ASA 5505 and Cisco ISR VPN problem

[es] :: Enterprise Networking :: ASA 5505 and Cisco ISR VPN problem

[ Views: 1369 | Replies: 0 ]

marxer
Novi Sad

Member no.: 152687
Posts: 56
ASA 5505 and Cisco ISR VPN problem, 10.04.2010 at 12:52
The problem is as follows:

There are two sites connected by an IPsec site-to-site link. The client decided to put an ASA in place of the router at one of the two sites. However, the two devices fail to establish the VPN connection. The settings on the router are practically the same as the ones that (still) work with the other Cisco ISR, while the ASA configuration is from their site for this kind of combination. Naturally, internet through the ASA works normally for me. Here are the configurations:

Router (the interesting parts):

!This is the running config of the router: A.B.C.D
!----------------------------------------------------------------------------
!
version 12.4
...
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key vpntunel address E.F.G.H - this is the existing tunnel to the other router, which works OK
crypto isakmp key isrtoasa address x.y.z.q - this is the tunnel to the ASA at my place (currently) and it does not work
!
!
crypto ipsec transform-set vpntunel esp-3des esp-sha-hmac
crypto ipsec transform-set isrtoasa esp-3des esp-sha-hmac
!
crypto map vpntunel 1 ipsec-isakmp (this one works)
set peer E.F.G.H
set transform-set vpntunel
match address 100
crypto map vpntunel 10 ipsec-isakmp (this one does not work)
set peer x.y.z.q
set transform-set isrtoasa
match address 110
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0
spanning-tree portfast
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address dhcp
duplex auto
speed auto
crypto map vpntunel
!
interface Vlan1
ip address 192.168.101.5 255.255.255.0
!
ip forward-protocol nd
ip route 192.168.1.0 255.255.255.0 FastEthernet4 permanent (link to the ASA)
ip route 192.168.102.0 255.255.255.0 FastEthernet4 permanent (link to the other ISR)
!
!
no ip http server
ip http secure-server
!
access-list 100 permit ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255 (ISR)
access-list 110 permit ip 192.168.101.0 0.0.0.255 192.168.1.0 0.0.0.255 (ASA)
!
...

ASA (also abbreviated):

ASA Version 7.2(4)
!
hostname ASA
...
names
ddns update method dyndns
ddns both
interval maximum 0 1 0 0
!
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ddns update hostname nesto.dyndns.org
ddns update dyndns
dhcp client update dns
pppoe client vpdn group Eunet
ip address pppoe setroute
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name mojklijent.com
access-list inside_access_in extended permit ip any any
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list ICMP extended permit icmp any any
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group ICMP in interface outside
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set isrtoasa esp-3des esp-sha-hmac
crypto map vpntunel 10 match address 100
crypto map vpntunel 10 set peer A.B.C.D
crypto map vpntunel 10 set transform-set isrtoasa
crypto map vpntunel interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpdn group Eunet request dialout pppoe
vpdn group Eunet localname adsl.mojnalog@eunet
vpdn group Eunet ppp authentication pap
vpdn username adsl.mojnalog@eunet password ********* store-local
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd dns 194.247.192.33 194.247.192.1 interface inside
dhcpd enable inside
!

ntp server 212.200.82.130 source outside prefer
username nestosakriveno password z6m/IBhen2yfC78C encrypted privilege 15
tunnel-group A.B.C.D type ipsec-l2l
tunnel-group A.B.C.D ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:471ef2a9f4d5238202c9acfbc668e1d0
: end


Any advice is welcome ...


Experience is proportional to the amount of equipment destroyed ...
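Added example (an editor's note, not part of marxer's post and not a Cisco tool): a small Python script that parses the crypto-relevant lines of both configs above and cross-checks the things that have to agree before an IOS-to-ASA IKEv1/IPsec tunnel can come up. It compares the ISAKMP policies (the router omits `hash`, so the script fills in the IOS default `sha`), checks that the router's `crypto isakmp key ... address` and `set peer` name the ASA and that the ASA's `tunnel-group` and `set peer` name the router, compares the transform sets, and verifies that the two crypto ACLs are exact mirror images after normalising the IOS wildcard masks and the ASA netmasks to networks. It also reports, as a finding rather than a diagnosis, something both configs show: the router's WAN interface uses `ip address dhcp` and the ASA's uses `ip address pppoe`, while each side pins the other by a fixed address and the router keys its PSK on that address, so the tunnel depends on neither ISP-assigned address changing. The two config strings are constructed from the posted fragments; the placeholders A.B.C.D (router) and x.y.z.q (ASA) are passed in as opaque strings, and only the command forms that appear in the post are parsed. The ASA's pre-shared key is masked in the post, so PSK equality cannot be checked statically; on the devices themselves that is what `debug crypto isakmp` and `show crypto isakmp sa` are for.

```python
# Added example, not code from the original post. Static cross-check of an IOS router
# against an ASA for a site-to-site IPsec mismatch; the two configs are constructed
# from the posted fragments (WAN placeholders A.B.C.D / x.y.z.q kept as opaque strings).
import ipaddress

IOS_CFG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key isrtoasa address x.y.z.q
crypto ipsec transform-set isrtoasa esp-3des esp-sha-hmac
crypto map vpntunel 10 ipsec-isakmp
 set peer x.y.z.q
 set transform-set isrtoasa
 match address 110
interface FastEthernet4
 ip address dhcp
access-list 110 permit ip 192.168.101.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
ASA_CFG = """\
interface Vlan2
 ip address pppoe setroute
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0
crypto ipsec transform-set isrtoasa esp-3des esp-sha-hmac
crypto map vpntunel 10 match address 100
crypto map vpntunel 10 set peer A.B.C.D
crypto map vpntunel 10 set transform-set isrtoasa
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
tunnel-group A.B.C.D type ipsec-l2l
"""
# Still accepted by both platforms, but not adequate for a new tunnel.
LEGACY = {"encryption": {"des", "3des"}, "hash": {"md5", "sha"}, "group": {"1", "2", "5"},
          "esp": {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}}

def to_net(addr, mask, wildcard):        # IOS ACL masks are inverted wildcards, ASA masks are netmasks
    mask = ".".join(str(255 - int(o)) for o in mask.split(".")) if wildcard else mask
    return ipaddress.ip_network(f"{addr}/{mask}")

def parse(text):
    """Parse the IOS and ASA command forms that appear in the post into one dict shape."""
    cfg = {"policy": {}, "keys": {}, "ts": {}, "maps": {}, "acls": {}, "tg": set(), "dyn": False}
    cur = None                                   # sub-mode: isakmp policy or crypto map entry
    for line in text.splitlines():
        w = line.split()
        if not w: continue
        if not line.startswith(" "): cur = None
        if line.startswith("crypto isakmp policy"):
            cur = cfg["policy"]
        elif line.startswith("crypto isakmp key"):           # IOS: PSK indexed by peer address
            cfg["keys"][w[5]] = w[3]
        elif line.startswith("crypto ipsec transform-set"):
            cfg["ts"][w[2]] = frozenset(w[3:])
        elif line.startswith("crypto map") and len(w) > 4 and w[3].isdigit():
            cur = cfg["maps"].setdefault((w[2], int(w[3])), {})
            if w[4] in ("set", "match"):                     # ASA one-line form
                cur["acl" if w[4] == "match" else w[5]] = w[6]
        elif line.startswith("access-list") and "permit" in w:    # 'permit ip A mask B mask'
            i, wc = w.index("permit") + 2, "extended" not in w
            cfg["acls"].setdefault(w[1], []).append((to_net(w[i], w[i + 1], wc), to_net(w[i + 2], w[i + 3], wc)))
        elif line.startswith("tunnel-group") and w[2] == "type":
            cfg["tg"].add(w[1])
        elif w[:2] == ["ip", "address"] and w[2] in ("dhcp", "pppoe"):
            cfg["dyn"] = True                                # ISP-assigned WAN address, may change
        elif cur is not None:
            if w[0] in ("set", "match"):                     # IOS crypto map sub-mode
                cur["acl" if w[0] == "match" else w[1]] = w[2]
            elif w[0] in ("encr", "encryption", "hash", "authentication", "group"):
                cur["encryption" if w[0] == "encr" else w[0]] = w[1]
    cfg["policy"].setdefault("hash", "sha")                  # IOS default when 'hash' is omitted
    return cfg

def cross_check(ios, asa, ios_wan, asa_wan):
    """Return (code, detail) findings; an empty list means no static mismatch was found."""
    f = [("isakmp-policy", f"{k}: ios={ios['policy'].get(k)} asa={asa['policy'].get(k)}")
         for k in ("encryption", "hash", "authentication", "group")
         if ios["policy"].get(k) != asa["policy"].get(k)]    # phase 1 must match exactly
    imap = next((m for m in ios["maps"].values() if m.get("peer") == asa_wan), None)
    amap = next((m for m in asa["maps"].values() if m.get("peer") == ios_wan), None)
    if imap is None or amap is None:
        return f + [("peer", f"crypto map entries do not point at each other ({ios_wan} <-> {asa_wan})")]
    if asa_wan not in ios["keys"]:
        f.append(("psk", f"ios has no 'crypto isakmp key ... address {asa_wan}'"))
    if ios_wan not in asa["tg"]:
        f.append(("tunnel-group", f"asa has no 'tunnel-group {ios_wan} type ipsec-l2l'"))
    if ios["ts"].get(imap.get("transform-set")) != asa["ts"].get(amap.get("transform-set")):
        f.append(("transform-set", "ESP transform sets differ"))
    # Crypto ACLs must be exact mirrors: every ASA (src, dst) pair is an IOS (dst, src) pair.
    if set(ios["acls"].get(imap.get("acl"), [])) != {(d, s) for s, d in asa["acls"].get(amap.get("acl"), [])}:
        f.append(("acl-mirror", "crypto ACLs are not mirror images of each other"))
    for side, cfg, pinned in (("ios", ios, ios_wan), ("asa", asa, asa_wan)):
        if cfg["dyn"]:                           # the other side keys its PSK/peer on this address
            f.append((f"{side}-dynamic-wan", f"{side} WAN address is dhcp/pppoe but the peer pins {pinned}"))
    return f

def legacy_algorithms(cfg):
    """Phase-1 and ESP algorithms in use that should be replaced on a new tunnel."""
    hits = {f"{k} {v}" for k, v in cfg["policy"].items() if v in LEGACY.get(k, ())}
    hits |= {f"transform {a}" for ts in cfg["ts"].values() for a in ts if a in LEGACY["esp"]}
    return sorted(hits)

if __name__ == "__main__":
    print(cross_check(parse(IOS_CFG), parse(ASA_CFG), "A.B.C.D", "x.y.z.q"))
```

Run as-is on the posted fragments it reports only the two dynamic-WAN findings, i.e. no static mismatch between the two sides; change one ACL network, one peer address or one phase-1 attribute and the corresponding finding appears. `legacy_algorithms` lists 3DES, SHA-1 and DH group 2 on both ends, plus the matching ESP transforms: normal choices in 2010, but a tunnel built today should use AES, SHA-2 and DH group 14 or higher where both platforms support them.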