IPsec VPN between R1 and R2
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect ipsec-pass-thru
ciscoasa(config)# class inspection_default
mpf-class-map mode commands/options:
access-list Match an Access List
any Match any packet
default-inspection-traffic Match default inspection traffic:
ctiqbe----tcp--2748 dns-------udp--53
ftp-------tcp--21 gtp-------udp--2123,3386
h323-h225-tcp--1720 h323-ras--udp--1718-1719
http------tcp--80 icmp------icmp
ils-------tcp--389 ip-options-----rsvp
mgcp------udp--2427,2727 netbios---udp--137-138
radius-acct----udp--1646 rpc-------udp--111
rsh-------tcp--514 rtsp------tcp--554
sip-------tcp--5060 sip-------udp--5060
skinny----tcp--2000 smtp------tcp--25
sqlnet----tcp--1521 tftp------udp--69
waas------tcp--1-65535 xdmcp-----udp--177
The default inspection_default class does not match ESP traffic. So why does the IPsec VPN still work?
R1-inside#ping 2.2.2.2 source l0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 68/88/116 ms
R1-inside#show crypto ipsec sa
interface: Ethernet0/0
Crypto map tag: l2l, local addr 201.100.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
current_peer 201.100.2.1 port 500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 201.100.1.1, remote crypto endpt.: 201.100.2.1
path mtu 1500, ip mtu 1500
current outbound spi: 0xDD525960(3713161568)
inbound esp sas:
spi: 0x384862(3688546)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: l2l
sa timing: remaining key lifetime (k/sec): (4515150/3583)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xDD525960(3713161568)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2003, flow_id: SW:3, crypto map: l2l
sa timing: remaining key lifetime (k/sec): (4515150/3581)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
ciscoasa# show conn
5 in use, 7 most used
ESP outside 201.100.2.1 inside 201.100.1.1, idle 0:00:29, bytes 496
UDP outside 201.100.2.1:500 inside 201.100.1.1:500, idle 0:00:29, bytes 1348, flags -
ESP outside 201.100.2.1 inside 201.100.1.1, idle 0:00:29, bytes 496
The default inspection_default class does not match ESP traffic. So why does the IPsec VPN still work?
ciscoasa# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
Best answer
ipsec-pass-thru is ESP, okay? There is 教主's diagram and no other material; did you still not read it properly?
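The `show conn` output in the question is the evidence behind the answer: the ASA holds a UDP/500 (IKE) connection between the two peers plus the ESP connections that ipsec-pass-thru inspection opened for the same peer pair. A defender reviewing a connection table wants exactly that correlation made explicit, so the following added example (my own Python, not from the thread or from Cisco) parses `show conn` lines and reports ESP connections that have no IKE control connection between the same addresses. The sample lines are constructed, modelled on the post's output with one extra ESP entry from a peer that never negotiated IKE; treating UDP/4500 (NAT-T) as an IKE port is my assumption, not something the thread discusses.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample, modelled on the `show conn` lines in the thread.
# The last ESP line (peer 203.0.113.9) is added here to show an ESP
# connection with no matching IKE session; it is not from the post.
SAMPLE_SHOW_CONN = """\
5 in use, 7 most used
ESP outside 201.100.2.1 inside 201.100.1.1, idle 0:00:29, bytes 496
UDP outside 201.100.2.1:500 inside 201.100.1.1:500, idle 0:00:29, bytes 1348, flags -
ESP outside 201.100.2.1 inside 201.100.1.1, idle 0:00:29, bytes 496
ESP outside 203.0.113.9 inside 201.100.1.1, idle 0:01:02, bytes 1200
"""

# One `show conn` entry: "<proto> <out_if> <addr>[:port] <in_if> <addr>[:port], idle ..., bytes N"
CONN_RE = re.compile(
    r"^(?P<proto>ESP|AH|UDP|TCP)\s+"
    r"(?P<out_if>\S+)\s+(?P<out_addr>[\d.]+)(?::(?P<out_port>\d+))?\s+"
    r"(?P<in_if>\S+)\s+(?P<in_addr>[\d.]+)(?::(?P<in_port>\d+))?"
    r",\s*idle\s+(?P<idle>\S+),\s*bytes\s+(?P<bytes>\d+)"
)

# IKE control ports: 500 is in the post; 4500 (NAT-T) is my assumption.
IKE_PORTS = {500, 4500}


@dataclass(frozen=True)
class Conn:
    proto: str
    out_addr: str
    out_port: Optional[int]
    in_addr: str
    in_port: Optional[int]
    idle: str
    nbytes: int


def parse_show_conn(text: str) -> List[Conn]:
    """Parse `show conn` output into Conn records, skipping summary lines."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # e.g. "5 in use, 7 most used"
        conns.append(Conn(
            proto=m["proto"],
            out_addr=m["out_addr"],
            out_port=int(m["out_port"]) if m["out_port"] else None,
            in_addr=m["in_addr"],
            in_port=int(m["in_port"]) if m["in_port"] else None,
            idle=m["idle"],
            nbytes=int(m["bytes"]),
        ))
    return conns


def ike_peers(conns: List[Conn]) -> Set[Tuple[str, str]]:
    """(outside, inside) address pairs that currently hold an IKE UDP connection."""
    return {
        (c.out_addr, c.in_addr)
        for c in conns
        if c.proto == "UDP" and c.out_port in IKE_PORTS and c.in_port in IKE_PORTS
    }


def orphan_esp(conns: List[Conn]) -> List[Conn]:
    """ESP/AH connections whose peer pair has no IKE connection in the table.

    Under ipsec-pass-thru inspection the ESP entry is derived from the IKE
    negotiation, so an ESP flow without an IKE parent deserves a closer look.
    """
    peers = ike_peers(conns)
    return [c for c in conns
            if c.proto in ("ESP", "AH") and (c.out_addr, c.in_addr) not in peers]


if __name__ == "__main__":
    table = parse_show_conn(SAMPLE_SHOW_CONN)
    print("IKE peer pairs:", sorted(ike_peers(table)))
    for c in orphan_esp(table):
        print(f"ESP without IKE session: {c.out_addr} -> {c.in_addr}, bytes {c.nbytes}")
```

Run against the post's own three lines the script reports no orphan ESP flows, which is the answer in one line: the ESP connections exist because ipsec-pass-thru inspection ties them to the UDP/500 IKE connection the class did match.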