- Please check the configuration, sidsoft, 15:06, 13-Apr-13 (1)
I have now changed the configuration to connect the CISCO 891, but there are still no connections :( Here is the ASA config:

Code:
```
ASA-5515-X# show config
: Saved
: Written by enable_15 at 03:30:20.135 UTC Sat Apr 13 2013
!
ASA Version 8.6(1)
!
hostname ASA-5515-X
domain-name xxxx.ru
enable password WpxNiWVGVaDdWqId encrypted
passwd WpxNiWVGVaDdWqId encrypted
names
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.200.236 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 192.0.0.2 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
dns server-group DefaultDNS
 domain-name хххх.ru
object network obj-local
 subnet 192.168.200.0 255.255.255.0
object network obj-remote
 subnet 192.168.20.0 255.255.255.0
object network internal-lan
 subnet 192.168.200.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu management 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
!
object network internal-lan
 nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
http server idle-timeout 60
http server session-timeout 60
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 1440
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username root password fSxC7.NN7u15TsWj encrypted privilege 15
tunnel-group 192.0.0.1 type ipsec-l2l
tunnel-group 192.0.0.1 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:5e52e58b5e4fcd0c02bcf89a4a429fe9
```

Here is the CISCO 891 config:

Code:
```
CISCO-ISR-891#show config
Using 2461 out of 262136 bytes
!
! Last configuration change at 10:49:11 UTC Sat Apr 13 2013
! NVRAM config last updated at 10:49:12 UTC Sat Apr 13 2013
! NVRAM config last updated at 10:49:12 UTC Sat Apr 13 2013
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CISCO-ISR-891
!
boot-start-marker
boot-end-marker
!
!
enable secret
enable password
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
!
!
ip cef
ip domain name xxxx.ru
no ipv6 cef
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
license udi pid
!
!
!
no spanning-tree vlan 1
no spanning-tree vlan 2
username root privilege 15 password 7
!
!
!
!
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key 123321 address 192.0.0.2
!
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
!
crypto map vpn 10 ipsec-isakmp
 set peer 192.0.0.2
 set transform-set TS
 match address vpn
!
!
!
!
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 switchport access vlan 2
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 no ip address
!
interface FastEthernet5
 no ip address
!
interface FastEthernet6
 no ip address
!
interface FastEthernet7
 no ip address
!
interface FastEthernet8
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Vlan1
 description LAN
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan2
 description OUTSIDE
 ip address 192.0.0.1 255.255.255.0
 crypto map vpn
!
interface Async1
 no ip address
 encapsulation slip
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
ip access-list extended vpn
 permit ip 192.168.20.0 0.0.0.255 192.168.200.0 0.0.0.255
!
access-list 23 permit 192.168.20.20
access-list 23 permit 192.168.200.200
access-list 23 permit 192.168.200.100
access-list 23 permit 192.168.200.65
!
!
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input telnet ssh
 transport output telnet ssh
!
end
```

The CISCO 891 does not connect to the CISCO ASA :(

- Please check the configuration, McS555, 16:17, 15-Apr-13 (2)
>[overquoting removed]
> crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
> crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
> crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
> crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
> crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
> crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
> crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
> crypto map outside_map 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA

Why ESP-3DES-MD5 ESP-3DES-SHA?? And not ESP-AES-128-SHA

> encr aes
> authentication pre-share

and on the ASA

```
encryption 3des
hash sha
encryption 3des
hash md5
encryption aes-256
hash sh
```
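
The proposal comparison raised in the reply above, as an added example that is not part of either post: a Python check that reads the IKE/IPsec lines of both peers and reports whether they share an IKEv1 phase 1 policy and a phase 2 transform set that a crypto map actually references. The function names `phase1`, `offered` and `audit` are hypothetical, and treating an omitted `hash` line as `sha` is an assumption of this example.

```python
import re
# IKE/IPsec proposal lines copied from the two configs posted in the thread.
ASA_CFG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
"""
IOS_CFG = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
 set transform-set TS
"""
FIELDS = ("encryption", "hash", "group", "authentication")
def phase1(cfg):
    """Return {priority: attributes} for every IKEv1/ISAKMP policy block."""
    out, cur = {}, None
    for line in cfg.splitlines():
        m = re.match(r"crypto (?:ikev1|isakmp) policy (\d+)$", line)
        if m:  # assumption: an omitted hash means the default (sha), which IOS hides
            cur = out.setdefault(int(m[1]), {"hash": "sha"})
        elif cur is not None and line.startswith(" "):
            word, _, value = line.strip().partition(" ")
            word = "encryption" if word == "encr" else word  # IOS abbreviation
            if word in FIELDS:
                cur[word] = value
        else:
            cur = None
    return out

def offered(cfg):
    """ESP transforms of the sets that crypto map entries actually reference."""
    sets = {m[1]: frozenset(m[2].split()) for m in re.finditer(
        r"^crypto ipsec (?:ikev1 )?transform-set (\S+) (.+)$", cfg, re.M)}
    used = re.findall(r"(?:^|\d) set (?:ikev1 )?transform-set (.+)$", cfg, re.M)
    return {sets[n] for names in used for n in names.split() if n in sets}

def audit(asa, ios):
    """Return the reasons the two peers cannot agree on a proposal."""
    p1 = any(a == r for a in phase1(asa).values() for r in phase1(ios).values())
    p2 = offered(asa) & offered(ios)
    return [msg for ok, msg in ((p1, "no common IKEv1 phase 1 policy"),
            (p2, "no common phase 2 transform set in the crypto maps")) if not ok]

print(audit(ASA_CFG, IOS_CFG))
```

A transform set that is defined but not referenced by a crypto map entry is ignored, so a config that lists matching sets while its crypto map names only other ones is still reported.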