ASA VPN configureren met overlappende scenario's
Inhoud
Inleiding
Dit document beschrijft de stappen die worden gebruikt om het VPN-verkeer te vertalen dat over een LAN-naar-LAN (L2L) IPsec-tunnel reist tussen twee Adaptive Security Appliances (ASA) in overlappende scenario's en ook Port Address Translation (PAT) het internetverkeer.
Voorwaarden
Vereisten
Zorg ervoor dat u de Cisco Adaptive Security Appliance hebt geconfigureerd met IP-adressen op de interfaces en dat u basisconnectiviteit hebt voordat u doorgaat met dit configuratievoorbeeld.
Gebruikte componenten
De informatie in dit document is gebaseerd op deze softwareversie:
-
Cisco Adaptive Security Appliance Software versie 8.3 en hoger.
De informatie in dit document is gebaseerd op de apparaten in een specifieke laboratoriumomgeving. Alle apparaten die in dit document worden beschreven, hadden een opgeschoonde (standaard)configuratie. Als uw netwerk live is, moet u zorgen dat u de potentiële impact van elke opdracht begrijpt.
Achtergrondinformatie
Elk apparaat heeft een privé, beschermd netwerk erachter. In overlappende scenario's gebeurt communicatie over de VPN nooit omdat de pakketten nooit het lokale subnet verlaten omdat het verkeer naar een IP-adres van hetzelfde subnet wordt verzonden. Dit kan worden bereikt met Network Address Translation (NAT), zoals uitgelegd in de volgende secties.
Vertaling op beide VPN-eindpunten
Wanneer de VPN-beveiligde netwerken elkaar overlappen en de configuratie op beide eindpunten kan worden gewijzigd, kan NAT worden gebruikt om het lokale netwerk naar een ander subnet te vertalen wanneer u naar het extern vertaalde subnet gaat.
ASA 1
De benodigde objecten maken voor de gebruikte subnetten
object network LOCAL subnet 192.168.1.0 255.255.255.0 object network XLATED-LOCAL subnet 192.168.2.0 255.255.255.0 object network XLATED-REMOTE subnet 192.168.3.0 255.255.255.0
De NAT-instructie configureren
Maak een handmatige instructie om het lokale netwerk alleen naar een ander subnet te vertalen wanneer u naar het externe subnet gaat (ook vertaald)
nat (inside,outside) source static LOCAL XLATED-LOCAL destination static XLATED-REMOTE XLATED-REMOTE
De crypto-ACL configureren met de vertaalde subnetten
access-list VPN-TRAFFIC extended permit ip object XLATED-LOCAL object XLATED-REMOTE Rele
Relevante crypto-configuratie
crypto ikev1 enable outside crypto ikev1 policy 1 authentication pre-share encryption aes-256 hash sha group 2 lifetime 86400 crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac crypto ipsec security-association pmtu-aging infinite crypto map MYMAP 10 match address VPN-TRAFFIC crypto map MYMAP 10 set peer 172.16.2.1 crypto map MYMAP 10 set ikev1 transform-set AES256-SHA crypto map MYMAP interface outside tunnel-group 172.16.2.1 type ipsec-l2l tunnel-group 172.16.2.1 ipsec-attributes ikev1 pre-shared-key secure_PSK
ASA 2
De benodigde objecten maken voor de gebruikte subnetten
object network LOCAL subnet 192.168.1.0 255.255.255.0 object network XLATED-LOCAL subnet 192.168.3.0 255.255.255.0 object network XLATED-REMOTE subnet 192.168.2.0 255.255.255.0
De NAT-instructie configureren
Maak een handmatige instructie om het lokale netwerk alleen naar een ander subnet te vertalen wanneer u naar het externe subnet gaat (ook vertaald)
nat (inside,outside) source static LOCAL XLATED-LOCAL destination static XLATED-REMOTE XLATED-REMOTE
De crypto-ACL configureren met de vertaalde subnetten
access-list VPN-TRAFFIC extended permit ip object XLATED-LOCAL object XLATED-REMOTE Rele
Relevante crypto-configuratie
crypto ikev1 enable outside crypto ikev1 policy 1 authentication pre-share encryption aes-256 hash sha group 2 lifetime 86400 crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac crypto ipsec security-association pmtu-aging infinite crypto map MYMAP 10 match address VPN-TRAFFIC crypto map MYMAP 10 set peer 172.16.1.1 crypto map MYMAP 10 set ikev1 transform-set AES256-SHA crypto map MYMAP interface outside tunnel-group 172.16.1.1 type ipsec-l2l tunnel-group 172.16.1.1 ipsec-attributes ikev1 pre-shared-key secure_PSK
Verifiëren
Gebruik deze sectie om te controleren of uw configuratie goed werkt.
