Cisco Community
International site-to-site IPsec question

Posted 2019-12-17 10:16:51
Last edited by seasonli72658 on 2019-12-17 12:55

Has anyone built an international site-to-site network? We have now set one up with the US side, and the US office says their network is slow. What could be causing that?

When building the IPsec tunnel, do I also need to configure split tunneling? If there is no split tunneling, will all the traffic they generate go out through the Chinese internet exit? The configuration is below.
Do I need to separate the Shanghai and Beijing internal networks from each other?

Also, the US office staff used to be on a wired network; now they use an AP2702I autonomous (fat) AP. What is the maximum throughput this device can reach?
And I see the US public IP is IPv6. Is that related, and will it affect network speed?


:
ASA Version 9.8(2)
!
hostname ASA5506X-NewYork
domain-name default.domain.invalid
enable password $sha512$5000$Kdp14pedLKeMsmGKtV1UUQ==$ZyePktSUZ1qjHpDCn9jEqw== pbkdf2
names
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 38.105.210.197 255.255.255.224
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.66.1 255.255.252.0
!
interface GigabitEthernet1/3
shutdown     
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown     
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone BeiJing 8
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network objGlobal
subnet 0.0.0.0 0.0.0.0
object-group network objGrpshanghai
network-object 10.66.0.0 255.255.0.0
network-object 10.77.0.0 255.255.0.0
network-object 192.168.6.0 255.255.255.0
object-group network objGrpNewYork
network-object 192.168.66.1 255.255.252.0
object-group network url_filter_group
network-object 192.168.66.1 255.255.252.0
object-group network objGrpBeijing
network-object 192.168.60.0 255.255.255.0
access-list acl-fr-outside extended permit icmp any any
access-list acl-fr-outside extended permit ip any any
access-list acl-NewYork-to-shanghai extended permit ip object-group objGrpNewYork object-group objGrpshanghai
access-list acl-NewYork-to-Beijing extended permit ip object-group objGrpNewYork object-group objGrpBeijing
access-list url_filter_list extended permit tcp object-group url_filter_group any eq www
pager lines 24
logging enable
logging timestamp
logging monitor errors
logging buffered errors
logging trap errors
logging history errors
logging asdm errors
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any echo inside
icmp permit any echo-reply inside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static objGrpNewYork objGrpNewYork destination static objGrpSHnew objGrpSHnew no-proxy-arp route-lookup
nat (inside,outside) source static objGrpNewYork objGrpNewYork destination static objGrpKuanhuiIDC objGrpKuanhuiIDC
!
object network objGlobal
nat (inside,outside) dynamic interface
access-group acl-fr-outside in interface outside
route outside 0.0.0.0 0.0.0.0 33.106.230.183 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication login-history
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps syslog
service sw-reset-button
crypto ipsec ikev1 transform-set transet-ks esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map l2l-map 15 match address acl-NewYork-to-KuanhuiIDC
crypto map l2l-map 15 set peer 49.234.253.230
crypto map l2l-map 15 set ikev1 transform-set transet-ks
crypto map l2l-map 30 match address acl-NewYork-to-SHnew
crypto map l2l-map 30 set peer 136.238.198.59
crypto map l2l-map 30 set ikev1 transform-set transet-ks
crypto map l2l-map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 10
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
ssh key-exchange group dh-group1-sha1
console timeout 30
management-access inside
dhcpd dns 208.67.222.222 208.67.220.220
!
dhcpd address 192.168.66.50-192.168.66.200 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username admincisco password $sha512$5000$kSyu2Kq2/2+H61D8XsVBlA==$mVKIbqfRJY29zX+3t4UaxQ== pbkdf2 privilege 15
tunnel-group 136.238.198.59 type ipsec-l2l
tunnel-group 136.238.198.59 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 49.234.253.230 type ipsec-l2l
tunnel-group 49.234.253.230 ipsec-attributes
ikev1 pre-shared-key *****
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect http
  inspect icmp
policy-map type inspect http url_policy_inspect
parameters
class url_class_inspect
  drop-connection log
policy-map url_policy
class url_class
  inspect http url_policy_inspect
!
service-policy global_policy global
service-policy url_policy interface inside
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:c49ddf29e93d778ef66a635c204bad19
: end
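To make the split-tunnel question concrete, here is an added example (editor's code, not from the thread and not Cisco's). On an ASA, a LAN-to-LAN crypto map only encrypts traffic that matches its match address ACL; everything else follows the routing table, which in the posted config is the default route out of outside with dynamic interface PAT, so the New York office's ordinary internet traffic leaves locally rather than through China unless the crypto ACLs are broad. The script parses a constructed config excerpt modelled on the posted one and walks a single flow through the crypto map and the identity (exemption) NAT rules in the order the ASA applies them. It is a constructed sample: the posted crypto map references acl-NewYork-to-KuanhuiIDC, acl-NewYork-to-SHnew, objGrpSHnew and objGrpKuanhuiIDC, none of which are defined in the pasted excerpt, so the sample binds the map to the two ACLs that are defined; the parse and classify functions and the sample addresses are the editor's.

```python
"""Toy walker for an ASA LAN-to-LAN policy: for one inside->outside flow, decide
whether it matches a crypto-map ACL (encrypted into the tunnel) or falls through
to the dynamic interface PAT (leaves through the local internet exit).
Constructed example; not Cisco code and not a full ASA emulator."""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network

# Constructed excerpt modelled on the posted config. The posted crypto map points
# at ACL/object names absent from the excerpt, so this sample binds the map to
# the two ACLs that are defined (an assumption for the example).
SAMPLE_CONFIG = """\
object-group network objGrpshanghai
 network-object 10.66.0.0 255.255.0.0
 network-object 10.77.0.0 255.255.0.0
 network-object 192.168.6.0 255.255.255.0
object-group network objGrpNewYork
 network-object 192.168.66.1 255.255.252.0
object-group network objGrpBeijing
 network-object 192.168.60.0 255.255.255.0
access-list acl-NewYork-to-shanghai extended permit ip object-group objGrpNewYork object-group objGrpshanghai
access-list acl-NewYork-to-Beijing extended permit ip object-group objGrpNewYork object-group objGrpBeijing
nat (inside,outside) source static objGrpNewYork objGrpNewYork destination static objGrpshanghai objGrpshanghai no-proxy-arp route-lookup
crypto map l2l-map 15 match address acl-NewYork-to-Beijing
crypto map l2l-map 30 match address acl-NewYork-to-shanghai
"""


def operand(tok: List[str], i: int, groups: Dict[str, List[Net]]) -> Tuple[List[Net], int]:
    """Parse one ACL address operand at tok[i]; return (networks, index after it)."""
    if tok[i] == "any":
        return [Net("0.0.0.0/0")], i + 1
    if tok[i] == "host":
        return [Net(tok[i + 1] + "/32")], i + 2
    if tok[i] == "object-group":
        return groups[tok[i + 1]], i + 2
    # "address mask" form; strict=False accepts a host address under a mask, as the ASA does
    return [Net(f"{tok[i]}/{tok[i + 1]}", strict=False)], i + 2


def parse(cfg: str):
    """Collect object-groups, permit-ip ACL entries, crypto-map match ACLs and identity NAT pairs."""
    groups: Dict[str, List[Net]] = {}
    acls: Dict[str, List[Tuple[List[Net], List[Net]]]] = {}
    crypto: List[Tuple[int, str]] = []   # (sequence number, match-address ACL)
    exempt: List[Tuple[str, str]] = []   # identity NAT: (source group, destination group)
    current = None                       # object-group currently being filled
    for raw in cfg.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "network-object" and current is not None:
            net = Net(tok[2] + "/32") if tok[1] == "host" else Net(f"{tok[1]}/{tok[2]}", strict=False)
            groups[current].append(net)
            continue
        current = None
        if tok[:2] == ["object-group", "network"]:
            current = tok[2]
            groups[current] = []
        elif tok[0] == "access-list" and tok[3:5] == ["permit", "ip"]:
            src, i = operand(tok, 5, groups)
            dst, _ = operand(tok, i, groups)
            acls.setdefault(tok[1], []).append((src, dst))
        elif tok[:2] == ["crypto", "map"] and tok[4:6] == ["match", "address"]:
            crypto.append((int(tok[3]), tok[6]))
        elif tok[0] == "nat" and tok[2:4] == ["source", "static"] and tok[4] == tok[5] and "destination" in tok:
            j = tok.index("destination")
            if tok[j + 1] == "static" and tok[j + 2] == tok[j + 3]:
                exempt.append((tok[4], tok[j + 2]))
    return groups, acls, sorted(crypto), exempt


def classify(parsed, src_ip: str, dst_ip: str) -> Dict[str, object]:
    """Walk the crypto map in sequence order (lowest first, as the ASA does) for one flow."""
    groups, acls, crypto, exempt = parsed
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hit = lambda ip, nets: any(ip in n for n in nets)
    for seq, acl_name in crypto:
        if any(hit(s, srcs) and hit(d, dsts) for srcs, dsts in acls.get(acl_name, [])):
            # NAT runs before encryption: without an identity rule the flow is PAT'd to the
            # outside address first and then no longer matches the crypto ACL.
            exempted = any(hit(s, groups.get(gs, [])) and hit(d, groups.get(gd, []))
                           for gs, gd in exempt)
            return {"path": "ipsec" if exempted else "nat-exempt-missing", "seq": seq, "acl": acl_name}
    return {"path": "local-exit", "seq": None, "acl": None}


if __name__ == "__main__":
    parsed = parse(SAMPLE_CONFIG)
    # constructed destinations: a Shanghai host, a Beijing host, an internet host
    for dst in ("10.66.1.10", "192.168.60.10", "203.0.113.10"):
        print(dst, classify(parsed, "192.168.66.50", dst))
```

Run against the sample, New York to Shanghai is encrypted and NAT-exempted, New York to Beijing matches the crypto ACL but has no identity NAT in the sample and so would be PAT'd first and never reach the tunnel, and an internet destination falls through to the local exit. On the real box the equivalent check is packet-tracer from the inside interface with an internal source and an internet destination, which reports whether the flow hits the VPN encrypt phase or only the NAT and route phases.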



Best answer, posted 2019-12-17 10:16:52:

- Is all the traffic going through the VPN?
- The AP2702I is a Wave 1 AP supporting 802.11ac; the PHY tops out at 1.3 Gbps (80 MHz in 5 GHz). Even if 802.11n is negotiated, it supports up to 450 Mbps (40 MHz in 5 GHz).
- I don't think the IPv6 public IP is the problem.
Posted by binlin3978550, 2019-12-17 16:57:46:

Both IPv4 and IPv6 are subject to DNS poisoning and DNS hijacking.
Original poster, 2019-12-17 17:36:57:

Quoting binlin3978550 (2019-12-17 16:57): Both IPv4 and IPv6 are subject to DNS poisoning and DNS hijacking.

Could you explain that in more detail? I didn't quite follow.