ASA 5505 remote access VPN - connection established, but no Internet / cannot reach the internal subnet


10

Update

I finally upgraded to 9.1.4. I completed all the configuration and re-enabled the VPN, but still hit the same problem. So I cleared all the VPN configuration and started from scratch. Below is my current configuration. I am able to connect and access resources on the internal network. However, I cannot access the Internet through the VPN.

xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
ip local pool VPNPool 192.168.3.1-192.168.3.30
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
 switchport access vlan 2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 description Private-Interface
 nameif inside
 security-level 100
 ip address 10.3.3.1 255.255.255.0 
!
interface Vlan2
 description Public-Interface
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.248 
!
boot system disk0:/asa914-k8.bin
object network obj-10.3.3.0
 subnet 10.3.3.0 255.255.255.0
object network vpn_nat
 subnet 192.168.3.0 255.255.255.0
object-group service Internet-udp udp
 description UDP Standard Internet Services
 port-object eq domain
 port-object eq ntp
object-group service Internet-tcp tcp
 description TCP Standard Internet Services
 port-object eq www
 port-object eq https
 port-object eq smtp
 port-object eq 465
 port-object eq pop3
 port-object eq 995
 port-object eq ftp
 port-object eq ftp-data
 port-object eq domain
 port-object eq ssh
object-group network Internal-Subnet
object-group network obj-vpnpool
access-list inside-in remark -=[Access Lists for Outgoing Packets from Inside interface]=-
access-list inside-in extended permit udp 10.3.3.0 255.255.255.0 any4 object-group Internet-udp 
access-list inside-in extended permit tcp 10.3.3.0 255.255.255.0 any4 object-group Internet-tcp 
access-list inside-in extended permit icmp 10.3.3.0 255.255.255.0 any4 
access-list outside-in remark -=[Access Lists for Incoming Packets on OUTSIDE interface]=-
access-list outside-in extended permit icmp any4 any4 echo-reply 
access-list outside-in extended permit icmp any4 any4 echo 
access-list vpn_splitTunnelAcl standard permit 10.3.3.0 255.255.255.0 
nat (inside,outside) source static obj-10.3.3.0 obj-10.3.3.0 destination static vpn_nat vpn_nat no-proxy-arp route-lookup
object network obj-10.3.3.0
 nat (inside,outside) dynamic interface
access-group inside-in in interface inside
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1 
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL 
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 
http server enable
http 10.3.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set vpn-transform-set-ikev1 esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set vpn-transform-set-ikev1 mode transport
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map dyno 10 set ikev1 transform-set vpn-transform-set-ikev1
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto ca trustpool policy
crypto isakmp nat-traversal 3600
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 10.3.3.0 255.255.255.0 inside
ssh timeout 20
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd address 10.3.3.100-10.3.3.150 inside
dhcpd dns xx.xx.xx.xx xx.xx.xx.xx interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host number-of-rate 2
threat-detection statistics port number-of-rate 2
threat-detection statistics protocol number-of-rate 2
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy vpn_policy internal
group-policy vpn_policy attributes
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_splitTunnelAcl
username mike password x
username mike attributes
 vpn-tunnel-protocol l2tp-ipsec
username admin password x encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 address-pool VPNPool
 default-group-policy vpn_policy
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
: end

Old stuff

I am trying to set up L2TP over IPsec remote access VPN on an ASA 5505 running version 8.2(5). I can authenticate and establish the connection. However, I cannot access resources on the internal network or reach the Internet. Also, the ASA cannot ping the connected client.

On the connected client I can ping the ASA's outside IP. When I do, I even see the encrypted and decrypted packet counts go up on the ASA in show crypto ipsec sa

I have tried a few things with NAT and routing but have not been able to get it working.

My internal network is 10.3.3.0/24 and my VPN pool is 192.168.3.0/24. Below I have copied the relevant parts of the configuration.


object-group service Internet-udp udp
 description UDP Standard Internet Services
 port-object eq domain
 port-object eq ntp
object-group service Internet-tcp tcp
 description TCP Standard Internet Services
 port-object eq www
 port-object eq https
 port-object eq smtp
 port-object eq 465
 port-object eq pop3
 port-object eq 995
 port-object eq ftp
 port-object eq ftp-data
 port-object eq domain
 port-object eq ssh
 port-object eq 993
object-group network Internal-Subnet
object-group network obj-vpnpool
access-list inside-in remark -=[Access Lists for Outgoing Packets from Inside interface]=-
access-list inside-in extended permit udp 10.3.3.0 255.255.255.0 any object-group Internet-udp
access-list inside-in extended permit tcp 10.3.3.0 255.255.255.0 any object-group Internet-tcp
access-list inside-in extended permit icmp 10.3.3.0 255.255.255.0 any
access-list outside-in remark -=[Access Lists for Incoming Packets on OUTSIDE interface]=-
access-list outside-in extended permit icmp any any echo-reply
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.3.3.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.3.96 255.255.255.224
access-list inside_nat0_outbound extended permit ip 10.3.3.0 255.255.255.0 192.168.3.0 255.255.255.0

ip local pool VPNPool 192.168.3.100-192.168.3.120 mask 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.3.3.0 255.255.255.0
access-group inside-in in interface inside
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 **.**.**.** 1

group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value **.**.**.** **.**.**.**
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha     
 group 2
 lifetime 86400


Update 1

I took Ron's advice and learned what the packet-tracer command does. Here is some of what I found after issuing packet-tracer input inside icmp 10.3.3.100 8 0 192.168.3.100


Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.3.100   255.255.255.255 outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside-in in interface inside
access-list inside-in extended permit icmp 10.3.3.0 255.255.255.0 any 
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 4      
Type: INSPECT 
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT-EXEMPT
Subtype: 
Result: ALLOW
Config:
  match ip inside 10.3.3.0 255.255.255.0 outside 192.168.3.0 255.255.255.0
    NAT exempt
    translate_hits = 16, untranslate_hits = 2
Additional Information:

Phase: 6
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (inside) 1 10.3.3.0 255.255.255.0
  match ip inside 10.3.3.0 255.255.255.0 outside any
    dynamic translation to pool 1 (**.**.**.** [Interface PAT])
    translate_hits = 21582, untranslate_hits = 2392
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 10.3.3.0 255.255.255.0
  match ip inside 10.3.3.0 255.255.255.0 inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 8
Type: HOST-LIMIT
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: L2TP-PPP
Subtype: 
Result: ALLOW 
Config:
Additional Information:

Phase: 10
Type: PPP
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 23037, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Phase 6 shows a NAT translation. I then checked the echo-reply using packet-tracer input outside icmp 192.168.3.100 0 0 10.3.3.100


Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.3.3.0        255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside-in in interface outside
access-list outside-in extended permit icmp any any echo-reply 
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 4      
Type: CP-PUNT
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: L2TP-PPP
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW 
Config:
Additional Information:

Phase: 8
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: HOST-LIMIT
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside) 1 10.3.3.0 255.255.255.0
  match ip inside 10.3.3.0 255.255.255.0 outside any
    dynamic translation to pool 1 (**.**.**.** [Interface PAT])
    translate_hits = 21589, untranslate_hits = 2392
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 23079, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Phase 8 shows NAT-EXEMPT, but Phase 10 shows a NAT translation. That would be a problem.


Update 2

Currently show vpn-sessiondb detail remote filter protocol L2TPOverIPSec returns nothing while a client is connected.

On the other hand, show vpn-sessiondb detail remote filter protocol L2TPOverIPSecOverNatT shows the connected client. When I try to do things on the client, Bytes Rx and Pkts Rx increase. Bytes Tx and Pkts Tx do not increase (Pkts Tx stays at 17). Pkts Tx Drop and Pkts Rx Drop are both 0. If I ping 192.168.3.100 (the VPN client), Pkts Tx increases with each ping.


Update 3

I enabled logging on the ASA and established a connection. Here are some interesting log messages I see


%ASA-6-737026: IPAA: Client assigned 192.168.3.100 from local pool
ppp_virtual_interface_id is 1, client_dynamic_ip is 192.168.3.100
%ASA-7-609001: Built local-host outside:192.168.3.100
%ASA-2-106001: Inbound TCP connection denied from 192.168.3.100/57013 to **.**.**.**/443 flags SYN  on interface outside
%ASA-2-106001: Inbound TCP connection denied from 192.168.3.100/57013 to **.**.**.**/443 flags SYN  on interface outside
%ASA-2-106001: Inbound TCP connection denied from 192.168.3.100/57013 to **.**.**.**/443 flags SYN  on interface outside
%ASA-2-106007: Deny inbound UDP from 192.168.3.100/9562 to **.**.**.**/53 due to DNS Query
%ASA-2-106007: Deny inbound UDP from 192.168.3.100/61529 to **.**.**.**/53 due to DNS Query
%ASA-2-106007: Deny inbound UDP from 192.168.3.100/38824 to **.**.**.**/53 due to DNS Query

%ASA-3-713042: IKE Initiator unable to find policy: Intf inside, Src: 10.3.3.100, Dst: 192.168.3.100
%ASA-3-713042: IKE Initiator unable to find policy: Intf inside, Src: 10.3.3.100, Dst: 192.168.3.100

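A small parser for packet-tracer output, added here as an example and not part of the original post: it splits a trace into phases and reports when a NAT-EXEMPT phase is followed by a NAT phase that still translates the packet, the mismatch noted in Update 1. The sample trace is constructed and abridged from the second trace above; 203.0.113.1 is a placeholder for the masked interface address.

```python
import re
# Constructed sample, abridged from Update 1's second trace (203.0.113.1 replaces the masked address).
SAMPLE_TRACE = """\
Phase: 8
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside) 1 10.3.3.0 255.255.255.0
  match ip inside 10.3.3.0 255.255.255.0 outside any
    dynamic translation to pool 1 (203.0.113.1 [Interface PAT])
Additional Information:
"""

def parse_phases(text):
    """One dict per 'Phase:' block; the trailing 'Result:' summary is skipped."""
    phases = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if not lines[0].startswith("Phase:"):
            continue
        phase, section = {"config": []}, None
        for line in lines:
            key, _, value = line.partition(":")
            if key in ("Phase", "Type", "Subtype", "Result"):
                phase[key.lower()] = value.strip()
            elif key == "Config":
                section = "config"        # lines up to 'Additional Information:'
            elif key == "Additional Information":
                section = None
            elif section == "config":
                phase["config"].append(line.strip())
        phases.append(phase)
    return phases

def nat_conflict(phases):
    """NAT-EXEMPT phase followed by a NAT phase that still translates: (exempt, nat) numbers, else None."""
    exempt = [p["phase"] for p in phases if p["type"] == "NAT-EXEMPT"]
    nat = [p["phase"] for p in phases if p["type"] == "NAT"
           and any("translation to pool" in c for c in p["config"])]
    if exempt and nat and int(nat[0]) > int(exempt[0]):
        return exempt[0], nat[0]
    return None
```

Feeding it the full output of the two traces above gives the same verdict the asker reached by eye: the reply flow is exempted in Phase 8 and translated to interface PAT in Phase 10.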
Have you tried using the ASA's packet tracer feature to see where things might be going wrong?
Ron Trunk 2014

@Ron to simulate an http packet from the VPN, would I use packet-tracer input outside 192.168.3.100 50612 8.8.8.8 80? I'm confused about whether VPN traffic should be treated as outside or inside.
mikeazo 2014

As an experiment, remove the nat (1) statement and see if it works.
Ron


2
"However, I cannot access the Internet through the VPN." You appear to have configured split tunneling, so the tunnel will not be used for Internet traffic. If you tunnel all traffic, you should be able to access the Internet through the VPN.
James.Birmingham 2014

Answers:



1

All the answers suggest split tunneling, which I believe I have set up correctly.

In the end, I set up a proxy server on the internal network. If I point my browser at it, I can access the Internet through it.


0

To access the Internet you will have to configure split tunneling, because split tunneling defines which traffic goes through the tunnel and which does not; by default all traffic goes through the tunnel. You can see on your machine that all traffic goes through the tunnel by typing (print route), and if you do not want to use split tunnel, there is another solution: you can configure hairpinning, where the first packet reaches your remote server and the remote server sends it back out to the Internet.


0

I suspect that split tunneling may not be supported for L2TP over IPsec. Could you try the following for me?

conf t
!
same-security-traffic permit intra-interface
!
object network vpn_nat
 nat (outside,outside) dynamic interface
!

I also noticed that the DNS server configuration is missing from the updated group policy.
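Added example, not from this answer or the original post: a classifier for ASA 106001/106007 deny messages like those in Update 3. It separates denies whose source is in the VPN pool and whose destination lies outside the split-tunnel networks (the Internet-bound client traffic that a hairpin like the nat (outside,outside) rule above is meant to carry) from denies bound for the inside subnet or coming from unrelated sources. The sample lines are constructed, with 203.0.113.x and 198.51.100.x as placeholders for the masked addresses; the pool and split-tunnel values are taken from the updated configuration.

```python
import ipaddress
import re

# Constructed sample modelled on the Update 3 log lines; 203.0.113.x stands in
# for the masked public addresses and the last two lines are added cases.
SAMPLE_LOGS = """\
%ASA-6-737026: IPAA: Client assigned 192.168.3.100 from local pool
%ASA-2-106001: Inbound TCP connection denied from 192.168.3.100/57013 to 203.0.113.10/443 flags SYN  on interface outside
%ASA-2-106007: Deny inbound UDP from 192.168.3.100/9562 to 203.0.113.53/53 due to DNS Query
%ASA-2-106001: Inbound TCP connection denied from 192.168.3.100/57020 to 10.3.3.100/445 flags SYN  on interface outside
%ASA-2-106001: Inbound TCP connection denied from 198.51.100.7/40000 to 203.0.113.1/443 flags SYN  on interface outside
"""

VPN_POOL = ipaddress.ip_network("192.168.3.0/24")       # ip local pool VPNPool
SPLIT_TUNNEL = [ipaddress.ip_network("10.3.3.0/24")]   # vpn_splitTunnelAcl

DENY_RE = re.compile(
    r"%ASA-\d-(?P<id>10600[17]):.*?(?P<proto>TCP|UDP) .*?"
    r"from (?P<src>[\d.]+)/\d+ to (?P<dst>[\d.]+)/(?P<dport>\d+)")

def classify_denies(log_text):
    """Label each 106001/106007 deny by where the flow came from and was going:
    'vpn-to-internet' (VPN-pool source, destination outside the split-tunnel
    networks), 'vpn-to-inside' (VPN-pool source, split-tunnel destination) or
    'other' (source not in the VPN pool)."""
    results = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue  # pool assignment, build/teardown and IKE messages are skipped
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        if src not in VPN_POOL:
            label = "other"
        elif any(dst in net for net in SPLIT_TUNNEL):
            label = "vpn-to-inside"
        else:
            label = "vpn-to-internet"
        results.append((m["id"], m["proto"], str(src), f"{dst}:{m['dport']}", label))
    return results

def internet_bound_from_vpn(log_text):
    """Distinct destinations the VPN client tried to reach outside the tunnel list."""
    return sorted({r[3] for r in classify_denies(log_text) if r[4] == "vpn-to-internet"})
```

Run against the real Update 3 output, a non-empty 'vpn-to-internet' list confirms that the client is sending Internet traffic into the tunnel despite the split-tunnel policy, which is the case the hairpin configuration addresses.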

Licensed under cc by-sa 3.0 with attribution required.