Em đang nghiên cứu về VPN trên ASA Firewall. Em dùng phần mềm giả lập GNS3 để cấu hình. Đây là mô hình của em:
Tình trạng là trước khi cấu hình VPN thì mô hình của em chạy ok hoàn toàn: LAN có thể ra Internet và truy cập vào vùng DMZ, từ vùng Internet cũng có thể truy cập vào vùng DMZ. Vấn đề xảy ra khi em cấu hình IPsec VPN dùng Pre-Shared Key: vùng Internet không thể truy cập vào vùng DMZ và cũng không thể VPN vào bên trong. Mong các thầy và các anh đã đi làm chia sẻ kinh nghiệm sửa lỗi này. Cảm ơn!
Đây là file cấu hình:
! NOTE(review): running-config posted for troubleshooting. Lines starting with "!" are review
! comments only; everything else is the poster's configuration, unchanged.
ASA Version 8.0(2)
!
hostname Asa
! NOTE(review): the enable / login / username password hashes in this config are now public
! with the post; treat them as exposed and rotate them on the real device.
enable password 8Ry2YjIyt7RRXU24 encrypted
names
! "host" is a name alias for 172.16.2.1 (next hop on the outside subnet). It is what the later
! "host host" in access-list kiemtra_FTP and "host 1" in the default route refer to.
name 172.16.2.1 host
name 209.191.122.70 yahoo
!
interface Ethernet0/0
nameif DMZ
security-level 50
ip address 192.168.30.100 255.255.255.0
!
interface Ethernet0/1
nameif ASDM
security-level 0
ip address 192.168.10.2 255.255.255.0
!
! "outsite" (sic) is the interface the crypto map and ISAKMP are bound to further down.
! Its own address, 172.16.2.2, is also the value configured as the IPsec peer below.
interface Ethernet0/2
nameif outsite
security-level 0
ip address 172.16.2.2 255.255.255.0
!
! NOTE(review): interfaces LAN, test_1 and test_2 are referenced by later mtu / passive-interface /
! global / nat / service-policy lines, but their interface blocks are not in the posted config
! (presumably trimmed from the paste) — confirm they exist and have the expected security-level.
passwd 2KFQnbNIdI.2KYOU encrypted
regex username "phandang"
regex domainlist1 "lauxanh.us"
regex domainlist2 "yahoo.com"
regex domainlist3 "ngoisao.net"
regex username2 "u1"
boot config disk0:/.private/startup-config
ftp mode passive
same-security-traffic permit inter-interface
object-group service TCP tcp
port-object eq www
port-object eq https
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_1
service-object tcp
service-object tcp eq ftp
! "ping" is the inbound ACL on outsite (see access-group below): echo-reply, www/ftp to the
! outside subnet (the static PAT entries on the interface address), and 192.168.20.0/24 -> 172.16.2.2.
access-list ping extended permit icmp any any echo-reply
access-list ping extended permit tcp any 172.16.2.0 255.255.255.0 eq www
access-list ping extended permit tcp any 172.16.2.0 255.255.255.0 eq ftp
access-list ping extended permit ip 192.168.20.0 255.255.255.0 host 172.16.2.2
access-list LAN-DMZ extended permit ip 192.168.20.0 255.255.255.0 host 192.168.30.5
access-list LAN_mpc extended permit object-group TCPUDP any any eq www
access-list AUTHEN extended permit tcp any host 192.168.30.5
! Crypto ACL for crypto map MYMAP (192.168.20.0/24 <-> 192.168.100.0/24). MYMAP is never bound to
! an interface below, so as posted this ACL selects nothing.
access-list VPN extended permit ip 192.168.20.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inspect_ftp extended permit tcp any host 172.16.2.2 eq ftp
access-list outsite_mpc extended permit tcp any any eq ftp
! "host host" here is the name alias "host" (172.16.2.1), not a syntax error.
access-list kiemtra_FTP extended permit tcp any host host eq ftp
access-list outsite_mpc_1 extended permit object-group DM_INLINE_SERVICE_1 any any inactive
access-list outsite_mpc_2 extended permit ip host 172.16.2.2 host yahoo
access-list Ping extended permit icmp 192.168.20.0 255.255.255.0 host 172.16.2.2
access-list DMZ_access_in extended permit icmp 192.168.20.0 255.255.255.0 192.168.30.0 255.255.255.0 echo-reply
access-list DMZ_nat0_outbound extended permit ip host 192.168.30.5 192.168.20.0 255.255.255.0
! NOTE(review): this is the crypto ACL of "crypto map outsite_map 1", the map that IS bound to
! outsite. "permit tcp any any" declares every TCP flow through the outside interface as traffic
! that must arrive inside IPsec, so cleartext TCP from the Internet to the DMZ statics (www/ftp on
! the interface address) is no longer accepted as plain traffic once the crypto map is applied.
