fomik2 Posted September 11, 2012 (edited)

Gentlemen, I have run into a problem bringing up a VPN on a Cisco ASA 5505. More precisely, with adding one more tunnel, to another office, alongside the tunnel that already exists. The config is as follows:

    nat (inside,outside) source static inside-net inside-net destination static GO-nets GO-nets description NoNAT

    access-list 100 extended permit ip 192.168.235.0 255.255.255.240 172.16.0.0 255.255.0.0
    access-list 100 extended permit ip 192.168.235.0 255.255.255.240 192.168.2.0 255.255.255.0
    access-list 100 extended permit ip 192.168.235.0 255.255.255.240 192.168.3.0 255.255.255.0
    access-list 100 extended permit ip 192.168.235.0 255.255.255.240 172.17.0.0 255.255.0.0
    access-list 100 extended permit ip 192.168.235.0 255.255.255.240 192.168.32.0 255.255.254.0
    access-list 100 extended permit ip 192.168.235.0 255.255.255.240 192.168.1.0 255.255.255.0
    access-list 101 extended permit ip 192.168.212.0 255.255.255.240 192.168.38.0 255.255.254.0
    (adding this access-list)

    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 20 match address 100
    crypto map outside_map 20 set peer з.з.з.з х.х.х.х
    crypto map outside_map 20 set transform-set myset
    --- adding this crypto map
    crypto map outside_map 30 match address 101
    crypto map outside_map 30 set peer щ.щ.щ.щ
    crypto map outside_map 30 set transform-set myset
    crypto map outside_map 30 set nat-t-disable
    crypto map outside_map interface outside
    tunnel-group х.х.х.х type ipsec-l2l
    tunnel-group х.х.х.х ipsec-attributes
     pre-shared-key ****
    tunnel-group з.з.з.з type ipsec-l2l
    tunnel-group з.з.з.з ipsec-attributes
     pre-shared-key ***
    Adding this tunnel-group
    tunnel-group щ.щ.щ.щ type ipsec-l2l
    tunnel-group щ.щ.щ.щ ipsec-attributes
     pre-shared-key ****
    !!!!Enable for DMZ-host
    crypto map outside_map 20 set nat-t-disable
    end

As a result, no IKE packets arrive at щ.щ.щ.щ. What did I do wrong??

    sh crypto isakmp sa

    Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1 IKE Peer: x.x.x.x
      Type : L2L     Role : initiator
      Rekey : no     State : MM_ACTIVE

That is, there is a tunnel to only one office, and the one I am adding is nowhere to be seen.

Edited September 11, 2012 by fomik2

detx Posted September 11, 2012

packet-tracer is a great help here.