Não é possível acessar o L2L VPN a partir do cliente conectado ao RA VPN no Cisco ASA 5510

1

Temos um roteador Cisco 1921 executando o IOS 15.1 em uma de nossas filiais, que é conectado por meio de uma VPN IPsec L2L a um ASA5510 executando o ASA 7.2 em nossa sede. O ASA também fornece VPN de Acesso Remoto IPSec para usuários baseados em campo usando o Cisco VPN Client.

A rede parece com algo assim:

192.168.14.0/24 - RT - Internet - ASA - 192.168.10.0/24
                   |----L2L VPN----||
                                    |----RA VPN---- 192.168.10.223-192.168.10.242

(a VPN de acesso remoto usa endereços dentro da rede 192.168.10.0/24)

O problema é que, embora os usuários do RA VPN possam acessar o 192.168.10.0/24 (e outras VPNs L2L conectadas) muito bem, eles não podem acessar a rede 192.168.14.0/24.

Aqui estão algumas partes interessantes da configuração do ASA:

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address EXTERNAL_IP 255.255.255.240 
!
interface Ethernet0/3
 nameif inside
 security-level 100
 ip address 192.168.10.252 255.255.255.0 
!

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

access-list acl_in extended permit ip 192.168.8.0 255.255.248.0 192.168.8.0 255.255.248.0 
access-list acl_out extended permit ip 192.168.8.0 255.255.248.0 192.168.8.0 255.255.248.0 
access-list acl_nonat-inside extended permit ip 192.168.8.0 255.255.248.0 192.168.8.0 255.255.248.0 
access-list vpngrint_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0 
access-list vpngrint_splitTunnelAcl standard permit 192.168.14.0 255.255.255.0 
access-list acl_vpn-berlin extended permit ip 192.168.14.0 255.255.255.0 192.168.8.0 255.255.248.0 
access-list acl_vpn-berlin extended permit ip 192.168.8.0 255.255.248.0 192.168.14.0 255.255.255.0 

ip local pool poolvpnclients 192.168.10.223-192.168.10.242
ip verify reverse-path interface outside
ip verify reverse-path interface web
ip verify reverse-path interface inside

nat-control
global (outside) 1 EXTERNAL_IP
nat (inside) 0 access-list acl_nonat-inside
nat (inside) 1 192.168.10.0 255.255.255.0

access-group acl_out in interface outside
access-group acl_in in interface inside

crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 200 match address acl_vpn-berlin
crypto map outside_map 200 set peer IOS_ROUTER_EXTERNAL_IP 
crypto map outside_map 200 set transform-set ESP-AES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

group-policy vpngrint internal
group-policy vpngrint attributes
 wins-server value 192.168.10.5
 dns-server value 192.168.10.5
 vpn-simultaneous-logins 2147483647
 vpn-idle-timeout 7200
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpngrint_splitTunnelAcl
 default-domain value domain.local
 split-dns value domain.local domain.com

tunnel-group vpngrint type ipsec-ra
tunnel-group vpngrint general-attributes
 address-pool poolvpnclients
 default-group-policy vpngrint
tunnel-group vpngrint ipsec-attributes
 pre-shared-key SECRET
tunnel-group IOS_ROUTER_EXTERNAL_IP type ipsec-l2l
tunnel-group IOS_ROUTER_EXTERNAL_IP ipsec-attributes
 pre-shared-key SECRET

A ACL do túnel dividido está combinando, o 192.168.14.0 aparece na tabela de roteamento do cliente e os pacotes de saída podem ser capturados na interface VPN do cliente. Eles também aparecem em uma das capturas que eu configurei no ASA, mas eles não alcançam o roteador conectado à VPN L2L. A nonat ACL deve ser compatível, bem como as listas de acesso ligadas às interfaces e a interessante definição de tráfego para a L2L VPN (que também é idêntica em ambos os lados do túnel), então não vejo onde o problema poderia estar no momento.

asa# sh capture
capture frzberlin type raw-data access-list capture_frzberlin interface outside [Capturing - 280 bytes]
capture frzberlin_inside type raw-data access-list capture_frzberlin interface inside [Capturing - 0 bytes]
asa# sh capture frzberlin

4 packets captured
   1: 17:46:41.563508 192.168.10.239.58452 > 192.168.14.1.22: R 1017791382:1017791382(0) ack 2592136529 win 65535
   2: 17:46:44.853334 192.168.10.239.58455 > 192.168.14.1.22: R 668258002:668258002(0) ack 1048856085 win 65535
   3: 17:46:47.602889 192.168.10.239.58458 > 192.168.14.1.22: R 2479281909:2479281909(0) ack 2603933177 win 65535
   4: 17:47:42.913877 192.168.10.239.58490 > 192.168.14.1.22: R 1494613342:1494613342(0) ack 344737469 win 65535
4 packets shown

Qualquer ideia sobre depuração seria muito apreciada.

Editar: saída de pacote-rastreador adicionada:

asa# packet-tracer input outside tcp 192.168.10.238 1337 192.168.14.1 22 detailed

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x481b320, priority=12, domain=capture, deny=false
        hits=12333239, user_data=0x49a4ba8, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x3d81c88, priority=1, domain=permit, deny=false
        hits=4437186449, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 5
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.10.238  255.255.255.255 outside

Phase: 6
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl_out in interface outside
access-list acl_out extended permit ip 192.168.8.0 255.255.248.0 192.168.8.0 255.255.248.0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x401f738, priority=12, domain=permit, deny=false
        hits=9263075, user_data=0x401f6f8, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.8.0, mask=255.255.248.0, port=0
        dst ip=192.168.8.0, mask=255.255.248.0, port=0, dscp=0x0

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x3d84930, priority=0, domain=permit-ip-option, deny=true
        hits=115197791, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x4e53c10, priority=79, domain=punt, deny=true
        hits=8524, user_data=0x3a2e750, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.10.238, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x3e43da8, priority=69, domain=ipsec-tunnel-flow, deny=false
        hits=396, user_data=0x265722ac, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=192.168.10.238, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x4a2f450, priority=70, domain=encrypt, deny=false
        hits=1499, user_data=0x252bccdc, cs_id=0x4729788, reverse, flags=0x0, protocol=0
        src ip=192.168.8.0, mask=255.255.248.0, port=0
        dst ip=192.168.14.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 11
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x490a410, priority=69, domain=ipsec-tunnel-flow, deny=false
        hits=1547, user_data=0x252c08dc, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=192.168.14.0, mask=255.255.255.0, port=0
        dst ip=192.168.8.0, mask=255.255.248.0, port=0, dscp=0x0

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x3d84930, priority=0, domain=permit-ip-option, deny=true
        hits=115197792, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 13
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 out id=0x402da30, priority=70, domain=encrypt, deny=false
        hits=0, user_data=0x266af5ac, cs_id=0x4729788, reverse, flags=0x0, protocol=0
        src ip=192.168.14.0, mask=255.255.255.0, port=0
        dst ip=192.168.8.0, mask=255.255.248.0, port=0, dscp=0x0

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (ipsec-spoof) IPSEC Spoof detected
    
por Mtz 11.12.2013 / 18:37

0 respostas