! That is the most likely reason Internet->DMZ access broke right after the VPN was configured;
! a crypto ACL should only cover the real tunnel subnets (compare access-list VPN above).
access-list outsite_cryptomap_1 extended permit tcp any any
pager lines 24
logging enable
logging list ICMPflood level alerts class ip
logging asdm informational
no logging message 402128
mtu DMZ 1500
mtu ASDM 1500
mtu outsite 1500
mtu LAN 1500
mtu test_1 1500
! Address pool handed to remote-access (dynamic-map) clients via group-policy vpngroup1.
ip local pool ippool 172.16.10.1-172.16.10.254 mask 255.255.255.0
ip verify reverse-path interface outsite
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outsite) 1 interface
global (LAN) 1 interface
! NOTE(review): the only NAT exemption on LAN is LAN-DMZ (192.168.20.0/24 -> 192.168.30.5). No
! exemption covers traffic between LAN and the remote-access pool 172.16.10.0/24 — verify whether
! one is needed once a client tunnel actually comes up.
nat (DMZ) 0 access-list DMZ_nat0_outbound
nat (LAN) 0 access-list LAN-DMZ
! Static PAT on the outside interface address for the DMZ web/ftp server 192.168.30.5; together
! with ACL "ping" this is what Internet->DMZ access relied on before the crypto map was bound.
static (DMZ,outsite) tcp interface www 192.168.30.5 www netmask 255.255.255.255 tcp 20 20 udp 20
static (DMZ,outsite) tcp interface ftp 192.168.30.5 ftp netmask 255.255.255.255 tcp 20 20 udp 20
static (LAN,DMZ) 192.168.30.0 192.168.20.0 netmask 255.255.255.0
access-group DMZ_access_in in interface DMZ
access-group ping in interface outsite
!
! Mutual RIP <-> OSPF redistribution; outsite is passive for RIP only.
router rip
network 172.16.0.0
passive-interface outsite
passive-interface test_1
passive-interface test_2
redistribute ospf 1 metric 5
version 2
!
router ospf 1
network 172.16.2.0 255.255.255.0 area 0
network 172.16.3.0 255.255.255.0 area 0
network 172.16.4.0 255.255.255.0 area 0
log-adj-changes
redistribute rip subnets
default-information originate
!
! Default route via the "host" alias (172.16.2.1).
route outsite 0.0.0.0 0.0.0.0 host 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
! Cut-through proxy: TCP to 192.168.30.5 arriving on DMZ (ACL AUTHEN) must authenticate against
! the LOCAL user database.
aaa authentication match AUTHEN DMZ LOCAL
http server enable
http 192.168.10.0 255.255.255.0 ASDM
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! NOTE(review): 3DES with MD5/SHA-1 and DH group 2 (isakmp policy 10) are legacy algorithm
! choices; this release also offers esp-aes. Acceptable for a lab, not for production.
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! NOTE(review): the dynamic map and both static crypto map entries set the peer to 172.16.2.2,
! which is this ASA's own outsite address (interface Ethernet0/2). A peer equal to the local
! interface can never negotiate; it should be the remote VPN endpoint. A dynamic map used for
! remote-access clients normally needs no "set peer" at all.
crypto dynamic-map outsite_dyn_map 20 set peer 172.16.2.2
crypto dynamic-map outsite_dyn_map 20 set transform-set ESP-3DES-SHA
! MYMAP (entry 10) is defined but not bound to any interface — only outsite_map is (see
! "crypto map outsite_map interface outsite"), so this map is currently dead configuration.
crypto map MYMAP 10 match address VPN
crypto map MYMAP 10 set peer 172.16.2.2
crypto map MYMAP 10 set transform-set MYSET
! Entry 1 selects on outsite_cryptomap_1 ("permit tcp any any") — see the NOTE on that ACL —
! and also enables reverse-route injection for that all-TCP selector.
