We have configured a site-to-site VPN; the topology is below. I control the network on the left but not the one on the right. All devices in our network have public IPs.
服务器---ASA5505---Cisco887======Internet=====ASA5510---设备
I can see the tunnel is up, and I can do an extended ping using the loopback interface. From the 10.175 and 10.165 networks they can also ping my loopback address. I can also dial in with the Cisco VPN client and connect to the devices on the right side.
#show crypto session
Crypto session current status
Interface: Vlan3
Profile: xxx-profile
Session status: UP-ACTIVE
Peer: 213.121.x.x port 500
IKEv1 SA: local 77.245.x.x/500 remote 213.121.x.x/500 Active
IPSEC FLOW: permit ip 10.0.20.0/255.255.255.240 10.175.0.0/255.255.128.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 10.0.20.0/255.255.255.240 10.165.0.0/255.255.192.0
Active SAs: 2, origin: crypto map
#ping 10.165.29.39 source loopback 2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.165.29.39, timeout is 2 seconds:
Packet sent with a source address of 10.0.20.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/17/20 ms
My problem is that the devices on the right side cannot reach my server. They can only ping the loopback address and cannot do anything else.
I am pasting some routing-related diagnostics, as I think routing may be my problem. If needed, I can paste the full running config from my side of the network.
#show ip int brief
Interface IP-Address OK? Method Status Protocol
ATM0 unassigned YES NVRAM administratively down down
Ethernet0 unassigned YES NVRAM administratively down down
FastEthernet0 unassigned YES unset up up connected to ASA
FastEthernet1 unassigned YES unset administratively down down
FastEthernet2 unassigned YES unset administratively down down
FastEthernet3 unassigned YES unset up up
Loopback1 10.0.20.65 YES NVRAM up up
Loopback2 10.0.20.1 YES NVRAM up up
Virtual-Template1 77.245.x.x YES unset up down
Virtual-Template2 77.245.x.x YES unset up down
Vlan1 unassigned YES unset down down
Vlan3 77.245.x.x YES NVRAM up up connected to the Internet
#show run | section ip route
ip route 0.0.0.0 0.0.0.0 77.245.x.x
ip route 213.121.240.36 255.255.255.255 Vlan3
#show access-list
Extended IP access list 102
10 permit ip 10.0.20.0 0.0.0.15 10.175.0.0 0.0.127.255 (3332 matches)
20 permit ip 10.0.20.0 0.0.0.15 10.165.0.0 0.0.63.255 (3498 matches)
#show vlan-switch
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active
3 VLAN0003 active Fa0, Fa1, Fa2, Fa3
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 77.245.x.x to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 77.245.x.x
10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
C 10.0.20.0/28 is directly connected, Loopback2
L 10.0.20.1/32 is directly connected, Loopback2
C 10.0.20.64/28 is directly connected, Loopback1
L 10.0.20.65/32 is directly connected, Loopback1
S 10.165.0.0/18 [1/0] via 213.121.x.x
77.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
S 77.0.0.0/8 [1/0] via 77.245.x.x
C 77.245.x.x/29 is directly connected, Vlan3
L 77.245.x.x/32 is directly connected, Vlan3
213.121.x.0/32 is subnetted, 1 subnets
S 213.121.x.x is directly connected, Vlan3
I read some posts here that came down to NATing problems, but I'm not sure what to do next. Should I translate my public address to a private address and route it to the loopback? (Just guessing.)
Site-to-site VPN between two ASA 5505s only works in one direction
Hope someone can help. Thanks in advance!
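As an added check (not part of the original post), the script below parses crypto ACL 102 exactly as shown in the `show access-list` output and reports whether a given source/destination pair falls inside the traffic the crypto map protects. The server's public IP is a constructed placeholder, since the post does not give it.

```python
import ipaddress

# ACL 102 exactly as shown by "show access-list" in the post (match counters dropped).
ACL_102 = [
    "10 permit ip 10.0.20.0 0.0.0.15 10.175.0.0 0.0.127.255",
    "20 permit ip 10.0.20.0 0.0.0.15 10.165.0.0 0.0.63.255",
]

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn a Cisco 'address wildcard' pair into a prefix (wildcard bits must be contiguous)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):                      # 0.0.0.15 -> 15, and 15 & 16 == 0: contiguous
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    prefix = 32 - wc.bit_length()          # 15 -> /28, 32767 -> /17, 16383 -> /18
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def parse_ace(line: str):
    """Parse 'SEQ permit ip SRC SRC_WC DST DST_WC' into (seq, src_net, dst_net)."""
    seq, action, proto, src, src_wc, dst, dst_wc = line.split()[:7]
    if action != "permit" or proto != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    return int(seq), wildcard_to_network(src, src_wc), wildcard_to_network(dst, dst_wc)

def protected_by(acl, src: str, dst: str):
    """Return the sequence number of the first ACE covering src->dst, or None.

    A crypto-map ACL is applied mirrored to traffic arriving from the peer, so a
    dst->src flow is checked against the same entries in reverse."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, src_net, dst_net in map(parse_ace, acl):
        if (s in src_net and d in dst_net) or (s in dst_net and d in src_net):
            return seq
    return None

if __name__ == "__main__":
    REMOTE_HOST = "10.165.29.39"      # right-hand device pinged in the post
    SERVER_PUBLIC = "198.51.100.10"   # constructed placeholder for the server's public IP
    print("loopback -> remote:", protected_by(ACL_102, "10.0.20.1", REMOTE_HOST))    # 20
    print("remote -> server  :", protected_by(ACL_102, REMOTE_HOST, SERVER_PUBLIC))  # None
    print("remote -> NATed   :", protected_by(ACL_102, REMOTE_HOST, "10.0.20.2"))    # 20
```

The middle line is the point: a packet between the remote network and the server's public address matches no crypto ACE in either direction, so the router never hands it to IPsec, while the same packet aimed at an address inside 10.0.20.0/28 (such as a NAT-translated server address) does match entry 20.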