I have a question about Cisco ASA 5505 VPN configuration. I set up L2TP for Windows clients. I can connect to the VPN, but:
When I have "Use default gateway on remote network" enabled on the NIC, I have access to all resources on the network, but I have no internet access (cannot open websites, etc.).
When I have "Use default gateway on remote network" disabled on the NIC, I have no access to the network resources, but I do have internet access.
My configuration file is a bit messy; I tried to use ASDM and tried to configure Cisco AnyConnect, but those lines in the configuration are not important, it did not work. My VPN subnet is 192.168.20.0 and I only need L2TP for Windows. If anyone would like to help me with the configuration, here it is:
: Saved
:
ASA Version 9.1(2)
!
hostname ciscoasa
enable password xxx encrypted
names
ip local pool poolVPN 192.168.20.10-192.168.20.30 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.0.254 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.26 255.255.255.248
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.100.254 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
object network branch1
 subnet 192.168.2.0 255.255.255.0
object network branch2
 subnet 192.168.1.0 255.255.255.0
object network branch3
 subnet 192.168.3.0 255.255.255.0
object network branch4
 subnet 192.168.4.0 255.255.255.0
object network branch5
 subnet 192.168.5.0 255.255.255.0
object network central
 subnet 192.168.0.0 255.255.255.0
object network dmz-subnet
 subnet 192.168.100.0 255.255.255.0
object network camera-monitoring-ip
 host xxx.xxx.xxx.27
object network cameras
 host 192.168.100.1
object network NETWORK_OBJ_192.168.20.0_27
 subnet 192.168.20.0 255.255.255.224
access-list oudside_acl extended permit tcp any object cameras eq www
access-list outside_acl extended permit tcp any object cameras eq www
access-list dmz_int extended permit tcp host 192.168.100.1 eq www any
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.20.0 255.255.255.224
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.20.0_27 NETWORK_OBJ_192.168.20.0_27 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.20.0_27 NETWORK_OBJ_192.168.20.0_27 destination static NETWORK_OBJ_192.168.20.0_27 NETWORK_OBJ_192.168.20.0_27 no-proxy-arp route-lookup
!
object network branch1
 nat (inside,outside) dynamic interface
object network branch2
 nat (inside,outside) dynamic interface
object network branch3
 nat (inside,outside) dynamic interface
object network branch4
 nat (inside,outside) dynamic interface
object network branch5
 nat (inside,outside) dynamic interface
object network central
 nat (inside,outside) dynamic interface
object network dmz-subnet
 nat (dmz,outside) dynamic interface
object network cameras
 nat (dmz,outside) static cameras-monitoring-ip service tcp www www
access-group outside_acl in interface outside
access-group dmz_int in interface dmz
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.25 1
route inside 192.168.1.0 255.255.255.0 192.168.0.170 1
route inside 192.168.2.0 255.255.255.0 192.168.0.170 1
route inside 192.168.3.0 255.255.255.0 192.168.0.170 1
route inside 192.168.4.0 255.255.255.0 192.168.0.170 1
route inside 192.168.5.0 255.255.255.0 192.168.0.170 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ciscoasa
 keypair xxxxx
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 subject-name CN=ciscoasa
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
 certificate 9gfdrfss
    fdfasfd vczvc
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect profiles VPNanyconnect_client_profile disk0:/VPNanyconnect_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value 192.168.0.201
 dns-server value 192.168.0.201 xxx.xxx.xxx.244
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 default-domain value xxxxx
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
 wins-server value 192.168.0.201
 dns-server value 192.168.0.201 xxx.xxx.xxx.244
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 default-domain value xxxx.local
group-policy GroupPolicy_VPNanyconnect internal
group-policy GroupPolicy_VPNanyconnect attributes
 wins-server value 192.168.0.201
 dns-server value 192.168.0.201 xxx.xxx.xxx.244
 vpn-tunnel-protocol ikev2
 default-domain value xxx.local
 webvpn
!
class-map icmp-class
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map icmp_policy
 class icmp-class
  inspect icmp
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
service-policy icmp_policy interface outside
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:xxx68c1xxx5dbef0baxxxf2378e540
: end
Thank you for your reply.
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value 192.168.0.201
 dns-server value 192.168.0.201 xxx.xxx.xxx.244
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 default-domain value xxxxx
Yes, I did not have split tunneling like the one shown in the tutorial, but it does not work. I added the ACL and ACE and restarted the router. I don't know what is wrong here.
That is because you have not configured split tunneling.
Basically, once you connect to the VPN with "use default gateway on remote network" enabled, your default gateway becomes the VPN endpoint and all traffic is sent to that gateway.
When it is not enabled, you simply miss any route beyond the VPN tunnel itself and still use your own default gateway.
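Two ASA-side changes that follow from the posted configuration, written out here as an added example; they are not part of the original thread and were not posted by either participant. The posted split-tunnel list DefaultRAGroup_splitTunnelAcl permits only 192.168.20.0, which is the VPN pool itself rather than a network behind the ASA, so a client that honours the list is told to tunnel nothing but its own subnet; the first part replaces it with the inside and branch networks taken from the posted objects and routes. The second part is absent from the posted config and accounts for the no-internet symptom with the default-gateway box checked: a VPN client's web traffic arrives on outside and must leave on outside again, which the ASA refuses unless intra-interface traffic is permitted and the pool is PATed to the outside address. The object name VPN_POOL is my choice; every address range comes from the posted configuration.

```text
! Added example, not from the original thread. VPN_POOL is an assumed
! object name; the address ranges are those in the posted configuration.

! 1. Split-tunnel list: the destinations the client should send through
!    the tunnel. The posted list named the pool (192.168.20.0) itself.
!    Only networks already covered by the existing identity NAT
!    (inside,outside) are listed; the DMZ is left out because the posted
!    config has no identity NAT from dmz to the pool, so its replies
!    would be PATed by "nat (dmz,outside) dynamic interface".
no access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
no access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.20.0 255.255.255.224
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.3.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.4.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.5.0 255.255.255.0
!
group-policy DefaultRAGroup attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl

! 2. Full-tunnel case ("Use default gateway on remote network" checked):
!    Internet-bound client traffic enters and leaves on the outside
!    interface, so permit intra-interface traffic and PAT the pool to the
!    outside address. The posted identity NAT rules between inside and
!    the pool stay in place and keep LAN traffic untranslated.
same-security-traffic permit intra-interface
object network VPN_POOL
 subnet 192.168.20.0 255.255.255.224
nat (outside,outside) source dynamic VPN_POOL interface
```

One caveat that matters for this thread specifically: the Windows built-in L2TP/IPsec client does not receive the ASA's split-tunnel network list (that list is delivered to Cisco's own VPN clients). With "Use default gateway on remote network" unchecked, Windows only installs a route for the classful network of the address it was assigned, 192.168.20.0/24 here, which is exactly the symptom described in the question. To reach 192.168.0.0/24 in that mode the routes have to be added on the client, for example `route add 192.168.0.0 mask 255.255.255.0 192.168.20.10` with whatever address the ASA assigned, or the box is left checked and the hairpin NAT in part 2 provides internet access through the ASA.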