Author: blacke
Views: 2169 | Replies: 20

[Security] Asking for help with an ASA 5505 remote access IPsec VPN problem

This is my first time configuring an ASA. After following the documentation to configure a remote access IPsec VPN, the client cannot connect. Could someone who has set this up before give me some pointers? Many thanks.
Device: ASA 5505 sec-k8
Version: 8.4.1
Client version: 5.0.07
Topology: pc(ip add 192.168.21.207)--(e0/1 ip add 192.168.21.1)router(e0/0 ip add 2.2.2.1)--(e0/1 ip add 2.2.2.2)asa
Error: the PC can ping 2.2.2.2; the client reports error 412, no response from the peer
Client settings:
host: 2.2.2.2
group authentication
name: testgroup password: 1234567
transport: ipsec/tcp (UDP also fails to connect, with the same error)
Below is the ASA configuration
CR-FW# sh run
: Saved
:
ASA Version 8.4(1)
!
hostname CR-FW
enable password D.LmdJJBxAq5/UlM encrypted
passwd D.LmdJJBxAq5/UlM encrypted
names
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 2.2.2.2 255.0.0.0
!
interface Vlan6
 nameif server
 security-level 50
 ip address 192.168.0.254 255.255.255.0
!
interface Vlan10
 nameif inside_10
 security-level 80
 ip address 192.168.10.254 255.255.255.0
!
interface Vlan20
 nameif inside_20
 security-level 80
 ip address 192.168.20.254 255.255.255.0
!
interface Vlan30
 nameif inside_30
 security-level 80
 ip address 192.168.30.254 255.255.255.0
!
interface Vlan40
 nameif inside_40
 security-level 80
 ip address 192.168.40.254 255.255.255.0
!
interface Vlan50
 nameif inside_50
 security-level 80
 ip address 192.168.50.254 255.255.255.0
!
interface Vlan60
 nameif inside_60
 security-level 80
 ip address 192.168.60.254 255.255.255.0
!
interface Ethernet0/0
 switchport trunk allowed vlan 1-6,10,20,30,40,50,60,70
 switchport mode trunk
 speed 100
 duplex full
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 6
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network meinsnet
 subnet 192.168.10.0 255.255.255.0
object network 20-6
 subnet 192.168.20.0 255.255.255.0
object network 30-6
 subnet 192.168.30.0 255.255.255.0
object network 40-6
 subnet 192.168.40.0 255.255.255.0
object network 50-6
 subnet 192.168.50.0 255.255.255.0
object network 60-6
 subnet 192.168.60.0 255.255.255.0
object network 40-50
 subnet 192.168.40.0 255.255.255.0
access-list 101 extended permit ip any any
access-list 101 extended permit icmp any any
pager lines 24
mtu outside 1500
mtu server 1500
mtu inside_10 1500
mtu inside_20 1500
mtu inside_30 1500
mtu inside_40 1500
mtu inside_50 1500
mtu inside_60 1500
ip local pool testpool 192.168.50.220-192.168.50.240
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network meinsnet
 nat (inside_10,server) dynamic interface
object network 20-6
 nat (inside_20,server) dynamic interface
object network 30-6
 nat (inside_30,server) dynamic interface
object network 40-6
 nat (inside_40,server) dynamic interface
object network 50-6
 nat (inside_50,server) dynamic interface
object network 60-6
 nat (inside_60,server) dynamic interface
object network 40-50
 nat (inside_40,inside_50) dynamic interface
access-group 101 in interface server
access-group 101 out interface server
route server 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set firstset esp-des esp-md5-hmac
crypto dynamic-map dyn1 1 set ikev1 transform-set firstset
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 43200
telnet 0.0.0.0 0.0.0.0 inside_50
telnet timeout 60
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username testuser password 12345678 encrypted
tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
 address-pool testpool
tunnel-group testgroup ipsec-attributes
 ikev1 pre-shared-key 1234567
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/...es/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:6fce6c1bd89ca8fbe0f2f82c6a92796e
: end

wmjzb3 [Lv4 Showing Promise] posted on 2013-8-8 15:32:30
Does the router do NAT or PAT? If so, enable NAT traversal on the ASA.

kalor [Lv5 Growing Steadily] posted on 2013-8-8 15:35:49
No NAT has been done yet; I plan to do NAT after getting the VPN working.

lsly [Lv4 Showing Promise] posted on 2013-8-8 15:40:18
interface Vlan50
 nameif inside_50
 security-level 80
 ip address 192.168.50.254 255.255.255.0
overlaps with ip local pool testpool 192.168.50.220-192.168.50.240. You can remove int vlan 50.
object-group network inside_vlan10-segments
 network-object 192.168.10.0 255.255.255.0
object-group network remote-vpn-segments
 network-object 192.168.50.192 255.255.255.192
!
! 8.3+ twice-NAT form of the identity ("NAT exemption") rule: VPN pool traffic is not translated
nat (inside_10,any) source static inside_vlan10-segments inside_vlan10-segments destination static remote-vpn-segments remote-vpn-segments
The others are similar.

ming_a [Lv4 Showing Promise] posted on 2013-8-8 17:32:55
Thanks for the pointers, teacher tailor. I have now removed all of the NAT, but it still reports error 412, no response from the peer.

woyiqie [Lv4 Showing Promise] posted on 2013-8-8 20:25:35
Problem solved
crypto ikev1 policy 1
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 43200

My ASA is a K8, so it can only use DES encryption. When copying from the documentation I only changed 3des to des and did not pay attention to the hash algorithm; DES can only be paired with MD5, and the transform set below also has to be changed to md5. Thanks to all the teachers for your support.
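Added example (not code from the thread or from Cisco): a small Python checker for the two problems raised above, an IKEv1 policy that matches none of the client's phase-1 proposals (so the ASA never answers and the client shows error 412) and an address pool that overlaps the inside_50 subnet. The config excerpt is trimmed from the thread's config; PEER_PROPOSALS is a constructed proposal list, not the real Cisco VPN Client's.

```python
import ipaddress
import re
# Constructed excerpt of the ASA 8.4 config posted in the thread (only the lines these checks need).
ASA_CONFIG = """
interface Vlan50
 nameif inside_50
 ip address 192.168.50.254 255.255.255.0
ip local pool testpool 192.168.50.220-192.168.50.240
crypto ikev1 policy 1
 authentication pre-share
 encryption des
 hash sha
 group 2
"""
# Assumed (encryption, hash, DH group, auth) proposals of a DES-only client; constructed for the demo.
PEER_PROPOSALS = [("des", "md5", "2", "pre-share")]

def parse_ikev1_policies(config):
    """Map policy priority -> {attribute: value} for each 'crypto ikev1 policy' block."""
    policies, cur = {}, None
    for line in config.splitlines():
        if m := re.match(r"crypto ikev1 policy (\d+)", line):
            cur = policies.setdefault(int(m.group(1)), {})
        elif cur is not None and (m := re.match(r"\s+(authentication|encryption|hash|group) (\S+)", line)):
            cur[m.group(1)] = m.group(2)
    return policies

def negotiate_phase1(policies, proposals):
    """Responder logic: lowest-numbered policy whose four attributes equal a peer proposal, else None."""
    for prio in sorted(policies):
        p = policies[prio]
        if (p.get("encryption"), p.get("hash"), p.get("group"), p.get("authentication")) in proposals:
            return prio
    return None  # nothing chosen: the ASA never answers, so the client reports "no response"

def pool_overlaps(config):
    """Return (pool, interface) pairs where a VPN address pool lies inside a connected subnet."""
    ifaces, name = [], None
    for line in config.splitlines():
        if m := re.match(r"\s*nameif (\S+)", line):
            name = m.group(1)
        elif name and (m := re.match(r"\s*ip address (\S+) (\S+)", line)):
            ifaces.append((name, ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)))
    hits = []
    for pool, lo, hi in re.findall(r"ip local pool (\S+) (\S+)-(\S+)", config):
        for iface, net in ifaces:
            if ipaddress.ip_address(lo) in net or ipaddress.ip_address(hi) in net:
                hits.append((pool, iface))
    return hits
```

With the thread's policy (des/sha) negotiate_phase1 returns None; changing the hash to md5 makes policy 1 match, and pool_overlaps flags testpool against inside_50.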

fucking [Lv8 Technically Sharp] posted on 2013-10-18 13:37:23
Makes sense... thanks, 攻城狮论坛

润土 [Lv8 Technically Sharp] posted on 2013-10-22 09:47:27
A little flick of the hand and the coins are mine!

mjf1125 [Lv8 Technically Sharp] posted on 2013-11-10 16:40:17
Very nice, thanks for the selfless spirit of sharing!