Site-to-site VPN between a 5505 and a 5512x

1

I'm trying to set up an IPsec site-to-site VPN tunnel between an ASA 5512x and a 5505 on an isolated network.

I ran the IPsec VPN wizard on both devices and used the same settings, but they never seem to try to talk to each other.

5512

  • outside interface: 172.16.1.1
  • inside interface: 10.10.254.254

5505

  • outside interface: 172.16.1.2
  • inside interface: 192.168.1.1

At the moment I only have a single network cable running between the outside interface of each device, and I can ping each device's 172.16.1.x IP.

Is there something I'm missing? Sorry if it's obvious, but I've never worked with a site-to-site configuration before.

The 5512 is running ASA 8.6(1)2 and the 5505 is running ASA 8.2(5)... I'm not sure whether that is simply incompatible; I couldn't find an answer online. I would try upgrading the 5505, but I currently don't have a Cisco account with download access to the images; I'm waiting to hear back from a colleague who has the credentials.

Here are the configurations of the two devices:

5512 config:

: Saved  
:  
ASA Version 8.6(1)2   
!  
hostname asa5512  
domain-name test.com  
enable password 8Ry2YjIyt7RRXU24 encrypted  
passwd 2KFQnbNIdI.2KYOU encrypted  
names  
!  
interface GigabitEthernet0/0  
 nameif outside  
 security-level 0  
 ip address 172.16.1.2 255.255.255.0   
!  
interface GigabitEthernet0/1  
 nameif inside  
 security-level 100  
 ip address 10.10.254.254 255.255.0.0   
!  
interface GigabitEthernet0/2  
 shutdown  
 no nameif  
 no security-level  
 no ip address  
!  
interface GigabitEthernet0/3  
 shutdown  
 no nameif  
 no security-level  
 no ip address  
!  
interface GigabitEthernet0/4  
 shutdown  
 no nameif  
 no security-level  
 no ip address  
!  
interface GigabitEthernet0/5  
 shutdown  
 no nameif  
 no security-level  
 no ip address  
!  
interface Management0/0  
 nameif management  
 security-level 0  
 ip address 192.168.1.1 255.255.255.0   
!  
ftp mode passive  
dns server-group DefaultDNS  
 domain-name test.com  
object network 192.168.1.0_24  
 subnet 192.168.1.0 255.255.255.0  
access-list outside_cryptomap extended permit ip object 192.168.1.0_24 host 172.16.1.2   
pager lines 24  
mtu management 1500  
mtu inside 1500  
mtu outside 1500  
icmp unreachable rate-limit 1 burst-size 1  
no asdm history enable  
arp timeout 14400  
timeout xlate 3:00:00  
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02  
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00  
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00  
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute  
timeout tcp-proxy-reassembly 0:01:00  
timeout floating-conn 0:00:00  
dynamic-access-policy-record DfltAccessPolicy  
user-identity default-domain LOCAL  
http server enable  
http 192.168.1.15 255.255.255.255 management  
no snmp-server location  
no snmp-server contact  
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart  
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac   
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac   
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac   
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac   
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac   
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac   
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac   
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac   
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac   
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac   
crypto ipsec ikev2 ipsec-proposal DES  
 protocol esp encryption des  
 protocol esp integrity sha-1 md5  
crypto ipsec ikev2 ipsec-proposal 3DES  
 protocol esp encryption 3des  
 protocol esp integrity sha-1 md5  
crypto ipsec ikev2 ipsec-proposal AES  
 protocol esp encryption aes  
 protocol esp integrity sha-1 md5  
crypto ipsec ikev2 ipsec-proposal AES192  
 protocol esp encryption aes-192  
 protocol esp integrity sha-1 md5  
crypto ipsec ikev2 ipsec-proposal AES256  
 protocol esp encryption aes-256  
 protocol esp integrity sha-1 md5  
crypto map outside_map1 1 match address outside_cryptomap  
crypto map outside_map1 1 set peer 172.16.1.2   
crypto map outside_map1 1 set ikev1 transform-set ESP-3DES-SHA  
crypto map outside_map1 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES  
crypto map outside_map1 interface outside  
crypto ikev2 policy 1  
 encryption aes-256  
 integrity sha  
 group 5 2  
 prf sha  
 lifetime seconds 86400  
crypto ikev2 policy 10  
 encryption aes-192  
 integrity sha  
 group 5 2  
 prf sha  
 lifetime seconds 86400  
crypto ikev2 policy 20  
 encryption aes  
 integrity sha  
 group 5 2  
 prf sha  
 lifetime seconds 86400  
crypto ikev2 policy 30  
 encryption 3des  
 integrity sha  
 group 5 2  
 prf sha  
 lifetime seconds 86400  
crypto ikev2 policy 40  
 encryption des  
 integrity sha  
 group 5 2  
 prf sha  
 lifetime seconds 86400  
crypto ikev1 policy 120  
 authentication pre-share  
 encryption 3des  
 hash sha  
 group 2  
 lifetime 86400  
telnet timeout 5  
ssh timeout 5  
console timeout 0  
threat-detection basic-threat  
threat-detection statistics access-list  
no threat-detection statistics tcp-intercept  
webvpn  
tunnel-group 172.16.1.2 type ipsec-l2l  
tunnel-group 172.16.1.2 ipsec-attributes  
 ikev1 pre-shared-key *****  
 ikev2 remote-authentication pre-shared-key *****  
 ikev2 local-authentication pre-shared-key *****  
!  
class-map inspection_default  
 match default-inspection-traffic  
!  
!  
policy-map type inspect dns preset_dns_map  
 parameters  
  message-length maximum client auto  
  message-length maximum 512  
policy-map global_policy  
 class inspection_default  
  inspect dns preset_dns_map   
  inspect ftp   
  inspect h323 h225   
  inspect h323 ras   
  inspect ip-options   
  inspect netbios   
  inspect rsh   
  inspect rtsp   
  inspect skinny    
  inspect esmtp   
  inspect sqlnet   
  inspect sunrpc   
  inspect tftp   
  inspect sip    
  inspect xdmcp   
!  
service-policy global_policy global  
prompt hostname context   
no call-home reporting anonymous  
call-home  
 profile CiscoTAC-1  
  no active  
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService  
  destination address email [email protected]  
  destination transport-method http  
  subscribe-to-alert-group diagnostic  
  subscribe-to-alert-group environment  
  subscribe-to-alert-group inventory periodic monthly 27  
  subscribe-to-alert-group configuration periodic monthly 27  
  subscribe-to-alert-group telemetry periodic daily  
Cryptochecksum:aafae49415856e6cd5c44dedd3984999  
: end  
no asdm history enable  

5505 config:

: Saved  
:  
ASA Version 8.2(5)  
!  
hostname ciscoasa  
enable password 8Ry2YjIyt7RRXU24 encrypted  
passwd 2KFQnbNIdI.2KYOU encrypted  
names  
!  
interface Ethernet0/0  
 switchport access vlan 2  
!  
interface Ethernet0/1  
!  
interface Ethernet0/2  
!  
interface Ethernet0/3  
!  
interface Ethernet0/4  
!  
interface Ethernet0/5  
!  
interface Ethernet0/6  
!  
interface Ethernet0/7  
!  
interface Vlan1  
 nameif inside  
 security-level 100  
 ip address 192.168.1.1 255.255.255.0  
!  
interface Vlan2  
 nameif outside  
 security-level 0  
 ip address 172.16.1.1 255.255.255.0  
!  
ftp mode passive  
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 host 172.16.1.2  
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 any  
pager lines 24  
logging enable  
logging asdm informational  
mtu inside 1500  
mtu outside 1500  
icmp unreachable rate-limit 1 burst-size 1  
no asdm history enable  
arp timeout 14400  
nat (inside) 0 access-list inside_nat0_outbound  
nat (inside) 1 0.0.0.0 0.0.0.0  
timeout xlate 3:00:00  
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02  
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00  
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00  
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute  
timeout tcp-proxy-reassembly 0:01:00  
timeout floating-conn 0:00:00  
dynamic-access-policy-record DfltAccessPolicy  
http server enable  
http 192.168.1.0 255.255.255.0 inside  
no snmp-server location  
no snmp-server contact  
snmp-server enable traps snmp authentication linkup linkdown coldstart  
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac  
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac  
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac  
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac  
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac  
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac  
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac  
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac  
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac  
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac  
crypto ipsec security-association lifetime seconds 28800  
crypto ipsec security-association lifetime kilobytes 4608000  
crypto map outside_map 1 match address outside_1_cryptomap  
crypto map outside_map 1 set peer 172.16.1.2  
crypto map outside_map 1 set transform-set ESP-3DES-SHA  
crypto map outside_map interface outside  
crypto isakmp enable inside  
crypto isakmp enable outside  
crypto isakmp policy 10  
 authentication pre-share  
 encryption 3des  
 hash sha  
 group 2  
 lifetime 86400  
telnet timeout 5  
ssh timeout 5  
console timeout 0  
dhcpd auto_config outside  
!  
dhcpd address 192.168.1.5-192.168.1.132 inside  
!  
threat-detection basic-threat  
threat-detection statistics access-list  
no threat-detection statistics tcp-intercept  
webvpn  
tunnel-group 172.16.1.2 type ipsec-l2l  
tunnel-group 172.16.1.2 ipsec-attributes  
 pre-shared-key *****  
!  
class-map inspection_default  
 match default-inspection-traffic  
!  
!  
policy-map type inspect dns preset_dns_map  
 parameters  
  message-length maximum client auto  
  message-length maximum 512  
policy-map global_policy  
 class inspection_default  
  inspect dns preset_dns_map  
  inspect ftp  
  inspect h323 h225  
  inspect h323 ras  
  inspect rsh  
  inspect rtsp  
  inspect esmtp  
  inspect sqlnet  
  inspect skinny  
  inspect sunrpc  
  inspect xdmcp  
  inspect sip  
  inspect netbios  
  inspect tftp  
  inspect ip-options  
!  
service-policy global_policy global  
prompt hostname context  
no call-home reporting anonymous  
Cryptochecksum:6a787924fbd2678c0c41685cbbf16b81  
: end  
no asdm history enable  

Any help would be much appreciated, thanks!

by Gregg 11.02.2014 / 21:04

1 answer

1

An ASA will not try to establish a tunnel until traffic tries to use the tunnel (i.e. matches the crypto ACL).

There are a few changes needed in your current configuration before you get to that point.

  • Change the inside interface subnets. Both are on 192.168.1.0/24 right now, so they would never be able to talk to nodes on the same subnet on the other side of the VPN.
  • Change your crypto ACL so that, on each ASA, the source is the inside network and the destination is the remote inside network.

    So, for example, if you changed the inside network on the 5505 to 192.168.2.0, you would want to set up your crypto ACLs like this:

    5512:

    access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

    5505:

    access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

Then the tunnel should attempt to establish when traffic is sent from one subnet to the other, so from a node on 192.168.1.0/24, try pinging 192.168.2.1. Alternatively, you can use the packet-tracer command to simulate the traffic; a simulated packet from one side to the other should also bring up the tunnel.

by 11.02.2014 / 21:35
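To make the answer's checks mechanical, here is an added Python example (not from the question, the answer or Cisco) that pulls the interface subnets, the crypto-map peer and the crypto ACL out of both configs and reports mismatches; it goes one step beyond the answer by also checking that each side's `set peer` is the other side's outside address. It assumes the wizard's `*cryptomap` ACL naming, IPv4 only, and the two abridged configs at the bottom are constructed from the ones posted in the question.

```python
# Added example (not from the question, the answer or Cisco): cross-check the few ASA lines
# that decide whether an IKEv1 site-to-site tunnel can come up (peer, crypto ACL, subnets).
import ipaddress

def _clause(tok, objs):  # one ACL address clause: 'host X' | 'object NAME' | 'ADDR MASK'
    if tok[0] in ("host", "object"):
        return (objs[tok[1]] if tok[0] == "object" else ipaddress.ip_network(tok[1])), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def parse_asa(cfg):  # -> interface subnets, network objects, crypto-map peers, crypto ACL
    f, ctx = {"ifaces": {}, "objs": {}, "peers": set(), "acl": []}, None
    for w in (line.split() for line in cfg.splitlines() if line.strip()):
        if w[0] == "interface": ctx = None                  # wait for this interface's nameif
        elif w[0] == "nameif": ctx = w[1]
        elif w[:2] == ["object", "network"]: ctx = ("obj", w[2])
        elif w[0] == "subnet" and isinstance(ctx, tuple):
            f["objs"][ctx[1]] = ipaddress.ip_network(f"{w[1]}/{w[2]}", strict=False)
        elif w[:2] == ["ip", "address"] and isinstance(ctx, str):
            f["ifaces"][ctx] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["set", "peer"]:
            f["peers"].add(w[6])
        elif w[0] == "access-list" and "cryptomap" in w[1]:  # the wizard's crypto ACL name
            src, rest = _clause(w[5:], f["objs"])             # skip 'extended permit ip'
            f["acl"].append((src, _clause(rest, f["objs"])[0]))
    return f

def check_pair(cfg_a, cfg_b):  # -> list of findings; [] means the pair looks consistent
    sides, out = {"A": parse_asa(cfg_a), "B": parse_asa(cfg_b)}, []
    for name, me in sides.items():
        them = sides["B" if name == "A" else "A"]
        want = str(them["ifaces"]["outside"].ip)
        if want not in me["peers"]:                 # set peer must be the remote outside IP
            out.append(f"{name}: peer {sorted(me['peers'])} != remote outside {want}")
        for src, dst in me["acl"]:
            for n, i in them["ifaces"].items():
                if src.overlaps(i.network):         # local subnet also exists on the far side
                    out.append(f"{name}: local {src} overlaps remote {n} {i.network}")
            if (dst, src) not in them["acl"]:       # the two crypto ACLs must mirror each other
                out.append(f"{name}: no mirror of {src}->{dst} on the peer")
    return out

# Constructed abridgements of the two configs exactly as posted in the question above.
ASA5512 = ("interface GigabitEthernet0/0\n nameif outside\n ip address 172.16.1.2 255.255.255.0\n"
           "interface Management0/0\n nameif management\n ip address 192.168.1.1 255.255.255.0\n"
           "object network 192.168.1.0_24\n subnet 192.168.1.0 255.255.255.0\n"
           "access-list outside_cryptomap extended permit ip object 192.168.1.0_24 host 172.16.1.2\n"
           "crypto map outside_map1 1 set peer 172.16.1.2")
ASA5505 = ("interface Vlan1\n nameif inside\n ip address 192.168.1.1 255.255.255.0\n"
           "interface Vlan2\n nameif outside\n ip address 172.16.1.1 255.255.255.0\n"
           "access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 host 172.16.1.2\n"
           "crypto map outside_map 1 set peer 172.16.1.2")
```

Running `check_pair(ASA5512, ASA5505)` on the posted configs reports the subnet reuse and the non-mirrored ACLs from the answer plus the 5512 pointing `set peer` at its own outside address; once the answer's fixes are applied and the peers point at each other, it returns an empty list.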