I am trying to set up a site-to-site VPN tunnel between two networks, one with a Sophos UTM and the other with a Cisco ASA 5515-X. The ASA end of the tunnel is configured with a public peer and a private address subnet (192.168.71.0), while the Sophos end is forced to use the same IP address (3.3.3.50, which is a fake address) for both the tunnel peer and the host. The tunnel is down; I can see the traffic going through on the Sophos UTM's network, but nothing comes back from the Cisco side. This is the first time I have had to configure an ASA for this, and I am completely confused.
Can anyone tell me what I am missing? My Cisco ASA config is below.
crypto ipsec ikev1 transform-set REMOTE_LOCAL esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map REMOTE2LOCAL 1 match address REMOTE_to_LOCAL
crypto map REMOTE2LOCAL 1 set pfs
crypto map REMOTE2LOCAL 1 set peer 3.3.3.50
crypto map REMOTE2LOCAL 1 set ikev1 transform-set REMOTE_LOCAL
crypto map REMOTE2LOCAL interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ipsec ikev1 transform-set REMOTE_LOCAL esp-3des esp-md5-hmac
object network mgmt71vpn
subnet 192.168.71.0 255.255.255.0
object network REMOTE.50
host 3.3.3.50
nat (inside,outside) source static mgmt71vpn mgmt71vpn destination static REMOTE.50 REMOTE.50 no-proxy-arp route-lookup
access-list REMOTE_to_LOCAL extended permit ip object mgmt71vpn object REMOTE.50
access-list outside_in extended permit ip host 3.3.3.50 192.168.71.0 255.255.255.0
access-group outside_in in interface outside
Thanks!
Posted on 2016-03-14 19:59:26
Here is the ASA configuration:
route outside 192.168.26.50 255.255.255.255 <default gateway IP address>
crypto ipsec ikev1 transform-set REMOTE_LOCAL esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map REMOTE2LOCAL 1 match address REMOTE_to_LOCAL
crypto map REMOTE2LOCAL 1 set pfs
crypto map REMOTE2LOCAL 1 set peer 3.3.3.50
crypto map REMOTE2LOCAL 1 set ikev1 transform-set REMOTE_LOCAL
crypto map REMOTE2LOCAL interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ipsec ikev1 transform-set REMOTE_LOCAL esp-3des esp-md5-hmac
object network mgmt71vpn
subnet 192.168.71.0 255.255.255.0
object network REMOTE.50
host 192.168.26.50
nat (inside,outside) source static mgmt71vpn mgmt71vpn destination static REMOTE.50 REMOTE.50
access-list REMOTE_to_LOCAL extended permit ip object mgmt71vpn object REMOTE.50
access-list outside_in extended permit ip host 192.168.26.50 192.168.71.0 255.255.255.0
access-group outside_in in interface outside
Then on the Sophos box, send your protected subnet to the 192.168.26.50 address when the destination is the 192.168.71.0/24 network. Let me know if you have any comments on this or need more help.
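As an added sanity check (not code from either post above), this Python script reads the ASA lines from the answer, confirms that the identity NAT rule covers exactly the selectors in the crypto map's match ACL, flags whether the IKE peer address falls inside the remote selector (the overlap present in the question's config, where peer and protected host were both 3.3.3.50), and derives the mirrored selectors the Sophos side must present. The function and dictionary key names are my own.

```python
import ipaddress
import re
# ASA configuration lines from the answer above, embedded here as the sample input.
ASA_CONFIG = """
object network mgmt71vpn
 subnet 192.168.71.0 255.255.255.0
object network REMOTE.50
 host 192.168.26.50
nat (inside,outside) source static mgmt71vpn mgmt71vpn destination static REMOTE.50 REMOTE.50
access-list REMOTE_to_LOCAL extended permit ip object mgmt71vpn object REMOTE.50
crypto map REMOTE2LOCAL 1 match address REMOTE_to_LOCAL
crypto map REMOTE2LOCAL 1 set peer 3.3.3.50
"""

def parse_objects(cfg):
    """Map each 'object network' name to the ip_network it defines (subnet or host)."""
    objects, current = {}, None
    for line in cfg.splitlines():
        line = line.strip()
        if line.startswith("object network "):
            current = line.split()[2]
        elif current and line.startswith("subnet "):
            _, net, mask = line.split()
            objects[current] = ipaddress.ip_network(f"{net}/{mask}")
        elif current and line.startswith("host "):
            objects[current] = ipaddress.ip_network(line.split()[1] + "/32")
    return objects
def crypto_proxy_ids(cfg, objects):
    """Return (local, remote) networks selected by the crypto map's 'match address' ACL."""
    acl = re.search(r"crypto map \S+ \d+ match address (\S+)", cfg).group(1)
    m = re.search(rf"access-list {re.escape(acl)} extended permit ip object (\S+) object (\S+)", cfg)
    return objects[m.group(1)], objects[m.group(2)]
def nat_exempt_pairs(cfg, objects):
    """Collect (source, destination) pairs of identity twice-NAT rules, i.e. NAT exemptions."""
    pairs = []
    for m in re.finditer(r"nat \(\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)", cfg):
        s1, s2, d1, d2 = m.groups()
        if s1 == s2 and d1 == d2:  # mapped object equals real object on both sides: no translation
            pairs.append((objects[s1], objects[d1]))
    return pairs
def check_tunnel_selectors(cfg):
    """Verify the NAT exemption matches the crypto ACL and derive the selectors the peer must mirror."""
    objects = parse_objects(cfg)
    local, remote = crypto_proxy_ids(cfg, objects)
    peer = ipaddress.ip_address(re.search(r"set peer (\S+)", cfg).group(1))
    return {"asa_local": str(local), "asa_remote": str(remote), "peer": str(peer),
            "nat_exempt": (local, remote) in nat_exempt_pairs(cfg, objects),
            "peer_inside_remote_selector": peer in remote,  # True reproduces the question's overlap
            "sophos_local": str(remote), "sophos_remote": str(local)}
```

Running it against the question's variant (REMOTE.50 as host 3.3.3.50) reports the peer address inside the remote selector, which the answer's separate 192.168.26.50 address avoids.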
https://networkengineering.stackexchange.com/questions/28674