Question about an IPsec VPN issue

Posted 2018-8-10 17:14:32
This post was last edited by wuleihen on 2018-8-10 17:32

The customer has two sites that need to be connected with an IPsec VPN. Site A is a Sangfor VPN appliance and site B is an ASA 5508. After the configuration was finished, testing showed that site A can ping devices inside site B, but site B cannot ping the device addresses at site A. Could an expert please help troubleshoot? The configuration is as follows.

Site A's address ranges are 10.132.0.0 255.255.240.0, 10.133.0.0 255.255.240.0 and 10.137.0.0 255.255.240.0.
Site B's address range is 10.145.0.0 255.255.240.0.


: Hardware:   ASA5508, 8192 MB RAM, CPU Atom C2000 series 2000 MHz, 1 CPU (8 cores)
:
ASA Version 9.8(1)
!
hostname asa

enable password $sha512$5000$Xre5nuZUSefXJxmsCK3WLw==$258TRrfyVQE031EHivl13g== pbkdf2
passwd PmWaOgPwdORk/oke encrypted
names
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address
!
interface GigabitEthernet1/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2.100
vlan 100
nameif wire
security-level 100
ip address 10.145.0.253 255.255.255.0
!
interface GigabitEthernet1/2.102
vlan 102
nameif wireless-guest
security-level 100
ip address 10.145.2.253 255.255.255.0
!
interface GigabitEthernet1/2.103
vlan 103
nameif other-management
security-level 100
ip address 10.145.3.125 255.255.255.128
!
interface GigabitEthernet1/2.104
vlan 104
nameif management
security-level 100
ip address 10.145.3.254 255.255.255.128
!
interface GigabitEthernet1/2.105
vlan 105
nameif wireless-employeer
security-level 100
ip address 10.145.1.253 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network wire
subnet 10.145.0.0 255.255.255.0
object network wireless-employeer
subnet 10.145.1.0 255.255.255.0
object network other-management
subnet 10.145.3.0 255.255.255.128
object network management
subnet 10.145.3.128 255.255.255.128
object network wireless-guest
subnet 10.145.2.0 255.255.255.0
object network local-lan
subnet 10.145.0.0 255.255.240.0
object network remote
subnet 10.132.0.0 255.255.240.0
object network remote-df
subnet 10.137.0.0 255.255.240.0
object network remote-usa
subnet 10.133.0.0 255.255.240.0
access-list ipsecvpn extended permit ip object management object remote
access-list ipsecvpn extended permit ip object management object remote-df
access-list ipsecvpn extended permit ip object management object remote-usa
access-list ipsecvpn extended permit ip object wireless-employeer object remote-df
access-list ipsecvpn extended permit ip object wireless-employeer object remote
access-list ipsecvpn extended permit ip object wireless-employeer object remote-usa
access-list ipsecvpn extended permit ip object wire object remote
access-list ipsecvpn extended permit ip object wire object remote-df
access-list ipsecvpn extended permit ip object wire object remote-usa
access-list ipsecvpn extended permit ip object other-management object remote
access-list ipsecvpn extended permit ip object other-management object remote-df
access-list ipsecvpn extended permit ip object other-management object remote-usa
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu wire 1500
mtu wireless-employeer 1500
mtu wireless-guest 1500
mtu other-management 1500
mtu management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (other-management,outside) source static other-management other-management destination static remote remote no-proxy-arp route-lookup
nat (management,outside) source static management management destination static remote remote no-proxy-arp route-lookup
nat (management,outside) source static management management destination static remote-df remote-df no-proxy-arp route-lookup
nat (management,outside) source static management management destination static remote-usa remote-usa no-proxy-arp route-lookup
nat (wireless-employeer,outside) source static wireless-employeer wireless-employeer destination static remote remote no-proxy-arp route-lookup
nat (wireless-employeer,outside) source static wireless-employeer wireless-employeer destination static remote-df remote-df no-proxy-arp route-lookup
nat (wireless-employeer,outside) source static wireless-employeer wireless-employeer destination static remote-usa remote-usa no-proxy-arp route-lookup
nat (other-management,outside) source static other-management other-management destination static remote-df remote-df no-proxy-arp route-lookup
nat (other-management,outside) source static other-management other-management destination static remote-usa remote-usa no-proxy-arp route-lookup
nat (wire,outside) source static wire wire destination static remote remote no-proxy-arp route-lookup
nat (wire,outside) source static wire wire destination static remote-df remote-df no-proxy-arp route-lookup
nat (wire,outside) source static wire wire destination static remote-usa remote-usa no-proxy-arp route-lookup
!
object network obj_any
nat (any,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 ****** 1
route management 10.128.0.0 255.240.0.0 10.132.0.1 1
route wire 10.145.0.0 255.255.255.0 10.145.3.253 1
route wireless-employeer 10.145.1.0 255.255.255.0 10.145.3.253 1
route wireless-employeer 10.132.0.0 255.255.240.0 10.132.0.1 1
route wireless-employeer 10.133.0.0 255.255.240.0 10.132.0.1 1
route wireless-employeer 10.137.0.0 255.255.240.0 10.132.0.1 1
route wireless-guest 10.145.2.0 255.255.255.0 10.145.3.253 1
route other-management 10.145.3.0 255.255.255.128 10.145.3.253 1
route management 10.145.3.128 255.255.255.128 10.145.3.253 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 10.145.3.0 255.255.255.128 other-management
http 10.145.3.128 255.255.255.128 management
http 10.145.0.0 255.255.255.0 wire
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set transform esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map crymap 1 match address ipsecvpn
crypto map crymap 1 set peer *.*.*.*
crypto map crymap 1 set ikev1 transform-set transform
crypto map crymap interface outside
crypto ca trustpool policy
no crypto isakmp nat-traversal
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.145.0.0 255.255.255.0 wire
ssh 10.145.3.128 255.255.255.128 management
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 0

dhcpd lease 36000
!
dhcpd address 10.145.0.1-10.145.0.249 wire
dhcpd dns 10.132.0.5 61.147.37.1 interface wire
dhcpd lease 36000 interface wire
dhcpd enable wire
!
dhcpd address 10.145.1.1-10.145.1.249 wireless-employeer
dhcpd dns 10.132.0.5 61.147.37.1 interface wireless-employeer
dhcpd lease 36000 interface wireless-employeer
dhcpd enable wireless-employeer
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy gp internal
group-policy gp attributes
vpn-tunnel-protocol ikev1
dynamic-access-policy-record DfltAccessPolicy
username admin password $sha512$5000$VeNcuhzHn/sy0eQMQtWXnA==$9n/wFy2uUi1GwjwATBWblA== pbkdf2
tunnel-group *.*.*.* type ipsec-l2l
tunnel-group *.*.*.* general-attributes
default-group-policy gp
tunnel-group *.*.*.* ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 60 retry 5
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
!



show crypto ikev1 sa detail

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: *.*.*.*
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : aes             Hash    : SHA      
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 82425





Posted 2018-8-13 10:23:57
If one direction works, the forward and return paths through the intermediate devices are fine.
If B to A doesn't work, find where the fault point is and then troubleshoot it specifically.
First capture packets in the B-to-A direction on device B, on device A and on the destination server, and see whether the failure is because the packets never arrive,
or the packets arrive but the target doesn't send a reply, or the reply is sent but isn't forwarded somewhere in between.
Posted 2018-8-13 13:06:33
Test whether the interesting traffic is matched correctly, and confirm whether the B-to-A traffic is actually going into the IPsec tunnel.
OP | Posted 2018-8-13 13:30:50
Wubin2010 posted on 2018-8-13 13:06
Test whether the interesting traffic is matched correctly, and confirm whether the B-to-A traffic is actually going into the IPsec tunnel.

How do I test whether it matches the interesting traffic?? I compared the access control lists on both sides and they correspond.
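Wubin2010's suggestion to check whether the B-to-A traffic really enters the tunnel, and the OP's question of how to test that, can be answered offline from the posted config. The script below is an added example, not code from the thread or from Cisco: it takes a subset of the posted ASA config, checks whether a source/destination pair matches the crypto ACL, and resolves the egress interface by longest-prefix match, because a crypto map only encrypts traffic that leaves through the interface it is bound to. The default-route next hop is masked in the post, so 203.0.113.1 is a placeholder.

```python
import ipaddress
import re
# Subset of the ASA config posted in the thread; the masked default-route next hop is a placeholder.
CONFIG = """\
object network management
subnet 10.145.3.128 255.255.255.128
object network remote
subnet 10.132.0.0 255.255.240.0
access-list ipsecvpn extended permit ip object management object remote
crypto map crymap 1 match address ipsecvpn
crypto map crymap interface outside
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route management 10.128.0.0 255.240.0.0 10.132.0.1 1
route wireless-employeer 10.132.0.0 255.255.240.0 10.132.0.1 1
"""

def parse_objects(cfg):
    """Map each 'object network NAME' / 'subnet ADDR MASK' pair to a network."""
    objs, cur = {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if line.startswith("object network "):
            cur = line.split()[2]
        elif line.startswith("subnet ") and cur:
            addr, mask = line.split()[1:3]
            objs[cur] = ipaddress.ip_network(f"{addr}/{mask}")
    return objs

def parse_crypto_acl(cfg, objs):
    """Return the (src, dst) network pairs of the ACL named by the crypto map."""
    acl = re.search(r"^crypto map \S+ \d+ match address (\S+)", cfg, re.M).group(1)
    pat = rf"^access-list {acl} extended permit ip object (\S+) object (\S+)"
    return [(objs[s], objs[d]) for s, d in re.findall(pat, cfg, re.M)]

def parse_routes(cfg):
    """Return [(interface, network)] for every static route in the config."""
    found = re.findall(r"^route (\S+) (\S+) (\S+) \S+ \d+", cfg, re.M)
    return [(iface, ipaddress.ip_network(f"{net}/{mask}")) for iface, net, mask in found]

def egress_interface(routes, dst):
    """Longest-prefix match, as the ASA routing table resolves a destination."""
    return max((r for r in routes if dst in r[1]), key=lambda r: r[1].prefixlen)[0]

def check_interesting_traffic(cfg, src, dst):
    """Encrypted only if the flow matches the crypto ACL and exits via the crypto-map interface."""
    objs = parse_objects(cfg)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    acl_match = any(src in s and dst in d for s, d in parse_crypto_acl(cfg, objs))
    crypto_if = re.search(r"^crypto map \S+ interface (\S+)", cfg, re.M).group(1)
    egress = egress_interface(parse_routes(cfg), dst)
    return {"acl_match": acl_match, "egress": egress, "encrypted": acl_match and egress == crypto_if}
```

For a host on the management VLAN pinging 10.132.0.10, the ACL matches but the posted routes resolve the destination to an inside interface rather than outside, so the check reports the flow as not encrypted; a packet capture on the interface it reports is the next place to look.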
Posted 2018-8-13 13:42:21
I've never managed to get one configured successfully with Sangfor; I'd suggest not configuring it.
OP | Posted 2018-8-13 14:30:44
13nash posted on 2018-8-13 13:42
I've never managed to get one configured successfully with Sangfor; I'd suggest not configuring it.

It was configured successfully before, just unstable; later it was reconfigured, which led to the current situation.
Posted 2018-8-13 15:43:55
wuleihen posted on 2018-8-13 14:30
It was configured successfully before, just unstable; later it was reconfigured, which led to the current situation.

Try rebooting the Sangfor..

Our Sangfor behavior-management box here already helped them find two bugs last month, one big and one small.
The big bug caused a network outage; the small one they found during the upgrade.
Posted 2018-8-16 07:30:30
I've run into this with Sangfor against a Polota device: at first the Polota side couldn't ping the Sangfor, but if the Sangfor pinged first it worked. Later 400 support didn't find the cause either, and after that I stopped chasing the issue.
OP | Posted 2018-8-16 08:52:47
yssqt5211 posted on 2018-8-16 07:30
I've run into this with Sangfor against a Polota device: at first the Polota side couldn't ping the Sangfor, but if the Sangfor pinged first it worked. Later ...

Sigh, well yours is fine now, but mine still isn't working. Once it works I won't want to bother with it either.
Posted 2018-8-16 15:05:19
asa does not support