Help Asa-5050 vpn-mobile non raggiunge una rete

Mettete al sicuro la vostra rete!

Moderatore: Federico.Lagni

Rispondi
desmo4
n00b
Messaggi: 6
Iscritto il: gio 01 lug , 2010 7:02 pm

Ciao a Tutti , sono un sistemista molto arruginito e mi è caduto addosso un problema con un asa.
Decrizione problema :
L'Asa serve per connesioni intranet aziendali con dispositivi mobili , nella rete aziendale abbiamo più reti che si raggiungono con piu gateway .
Problema i dispositivi mobili una volta connessi raggiungono tranquillamente gli host abilitati in acl della lan aziendale ma non riescono raggiungere un' altra rete collegata con un altro gateway alla rete aziendale .
rete aziendale 172.16.0.0 /22 gateway1 172.16.0.1
rete non raggiungibile 10.3.66.0/24 gateway2 172.16.1.2
Posto la configurazione e chiedo umilmente aiuto a voi Guru!

: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa1
domain-name XXXXXXX
enable password XXXXXXXX
passwd XXXXXXX
names
name 172.16.0.1 GW
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.0.250 255.255.252.0
!
interface Vlan2
nameif outside
security-level 0
ip address XX.XX.XX 255.255.255.248
!
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns server-group DefaultDNS
name-server 172.16.0.5
name-server 172.16.0.6
domain-name XXXXXXl
object network LAN1_SERVER
subnet 172.16.0.0 255.255.252.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network XXXX
host 172.16.0.140
description Server
object network VPN_POOL_LAN1
object network DNS1
host 172.16.0.5
object network DNS2
host 172.16.0.6
object network LAN_CLIENT
subnet 172.16.112.0 255.255.240.0
object network Gateway2
host 172.16.2.1
description gateway2
object network RTR rete-che-non-riesco-a-raggiungere
subnet 10.3.0.0 255.255.0.0
description
object network vpnlan1
description vpn_lan_group_1
object network VPN_UCC_POOL-VLAN1
description VPN_UCC_POOL-VLAN1
object network XXXXXXX
host 172.16.1.6
description
object-group network VPN_POOL_GROUP1
network-object object VPN_POOL
object-group network UCC-GROUP
network-object object DNS1
network-object object DNS2
network-object object XXXX
network-object object XXXX
network-object object XXXX
object-group network vpn_lan1
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.252.0 object VPN_POOL
access-list deny_all extended deny ip any any
access-list UCC extended permit ip any object-group UCC-GROUP
access-list VLAN1 remark VLAN Servers
access-list VLAN1 standard permit 172.16.0.0 255.255.252.0
access-list vpn_out extended permit ip object VPN_POOL interface outside inactive
pager lines 24
logging enable
logging trap informational
logging asdm informational
logging host inside 172.16.0.10
mtu inside 1500
mtu outside 1500
ip local pool VPN_POOL_LAN1 172.16.1.170-172.16.1.179 mask 255.255.252.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static LAN1_SERVERSS LAN1_SERVERSS destination static LAN1_SERVERSS LAN1_SERVERSS no-proxy-arp
nat (inside,inside) source static LAN1_SERVERSS LAN1_SERVERSS destination static CLAVISTER LAN1_SERVERSS no-proxy-arp inactive
!
object network obj_any
nat (inside,outside) dynamic interface
object network RTR_CUP-AMC
nat (any,inside) dynamic interface
route outside 0.0.0.0 0.0.0.0 85.44.53.145 1
route inside 10.3.0.0 255.255.0.0 172.16.2.1 1
route inside 172.16.112.0 255.255.240.0 GW_SS 1
route inside SS-Catalochino 255.255.255.0 GW_SS 1
route inside Ozieri 255.255.254.0 GW_SS 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
network-acl deny_all
dynamic-access-policy-record VPN_Fornitori
dynamic-access-policy-record VPN_UCC
network-acl UCC
aaa-server asl1ss.local protocol ldap
aaa-server asl1ss.local (inside) host 172.16.0.5
ldap-base-dn dc=asl1ss, dc=local
ldap-scope subtree
ldap-login-password XXXXX
ldap-login-dn [email protected]
server-type microsoft
aaa-server XXXX.local (inside) host 172.16.0.6
ldap-base-dn dc=asl1ss, dc=local
ldap-scope subtree
ldap-login-password *****
ldap-login-dn [email protected]
server-type microsoft
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable
http 172.16.0.0 255.255.252.0 inside
http 172.16.112.0 255.255.240.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa1
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 75360e4f
308201ed 30820156 a0030201 02020475 360e4f30 0d06092a 864886f7 0d010105
0500303b 31123010 06035504 03130963 6973636f 61736131 31253023 06092a86
4886f70d 01090216 16636973 636f6173 61312e61 736c3173 732e6c6f 63616c30
1e170d31 32303131 32303232 3635365a 170d3232 30313039 30323236 35365a30
3b311230 10060355 04031309 63697363 6f617361 31312530 2306092a 864886f7
0d010902 16166369 73636f61 7361312e 61736c31 73732e6c 6f63616c 30819f30
0d06092a 864886f7 0d010101 05000381 8d003081 89028181 0091dbf1 5c2ba210
3a709983 b0f4c75c fad9b35b cff30527 c0e5fea4 95a8d510 eb8cf8de 41661ab9
a4aa0bed e3876553 0fed676a 9b73bb21 e8fe0fc6 a5961ef8 d954c648 2570a978
9b53f0ba da50d66f 26a70056 add4b571 e92028a4 2e9009ad b8b9958e 68e3b85b
4659caa6 e6382c9d 439511f0 49d9fc3d c3c98304 04498021 bf020301 0001300d
06092a86 4886f70d 01010505 00038181 001ee3b5 29830b29 2989a88b ed79fe2a
ebdbc197 552c55bf 738fc3b1 eadf9721 46e0c0b0 ab180f28 f911daea 7e07e96c
b9090f4c b93bd21f 871ea26f 2d7857ce a3970d9e ea975a8c 44aa5fdc c1e0dc29
cb400a6c c637ed84 e3369a0b 58f4f53f 57ed032f 0cb98547 e3e2d71e 5bb72b6f
ffedf993 00316ac3 cabbc54d 9119edd5 6e
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 172.16.0.0 255.255.252.0 inside
telnet 172.16.112.0 255.255.240.0 inside
telnet timeout 5
ssh 172.16.0.0 255.255.0.0 inside
ssh timeout 5
ssh version 2
console timeout 0
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 5

