多子网Cisco ASA to AWS IPSEC ××× 问题
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了多子网Cisco ASA to AWS IPSEC ××× 问题相关的知识,希望对你有一定的参考价值。
最近遇到一个很妖的问题,Cisco ASA to AWS IPSEC CPN
Asa 这边有多个子网,每次只能一个子网和AWS 通信,别的就是不通。
配置如下。
ASA
10.10.55.0 255.255.255.0
10.10.66.0 255.255.255.0
10.10.77.0 255.255.255.0
To
AWS 172.21.84.0 255.255.252.0
比如 10.10.55.0 to 172.21.84.0 通了,那别的肯定不通。
CISCO ASA to AWS
object-group network IPSEC-AMAZON-LOCAL
network-object 10.10.55.0 255.255.255.0
network-object 10.10.66.0 255.255.255.0
network-object 10.10.77.0 255.255.255.0
object-group network IPSEC-AMAZON-REMOTE
network-object 172.21.84.0 255.255.252.0
access-list IPSEC-AMAZON extended permit ip object-group IPSEC-AMAZON-LOCAL object-group IPSEC-AMAZON-REMOTE
nat (×××ide,outside) source static tr-db tr-db destination static IPSEC-AMAZON-REMOTE IPSEC-AMAZON-REMOTE
crypto map mycryptomap 90 match address IPSEC-AMAZON
crypto map mycryptomap 90 set peer 8.8.8.8
crypto map mycryptomap 90 set ikev1 transform-set transform-amzn
crypto map mycryptomap 90 set security-association lifetime seconds 3600
tunnel-group 8.8.8.8 type ipsec-l2l
tunnel-group 8.8.8.8 ipsec-attributes
ikev1 pre-shared-key <PSK>
ACL 本地改成 any 试一下 过两天再看结果
access-list IPSEC-AMAZON extended permit ip any4 object-group IPSEC-AMAZON-REMOTE
一下 是AWS 官方说明
! --------------------------------------------------------------------------------
! #2: Access List Configuration
!
! Access lists are configured to permit creation of tunnels and to send applicable traffic over them.
! This policy may need to be applied to an inbound ACL on the outside interface that is used to manage control-plane traffic.
! This is to allow ××× traffic into the device from the Amazon endpoints.
!
access-list <outside_access_in> extended permit ip host 34.227.189.221 host 38.105.116.50
access-list <outside_access_in> extended permit ip host 34.238.204.97 host 38.105.116.50
! The following access list named acl-amzn specifies all traffic that needs to be routed to the VPC. Traffic will
! be encrypted and transmitted through the tunnel to the VPC. Association with the IPSec security association
! is done through the "crypto map" command.
!
! This access list should contain a static route corresponding to your VPC CIDR and allow traffic from any subnet.
! If you do not wish to use the "any" source, you must use a single access-list entry for accessing the VPC range.
! If you specify more than one entry for this ACL without using "any" as the source, the ××× will function erratically.
! The any rule is also used so the security association will include the ASA outside interface where the SLA monitor
! traffic will be sourced from.
! See section #4 regarding how to restrict the traffic going over the tunnel
!
!
access-list acl-amzn extended permit ip any4 <vpc_subnet> <vpc_subnet_mask>
!---------------------------------------------------------------------------------
以上是关于多子网Cisco ASA to AWS IPSEC ××× 问题的主要内容,如果未能解决你的问题,请参考以下文章
Cisco ASA 实现 IPSec 虚拟专用网(内附故障排查)
Cisco ASA 5505配置Ipsec VPN,Cisco vpn客户端可以拔上来,也可以获取IP,但是无法访问内网。