
Cisco EasyVPN between server ASA5520 and client IOS router 881
Tags: Cisco, EzVPN, ASA, IOS, Router, 800 series, 880 series, 880

Task: connect a Cisco ASA 5520 and an 881 router with a VPN. The ASA will be the server, the router the client.

Of the few available solutions I am struggling with EasyVPN. Why that one? First, it is supported by both platforms, ASA and IOS. Second, the solution has to scale: there will be hundreds of 880s, and site-to-site VPN would bury me in manual configuration and support work. Third, many of the 880s sit behind NAT without a permanent external IP.

[attached image: network diagram]

The network layout is clear from the diagram.

On the 881 we configure EasyVPN:

crypto ipsec client ezvpn ASA
connect auto
group MAGAZ_TUNNEL_GROUP key *
mode network-extension
peer 1.1.1.90
virtual-interface
username user2 password user2
xauth userid mode local

The tunnel comes up fine: a static route for 10.120.120.0/24 appears on the ASA, the Virtual-Access1 interface comes up on the 881, and a route [1/0] via 0.0.0.0, Virtual-Access1 appears. This morning this setup even pinged from the ASA side, i.e.

FIXASA#ping 10.120.120.253 
FIXASA#ping 10.120.120.2

completed successfully.

From the other side, no. Actually, this is the first problem: where should I ping from the 881? There are no routes to anything like 10.5.0.0. Add one? What should I use as the destination?

In the EasyVPN client settings I tried setting

mode client

mode network-plus

This lets the 880 router obtain the IP 172.20.1.1/32. And what to do with it next? One can try to use it as is, or attach it to various loopbacks, virtual-templates and so on. A route like

ip route 10.5.0.0 255.255.0.0 loopback10000

bounces the packet around the router until its TTL expires.

By evening, after trials and experiments, even this small success was destroyed.

FIXASA# ping 10.120.120.253
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.120.120.253, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

The 881's reaction to this:

881#debug ip icmp
881#
Feb 11 16:07:32.175: ICMP: echo reply sent, src 10.120.120.253, dst 1.1.1.90, topology BASE, dscp 0 topoid 0
Feb 11 16:07:34.163: ICMP: echo reply sent, src 10.120.120.253, dst 1.1.1.90, topology BASE, dscp 0 topoid 0
Feb 11 16:07:36.163: ICMP: echo reply sent, src 10.120.120.253, dst 1.1.1.90, topology BASE, dscp 0 topoid 0
Feb 11 16:07:38.163: ICMP: echo reply sent, src 10.120.120.253, dst 1.1.1.90, topology BASE, dscp 0 topoid 0
Feb 11 16:07:40.163: ICMP: echo reply sent, src 10.120.120.253, dst 1.1.1.90, topology BASE, dscp 0 topoid 0

The ASA Real-time Log Viewer's reaction:

[attached screenshot: ASA Real-time Log Viewer]

We check with packet-tracer

FIXASA# packet-tracer input inside icmp 10.5.90.90 0 0 1 10.120.120.253 detail$

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.120.120.0    255.255.255.0   inet

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xccc44e20, priority=500, domain=permit, deny=true
       hits=0, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
       src ip=10.5.90.90, mask=255.255.255.255, port=0
       dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inet
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

It refers to a rule that denies ip. But there is a rule earlier that permits icmp!

[attached screenshot: access rules]

It looks like the problem is that I blocked icmp somewhere. It is hard to test with anything other than ping; the system is at the "test bench" stage.

Please rescue me from this EasyVPN configuration dead end.

If it is possible to make the ASA work with an IOS router in other ways, I would be glad to learn them.

Before this I tried L2TP over IPsec. From a Win7 PC to the ASA it came up, but from the router it did not. I could not master the configuration; presumably the security parameters could not be negotiated. Once again I note that Site-to-Site (LAN-to-LAN) VPN is unacceptable.

Cisco ASA config

FIXASA# sh run
: Saved
:
ASA Version 8.2(2)
!
hostname FIXASA
names
dns-guard
!
interface GigabitEthernet0/0
description == INET ==
nameif inet
security-level 100
ip address 1.1.1.90 255.255.255.240
!
interface GigabitEthernet0/1
description == LAN ==
nameif inside
security-level 100
ip address 10.5.90.90 255.255.0.0
boot system disk0:/asa822-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name 
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service any
service-object tcp-udp
service-object ip
service-object udp
object-group network DM_INLINE_NETWORK_1
network-object 0.0.0.0 0.0.0.0
network-object 1.1.1.80 255.255.255.240
access-list TELNET extended permit ip any any
access-list ANYBODY extended permit ip any any
access-list inet_access_in extended permit object-group any any object-group DM_INLINE_NETWORK_1
access-list inet_access_in extended permit icmp any any
access-list NO-NAT extended permit ip 10.5.0.0 255.255.0.0 10.120.120.0 255.255.255.0
access-list EZVPN extended permit ip 10.5.0.0 255.255.0.0 10.120.120.0 255.255.255.0
access-list inside_access_in extended permit icmp any any
access-list inet_access_out extended permit icmp any any
access-list inside_access_out extended permit icmp any any
pager lines 50
logging enable
logging asdm informational
logging debug-trace
mtu inet 1500
mtu inside 1500
ip local pool OFFICEVPN 10.5.13.1-10.5.13.255 mask 255.255.0.0
ip local pool MAGAZ_172_POOL 172.20.1.0-172.20.1.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list NO-NAT
access-group inet_access_in in interface inet
access-group inet_access_out out interface inet
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
!
router eigrp 1
no auto-summary
eigrp stub connected static redistributed
network 10.5.0.0 255.255.0.0
passive-interface inet
!
route inet 0.0.0.0 0.0.0.0 1.1.1.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
http 1.1.1.0 255.255.255.0 inet
no snmp-server location
no snmp-server contact
crypto ipsec transform-set MAGAZ esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set MAGAZ
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map inet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inet_map interface inet
crypto isakmp enable inet
crypto isakmp enable inside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inet
telnet timeout 30
ssh timeout 5
console timeout 0
management-access inet
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 des-sha1 null-sha1 rc4-md5 rc4-sha1
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 10.5.0.1
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
dns-server value 10.5.0.1
vpn-tunnel-protocol l2tp-ipsec
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec
password-storage enable
ipsec-udp enable
nem enable
msie-proxy method no-proxy
address-pools value MAGAZ_172_POOL
group-policy DiffGrpPolicy internal
group-policy DiffGrpPolicy attributes
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol l2tp-ipsec
address-pools value OFFICEVPN
username user1 password ALLIXd+9jMgWAtb8c0DrCw== nt-encrypted
username user2 password G1SInyx0A0./Dx3t encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool (inet) OFFICEVPN
address-pool (inside) OFFICEVPN
address-pool OFFICEVPN
authentication-server-group (inet) LOCAL
authorization-server-group LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
peer-id-validate nocheck
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
tunnel-group STORES type ipsec-l2l
tunnel-group MAGAZ_TUNNEL_GROUP type remote-access
tunnel-group MAGAZ_TUNNEL_GROUP general-attributes
address-pool MAGAZ_172_POOL
authorization-server-group LOCAL
tunnel-group MAGAZ_TUNNEL_GROUP ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
 message-length maximum client auto
 message-length maximum 512
policy-map global_policy
class inspection_default
 inspect dns migrated_dns_map_1
 inspect ftp
 inspect h323 h225
 inspect h323 ras
 inspect netbios
 inspect rsh
 inspect rtsp
 inspect skinny
 inspect esmtp
 inspect sqlnet
 inspect sunrpc
 inspect tftp
 inspect sip
 inspect xdmcp
 inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
 no active
 destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
 destination address email callhome@cisco.com
 destination transport-method http
 subscribe-to-alert-group diagnostic
 subscribe-to-alert-group environment
 subscribe-to-alert-group inventory periodic monthly
 subscribe-to-alert-group configuration periodic monthly
 subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:b8767f3f668af448658facaaca8f4a20
: end
FIXASA#

Cisco 881 router config

881#sh run
Building configuration...

Current configuration : 4094 bytes
!
! Last configuration change at 16:00:19 UTC Mon Feb 11 2013 by admin
! NVRAM config last updated at 16:00:20 UTC Mon Feb 11 2013 by admin
! NVRAM config last updated at 16:00:20 UTC Mon Feb 11 2013 by admin
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 881
!
boot-start-marker
boot system flash c880data-universalk9-mz.151-4.M5.bin
boot-end-marker
logging buffered 51200 warnings
aaa new-model
aaa session-id common
memory-size iomem 10
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3988300521
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3988300521
revocation-check none
rsakeypair TP-self-signed-3988300521
!
!
crypto pki certificate chain TP-self-signed-3988300521
certificate self-signed 01
 3082022B 	....
 quit
ip source-route
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
lease 0 2
!
!
ip cef
no ip domain lookup
ip domain name fix-price.ru
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-K9 sn FC
license boot module c880-data level advipservices
no spanning-tree vlan 1
ip tftp source-interface Vlan1
!
crypto ipsec client ezvpn ASA
connect auto
group MAGAZ_TUNNEL_GROUP key *
mode network-extension
peer 1.1.1.90
virtual-interface
username user2 password user2
xauth userid mode local
!
interface FastEthernet4
ip address 1.1.1.106 255.255.255.252
ip virtual-reassembly in
duplex full
speed 100
crypto ipsec client ezvpn ASA
!
interface Vlan1
ip address 10.120.120.253 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
crypto ipsec client ezvpn ASA inside
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map EZVPN interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 1.1.1.105
ip route 1.1.1.0 255.255.255.0 1.1.1.105
ip route 1.1.1.90 255.255.255.255 1.1.1.105
!
route-map EZVPN permit 1
match ip address 103
!
end

Routes and interfaces

881#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
      D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
      N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
      E1 - OSPF external type 1, E2 - OSPF external type 2
      i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
      ia - IS-IS inter area, * - candidate default, U - per-user static route
      o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
      + - replicated route, % - next hop override

Gateway of last resort is 1.1.1.105 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 1.1.1.105
               [1/0] via 0.0.0.0, Virtual-Access1
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.120.120.0/24 is directly connected, Vlan1
L        10.120.120.253/32 is directly connected, Vlan1
     91.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
S        1.1.1.0/24 [1/0] via 1.1.1.105
S        1.1.1.90/32 [1/0] via 1.1.1.105
C        1.1.1.104/30 is directly connected, FastEthernet4
L        1.1.1.106/32 is directly connected, FastEthernet4
881#
881#
881#sh ip int
881#sh ip interface br
881#sh ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0              unassigned      YES unset  down                  down
FastEthernet1              unassigned      YES unset  down                  down
FastEthernet2              unassigned      YES unset  up                    up
FastEthernet3              unassigned      YES unset  down                  down
FastEthernet4              1.1.1.106   YES NVRAM  up                    up
NVI0                       1.1.1.106   YES unset  up                    up
Virtual-Access1            1.1.1.106   YES unset  up                    up
Vlan1                      10.120.120.253  YES NVRAM  up                    up

FIXASA# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
      D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
      N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
      E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
      i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
      * - candidate default, U - per-user static route, o - ODR
      P - periodic downloaded static route

Gateway of last resort is 1.1.1.81 to network 0.0.0.0

S    10.120.120.0 255.255.255.0 [1/0] via 1.1.1.81, inet
C    10.5.0.0 255.255.0.0 is directly connected, inside
C    1.1.1.80 255.255.255.240 is directly connected, inet
S*   0.0.0.0 0.0.0.0 [1/0] via 1.1.1.81, inet

Versions

881#sh ver
Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.1(4)M5, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 04-Sep-12 21:03 by prod_rel_team

ROM: System Bootstrap, Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)

881 uptime is 3 hours, 39 minutes
System returned to ROM by reload at 12:25:12 UTC Mon Feb 11 2013
System restarted at 12:25:48 UTC Mon Feb 11 2013
System image file is "flash:c880data-universalk9-mz.151-4.M5.bin"
Last reload type: Normal Reload
Last reload reason: Reload Command




Cisco 881 (MPC8300) processor (revision 1.0) with 236544K/25600K bytes of memory.
Processor board ID FCZ

5 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
256K bytes of non-volatile configuration memory.
125496K bytes of ATA CompactFlash (Read/Write)


License Info:

License UDI:

-------------------------------------------------
Device#   PID                   SN
-------------------------------------------------
*0        CISCO881-K9           FC



License Information for 'c880-data'
   License Level: advipservices   Type: EvalRightToUse
   Next reboot license Level: advipservices


Configuration register is 0x2102

FIXASA#  sh ver

Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(5)

Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
Config file at boot was "startup-config"

FIXASA up 2 hours 30 mins

Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                            Boot microcode   : CN1000-MC-BOOT-2.00
                            SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                            IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: GigabitEthernet0/0  : address is 0021.d8cb.c5d8, irq 9
1: Ext: GigabitEthernet0/1  : address is 0021.d8cb.c5d9, irq 9
2: Ext: GigabitEthernet0/2  : address is 0021.d8cb.c5da, irq 9
3: Ext: GigabitEthernet0/3  : address is 0021.d8cb.c5db, irq 9
4: Ext: Management0/0       : address is 0021.d8cb.c5d7, irq 11
5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5

Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 150
Inside Hosts                   : Unlimited
Failover                       : Active/Active
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
Security Contexts              : 2
GTP/GPRS                       : Disabled
SSL VPN Peers                  : 2
Total VPN Peers                : 750
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has an ASA 5520 VPN Plus license.

Serial Number: J
Running Activation Key: 0x1722c167 
Configuration register is 0x1
Configuration last modified by admin at 05:16:48.229 UTC Wed Oct 15 2003
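As an added triage aid (not from the post, and not Cisco tooling), a small Python parser for the packet-tracer output quoted above: it reports which phase dropped the flow, whether an implicit rule matched, and cross-checks the traced source against the ASA's own interface addresses from the running config, since 10.5.90.90 in the trace is also the inside interface address and that is worth ruling out before reading the drop as an ACL problem.

```python
import re

# Packet-tracer output (shortened to the phase that matters) and the two
# interface stanzas are quoted from the post; the parser itself is added here.
TRACE = """\
FIXASA# packet-tracer input inside icmp 10.5.90.90 0 0 1 10.120.120.253 detail
Phase: 3
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Additional Information:
in  id=0xccc44e20, priority=500, domain=permit, deny=true
       src ip=10.5.90.90, mask=255.255.255.255, port=0
Result:
input-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

ASA_CONFIG = """\
interface GigabitEthernet0/0
 nameif inet
 ip address 1.1.1.90 255.255.255.240
interface GigabitEthernet0/1
 nameif inside
 ip address 10.5.90.90 255.255.0.0
"""


def interface_addresses(config):
    """Map each nameif to the IP configured on that ASA interface."""
    addrs, nameif = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            addrs[nameif] = line.split()[2]
    return addrs


def analyze(trace, config):
    """Report the dropping phase and whether the traced source is an ASA address."""
    cmd = re.search(r"packet-tracer input \S+ \S+ (\S+) ", trace)
    src = cmd.group(1)
    # Each phase chunk starts with its "Type:" line once the "Phase: N" header is cut.
    phases = re.split(r"^Phase: \d+\n", trace, flags=re.M)[1:]
    dropped = next((p for p in phases if "Result: DROP" in p), "")
    reason = re.search(r"^Drop-reason: (.*)$", trace, re.M)
    own = interface_addresses(config)
    return {
        "source": src,
        "drop_phase": dropped.split("\n", 1)[0].split(": ", 1)[1] if dropped else None,
        "implicit_rule": "Implicit Rule" in dropped,
        "drop_reason": reason.group(1) if reason else None,
        "source_interface": next((n for n, a in own.items() if a == src), None),
    }
```

Run `analyze(TRACE, ASA_CONFIG)`; a non-empty `source_interface` means the trace was sourced from the ASA's own address rather than from a LAN host.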