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 82.98.86.172 source outside prefer
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3
anyconnect profiles Mobile_client_profile disk0:/Mobile_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 172.16.0.5 172.16.0.6
vpn-tunnel-protocol ssl-client ssl-clientless
default-domain value asl1ss.local
group-policy GroupPolicy_Mobile internal
group-policy GroupPolicy_Mobile attributes
wins-server value 172.16.0.5 172.16.0.6
dns-server value 172.16.0.5 172.16.0.6
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VLAN1
default-domain value asl1ss.local
webvpn
anyconnect profiles value Mobile_client_profile type user
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
wins-server value 172.16.0.5 172.16.0.6
dns-server value 172.16.0.5 172.16.0.6
vpn-tunnel-protocol ikev1 l2tp-ipsec
default-domain value asl1ss.local
username 111016 password XXXXXX 15
username 505525 password XXXXXXX 15
username 505525 attributes
webvpn
url-list value ASL1SS
tunnel-group DefaultRAGroup general-attributes
address-pool VPN_POOL_LAN1
tunnel-group TunnelGroup1 type remote-access
tunnel-group TunnelGroup1 general-attributes
address-pool VPN_POOL_LAN1
default-group-policy GroupPolicy1
tunnel-group TunnelGroup1 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group Mobile type remote-access
tunnel-group Mobile general-attributes
address-pool VPN_POOL_LAN1
authentication-server-group asl1ss.local
default-group-policy GroupPolicy_Mobile
tunnel-group Mobile webvpn-attributes
group-alias Mobile enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3d941af59ff23784f3dd0669bbe5c750
: end
asdm location VPN_POOL 255.255.255.0 inside
asdm location GW_SS 255.255.255.255 inside
asdm location XXX 255.255.254.0 inside
asdm location XXXX 255.255.255.0 inside
no asdm history enable
Rispondi