ASA 5585 dial-in problem

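Let me describe the environment: the ASA 5585 has three lines. Two of them (vpnside, movevpn) carry IPsec VPN and are currently running normally. I added another line on a different interface (clientside) to use for dial-in. After configuring it, the Cisco VPN client cannot connect no matter what (phase 1 does not even come up; the message is: Reason 412: The remote peer is no longer responding). Could an expert please help? Thanks. NAT is not enabled on the 5585.
ASA configuration: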

interface GigabitEthernet0/0
description NeiWang
nameif inside
security-level 100
ip address 111.111.111.2 255.255.255.252
!
interface GigabitEthernet0/1
description DianXin
nameif vpnside
security-level 0
ip address *.*.*.* 255.255.255.248
!
interface GigabitEthernet0/2
description YiDong
nameif movevpn
security-level 0
ip address *.*.*.* 255.255.255.248
!
interface GigabitEthernet0/5
nameif clientside
security-level 0
ip address 61.136.14.226 255.255.255.224
!
ftp mode passive
logging enable
logging asdm informational
mtu inside 1500
mtu vpnside 1500
mtu movevpn 1500
mtu clientside 1500
ip local pool hbyh01 123.1.1.1-123.1.1.2
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any inside
no asdm history enable
arp timeout 14400
access-group 101 in interface clientside
route clientside 0.0.0.0 0.0.0.0 61.123.14.225 1
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set hbyh esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ra esp-3des esp-sha-hmac
crypto dynamic-map dy1 10 set ikev1 transform-set ra
crypto dynamic-map dy1 10 set reverse-route
crypto map dy 10 ipsec-isakmp dynamic dy1
crypto map dy interface clientside
crypto ikev1 enable vpnside                        (ipsec vpn)
crypto ikev1 enable movevpn                         (ipsecvpn)
crypto ikev1 enable clientside
crypto ikev1 policy 1     (ipsec vpn policy)
authentication pre-share
encryption des
hash sha
group 1      
lifetime 86400
crypto ikev1 policy 2    (remote vpn policy)
authentication pre-share
encryption des
hash md5
group 2
lifetime 43200
telnet timeout 30
ssh timeout 5
console timeout 5
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn        
group-policy hbyh01 internal
group-policy hbyh01 attributes
dns-server value 10.138.6.6
ipsec-udp enable
default-domain value hbyh.cc
username cisco password cisco encrypted
tunnel-group hbyh01 type remote-access
tunnel-group hbyh01 general-attributes
address-pool hbyh01
default-group-policy hbyh01
tunnel-group hbyh01 ipsec-attributes
ikev1 pre-shared-key cisco
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 13
  subscribe-to-alert-group configuration periodic monthly 13
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:2f654b68ec5f6b6a8a374a3953ea0099


Client log:

Cisco Systems VPN Client Version 5.0.07.0410
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
81     02:06:55.440  05/29/11  Sev=Info/4 CM/0x63100002
Begin connection process
82     02:06:55.466  05/29/11  Sev=Info/4 CM/0x63100004
Establish secure connection
83     02:06:55.466  05/29/11  Sev=Info/4 CM/0x63100024
Attempt connection with server "61.123.14.226"
84     02:06:55.475  05/29/11  Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 61.123.14.226
85     02:06:55.483  05/29/11  Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
86     02:06:55.489  05/29/11  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 61.123.14.226
87     02:07:00.664  05/29/11  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
88     02:07:00.664  05/29/11  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 61.123.14.226
89     02:07:05.733  05/29/11  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
90     02:07:05.733  05/29/11  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 61.123.14.226
91     02:07:10.805  05/29/11  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
92     02:07:10.805  05/29/11  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 61.123.14.226
93     02:07:15.874  05/29/11  Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=573445D0500584EC R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
94     02:07:16.388  05/29/11  Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=573445D0500584EC R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
95     02:07:16.388  05/29/11  Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "61.123.14.226" because of "DEL_REASON_PEER_NOT_RESPONDING"
96     02:07:16.424  05/29/11  Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection

[ Last edited by lhddlcz on 2011-5-29 02:38 ]
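
A pre-deployment check over a configuration like the one posted above, as an added example (not part of the original thread and not a Cisco tool): it parses ASA-style lines and reports IKEv1 policy values below an assumed baseline, an `access-group` with no matching `access-list`, and a static route whose next hop lies outside the interface subnet. The `audit` function, the `WEAK` baseline and the trimmed sample are assumptions made for this example.

```python
import ipaddress
# SAMPLE: constructed excerpt of the config posted above. WEAK: assumed baseline, not from the post.
SAMPLE = """\
interface GigabitEthernet0/5
 nameif clientside
 ip address 61.136.14.226 255.255.255.224
access-group 101 in interface clientside
route clientside 0.0.0.0 0.0.0.0 61.123.14.225 1
crypto ikev1 policy 1
 encryption des
 group 1
crypto ikev1 policy 2
 encryption des
 hash md5
 group 2
"""
WEAK = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1", "2"},
        "authentication": set(), "lifetime": set()}  # empty set: sub-mode keyword, never flagged

def audit(config):
    """Flag weak IKEv1 policy values, undefined ACLs and off-subnet next hops."""
    findings, nets, acls, groups, routes = [], {}, set(), [], []
    nameif = policy = None
    for w in filter(None, map(str.split, config.splitlines())):
        if w[:3] == ["crypto", "ikev1", "policy"]:
            policy = w[3]
        elif policy and w[0] in WEAK:
            if w[1] in WEAK[w[0]]:
                findings.append(f"ikev1 policy {policy}: weak {w[0]} {w[1]}")
        else:
            policy = None  # any other command leaves the policy sub-mode
            if w[0] == "nameif":
                nameif = w[1]
            elif w[:2] == ["ip", "address"] and nameif:
                try:
                    nets[nameif] = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
                except (ValueError, IndexError):
                    pass  # masked (*.*.*.*) or non-static address
            elif w[0] == "access-list":
                acls.add(w[1])
            elif w[0] == "access-group":
                groups.append((w[1], w[-1]))
            elif w[0] == "route":
                routes.append((w[1], w[4]))
    findings += [f"access-group {a} on {i}: access-list not defined"
                 for a, i in groups if a not in acls]
    findings += [f"route via {g}: next hop outside {i} subnet {nets[i]}"
                 for i, g in routes if i in nets and ipaddress.ip_address(g) not in nets[i]]
    return findings
```

`audit(SAMPLE)` returns the findings as a list of strings, one per flagged line.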

 

First reply, posted 2011-5-30 03:41

ASA 5585 dial-in problem finally solved

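After several days of research I finally got it working. Nobody answered, so I am bumping my own thread. Here is a template (the configuration on 8.4 really is different from other versions); I hope it helps people in the same situation as me. (Thanks here to 左岸流年 and 落雪飞花 for their help; you truly are my good brothers, haha.):
1. Define the address pool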
ip local pool remote 123.1.1.1-123.1.1.254 mask 255.255.255.0
2. Define and enable the NAT translation
object network remote
subnet 123.1.1.0 255.255.255.0
nat (clientside,clientside) source static any any destination static remote remote
3. Define the ISAKMP policy
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
4. Define the transform set
crypto ipsec ikev1 transform-set remotevpn esp-3des esp-sha-hmac
5. Define the dynamic map
crypto dynamic-map Dynamic 65535 set pfs group1
crypto dynamic-map Dynamic 65535 set ikev1 transform-set remotevpn
6. Define the static map, which calls the dynamic map
crypto map Dynamic 65535 ipsec-isakmp dynamic Dynamic
crypto map Dynamic interface clientside
7. Enable IKE negotiation
crypto ikev1 enable clientside
8. Apply the map
crypto map Dynamic interface clientside
9. Define the split-tunnel ACL
access-list remotevpn extended permit ip 10.138.0.0 255.255.0.0 any
10. Define the group policy and split tunneling
group-policy remote internal
group-policy remote attributes
dns-server value 10.138.6.6 202.103.6.46
vpn-tunnel-protocol ikev1
default-domain value info.com
split-tunnel-policy tunnelspecified
split-tunnel-network-list value remotevpn
11. Define the tunnel
tunnel-group remote type remote-access
tunnel-group remote general-attributes
address-pool remote
default-group-policy remote
tunnel-group remote ipsec-attributes
ikev1 pre-shared-key abcABC
12. Define the user
username info password abc
username info attributes
vpn-group-policy remote