I have two ASA 5505s running 8.4. Both can reach the internet. Behind ASA #1 there is a VoIP gateway that is being NATed, hence the extra rules.
Here is ASA #1:
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.10.10.1 255.255.255.224
!
object network server
host 192.168.1.100
object service voip-range
service udp source range 9000 9049
object service sip-tcp
service tcp source eq sip
object service sip-udp
service udp source eq sip
object service sip-secure
service tcp source eq 5061
object service sip-tcp-remote
service tcp source eq 5090
object service sip-udp-remote
service udp source eq 5090
object network Remote_Network
subnet 192.168.2.0 255.255.255.0
description Travis network
object network My_Network
subnet 192.168.1.0 255.255.255.0
access-list l2l_list extended permit ip object My_Network object Remote_Network
access-list outside_access_in extended permit tcp any object server eq sip log errors
access-list outside_access_in extended permit udp any object server eq sip log errors
access-list outside_access_in extended permit udp any object server range 9000 9049 log errors
access-list outside_access_in extended permit object sip-secure any object server log errors
access-list outside_access_in extended permit object sip-tcp-remote any object server log errors
access-list outside_access_in extended permit object sip-udp-remote any object server log errors
access-list outside_access_in extended deny ip any any log alerts
access-list inside_access_in extended permit ip any any log debugging
nat (inside,outside) source static server interface service voip-range voip-range
nat (inside,outside) source static server interface service sip-tcp sip-tcp
nat (inside,outside) source static server interface service sip-udp sip-udp
nat (inside,outside) source static server interface service sip-secure sip-secure
nat (inside,outside) source static server interface service sip-tcp-remote sip-tcp-remote
nat (inside,outside) source static server interface service sip-udp-remote sip-udp-remote
nat (inside,outside) source dynamic any interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.2 1
crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal sec
protocol esp encryption aes 3des des
protocol esp integrity sha-1
crypto map kernelvpn 1 match address l2l_list
crypto map kernelvpn 1 set peer 10.10.10.8
crypto map kernelvpn 1 set ikev1 transform-set FirstSet
crypto map kernelvpn 1 set ikev2 ipsec-proposal sec
crypto map kernelvpn interface outside
crypto ikev2 policy 1
encryption 3des
integrity sha
group 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
tunnel-group 10.10.10.8 type ipsec-l2l
tunnel-group 10.10.10.8 ipsec-attributes
ikev1 pre-shared-key abcd1234
And here is ASA #2:
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.10.10.8 255.255.255.224
!
object network Remote_Network
subnet 192.168.1.0 255.255.255.0
description Travis network
object network My_Network
subnet 192.168.2.0 255.255.255.0
access-list l2l_list extended permit ip object My_Network object Remote_Network
access-list outside_access_in extended deny ip any any log alerts
access-list inside_access_in extended permit ip any any log debugging
nat (inside,outside) source dynamic any interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.9 1
crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal sec
protocol esp encryption aes 3des des
protocol esp integrity sha-1
crypto map kernelvpn 1 match address l2l_list
crypto map kernelvpn 1 set peer 10.10.10.1
crypto map kernelvpn 1 set ikev1 transform-set FirstSet
crypto map kernelvpn 1 set ikev2 ipsec-proposal sec
crypto map kernelvpn interface outside
crypto ikev2 policy 1
encryption 3des
integrity sha
group 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
tunnel-group 10.10.10.1 type ipsec-l2l
tunnel-group 10.10.10.1 ipsec-attributes
ikev1 pre-shared-key *****
Some useful output:
ciscoasa(config)# show crypto isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs
show crypto ipsec sa doesn't show a thing!
Not sure what other options I have here... I tried the following ping, without success:
ping inside 192.168.2.1
The packet-tracer result is as follows:
ciscoasa(config)# packet-trace input inside tcp 192.168.1.11 22 192.168.2.1 22
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any log debugging
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic any interface
Additional Information:
Dynamic translate 192.168.1.11/22 to 10.10.10.2/22
Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 475091, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Answer 1
I don't see a NAT statement for the tunnel on either ASA. With the new 8.4 ASA code, you should enter these for the VPN tunnel using "twice NAT":
nat (inside,any) source static My_Network My_Network destination static Remote_Network Remote_Network
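The point of the answer is that the existing dynamic PAT rewrites the source address before the crypto map on the outside interface sees the packet, so the flow never matches l2l_list and no IKE SA is ever built (which is exactly what the empty "show crypto isakmp sa" and the packet-tracer NAT phase above show). The following Python model is an added illustration, not code from the post or from Cisco: it walks ASA #1's section-1 manual NAT rules in configured order (first match wins) and then checks the post-NAT addresses against the crypto ACL, using the networks and outside address from the ASA #1 config above.

```python
"""Model of ASA 8.4 manual (twice) NAT ordering versus the crypto ACL l2l_list.

Only the pieces relevant to the question are modelled: section-1 manual NAT
evaluated top to bottom with first match winning, and the crypto map's
match-address check, which on 8.3+ is applied to the translated packet.
Addresses are taken from the ASA #1 configuration in the question.
"""
import ipaddress

INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")   # object network My_Network
REMOTE_NET = ipaddress.ip_network("192.168.2.0/24")   # object network Remote_Network
OUTSIDE_IF = ipaddress.ip_address("10.10.10.1")       # ip address on interface Vlan2


def matches_crypto_acl(src, dst):
    """access-list l2l_list extended permit ip object My_Network object Remote_Network"""
    return src in INSIDE_NET and dst in REMOTE_NET


def identity_nat(src, dst):
    """nat (inside,any) source static My_Network My_Network
       destination static Remote_Network Remote_Network
    Translates the source to itself, i.e. exempts VPN traffic from PAT."""
    if src in INSIDE_NET and dst in REMOTE_NET:
        return src
    return None  # rule does not match, fall through to the next one


def dynamic_pat(src, dst):
    """nat (inside,outside) source dynamic any interface
    Every inside source leaving via outside is PATed to the interface address."""
    return OUTSIDE_IF


def translate(src, dst, rules):
    """Walk the section-1 manual NAT rules in configured order; first match wins."""
    for rule in rules:
        mapped_src = rule(src, dst)
        if mapped_src is not None:
            return mapped_src, rule.__name__
    return src, "no-nat"


def vpn_would_trigger(src, dst, rules):
    """Return (crypto ACL matched?, post-NAT source, rule that fired)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    mapped_src, rule = translate(src, dst, rules)
    return matches_crypto_acl(mapped_src, dst), str(mapped_src), rule


# Flow from the packet-tracer in the question: 192.168.1.11 -> 192.168.2.1
AS_POSTED = [dynamic_pat]                  # config as pasted: PAT only
FIXED = [identity_nat, dynamic_pat]        # identity rule placed above the PAT
APPENDED = [dynamic_pat, identity_nat]     # identity rule typed after the PAT
```

Manual NAT rules are matched in the order they appear in the running config, so the identity rule only helps if it sits above the existing `nat (inside,outside) source dynamic any interface` line; on 8.4 that means inserting it with a sequence number (`nat (inside,any) 1 source static ...`) or removing and re-adding the dynamic rule after it.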