The small lab below also illustrates a problem caused by ACL overlap (one crypto ACL being a superset of the other). The setup is a static ××× in which one end's ACL covers the other end's; as a result, a connection can be initiated from one end but not from the other.

Topology:


Notes:

1.  R1 and R2 are directly connected point-to-point; each has a Loopback0 interface enabled to simulate its internal network.

2.  R2's interesting-traffic ACL covers (is a superset of) R1's interesting-traffic ACL.

Configuration:

R1:

version 12.4
hostname R1
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 12.1.1.2
!
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
 set peer 12.1.1.2
 set transform-set cisco
 match address ***
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Serial1/0
 ip address 12.1.1.1 255.255.255.0
 serial restart-delay 0
 crypto map cisco
!
ip route 2.2.2.0 255.255.255.0 12.1.1.2
!
ip access-list extended ***
 permit ip host 1.1.1.1 host 2.2.2.2
!

R2:

version 12.4
hostname R2
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 12.1.1.1
!
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
 set peer 12.1.1.1
 set transform-set cisco
 match address ***
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface Serial1/0
 ip address 12.1.1.2 255.255.255.0
 serial restart-delay 0
 crypto map cisco
!
ip route 1.1.1.0 255.255.255.0 12.1.1.1
!
ip access-list extended ***
 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
!

Now test by initiating the connection from R1 first:

R1#ping 2.2.2.2 sou l0 re 10

Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!!!!!!
Success rate is 90 percent (9/10), round-trip min/avg/max = 8/27/76 ms


R1#sh cry isa sa
dst             src             state          conn-id slot status
12.1.1.2        12.1.1.1        QM_IDLE              1    0 ACTIVE

The connection can be initiated successfully!

Clear the connection and test initiating from R2.

R2#ping 1.1.1.1 sou l0 re 10

Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
..........
Success rate is 0 percent (0/10)

The ping fails!

R2#sh cry isa sa
dst             src             state          conn-id slot status
12.1.1.1        12.1.1.2        MM_NO_STATE          2    0 ACTIVE (deleted)

When R2 initiates, the connection cannot be established. The cause again lies in the ACL coverage problem.
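As an added example that is not part of the original post, the Python script below models the selector check behind this lab: it parses the two crypto ACLs, mirrors the initiator's proposed source/destination pair, and tests whether the responder's ACL covers it. The acceptance rule it uses (the responder accepts when the mirrored pair fits inside one of its own entries) is an assumption chosen to reproduce the result observed here, not a description of IOS internals; the function names are the example's own.

```python
import ipaddress

def parse_ace(line):
    """Parse a Cisco extended ACE 'permit ip <src> <dst>' where each side is
    'host A.B.C.D', 'A.B.C.D W.W.W.W' (address + wildcard mask) or 'any'.
    Returns (src_network, dst_network)."""
    tok = line.split()
    if tok[:2] != ["permit", "ip"]:
        raise ValueError("unsupported ACE: " + line)
    nets, i = [], 2
    while len(nets) < 2:
        if tok[i] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            i += 1
        elif tok[i] == "host":
            nets.append(ipaddress.ip_network(tok[i + 1] + "/32"))
            i += 2
        else:
            # a Cisco wildcard mask is the bitwise inverse of a netmask
            mask = ".".join(str(255 - int(o)) for o in tok[i + 1].split("."))
            nets.append(ipaddress.ip_network(tok[i] + "/" + mask, strict=False))
            i += 2
    return nets[0], nets[1]

def responder_accepts(initiator_ace, responder_acl):
    """Assumed rule, modelling what this lab shows rather than IOS internals:
    the initiator proposes its ACE's src/dst as proxy IDs, and the responder
    accepts only if the mirrored pair fits inside one of its own ACEs."""
    src, dst = parse_ace(initiator_ace)
    for ace in responder_acl:
        r_src, r_dst = parse_ace(ace)
        if dst.subnet_of(r_src) and src.subnet_of(r_dst):
            return True
    return False

def can_initiate(initiator_acl, responder_acl):
    """True if at least one ACE of the initiator is accepted by the responder."""
    return any(responder_accepts(a, responder_acl) for a in initiator_acl)

def is_mirrored(acl_a, acl_b):
    """True when the two crypto ACLs are exact mirror images (src/dst swapped),
    the symmetric configuration that avoids the one-way failure seen here."""
    a = {parse_ace(l) for l in acl_a}
    b = {parse_ace(l) for l in acl_b}
    return {(d, s) for s, d in a} == b

# Crypto ACLs from the lab above (the ACL name is redacted as *** in the post)
R1_ACL = ["permit ip host 1.1.1.1 host 2.2.2.2"]
R2_ACL = ["permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255"]
```

Calling can_initiate(R1_ACL, R2_ACL) and can_initiate(R2_ACL, R1_ACL) reproduces the asymmetry seen in the pings, and is_mirrored() serves as a pre-deployment check that both ends' crypto ACLs are exact mirror images.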

In an earlier experiment I concluded that the covered side cannot initiate the connection, yet in this experiment it is the covered side that can initiate. The specific scenarios differ, though, and I don't yet have a good technical explanation. If any reader of this blog understands the reason, please share it.