Temos um roteador Cisco 1921 executando o IOS 15.1 em uma de nossas filiais, que é conectado por meio de uma VPN IPsec L2L a um ASA5510 executando o ASA 7.2 em nossa sede. O ASA também fornece VPN de Acesso Remoto IPSec para usuários baseados em campo usando o Cisco VPN Client.
A rede parece com algo assim:
192.168.14.0/24 - RT - Internet - ASA - 192.168.10.0/24
|----L2L VPN----||
|----RA VPN---- 192.168.10.223-192.168.10.242
(a VPN de acesso remoto usa endereços dentro da rede 192.168.10.0/24)
O problema é que, embora os usuários do RA VPN possam acessar o 192.168.10.0/24 (e outras VPNs L2L conectadas) muito bem, eles não podem acessar a rede 192.168.14.0/24.
Aqui estão algumas partes interessantes da configuração do ASA:
interface Ethernet0/0
nameif outside
security-level 0
ip address EXTERNAL_IP 255.255.255.240
!
interface Ethernet0/3
nameif inside
security-level 100
ip address 192.168.10.252 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list acl_in extended permit ip 192.168.8.0 255.255.248.0 192.168.8.0 255.255.248.0
access-list acl_out extended permit ip 192.168.8.0 255.255.248.0 192.168.8.0 255.255.248.0
access-list acl_nonat-inside extended permit ip 192.168.8.0 255.255.248.0 192.168.8.0 255.255.248.0
access-list vpngrint_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list vpngrint_splitTunnelAcl standard permit 192.168.14.0 255.255.255.0
access-list acl_vpn-berlin extended permit ip 192.168.14.0 255.255.255.0 192.168.8.0 255.255.248.0
access-list acl_vpn-berlin extended permit ip 192.168.8.0 255.255.248.0 192.168.14.0 255.255.255.0
ip local pool poolvpnclients 192.168.10.223-192.168.10.242
ip verify reverse-path interface outside
ip verify reverse-path interface web
ip verify reverse-path interface inside
nat-control
global (outside) 1 EXTERNAL_IP
nat (inside) 0 access-list acl_nonat-inside
nat (inside) 1 192.168.10.0 255.255.255.0
access-group acl_out in interface outside
access-group acl_in in interface inside
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 200 match address acl_vpn-berlin
crypto map outside_map 200 set peer IOS_ROUTER_EXTERNAL_IP
crypto map outside_map 200 set transform-set ESP-AES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
group-policy vpngrint internal
group-policy vpngrint attributes
wins-server value 192.168.10.5
dns-server value 192.168.10.5
vpn-simultaneous-logins 2147483647
vpn-idle-timeout 7200
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpngrint_splitTunnelAcl
default-domain value domain.local
split-dns value domain.local domain.com
tunnel-group vpngrint type ipsec-ra
tunnel-group vpngrint general-attributes
address-pool poolvpnclients
default-group-policy vpngrint
tunnel-group vpngrint ipsec-attributes
pre-shared-key SECRET
tunnel-group IOS_ROUTER_EXTERNAL_IP type ipsec-l2l
tunnel-group IOS_ROUTER_EXTERNAL_IP ipsec-attributes
pre-shared-key SECRET
A ACL do túnel dividido está combinando, o 192.168.14.0 aparece na tabela de roteamento do cliente e os pacotes de saída podem ser capturados na interface VPN do cliente. Eles também aparecem em uma das capturas que eu configurei no ASA, mas eles não alcançam o roteador conectado à VPN L2L. A nonat ACL deve ser compatível, bem como as listas de acesso ligadas às interfaces e a interessante definição de tráfego para a L2L VPN (que também é idêntica em ambos os lados do túnel), então não vejo onde o problema poderia estar no momento.
asa# sh capture
capture frzberlin type raw-data access-list capture_frzberlin interface outside [Capturing - 280 bytes]
capture frzberlin_inside type raw-data access-list capture_frzberlin interface inside [Capturing - 0 bytes]
asa# sh capture frzberlin
4 packets captured
1: 17:46:41.563508 192.168.10.239.58452 > 192.168.14.1.22: R 1017791382:1017791382(0) ack 2592136529 win 65535
2: 17:46:44.853334 192.168.10.239.58455 > 192.168.14.1.22: R 668258002:668258002(0) ack 1048856085 win 65535
3: 17:46:47.602889 192.168.10.239.58458 > 192.168.14.1.22: R 2479281909:2479281909(0) ack 2603933177 win 65535
4: 17:47:42.913877 192.168.10.239.58490 > 192.168.14.1.22: R 1494613342:1494613342(0) ack 344737469 win 65535
4 packets shown
Qualquer ideia sobre depuração seria muito apreciada.
Editar: saída de pacote-rastreador adicionada:
asa# packet-tracer input outside tcp 192.168.10.238 1337 192.168.14.1 22 detailed
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x481b320, priority=12, domain=capture, deny=false
hits=12333239, user_data=0x49a4ba8, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x3d81c88, priority=1, domain=permit, deny=false
hits=4437186449, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 5
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.10.238 255.255.255.255 outside
Phase: 6
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl_out in interface outside
access-list acl_out extended permit ip 192.168.8.0 255.255.248.0 192.168.8.0 255.255.248.0
Additional Information:
Forward Flow based lookup yields rule:
in id=0x401f738, priority=12, domain=permit, deny=false
hits=9263075, user_data=0x401f6f8, cs_id=0x0, flags=0x0, protocol=0
src ip=192.168.8.0, mask=255.255.248.0, port=0
dst ip=192.168.8.0, mask=255.255.248.0, port=0, dscp=0x0
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x3d84930, priority=0, domain=permit-ip-option, deny=true
hits=115197791, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x4e53c10, priority=79, domain=punt, deny=true
hits=8524, user_data=0x3a2e750, cs_id=0x0, flags=0x0, protocol=0
src ip=192.168.10.238, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x3e43da8, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=396, user_data=0x265722ac, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=192.168.10.238, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x4a2f450, priority=70, domain=encrypt, deny=false
hits=1499, user_data=0x252bccdc, cs_id=0x4729788, reverse, flags=0x0, protocol=0
src ip=192.168.8.0, mask=255.255.248.0, port=0
dst ip=192.168.14.0, mask=255.255.255.0, port=0, dscp=0x0
Phase: 11
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x490a410, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=1547, user_data=0x252c08dc, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=192.168.14.0, mask=255.255.255.0, port=0
dst ip=192.168.8.0, mask=255.255.248.0, port=0, dscp=0x0
Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x3d84930, priority=0, domain=permit-ip-option, deny=true
hits=115197792, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 13
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0x402da30, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x266af5ac, cs_id=0x4729788, reverse, flags=0x0, protocol=0
src ip=192.168.14.0, mask=255.255.255.0, port=0
dst ip=192.168.8.0, mask=255.255.248.0, port=0, dscp=0x0
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (ipsec-spoof) IPSEC Spoof detected