
Cisco L2L ACL issue

Network Engineering user
Asked on 2019-05-14 14:32:17
1 answer · 116 views · 0 followers · 3 votes

Need help seeing something I can't see right now. I have built an L2L to the AWS cloud; I ran a packet trace outbound and that passes, but when I run packet tracer inbound I keep getting denied by the implicit rule. I've gone over my config and can't see what is denying it; maybe a fresh pair of eyes will see something I can't.

Here is my config:

object network dw01
host 10.20.10.103

object network dw01-NATLDN
host 10.180.0.103


object-group network Amazon.LocalLDN
network-object 10.180.0.0 255.255.255.0

object-group network Amazon-RemoteLDN
network-object 10.30.0.0 255.255.0.0


access-list OUTSIDE_cryptomap_10 extended permit ip object-group Amazon.LocalLDN object-group Amazon-RemoteLDN
access-list OUTSIDE_cryptomap_10 extended permit ip object-group Amazon-RemoteLDN object-group Amazon.LocalLDN

access-list amznLDN-filter extended permit ip host 52.56.71.96 host 208.126.125.10
access-list amznLDN-filter extended permit ip 10.30.0.0 255.255.0.0 10.180.0.0 255.255.255.0


nat (INSIDE,OUTSIDE) source static dw01 dw01-NATLDN destination static Amazon-RemoteLDN Amazon-RemoteLDN


crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac

crypto map OUTSIDE_map 15 match address OUTSIDE_cryptomap_10
crypto map OUTSIDE_map 15 set pfs group2
crypto map OUTSIDE_map 15 set peer 52.56.71.96 
crypto map OUTSIDE_map 15 set ikev1 transform-set transform-amzn
crypto map OUTSIDE_map 15 set security-association lifetime seconds 3600
crypto map OUTSIDE_map 15 set nat-t-disable

tunnel-group 52.56.71.96 type ipsec-l2l
tunnel-group 52.56.71.96 general-attributes
 default-group-policy Amazon-LDN
tunnel-group 52.56.71.96 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 10

group-policy Amazon-LDN internal
group-policy Amazon-LDN attributes
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter value amznLDN-filter
 vpn-tunnel-protocol ikev1

Trace:

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x738e6b38, priority=13, domain=capture, deny=false
hits=2884362251, user_data=0x73831aa0, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=OUTSIDE, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x72f221c0, priority=1, domain=permit, deny=false
hits=31054542779, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=OUTSIDE, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.0.0.0 255.0.0.0 INSIDE

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x73cd1e50, priority=11, domain=permit, deny=true
hits=28748828, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=OUTSIDE, output_ifc=any

Thanks in advance for your help!!

1 Answer

Network Engineering user

Accepted answer

Posted on 2019-05-14 15:47:25

When it comes to tunnels that terminate directly on the ASA, you cannot use packet tracer for outside-to-inside traffic. Have you actually tested the tunnel in both directions with real traffic?

Also, you cannot define the tunnel to AWS the way you have, because AWS tunnels are route-based.

AWS requires "any" in the crypto map match ACL, with all restrictions done through the VPN filter or routing. That said, issue the following commands to correct your crypto map ACL:

access-list OUTSIDE_cryptomap_10 extended permit ip any object-group Amazon-RemoteLDN
no access-list OUTSIDE_cryptomap_10 extended permit ip object-group Amazon.LocalLDN object-group Amazon-RemoteLDN
no access-list OUTSIDE_cryptomap_10 extended permit ip object-group Amazon-RemoteLDN object-group Amazon.LocalLDN

A vpn-filter filters traffic from the remote side and is applied after the tunnel is formed (which means it has no effect on restricting the public peer IP, as you are trying to do). To clarify, issue the following command to correct your VPN filter:

no access-list amznLDN-filter extended permit ip host 52.56.71.96 host 208.126.125.10

To add a redundant/fault-tolerant tunnel configuration, find the configuration script AWS created for you to copy/paste, and locate the crypto map section and the tunnel-group section for the second tunnel. Then, on your ASA, you would need to do:

crypto map OUTSIDE_map 15 set peer 52.56.71.96 <secondary tunnel peer IP address goes here after the existing peer IP address>
!
tunnel-group <secondary peer IP address here> type ipsec-l2l
tunnel-group <secondary peer IP address here> general-attributes
 default-group-policy Amazon-LDN
tunnel-group <secondary peer IP address here> ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 10

2 votes
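Added example (my own code, not from the post, Cisco or AWS): a small evaluator for the ASA-style extended ACL lines shown in this thread, so you can check offline that the vpn-filter permits the remote-to-local flow, that no filter entry names the public peer IP (which the post-decryption filter can never match), and that the crypto map match ACL uses "any" as the answer requires. Object-group contents are a constructed lookup copied from the question's config, and only `ip` ACEs are handled.

```python
import ipaddress

GROUPS = {  # object groups from the question's config (constructed lookup table)
    "Amazon.LocalLDN": [ipaddress.ip_network("10.180.0.0/24")],
    "Amazon-RemoteLDN": [ipaddress.ip_network("10.30.0.0/16")],
}

def _addr(tokens, groups):
    """Consume one ASA address spec from the token list; return (networks, is_any)."""
    t = tokens.pop(0)
    if t == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], True
    if t == "host":
        return [ipaddress.ip_network(tokens.pop(0) + "/32")], False
    if t in ("object-group", "object"):
        return list(groups[tokens.pop(0)]), False
    return [ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)], False  # NET MASK

def parse_ace(line, groups=GROUPS):
    """Parse 'access-list NAME extended permit|deny ip SRC DST' (ip-only, as on the page)."""
    tok = line.split()
    if tok[:1] != ["access-list"] or tok[2] != "extended" or tok[4] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    rest = tok[5:]
    src, src_any = _addr(rest, groups)
    dst, dst_any = _addr(rest, groups)
    return {"name": tok[1], "permit": tok[3] == "permit", "src": src, "dst": dst,
            "src_any": src_any, "dst_any": dst_any, "line": line}

def acl_permits(aces, src_ip, dst_ip):
    """First matching ACE wins; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for a in aces:
        if any(s in n for n in a["src"]) and any(d in n for n in a["dst"]):
            return a["permit"]
    return False

def vpn_filter_permits(aces, remote_ip, local_ip):
    """vpn-filter ACEs are written remote -> local and mirrored for the return direction, so always evaluate with the far side as source."""
    return acl_permits(aces, remote_ip, local_ip)

def ineffective_peer_entries(aces, peer_ip):
    """The filter runs on decrypted traffic, so an ACE naming the public peer IP never matches."""
    peer = ipaddress.ip_network(peer_ip + "/32")
    return [a["line"] for a in aces if peer in a["src"] or peer in a["dst"]]

def crypto_acl_uses_any(aces):
    """Route-based AWS tunnels expect 'any' as the local side of the crypto-map match ACL."""
    return all(a["src_any"] for a in aces)
```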
Original page content provided by Network Engineering. Translation supported by Tencent Cloud Xiaowei IT engine.
Original link:

https://networkengineering.stackexchange.com/questions/59143
