PleskovGrad, posted 11 February 2013

Task: connect a Cisco ASA 5520 and an 881 router with a VPN. The ASA will be the server and the router the client. Of the few available solutions I am struggling with EasyVPN. Why that one? First, it is supported by both platforms, ASA and IOS. Second, the solution has to scale: there will be hundreds of 880s, and site-to-site VPN would bury me in manual configuration and support work. Third, many of the 880s sit behind NAT and without a permanent external IP.

The network layout is clear from the diagram.

On the 881 we configure EasyVPN:

crypto ipsec client ezvpn ASA
 connect auto
 group MAGAZ_TUNNEL_GROUP key *
 mode network-extension
 peer 1.1.1.90
 virtual-interface
 username user2 password user2
 xauth userid mode local

The tunnel is built normally: a static route for 10.120.120.0/24 is added on the ASA, interface Virtual-Access1 comes up on the 881, and a route "[1/0] via 0.0.0.0, Virtual-Access1" appears. This morning this setup could even be pinged from the ASA side, i.e.

FIXASA#ping 10.120.120.253
FIXASA#ping 10.120.120.2

completed successfully. From the other side, no. And here, I suppose, is the first problem: where should I ping from the 881? There are no routes to anything like 10.5.0.0. Add one? What do I specify as the destination?

In the EasyVPN client settings I tried

mode client
mode network-plus

This lets the 880 router obtain the IP 172.20.1.1/32. And what to do with it next? It can be used as is, or attached to various loopbacks, virtual-templates and so on. A route like

ip route 10.5.0.0 255.255.0.0 loopback10000

chases the packet around the router until the TTL runs out.

By evening, after more trials and experiments, even this small success had been destroyed.

FIXASA# ping 10.120.120.253
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.120.120.253, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

The 881's reaction to this:

881#debug ip icmp
881#
Feb 11 16:07:32.175: ICMP: echo reply sent, src 10.120.120.253, dst 1.1.1.90, topology BASE, dscp 0 topoid 0
Feb 11 16:07:34.163: ICMP: echo reply sent, src 10.120.120.253, dst 1.1.1.90, topology BASE, dscp 0 topoid 0
Feb 11 16:07:36.163: ICMP: echo reply sent, src 10.120.120.253, dst 1.1.1.90, topology BASE, dscp 0 topoid 0
Feb 11 16:07:38.163: ICMP: echo reply sent, src 10.120.120.253, dst 1.1.1.90, topology BASE, dscp 0 topoid 0
Feb 11 16:07:40.163: ICMP: echo reply sent, src 10.120.120.253, dst 1.1.1.90, topology BASE, dscp 0 topoid 0

Reaction of the ASA Real-time Log Viewer:

Checking with packet-tracer:

FIXASA# packet-tracer input inside icmp 10.5.90.90 0 0 1 10.120.120.253 detail$

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.120.120.0    255.255.255.0   inet

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xccc44e20, priority=500, domain=permit, deny=true
        hits=0, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.5.90.90, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inet
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

It points to a rule that denies ip. But there is an earlier rule that permits icmp! It looks like the problem is that I have blocked icmp somewhere. It is hard to test with anything other than ping; the system is at the "test bench" stage.

Please rescue me from this EasyVPN configuration dead end. If it is possible to make the ASA work with an IOS router in other ways, I will gladly study them. Before this I tried L2TP over IPSec. From a Win7 PC to the ASA it came up, but from the router it did not.
I could not get the configuration working; presumably the security parameters could not be negotiated. Let me note once more that Site-to-Site (LAN-to-LAN) VPN is unacceptable.

Cisco ASA config

FIXASA# sh run
: Saved
:
ASA Version 8.2(2)
!
hostname FIXASA
names
dns-guard
!
interface GigabitEthernet0/0
 description == INET ==
 nameif inet
 security-level 100
 ip address 1.1.1.90 255.255.255.240
!
interface GigabitEthernet0/1
 description == LAN ==
 nameif inside
 security-level 100
 ip address 10.5.90.90 255.255.0.0
boot system disk0:/asa822-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service any
 service-object tcp-udp
 service-object ip
 service-object udp
object-group network DM_INLINE_NETWORK_1
 network-object 0.0.0.0 0.0.0.0
 network-object 1.1.1.80 255.255.255.240
access-list TELNET extended permit ip any any
access-list ANYBODY extended permit ip any any
access-list inet_access_in extended permit object-group any any object-group DM_INLINE_NETWORK_1
access-list inet_access_in extended permit icmp any any
access-list NO-NAT extended permit ip 10.5.0.0 255.255.0.0 10.120.120.0 255.255.255.0
access-list EZVPN extended permit ip 10.5.0.0 255.255.0.0 10.120.120.0 255.255.255.0
access-list inside_access_in extended permit icmp any any
access-list inet_access_out extended permit icmp any any
access-list inside_access_out extended permit icmp any any
pager lines 50
logging enable
logging asdm informational
logging debug-trace
mtu inet 1500
mtu inside 1500
ip local pool OFFICEVPN 10.5.13.1-10.5.13.255 mask 255.255.0.0
ip local pool MAGAZ_172_POOL 172.20.1.0-172.20.1.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list NO-NAT
access-group inet_access_in in interface inet
access-group inet_access_out out interface inet
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
!
router eigrp 1
 no auto-summary
 eigrp stub connected static redistributed
 network 10.5.0.0 255.255.0.0
 passive-interface inet
!
route inet 0.0.0.0 0.0.0.0 1.1.1.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
http 1.1.1.0 255.255.255.0 inet
no snmp-server location
no snmp-server contact
crypto ipsec transform-set MAGAZ esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set MAGAZ
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map inet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inet_map interface inet
crypto isakmp enable inet
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inet
telnet timeout 30
ssh timeout 5
console timeout 0
management-access inet
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 des-sha1 null-sha1 rc4-md5 rc4-sha1
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 10.5.0.1
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
 dns-server value 10.5.0.1
 vpn-tunnel-protocol l2tp-ipsec
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec
 password-storage enable
 ipsec-udp enable
 nem enable
 msie-proxy method no-proxy
 address-pools value MAGAZ_172_POOL
group-policy DiffGrpPolicy internal
group-policy DiffGrpPolicy attributes
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol l2tp-ipsec
 address-pools value OFFICEVPN
username user1 password ALLIXd+9jMgWAtb8c0DrCw== nt-encrypted
username user2 password G1SInyx0A0./Dx3t encrypted
tunnel-group DefaultRAGroup general-attributes
 address-pool (inet) OFFICEVPN
 address-pool (inside) OFFICEVPN
 address-pool OFFICEVPN
 authentication-server-group (inet) LOCAL
 authorization-server-group LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
 peer-id-validate nocheck
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
tunnel-group STORES type ipsec-l2l
tunnel-group MAGAZ_TUNNEL_GROUP type remote-access
tunnel-group MAGAZ_TUNNEL_GROUP general-attributes
 address-pool MAGAZ_172_POOL
 authorization-server-group LOCAL
tunnel-group MAGAZ_TUNNEL_GROUP ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:b8767f3f668af448658facaaca8f4a20
: end
FIXASA#

Cisco 881 router config

881#sh run
Building configuration...

Current configuration : 4094 bytes
!
! Last configuration change at 16:00:19 UTC Mon Feb 11 2013 by admin
! NVRAM config last updated at 16:00:20 UTC Mon Feb 11 2013 by admin
! NVRAM config last updated at 16:00:20 UTC Mon Feb 11 2013 by admin
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 881
!
boot-start-marker
boot system flash c880data-universalk9-mz.151-4.M5.bin
boot-end-marker
logging buffered 51200 warnings
aaa new-model
aaa session-id common
memory-size iomem 10
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3988300521
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3988300521
 revocation-check none
 rsakeypair TP-self-signed-3988300521
!
!
crypto pki certificate chain TP-self-signed-3988300521
 certificate self-signed 01
  3082022B ....
  quit
ip source-route
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
 import all
 network 10.10.10.0 255.255.255.248
 default-router 10.10.10.1
 lease 0 2
!
!
ip cef
no ip domain lookup
ip domain name fix-price.ru
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-K9 sn FC
license boot module c880-data level advipservices
no spanning-tree vlan 1
ip tftp source-interface Vlan1
!
crypto ipsec client ezvpn ASA
 connect auto
 group MAGAZ_TUNNEL_GROUP key *
 mode network-extension
 peer 1.1.1.90
 virtual-interface
 username user2 password user2
 xauth userid mode local
!
interface FastEthernet4
 ip address 1.1.1.106 255.255.255.252
 ip virtual-reassembly in
 duplex full
 speed 100
 crypto ipsec client ezvpn ASA
!
interface Vlan1
 ip address 10.120.120.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 crypto ipsec client ezvpn ASA inside
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map EZVPN interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 1.1.1.105
ip route 1.1.1.0 255.255.255.0 1.1.1.105
ip route 1.1.1.90 255.255.255.255 1.1.1.105
!
route-map EZVPN permit 1
 match ip address 103
!
end

Routes and interfaces

881#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 1.1.1.105 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 1.1.1.105
                [1/0] via 0.0.0.0, Virtual-Access1
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.120.120.0/24 is directly connected, Vlan1
L        10.120.120.253/32 is directly connected, Vlan1
      91.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
S        1.1.1.0/24 [1/0] via 1.1.1.105
S        1.1.1.90/32 [1/0] via 1.1.1.105
C        1.1.1.104/30 is directly connected, FastEthernet4
L        1.1.1.106/32 is directly connected, FastEthernet4

881#sh ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0              unassigned      YES unset  down                  down
FastEthernet1              unassigned      YES unset  down                  down
FastEthernet2              unassigned      YES unset  up                    up
FastEthernet3              unassigned      YES unset  down                  down
FastEthernet4              1.1.1.106       YES NVRAM  up                    up
NVI0                       1.1.1.106       YES unset  up                    up
Virtual-Access1            1.1.1.106       YES unset  up                    up
Vlan1                      10.120.120.253  YES NVRAM  up                    up

FIXASA# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 1.1.1.81 to network 0.0.0.0

S    10.120.120.0 255.255.255.0 [1/0] via 1.1.1.81, inet
C    10.5.0.0 255.255.0.0 is directly connected, inside
C    1.1.1.80 255.255.255.240 is directly connected, inet
S*   0.0.0.0 0.0.0.0 [1/0] via 1.1.1.81, inet

Versions

881#sh ver
Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.1(4)M5, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 04-Sep-12 21:03 by prod_rel_team

ROM: System Bootstrap, Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)

881 uptime is 3 hours, 39 minutes
System returned to ROM by reload at 12:25:12 UTC Mon Feb 11 2013
System restarted at 12:25:48 UTC Mon Feb 11 2013
System image file is "flash:c880data-universalk9-mz.151-4.M5.bin"
Last reload type: Normal Reload
Last reload reason: Reload Command

Cisco 881 (MPC8300) processor (revision 1.0) with 236544K/25600K bytes of memory.
Processor board ID FCZ
5 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
256K bytes of non-volatile configuration memory.
125496K bytes of ATA CompactFlash (Read/Write)

License Info:

License UDI:

-------------------------------------------------
Device#   PID                   SN
-------------------------------------------------
*0        CISCO881-K9           FC

License Information for 'c880-data'
    License Level: advipservices   Type: EvalRightToUse
    Next reboot license Level: advipservices

Configuration register is 0x2102

FIXASA# sh ver

Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(5)

Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
Config file at boot was "startup-config"

FIXASA up 2 hours 30 mins

Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
 0: Ext: GigabitEthernet0/0  : address is 0021.d8cb.c5d8, irq 9
 1: Ext: GigabitEthernet0/1  : address is 0021.d8cb.c5d9, irq 9
 2: Ext: GigabitEthernet0/2  : address is 0021.d8cb.c5da, irq 9
 3: Ext: GigabitEthernet0/3  : address is 0021.d8cb.c5db, irq 9
 4: Ext: Management0/0       : address is 0021.d8cb.c5d7, irq 11
 5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
 6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5

Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 150
Inside Hosts                   : Unlimited
Failover                       : Active/Active
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
Security Contexts              : 2
GTP/GPRS                       : Disabled
SSL VPN Peers                  : 2
Total VPN Peers                : 750
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has an ASA 5520 VPN Plus license.
Serial Number: J
Running Activation Key: 0x1722c167
Configuration register is 0x1
Configuration last modified by admin at 05:16:48.229 UTC Wed Oct 15 2003
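A small parser for the packet-tracer output quoted in the post, added here as an example and not part of the original post: it splits the output into its phases, finds the first one that returned DROP, and pulls the matched rule's fields (id, deny flag, src/dst with masks) and the Drop-reason out of the text. The sample string is the post's own packet-tracer output with phase 1 omitted; no other assumptions are made.

```python
import re
# Sample packet-tracer output copied from the post above (phase 1 omitted for brevity).
SAMPLE = """\
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.120.120.0    255.255.255.0   inet

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xccc44e20, priority=500, domain=permit, deny=true
        hits=0, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.5.90.90, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_phases(text):
    """One dict per 'Phase:' block; text after 'Additional Information:' lands in 'detail'."""
    phases = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        if not chunk.startswith("Phase:"):
            continue  # the trailing 'Result:' summary is not a phase
        head, _, detail = chunk.partition("Additional Information:\n")
        fields = dict(re.findall(r"^(\w+): ?(.*)$", head, re.M))
        phases.append({**fields, "detail": detail})
    return phases

def rule_fields(detail):
    """key=value pairs of the matched rule; src/dst are reported with their masks."""
    fields = dict(re.findall(r"\b(\w+)=([^,\s]+)", detail))
    for side, ip, mask in re.findall(r"(src|dst) ip=([^,\s]+), mask=([^,\s]+)", detail):
        fields[side] = f"{ip}/{mask}"
    return fields

def summarize(text):
    """Phase number, type, drop reason and matched rule of the first DROP; None if allowed."""
    drop = next((p for p in parse_phases(text) if p["Result"] == "DROP"), None)
    if drop is None:
        return None
    reason = re.search(r"^Drop-reason: (.*)$", text, re.M)
    return {"phase": int(drop["Phase"]), "type": drop["Type"],
            "reason": reason.group(1) if reason else "", "rule": rule_fields(drop["detail"])}
```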