多子网Cisco ASA to AWS IPSEC ××× 问题

多子网Cisco ASA to AWS IPSEC ××× 问题

最近遇到一个很妖的问题，

Cisco ASA to AWS IPSEC CPN

Asa 这边有多个子网，每次只能一个子网和AWS 通信，别的就是不通。

配置如下。

ASA

10.10.55.0 255.255.255.010.10.66.0 255.255.255.010.10.77.0 255.255.255.0

To

AWS 172.21.84.0 255.255.252.0

比如 10.10.55.0 to 172.21.84.0 通了，那别的肯定不通。

CISCO ASA to AWS object-group network IPSEC-AMAZON-LOCALnetwork-object 10.10.55.0 255.255.255.0network-object 10.10.66.0 255.255.255.0network-object 10.10.77.0 255.255.255.0

object-group network IPSEC-AMAZON-REMOTEnetwork-object 172.21.84.0 255.255.252.0

access-list IPSEC-AMAZON extended permit ip object-group IPSEC-AMAZON-LOCAL object-group IPSEC-AMAZON-REMOTE

nat (×××ide,outside) source static tr-db tr-db destination static IPSEC-AMAZON-REMOTE IPSEC-AMAZON-REMOTE

crypto map mycryptomap 90 match address IPSEC-AMAZONcrypto map mycryptomap 90 set peer 8.8.8.8crypto map mycryptomap 90 set ikev1 transform-set transform-amzncrypto map mycryptomap 90 set security-association lifetime seconds 3600

tunnel-group 8.8.8.8 type ipsec-l2ltunnel-group 8.8.8.8 ipsec-attributesikev1 pre-shared-key

ACL 本地改成 any 试一下 过两天再看结果access-list IPSEC-AMAZON extended permit ip any4 object-group IPSEC-AMAZON-REMOTE

一下 是AWS 官方说明! --------------------------------------------------------------------------------! #2: Access List Configuration!! Access lists are configured to permit creation of tunnels and to send applicable traffic over them.! This policy may need to be applied to an inbound ACL on the outside interface that is used to manage control-plane traffic.! This is to allow ××× traffic into the device from the Amazon endpoints.!access-list extended permit ip host 34.227.189.221 host 38.105.116.50access-list extended permit ip host 34.238.204.97 host 38.105.116.50! The following access list named acl-amzn specifies all traffic that needs to be routed to the VPC. Traffic will! be encrypted and transmitted through the tunnel to the VPC. Association with the IPSec security association! is done through the "crypto map" command.!! This access list should contain a static route corresponding to your VPC CIDR and allow traffic from any subnet.! If you do not wish to use the "any" source, you must use a single access-list entry for accessing the VPC range.! If you specify more than one entry for this ACL without using "any" as the source, the ××× will function erratically.! The any rule is also used so the security association will include the ASA outside interface where the SLA monitor! traffic will be sourced from.! See section #4 regarding how to restrict the traffic going over the tunnel!!access-list acl-amzn extended permit ip any4

!---------------------------------------------------------------------------------

版权声明：本文内容由网络用户投稿，版权归原作者所有，本站不拥有其著作权，亦不承担相应法律责任。如果您发现本站中有涉嫌抄袭或描述失实的内容，请联系我们jiasou666@gmail.com 处理，核实后本网站将在24小时内删除侵权内容。