13978 views, 0 helpful, 13 replies

IPsec VPN between an ASA 5555 firewall and a 1921 router cannot be established

q634153517
Level 1
Last edited by q634153517 on 2018-10-30 10:53
As the title says: could an expert point out where the problem is? The configuration is as follows.
ASA configuration
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0
interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ip address 10.136.25.254 255.255.255.0
object network go-internet
 subnet 10.136.0.0 255.255.0.0
object network pat-pool
 range 1.1.1.1 1.1.1.2
object network Inside
 subnet 10.136.64.0 255.255.192.0
object network IDC
 subnet 10.132.0.0 255.255.0.0
access-list out-to-in extended permit icmp any any
access-list out-to-in extended permit ip any any
access-list out-to-in extended permit tcp any any
access-list out-to-in extended permit udp any any
access-list vpn extended permit ip object Inside object IDC
nat (inside,outside) source dynamic go-internet pat-pool pat-pool
nat (inside,outside) source static Inside Inside destination static IDC IDC
access-group out-to-in in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.254
route inside 10.136.0.0 255.255.0.0 10.136.25.1
crypto ipsec ikev1 transform-set To-IDC esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map cry-map 10 match address vpn
crypto map cry-map 10 set peer 2.2.2.2
crypto map cry-map 10 set ikev1 transform-set To-IDC
crypto map cry-map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key 123
Router configuration
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 123 address 1.1.1.1
crypto ipsec transform-set NEW-BJBAK-OA esp-3des esp-md5-hmac
 mode tunnel
crypto map vpnpeer 1 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set NEW-BJBAK-OA
 match address 125
interface GigabitEthernet0/0
 ip address 2.2.2.2 255.255.255.0
 ip access-group DenyPort in
 ip access-group DenyPort out
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map vpnpeer
interface GigabitEthernet0/1
 ip address 10.132.4.1 255.255.252.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 2.2.2.254
ip access-list extended DenyPort
 deny udp any any eq 445 135 netbios-ns netbios-ss 5357
 deny tcp any any eq 445 135 137 139 5357
 permit ip any any
access-list 100 deny ip 10.132.0.0 0.0.255.255 10.136.64.0 0.0.63.255
access-list 100 permit ip 10.132.4.0 0.0.3.255 any
access-list 125 permit ip 10.132.0.0 0.0.255.255 10.136.64.0 0.0.63.255
13 replies

cisco.feng
Spotlight
show crypto isakmp sa
show crypto ipsec sa
Check where it is getting stuck.

q634153517
Level 1
cisco.feng posted on 2018-10-30 12:13
show crypto isakmp sa
show crypto ipsec sa

Nothing is established at all.
ASA-2# sh crypto isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs
ASA-2# sh crypto ipsec sa
There are no ipsec sas
ASA-2#

wuleihen
Spotlight
q634153517 posted on 2018-10-30 12:46
Nothing is established at all.
ASA-2# sh crypto isakmp sa

Your phase 1 has not even come up yet.
show crypto ikev1 sa detail ----- this checks whether phase 1 is established
show crypto ipsec sa detail ----- this checks whether phase 2 has traffic passing through

q634153517
Level 1
wuleihen posted on 2018-10-30 14:42
Your phase 1 has not even come up yet.
show crypto ikev1 sa detail ----- this checks whether phase 1 is established
show crypt ...

That is exactly what I am trying to find out: why it will not establish.

wuleihen
Spotlight
q634153517 posted on 2018-10-30 15:29
That is exactly what I am trying to find out: why it will not establish.

Is the underlying connectivity working??

q634153517
Level 1
wuleihen posted on 2018-10-30 15:54
Is the underlying connectivity working??

After restarting the firewall, traffic initiated from the router side can bring up the VPN and can reach hosts on the firewall side; the reverse direction does not work.

cisco.feng
Spotlight
q634153517 posted on 2018-10-30 20:26
After restarting the firewall, traffic initiated from the router side can bring up the VPN and can reach hosts on the firewall side; the reverse direction does not work.

What ASA version is it?
access-list vpn extended permit ip object Inside object IDC
Don't use objects in the ACL; try changing it to plain ip:
access-list vpn extended permit ip 10.136.64.0 255.255.192.0 10.132.0.0 255.255.0.0

YilinChen
Spotlight
Interesting traffic has to be triggered before communication is established; without traffic, no IPsec VPN session is built.

q634153517
Level 1
YilinChen posted on 2018-10-31 16:59
Interesting traffic has to be triggered before communication is established; without traffic, no IPsec VPN session is built.

It can be triggered from the router side, and I can remote-desktop to the server on the firewall side, but the reverse does not work. :Q

q634153517
Level 1
The cause has been found: it is a NAT problem. nat (inside,outside) source static Inside Inside destination static IDC IDC must be written first, and then nat (inside,outside) source dynamic go-internet pat-pool pat-pool; after that it is OK. Hope this helps others who run into the same problem.
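As an added illustration (not code from any post in this thread), the following Python model walks the two manual NAT rules from the ASA configuration top-down with first-match semantics, then evaluates the crypto ACL "vpn" on the post-NAT source the way the ASA selects interesting traffic; it shows why the originally posted order sends LAN-to-IDC packets out through the PAT pool and never triggers the tunnel from the ASA side, while the order in the solution post does. The test hosts 10.136.70.10 and 10.132.4.50 are constructed values inside the thread's subnets.

```python
"""Model of ASA manual (twice) NAT ordering from the thread, to show why the
identity-NAT exemption must precede the dynamic PAT rule."""
import ipaddress

# Object networks taken from the ASA configuration in the question.
OBJECTS = {
    "go-internet": ipaddress.ip_network("10.136.0.0/16"),
    "Inside": ipaddress.ip_network("10.136.64.0/18"),
    "IDC": ipaddress.ip_network("10.132.0.0/16"),
}
PAT_POOL_IP = "1.1.1.1"  # first address of object pat-pool (range 1.1.1.1-1.1.1.2)


def nat_exempt(src, dst):
    """nat (inside,outside) source static Inside Inside destination static IDC IDC:
    identity NAT, so a matching packet keeps its real source address."""
    if src in OBJECTS["Inside"] and dst in OBJECTS["IDC"]:
        return str(src)
    return None


def nat_pat(src, dst):
    """nat (inside,outside) source dynamic go-internet pat-pool pat-pool:
    any source in go-internet is translated to the PAT pool, whatever the destination."""
    if src in OBJECTS["go-internet"]:
        return PAT_POOL_IP
    return None


def translate(rules, src, dst):
    """Manual NAT rules are evaluated top-down; the first match wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        new_src = rule(src, dst)
        if new_src is not None:
            return new_src
    return str(src)  # no rule matched: the packet leaves untranslated


def matches_crypto_acl(src, dst):
    """access-list vpn extended permit ip object Inside object IDC, checked on
    the post-NAT packet, which is what the crypto map sees on egress."""
    return (ipaddress.ip_address(src) in OBJECTS["Inside"]
            and ipaddress.ip_address(dst) in OBJECTS["IDC"])


def tunnel_triggered(rules, src, dst):
    """True if a packet from src to dst counts as interesting traffic after NAT."""
    return matches_crypto_acl(translate(rules, src, dst), dst)


ORIGINAL_ORDER = [nat_pat, nat_exempt]  # order as posted in the question
FIXED_ORDER = [nat_exempt, nat_pat]     # order from the solution post
```

Internet-bound traffic from the LAN is still PAT'd under the fixed order, since the exemption only matches destinations inside IDC.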

one-time
Level 13
q634153517 posted on 2018-11-2 11:41
The cause has been found: it is a NAT problem. nat (inside,outside) source static Inside Inside destination stat ...

Congratulations on solving the problem; the bounty has been removed for you!

Yanli Sun
Community Manager
q634153517 posted on 2018-11-2 11:41
The cause has been found: it is a NAT problem. nat (inside,outside) source static Inside Inside destination stat ...

Thanks to the original poster for sharing the solution; hopefully it helps more people.