Problem with VPN

#1 Post by: disabledd

Hello, I have the following problem: I have an ASA 5505; the device configuration is attached below.

I have two sites connected to each other with identical devices (CISCO ASA 5505), but on one side something has broken.
I can connect over VPN to the network (ROG-NET) and I get an IP address from the pool (192.168.1.X), but I cannot ping anyone, and the device cannot be pinged from the network either. I can, however, ping the ASA's external address (81.81.81.106).
What could be the cause? It seems to me that the CISCO device is configured correctly; could someone take an expert look and check whether I have made a blunder somewhere?

: Saved
:
ASA Version 8.2(5)
!
hostname rog-net
enable password KSkqCPJxSVa5eo2P encrypted
passwd kjYn5zQFYz7tre1W encrypted
names
name 10.10.10.0 bog-net
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.106 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address 81.81.81.106 255.255.255.240
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
object-group network obj_any
object-group network NETWORK_OBJ_192.168.0.0_16
object-group network wawa
access-list inside_access_in extended permit ip 192.168.0.0 255.255.0.0 any
access-list inside_nat_outbound extended permit ip 192.168.0.0 255.255.0.0 any
access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.0.0 bog-net 255.255.255.0
access-list outside_access_in extended permit ip any any
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 bog-net 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.1.192 255.255.255.192
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN1 192.168.1.185-192.168.1.199 mask 255.255.255.0
ip local pool vpn 192.168.1.215-192.168.1.225 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 access-list inside_nat_outbound
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
!
router rip
!
route outside 0.0.0.0 0.0.0.0 81.81.81.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.1.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.0.0 inside
http 81.81.81.105 255.255.255.255 outside
http 79.79.79.130 255.255.255.255 outside
no snmp-server location
no snmp-server contact
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 82.82.82.222
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=rog-net
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate c3b04751
308201e3 3082014c a0030201 020204c3 b0475130 0d06092a 864886f7 0d010105
05003036 31163014 06035504 03130d72 6f676f77 6965632d 6d656761 311c301a
06092a86 4886f70d 01090216 0d726f67 6f776965 632d6d65 6761301e 170d3133
30333230 31383238 35325a17 0d323330 33313831 38323835 325a3036 31163014
06035504 03130d72 6f676f77 6965632d 6d656761 311c301a 06092a86 4886f70d
01090216 0d726f67 6f776965 632d6d65 67613081 9f300d06 092a8648 86f70d01
01010500 03818d00 30818902 818100f2 3dd57b68 dfe003d3 e2f808e0 2ef71b36
0243860f 7b487a6f 08085f74 00371611 9e0239cb 4eaf3a83 5a7cfaf3 d3929d8b
ffe67561 5688d547 c88976dc dd26c074 cf7f53d6 89695ad3 f20bf001 ec41d6c0
e5343c40 8b62a89b 392f8ccd bf5f6adb ae8e8870 9291afd3 02aa5826 7a8c3441
99a14807 20e620aa 4aba07ac 5b842502 03010001 300d0609 2a864886 f70d0101
05050003 81810009 8291fc8a 988f3092 d0e4a485 6f04a01b 21018305 02fe8d71
a7cf128d 512b15fb 36fbec9a 48a523e2 59837edb d4eb135f 08be4f4b c48f2685
66483cd9 88e9ae88 67c3f833 78ace353 d58ffe19 e63cde1e 53e47ca1 fdbe54fc
e1292b88 8410e70c 5cd1bd81 5712ee5a 95c03f7a e2c0e05c 6ca0eebc c4d6a690
a90b42b4 794120
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 170
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy DfltGrpPolicy attributes
group-policy vega internal
group-policy vega attributes
vpn-tunnel-protocol IPSec svc
username bartosz password xx.xxxxxxxxxxx encrypted
username bartosz attributes
vpn-group-policy vega
tunnel-group bog type ipsec-l2l
tunnel-group bog ipsec-attributes
pre-shared-key *****
tunnel-group 82.82.82.222 type ipsec-l2l
tunnel-group 82.82.82.222 ipsec-attributes
pre-shared-key *****
tunnel-group vega type remote-access
tunnel-group vega general-attributes
address-pool VPN1
default-group-policy vega
tunnel-group vega ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ba8673287f16d28d41990fb131a36d46
: end
asdm location bog-net 255.255.255.0 inside
no asdm history enable

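A consistency check that can be run against the configuration posted above, as an added example that is not part of the original post: it parses the "ip local pool" and "inside_nat0_outbound" lines and lists pool addresses that no destination entry of the NAT-exemption ACL matches, plus pools that overlap the inside subnet. The function names are hypothetical, and the parser assumes ACL entries use only the "any" or "address mask" forms seen in this config.

```python
import ipaddress

# Added example; function names are hypothetical. CONFIG lines are copied from the post.
CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.106 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 bog-net 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.1.192 255.255.255.192
ip local pool VPN1 192.168.1.185-192.168.1.199 mask 255.255.255.0
ip local pool vpn 192.168.1.215-192.168.1.225 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""
NAMES = {"bog-net": "10.10.10.0"}  # from "name 10.10.10.0 bog-net"

def net(addr, mask):
    return ipaddress.ip_network(f"{NAMES.get(addr, addr)}/{mask}", strict=False)

def parse(config):
    """Return (inside network, {pool: [addresses]}, {acl: [destination networks]})."""
    inside, pools, acls = None, {}, {}
    for line in config.splitlines():
        w = line.split()
        if w[:2] == ["ip", "address"]:  # only the inside interface is in CONFIG
            inside = net(w[2], w[3])
        elif w[:3] == ["ip", "local", "pool"]:
            lo, hi = (int(ipaddress.ip_address(a)) for a in w[4].split("-"))
            pools[w[3]] = [ipaddress.ip_address(i) for i in range(lo, hi + 1)]
        elif w[:1] == ["access-list"] and w[2:5] == ["extended", "permit", "ip"]:
            rest = w[5:]
            rest = rest[1:] if rest[0] == "any" else rest[2:]  # skip the source
            dst = ipaddress.ip_network("0.0.0.0/0") if rest[0] == "any" else net(*rest[:2])
            acls.setdefault(w[1], []).append(dst)
    return inside, pools, acls

def uncovered(config, acl="inside_nat0_outbound"):
    """Pool addresses that no destination entry of the NAT-exemption ACL matches."""
    _, pools, acls = parse(config)
    nets = acls.get(acl, [])
    return {name: [str(a) for a in addrs if not any(a in n for n in nets)]
            for name, addrs in pools.items()}

def overlapping(config):
    """Pools with at least one address inside the subnet of the inside interface."""
    inside, pools, _ = parse(config)
    return sorted(n for n, addrs in pools.items() if any(a in inside for a in addrs))

if __name__ == "__main__":
    print(uncovered(CONFIG), overlapping(CONFIG))
```

On this config the check reports 192.168.1.185 to 192.168.1.191 of pool VPN1 as outside the 192.168.1.192 255.255.255.192 exemption entry, and both pools as lying within the inside 255.255.0.0 network.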