在地配置远程 VPN 端点，将客户端网络作为远程网络，并与站点到站点连接的加密 ACL 相匹配。

Answer 1

类似这样的内容 -192.168.168.0/24似乎有点小；如果需要，那么也为它们创建一个对象组。

same-security-traffic permit intra-interface

object-group network Client_Networks
 ! Load up client network assignments here, so the ACLs don't get huge:
 network-object 192.0.2.0 255.255.255.0
 network-object 198.51.100.0 255.255.255.0

! ACL for tunnel to an example client - this one's on the 192.0.2.0 range.
! The entry covers traffic between the local net and the client
access-list outside_cryptomap_client_1 extended permit ip 172.16.89.0 255.255.255.0 192.0.2.0 255.255.255.0
! And this is needed for the traffic between the employee nets and the client
access-list outside_cryptomap_client_1 extended permit ip 192.168.168.0 255.255.255.0 192.0.2.0 255.255.255.0

! ACL for the tunnel to an employee - we'll stick them on 192.168.168.32/30;
! For the purposes of the tunnel, the client networks are local networks.
! The entry's going to create a ton of IPSec SAs -- makes a mess, but not a lot of choice.
access-list outside_cryptomap_employee_1 extended permit ip object-group Client_Networks 192.168.168.32 255.255.255.252
! And, the local whatnot.
access-list outside_cryptomap_employee_1 extended permit ip 172.16.89.0 255.255.255.0 192.168.168.32 255.255.255.252

! all the other config for the site-to-site tunnels..
crypto map outside_map 1 match address outside_cryptomap_client_1
! ...
crypto map outside_map 501 match address outside_cryptomap_employee_1

如果你有任何 NAT继续，由于您使用的是 RFC1918 范围，因此您可能会这样做，您需要全面 NAT 豁免，以匹配加密 ACL 中的所有流量。

! add to an existing NAT exemption ACL, if you have one.  Otherwise, make one..
! local to clients
access-list outside_nat0_outbound extended permit ip 172.16.89.0 255.255.255.0 object-group Client_Networks
! local to employees
access-list outside_nat0_outbound extended permit ip 172.16.89.0 255.255.255.0 192.168.168.0 255.255.255.0
! employees to clients
access-list outside_nat0_outbound extended permit ip 192.168.168.0 255.255.255.0 object-group Client_Networks
nat (Public) 0 access-list outside_nat0_outbound

当然，您需要在员工所在地配置远程 VPN 端点，将客户端网络作为远程网络，并与站点到站点连接的加密 ACL 相匹配。

Cisco ASA - 在多个站点到站点隧道之间路由流量

答案1

相关内容