Asa odbiera pakiety z VPN ale nie wysyła
-
- wannabe
- Posty: 187
- Rejestracja: 17 kwie 2010, 21:48
- Kontakt:
Asa odbiera pakiety z VPN ale nie wysyła
Witam
Mam problem z VPN'em
odbieram pakiety ale nie wysyłam odp w tunel
może być pomocne
mam 2 łącza eth1 i eth2
trasa domyślna jest na eth1
ale dodałem routing do peera na eth2 oraz to co ma iść w tunel
Mam problem z VPN'em
odbieram pakiety ale nie wysyłam odp w tunel
może być pomocne
mam 2 łącza eth1 i eth2
trasa domyślna jest na eth1
ale dodałem routing do peera na eth2 oraz to co ma iść w tunel
Michał
-
- wannabe
- Posty: 187
- Rejestracja: 17 kwie 2010, 21:48
- Kontakt:
cisco 5510 wersja 9.1(3)
S 172.17.4.101 255.255.255.255 [1/0] via 217.....67, toNet
S 172.17.4.100 255.255.255.255 [1/0] via 217.....67, toNet
S 193.xxx.yyy.179 255.255.255.255 [1/0] via 217.....67, toNet
tunnel-group 193.xxx.yyy.179 type ipsec-l2l
tunnel-group 193.xxx.yyy.179 general-attributes
default-group-policy GroupPolicy2
tunnel-group 193.xxx.yyy.179 ipsec-attributes
ikev1 pre-shared-key *****
crypto map toNet_map 1 match address toNet_cryptomap_1
crypto map toNet_map 1 set pfs
crypto map toNet_map 1 set peer 193.xxx.yyy.179
crypto map toNet_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map toNet_map 1 set security-association lifetime seconds 86400
crypto map toNet_map 1 set nat-t-disable
access-list toNet_cryptomap_1 line 1 extended permit ip host 172.20.58.10 host 172.17.4.100
sh cry is sa
4 IKE Peer: 193.xxx.yyy.179
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
nie widzę nic w logach jedynie zwiększają mi countery
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 42, #pkts decrypt: 42, #pkts verify: 42
S 172.17.4.101 255.255.255.255 [1/0] via 217.....67, toNet
S 172.17.4.100 255.255.255.255 [1/0] via 217.....67, toNet
S 193.xxx.yyy.179 255.255.255.255 [1/0] via 217.....67, toNet
tunnel-group 193.xxx.yyy.179 type ipsec-l2l
tunnel-group 193.xxx.yyy.179 general-attributes
default-group-policy GroupPolicy2
tunnel-group 193.xxx.yyy.179 ipsec-attributes
ikev1 pre-shared-key *****
crypto map toNet_map 1 match address toNet_cryptomap_1
crypto map toNet_map 1 set pfs
crypto map toNet_map 1 set peer 193.xxx.yyy.179
crypto map toNet_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map toNet_map 1 set security-association lifetime seconds 86400
crypto map toNet_map 1 set nat-t-disable
access-list toNet_cryptomap_1 line 1 extended permit ip host 172.20.58.10 host 172.17.4.100
sh cry is sa
4 IKE Peer: 193.xxx.yyy.179
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
nie widzę nic w logach jedynie zwiększają mi countery
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 42, #pkts decrypt: 42, #pkts verify: 42
Michał
-
- wannabe
- Posty: 187
- Rejestracja: 17 kwie 2010, 21:48
- Kontakt:
w crypto acl masz:
a w nat exempt:
powinno byc:
musisz wiec zdefiniowac dodatkowo obiekty i uwzglednic je w powyzszej regule nat
Kod: Zaznacz cały
access-list toNet_cryptomap_1 line 1 extended permit ip host 172.20.58.10 host 172.17.4.100
Kod: Zaznacz cały
nat (toNet,any) source static 172.17.4.100 bph_172.17.4.100 destination static 172.20.58.10 172.20.58.10 unidirectional
Kod: Zaznacz cały
nat (toNet,any) source static obj_172.20.58.10 obj_172.20.58.10 destination static obj_172.17.4.100 obj_172.17.4.100
"....Inwestowanie w wiedzę daje największe dywidendy."
-
- wannabe
- Posty: 187
- Rejestracja: 17 kwie 2010, 21:48
- Kontakt:
Kod: Zaznacz cały
nat (toNet,any) source static obj_172.20.58.10 obj_172.20.58.10 destination static obj_172.17.4.100 obj_172.17.4.100
a
jest po drugiej stronie jest obj_172.17.4.100
Michał
ok to użyj w regule nat exempt interfejs na ktory wskazuje routing do 172.20.58.10 np inside i interfejs na ktory wskazuje routing do 172.17.4.100 np: outside
Kod: Zaznacz cały
nat (inside,outside) source static obj_172.20.58.10 obj_172.20.58.10 destination static obj_172.17.4.100 obj_172.17.4.100
"....Inwestowanie w wiedzę daje największe dywidendy."
