I'm trying to set up a VPN connection from our local rack to our Amazon VPC. Our router/firewall is a Cisco ASA 5505 running software version 9.1(7)23. According to Amazon's documentation, the 5505 has been tested to work for VPN connections, and any software version above 8.2 is supported. But I'm running into some difficulty.
I have configured the ASA according to the sample configuration downloaded from the AWS site. Both AWS and the ASA report that the tunnel exists and is up and running. But I can't seem to get any traffic to actually flow through the tunnel. Looking at the routing table on the ASA, I'm not sure how it is supposed to know to route traffic for our VPC subnet through the VPN. I've been trying to research this and look through the documentation, but so far I haven't found a solution.
I've attached the relevant lines from our ASA configuration (IP addresses redacted). If anyone thinks it would be useful I can post our full configuration, but it's large and unwieldy. Any help would be greatly appreciated!
Thanks.
Edit to add: I've added the only route statement from our ASA, along with the ASA's current routing table. I've also added an image of the VPC route table. For some reason there are two separate route tables attached to the VPC, one of which is labeled "Main".
ASA configuration items related to the VPN
object network obj-SrcNet
subnet 0.0.0.0 0.0.0.0
object network obj-amzn
subnet 10.47.0.0 255.255.0.0
access-list amzn_access_is extended permit ip host 18.x.x.x host 52.x.x.x
access-list amzn_access_is extended permit ip host 18.x.x.x host 52.x.x.x
access-list acl-amzn extended permit ip any 10.47.0.0 255.255.0.0
access-list amzn-filter extended deny ip any any
access-list amzn-filter extended permit ip 10.47.0.0 255.255.0.0 192.168.0.0 255.255.255.0
nat (inside,outside) source static obj-SrcNet obj-SrcNet destination static obj-amzn obj-amzn
icmp permit any outside
sysopt connection tcpmss 1379
sla monitor 1
type echo protocol ipIcmpEcho 10.47.1.148 interface outside
frequency 5
sla monitor schedule 1 life forever start-time now
crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac
crypto ipsec security-association replay window-size 128
crypto ipsec df-bit clear-df outside
crypto map amzn_vpn_map 11 match address acl-amzn
crypto map amzn_vpn_map 11 set pfs
crypto map amzn_vpn_map 11 set peer 18.x.x.x 18.x.x.x
crypto map amzn_vpn_map 11 set ikev1 transform-set transform-amzn
crypto map amzn_vpn_map 11 set security-association lifetime seconds 3600
crypto map amzn_vpn_map interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 200
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac
tunnel-group 18.x.x.x type ipsec-l2l
tunnel-group 18.x.x.x general-attributes
default-group-policy filter
tunnel-group 18.x.x.x ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 10 retry 10
tunnel-group 18.x.x.x type ipsec-l2l
tunnel-group 18.x.x.x general-attributes
default-group-policy filter
tunnel-group 18.x.x.x ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 10 retry 10
group-policy filter internal
group-policy filter attributes
vpn-filter value amzn-filter
ASA route statement
route outside 0.0.0.0 0.0.0.0 54.144.x.x 1
Routing table from the ASA
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 54.144.x.x to network 0.0.0.0
C 192.168.8.0 255.255.255.0 is directly connected, failover
C 52.144.x.x 255.255.255.240 is directly connected, outside
C 192.168.0.0 255.255.255.0 is directly connected, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 54.144.x.x, outside
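One thing worth checking on a policy-based ASA tunnel that is "up" but passes no traffic is the access lists themselves: the crypto map ACL (acl-amzn) selects which traffic is encrypted, and the vpn-filter ACL (amzn-filter) is evaluated first-match, like every ASA ACL, with the remote (VPC) network as source and the local network as destination. The following is an added example, not code from the question or from AWS or Cisco: a small first-match ACL evaluator run over a constructed copy of the three parseable access-list lines from the configuration above (the two lines with masked 18.x.x.x / 52.x.x.x hosts are left out because their addresses are redacted). It reports, for a sample local host 192.168.0.10 and the VPC host 10.47.1.148 that the SLA monitor pings, which ACE matches in each direction, and it flags any ACE that is shadowed by an earlier, broader ACE. The sample IPs and the helper names are assumptions made for the example.

```python
import ipaddress

# Constructed copy of the parseable ACL lines from the question (not a live config dump).
ASA_ACL_LINES = """
access-list acl-amzn extended permit ip any 10.47.0.0 255.255.0.0
access-list amzn-filter extended deny ip any any
access-list amzn-filter extended permit ip 10.47.0.0 255.255.0.0 192.168.0.0 255.255.255.0
"""


def _parse_addr(tokens):
    """Consume one ASA address spec from the token list: 'any', 'host A.B.C.D', or 'NET MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)  # ASA extended ACLs use a normal subnet mask, not a wildcard
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_acls(text):
    """Return {acl_name: [(action, src_net, dst_net), ...]} in configured order."""
    acls = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "access-list" or parts[2] != "extended":
            continue
        name, action, proto = parts[1], parts[3], parts[4]
        if proto != "ip":
            raise ValueError(f"only 'ip' ACEs are handled by this example: {line}")
        rest = parts[5:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        acls.setdefault(name, []).append((action, src, dst))
    return acls


def evaluate(acl, src_ip, dst_ip):
    """First-match evaluation, as the ASA does. Returns (action, ace_index);
    ace_index is None for the implicit deny at the end of the list."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, (action, src_net, dst_net) in enumerate(acl):
        if s in src_net and d in dst_net:
            return action, i
    return "deny", None


def shadowed_aces(acl):
    """Return (ace_index, shadowing_index) pairs where an earlier ACE fully covers a later one,
    so the later ACE can never be reached under first-match evaluation."""
    found = []
    for i, (_, src_i, dst_i) in enumerate(acl):
        for j in range(i):
            _, src_j, dst_j = acl[j]
            if src_i.subnet_of(src_j) and dst_i.subnet_of(dst_j):
                found.append((i, j))
                break
    return found


def check_tunnel_path(acls, local_ip, remote_ip):
    """Evaluate the crypto ACL (local -> remote) and the vpn-filter (remote -> local,
    the convention the ASA uses for vpn-filter ACLs) for one local/remote host pair."""
    return {
        "crypto_match": evaluate(acls["acl-amzn"], local_ip, remote_ip),
        "vpn_filter": evaluate(acls["amzn-filter"], remote_ip, local_ip),
        "vpn_filter_shadowed": shadowed_aces(acls["amzn-filter"]),
    }


if __name__ == "__main__":
    parsed = parse_acls(ASA_ACL_LINES)
    result = check_tunnel_path(parsed, "192.168.0.10", "10.47.1.148")
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the lines above, the crypto ACL matches the local-to-VPC flow on its first ACE (so the traffic is selected for encryption), but the vpn-filter returns deny on ACE 0, and ACE 1 (the permit) is reported as shadowed by ACE 0: under first-match evaluation a `deny ip any any` placed before the permit means no tunnel traffic is ever permitted by the filter. The same evaluator can be pointed at any other extended `ip` ACL to see which entry a given flow hits.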