fomik2 Posted September 11, 2012 (edited)

Gentlemen, I have a problem bringing up a VPN on a Cisco ASA 5505. More precisely, with adding one more tunnel, to another office, alongside the already existing one. The config is as follows:

    nat (inside,outside) source static inside-net inside-net destination static GO-nets GO-nets description NoNAT
    access-list 100 extended permit ip 192.168.235.0 255.255.255.240 172.16.0.0 255.255.0.0
    access-list 100 extended permit ip 192.168.235.0 255.255.255.240 192.168.2.0 255.255.255.0
    access-list 100 extended permit ip 192.168.235.0 255.255.255.240 192.168.3.0 255.255.255.0
    access-list 100 extended permit ip 192.168.235.0 255.255.255.240 172.17.0.0 255.255.0.0
    access-list 100 extended permit ip 192.168.235.0 255.255.255.240 192.168.32.0 255.255.254.0
    access-list 100 extended permit ip 192.168.235.0 255.255.255.240 192.168.1.0 255.255.255.0
    access-list 101 extended permit ip 192.168.212.0 255.255.255.240 192.168.38.0 255.255.254.0

(I am adding this access-list)

    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 20 match address 100
    crypto map outside_map 20 set peer з.з.з.з х.х.х.х
    crypto map outside_map 20 set transform-set myset

--- I am adding this crypto map

    crypto map outside_map 30 match address 101
    crypto map outside_map 30 set peer щ.щ.щ.щ
    crypto map outside_map 30 set transform-set myset
    crypto map outside_map 30 set nat-t-disable
    crypto map outside_map interface outside
    tunnel-group х.х.х.х type ipsec-l2l
    tunnel-group х.х.х.х ipsec-attributes
     pre-shared-key ****
    tunnel-group з.з.з.з type ipsec-l2l
    tunnel-group з.з.з.з ipsec-attributes
     pre-shared-key ***

I am adding this tunnel-group

    tunnel-group щ.щ.щ.щ type ipsec-l2l
    tunnel-group щ.щ.щ.щ ipsec-attributes
     pre-shared-key ****
    !!!!Enable for DMZ-host
    crypto map outside_map 20 set nat-t-disable
    end

As a result, no IKE packets arrive at щ.щ.щ.щ. What did I do wrong??

    sh crypto isakmp sa

    Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1 IKE Peer: x.x.x.x
      Type : L2L    Role : initiator
      Rekey : no    State : MM_ACTIVE

i.e. only to one office; the one I am adding is nowhere to be seen.

Edited September 11, 2012 by fomik2

detx Posted September 11, 2012

packet-tracer is a great help here.
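
The packet-tracer suggestion applied to the configuration in the question, as an added example that is not part of the thread: the script reads the crypto-map ACLs and builds one `packet-tracer` command per crypto map entry, so each tunnel's interesting traffic can be traced on the ASA. The ingress interface name `inside` is taken from the `nat (inside,outside)` line; the embedded config excerpt and the choice of the first host in each network are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed excerpt: one ACE per crypto ACL, copied from the question's config.
CONFIG = """\
access-list 100 extended permit ip 192.168.235.0 255.255.255.240 172.16.0.0 255.255.0.0
access-list 101 extended permit ip 192.168.212.0 255.255.255.240 192.168.38.0 255.255.254.0
crypto map outside_map 20 match address 100
crypto map outside_map 30 match address 101
"""

ACE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MATCH = re.compile(r"^crypto map \S+ (\d+) match address (\S+)$")


def parse(config):
    """Return ({acl: [(src_net, dst_net), ...]}, {crypto_map_seq: acl})."""
    acls, maps = {}, {}
    for line in config.splitlines():
        line = line.strip()
        ace = ACE.match(line)
        if ace:
            name, src, src_mask, dst, dst_mask = ace.groups()
            acls.setdefault(name, []).append((
                ipaddress.ip_network(f"{src}/{src_mask}"),
                ipaddress.ip_network(f"{dst}/{dst_mask}"),
            ))
            continue
        match = MATCH.match(line)
        if match:
            maps[int(match.group(1))] = match.group(2)
    return acls, maps


def tracer_commands(config, ingress="inside"):
    """Map each crypto map sequence number to a packet-tracer command (ICMP echo)."""
    acls, maps = parse(config)
    commands = {}
    for seq in sorted(maps):
        entries = acls.get(maps[seq])
        if not entries:
            commands[seq] = None  # crypto map points at an ACL with no entries
            continue
        src_net, dst_net = entries[0]
        src = next(iter(src_net.hosts()))
        dst = next(iter(dst_net.hosts()))
        commands[seq] = f"packet-tracer input {ingress} icmp {src} 8 0 {dst} detailed"
    return commands


if __name__ == "__main__":
    for seq, cmd in tracer_commands(CONFIG).items():
        print(seq, cmd or "ACL not defined")
```

In the packet-tracer output on the ASA, the NAT and VPN phases show whether the simulated packet is matched by the NAT exemption and handed to the crypto map for encryption, or dropped earlier.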