ASA 1
ASA1(config)# sh cry isa sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 172.16.2.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAsASA1(config)# show crypto ipsec sa
interface: outside
Crypto map tag: MYMAP, seq num: 10, local addr: 172.16.1.1
access-list VPN-TRAFFIC extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer: 172.16.2.1
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 9, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 172.16.1.1/0, remote crypto endpt.: 172.16.2.1/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: F90C149A
current inbound spi : 6CE656C7
inbound esp sas:
spi: 0x6CE656C7 (1827034823)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 16384, crypto-map: MYMAP
sa timing: remaining key lifetime (kB/sec): (3914999/28768)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x000003FF
outbound esp sas:
spi: 0xF90C149A (4178318490)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 16384, crypto-map: MYMAP
sa timing: remaining key lifetime (kB/sec): (3914999/28768)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
ASA 2
ASA2(config)# show crypto isa sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 172.16.1.1
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAsASA2(config)# show crypto ipsec sa
interface: outside
Crypto map tag: MYMAP, seq num: 10, local addr: 172.16.2.1
access-list VPN-TRAFFIC extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 172.16.1.1
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 9, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 172.16.2.1/0, remote crypto endpt.: 172.16.1.1/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 6CE656C7
current inbound spi : F90C149A
inbound esp sas:
spi: 0xF90C149A (4178318490)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 12288, crypto-map: MYMAP
sa timing: remaining key lifetime (kB/sec): (4373999/28684)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x000003FF
outbound esp sas:
spi: 0x6CE656C7 (1827034823)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 12288, crypto-map: MYMAP
sa timing: remaining key lifetime (kB/sec): (4373999/28683)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Hub- en spaaktopologie met overlappende spaken
In de volgende topologie hebben beide spaken hetzelfde subnet dat over de IPsec-tunnel naar de hub moet worden beschermd. Om het beheer van de spaken te vergemakkelijken, wordt de NAT-configuratie om het overlappende probleem op te lossen alleen op de hub uitgevoerd.
ASA1
De benodigde objecten maken voor de gebruikte subnetten
object network LOCAL subnet 10.10.10.0 255.255.255.0 object network SPOKES-NETWORK subnet 192.168.2.0 255.255.255.0 object network LOCAL-XLATE-TO-SPOKE1 subnet 10.20.20.0 255.255.255.0 object network LOCAL-XLATE-TO-SPOKE2 subnet 10.30.30.0 255.255.255.0 object network REMOTE-XLATE-SPOKE1 subnet 192.168.3.0 255.255.255.0 object network REMOTE-XLATE-SPOKE2 subnet 192.168.4.0 255.255.255.0
Maak handmatige instructies om te vertalen:
- Het lokale netwerk 10.10.10.0 / 24 tot 10.20.20.0 / 24 bij het gaan naar de SPOKE1 (192.168.2.0 / 24).
- Het SPOKE1-netwerk 192.168.2.0 / 24 tot 192.168.3.0 / 24 bij het komen tot 10.20.20.0 / 24.
- Het lokale netwerk 10.10.10.0 / 24 tot 10.30.30.0 / 24 bij het gaan naar de SPOKE3 (192.168.2.0 / 24).