-
- wannabe
- Posty: 187
- Rejestracja: 17 kwie 2010, 21:48
- Kontakt:
-
- wannabe
- Posty: 187
- Rejestracja: 17 kwie 2010, 21:48
- Kontakt:
Kod: Zaznacz cały
packet-tracer input extwaf tcp 172.20.58.10 1025 172.17.4.100 443 detailed
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xafeddf10, priority=13, domain=capture, deny=false
hits=34249, user_data=0xaea5b478, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=extwaf, output_ifc=any
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xacf63048, priority=1, domain=permit, deny=false
hits=41149066, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=extwaf, output_ifc=any
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (toNet,extwaf) source static obj_172.17.4.100 obj_172.17.4.100 destination static obj-waf-vip obj-waf-vip no-proxy-arp
Additional Information:
NAT divert to egress interface toNet
Untranslate 172.17.4.100/443 to 172.17.4.100/443
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group in_extwaf in interface extwaf
access-list in_extwaf extended permit tcp object-group pota-waf object-group BPH-vpn eq https
object-group network obj-waf
network-object 172.20.58.10 255.255.255.255
object-group network OBJ-vpn
network-object object obj_172.17.4.100
Additional Information:
Forward Flow based lookup yields rule:
in id=0xafb35cc0, priority=13, domain=permit, deny=false
hits=14, user_data=0xaa464a00, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=172.20.58.10, mask=255.255.255.255, port=0, tag=0
dst ip/id=172.17.4.100, mask=255.255.255.255, port=443, tag=0, dscp=0x0
input_ifc=extwaf, output_ifc=any
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (toNet,extwaf) source static bph_172.17.4.100 bph_172.17.4.100 destination static pota-waf-vip pota-waf-vip no-proxy-arp
Additional Information:
Static translate 172.20.58.10/1025 to 172.20.58.10/1025
Forward Flow based lookup yields rule:
in id=0xaea0cd18, priority=6, domain=nat, deny=false
hits=1, user_data=0xacf01668, cs_id=0x0, flags=0x0, protocol=0
src ip/id=172.20.58.10, mask=255.255.255.255, port=0, tag=0
dst ip/id=172.17.4.100, mask=255.255.255.255, port=0, tag=0, dscp=0x0
input_ifc=extwaf, output_ifc=toNet
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xacb6ff98, priority=1, domain=nat-per-session, deny=true
hits=28610526, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xacf688e8, priority=0, domain=inspect-ip-options, deny=true
hits=13419095, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=extwaf, output_ifc=any
Phase: 8
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad06ffd8, priority=20, domain=lu, deny=false
hits=116913, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=extwaf, output_ifc=any
Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xafed1780, priority=70, domain=encrypt, deny=false
hits=2, user_data=0x85e644, cs_id=0xada983f8, reverse, flags=0x0, protocol=0
src ip/id=172.20.58.10, mask=255.255.255.255, port=0, tag=0
dst ip/id=172.17.4.100, mask=255.255.255.255, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=toNet
Phase: 10
Type: ACCESS-LIST
Subtype: vpn-user
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xac730420, priority=12, domain=vpn-user, deny=true
hits=38, user_data=0xaa47fa00, filter_id=0x0(-implicit deny-), protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Result:
input-interface: extwaf
input-status: up
input-line-status: up
output-interface: toNet
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Michał
A nie masz czasem przypietego vpn-filtra w .
Sprobuj tymczasowo wylaczyc filter i wygeneruj ruch jeszcze raz.
Kod: Zaznacz cały
GroupPolicy2
Sprobuj tymczasowo wylaczyc filter i wygeneruj ruch jeszcze raz.
"....Inwestowanie w wiedzę daje największe dywidendy."
-
- wannabe
- Posty: 187
- Rejestracja: 17 kwie 2010, 21:48
- Kontakt:
tak mam filtr odpiłem filtr i wynik jest ten sam
Kod: Zaznacz cały
Phase: 10
Type: ACCESS-LIST
Subtype: vpn-user
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xac730420, priority=12, domain=vpn-user, deny=true
hits=40, user_data=0xaa47fa00, filter_id=0x0(-implicit deny-), protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Michał
-
- wannabe
- Posty: 187
- Rejestracja: 17 kwie 2010, 21:48
- Kontakt: