2099 views | 0 helpful | 3 replies

International site-to-site IPsec question

seasonli72658
Last edited by seasonli72658 on 2019-12-17 12:55
Has anyone set up an international site-to-site network? We have now built one with the US side, and the US says their network is slow. What could be the cause?
When building the IPsec tunnel, do we also need to do split tunnelling? If we don't split, will all the traffic they use exit through the Chinese network egress? The configuration is below.
Do we need to separate the Shanghai and Beijing internal networks?
Also, the staff in the US office previously used wired networking, and now they use an
AP2702I autonomous (fat) AP. I don't know what maximum throughput this device can reach.

Also, I see that the US public IP is IPv6. Is that related, and would it affect network speed?
:
ASA Version 9.8(2)
!
hostname ASA5506X-NewYork
domain-name default.domain.invalid
enable password $sha512$5000$Kdp14pedLKeMsmGKtV1UUQ==$ZyePktSUZ1qjHpDCn9jEqw== pbkdf2
names
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 38.105.210.197 255.255.255.224
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.66.1 255.255.252.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone BeiJing 8
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network objGlobal
subnet 0.0.0.0 0.0.0.0
object-group network objGrpshanghai
network-object 10.66.0.0 255.255.0.0
network-object 10.77.0.0 255.255.0.0
network-object 192.168.6.0 255.255.255.0
object-group network objGrpNewYork
network-object 192.168.66.1 255.255.252.0
object-group network url_filter_group
network-object 192.168.66.1 255.255.252.0
object-group network objGrpBeijing
network-object 192.168.60.0 255.255.255.0
access-list acl-fr-outside extended permit icmp any any
access-list acl-fr-outside extended permit ip any any
access-list acl-NewYork-to-shanghai extended permit ip object-group objGrpNewYork object-group objGrpshanghai
access-list acl-NewYork-to-Beijing extended permit ip object-group objGrpNewYork object-group objGrpBeijing
access-list url_filter_list extended permit tcp object-group url_filter_group any eq www
pager lines 24
logging enable
logging timestamp
logging monitor errors
logging buffered errors
logging trap errors
logging history errors
logging asdm errors
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any echo inside
icmp permit any echo-reply inside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static objGrpNewYork objGrpNewYork destination static objGrpSHnew objGrpSHnew no-proxy-arp route-lookup
nat (inside,outside) source static objGrpNewYork objGrpNewYork destination static objGrpKuanhuiIDC objGrpKuanhuiIDC
!
object network objGlobal
nat (inside,outside) dynamic interface
access-group acl-fr-outside in interface outside
route outside 0.0.0.0 0.0.0.0 33.106.230.183 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication login-history
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps syslog
service sw-reset-button
crypto ipsec ikev1 transform-set transet-ks esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map l2l-map 15 match address acl-NewYork-to-KuanhuiIDC
crypto map l2l-map 15 set peer 49.234.253.230
crypto map l2l-map 15 set ikev1 transform-set transet-ks
crypto map l2l-map 30 match address acl-NewYork-to-SHnew
crypto map l2l-map 30 set peer 136.238.198.59
crypto map l2l-map 30 set ikev1 transform-set transet-ks
crypto map l2l-map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 10
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
ssh key-exchange group dh-group1-sha1
console timeout 30
management-access inside
dhcpd dns 208.67.222.222 208.67.220.220
!
dhcpd address 192.168.66.50-192.168.66.200 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username admincisco password $sha512$5000$kSyu2Kq2/2+H61D8XsVBlA==$mVKIbqfRJY29zX+3t4UaxQ== pbkdf2 privilege 15
tunnel-group 136.238.198.59 type ipsec-l2l
tunnel-group 136.238.198.59 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 49.234.253.230 type ipsec-l2l
tunnel-group 49.234.253.230 ipsec-attributes
ikev1 pre-shared-key *****
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect http
inspect icmp
policy-map type inspect http url_policy_inspect
parameters
class url_class_inspect
drop-connection log
policy-map url_policy
class url_class
inspect http url_policy_inspect
!
service-policy global_policy global
service-policy url_policy interface inside
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:c49ddf29e93d778ef66a635c204bad19
: end
1 accepted solution

Accepted solution

- Is all the traffic going through the VPN?
- The AP2702I is a Wave 1 AP that supports 802.11ac; the PHY rate tops out at 1.3 Gbps (80 MHz channel in 5 GHz). Even if it negotiates 802.11n, it still supports up to 450 Mbps (40 MHz channel in 5 GHz).
- I don't think it is a problem with the IPv6 public IP.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !

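Added check, not part of the original thread and not anyone's posted tool: the first question in the accepted answer, whether all the traffic is going through the VPN, can be read off the configuration instead of guessed. On an ASA only traffic matching the ACL bound to a crypto map entry with `match address` is encrypted to that peer; everything else follows the default route and the `objGlobal` dynamic PAT rule out of the local outside interface. A permit ACE in that ACL whose destination is `any` is the "no split tunnel, everything exits via China" case the question worries about. The script below parses a constructed excerpt of the posted config (object, ACL, transform-set and peer names are the post's; subnet member lines and unrelated commands are omitted, and `FULL_TUNNEL_VARIANT` is a constructed what-if, not something the post contains). Two things it surfaces from the post as pasted: the crypto map entries reference `acl-NewYork-to-KuanhuiIDC` and `acl-NewYork-to-SHnew`, and the NAT exemptions reference `objGrpSHnew` and `objGrpKuanhuiIDC`, none of which is defined in the pasted output (the ACLs that are defined are `acl-NewYork-to-shanghai` and `acl-NewYork-to-Beijing`), so either the paste was edited before posting or the crypto ACLs are not what the post shows; and the tunnel runs 3DES with HMAC-MD5, IKEv1 DH group 2, and SSH key exchange `dh-group1-sha1`, all legacy choices (AES, SHA-2 and DH group 14 or higher are the usual replacements) worth fixing while the tunnel is being worked on anyway.

```python
"""Static audit of the ASA site-to-site IPsec config posted above (added
example): which ACL each crypto map entry tunnels, whether that ACL exists,
whether it would tunnel everything (a permit ACE with destination "any"),
which referenced object-groups are undefined, and which algorithms are legacy."""
import re

# Constructed excerpt of the posted configuration: object, ACL, transform-set
# and peer names are copied from it; member lines and unrelated commands dropped.
ASA_CONFIG = """\
object-group network objGrpshanghai
object-group network objGrpNewYork
object-group network objGrpBeijing
access-list acl-NewYork-to-shanghai extended permit ip object-group objGrpNewYork object-group objGrpshanghai
access-list acl-NewYork-to-Beijing extended permit ip object-group objGrpNewYork object-group objGrpBeijing
nat (inside,outside) source static objGrpNewYork objGrpNewYork destination static objGrpSHnew objGrpSHnew no-proxy-arp route-lookup
nat (inside,outside) source static objGrpNewYork objGrpNewYork destination static objGrpKuanhuiIDC objGrpKuanhuiIDC
crypto ipsec ikev1 transform-set transet-ks esp-3des esp-md5-hmac
crypto map l2l-map 15 match address acl-NewYork-to-KuanhuiIDC
crypto map l2l-map 15 set peer 49.234.253.230
crypto map l2l-map 30 match address acl-NewYork-to-SHnew
crypto map l2l-map 30 set peer 136.238.198.59
crypto ikev1 policy 1
encryption 3des
hash sha
group 2
ssh key-exchange group dh-group1-sha1
"""

# Constructed what-if (not in the post): the missing SHnew ACL supplied with
# destination "any", i.e. the "no split tunnel, everything exits via China" case.
FULL_TUNNEL_VARIANT = ASA_CONFIG + (
    "access-list acl-NewYork-to-SHnew extended permit ip object-group objGrpNewYork any\n")

PORT_OPS = {"eq": 1, "gt": 1, "lt": 1, "neq": 1, "range": 2}
LEGACY_ALGOS = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac", "dh-group1-sha1"}
LEGACY_DH_GROUPS = {"1", "2", "5"}


def _take_addr(tokens):
    """Consume one ACE address spec -> (name, rest). Objects keep their name,
    literals become 'addr/mask', and any-equivalents become 'any'."""
    head = tokens[0]
    if head in ("any", "any4", "any6") or (head == "0.0.0.0" and tokens[1] == "0.0.0.0"):
        return "any", tokens[1 + (head == "0.0.0.0"):]
    if head in ("object", "object-group"):
        return tokens[1], tokens[2:]
    if head == "host":
        return tokens[1] + "/255.255.255.255", tokens[2:]
    return head + "/" + tokens[1], tokens[2:]


def _skip_port(tokens):
    """Drop a source-port operator (eq/gt/lt/neq/range) if one follows the source."""
    return tokens[1 + PORT_OPS[tokens[0]]:] if tokens and tokens[0] in PORT_OPS else tokens


def parse_config(text):
    """Pull the objects, ACLs, NAT exemptions, crypto map and IKE/SSH settings out of
    'show running-config' text (indentation is ignored, so flattened pastes work)."""
    cfg = {"groups": set(), "refs": set(), "acls": {}, "crypto": {},
           "transform_sets": {}, "ikev1_policies": {}, "ssh_kex": None}
    policy = None  # attribute dict of the "crypto ikev1 policy" being read
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"^crypto ikev1 policy (\d+)$", line):
            policy = cfg["ikev1_policies"].setdefault(int(m.group(1)), {})
            continue
        if policy is not None and (m := re.match(r"^(authentication|encryption|hash|group|lifetime) (\S+)$", line)):
            policy[m.group(1)] = m.group(2)
            continue
        policy = None
        if m := re.match(r"^object(?:-group)? network (\S+)$", line):
            cfg["groups"].add(m.group(1))
        elif m := re.match(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$", line):
            name, action, proto, rest = m.groups()
            src, tokens = _take_addr(rest.split())
            dst, _ = _take_addr(_skip_port(tokens))
            cfg["refs"].update(n for n in (src, dst) if n != "any" and "/" not in n)
            cfg["acls"].setdefault(name, []).append((action, proto, src, dst))
        elif m := re.match(r"^nat \(\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)", line):
            cfg["refs"].update(m.groups())
        elif m := re.match(r"^crypto ipsec ikev1 transform-set (\S+) (.+)$", line):
            cfg["transform_sets"][m.group(1)] = m.group(2).split()
        elif m := re.match(r"^crypto map (\S+) (\d+) (match address|set peer) (\S+)$", line):
            entry = cfg["crypto"].setdefault((m.group(1), int(m.group(2))), {})
            entry["acl" if m.group(3) == "match address" else "peer"] = m.group(4)
        elif m := re.match(r"^ssh key-exchange group (\S+)$", line):
            cfg["ssh_kex"] = m.group(1)
    return cfg


def audit(text):
    """Return findings: per-tunnel ACL status, undefined object references, legacy algorithms."""
    cfg = parse_config(text)
    tunnels = []
    for (name, seq), entry in sorted(cfg["crypto"].items()):
        aces = cfg["acls"].get(entry.get("acl"))  # None when the crypto ACL is not defined
        tunnels.append({"map": name, "seq": seq, "peer": entry.get("peer"), "acl": entry.get("acl"),
                        "acl_defined": aces is not None,
                        "full_tunnel": bool(aces) and any(d == "any" for a, _, _, d in aces if a == "permit")})
    weak = [f"transform-set {n}: {a}" for n, algos in cfg["transform_sets"].items()
            for a in algos if a in LEGACY_ALGOS]
    for num, pol in cfg["ikev1_policies"].items():
        weak += [f"ikev1 policy {num}: {k} {v}" for k, v in pol.items()
                 if (k in ("encryption", "hash") and v in LEGACY_ALGOS) or (k == "group" and v in LEGACY_DH_GROUPS)]
    if cfg["ssh_kex"] in LEGACY_ALGOS:
        weak.append(f"ssh key-exchange {cfg['ssh_kex']}")
    return {"tunnels": tunnels, "undefined_refs": sorted(cfg["refs"] - cfg["groups"]), "weak_crypto": weak}


if __name__ == "__main__":
    for label, text in (("posted config", ASA_CONFIG), ("full-tunnel what-if", FULL_TUNNEL_VARIANT)):
        print(f"== {label} ==")
        for k, v in audit(text).items():
            print(k, v)
```

Against the excerpt, both crypto map entries come back with `acl_defined` False and both NAT-exemption destination groups are listed as undefined; the what-if variant shows entry 30 as a full tunnel. The script only looks at ACLs bound to `match address`, so the `permit ip any any` on the outside interface ACL in the post is not counted as tunnelled traffic. To run it on a real box, feed it the output of `show running-config` in place of `ASA_CONFIG`.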
3 replies

binlin3978550
Both IPv4 and IPv6 are subject to DNS poisoning and DNS hijacking.

seasonli72658
binlin3978550 wrote on 2019-12-17 16:57:
Both IPv4 and IPv6 are subject to DNS poisoning and DNS hijacking.

Could you explain that in more detail? I didn't quite understand.