最近遇到一個很妖的問題,
Cisco ASA to AWS IPSEC CPN
Asa 這邊有多個子網,每次只能一個子網和AWS 通信,別的就是不通。
配置如下。
ASA
10.10.55.0 255.255.255.0
10.10.66.0 255.255.255.0
10.10.77.0 255.255.255.0
To
AWS 172.21.84.0 255.255.252.0
比如 10.10.55.0 to 172.21.84.0 通了,那別的肯定不通。
CISCO ASA to AWS
object-group network IPSEC-AMAZON-LOCAL
network-object 10.10.55.0 255.255.255.0
network-object 10.10.66.0 255.255.255.0
network-object 10.10.77.0 255.255.255.0
object-group network IPSEC-AMAZON-REMOTE
network-object 172.21.84.0 255.255.252.0
access-list IPSEC-AMAZON extended permit ip object-group IPSEC-AMAZON-LOCAL object-group IPSEC-AMAZON-REMOTE
nat (×××ide,outside) source static tr-db tr-db destination static IPSEC-AMAZON-REMOTE IPSEC-AMAZON-REMOTE
crypto map mycryptomap 90 match address IPSEC-AMAZON
crypto map mycryptomap 90 set peer 8.8.8.8
crypto map mycryptomap 90 set ikev1 transform-set transform-amzn
crypto map mycryptomap 90 set security-association lifetime seconds 3600
tunnel-group 8.8.8.8 type ipsec-l2l
tunnel-group 8.8.8.8 ipsec-attributes
ikev1 pre-shared-key <PSK>
ACL 本地改成 any 試一下 過兩天再看結果
access-list IPSEC-AMAZON extended permit ip any4 object-group IPSEC-AMAZON-REMOTE
一下 是AWS 官方說明
! --------------------------------------------------------------------------------
! #2: Access List Configuration
!
! Access lists are configured to permit creation of tunnels and to send applicable traffic over them.
! This policy may need to be applied to an inbound ACL on the outside interface that is used to manage control-plane traffic.
! This is to allow ××× traffic into the device from the Amazon endpoints.
!
access-list <outside_access_in> extended permit ip host 34.227.189.221 host 38.105.116.50
access-list <outside_access_in> extended permit ip host 34.238.204.97 host 38.105.116.50
! The following access list named acl-amzn specifies all traffic that needs to be routed to the VPC. Traffic will
! be encrypted and transmitted through the tunnel to the VPC. Association with the IPSec security association
! is done through the "crypto map" command.
!
! This access list should contain a static route corresponding to your VPC CIDR and allow traffic from any subnet.
! If you do not wish to use the "any" source, you must use a single access-list entry for accessing the VPC range.
! If you specify more than one entry for this ACL without using "any" as the source, the ××× will function erratically.
! The any rule is also used so the security association will include the ASA outside interface where the SLA monitor
! traffic will be sourced from.
! See section #4 regarding how to restrict the traffic going over the tunnel
!
!
access-list acl-amzn extended permit ip any4 <vpc_subnet> <vpc_subnet_mask>
!---------------------------------------------------------------------------------