We have a Cisco ASA providing multiple site-to-site tunnels for our customers. Most of our employees use the standard VPN client to connect to the ASA.
But we also want to allow employees who have a static connection or multiple PCs to use a site-to-site tunnel.
How do we allow traffic from Employee1 thru X <-> Cisco ASA <-> all customer tunnels, while not allowing CustomerA tunnel <-> Cisco ASA <-> CustomerB tunnel?
Something along these lines. 192.168.168.0/24 seems a bit small; if you need to, build an object group for those as well.
same-security-traffic permit intra-interface

object-group network Client_Networks
 ! Load up client network assignments here, so the ACLs don't get huge:
 network-object 192.0.2.0 255.255.255.0
 network-object 198.51.100.0 255.255.255.0

! ACL for tunnel to an example client - this one's on the 192.0.2.0 range.
! The entry covers traffic between the local net and the client
access-list outside_cryptomap_client_1 extended permit ip 172.16.89.0 255.255.255.0 192.0.2.0 255.255.255.0
! And this is needed for the traffic between the employee nets and the client
access-list outside_cryptomap_client_1 extended permit ip 192.168.168.0 255.255.255.0 192.0.2.0 255.255.255.0

! ACL for the tunnel to an employee - we'll stick them on 192.168.168.32/30;
! For the purposes of the tunnel, the client networks are local networks.
! The entry's going to create a ton of IPSec SAs -- makes a mess, but not a lot of choice.
access-list outside_cryptomap_employee_1 extended permit ip object-group Client_Networks 192.168.168.32 255.255.255.252
! And, the local whatnot.
access-list outside_cryptomap_employee_1 extended permit ip 172.16.89.0 255.255.255.0 192.168.168.32 255.255.255.252

! all the other config for the site-to-site tunnels..
crypto map outside_map 1 match address outside_cryptomap_client_1
! ...
crypto map outside_map 501 match address outside_cryptomap_employee_1
And, if you have any NAT going on (which you probably do, given that you're using RFC1918 ranges), you'll need an exemption across all of the NAT ranges to match all the traffic in the crypto ACLs.
! add to an existing NAT exemption ACL, if you have one. Otherwise, make one..
! local to clients
access-list outside_nat0_outbound extended permit ip 172.16.89.0 255.255.255.0 object-group Client_Networks
! local to employees
access-list outside_nat0_outbound extended permit ip 172.16.89.0 255.255.255.0 192.168.168.0 255.255.255.0
! employees to clients
access-list outside_nat0_outbound extended permit ip 192.168.168.0 255.255.255.0 object-group Client_Networks
nat (Public) 0 access-list outside_nat0_outbound
And of course, you'll need to configure the remote VPN endpoint at the employee's location with the client networks as remote networks, matching the crypto ACL on the site-to-site connection.
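To check that the crypto ACLs above actually give the isolation the question asks for (employee <-> every customer tunnel, but no customer <-> customer hairpin), here is an added Python model of the ASA's crypto-ACL selection; it is not part of the answer or any Cisco tool. It assumes a constructed outside_cryptomap_client_2 that repeats the client_1 pattern for the 198.51.100.0 range, and it models only the crypto ACL selectors, not the NAT exemption or the intra-interface permit.

```python
import ipaddress

# Constructed model of the answer's object group, in netmask form as written on the ASA.
OBJECT_GROUPS = {"Client_Networks": ["192.0.2.0/255.255.255.0", "198.51.100.0/255.255.255.0"]}

# Crypto ACLs as (source, destination) permit entries. outside_cryptomap_client_2 is not
# on the page; it is constructed here by repeating the client_1 pattern for 198.51.100.0.
CRYPTO_ACLS = {
    "outside_cryptomap_client_1": [("172.16.89.0/255.255.255.0", "192.0.2.0/255.255.255.0"),
                                   ("192.168.168.0/255.255.255.0", "192.0.2.0/255.255.255.0")],
    "outside_cryptomap_client_2": [("172.16.89.0/255.255.255.0", "198.51.100.0/255.255.255.0"),
                                   ("192.168.168.0/255.255.255.0", "198.51.100.0/255.255.255.0")],
    "outside_cryptomap_employee_1": [("object-group Client_Networks", "192.168.168.32/255.255.255.252"),
                                     ("172.16.89.0/255.255.255.0", "192.168.168.32/255.255.255.252")],
}

def expand(operand):
    """An ACE operand is either a network in netmask form or an object-group reference."""
    if operand.startswith("object-group "):
        return [ipaddress.ip_network(n) for n in OBJECT_GROUPS[operand.split()[1]]]
    return [ipaddress.ip_network(operand)]

def ace_covers(ace, src, dst):
    """True if the entry permits src->dst as written. Crypto ACLs are symmetric on the ASA:
    the mirrored entry selects decrypted inbound traffic, so callers check both orders."""
    return any(src in n for n in expand(ace[0])) and any(dst in n for n in expand(ace[1]))

def tunnels_for(src, dst):
    """Names of the crypto ACLs (tunnels) whose selectors cover the flow in either direction."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return sorted(name for name, aces in CRYPTO_ACLS.items()
                  if any(ace_covers(a, s, d) or ace_covers(a, d, s) for a in aces))

def hairpin_permitted(src, dst):
    """A flow that enters on one tunnel and leaves on another must be selected by both
    tunnels' crypto ACLs; one match means a plain site-to-local flow, none means it is
    not tunneled at all."""
    return len(tunnels_for(src, dst)) >= 2

if __name__ == "__main__":
    for flow in [("192.168.168.33", "192.0.2.10"),     # employee -> customer A
                 ("192.168.168.33", "198.51.100.10"),  # employee -> customer B
                 ("192.0.2.10", "198.51.100.10"),      # customer A -> customer B
                 ("172.16.89.5", "192.0.2.10")]:       # local -> customer A
        print(flow, tunnels_for(*flow), "hairpin" if hairpin_permitted(*flow) else "no hairpin")
```

Running it shows the employee /30 is selected by both its own tunnel and each client tunnel, while a customer-to-customer flow matches no crypto ACL at all, so the ASA never re-encrypts it.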