ASA point-to-multipoint direct VPN

savi_bj
Level 1
Everyone:
With a point-to-multipoint VPN, how do the branch offices reach each other?
11 replies

YilinChen
Spotlight
Have you heard of DMVPN?

RenxChen
Spotlight
There is also MPLS :)

savi_bj
Level 1
new-asa(config)# sh crypto ipsec sa
interface: outside
Crypto map tag: csd, seq num: 13, local addr: 122.115.45.XX
access-list vpn-new permit ip 172.16.30.0 255.255.255.0 172.16.10.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.30.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
current_peer: 140.210.5.XXX
#pkts encaps: 92, #pkts encrypt: 92, #pkts digest: 92
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 92, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 122.115.45.XX, remote crypto endpt.: 140.210.5.XX
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: BC2F1E8B
inbound esp sas:
spi: 0x4289D274 (1116328564)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 610304, crypto-map: csd
sa timing: remaining key lifetime (kB/sec): (3915000/28709)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xBC2F1E8B (3157204619)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 610304, crypto-map: csd
sa timing: remaining key lifetime (kB/sec): (3914992/28709)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Why is it that the tunnel is established, but the two sides still can't ping each other?
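To read counters like the ones in this post mechanically, here is an added example in Python; it is not code from the thread or from Cisco. It parses the identity and packet-counter lines out of `show crypto ipsec sa` text, classifies each SA from its encaps/decaps counters, and, when the same command's output from the far peer is also available, correlates the two ends to say where the packets stop. The two sample outputs embedded in the block are constructed (documentation addresses, same shape as the poster's output), and the function names are my own.

```python
import re
import ipaddress

# Constructed sample: the identity and counter lines of an ASA
# "show crypto ipsec sa" entry, in the same shape as the output posted in
# the thread. Addresses are documentation placeholders, not the poster's.
SAMPLE_A = """\
interface: outside
    Crypto map tag: csd, seq num: 13, local addr: 192.0.2.1

      access-list vpn-new permit ip 172.16.30.0 255.255.255.0 172.16.10.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.16.30.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
      current_peer: 198.51.100.7

      #pkts encaps: 92, #pkts encrypt: 92, #pkts digest: 92
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

# Constructed sample for the far end of the same tunnel: it decrypts what
# side A sends but has encrypted nothing in return.
SAMPLE_B = """\
interface: outside
    Crypto map tag: csd, seq num: 13, local addr: 198.51.100.7

      local ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.30.0/255.255.255.0/0/0)
      current_peer: 192.0.2.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 92, #pkts decrypt: 92, #pkts verify: 92
"""

_PEER = re.compile(r"current_peer:\s*(\S+)")
_IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\):\s*"
                    r"\((\S+?)/(\S+?)/\d+/\d+\)")
_COUNTER = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")


def parse_sa_entries(text):
    """Split 'show crypto ipsec sa' output into one dict per SA entry.

    Each dict holds the peer address, the local/remote proxy identities as
    ip_network objects, and the encaps/decaps packet counters.
    """
    entries = []
    for chunk in re.split(r"(?m)^\s*Crypto map tag:", text)[1:]:
        entry = {"peer": None, "local": None, "remote": None,
                 "encaps": 0, "decaps": 0}
        peer = _PEER.search(chunk)
        if peer:
            entry["peer"] = peer.group(1)
        for side, addr, mask in _IDENT.findall(chunk):
            entry[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        for name, value in _COUNTER.findall(chunk):
            entry[name] = int(value)
        entries.append(entry)
    return entries


def diagnose(entry):
    """Classify one SA from its counters, the way an operator reads them."""
    if entry["encaps"] > 0 and entry["decaps"] == 0:
        return "one-way"          # we encrypt and send; nothing comes back
    if entry["encaps"] == 0 and entry["decaps"] > 0:
        return "one-way-inbound"  # we receive and decrypt; we never reply
    if entry["encaps"] == 0 and entry["decaps"] == 0:
        return "idle"             # SA exists but no interesting traffic matched
    return "bidirectional"


def correlate(a, b):
    """Read both ends of one tunnel together to localise a one-way failure.

    a and b are the parsed entries for the same tunnel taken from the two
    peers. Returns a list of findings in plain language.
    """
    findings = []
    if not (a["local"] == b["remote"] and a["remote"] == b["local"]):
        findings.append("proxy identities are not mirror images")
    if a["encaps"] > 0 and b["decaps"] == 0:
        findings.append("A encrypts and sends, but B never decapsulates: "
                        "packets are lost between the peers")
    if b["decaps"] > 0 and b["encaps"] == 0:
        findings.append("B decrypts A's packets but sends nothing back: "
                        "the reply is dropped or never routed into the tunnel on B")
    if not findings:
        findings.append("both directions carry traffic")
    return findings


if __name__ == "__main__":
    a = parse_sa_entries(SAMPLE_A)[0]
    b = parse_sa_entries(SAMPLE_B)[0]
    print("A:", diagnose(a), "| B:", diagnose(b))
    for line in correlate(a, b):
        print("-", line)
```

The encaps 92 / decaps 0 pattern in the post is the "one-way" case: this side encrypts and sends, but nothing returns through the SA. Taking the same output from the far peer distinguishes the two usual causes: its decaps counter is also zero (the packets are lost between the peers), or its decaps counter is non-zero while its encaps stays at zero (it receives and decrypts, but the reply never enters the tunnel, which is what a blocking interface ACL or a missing route on that side looks like).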

savi_bj
Level 1
YilinChen posted on 2017-10-27 16:29
Have you heard of DMVPN?

Hello. What I set up is IPsec: the headquarters and the two branches can all communicate. Then I pointed the branches at each other as well; the tunnel also comes up, but they just can't ping each other.
new-asa(config)# sh crypto ipsec sa
interface: outside
Crypto map tag: csd, seq num: 13, local addr:
access-list vpn-new permit ip 172.16.30.0 255.255.255.0 172.16.10.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.30.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
current_peer:
#pkts encaps: 92, #pkts encrypt: 92, #pkts digest: 92
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 92, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 122., remote crypto endpt.: 140
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: BC2F1E8B
inbound esp sas:
spi: 0x4289D274 (1116328564)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 610304, crypto-map: csd
sa timing: remaining key lifetime (kB/sec): (3915000/28709)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xBC2F1E8B (3157204619)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 610304, crypto-map: csd
sa timing: remaining key lifetime (kB/sec): (3914992/28709)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

13nash
Level 8
DMVPN, but I think only Cisco routers support it.

fortune
VIP Alumni
Go with DMVPN; as long as the interesting traffic includes the network segments of each branch, it works.

savi_bj
Level 1
The traffic on the inside interface needs to be opened up.

RenxChen
Spotlight
duxingxia posted on 2017-10-27 18:15
Hello. What I set up is IPsec: the headquarters and the two branches can all communicate. Then I pointed the branches at each other as well; the tunnel also comes up, but ...

I tried to picture it; the packet-tracer tool on the firewall should be able to trace what happens to the ICMP packets.
The normal result should be:
Result:
Action: allow
If any stage shows failed, check that stage specifically.
ICMP packets are somewhat special.

savi_bj
Level 1
Yes, the traffic on the inside interface needs to be opened up.

Yanli Sun
Community Manager
Thanks for sharing. If your problem has been resolved, please remember to mark the best answer. Thank you.