I have an ASA 5506-X at the head office and a 5505 at the branch; between them there is an IPsec L2L VPN. The assumption is that all traffic from the branch should go out through the VPN (i.e. I don't want split tunneling). On the branch ASA I have no NAT at all. Through ASDM I set up the VPN so that under Configuration > VPN > IPsec Rules I have a rule whose Traffic Selection tab looks like this:
interface = outside, action = protect, source = ip address, ip address = 10.10.10.0 netmask = 255.255.255.0 destination = any protocol = IP
At the branch the internet does not work, but access to resources at the head office does (network shares from the head office are visible, etc.).
On the branch ASA I run packet-tracer and it looks like this:
asa-odzial# packet-tracer input inside rawip 10.10.10.10 1 8.8.8.8 detail
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x39c3050, priority=0, domain=permit-ip-option, deny=true
hits=27423, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x39c23c8, priority=66, domain=inspect-icmp-error, deny=false
hits=1996, user_data=0x39c22f8, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x39a57f8, priority=0, domain=host-limit, deny=false
hits=22522, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map icmp-class
match default-inspection-traffic
policy-map icmp_policy
class icmp-class
inspect icmp
service-policy icmp_policy interface outside
Additional Information:
Forward Flow based lookup yields rule:
out id=0x40cdca8, priority=72, domain=inspect-icmp, deny=false
hits=1996, user_data=0x40cd9d8, cs_id=0x0, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x41027a0, priority=70, domain=encrypt, deny=false
hits=47, user_data=0x0, cs_id=0x39faff8, reverse, flags=0x0, protocol=0
src ip=10.10.10.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Thanks for your help
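As an added example (not part of the original post), a small Python parser for packet-tracer output in the format shown above: it splits the trace into phases, records each phase's type, subtype, result and the matched rule domain, and reports the phase in which the packet was dropped together with the final Drop-reason. The embedded sample is an abridged copy of the trace from the post, constructed for this example.

```python
import re
# Abridged copy of the packet-tracer output from the post above (constructed sample).
SAMPLE_TRACE = """\
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Forward Flow based lookup yields rule:
out id=0x40cdca8, priority=72, domain=inspect-icmp, deny=false
Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Forward Flow based lookup yields rule:
out id=0x41027a0, priority=70, domain=encrypt, deny=false
Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_phases(text):
    """One dict per 'Phase:' block (type/subtype/result/domain) plus the final summary."""
    phases, current, summary, in_summary = [], None, {}, False
    for line in text.splitlines():
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1])}
            phases.append(current)
        elif line.rstrip() == "Result:":  # bare 'Result:' opens the trailing summary
            in_summary = True
        elif in_summary:
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
        elif current is not None:
            for key in ("Type", "Subtype", "Result"):
                if line.startswith(key + ":"):
                    current[key.lower()] = line.split(":", 1)[1].strip()
            if m := re.search(r"domain=([\w-]+)", line):  # rule domain that matched
                current["domain"] = m.group(1)
    return phases, summary

def find_drop(text):
    """(phase, 'TYPE/subtype', domain, drop reason) of the first DROP phase, else None."""
    phases, summary = parse_phases(text)
    for p in phases:
        if p.get("result") == "DROP":
            return (p["phase"], f"{p.get('type')}/{p.get('subtype')}",
                    p.get("domain"), summary.get("Drop-reason"))
    return None
```

Run on the full trace from the post, find_drop points at phase 7 (VPN/encrypt, domain=encrypt), which is where the crypto-map traffic selector, not an interface ACL, rejects the flow.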