Элтекс

Добрый день!
Есть такой зверь
System type: Eltex ESR-21 Service Router
System name: rov-gw1-elt
Software version: 1.5.3(FSTEC) build 7[724a8bcfb] (date 18/03/2020 time 15:34:15)
Hardware version: 1v3

И такая проблема!
При поднятии тоннеля, со стороны ASA я вижу сам esr и сеть за ним!
Со стороны esr я невижу ни ASAы ни сети за ней!
При мониторинге на asa обнаружил что esr не отправляет пакеты в тоннель!

На esr такая картина!
rov-gw1-elt# ping 10.150.32.1 source ip 192.168.153.1
PING 10.150.32.1 (10.150.32.1) from 192.168.153.1 : 56(84) bytes of data.
.....
--- 10.150.32.1 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4004ms

С циски:
rov-gw1# ping 192.168.153.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.153.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 22/26/30 ms

Кусок конфигурации esr.
security ike gateway MEG_MTS
ike-policy MEG_MTS
local address X.X.X.X
local network 192.168.153.0/24
remote address Y.Y.Y.Y
remote network 10.150.32.0/24
remote network 10.150.37.0/24
remote network 10.150.39.0/24
mode policy-based
exit

security ipsec vpn MEGMTS
mode ike
ike establish-tunnel route
ike gateway MEG_MTS
ike ipsec-policy ipsecMEG_MTS
enable
exit

Не подскажите куда копать?

С уважение!

Какая версия прошивки у asa?
Покажите настройки криптокарты с asa.

asa922-4-smp-k8.bin
--------------------------------------------------------
crypto map vpn 14 match address MegRovVPN
crypto map vpn 14 set peer ROVMEG_VPN
crypto map vpn 14 set ikev1 transform-set ESP-DES-SHA
crypto map vpn 14 set security-association lifetime seconds 14400
crypto map vpn 14 set security-association lifetime kilobytes 460800

access-list MegRovVPN extended permit ip object-group MEG_LOCAL_VPN object-group ROVMEG_REMOTE_VPN

object-group network ROVMEG_REMOTE_VPN
network-object 192.168.153.0 255.255.255.0

object-group network MEG_LOCAL_VPN
network-object 10.150.32.0 255.255.255.0
network-object 10.150.37.0 255.255.255.0
network-object 10.150.39.0 255.255.255.0

nat (lan,CTS) source static MEG_LOCAL_VPN MEG_LOCAL_VPN destination static ROVMEG_REMOTE_VPN ROVMEG_REMOTE_VPN route-lookup
----------------------------------------------------------

С уважением!

тему можно закрывать!

Победили, добавив в правило nat match not destination-address REM_ROV!

object-group network REM_ROV
ip prefix 10.150.32.0/24
ip prefix 10.150.37.0/24
ip prefix 10.150.39.0/24

Элтекс

ESR-21 FSTEC + cisco ASA site to site vpn

ESR-21 FSTEC + cisco ASA site to site vpn

Re: ESR-21 FSTEC + cisco ASA site to site vpn

Re: ESR-21 FSTEC + cisco ASA site to site vpn

Re: ESR-21 FSTEC + cisco ASA site to site vpn