Hoppa till innehåll

  • Logga in via Facebook Logga in via Twitter Logga in via Windows Live Log In with LinkedIn Log In with Google      Logga in   
  • Registrera dig nu!

Har problem med att koppla två AS5505 via VPN

asa 5505 ssl vpn

Den här tråden har blivit arkiverad. Det betyder att du inte kan skriva något inlägg i tråden.
2 svar i denna tråden

#1 edit

edit

  • 3 inlägg

Skriven 12 August 2012 - 13:01

1.) (85) får inte kontakt med internet, men får kontakt med server och nätverk på HK
2.) Ser att router (90) kopplas upp via VPN till HK men kommuniserar inte. 90 skickar packet men HK skickar inte paket till 90. vad är fel i konfig.

Hoppas någon kan hjälpa

-Fred


: Saved
:
ASA Version 8.2(5)
!
hostname HK
enable password **** encrypted
passwd **** encrypted
names
name 192.168.25.5 Server1_inside description Mdeamon
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 217.72.111.111 255.255.255.248
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.25.254 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup Outside
dns domain-lookup management
dns domain-lookup Inside
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
access-list dsgrp_splitTunnelAcl standard permit 192.168.25.0 255.255.255.0
access-list dsgrp_splitTunnelAcl standard permit 192.168.80.0 255.255.255.0
access-list dsgrp_splitTunnelAcl remark ASA 35
access-list dsgrp_splitTunnelAcl standard permit 192.168.35.0 255.255.255.0
access-list dsgrp_splitTunnelAcl remark ASA 45
access-list dsgrp_splitTunnelAcl standard permit 192.168.45.0 255.255.255.0
access-list dsgrp_splitTunnelAcl remark ASA 55
access-list dsgrp_splitTunnelAcl standard permit 192.168.55.0 255.255.255.0
access-list dsgrp_splitTunnelAcl remark AS A65
access-list dsgrp_splitTunnelAcl standard permit 192.168.65.0 255.255.255.0
access-list dsgrp_splitTunnelAcl remark ASA 75
access-list dsgrp_splitTunnelAcl standard permit 192.168.75.0 255.255.255.0
access-list dsgrp_splitTunnelAcl remark ASA 85
access-list dsgrp_splitTunnelAcl standard permit 192.168.85.0 255.255.255.0
access-list dsgrp_splitTunnelAcl remark ASA90
access-list dsgrp_splitTunnelAcl standard permit 192.168.90.0 255.255.255.0
access-list Inside_nat0_outbound remark VPN Client users
access-list Inside_nat0_outbound extended permit ip 192.168.25.0 255.255.255.0 172.16.1.0 255.255.255.128
access-list Inside_nat0_outbound remark ASA 35
access-list Inside_nat0_outbound extended permit ip 192.168.25.0 255.255.255.0 192.168.35.0 255.255.255.0
access-list Inside_nat0_outbound remark ASA 45
access-list Inside_nat0_outbound extended permit ip 192.168.25.0 255.255.255.0 192.168.45.0 255.255.255.0
access-list Inside_nat0_outbound remark ASA 55
access-list Inside_nat0_outbound extended permit ip 192.168.25.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list Inside_nat0_outbound remark ASA 65
access-list Inside_nat0_outbound extended permit ip 192.168.25.0 255.255.255.0 192.168.65.0 255.255.255.0
access-list Inside_nat0_outbound remark ASA 75
access-list Inside_nat0_outbound extended permit ip 192.168.25.0 255.255.255.0 192.168.75.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.25.0 255.255.255.0 192.168.80.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.25.0 255.255.255.0 192.168.85.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.25.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 192.168.35.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 192.168.45.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 192.168.65.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 192.168.75.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 192.168.80.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 192.168.85.0 255.255.255.0
access-list Inside_nat0_outbound remark ASA90
access-list Inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list Outside_access_in extended permit icmp any any
access-list Outside_access_in extended permit tcp any host 217.72.111.111 object-group DM_INLINE_TCP_1 log debugging
access-list Outside_access_in extended permit tcp any host 217.72.111.107 eq smtp log debugging
access-list Inside_access_in extended permit icmp any any
access-list Inside_access_in extended permit ip any any
access-list usrgp_SplitTunnelACL standard permit 192.168.25.0 255.255.255.0
access-list agrp standard permit 192.168.25.0 255.255.255.0
access-list agrp remark Vpn client users
access-list agrp standard permit 172.16.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu management 1500
mtu Inside 1500
ip local pool vpnpool 172.16.1.1-172.16.1.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp 217.72.111.108 https 192.168.25.2 https netmask 255.255.255.255  dns
static (Inside,Outside) tcp 217.72.111.108 www 192.168.25.2 www netmask 255.255.255.255  dns
static (Inside,Outside) tcp 217.72.111.107 smtp 192.168.25.2 smtp netmask 255.255.255.255  dns
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 217.72.111.105 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
action terminate
dynamic-access-policy-record Remote_AD
description "Users in ad group remote_ad"
aaa-server GH_LDAP protocol ldap
aaa-server GH_LDAP (Inside) host 192.168.25.2
ldap-base-dn dc=garahovsbygg,DC=com
ldap-scope subtree
ldap-naming-attribute samAccountName
ldap-login-password *****
ldap-login-dn CN=asauser,CN=users,DC=garahovsbygg,DC=com
server-type microsoft
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.25.0 255.255.255.0 Inside
http 146.66.235.51 255.255.255.255 Outside
http 172.16.1.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=Garahov-HK
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate
*****
   quit
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access Inside
dhcpd auto_config Inside vpnclient-wins-override
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 193.228.143.13 source Outside prefer
ntp server 193.228.143.12 source Outside
webvpn
group-policy agrp internal
group-policy agrp attributes
dns-server value 192.168.25.2 8.8.8.8
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list none
default-domain none
nem enable
group-policy usrgrp internal
group-policy usrgrp attributes
dns-server value 192.168.25.2 8.8.8.8
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value usrgp_SplitTunnelACL
default-domain none
address-pools value vpnpool
group-policy dsgrp internal
group-policy dsgrp attributes
dns-server value 194.18.231.5
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value dsgrp_splitTunnelAcl
username afw90 password **** encrypted
username afw90 attributes
vpn-group-policy agrp
service-type remote-access
username afw35 password **** encrypted
username afw35 attributes
vpn-group-policy agrp
service-type remote-access
username afw45 password **** encrypted
username afw45 attributes
vpn-group-policy agrp
service-type remote-access
username afw55 password **** encrypted
username afw55 attributes
vpn-group-policy agrp
service-type remote-access
username afw65 password **** encrypted
username afw65 attributes
vpn-group-policy agrp
service-type remote-access
username afw75 password **** encrypted
username afw75 attributes
vpn-group-policy agrp
service-type remote-access
username afw85 password **** encrypted
username afw85 attributes
vpn-group-policy agrp
service-type remote-access
username **** password **** encrypted privilege 15
username Koneo attributes
vpn-group-policy dsgrp
tunnel-group dsgrp type remote-access
tunnel-group dsgrp general-attributes
address-pool vpnpool
default-group-policy dsgrp
tunnel-group dsgrp ipsec-attributes
pre-shared-key *****
tunnel-group agrp type remote-access
tunnel-group agrp general-attributes
address-pool vpnpool
default-group-policy agrp
tunnel-group agrp ipsec-attributes
pre-shared-key *****
tunnel-group usrgrp type remote-access
tunnel-group usrgrp general-attributes
authentication-server-group GH_LDAP
default-group-policy usrgrp
tunnel-group usrgrp ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect snmp
  inspect icmp
  inspect icmp error
  inspect http
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end
asdm location Server1_inside 255.255.255.255 Inside
asdm location 192.168.85.0 255.255.255.0 Inside
asdm location 192.168.90.0 255.255.255.0 Inside
no asdm history enable








