
Cisco ASA-5505 - can ping the Internet from LAN-connected devices, but I can't from the LAN interface to the Internet

Network Engineering user
Asked on 2016-09-07 01:03:30
2 answers · 1.4K views · 0 followers · 1 vote

I'm new to Cisco ASA and ASDM. Struggling to work through the things that differ from IOS devices. The network layout is as follows:

AWS - IPsec tunnel - ASA-5505 - LAN

Currently:

  1. The IPsec tunnel is up.
  2. AWS can reach the LAN-connected devices.
  3. The LAN-connected devices can reach the Internet.

However, I have the following two problems:

  1. The ASA's LAN interface cannot reach the Internet.
  2. The SLA monitor does not work. (Possibly related to point 1?)

Below I have pasted most of the running config (and the routing table). I removed the password configuration and masked some octets of the WAN addresses with xxx. Hopefully there is enough config here to help with troubleshooting. If more information is needed, please ask.

(Sorry, there is probably a better way to format the running config below.)

```
ciscoasa# show running-config
: Saved
:
ASA Version 9.1(2)8
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.152.29.xxx 255.255.255.240
!
ftp mode passive
object network inside-subnet-1
 subnet 192.168.0.0 255.255.255.0
object network AWS-inside-subnet
 subnet 172.19.254.128 255.255.255.128
object network NETWORK_OBJ_192.168.0.0_24
 subnet 192.168.0.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
access-list outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_1 192.168.0.0 255.255.255.0 object AWS-inside-subnet
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static AWS-inside-subnet AWS-inside-subnet
!
object network inside-subnet-1
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 xxx.152.29.xxx 1

http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact

sla monitor 1
 type echo protocol ipIcmpEcho 172.19.254.129 interface outside
 frequency 30
sla monitor schedule 1 life forever start-time now
!
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 20
ssh key-exchange group dh-group1-sha1
console timeout 0
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
: end
ciscoasa# show route

Gateway of last resort is xxx.152.29.xxx to network 0.0.0.0

C    xxx.152.29.xxx 255.255.255.240 is directly connected, outside
C    192.168.0.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via xxx.152.29.xxx, outside
ciscoasa#
```

2 Answers

Network Engineering user

Posted on 2016-09-08 07:30:10

To make the IP SLA work, change the crypto ACL from:

```
access-list outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_1 192.168.0.0 255.255.255.0 object AWS-inside-subnet
```

to:

```
access-list outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_1 any4 object AWS-inside-subnet
```

And of course do the same (mirrored) on the remote peer.

This way, IP traffic sourced from the ASA's outside IP address also gets tunneled.

src: http://www.tunnelsup.com/troubleshooting-vpn-between-cisco-asa-and-amazon-aws

Edit: Note that if there is any traffic between AWS and the Internet, the suggested config change may break things, because it may cause that traffic to now traverse the tunnel (depending on how the other side is configured).

Edit2: This will also make it work if you ping from the outside interface. Honestly, I'm not sure whether a ping from the inside interface will work -- it might if you enable management-access inside. That should at least allow you to ping the inside interface from AWS.

1 vote

Network Engineering user

Posted on 2017-11-02 23:24:27

Type the following commands in the CLI (starting from the config you provided):

```
management-access inside
access-list outside_cryptomap extended permit ip object NETWORK_OBJ_192.168.0.0_24 object AWS-inside-subnet
no access-list outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_1 192.168.0.0 255.255.255.0 object AWS-inside-subnet
nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static AWS-inside-subnet AWS-inside-subnet no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic any interface
object network inside-subnet-1
no nat (inside,outside) dynamic interface
exit
sla monitor 1
no type echo protocol ipIcmpEcho 172.19.254.129 interface outside
type echo protocol ipIcmpEcho 172.19.254.129 source-ipaddr 192.168.0.1
exit
track 1 rtr 1 reachability
```

After typing the above commands, exit config mode and clear the ipsec sa to restart the tunnel. The SLA monitor should start working. If not, you may want to try another 192.168.0.x address for the source-ip parameter.

Also, your ASA IOS image is very old! You may be running into VPN bugs. I strongly recommend upgrading to 9.1(7)19 (asa917 917-19-k8.bin)

For more information, see https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike

0 votes
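Both answers change the crypto ACL (or the SLA source) for the same underlying reason: an echo probe sent via `interface outside` is sourced from the ASA's outside address, which the original ACE (source 192.168.0.0/24, destination AWS-inside-subnet) does not match, so the probe is never classified as interesting traffic and is not encrypted into the tunnel. The Python script below is an added illustration, not code from this thread or from Cisco: it parses the relevant `object network`, `object-group protocol` and `access-list ... extended` lines into a simplified first-match model of the crypto ACL and reports which probe sources would be tunneled before and after the `any4` change. The outside address (203.0.113.10, because the real one is masked on the page) and the LAN client 192.168.0.50 are constructed placeholders; the model ignores ports, network object-groups and other ACE forms the question's config does not use.

```python
import ipaddress
from dataclasses import dataclass

# Constructed config fragment modelled on the question's running-config.
# The outside interface address is masked on the page, so a documentation
# range address stands in for it here.
OUTSIDE_IP = "203.0.113.10"
AWS_PEER_HOST = "172.19.254.129"       # the SLA echo target from the question

CONFIG_BEFORE = """\
object network inside-subnet-1
 subnet 192.168.0.0 255.255.255.0
object network AWS-inside-subnet
 subnet 172.19.254.128 255.255.255.128
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
access-list outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_1 192.168.0.0 255.255.255.0 object AWS-inside-subnet
"""

# The first answer's change: match any IPv4 source instead of only the LAN subnet.
CONFIG_AFTER = CONFIG_BEFORE.replace(
    "permit object-group DM_INLINE_PROTOCOL_1 192.168.0.0 255.255.255.0 object",
    "permit object-group DM_INLINE_PROTOCOL_1 any4 object")


@dataclass
class Ace:
    acl: str
    action: str
    protocols: set
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _address(tok, i, objects):
    """Consume one address spec starting at tok[i]; return (network, next index)."""
    t = tok[i]
    if t in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "object":
        return objects[tok[i + 1]], i + 2
    if t == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t}/{tok[i + 1]}"), i + 2   # "A.B.C.D MASK" form


def parse_config(text):
    """Return (network objects, protocol groups, ACEs) from an ASA config fragment."""
    objects, groups, aces = {}, {}, []
    current = None          # (kind, name) of the object/group being filled in
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] in ("!", ":"):
            continue
        if tok[:2] == ["object", "network"]:
            current = ("object", tok[2])
        elif tok[:2] == ["object-group", "protocol"]:
            current = ("group", tok[2])
            groups[tok[2]] = set()
        elif tok[0] == "subnet" and current and current[0] == "object":
            objects[current[1]] = ipaddress.ip_network(f"{tok[1]}/{tok[2]}")
        elif tok[0] == "protocol-object" and current and current[0] == "group":
            groups[current[1]].add(tok[1])
        elif tok[0] == "access-list" and tok[2] == "extended":
            i = 4                                     # token after permit/deny
            if tok[i] == "object-group":
                protos, i = groups[tok[i + 1]], i + 2
            else:
                protos, i = {tok[i]}, i + 1
            src, i = _address(tok, i, objects)
            dst, i = _address(tok, i, objects)
            aces.append(Ace(tok[1], tok[3], set(protos), src, dst))
        else:
            current = None
    return objects, groups, aces


def is_interesting(aces, acl_name, proto, src_ip, dst_ip):
    """First-match evaluation of a crypto ACL: True if the flow would be tunneled."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.acl != acl_name:
            continue
        if (proto in ace.protocols or "ip" in ace.protocols) \
                and src in ace.src and dst in ace.dst:
            return ace.action == "permit"
    return False            # implicit deny: sent in the clear, not encrypted


def sla_probe_results(config_text):
    """Which ICMP echo sources toward the AWS host does the crypto ACL tunnel?"""
    _, _, aces = parse_config(config_text)
    probes = {
        "lan_host": "192.168.0.50",     # constructed LAN client
        "outside_if": OUTSIDE_IP,       # default source of 'interface outside'
        "inside_if": "192.168.0.1",     # ASA inside address from the question
    }
    return {name: is_interesting(aces, "outside_cryptomap", "icmp", ip, AWS_PEER_HOST)
            for name, ip in probes.items()}


if __name__ == "__main__":
    for label, cfg in (("original ACL", CONFIG_BEFORE), ("any4 ACL", CONFIG_AFTER)):
        print(label, sla_probe_results(cfg))
```

With the original ACE only `lan_host` and `inside_if` come back as tunneled and `outside_if` does not, which is exactly the probe the question's `sla monitor 1` sends; with `any4` all three are tunneled, which is also why the first answer warns that AWS-bound traffic from other sources may now enter the tunnel.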
Page content provided by Network Engineering. Original link:

https://networkengineering.stackexchange.com/questions/34676