我们的一个分支机构有一台运行 IOS 15.1 的 Cisco 1921 路由器,该路由器通过 L2L IPsec VPN 连接到总部运行 ASA 7.2 的 ASA5510。ASA 还使用 Cisco VPN 客户端为现场用户提供 IPSec 远程访问 VPN。
该网络看起来像这样:
192.168.14.0/24 - RT - Internet - ASA - 192.168.10.0/24
|----L2L VPN----||
|----RA VPN---- 192.168.10.223-192.168.10.242
(远程访问 VPN 使用 192.168.10.0/24 网络内的地址)
问题是,虽然 RA VPN 用户可以正常访问 192.168.10.0/24(和其他连接的 L2L VPN),但他们无法访问 192.168.14.0/24 网络。
以下是 ASA 配置的一些有趣部分:
interface Ethernet0/0
nameif outside
security-level 0
ip address EXTERNAL_IP 255.255.255.240
!
interface Ethernet0/3
nameif inside
security-level 100
ip address 192.168.10.252 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list acl_in extended permit ip 192.168.8.0 255.255.248.0 192.168.8.0 255.255.248.0
access-list acl_out extended permit ip 192.168.8.0 255.255.248.0 192.168.8.0 255.255.248.0
access-list acl_nonat-inside extended permit ip 192.168.8.0 255.255.248.0 192.168.8.0 255.255.248.0
access-list vpngrint_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list vpngrint_splitTunnelAcl standard permit 192.168.14.0 255.255.255.0
access-list acl_vpn-berlin extended permit ip 192.168.14.0 255.255.255.0 192.168.8.0 255.255.248.0
access-list acl_vpn-berlin extended permit ip 192.168.8.0 255.255.248.0 192.168.14.0 255.255.255.0
ip local pool poolvpnclients 192.168.10.223-192.168.10.242
ip verify reverse-path interface outside
ip verify reverse-path interface web
ip verify reverse-path interface inside
nat-control
global (outside) 1 EXTERNAL_IP
nat (inside) 0 access-list acl_nonat-inside
nat (inside) 1 192.168.10.0 255.255.255.0
access-group acl_out in interface outside
access-group acl_in in interface inside
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 200 match address acl_vpn-berlin
crypto map outside_map 200 set peer IOS_ROUTER_EXTERNAL_IP
crypto map outside_map 200 set transform-set ESP-AES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
group-policy vpngrint internal
group-policy vpngrint attributes
wins-server value 192.168.10.5
dns-server value 192.168.10.5
vpn-simultaneous-logins 2147483647
vpn-idle-timeout 7200
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpngrint_splitTunnelAcl
default-domain value domain.local
split-dns value domain.local domain.com
tunnel-group vpngrint type ipsec-ra
tunnel-group vpngrint general-attributes
address-pool poolvpnclients
default-group-policy vpngrint
tunnel-group vpngrint ipsec-attributes
pre-shared-key SECRET
tunnel-group IOS_ROUTER_EXTERNAL_IP type ipsec-l2l
tunnel-group IOS_ROUTER_EXTERNAL_IP ipsec-attributes
pre-shared-key SECRET
分割隧道 ACL 匹配,192.168.14.0 显示在客户端的路由表中,并且可在客户端的 VPN 接口上捕获传出数据包。它们还显示在我在 ASA 上设置的捕获之一中,但它们未到达 L2L VPN 连接的路由器。nonat ACL 应该匹配,绑定到接口的访问列表和 L2L VPN 的相关流量定义(在隧道的两侧也相同),所以我目前看不出问题可能出在哪里。
asa# sh capture
capture frzberlin type raw-data access-list capture_frzberlin interface outside [Capturing - 280 bytes]
capture frzberlin_inside type raw-data access-list capture_frzberlin interface inside [Capturing - 0 bytes]
asa# sh capture frzberlin
4 packets captured
1: 17:46:41.563508 192.168.10.239.58452 > 192.168.14.1.22: R 1017791382:1017791382(0) ack 2592136529 win 65535
2: 17:46:44.853334 192.168.10.239.58455 > 192.168.14.1.22: R 668258002:668258002(0) ack 1048856085 win 65535
3: 17:46:47.602889 192.168.10.239.58458 > 192.168.14.1.22: R 2479281909:2479281909(0) ack 2603933177 win 65535
4: 17:47:42.913877 192.168.10.239.58490 > 192.168.14.1.22: R 1494613342:1494613342(0) ack 344737469 win 65535
4 packets shown
任何有关调试此问题的想法都将非常感激。
编辑:添加了数据包跟踪器输出:
asa# packet-tracer input outside tcp 192.168.10.238 1337 192.168.14.1 22 detailed
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x481b320, priority=12, domain=capture, deny=false
hits=12333239, user_data=0x49a4ba8, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x3d81c88, priority=1, domain=permit, deny=false
hits=4437186449, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 5
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.10.238 255.255.255.255 outside
Phase: 6
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl_out in interface outside
access-list acl_out extended permit ip 192.168.8.0 255.255.248.0 192.168.8.0 255.255.248.0
Additional Information:
Forward Flow based lookup yields rule:
in id=0x401f738, priority=12, domain=permit, deny=false
hits=9263075, user_data=0x401f6f8, cs_id=0x0, flags=0x0, protocol=0
src ip=192.168.8.0, mask=255.255.248.0, port=0
dst ip=192.168.8.0, mask=255.255.248.0, port=0, dscp=0x0
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x3d84930, priority=0, domain=permit-ip-option, deny=true
hits=115197791, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x4e53c10, priority=79, domain=punt, deny=true
hits=8524, user_data=0x3a2e750, cs_id=0x0, flags=0x0, protocol=0
src ip=192.168.10.238, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x3e43da8, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=396, user_data=0x265722ac, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=192.168.10.238, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x4a2f450, priority=70, domain=encrypt, deny=false
hits=1499, user_data=0x252bccdc, cs_id=0x4729788, reverse, flags=0x0, protocol=0
src ip=192.168.8.0, mask=255.255.248.0, port=0
dst ip=192.168.14.0, mask=255.255.255.0, port=0, dscp=0x0
Phase: 11
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x490a410, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=1547, user_data=0x252c08dc, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=192.168.14.0, mask=255.255.255.0, port=0
dst ip=192.168.8.0, mask=255.255.248.0, port=0, dscp=0x0
Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x3d84930, priority=0, domain=permit-ip-option, deny=true
hits=115197792, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 13
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0x402da30, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x266af5ac, cs_id=0x4729788, reverse, flags=0x0, protocol=0
src ip=192.168.14.0, mask=255.255.255.0, port=0
dst ip=192.168.8.0, mask=255.255.248.0, port=0, dscp=0x0
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (ipsec-spoof) IPSEC Spoof detected