Cisco ASA 5505 configuration: VPN traversal

I recently installed an ASA 5505 that connects several sites over site-to-site VPN, and it works great. I also need a remote-access VPN configured with L2TP/IPsec. However, I am having trouble with the configuration that would allow remote-access users to reach systems on the network of any of the site-to-site VPN connections. Here is the overall layout in a hub/spoke configuration:

10.100.20.0/24 – Central Office (hub)
10.100.50.0/24 – Remote Office 1
10.100.60.0/24 – Remote Office 2
10.100.70.0/24 – Remote Office 3

10.200.0.0/24 – Remote Access pool

The Central Office can communicate with any of the Remote Offices, and all Remote Offices can communicate with the Central Office. Remote-access users can communicate only with the Central Office, which is their VPN (L2TP) endpoint.

I'm curious what NAT and/or routing configuration I need to consider in order to let remote-access users reach any of the connected Remote Offices?

Thanks in advance! Chris

Here is the configuration (with the necessary obfuscation):

  ASA Version 8.2(1)
  !
  hostname ciscoasa
  enable password ***** encrypted
  passwd ***** encrypted
  names
  name 208.67.222.222 opendns1
  name 208.67.220.220 opendns2
  !
  interface Vlan1
   nameif inside
   security-level 100
   ip address 10.100.20.254 255.255.255.0
  !
  interface Vlan2
   nameif outside
   security-level 0
   ip address 200.200.200.2 255.255.255.252
  !
  interface Ethernet0/0
   switchport access vlan 2
  !
  interface Ethernet0/1
  !
  interface Ethernet0/2
  !
  interface Ethernet0/3
  !
  interface Ethernet0/4
  !
  interface Ethernet0/5
  !
  interface Ethernet0/6
  !
  interface Ethernet0/7
  !
  ftp mode passive
  clock timezone EST -5
  clock summer-time EDT recurring
  dns domain-lookup inside
  dns domain-lookup outside
  dns server-group DefaultDNS
   name-server opendns2
   name-server opendns1
  same-security-traffic permit intra-interface
  object-group protocol TCPUDP
   protocol-object udp
   protocol-object tcp
  object-group network opendns-servers
   network-object host opendns2
   network-object host opendns1
  access-list outside_1_cryptomap extended permit ip 10.100.20.0 255.255.255.0 10.100.50.0 255.255.255.0
  access-list outside_2_cryptomap extended permit ip 10.100.20.0 255.255.255.0 10.100.60.0 255.255.255.0
  access-list outside_3_cryptomap extended permit ip 10.100.20.0 255.255.255.0 10.100.70.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.100.20.0 255.255.255.0 10.100.50.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.100.20.0 255.255.255.0 10.100.60.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.100.20.0 255.255.255.0 10.100.70.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.100.20.0 255.255.255.0 10.200.0.0 255.255.255.0
  access-list inside_access_in extended permit object-group TCPUDP any object-group opendns-servers eq domain
  access-list inside_access_in extended permit object-group TCPUDP host 10.100.20.1 any eq domain
  access-list inside_access_in extended deny object-group TCPUDP any any eq domain
  access-list inside_access_in extended permit ip any any
  access-list outside_access_in extended deny ip any any
  access-list outside_nat0_outbound extended permit ip 10.200.0.0 255.255.255.0 10.100.20.0 255.255.255.0
  access-list DefaultRAGroup_splitTunnelAcl standard permit 10.100.20.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm-buffer-size 300
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool RA-pool 10.200.0.1-10.200.0.50 mask 255.255.255.0
  ip local pool test-pool 10.100.20.200-10.100.20.209 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any inside
  icmp deny any echo outside
  no asdm history enable
  arp timeout 14400
  nat-control
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0 dns
  nat (outside) 0 access-list outside_nat0_outbound outside
  access-group inside_access_in in interface inside
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 200.200.200.1 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  http server enable
  http 10.100.20.0 255.255.255.0 inside
  http 0.0.0.0 0.0.0.0 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set pfs
  crypto map outside_map 1 set peer 1.1.1.1
  crypto map outside_map 1 set transform-set ESP-3DES-SHA
  crypto map outside_map 2 match address outside_2_cryptomap
  crypto map outside_map 2 set pfs
  crypto map outside_map 2 set peer 2.2.2.2
  crypto map outside_map 2 set transform-set ESP-3DES-SHA
  crypto map outside_map 3 match address outside_3_cryptomap
  crypto map outside_map 3 set pfs
  crypto map outside_map 3 set peer 3.3.3.3
  crypto map outside_map 3 set transform-set ESP-3DES-SHA
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 5
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  crypto isakmp policy 10
   authentication pre-share
   encryption des
   hash sha
   group 2
   lifetime 86400
  crypto isakmp policy 30
   authentication crack
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  telnet timeout 5
  ssh 0.0.0.0 0.0.0.0 inside
  ssh 0.0.0.0 0.0.0.0 outside
  ssh timeout 15
  ssh version 2
  console timeout 0
  dhcpd auto_config outside
  !
  threat-detection basic-threat
  threat-detection statistics port
  threat-detection statistics protocol
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
   enable inside
   enable outside
   svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
  group-policy DefaultRAGroup internal
  group-policy DefaultRAGroup attributes
   dns-server value 208.67.222.222 208.67.220.220
   vpn-tunnel-protocol IPSec l2tp-ipsec
   ip-comp disable
   pfs disable
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
  group-policy DfltGrpPolicy attributes
   vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
   webvpn
    svc ask enable
  username user1 password ***** nt-encrypted privilege 15
  username user1 attributes
   vpn-group-policy DefaultRAGroup
  username user2 password ***** nt-encrypted
  username user2 attributes
   vpn-group-policy DefaultRAGroup
   service-type remote-access
  username user3 password ***** encrypted
  username user3 attributes
   vpn-group-policy DefaultRAGroup
   service-type remote-access
  tunnel-group DefaultRAGroup general-attributes
   address-pool RA-pool
   default-group-policy DefaultRAGroup
   strip-realm
   strip-group
  tunnel-group DefaultRAGroup ipsec-attributes
   pre-shared-key *
   isakmp keepalive disable
  tunnel-group DefaultRAGroup ppp-attributes
   authentication ms-chap-v2
  tunnel-group DefaultWEBVPNGroup general-attributes
   address-pool RA-pool
   dhcp-server 10.100.20.254
  tunnel-group 1.1.1.1 type ipsec-l2l
  tunnel-group 1.1.1.1 ipsec-attributes
   pre-shared-key *
  tunnel-group 2.2.2.2 type ipsec-l2l
  tunnel-group 2.2.2.2 ipsec-attributes
   pre-shared-key *
  tunnel-group 3.3.3.3 type ipsec-l2l
  tunnel-group 3.3.3.3 ipsec-attributes
   pre-shared-key *
  !
  !
  prompt hostname context
  Cryptochecksum:e78f2c61bd1c3b5dea31af3782a04b51
  : end

This:

  access-list DefaultRAGroup_splitTunnelAcl standard permit 10.100.20.0 255.255.255.0 

combined with this:

  split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl 

only allows traffic to 10.100.20.0 into the split tunnel. So a VPN client trying to reach your other private IP addresses is actually routed outside the tunnel, out to the Internet. Not what you want.

Add your other private IPs to the tunnel:

  access-list DefaultRAGroup_splitTunnelAcl standard permit XXXX YYYY 

for all of your other private IPs.

  same-security-traffic permit intra-interface

Hairpin at the hub site, then exit the same interface to reach the spokes.
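Putting the two answers together (extend the split-tunnel list; hairpin the decrypted traffic back out of the outside interface), here is the complete set of ASA 8.2 changes the hub and one spoke need before the 10.200.0.0/24 pool can reach 10.100.50.0/24. This is an added example, not part of either answer: it reuses the object and ACL names from the posted hub config, but the spoke-side ACL names (`outside_1_cryptomap` and `inside_nat0_outbound` on the spoke) are assumed because the spoke configurations are not in the question. Remote Office 2 and 3 need the same lines with their own subnet and crypto map entry.

```cisco
! ---- Hub (ciscoasa, 10.100.20.254), ASA 8.2 pre-8.3 NAT syntax ----
!
! 1. Put the spoke subnets in the split-tunnel list so the client sends them into the tunnel
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.100.50.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.100.60.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.100.70.0 255.255.255.0
!
! 2. Let traffic that arrives on outside (RA tunnel) leave on outside (L2L tunnel).
!    Already present in the posted config; repeated here because the hairpin fails without it.
same-security-traffic permit intra-interface
!
! 3. Exempt pool-to-spoke traffic from NAT in the outside-to-outside direction.
!    "nat (outside) 0 access-list outside_nat0_outbound outside" is already bound, so only
!    the ACL needs the extra entries. With nat-control on, a packet that matches no NAT rule is dropped.
access-list outside_nat0_outbound extended permit ip 10.200.0.0 255.255.255.0 10.100.50.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 10.200.0.0 255.255.255.0 10.100.60.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 10.200.0.0 255.255.255.0 10.100.70.0 255.255.255.0
!
! 4. Make pool-to-spoke traffic "interesting" to each L2L crypto map entry.
!    Without this the hub has no phase 2 SA for the pool and silently drops the packets.
access-list outside_1_cryptomap extended permit ip 10.200.0.0 255.255.255.0 10.100.50.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.200.0.0 255.255.255.0 10.100.60.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 10.200.0.0 255.255.255.0 10.100.70.0 255.255.255.0
!
! ---- Spoke: Remote Office 1 (10.100.50.0/24, peer 1.1.1.1) ----
! ACL names on this side are assumed; the spoke configs are not shown in the question.
!
! Mirror the hub's crypto ACL with source and destination swapped, or phase 2 will not negotiate.
access-list outside_1_cryptomap extended permit ip 10.100.50.0 255.255.255.0 10.200.0.0 255.255.255.0
! Exempt the return traffic from the spoke's own dynamic NAT/PAT.
access-list inside_nat0_outbound extended permit ip 10.100.50.0 255.255.255.0 10.200.0.0 255.255.255.0
!
! ---- Verification on the hub, with an RA client connected and pinging a spoke host ----
! The L2L SA for peer 1.1.1.1 should now list 10.200.0.0/24 <-> 10.100.50.0/24 proxy identities
! and its encaps/decaps counters should move:
!   show crypto ipsec sa peer 1.1.1.1
!   show vpn-sessiondb remote
```

Apply the hub lines first, then the spoke lines, and have the remote-access user reconnect, because the split-tunnel list is only handed to a client at connection time. Interface ACLs are not in the path here: the posted config keeps the default `sysopt connection permit-vpn`, so decrypted VPN traffic bypasses `outside_access_in` (which otherwise denies everything). One caveat for this particular client type: the split-tunnel network list is delivered through IKE mode-config, which an L2TP/IPsec connection does not use, so a native Windows L2TP client decides on its own (the "Use default gateway on remote network" setting) whether non-local traffic enters the tunnel. With that setting on, everything is tunnelled anyway and step 1 is not what gates access; steps 2 to 4 and the spoke-side mirror are.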