- Het SPOKE2-netwerk 192.168.2.0 / 24 tot 192.168.4.0 / 24 bij het komen tot 10.30.30.0 / 24.
nat (inside,outside) source static LOCAL LOCAL-XLATE-SPOKE1 destination static REMOTE-XLATE-SPOKE1 SPOKES-NETWORK nat (inside,outside) source static LOCAL LOCAL-XLATE-SPOKE2 destination static REMOTE-XLATE-SPOKE2 SPOKES-NETWORK
De crypto-ACL configureren met de vertaalde subnetten
access-list VPN-to-SPOKE1 extended permit ip object LOCAL-XLATE-SPOKE1 object SPOKES-NETWORKS access-list VPN-to-SPOKE2 extended permit ip object LOCAL-XLATE-SPOKE2 object SPOKES-NETWORKS
Relevante crypto-configuratie
crypto ikev1 enable outside crypto ikev1 policy 1 authentication pre-share encryption aes-256 hash sha group 2 lifetime 86400 crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac crypto ipsec security-association pmtu-aging infinite crypto map MYMAP 10 match address VPN-to-SPOKE1 crypto map MYMAP 10 set peer 172.16.2.1 crypto map MYMAP 10 set ikev1 transform-set AES256-SHA crypto map MYMAP 20 match address VPN-to-SPOKE2 crypto map MYMAP 20 set peer 172.16.3.1 crypto map MYMAP 20 set ikev1 transform-set AES256-SHA crypto map MYMAP interface outside tunnel-group 172.16.2.1 type ipsec-l2l tunnel-group 172.16.2.1 ipsec-attributes ikev1 pre-shared-key secure_PSK tunnel-group 172.16.3.1 type ipsec-l2l tunnel-group 172.16.3.1 ipsec-attributes ikev1 pre-shared-key secure_PSK
ASA2 (SPOKE1)
Configureer de crypto-ACL die naar het vertaalde subnet gaat (10.20.20.0 /24)
access-list VPN-TRAFFIC extended permit ip 192.168.2.0 255.255.255.0 10.20.20.0 255.255.255.0
Relevante crypto-configuratie
crypto ikev1 enable outside crypto ikev1 policy 1 authentication pre-share encryption aes-256 hash sha group 2 lifetime 86400 crypto ipsec ikev1 transform-set esp-aes-256 esp-sha-hmac crypto ipsec security-association pmtu-aging infinite crypto map MYMAP 10 match address VPN-TRAFFIC crypto map MYMAP 10 set peer 172.16.1.1 crypto map MYMAP 10 set ikev1 transform-set AES256-SHA crypto map MYMAP interface outside tunnel-group 172.16.1.1 type ipsec-l2l tunnel-group 172.16.1.1 ipsec-attributes ikev1 pre-shared-key secure_PSK
R1 (SPOKE2)
Configureer de crypto-ACL die naar het vertaalde subnet gaat (10.30.30.0 /24)
ip access-list extended VPN-TRAFFIC permit ip 192.168.2.0 0.0.0.255 10.30.30.0 0.0.0.255
Relevante crypto-configuratie
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key secure_PSK address 172.16.1.1
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
mode tunnel
crypto map MYMAP 10 ipsec-isakmp
set peer 172.16.1.1
set transform-set AES256-SHA
match address VPN-TRAFFIC
interface GigabitEthernet0/1
ip address 172.16.3.1 255.255.255.0
duplex auto
speed auto
media-type rj45
crypto map MYMAPVerifiëren
ASA 1
ASA1(config)# show crypto isakmp sa
IKEv1 SAs:
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: 172.16.3.1
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
2 IKE Peer: 172.16.2.1
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAsASA1(config)# show crypto ipsec sa
interface: outside
Crypto map tag: MYMAP, seq num: 10, local addr: 172.16.1.1
access-list VPN-to-SPOKE1 extended permit ip 10.20.20.0 255.255.255.0 192.168.2.0 255.255.255.0
local ident (addr/mask/prot/port): (10.20.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 172.16.2.1
#pkts encaps: 10, #pkts encrypt: 9, #pkts digest: 10
#pkts decaps: 10, #pkts decrypt: 9, #pkts verify: 10
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 9, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 172.16.1.1/0, remote crypto endpt.: 172.16.2.1/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 79384296
current inbound spi : 2189BF7A
inbound esp sas:
spi: 0x2189BF7A (562675578)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 12288, crypto-map: MYMAP
sa timing: remaining key lifetime (kB/sec): (3914999/28618)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x000003FF
outbound esp sas:
spi: 0x79384296 (2033730198)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 12288, crypto-map: MYMAP
sa timing: remaining key lifetime (kB/sec): (3914999/28618)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: MYMAP, seq num: 20, local addr: 172.16.1.1
