|
|
|
|
Страница 1 из 1
|
[ Сообщений: 2 ] |
|
cisco asa 5506-x IpSec ikev2 с robustel r2000-3p
Автор |
Сообщение |
Sawyer815
Зарегистрирован: 17 авг 2018, 16:20 Сообщения: 2
|
Коллеги, добрый день. Столкнулся с cisco asa 5506-x firmware 9.9.2. Нужно поднять ipsec туннель ikev2 sha256 с авторизацией по сертификатам с модемом robustel r2000-3p. По мануалам через ASDM cisco asa VPN Wizard был настроем туннель, точно по такому же мануалу был настроен туннель на robustel. На робустеле пишет, что tunnel connected, а на циске - нет. Ранее с ASA не работал, интерфейс сложен для восприятия, поэтому прошу помощи. прикрепляю конфиг циски и карту сети. Вот что packet tracer выдаёт:
ciscoasa# packet-tracer input inside_1 tcp 192.168.1.5 1024 192.168.0.26 80
Phase: 1 Type: ROUTE-LOOKUP Subtype: Resolve Egress Interface Result: ALLOW Config: Additional Information: found next-hop 213.27.39.1 using egress ifc outside
Phase: 2 Type: UN-NAT Subtype: static Result: ALLOW Config: nat (inside_1,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 no-proxy-arp route-lookup Additional Information: NAT divert to egress interface outside Untranslate 192.168.0.26/80 to 192.168.0.26/80
Phase: 3 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group global_access global access-list global_access extended permit object-group DM_INLINE_SERVICE_1 any any object-group service DM_INLINE_SERVICE_1 service-object ip service-object icmp service-object tcp-udp destination eq www service-object tcp destination eq https Additional Information:
Phase: 4 Type: NAT Subtype: Result: ALLOW Config: nat (inside_1,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 no-proxy-arp route-lookup Additional Information: Static translate 192.168.1.5/1024 to 192.168.1.5/1024
Phase: 5 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information:
Phase: 6 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information:
Phase: 7 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group global_access global access-list global_access extended permit object-group DM_INLINE_SERVICE_1 any any object-group service DM_INLINE_SERVICE_1 service-object ip service-object icmp service-object tcp-udp destination eq www service-object tcp destination eq https Additional Information:
Phase: 8 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information:
Phase: 9 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information:
Phase: 10 Type: VPN Subtype: encrypt Result: ALLOW Config: Additional Information:
Phase: 11 Type: VPN Subtype: encrypt Result: ALLOW Config: Additional Information:
Phase: 12 Type: NAT Subtype: rpf-check Result: ALLOW Config: nat (inside_1,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 no-proxy-arp route-lookup Additional Information:
Phase: 13 Type: VPN Subtype: ipsec-tunnel-flow Result: ALLOW Config: Additional Information:
Phase: 14 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information:
Phase: 15 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information:
Phase: 16 Type: VPN Subtype: ipsec-tunnel-flow Result: ALLOW Config: Additional Information:
Phase: 17 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information:
Phase: 18 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information:
Phase: 19 Type: FLOW-CREATION Subtype: Result: ALLOW Config: Additional Information: New flow created with id 11992, packet dispatched to next module
Result: input-interface: inside_1 input-status: up input-line-status: up output-interface: outside output-status: up output-line-status: up Action: allow
Вложения:
cisco asa 5506-x.txt [7.37 КБ]
Скачиваний: 710
карта сети.jpg [ 36.34 КБ | Просмотров: 3507 ]
|
20 авг 2018, 09:29 |
|
|
Sawyer815
Зарегистрирован: 17 авг 2018, 16:20 Сообщения: 2
|
вот файл конфига для тех, кому лень скачивать txt:
ciscoasa# sh run : Saved
: : Serial Number: JAD21290937 : Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores) : ASA Version 9.9(2) ! hostname ciscoasa enable password $sha512$5000$MgJkzBp7LtrxmQJfYKZBEQ==$I2wJuzyZqRrzAgr9k1rqgA== pbkdf2 passwd RWb38nGQJEedhEPh encrypted names
! interface GigabitEthernet1/1 nameif outside security-level 0 ip address 213.27.39.14 255.255.255.192 ! interface GigabitEthernet1/2 bridge-group 1 nameif inside_1 security-level 100 ! interface GigabitEthernet1/3 bridge-group 1 nameif inside_2 security-level 100 ! interface GigabitEthernet1/4 bridge-group 1 nameif inside_3 security-level 100 ! interface GigabitEthernet1/5 bridge-group 1 nameif inside_4 security-level 100 ! interface GigabitEthernet1/6 bridge-group 1 nameif inside_5 security-level 100 ! interface GigabitEthernet1/7 bridge-group 1 nameif inside_6 security-level 100 ! interface GigabitEthernet1/8 bridge-group 1 nameif inside_7 security-level 100 ! interface Management1/1 management-only nameif manage security-level 100 ip address 192.168.233.242 255.255.255.0 ! interface BVI1 nameif inside security-level 100 ip address 192.168.1.1 255.255.255.0 ! ftp mode passive same-security-traffic permit inter-interface object network obj_any1 subnet 0.0.0.0 0.0.0.0 object network obj_any2 subnet 0.0.0.0 0.0.0.0 object network obj_any3 subnet 0.0.0.0 0.0.0.0 object