ASA 5585 dial-in problem
Source: Baidu Wenku  Editor: Jiuxiang News Network  Time: 2024/07/14 17:46:39
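Let me describe the environment. The ASA 5585 has three lines; two of them (vpnside, movevpn) carry IPsec VPNs and are currently running normally. I added another line on a different interface (clientside) for dial-in (remote access). After configuring it, I cannot connect with the Cisco VPN client software no matter what (phase 1 does not even come up; the message is: Reason 412: The remote peer is no longer responding). Could an expert please help, thanks. NAT is not enabled on the 5585.
ASA configuration: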
interface GigabitEthernet0/0
 description NeiWang
 nameif inside
 security-level 100
 ip address 111.111.111.2 255.255.255.252
!
interface GigabitEthernet0/1
 description DianXin
 nameif vpnside
 security-level 0
 ip address *.*.*.* 255.255.255.248
!
interface GigabitEthernet0/2
 description YiDong
 nameif movevpn
 security-level 0
 ip address *.*.*.* 255.255.255.248
!
interface GigabitEthernet0/5
 nameif clientside
 security-level 0
 ip address 61.136.14.226 255.255.255.224
!
ftp mode passive
logging enable
logging asdm informational
mtu inside 1500
mtu vpnside 1500
mtu movevpn 1500
mtu clientside 1500
ip local pool hbyh01 123.1.1.1-123.1.1.2
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any inside
no asdm history enable
arp timeout 14400
access-group 101 in interface clientside
route clientside 0.0.0.0 0.0.0.0 61.123.14.225 1
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set hbyh esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ra esp-3des esp-sha-hmac
crypto dynamic-map dy1 10 set ikev1 transform-set ra
crypto dynamic-map dy1 10 set reverse-route
crypto map dy 10 ipsec-isakmp dynamic dy1
crypto map dy interface clientside
crypto ikev1 enable vpnside (ipsec vpn)
crypto ikev1 enable movevpn (ipsecvpn)
crypto ikev1 enable clientside
crypto ikev1 policy 1 (ipsec vpn policy)
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
crypto ikev1 policy 2 (remote vpn policy)
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 43200
telnet timeout 30
ssh timeout 5
console timeout 5
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy hbyh01 internal
group-policy hbyh01 attributes
 dns-server value 10.138.6.6
 ipsec-udp enable
 default-domain value hbyh.cc
username cisco password cisco encrypted
tunnel-group hbyh01 type remote-access
tunnel-group hbyh01 general-attributes
 address-pool hbyh01
 default-group-policy hbyh01
tunnel-group hbyh01 ipsec-attributes
 ikev1 pre-shared-key cisco
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 13
  subscribe-to-alert-group configuration periodic monthly 13
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:2f654b68ec5f6b6a8a374a3953ea0099
Client log:
Cisco Systems VPN Client Version 5.0.07.0410
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
81 02:06:55.440 05/29/11 Sev=Info/4 CM/0x63100002
Begin connection process
82 02:06:55.466 05/29/11 Sev=Info/4 CM/0x63100004
Establish secure connection
83 02:06:55.466 05/29/11 Sev=Info/4 CM/0x63100024
Attempt connection with server "61.123.14.226"
84 02:06:55.475 05/29/11 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 61.123.14.226
85 02:06:55.483 05/29/11 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
86 02:06:55.489 05/29/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 61.123.14.226
87 02:07:00.664 05/29/11 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
88 02:07:00.664 05/29/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 61.123.14.226
89 02:07:05.733 05/29/11 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
90 02:07:05.733 05/29/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 61.123.14.226
91 02:07:10.805 05/29/11 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
92 02:07:10.805 05/29/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 61.123.14.226
93 02:07:15.874 05/29/11 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=573445D0500584EC R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
94 02:07:16.388 05/29/11 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=573445D0500584EC R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
95 02:07:16.388 05/29/11 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "61.123.14.226" because of "DEL_REASON_PEER_NOT_RESPONDING"
96 02:07:16.424 05/29/11 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
[ Last edited by lhddlcz on 2011-5-29 02:38 ]
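A triage of a client log in the format shown above, as an added example that is not part of the original post: it pairs each header line with its message and reports how many IKE packets were sent and whether the responder cookie was ever set. The sample log is constructed and uses a placeholder address; an all-zero R_Cookie only shows that no reply reached the client, so the cause has to be looked for on the network path or on the ASA side.

```python
import re

# Constructed excerpt in the same two-line format as the client log above
# (header line, then message line); the peer address is a placeholder.
SAMPLE = """\
1 02:06:55.483 05/29/11 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
2 02:06:55.489 05/29/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth)) to 192.0.2.10
3 02:07:00.664 05/29/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 192.0.2.10
4 02:07:05.733 05/29/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 192.0.2.10
5 02:07:15.874 05/29/11 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=1111111111111111 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
"""

HEADER = re.compile(r"^(\d+)\s+(\d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+Sev=(\S+)\s+(\w+)/(0x[0-9A-Fa-f]+)$")

def parse(log):
    """Pair each header line with the message line(s) that follow it."""
    entries = []
    for line in log.splitlines():
        m = HEADER.match(line.strip())
        if m:
            entries.append({"seq": int(m[1]), "time": m[2], "module": m[5], "msg": ""})
        elif entries and line.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line.strip()).strip()
    return entries

def summarize(entries):
    """Summarize the phase 1 attempt from the IKE module's messages."""
    ike = [e["msg"] for e in entries if e["module"] == "IKE"]
    sends = [m for m in ike if m.startswith("SENDING >>>")]
    cookies = re.findall(r"R_Cookie=([0-9A-Fa-f]{16})", " ".join(ike))
    reasons = re.findall(r"reason = (\w+)", " ".join(ike))
    return {
        "mode": "aggressive" if any(" OAK AG " in m for m in sends) else "other",
        "sends": len(sends),
        "retransmissions": sum("(Retransmission)" in m for m in sends),
        # None when the log carries no cookie line at all
        "peer_answered": any(set(c) != {"0"} for c in cookies) if cookies else None,
        "reason": reasons[-1] if reasons else None,
    }
```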
First reply, posted on 2011-5-30 03:41
ASA 5585 dial-in problem finally solved
After several days of research I finally got it working. Nobody answered, so I am bumping my own thread. Attached is the template (the configuration on 8.4 really is different from other versions); I hope it helps people in the same situation as me. (My thanks here to 左岸流年 and 落雪飞花 for their help; you truly are my good brothers, haha):
1. Define the address pool
ip local pool remote 123.1.1.1-123.1.1.254 mask 255.255.255.0
2. Define and enable NAT translation
object network remote
 subnet 123.1.1.0 255.255.255.0
nat (clientside,clientside) source static any any destination static remote remote
3. Define the ISAKMP policy
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
4. Define the transform set
crypto ipsec ikev1 transform-set remotevpn esp-3des esp-sha-hmac
5. Define the dynamic map
crypto dynamic-map Dynamic 65535 set pfs group1
crypto dynamic-map Dynamic 65535 set ikev1 transform-set remotevpn
6. Define the static map and reference the dynamic map
crypto map Dynamic 65535 ipsec-isakmp dynamic Dynamic
crypto map Dynamic interface clientside
7. Enable IKE negotiation
crypto ikev1 enable clientside
8. Apply the map
crypto map Dynamic interface clientside
9. Define the split-tunnel ACL
access-list remotevpn extended permit ip 10.138.0.0 255.255.0.0 any
10. Define the group policy and split tunneling
group-policy remote internal
group-policy remote attributes
 dns-server value 10.138.6.6 202.103.6.46
 vpn-tunnel-protocol ikev1
 default-domain value info.com
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remotevpn
11. Define the tunnel
tunnel-group remote type remote-access
tunnel-group remote general-attributes
 address-pool remote
 default-group-policy remote
tunnel-group hbyh01 ipsec-attributes
 ikev1 pre-shared-key abcABC
12. Define the user
username info password abc
username info attributes
 vpn-group-policy remote
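A consistency check for a remote-access template of this kind, as an added example rather than part of the original post: it verifies that every tunnel-group of type remote-access has a pre-shared key and points at a defined pool and group-policy, that dynamic maps reference defined transform sets, and it flags obsolete IKEv1 phase 1 settings. The sample configuration, its object names and the key are constructed; the script assumes the show running-config layout, where sub-commands are indented under their parent command.

```python
import re

# Obsolete IKEv1 phase 1 choices: DES, MD5, and 768/1024-bit DH (groups 1 and 2).
WEAK = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1", "2"}}

# Constructed sample; object names, addresses and the key are placeholders.
SAMPLE = """\
ip local pool remote 192.0.2.1-192.0.2.254 mask 255.255.255.0
crypto ikev1 policy 10
 encryption des
 group 2
crypto ipsec ikev1 transform-set remotevpn esp-3des esp-sha-hmac
crypto dynamic-map Dynamic 65535 set ikev1 transform-set ra
group-policy remote internal
tunnel-group remote type remote-access
tunnel-group remote general-attributes
 address-pool remote
 default-group-policy remote
tunnel-group other ipsec-attributes
 ikev1 pre-shared-key EXAMPLE-KEY
"""

def audit(config):
    """Return a list of findings for an IKEv1 remote-access configuration."""
    def names(pattern):
        return set(re.findall(pattern, config, re.M))
    refs = {"address-pool": names(r"^ip local pool (\S+)"),
            "default-group-policy": names(r"^group-policy (\S+) internal")}
    tsets = names(r"^crypto ipsec ikev1 transform-set (\S+)")
    findings, keyed, head = [], set(), []
    for line in config.splitlines():
        tok = line.split()
        if not line.startswith(" "):
            head = tok  # top-level command; the indented lines below belong to it
            if tok[:2] == ["crypto", "dynamic-map"] and "transform-set" in tok:
                findings += [f"dynamic-map {tok[2]}: unknown transform-set {n}"
                             for n in tok[tok.index("transform-set") + 1:] if n not in tsets]
        elif len(tok) < 2:
            continue
        elif head[:1] == ["tunnel-group"]:
            if tok[0] in refs and tok[1] not in refs[tok[0]]:
                findings.append(f"tunnel-group {head[1]}: undefined {tok[0]} {tok[1]}")
            if tok[:2] == ["ikev1", "pre-shared-key"]:
                keyed.add(head[1])
        elif head[:3] == ["crypto", "ikev1", "policy"] and tok[1] in WEAK.get(tok[0], ()):
            findings.append(f"ikev1 policy {head[3]}: weak {tok[0]} {tok[1]}")
    for name in sorted(names(r"^tunnel-group (\S+) type remote-access") - keyed):
        findings.append(f"tunnel-group {name}: no ikev1 pre-shared-key")
    return findings
```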