多子网Cisco ASA to AWS IPSEC ××× 问题

最近遇到一个很妖的问题，

Cisco ASA to AWS IPSEC CPN

Asa 这边有多个子网，每次只能一个子网和AWS 通信，别的就是不通。

配置如下。

ASA

10.10.55.0 255.255.255.0
10.10.66.0 255.255.255.0
10.10.77.0 255.255.255.0

To

AWS 172.21.84.0 255.255.252.0

比如 10.10.55.0 to 172.21.84.0 通了，那别的肯定不通。

CISCO ASA to AWS
object-group network IPSEC-AMAZON-LOCAL
network-object 10.10.55.0 255.255.255.0
network-object 10.10.66.0 255.255.255.0
network-object 10.10.77.0 255.255.255.0

object-group network IPSEC-AMAZON-REMOTE
network-object 172.21.84.0 255.255.252.0

access-list IPSEC-AMAZON extended permit ip object-group IPSEC-AMAZON-LOCAL object-group IPSEC-AMAZON-REMOTE

nat (×××ide,outside) source static tr-db tr-db destination static IPSEC-AMAZON-REMOTE IPSEC-AMAZON-REMOTE

crypto map mycryptomap 90 match address IPSEC-AMAZON
crypto map mycryptomap 90 set peer 8.8.8.8
crypto map mycryptomap 90 set ikev1 transform-set transform-amzn
crypto map mycryptomap 90 set security-association lifetime seconds 3600

tunnel-group 8.8.8.8 type ipsec-l2l
tunnel-group 8.8.8.8 ipsec-attributes
ikev1 pre-shared-key <PSK>

ACL 本地改成 any 试一下 过两天再看结果
access-list IPSEC-AMAZON extended permit ip any4 object-group IPSEC-AMAZON-REMOTE

一下 是AWS 官方说明
! --------------------------------------------------------------------------------
! #2: Access List Configuration
!
! Access lists are configured to permit creation of tunnels and to send applicable traffic over them.
! This policy may need to be applied to an inbound ACL on the outside interface that is used to manage control-plane traffic.
! This is to allow ××× traffic into the device from the Amazon endpoints.
!
access-list <outside_access_in> extended permit ip host 34.227.189.221 host 38.105.116.50
access-list <outside_access_in> extended permit ip host 34.238.204.97 host 38.105.116.50
! The following access list named acl-amzn specifies all traffic that needs to be routed to the VPC. Traffic will
! be encrypted and transmitted through the tunnel to the VPC. Association with the IPSec security association
! is done through the "crypto map" command.
!
! This access list should contain a static route corresponding to your VPC CIDR and allow traffic from any subnet.
! If you do not wish to use the "any" source, you must use a single access-list entry for accessing the VPC range.
! If you specify more than one entry for this ACL without using "any" as the source, the ××× will function erratically.
! The any rule is also used so the security association will include the ASA outside interface where the SLA monitor
! traffic will be sourced from.
! See section #4 regarding how to restrict the traffic going over the tunnel
!
!
access-list acl-amzn extended permit ip any4 <vpc_subnet> <vpc_subnet_mask>

!---------------------------------------------------------------------------------

转载于:https://blog.51cto.com/bobo5620301/2409310