I have an ASA 5510. There is an internal network 192.168.40.0/24 and a remote network 10.10.30.0/24. The two networks are connected to each other over the Internet. On our side it is ADSL, on the other side no idea. Our IP is static, we get it via DHCP from the provider; the remote IP is static, xx.xx.29.38. IPsec with a pre-shared key is configured.
Traffic flows fine in both directions, but there is one catch: I can't ping the local ASA interface (192.168.40.243) from the remote network (e.g. from 10.10.30.1), and I can't ping the remote network (e.g. 10.10.30.1) from the local interface (192.168.40.243). I've racked my brains and can't figure out what the problem is.
Config:
ASA Version 8.0(2)
!
hostname asa5510
domain-name pcb
enable password ******************** encrypted
names
!
interface Ethernet0/0
description OutSide ADSL PPPoE link
nameif outside
security-level 0
pppoe client vpdn group pppoe-adsl
ip address pppoe setroute
!
interface Ethernet0/1
description GPRS sublan on our side. Connect to 192.168.40.0/24
nameif gprs
security-level 50
ip address 192.168.40.243 255.255.255.0
!
interface Ethernet0/2
description DMZ interface. Connect to 10.10.110.0/24
nameif dmz
security-level 50
ip address 10.10.110.1 255.255.255.0
!
interface Ethernet0/3
description InSide interface. Connect to 172.16.1.0/24
nameif inside
security-level 100
ip address 172.16.1.254 255.255.255.0
!
interface Management0/0
description Management interface. Connect to 192.168.1.0/24 only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd *************************** encrypted
ftp mode passive
clock timezone KIEV 2
clock summer-time KIEV recurring last Sun Mar 3:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name pcb
same-security-traffic permit intra-interface
access-list Split_Tunnel_List2 standard permit 10.10.0.0 255.255.0.0
access-list Split_Tunnel_List2 standard permit 172.16.0.0 255.255.0.0
access-list DMZ-10.10.10.2 extended permit ip 10.10.100.0 255.255.255.0 host 10.10.10.2
access-list DMZ-10.10.10.2 extended permit tcp any host 10.10.10.2 eq smtp
access-list DMZ-10.10.10.2 extended permit tcp any host 10.10.10.2 eq www
access-list DMZ-10.10.10.2 extended permit udp any host 10.10.10.2 eq domain
access-list DMZ-10.10.10.2 extended permit ip 10.10.100.0 255.255.255.0 host 10.10.110.2
access-list DMZ-10.10.10.2 extended permit tcp any host 10.10.110.2 eq smtp
access-list DMZ-10.10.10.2 extended permit tcp any host 10.10.110.2 eq www
access-list DMZ-10.10.10.2 extended permit udp any host 10.10.110.2 eq domain
access-list OUTSIDE-ACCEPT extended permit tcp any interface outside eq www
access-list OUTSIDE-ACCEPT extended permit udp any interface outside eq domain
access-list OUTSIDE-ACCEPT extended permit tcp any interface outside eq smtp
access-list IPS-acl1 extended permit ip any 10.10.10.0 255.255.255.0
access-list IPS-acl1 extended permit ip any interface outside
access-list IPS-acl1 extended permit ip any 10.10.110.0 255.255.255.0
access-list IPS-acl2 extended permit ip 10.10.100.0 255.255.255.0 any
access-list Split_Tunnel_List standard permit 10.10.0.0 255.255.0.0
access-list gprsLifeAcl extended permit ip 192.168.40.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list gprsLifeAcl extended permit ip 10.10.20.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list gprsKSacl extended permit ip 192.168.40.0 255.255.255.0 10.10.30.0 255.255.255.0
access-list gprsKSacl extended permit ip 10.10.30.0 255.255.255.0 192.168.40.0 255.255.255.0
pager lines 57
logging enable
logging asdm warnings
mtu outside 1469
mtu gprs 1500
mtu dmz 1500
mtu inside 1500
mtu management 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (dmz) 1 10.10.10.0 255.255.255.0
nat (dmz) 1 10.10.110.0 255.255.255.0
static (dmz,outside) tcp interface smtp 10.10.110.2 smtp netmask 255.255.255.255
static (dmz,outside) tcp interface www 10.10.110.2 www netmask 255.255.255.255
static (dmz,outside) udp interface domain 10.10.110.2 domain netmask 255.255.255.255
access-group OUTSIDE-ACCEPT in interface outside
access-group DMZ-10.10.10.2 out interface dmz
route dmz 10.10.10.0 255.255.255.0 10.10.110.2 1
route inside 172.16.0.0 255.255.0.0 172.16.1.239 1
route inside 192.168.103.0 255.255.255.0 172.16.1.239 1
route inside 192.168.104.0 255.255.255.0 172.16.1.239 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server RADIUS host 172.16.1.10
key ********************************
authentication-port 1812
accounting-port 1813
http server enable
http 172.16.1.0 255.255.255.0 inside
http 172.16.1.137 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
http 172.16.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
fragment chain 5 outside
fragment chain 5 dmz
fragment chain 5 inside
fragment chain 1 management
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec transform-set FirstSet mode transport
crypto ipsec transform-set SecondSet esp-3des esp-sha-hmac
crypto ipsec transform-set ThirdSet esp-3des esp-sha-hmac
crypto ipsec transform-set ThirdSet mode transport
crypto ipsec transform-set gprsLifeSet esp-3des esp-md5-hmac
crypto ipsec transform-set gprsKSset esp-3des esp-md5-hmac
crypto ipsec df-bit clear-df outside
crypto dynamic-map dyn1 1 set transform-set FirstSet SecondSet ThirdSet
crypto map OutsideMap 20 match address gprsKSacl
crypto map OutsideMap 20 set pfs
crypto map OutsideMap 20 set peer xx.xx.29.38
crypto map OutsideMap 20 set transform-set gprsKSset
crypto map OutsideMap 20 set security-association lifetime seconds 86400
crypto map OutsideMap 100 ipsec-isakmp dynamic dyn1
crypto map OutsideMap interface outside
crypto map InsideMap 1 ipsec-isakmp dynamic dyn1
crypto map InsideMap interface inside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 3600
no crypto isakmp nat-traversal
telnet timeout 5
ssh xxx.xxx.xxx.xxx 255.255.255.255 outside
ssh 172.16.254.137 255.255.255.255 outside
ssh 172.16.1.137 255.255.255.255 inside
ssh 172.16.0.0 255.255.0.0 inside
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 60
console timeout 0
vpdn group pppoe-adsl request dialout pppoe
vpdn group pppoe-adsl localname ********************@dsl.ukrtel.net
vpdn group pppoe-adsl ppp authentication pap
vpdn username ******************@dsl.ukrtel.net password **********************
threat-detection basic-threat
threat-detection statistics
!
class-map IPS
match any
class-map inspection_default
match default-inspection-traffic
class-map IPS2
match access-list IPS-acl2
class-map IPS1
match access-list IPS-acl1
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
class IPS
ips inline fail-close
!
service-policy global_policy global
ntp server 172.16.1.11
group-policy DefaultRAGroup2 internal
group-policy DefaultRAGroup2 attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List2
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-session-timeout none
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 120 retry 5
tunnel-group DefaultRAGroup general-attributes
authentication-server-group RADIUS
accounting-server-group RADIUS
default-group-policy DefaultRAGroup
password-management
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key ********************
isakmp keepalive threshold 3600 retry 2
tunnel-group DefaultWEBVPNGroup ipsec-attributes
isakmp keepalive threshold 120 retry 5
tunnel-group DefaultRAGroup2 type remote-access
tunnel-group DefaultRAGroup2 general-attributes
authentication-server-group RADIUS
accounting-server-group RADIUS
default-group-policy DefaultRAGroup2
password-management
tunnel-group DefaultRAGroup2 ipsec-attributes
pre-shared-key ****************
isakmp keepalive threshold 3600 retry 2
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
pre-shared-key ****************
isakmp keepalive threshold 3600 retry 2
tunnel-group xx.xx.29.38 type ipsec-l2l
tunnel-group xx.xx.29.38 ipsec-attributes
pre-shared-key *************
isakmp keepalive threshold 120 retry 5
prompt hostname context
Cryptochecksum:6e96e593d75471baacd8ee7252165ef0238d
: end
packet-tracer says this:
asa5510# packet-tracer input gprs icmp 192.168.40.243 8 0 10.10.30.1 detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd50d2c48, priority=500, domain=permit, deny=true
hits=43, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=192.168.40.243, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Result:
input-interface: gprs
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
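Added example, not part of the original post: a small Python script that parses the crypto ACLs and the packet-tracer output quoted above so the two can be checked side by side. It answers two questions mechanically: would gprsKSacl select the flow 192.168.40.243 -> 10.10.30.1 for the tunnel (it would, the /24 covers the interface address), and in which phase did the tracer drop it. On the posted output the drop is in phase 3, on a rule with src ip=192.168.40.243 mask=255.255.255.255 and deny=true, i.e. keyed on the ASA's own interface address, after the route lookup in phase 2 had already sent the packet toward outside on the default route. Two things to keep in mind when reading that: packet-tracer simulates a packet arriving on the interface, which is not the same as a ping the ASA itself originates (`ping gprs 10.10.30.1` sources it from that interface), and answering pings to an interface address from the far side of a VPN is what the `management-access <interface>` command is for. The ACL lines, addresses and tracer text are copied from the post; the function names are my own.

```python
import ipaddress
import re

# Constructed sample input: crypto ACL lines copied from the posted config.
ACL_TEXT = """
access-list gprsLifeAcl extended permit ip 192.168.40.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list gprsKSacl extended permit ip 192.168.40.0 255.255.255.0 10.10.30.0 255.255.255.0
access-list gprsKSacl extended permit ip 10.10.30.0 255.255.255.0 192.168.40.0 255.255.255.0
"""

# Constructed sample input: the posted packet-tracer output, lightly trimmed.
PT_TEXT = """
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd50d2c48, priority=500, domain=permit, deny=true
src ip=192.168.40.243, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Result:
input-interface: gprs
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def _ace_addr(t, i):
    """Parse one ASA address spec at t[i]: 'any', 'host A' or 'A MASK'. Returns (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_acls(text):
    """{acl_name: [(action, proto, src_net, dst_net), ...]} from 'access-list NAME extended ...' lines."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue
        src, i = _ace_addr(t, 5)
        dst, _ = _ace_addr(t, i)
        acls.setdefault(t[1], []).append((t[3], t[4], src, dst))
    return acls


def match_acl(acls, name, src_ip, dst_ip, proto="ip"):
    """First-match lookup as on the ASA: action of the first matching ACE, or None (implicit deny)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, dst in acls.get(name, []):
        if p in ("ip", proto) and s in src and d in dst:
            return action
    return None


def parse_packet_tracer(text):
    """Split packet-tracer output into a list of phase dicts plus the trailing summary dict."""
    phases, summary, cur = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            cur = {"phase": int(m.group(1)), "type": "", "result": "", "info": []}
            phases.append(cur)
            continue
        key, sep, val = line.partition(":")
        val = val.strip()
        if key == "Result" and sep and not val:  # a bare 'Result:' opens the summary block
            cur = None
            continue
        if cur is None:
            summary[key] = val
        elif key == "Type":
            cur["type"] = val
        elif key == "Result":
            cur["result"] = val
        elif key not in ("Subtype", "Config", "Additional Information"):
            cur["info"].append(line)  # rule details, route lines, free text
    return phases, summary


def dropping_phase(phases):
    """First phase whose Result is DROP, or None when the tracer allowed the packet."""
    return next((p for p in phases if p["result"] == "DROP"), None)


def route_lookup(phases):
    """(prefix, mask, egress interface) from the ROUTE-LOOKUP phase, or None."""
    for p in phases:
        if p["type"] == "ROUTE-LOOKUP":
            for line in p["info"]:
                m = re.match(r"in (\S+) (\S+) (\S+)$", line)
                if m:
                    return m.groups()
    return None


def rule_source(phase):
    """(src ip, mask) of the rule a phase hit, or None if the phase shows no rule."""
    for line in phase["info"]:
        m = re.search(r"src ip=(\S+), mask=(\S+),", line)
        if m:
            return m.groups()
    return None


def diagnose(acl_text, pt_text, crypto_acl, src_ip, dst_ip):
    """One flow, two views: what the crypto ACL says about it and where packet-tracer stopped it."""
    phases, summary = parse_packet_tracer(pt_text)
    drop, route = dropping_phase(phases), route_lookup(phases)
    return {
        "crypto_acl_match": match_acl(parse_acls(acl_text), crypto_acl, src_ip, dst_ip),
        "egress": route[2] if route else None,
        "dropped_at": drop["phase"] if drop else None,
        "drop_type": drop["type"] if drop else None,
        "rule_source": rule_source(drop) if drop else None,
        "drop_reason": summary.get("Drop-reason"),
    }


if __name__ == "__main__":
    print(diagnose(ACL_TEXT, PT_TEXT, "gprsKSacl", "192.168.40.243", "10.10.30.1"))
```

Run as-is it reports the ACL match as permit and the drop in phase 3 (ACCESS-LIST) with the /32 source rule; feeding it the output of a packet-tracer run from a host address inside 192.168.40.0/24 instead of the interface address gives a like-for-like comparison of the two cases.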