crypto map outsite_map 1 match address outsite_cryptomap_1
crypto map outsite_map 1 set peer 172.16.2.2
crypto map outsite_map 1 set transform-set ESP-3DES-SHA
crypto map outsite_map 1 set reverse-route
crypto map outsite_map 65535 ipsec-isakmp dynamic outsite_dyn_map
crypto map outsite_map interface outsite
crypto isakmp enable outsite
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
! NOTE(review): NAT-T is disabled; remote-access clients sitting behind a NAT device on the
! "Internet" side cannot carry ESP through it without NAT-T — presumably worth re-enabling.
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
priority-queue outsite
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics access-list
!
class-map TELNET
match port tcp eq telnet
class-map FTP
match access-list outsite_mpc
class-map type regex match-any usernamelist
match regex username2
class-map type inspect ftp match-all lop7
match request-command put dele mkd rmd
match not username regex class usernamelist
class-map type regex match-any Domainblocklist
match regex domainlist1
match regex domainlist3
match regex domainlist2
class-map outsite-class1
match access-list outsite_mpc_2
class-map HTTP
match port tcp eq www
class-map class_l34
match access-list inspect_ftp
! CONNS matches all traffic; in policy-map POLICY (applied on outsite) it gets conn-max 10.
class-map CONNS
match any
class-map outsite-class
match access-list outsite_mpc_1
class-map type inspect http match-all Blockdomainclass
match request header host regex class Domainblocklist
class-map inspection_default
match default-inspection-traffic
class-map type inspect ftp match-all class_l7
match not username regex username
match request-command put dele mkd rmd
match not username regex username2
class-map lop34
match access-list kiemtra_FTP
class-map httptraffic
match access-list LAN_mpc
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect ftp policy_l7
parameters
policy-map type inspect ftp chinhsach_l7
parameters
mask-banner
mask-syst-reply
class lop7
reset log
! Interface policy for outsite (see service-policy POLICY below).
policy-map POLICY
class TELNET
priority
class HTTP
police output 256000
set connection conn-max 20 embryonic-conn-max 10 per-client-max 100 per-client-embryonic-max 50
set connection timeout tcp 1:00:00 reset
class FTP
inspect ftp strict policy_l7
class outsite-class
inspect ftp strict chinhsach_l7
set connection conn-max 20 embryonic-conn-max 10 per-client-max 100 per-client-embryonic-max 50
set connection timeout tcp 1:00:00 reset
class CONNS
set connection conn-max 10 embryonic-conn-max 20
set connection timeout embryonic 0:40:00 half-closed 0:20:00 tcp 2:00:00 dcd
class outsite-class1
inspect icmp
class class-default
police output 512000
policy-map type inspect http http_inspection_policy
parameters
protocol-violation action drop-connection
match request method connect
drop-connection log
class Blockdomainclass
reset log
policy-map chinhsach_l34
class class_l34
inspect ftp strict policy_l7
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
policy-map LAN-policy
class httptraffic
inspect http http_inspection_policy
policy-map chinhsach34
class lop34
inspect ftp strict chinhsach_l7
!
service-policy global_policy global
service-policy POLICY interface outsite
service-policy LAN-policy interface LAN
group-policy vpngroup1 internal
group-policy vpngroup1 attributes
default-domain value phandang
address-pools value ippool
! Local users (also used by the cut-through proxy above); hashes are public with this post — rotate.
username phandang password LafTsR602/WrmlJC encrypted privilege 15
username cisco password 3USUcOPFUiMCO4Jk encrypted
! NOTE(review): L2L tunnel-group keyed on 172.16.2.2 — again the ASA's own outside address, so no
! remote peer can ever match it. (Pre-shared keys are shown masked as "*" by show run.)
tunnel-group 172.16.2.2 type ipsec-l2l
tunnel-group 172.16.2.2 ipsec-attributes
pre-shared-key *
! "vnpgroup1" looks like a typo of vpngroup1 left behind; it has no attributes and can be removed.
tunnel-group vnpgroup1 type remote-access
tunnel-group vpngroup1 type remote-access
tunnel-group vpngroup1 general-attributes
default-group-policy vpngroup1
tunnel-group vpngroup1 ipsec-attributes
pre-shared-key *