network obj_any4 subnet 0.0.0.0 0.0.0.0 object network obj_any5 subnet 0.0.0.0 0.0.0.0 object network obj_any6 subnet 0.0.0.0 0.0.0.0 object network obj_any7 subnet 0.0.0.0 0.0.0.0 object network lan object network OBJ_NAT_LAN subnet 192.168.1.0 255.255.255.0 object network NETWORK_OBJ_192.168.0.0_24 subnet 192.168.0.0 255.255.255.0 object network NETWORK_OBJ_192.168.1.0_24 subnet 192.168.1.0 255.255.255.0 object network 192.168.1.0 host 192.168.1.0 object network 192.168.0.0 host 192.168.0.0 object network 192.168.0.5 host 192.168.0.5 object network LANCISCO host 192.168.1.5 object network LANROB host 192.168.0.26 object-group service DM_INLINE_SERVICE_1 service-object ip service-object icmp service-object tcp-udp destination eq www service-object tcp destination eq https access-list global_access extended permit object-group DM_INLINE_SERVICE_1 any any access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0 pager lines 24 logging enable logging timestamp logging emblem logging buffered notifications logging asdm informational mtu outside 1500 mtu inside_1 1500 mtu inside_2 1500 mtu inside_3 1500 mtu inside_4 1500 mtu inside_5 1500 mtu inside_6 1500 mtu inside_7 1500 mtu manage 1500 icmp unreachable rate-limit 1 burst-size 1 no asdm history enable arp timeout 14400 no arp permit-nonconnected arp rate-limit 16384 nat (inside_1,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 no-proxy-arp route-lookup ! object network obj_any1 nat (inside_1,outside) dynamic interface object network obj_any2 nat (inside_2,outside) dynamic interface object network obj_any3 nat (inside_3,outside) dynamic interface object network obj_any4 nat (inside_4,outside) dynamic interface object network obj_any5 nat (inside_5,outside) dynamic interface object network obj_any6 nat (inside_6,outside) dynamic interface object network obj_any7 nat (inside_7,outside) dynamic interface object network OBJ_NAT_LAN nat (inside_1,outside) dynamic interface access-group global_access global route outside 0.0.0.0 0.0.0.0 213.27.39.1 1 timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 timeout conn-holddown 0:00:15 timeout igp stale-route 0:01:10 user-identity default-domain LOCAL aaa authentication login-history http server enable http 192.168.1.0 255.255.255.0 inside_1 http 192.168.1.0 255.255.255.0 inside_2 http 192.168.1.0 255.255.255.0 inside_3 http 192.168.1.0 255.255.255.0 inside_4 http 192.168.1.0 255.255.255.0 inside_5 http 192.168.1.0 255.255.255.0 inside_6 http 192.168.1.0 255.255.255.0 inside_7 http 192.168.233.0 255.255.255.0 manage no snmp-server location no snmp-server contact service sw-reset-button crypto ipsec ikev2 ipsec-proposal sha256 protocol esp encryption aes-256 protocol esp integrity sha-256 crypto ipsec ikev2 ipsec-proposal DES protocol esp encryption des protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal 3DES protocol esp encryption 3des protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES protocol esp encryption aes protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES192 protocol esp encryption aes-192 protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES256 protocol esp encryption aes-256 protocol esp integrity sha-1 md5 crypto ipsec security-association pmtu-aging infinite crypto map outside_map 1 match address outside_cryptomap crypto map outside_map 1 set pfs crypto map outside_map 1 set peer 85.115.239.250 crypto map outside_map 1 set ikev2 ipsec-proposal sha256 crypto map outside_map interface outside crypto ca trustpool policy crypto ikev2 policy 1 encryption aes-256 integrity sha256 group 2 prf sha256 lifetime seconds 86400 crypto ikev2 enable outside telnet 192.168.233.0 255.255.255.0 manage telnet timeout 5 ssh stricthostkeycheck ssh 192.168.233.0 255.255.255.0 manage ssh timeout 5 ssh version 2 ssh key-exchange group dh-group1-sha1 console timeout 0
dhcpd auto_config outside ! dhcpd address 192.168.1.5-192.168.1.254 inside dhcpd enable inside ! threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept group-policy GroupPolicy_85.115.239.250 internal group-policy GroupPolicy_85.115.239.250 attributes vpn-tunnel-protocol ikev2 dynamic-access-policy-record DfltAccessPolicy username admin password $sha512$5000$+tZa8ABECi8zXggg3vz04w==$aTGPhdLNkkjXAlv96e+gRw== pbkdf2 tunnel-group 85.115.239.250 type ipsec-l2l tunnel-group 85.115.239.250 general-attributes default-group-policy GroupPolicy_85.115.239.250 tunnel-group 85.115.239.250 ipsec-attributes ikev2 remote-authentication pre-shared-key ***** ikev2 local-authentication pre-shared-key ***** ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 no tcp-inspection policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options inspect icmp ! service-policy global_policy global prompt hostname context Cryptochecksum:aa18db8c055947e64ef8ca9eba0ffdbd : end
|
20 авг 2018, 09:31 |
|
|
|
Страница 1 из 1
|
[ Сообщений: 2 ] |
|
Кто сейчас на конференции |
Сейчас этот форум просматривают: Google [Bot] и гости: 67 |
|
Вы не можете начинать темы Вы не можете отвечать на сообщения Вы не можете редактировать свои сообщения Вы не можете удалять свои сообщения Вы не можете добавлять вложения
|
|
|
|