access-list VPN-to-SPOKE2 extended permit ip 10.30.30.0 255.255.255.0 192.168.2.0 255.255.255.0
local ident (addr/mask/prot/port): (10.30.30.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 172.16.3.1
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 172.16.1.1/0, remote crypto endpt.: 172.16.3.1/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 65FDF4F5
current inbound spi : 05B7155D
inbound esp sas:
spi: 0x05B7155D (95884637)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 8192, crypto-map: MYMAP
sa timing: remaining key lifetime (kB/sec): (3914999/2883)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000001F
outbound esp sas:
spi: 0x65FDF4F5 (1711142133)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 8192, crypto-map: MYMAP
sa timing: remaining key lifetime (kB/sec): (3914999/2883)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001 ASA2 (SPOKE1)
ASA2(config)# show crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 172.16.1.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAsASA2(config)# show crypto ipsec sa
interface: outside
Crypto map tag: MYMAP, seq num: 10, local addr: 172.16.2.1
access-list VPN-TRAFFIC extended permit ip 192.168.2.0 255.255.255.0 10.20.20.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.20.20.0/255.255.255.0/0/0)
current_peer: 172.16.1.1
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 9, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 172.16.2.1/0, remote crypto endpt.: 172.16.1.1/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 2189BF7A
current inbound spi : 79384296
inbound esp sas:
spi: 0x79384296 (2033730198)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 8192, crypto-map: MYMAP
sa timing: remaining key lifetime (kB/sec): (4373999/28494)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x000003FF
outbound esp sas:
spi: 0x2189BF7A (562675578)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 8192, crypto-map: MYMAP
sa timing: remaining key lifetime (kB/sec): (4373999/28494)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001R1 (SPOKE2)
R31show crypto isakmp sa IPv4 Crypto ISAKMP SA dst src state conn-id status 172.16.1.1 172.16.3.1 QM_IDLE 1001 ACTIVE IPv6 Crypto ISAKMP SA
R1#show crypto ipsec sa
interface: GigabitEthernet0/1
Crypto map tag: MYMAP, local addr 172.16.3.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.30.30.0/255.255.255.0/0/0)
current_peer 172.16.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.16.3.1, remote crypto endpt.: 172.16.1.1
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x5B7155D(95884637)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x65FDF4F5(1711142133)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, sibling_flags 80004040, crypto map: MYMAP
sa timing: remaining key lifetime (k/sec): (4188495/2652)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x5B7155D(95884637)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, sibling_flags 80004040, crypto map: MYMAP
sa timing: remaining key lifetime (k/sec): (4188495/2652)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:Problemen oplossen
Deze sectie bevat informatie waarmee u problemen met de configuratie kunt oplossen.
Wis security koppelingen
Wanneer u problemen oplost, moet u bestaande SA's wissen nadat u een wijziging hebt aangebracht. Gebruik in de geprivilegieerde modus van de PIX de volgende opdrachten:
-
crypto ipsec sa wissen - Verwijdert de actieve IPsec SA's.
-
clear crypto isakmp sa - Verwijdert de actieve IKE SA's.
NAT-configuratie controleren
-
NAT-details weergeven - Hiermee wordt de NAT-configuratie weergegeven met de object(en) / objectgroep(en) uitgevouwen
Opdrachten voor troubleshooting
Gebruik deze sectie om te controleren of uw configuratie goed werkt.
De Cisco CLI Analyzer (alleen voor geregistreerde klanten) ondersteunt bepaalde opdrachten met show . Gebruik de Cisco CLI Analyzer om een analyse te bekijken van de output van de opdracht show .
-
debug crypto ipsec - Geeft de IPsec-onderhandelingen van fase 2 weer.
-
debug crypto isakmp - Geeft de ISAKMP-onderhandelingen van fase 1 weer.
Gerelateerde informatie
Revisiegeschiedenis
| Revisie | Publicatiedatum | Opmerkingen |
|---|---|---|
1.0 |
25-May-2017
|
Eerste vrijgave |
Feedback