Cisco VPN Client por trás do ASA 5505

2

Estou tentando me conectar a outro ASA via Cisco VPN Client. Eu estou por trás de um ASA 5505 e estou tentando VPN para um 5510.

Eu recebo a mensagem:

Conexão VPN Segura terminada localmente pelo Cliente. Razão 412: O ponto remoto não está mais respondendo.

Eu posso me conectar ao outro ASA se eu usar um Linksys normal e barato.

Aqui está a versão do meu ASA:

Resultado do comando: "sh ver"

Versão do Software Cisco Adaptive Security Appliance 8.4 (1)

Qualquer ajuda seria ótima.

Obrigado

running-config


    : Saved
: Written by enable_15 at 23:12:32.378 UTC Fri Jul 1 2011
!
ASA Version 8.4(1) 
!
hostname aaaasa
domain-name aaa.local
enable password xxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxxxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.254.0 
!
interface Vlan5
 no nameif
 security-level 50
 ip address 172.16.0.254 255.255.255.0 
!
interface Vlan500
 no nameif
 security-level 100
 ip address 10.10.10.1 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa841-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 4.2.2.2
 domain-name aaa.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any 
 subnet 0.0.0.0 0.0.0.0
object network A_93.97.168.1 
 host 93.97.168.1
object network rdp 
 host 192.168.1.2
object network NETWORK_OBJ_192.168.1.0_24 
 subnet 192.168.1.0 255.255.255.0
access-list 101 extended permit tcp any host 192.168.1.2 eq 3389 
access-list 101 extended permit icmp any any echo-reply 
access-list 101 extended permit icmp any any source-quench 
access-list 101 extended permit icmp any any time-exceeded 
access-list 101 extended permit icmp any any unreachable 
access-list 102 extended permit ip any any 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1492
ip local pool VPNPool 192.168.2.200-192.168.2.210 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
!
object network rdp
 nat (inside,outside) static interface service tcp 3389 3389 
!
nat (inside,outside) after-auto source dynamic any interface
access-group 101 in interface outside
access-group 102 out interface outside
!
router ospf 1
 network 192.168.1.0 255.255.255.0 area 0
 log-adj-changes
!
route outside 0.0.0.0 0.0.0.0 93.97.168.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ciscoasa
 proxy-ldc-issuer
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 8877d64d
    30820248 308201b1 a0030201 02020488 77d64d30 0d06092a 864886f7 0d010105 
    05003036 3111300f 06035504 03130863 6973636f 61736131 21301f06 092a8648 
    86f70d01 09021612 63697363 6f617361 2e6e6a64 2e6c6f63 616c301e 170d3131 
    30353231 30383533 34325a17 0d323130 35313830 38353334 325a3036 3111300f 
    06035504 03130863 6973636f 61736131 21301f06 092a8648 86f70d01 09021612 
    63697363 6f617361 2e6e6a64 2e6c6f63 616c3081 9f300d06 092a8648 86f70d01 
    01010500 03818d00 30818902 818100ea 1aa95141 480e616c efee6816 a96d6511 
    313b6776 cd3dd57b cd84b4d2 5e108aee 7c980086 4d92e2eb b6c7bf66 4585af0a 
    ccbf153a db9270be c6f5c67b db9dd8d1 2f78d033 3348b056 df4be0da 70e08953 
    53adf294 9db6c020 597d250f bf448b43 b90179c8 ff0b15d8 744632d9 31c1945f 
    0b11e258 b4c1d224 692efff4 7b2f5102 03010001 a3633061 300f0603 551d1301 
    01ff0405 30030101 ff300e06 03551d0f 0101ff04 04030201 86301f06 03551d23 
    04183016 8014493c 19db183a ab1af9e9 b1e44ad4 2a408b3c 89d1301d 0603551d 
    0e041604 14493c19 db183aab 1af9e9b1 e44ad42a 408b3c89 d1300d06 092a8648 
    86f70d01 01050500 03818100 1dd1760a fdd15941 4803fb9a cd6f44a7 2e275854 
    a1c0fbe1 d19f2cc9 182d43ef a547f854 8df96d15 3ea79c62 cf3fcb1c 5820360b 
    c607dbfc 4de8bb16 19f727e9 b928a085 665816d8 138e4a35 ed610950 7910dd4a 
    0b1a9dd9 0e26f1c8 b78bc0cc cbf19eb2 4c4c3931 45199ea5 249e3266 661e44fd 
    7a00d376 dcfc6e4e d43f10b8
  quit
crypto isakmp nat-traversal 30
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd dns 4.2.2.2 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host number-of-rate 3
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 82.219.4.31 source outside prefer
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 anyconnect profiles AnyConnectVPN_client_profile disk0:/AnyConnectVPN_client_profile.xml
 anyconnect profiles SSLAnyConnectVPN_client_profile disk0:/SSLAnyConnectVPN_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_AnyConnectVPN internal
group-policy GroupPolicy_AnyConnectVPN attributes
 wins-server none
 dns-server value 4.2.2.2
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
 default-domain value aaa.local
 webvpn
  url-list none
  anyconnect profiles value AnyConnectVPN_client_profile type user
group-policy GroupPolicy_SSLAnyConnectVPN internal
group-policy GroupPolicy_SSLAnyConnectVPN attributes
 wins-server none
 dns-server value 4.2.2.2
 vpn-tunnel-protocol ikev2 ssl-client 
 default-domain value aaa.local
 webvpn
  anyconnect profiles value SSLAnyConnectVPN_client_profile type user
username testuser password xxxxxxxxxxxxxxxxx encrypted privilege 0
username testuser attributes
 vpn-group-policy GroupPolicy_AnyConnectVPN
tunnel-group SSLPOL type remote-access
tunnel-group SSLPOL general-attributes
 default-group-policy GroupPolicy_AnyConnectVPN
tunnel-group SSLAnyConnectVPN type remote-access
tunnel-group SSLAnyConnectVPN general-attributes
 address-pool VPNPool
 default-group-policy GroupPolicy_SSLAnyConnectVPN
tunnel-group SSLAnyConnectVPN webvpn-attributes
 group-alias SSLAnyConnectVPN enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect esmtp 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect sip  
  inspect skinny  
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect xdmcp 
!
service-policy global_policy global
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:94a65341aa27d3929d5e92a32ba22120
: end
    
