I have created a tunnel between the 10.xyz network and 122.abc. The tunnel is up and active, but when I try packet tracer I get ACTION drop in the output. I have also enabled same-security-traffic permit intra-interface. Can someone help me understand what this drop message means?
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Packet Tracer output
@Shane Madden: Please see the packet tracer output below.
CASA5K-A#
CASA5K-A# config t
CASA5K-A(config)# packet-tracer input inside tcp 10.x.y.112 0 122.a.b.c 0
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
CASA5K-A(config)#
========================================================================
The access-groups are as follows:
access-group acl-inbound in interface outside
access-group acl-outbound in interface inside
and the access-lists are:
access-list acl-inbound extended permit tcp any any gt 1023
access-list acl-outbound extended permit ip object-group net-Source object net-dest
========================================================================
@SHANEMADDEN: I see the hit count on acl-outbound increasing... but I still see packet tracer ACTION drop :(
Answer 1
The typical problem with Cisco L2L VPNs tends to be with setting up the NAT exemption rules for the "interesting" traffic. Have you verified that the tunnel is up via sh ipsec sa and sh isakmp sa? Are you using only the CLI, or did you set up the tunnel through ASDM?