------------------------------------------------------------------------------------------------------------------
: Saved
:
ASA Version 8.4(3)
!
hostname asa85
enable password **** encrypted
passwd **** encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.85.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
boot system disk0:/asa825-k8.bin
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
access-list outside_access_in extended permit icmp any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_nat_static extended permit tcp host 192.168.1.2 eq https any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
!
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.25.0 255.255.255.0 inside
http 172.16.1.0 255.255.255.0 inside
http 192.168.85.0 255.255.255.0 inside
http 146.66.235.51 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
vpnclient server 217.72.111.111
vpnclient mode network-extension-mode
vpnclient vpngroup agrp password *****
vpnclient username afw85 password *****
vpnclient enable
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 192.168.85.100-192.168.85.120 inside
dhcpd dns 192.168.25.2 8.8.8.8 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username **** password **** encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect ipsec-pass-thru
  inspect pptp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:2b6b7bebc0d14611f71008c490591dcb
: end
asdm image disk0:/asdm-647.bin
no asdm history enable
------------------------------------------------------------------------------------------------------------
: Saved
:
ASA Version 8.4(4)1
!
hostname asa90
enable password **** encrypted
passwd **** encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.90.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
object network obj_any
subnet 0.0.0.0 0.0.0.0
access-list outside_access_in extended permit icmp any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_nat_static extended permit tcp host 192.168.1.2 eq https any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
!
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.25.0 255.255.255.0 inside
http 172.16.1.0 255.255.255.0 inside
http 192.168.90.0 255.255.255.0 inside
http 146.66.235.51 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
vpnclient server 217.72.111.111
vpnclient mode network-extension-mode
vpnclient vpngroup agrp password *****
vpnclient username afw_90 password *****
vpnclient enable
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 192.168.90.100-192.168.90.120 inside
dhcpd dns 192.168.25.2 8.8.8.8 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username **** password **** encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect ipsec-pass-thru
  inspect pptp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:157b221b8198ecd1bc97f841928949f9
: end
asdm image disk0:/asdm-649.bin
no asdm history enable

#2 direktörn

direktörn

  • 3603 inlägg

Skriven 12 August 2012 - 17:43

Tyvärr lite för jobbigt att läsa igenom config. Vad säger diagnostic i ASDM om du testar reglerna?

#3 martyboy

martyboy

  • 790 inlägg

Skriven 13 August 2012 - 10:03

Hej!


Det är lite mycket kod att gå igenom men utifrån de felbeskrivningar du anger så brukar de nästan alltid bero på felkonfigurering i NAT reglerna. Och då menar jag undanta NAT för VPN trafik respektive NAT trafik som skall ut på nätet.  Kolla dessutom igenom dina ACL på HK Asan, det är lite rörigt där.


Sen ett tips, även om det bara är godhjärtade personer här på itproffs så skulle jag maskera de publika IP numrena. Man vet aldrig vilka som är här och tittar...
CCNP & CCSP