por fdf33 01.07.2011 / 21:56

3 respostas

2

É bem possível que seja um problema de NAT. Você precisa configurar o NAT traversal no 5510. Faça assim:

crypto isakmp nat-traversal 30

Se isso não funcionar, você pode nos fornecer exibições em ambos os dispositivos?

    
por 01.07.2011 / 22:22
2

Estou assumindo que sua estação de trabalho está por trás da interface interna do ASA5505 na rede 192.168.1.0/24. Sua estação de trabalho, o iniciador IKE / IPSec, está se conectando a um ASA5510 distante, o respondente IKE / IPSec, na interface externa do seu ASA5505 (a Internet). Sua estação de trabalho é dinâmica PAT quando o tráfego cruza dentro - > fora.

Sem ver a configuração ASA5510 remota e a saída de depuração adicional, é difícil determinar o problema. Em vez disso, descreverei as três maneiras possíveis de fazer o IKE / IPSec funcionar nos limites do NAT / PAT. Cada um dos abaixo é uma solução completa.

As entradas de configuração do ASA abaixo são válidas para o ASA 8.4.

1. Ative o IKE NAT Traversal (IKE NAT-T) no respondedor (ASA5510) e configure o cliente Cisco VPN para usar o IPSec sobre UDP / NAT-T. IKE NAT-T não deve ser confundido com a passagem NAT geral, como STUN, etc. IKE NAT-T é definido no RFC3947 e é suportado em muitos iniciadores e respondedores - tanto de software como de hardware. O IKE NAT-T também foi chamado IPSec over UDP e usa UDP / 500 e UDP / 4500 (geralmente) no respondedor. Certifique-se de que o iniciador possa se conectar ao respondedor no UDP / 500 e no UDP / 4500.

crypto isakmp nat-traversal 30

2. Habilite o IPSec sobre TCP no respondente (ASA5510) e configure o cliente Cisco VPN para usar o IPSec sobre TCP. Com o IPSec sobre TCP, a conectividade e as sessões IKE e IPSec usam somente a porta TCP especificada. TCP / 10000 é o padrão. Certifique-se de que o iniciador possa se conectar ao respondedor na porta TCP escolhida.

crypto ikev1 ipsec-over-tcp 10000

3. Configurar o NAT estático para a estação de trabalho / iniciador - não dinâmico PAT ou PAT estático - e habilitar inspecionar ipsec-pass-thru ALG / inspeção no lado do iniciador (seu) COMO UM. De acordo com a documentação do ASA 8.4 (e inferior), o ALG ipsec-pass-thru do ASA é suportado apenas em tráfego estático de NAT (NAT tradicional) e não-NAT, não em tráfego PAT.

object network hst-192.168.1.100
 description WS01
 host 192.168.1.100
 nat (inside,outside) static 1.2.3.4

class-map default_inspection_class
 match default-inspection-traffic    

policy-map example_policy
 class default_inspection_class
  inspect ipsec-pass-thru

Até onde sei, essas são as únicas formas conhecidas de fazer com que o IPSec funcione através do NAT - seja PAT ou NAT. Veja a sua situação com o seu ASA, o ASA remoto, e faça a sua escolha.

-Weaver

    
por 16.07.2011 / 19:47
0

talvez você precise permitir o tráfego IPSEC de passagem.

aqui está um exemplo de configuração:

PIX 7.X and up Configuration:
interface Ethernet0
nameif outside
security-level 0
ip address 10.99.99.1 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!

global (outside) 1 interface
nat (inside) 0 0.0.0.0 0.0.0.0
static (inside,outside) 10.99.99.12 10.1.1.2 netmask 255.255.255.255 0 0

access-list acl-out permit esp host 10.99.99.2 host 10.99.99.12
access-list acl-out permit udp host 10.99.99.2 host 10.99.99.12 eq isakmp
access-list acl-out permit udp host 10.99.99.2 host 10.99.99.12 eq 4500

access-group acl-out in interface outside
    
por 01.07.2011 / 22:31