ciscoasa# sh run
: Saved
:
ASA Version 7.2(5)
!
hostname ciscoasa
domain-name xxx.com
! NOTE(review): the enable and login passwords below carry the same hash string, so
! they are almost certainly the same password, and both hashes are visible in this
! post. Treat them (and the username hash further down) as compromised and rotate.
enable password 8MAbNmQHb7btnVyZ encrypted
passwd 8MAbNmQHb7btnVyZ encrypted
names
!
! inside: private LAN, also served by the DHCP pool at the end of the config
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.170.1 255.255.255.0
!
! outside: public /29 facing the ISP. The crypto map, the inbound ACL and the
! management-access lines are all bound to this interface. Redact public
! addresses before posting a config publicly.
interface Vlan2
 nameif outside
 security-level 0
 ip address 61.165.129.20 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
! "k8" images historically ship without 3DES/AES, which would explain the
! DES-only IPsec settings below -- confirm with the activation key in `show version`.
boot system disk0:/asa725-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name baoxiniao.com
! The next two ACLs are wrapped by the 80-column terminal capture; each is a
! single line in the real config. nonat exempts LAN->HQ traffic from PAT, 101
! selects the same traffic for the tunnel. The HQ side must hold the mirror
! image of 101 (192.168.0.0/16 -> 192.168.170.0/24); a proxy-ID mismatch is a
! common Phase 2 failure. Note 192.168.0.0/16 also contains 192.168.170.0/24.
access-list nonat extended permit ip 192.168.170.0 255.255.255.0 192.168.0.0 255
.255.0.0
access-list 101 extended permit ip 192.168.170.0 255.255.255.0 192.168.0.0 255.2
55.0.0
! 103 is not referenced anywhere in this capture.
access-list 103 standard permit 192.168.170.0 255.255.255.0
! "test" permits everything and is applied inbound on outside (access-group
! below), removing that interface's default deny. With only PAT configured there
! are no inbound translations for it to reach, but it should not remain in a
! production config; the name suggests it was added while troubleshooting.
access-list test extended permit ip any any
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
! "p_w_picpath" looks like a site-side mangling of the keyword "image" -- verify
! against the device rather than this capture.
asdm p_w_picpath disk0:/asa725-k8.bin
no asdm history enable
arp timeout 14400
! PAT all inside traffic to the outside interface address, except nonat matches
! (the VPN traffic), which keep their real addresses.
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
no threat-detection statistics tcp-intercept
! See the note on access-list test above.
access-group test in interface outside
route outside 0.0.0.0 0.0.0.0 61.165.129.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
! Device logins (ssh/telnet) authenticate against the single local account
! defined further down.
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! Phase 2: ESP with DES + SHA-1 HMAC. DES is 56-bit and deprecated; prefer
! 3DES/AES if the image and the peer allow it. Both ends must offer a matching
! transform set.
crypto ipsec transform-set ***set esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
! Crypto map: interesting traffic = ACL 101, peer = the HQ address that also
! names the tunnel-group below.
crypto map mymap 10 match address 101
crypto map mymap 10 set peer 220.108.21.3
crypto map mymap 10 set transform-set ***set
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
! Phase 1 (IKEv1): pre-shared key, DES, SHA-1, DH group 2. The peer needs an
! identical policy or Phase 1 never completes.
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
! Management plane: telnet and ssh are permitted from any source on both
! interfaces. Telnet is cleartext, and 0.0.0.0/0 on outside exposes the login
! prompt to the whole Internet; restrict both to known management sources.
! (The ASA normally refuses telnet on its lowest-security interface except
! inside an IPsec tunnel, so the outside telnet line is probably ineffective.)
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 50
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 50
! 0 disables the console idle timeout.
console timeout 0
dhcpd dns 61.153.177.197
!
dhcpd address 192.168.170.5-192.168.170.36 inside
dhcpd enable inside
!
! Single privilege-15 local admin; its hash is published here, rotate it.
username baoxiniao password qilW81GVs.oZkKJT encrypted privilege 15
! Site-to-site tunnel-group keyed by the peer address used in the crypto map.
! The PSK is masked in the capture and must match the HQ side exactly. The
! "Removing peer from peer table failed" messages quoted below this config are
! the ASA cleaning up after a failed negotiation, not the root cause; the lines
! immediately preceding them in `debug crypto isakmp` output usually name the
! mismatched attribute.
tunnel-group 220.108.21.3 type ipsec-l2l
tunnel-group 220.108.21.3 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 60 retry 2
!
!
prompt hostname context
Cryptochecksum:461d49d111b432bab152a101bded4634
: end
根据客户需求公司要在X酒店开一个发布会,需要用cisco ASA5505的防火墙做IPSEC隧道跟公司总部连接。访问公司总部内网资源,酒店这边ASA5505就是上面的配置,然后配合思科AP给发布会用户使用。现在ASA5505上面IPSEC配置如上,就是无法跟总部建立隧道。DEBUG收集信息有以下提示:
lifetime Jan 26 02:22:07 [IKEv1]: IP = 220.108.21.3, Removing peer from peer table failed, no match!
Jan 26 02:22:07 [IKEv1]: IP = 220.108.21.3, Error: Unable to remove PeerTblEntry
排错搞了很久都没查出问题,头痛啊...