16493 views, 0 helpful, 21 replies

H3C MSR5006 and Cisco ASA 5506 IPsec VPN problem, urgent help needed

httpurl (Level 1)
Last edited by httpurl on 2017-9-19 08:38
Our company's main router is an H3C MSR5006, which uses IPsec VPN to connect the Suzhou office and the Hong Kong office so that the internal networks can reach each other. The office devices are Cisco ASA 5506-X. The problem I am running into: the company-to-Hong Kong VPN is normal, the Suzhou-to-Hong Kong VPN is normal, but the company-to-Suzhou VPN is abnormal. When I ping, the H3C web page shows that the tunnel is established and that packets are being sent, but none are received; on the Suzhou VPN I see packets received but none sent. I am asking the experts for advice, because in my test environment everything works. Headache....
Environment: company H3C MSR5006, G0/1 address A.A.A.A, VPN to Suzhou: abnormal
G0/2 address B.B.B.B, VPN to Hong Kong: normal

Suzhou Cisco ASA5506, address S.S.S.S, VPN to company: abnormal
VPN to Hong Kong: normal

Hong Kong Cisco ASA5506, address X.X.X.X, VPN to Suzhou: normal
VPN to company: normal
VPN tunnel status is as follows: only the company's packets are visible; Suzhou shows no packets at all
1. Company (screenshot of tunnel status)
2. Suzhou (screenshot of tunnel status)
All sites use point-to-point IPsec VPN. The configurations are as follows:
H3C MSR5006
sysname H3C
#
clock timezone #Web#8#01 add 08:00:00
#
undo copyright-info enable
#
l2tp enable
#
firewall enable
firewall fragments-inspect
#
nat address-group 1 a.a.a.a
#
domain default enable system
#
dns proxy enable
dns server 218.2.135.1
dns server 61.147.37.1
dns server 221.6.4.67
dns server 8.8.8.8
dns server 8.8.4.4
#
telnet server enable

acl number 3003 name ipsec-danyang-HK   (Hong Kong)
rule 1 permit ip source 192.168.116.0 0.0.0.255 destination 172.24.16.0 0.0.3.255
rule 2 permit ip source 192.168.116.0 0.0.0.255 destination 172.24.32.0 0.0.3.255
rule 3 permit ip source 192.168.116.0 0.0.0.255 destination 172.24.48.0 0.0.3.255
rule 4 permit ip source 192.168.116.0 0.0.0.255 destination 172.24.96.0 0.0.3.255
rule 5 permit ip source 192.168.116.0 0.0.0.255 destination 172.24.112.0 0.0.3.255
rule 6 permit ip source 192.168.116.0 0.0.0.255 destination 172.25.48.0 0.0.3.255
rule 7 permit ip source 192.168.116.0 0.0.0.255 destination 172.25.64.0 0.0.3.255
rule 8 permit ip source 192.168.116.0 0.0.0.255 destination 172.25.96.0 0.0.3.255
rule 9 permit ip source 192.168.116.0 0.0.0.255 destination 172.25.16.0 0.0.3.255
rule 10 permit ip source 192.168.116.0 0.0.0.255 destination 172.25.32.0 0.0.3.255
rule 11 permit ip source 192.168.116.0 0.0.0.255 destination 172.25.112.0 0.0.3.255

acl number 3004 name ipsec-danyang-suzhou   (Suzhou)
rule 1 permit ip source 192.168.116.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

#
ike proposal 1
encryption-algorithm aes-cbc 256
dh group2
authentication-algorithm md5
#
ike proposal 2
encryption-algorithm aes-cbc 256
dh group2
authentication-algorithm md5
#
ike peer danyang
proposal 1
pre-shared-key cipher $c$3$+ZV+GT+4wp8f5neCQFIEQXy76qZvbs3ou7t3gw==
remote-address x.x.x.x   (Hong Kong)
nat traversal
#
ike peer suzhou
proposal 2
pre-shared-key cipher $c$3$QyGjdpSUAigaFmqRHyHT9z6hIUTLJTh/
remote-address s.s.s.s   (Suzhou)
nat traversal
#
ipsec proposal danyang
esp encryption-algorithm aes 256
#
ipsec proposal suzhou
esp encryption-algorithm aes 256
#
ipsec policy 1048577 1 isakmp   (Suzhou)
connection-name suzhou
security acl 3004
ike-peer suzhou
proposal suzhou
sa duration traffic-based 4608000
sa duration time-based 28800
#
ipsec policy 1048578 1 isakmp   (Hong Kong)
connection-name danyang
security acl 3003
ike-peer danyang
proposal danyang
sa duration traffic-based 4608000
sa duration time-based 28800
#
attack-defense policy 86 interface GigabitEthernet0/1   (flow control)
signature-detect action drop-packet
signature-detect fraggle enable
signature-detect land enable
signature-detect winnuke enable
signature-detect tcp-flag enable
signature-detect icmp-unreachable enable
signature-detect icmp-redirect enable
signature-detect tracert enable
signature-detect smurf enable
signature-detect source-route enable
signature-detect route-record enable
signature-detect large-icmp enable
defense scan enable
defense scan add-to-blacklist
defense syn-flood enable
defense syn-flood action drop-packet
defense udp-flood enable
defense udp-flood action drop-packet
defense icmp-flood enable
defense icmp-flood action drop-packet
#
attack-defense policy 87   (flow control)
signature-detect action drop-packet
signature-detect fraggle enable
signature-detect land enable
signature-detect winnuke enable
signature-detect tcp-flag enable
signature-detect icmp-unreachable enable
signature-detect icmp-redirect enable
signature-detect tracert enable
signature-detect smurf enable
signature-detect source-route enable
signature-detect route-record enable
signature-detect large-icmp enable
defense scan enable
defense scan add-to-blacklist
defense syn-flood enable
defense syn-flood action drop-packet
defense udp-flood enable
defense udp-flood action drop-packet
defense icmp-flood enable
defense icmp-flood action drop-packet
#
interface GigabitEthernet0/1
port link-mode route
description it
nat outbound
ip address a.a.a.a 255.255.255.224   (WAN address, link to Suzhou)
dar enable
dar protocol-statistic flow-interval 10
ipsec no-nat-process enable
ipsec policy 1048577
mirroring-group 1 mirroring-port both
attack-defense apply policy 86
flow-statistic enable inbound
flow-statistic enable outbound
ip flow-ordering external

#
interface GigabitEthernet0/2
port link-mode route
description liantong
nat outbound
ip address b.b.b.b 255.255.255.192   (link to Hong Kong)
dar enable
dar protocol-statistic flow-interval 10
ipsec no-nat-process enable
ipsec policy 1048578
mirroring-group 1 mirroring-port both
attack-defense apply policy 87
flow-statistic enable inbound
flow-statistic enable outbound
ip flow-ordering external
#

Suzhou Cisco ASA 5506
: Serial Number: JAD20220ELA
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.6(1)
!
interface GigabitEthernet1/1   (Suzhou WAN address)
nameif OUTSIDE
security-level 0
ip address S.S.S.S
!
interface GigabitEthernet1/2   (Suzhou LAN address)
nameif INSIDE
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name zennioptical.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NET.IN-192.168.1.0-24
subnet 192.168.1.0 255.255.255.0
object network 192.168.116.10
host 192.168.116.10
object network NETWORK_OBJ_192.168.1.0_24   (local LAN)
subnet 192.168.1.0 255.255.255.0
object network 192.168.116.0
subnet 192.168.116.0 255.255.255.0
object-group network NET-IP-RACKSPACE-HK   (Hong Kong LAN)
network-object 172.25.112.0 255.255.252.0
network-object 172.25.16.0 255.255.252.0
network-object 172.25.32.0 255.255.252.0
network-object 172.25.48.0 255.255.252.0
network-object 172.25.64.0 255.255.252.0
network-object 172.25.96.0 255.255.252.0
network-object 172.24.16.0 255.255.252.0
network-object 172.24.32.0 255.255.252.0
network-object 172.24.48.0 255.255.252.0
network-object 172.24.96.0 255.255.252.0
network-object 172.24.112.0 255.255.252.0
object-group network net-danyang   (company LAN)
network-object object 192.168.116.0
access-list OUTSIDE remark ALLOWANCE FOR TRACEROUTE
access-list OUTSIDE extended permit icmp any any source-quench
access-list OUTSIDE extended permit icmp any any echo-reply
access-list OUTSIDE extended permit icmp any any time-exceeded
access-list OUTSIDE extended permit icmp any any unreachable
access-list OUTSIDE remark IP SECTION BEGINS
access-list OUTSIDE remark -
access-list OUTSIDE extended permit ip host 2.2.2.2 any
access-list OUTSIDE extended permit ip 1.1.1.10 any
access-list OUTSIDE extended permit icmp any any
access-list OUTSIDE remark -
access-list OUTSIDE remark UDP SECTION BEGINS
access-list OUTSIDE remark -
access-list OUTSIDE remark -
access-list OUTSIDE remark -
access-list OUTSIDE remark -
access-list OUTSIDE remark TCP SECTION BEGINS
access-list OUTSIDE remark TCP SECTION BEGINS
access-list OUTSIDE remark -
access-list OUTSIDE remark -
access-list OUTSIDE remark -
access-list OUTSIDE remark -
access-list OUTSIDE_cryptomap extended permit ip object NET.IN-192.168.1.0-24 object-group NET-IP-RACKSPACE-HK
access-list OUTSIDE_cryptomap_1 extended permit ip object NET.IN-192.168.1.0-24 object-group net-danyang
pager lines 24
logging enable
logging asdm debugging
mtu OUTSIDE 1500
mtu INSIDE 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any OUTSIDE
icmp permit any INSIDE
asdm image disk0:/asdm-761.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
(NAT configuration)
nat (INSIDE,OUTSIDE) source static NET.IN-192.168.1.0-24 NET.IN-192.168.1.0-24 destination static NET-IP-RACKSPACE-HK NET-IP-RACKSPACE-HK no-proxy-arp route-lookup   (Hong Kong)
nat (INSIDE,OUTSIDE) source static NET.IN-192.168.1.0-24 NET.IN-192.168.1.0-24 destination static net-danyang net-danyang no-proxy-arp route-lookup   (company)
!
object network NET.IN-192.168.1.0-24
nat (INSIDE,OUTSIDE) dynamic interface
access-group OUTSIDE in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 3.3.3.3 1   (WAN default route)
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
(management access from the WAN)
http server enable
http 192.168.1.0 255.255.255.0 INSIDE
http 1.1.1.10.0 255.255.255.0 OUTSIDE
http 1.1.1.1 255.255.255.255 OUTSIDE
http 1.1.1.1 255.255.255.224 OUTSIDE
snmp-server host OUTSIDE 1.1.1.1 community *****
snmp-server host OUTSIDE 1.1.1.1 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5

IKE negotiation:
Suzhou to Hong Kong uses ESP-AES-256-SHA, with both IKEv1 and IKEv2 enabled
Suzhou to company uses ESP-AES-256-MD5, IKEv1 only
Company to Hong Kong uses ESP-AES-256-MD5, IKEv1 only
In testing I tried the two tunnels with the same and with different IKE encryption; in both cases the tunnel came up, but Suzhou sent no return packets.

crypto ipsec security-association pmtu-aging infinite
crypto map OUTSIDE_map 1 match address OUTSIDE_cryptomap
crypto map OUTSIDE_map 1 set peer x.x.x.x   (points to the Hong Kong address)
crypto map OUTSIDE_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map OUTSIDE_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map OUTSIDE_map 2 match address OUTSIDE_cryptomap_1
crypto map OUTSIDE_map 2 set peer a.a.a.a   (points to the company address)
crypto map OUTSIDE_map 2 set ikev1 transform-set ESP-AES-256-MD5
crypto map OUTSIDE_map interface OUTSIDE
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable OUTSIDE
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 200
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400
telnet timeout 5
no ssh stricthostkeycheck

dhcpd dns 3.3.3.3   (DNS is the ISP gateway)
!
dhcpd address 192.168.1.5-192.168.1.254 INSIDE
dhcpd enable INSIDE
!
group-policy GroupPolicy_xianggang internal
group-policy GroupPolicy_xianggang attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1
dynamic-access-policy-record DfltAccessPolicy
username guestmin password VNM4zYPEVwZEDQOd encrypted privilege 15
username joe password 9d0Zbb5vniFMEC2t encrypted privilege 15
username tan password wf7On0i5n41YhRUJ encrypted privilege 15
username davidsm password sRzlsSdAfQ.ImAFl encrypted privilege 15
username itadmin password AJi448PhOZIXFSyj encrypted privilege 15

tunnel-group x.x.x.x type ipsec-l2l   (Hong Kong tunnel)
tunnel-group x.x.x.x general-attributes
default-group-policy GroupPolicy_xianggang
tunnel-group x.x.x.x ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group a.a.a.a type ipsec-l2l   (company tunnel)
tunnel-group a.a.a.a general-attributes
default-group-policy GroupPolicy1
tunnel-group a.a.a.a ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive disable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:a647868a5d45d9af6bee841097a52f46
: end

1 accepted solution

Accepted solution

jingjian (Spotlight)
Last edited by arvinjing on 2017-9-14 17:29
httpurl posted on 2017-9-14 16:24:
I looked around and saw that the ASA does PAT on the internal addresses out to the WAN; could that have an effect?

object network NETWORK_OBJ_192.168.1.0_24   (local LAN)
subnet 192.168.1.0 255.255.255.0
Use this object for the PAT,
and delete the following statements:
object network NET.IN-192.168.1.0-24
nat (INSIDE,OUTSIDE) dynamic interface
I have confirmed in a test environment that PAT and NAT exemption need to use different objects, even when they represent the same address.
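The pattern the accepted answer identifies (one network object carrying both the dynamic PAT and the identity twice-NAT exemption) can be caught by a config lint before a tunnel is brought up. The Python below is an added example, not code from the thread and not Cisco tooling: it reads an ASA running-config excerpt, records which objects are the source of a `nat (A,B) source static X X [destination static Y Y]` identity rule and which objects have a `nat (...) dynamic ...` object-NAT under them, and reports any object in both sets. The two config strings are constructed here, modelled on the Suzhou config above: BEFORE reproduces the shared object, AFTER moves the PAT onto NETWORK_OBJ_192.168.1.0_24 as the answer recommends.

```python
import re
from collections import defaultdict

# Constructed excerpts modelled on the Suzhou ASA config in this thread
# (not the poster's actual running-config).
BEFORE_CFG = """\
object network NET.IN-192.168.1.0-24
 subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
object network 192.168.116.0
 subnet 192.168.116.0 255.255.255.0
nat (INSIDE,OUTSIDE) source static NET.IN-192.168.1.0-24 NET.IN-192.168.1.0-24 destination static 192.168.116.0 192.168.116.0 no-proxy-arp route-lookup
!
object network NET.IN-192.168.1.0-24
 nat (INSIDE,OUTSIDE) dynamic interface
"""

# Same excerpt after applying the accepted answer: PAT on its own object.
AFTER_CFG = """\
object network NET.IN-192.168.1.0-24
 subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
object network 192.168.116.0
 subnet 192.168.116.0 255.255.255.0
nat (INSIDE,OUTSIDE) source static NET.IN-192.168.1.0-24 NET.IN-192.168.1.0-24 destination static 192.168.116.0 192.168.116.0 no-proxy-arp route-lookup
!
object network NETWORK_OBJ_192.168.1.0_24
 nat (INSIDE,OUTSIDE) dynamic interface
"""

# Manual (twice) NAT at top level; an optional sequence number may follow the interfaces.
TWICE_NAT = re.compile(
    r"^nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)\s+(?:\d+\s+)?"
    r"source static (?P<src_real>\S+) (?P<src_mapped>\S+)"
    r"(?:\s+destination static (?P<dst_real>\S+) (?P<dst_mapped>\S+))?"
)
# Object (auto) NAT: an indented nat line under "object network <name>".
OBJECT_NAT = re.compile(r"^\s+nat \([^)]+\)\s+(?P<kind>dynamic|static)\s+(?P<mapped>\S+)")


def parse_nat(cfg):
    """Return (exempt_objects, object_nat): the set of object names that are the
    source of an identity twice-NAT rule, and a map from object name to the
    object-NAT lines configured under it."""
    exempt = set()
    object_nat = defaultdict(list)
    current = None
    for line in cfg.splitlines():
        if line.startswith("object network "):
            current = line.split(maxsplit=2)[2]
            continue
        m = TWICE_NAT.match(line)
        if m:
            # Identity rule: real and mapped names are equal on both sides.
            same_src = m["src_real"] == m["src_mapped"]
            same_dst = m["dst_real"] is None or m["dst_real"] == m["dst_mapped"]
            if same_src and same_dst:
                exempt.add(m["src_real"])
            continue
        m = OBJECT_NAT.match(line)
        if m and current:
            object_nat[current].append(line.strip())
    return exempt, dict(object_nat)


def shared_nat_objects(cfg):
    """Names of objects used both for NAT exemption and for object NAT (PAT)."""
    exempt, object_nat = parse_nat(cfg)
    return sorted(exempt & set(object_nat))


def lint(cfg):
    """Human-readable findings; an empty list means the pattern is absent."""
    exempt, object_nat = parse_nat(cfg)
    return [f"{name}: used for NAT exemption and also carries object NAT '{rule}'"
            for name in sorted(exempt & set(object_nat))
            for rule in object_nat[name]]


if __name__ == "__main__":
    for label, cfg in (("BEFORE", BEFORE_CFG), ("AFTER", AFTER_CFG)):
        print(label, lint(cfg) or ["ok"])
```

Run it against `show running-config nat` plus the `object network` definitions; an empty result from `lint()` means every exemption object is distinct from every object carrying a PAT, which is the state the answer describes as working.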

21 replies


httpurl (Level 1)
Looking for an answer, waiting online, thanks!!!!!

jingjian (Spotlight)
You have already defined the object:
object network 192.168.116.0
subnet 192.168.116.0 255.255.255.0
object-group network net-danyang
network-object object 192.168.116.0   I don't think it is necessary to define an object-group as well
access-list OUTSIDE_cryptomap_1 extended permit ip object NET.IN-192.168.1.0-24 object-group net-danyang
change to: object 192.168.116.0
nat (INSIDE,OUTSIDE) source static NET.IN-192.168.1.0-24 NET.IN-192.168.1.0-24 destination static net-danyang net-danyang no-proxy-arp route-lookup
also change to 192.168.116.0
This configuration may be a bit more concise; of course, I think your configuration is fine too.

httpurl (Level 1)
arvinjing posted on 2017-9-14 13:03:
You have already defined the object:
object network 192.168.116.0
subnet 192.168.116.0 255.255.255.0

Then it is very strange; why does it not work? By the way, the H3C device originally had an IP POOL address pool defined, 192.168.10.-192.168.1.253.
When the tunnel was being built the ASA reported an error saying the address pool conflicted. Could that be the problem? I did not reboot the ASA afterwards; I just removed the address pool on the H3C with "no".

jingjian (Spotlight)
httpurl posted on 2017-9-14 13:25:
Then it is very strange; why does it not work? By the way, the H3C device originally had an IP POOL address pool defined, 192.168.10.-192.168. ...

The 192.168.1.0/24 segment conflicts with the ASA5506's inside address. You need to check again on the H3C device whether there is any other related configuration. You can shut down the ASA outside interface and then no shutdown it; the VPN tunnel will be re-established. If conditions allow, it is best to reboot the ASA.

httpurl (Level 1)
arvinjing posted on 2017-9-14 13:32:
The 192.168.1.0/24 segment conflicts with the ASA5506's inside address. You need to check again on the H3C device whether there is any other related configuration ...

OK, thanks. I will find a way to reboot the device.

jingjian (Spotlight)
Last edited by arvinjing on 2017-9-14 14:43
httpurl posted on 2017-9-14 14:21:
OK, thanks. I will find a way to reboot the device.

The ASA did not manage to send the traffic out, and the H3C device has also received VPN traffic. So the problem is on the ASA side. First check whether phase 1 and phase 2 of the VPN are in a normal state.
Then you can try changing the ACL and NAT configuration:
access-list OUTSIDE_cryptomap_1 extended permit ip object NET.IN-192.168.1.0-24 object-group net-danyang
change to: object 192.168.116.0
nat (INSIDE,OUTSIDE) source static NET.IN-192.168.1.0-24 NET.IN-192.168.1.0-24 destination static net-danyang net-danyang no-proxy-arp route-lookup
also change to 192.168.116.0

fortune (VIP Alumni)
I suggest you reconnect and then look at the logs on the ASA and on the H3C; there will usually be an error message. On the H3C web page also check at which stage IPsec fails. If the traffic on the ASA is not very heavy, I suggest you debug IPsec to see why it is not being established.

httpurl (Level 1)
arvinjing posted on 2017-9-14 14:42:
The ASA did not manage to send the traffic out, and the H3C device has also received VPN traffic. So the problem is on the ASA side. First check whether phase ...

I looked around and saw that the ASA does PAT on the internal addresses out to the WAN; could that have an effect?

httpurl (Level 1)
arvinjing posted on 2017-9-14 14:42:
The ASA did not manage to send the traffic out, and the H3C device has also received VPN traffic. So the problem is on the ASA side. First check whether phase ...

The group is used because other internal addresses will be added later.

jingjian (Spotlight)
httpurl posted on 2017-9-14 16:24:
I looked around and saw that the ASA does PAT on the internal addresses out to the WAN; could that have an effect?

NAT will definitely affect the establishment of the VPN tunnel, because after NAT the ESP information gets modified.
But your configuration already has NAT exemption configured,
so I suggest you change the NAT configuration.
You have already defined the object:
object network 192.168.116.0
subnet 192.168.116.0 255.255.255.0
object-group network net-danyang
network-object object 192.168.116.0   I don't think it is necessary to define an object-group as well
access-list OUTSIDE_cryptomap_1 extended permit ip object NET.IN-192.168.1.0-24 object-group net-danyang
change to: object 192.168.116.0
nat (INSIDE,OUTSIDE) source static NET.IN-192.168.1.0-24 NET.IN-192.168.1.0-24 destination static net-danyang net-danyang no-proxy-arp route-lookup
also change to 192.168.116.0
Reference the object directly, not the object-group.
It is possible that an object-group with only one object has problems.

jingjian (Spotlight)
httpurl posted on 2017-9-14 16:28:
The group is used because other internal addresses will be added later.

I understand; you can enable the object-group once the other addresses have been added.
You could refer to the HK ASA5506's configuration: is it also a single internal address? Does it also use an object-group?
Also re-check that the phase 1 and phase 2 parameters match those on the H3C device.
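The last suggestion above, re-checking that the IKE parameters agree on both ends, can be mechanised so that it is done before every change rather than by eye. The Python below is an added example, not code from the thread or from either vendor: it parses an H3C Comware `ike proposal` block and several ASA `crypto ikev1 policy` blocks into the same fields (encryption, hash, DH group, authentication method, lifetime) and returns the ASA policy numbers that agree with the H3C proposal on the four negotiated parameters. Both snippets are constructed here from the configs posted above, with the ASA list shortened to three of its policies; the Comware defaults filled in for fields that are not printed in a running-config are an assumption of this example, and the lifetime is parsed but deliberately not used for matching.

```python
# Constructed from the H3C config above (not the poster's running-config).
H3C_IKE_PROPOSAL = """\
ike proposal 2
 encryption-algorithm aes-cbc 256
 dh group2
 authentication-algorithm md5
"""

# Three of the ASA ikev1 policies from the Suzhou config above (constructed excerpt).
ASA_IKEV1_POLICIES = """\
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 200
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
"""

# Assumed Comware defaults for fields a running-config does not print.
H3C_DEFAULTS = {"enc": "des", "hash": "sha", "dh": "1", "auth": "pre-share", "lifetime": 86400}


def normalize_enc(tokens):
    """Map 'aes-cbc 256', 'aes-256', 'aes', '3des-cbc' ... onto one spelling.
    A bare 'aes' (ASA) means AES-128."""
    alg = tokens[0].replace("-cbc", "")
    if alg == "aes":
        bits = tokens[1] if len(tokens) > 1 else "128"
        return "aes-" + bits
    return alg


def parse_h3c_proposal(text):
    """One Comware 'ike proposal' block -> normalized field dict."""
    p = dict(H3C_DEFAULTS)
    for line in text.splitlines():
        t = line.split()
        if t[:1] == ["encryption-algorithm"]:
            p["enc"] = normalize_enc(t[1:])
        elif t[:1] == ["authentication-algorithm"]:
            p["hash"] = t[1]
        elif t[:1] == ["authentication-method"]:
            p["auth"] = t[1]
        elif t[:1] == ["dh"]:
            p["dh"] = t[1][len("group"):]          # 'group2' -> '2'
        elif t[:2] == ["sa", "duration"]:
            p["lifetime"] = int(t[2])
    return p


def parse_asa_policies(text):
    """ASA 'crypto ikev1 policy N' blocks -> {N: normalized field dict}."""
    policies = {}
    cur = None
    for line in text.splitlines():
        t = line.split()
        if t[:3] == ["crypto", "ikev1", "policy"]:
            cur = policies.setdefault(int(t[3]), {})
        elif cur is not None and t:
            if t[0] == "encryption":
                cur["enc"] = normalize_enc(t[1].split("-"))   # 'aes-256' -> ['aes','256']
            elif t[0] == "hash":
                cur["hash"] = t[1]
            elif t[0] == "group":
                cur["dh"] = t[1]
            elif t[0] == "authentication":
                cur["auth"] = t[1]
            elif t[0] == "lifetime":
                cur["lifetime"] = int(t[1])
    return policies


def matching_policies(h3c, asa):
    """ASA policy numbers whose enc/hash/DH/auth all equal the H3C proposal's."""
    keys = ("enc", "hash", "dh", "auth")
    return sorted(n for n, p in asa.items() if all(p.get(k) == h3c[k] for k in keys))


if __name__ == "__main__":
    h3c = parse_h3c_proposal(H3C_IKE_PROPOSAL)
    asa = parse_asa_policies(ASA_IKEV1_POLICIES)
    print(h3c, "->", matching_policies(h3c, asa))
```

With the page's values only policy 200 matches (AES-256, MD5, group 2, pre-shared key), which is consistent with the thread's finding that phase 1 comes up and the fault lies in NAT handling rather than in proposal mismatch. The same field-by-field approach extends to phase 2 by comparing the H3C `ipsec proposal` with the ASA transform set bound in the crypto map.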

httpurl (Level 1)
arvinjing posted on 2017-9-14 16:29:
NAT will definitely affect the establishment of the VPN tunnel, because after NAT the ESP information gets modified.
But your configuration already has NAT ...

I used the single address you mentioned, without the group; the problem remains.
The address-pool error I mentioned, reported when creating it:
[WARNING] nat (INSIDE,OUTSIDE) 2 source static NET.IN-192.168.1.0-24 NET.IN-192.168.1.0-24 destination static 192.168.116.0 192.168.116.0 no-proxy-arp route-lookup
Pool (192.168.1.0-192.168.1.255) overlap with existing pool.
WARNING: Pool (192.168.116.0-192.168.116.255) overlap with existing pool.
Please take a look, thanks!!

jingjian (Spotlight)
Last edited by arvinjing on 2017-9-14 17:28
httpurl posted on 2017-9-14 16:50:
I used the single address you mentioned, without the group; the problem remains.
The address-pool error I mentioned, reported when creating it:
[WARNING] nat (INSID ...

I confirmed in a test environment that the NAT configuration is the problem: PAT and NAT exemption should use different objects, even when they both represent the same address.