Cisco ASA (client VPN) to LAN, then through a second VPN to a second LAN

We have 2 sites connected via IPSEC VPN to a remote Cisco ASA:

Site 1: 1.5Mb T1 connection, Cisco(1) 2841

Site 2: 1.5Mb T1 connection, Cisco 2841

In addition:

Site 1 has a second WAN connection, a 3Mb bonded T1 on a Cisco 5510, which is connected to the same LAN as the Cisco(1) 2841.

Basically, remote-access (VPN) users who connect through the Cisco ASA 5510 need to reach services located at the Site 2 end. Because of the way the service is sold, the Cisco 2841 router is not under our management, and its setup only allows connections from the local LAN VLAN 1 address range 10.20.0.0/24. My idea is to have all traffic from the remote users that is destined for Site 2 go through the Cisco ASA and then through the VPN between Site 1 and Site 2. The end result is that all traffic arriving at Site 2 comes from Site 1.

I am struggling to find much information on how to set this up. So, first, can anyone confirm that what I am trying to achieve is possible? Second, can anyone help me correct the configuration below, or point me to an example of such a configuration?

Many thanks.

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 7.7.7.19 255.255.255.240
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.20.0.249 255.255.255.0
object-group network group-inside-vpnclient
 description All inside networks accessible to vpn clients
 network-object 10.20.0.0 255.255.255.0
 network-object 10.20.1.0 255.255.255.0
object-group network group-adp-network
 description ADP IP Address or network accessible to vpn clients
 network-object 207.207.207.173 255.255.255.255
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any source-quench
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit tcp any host 7.7.7.20 eq smtp
access-list outside_access_in extended permit tcp any host 7.7.7.20 eq https
access-list outside_access_in extended permit tcp any host 7.7.7.20 eq pop3
access-list outside_access_in extended permit tcp any host 7.7.7.20 eq www
access-list outside_access_in extended permit tcp any host 7.7.7.21 eq www
access-list outside_access_in extended permit tcp any host 7.7.7.21 eq https
access-list outside_access_in extended permit tcp any host 7.7.7.21 eq 5721
access-list acl-vpnclient extended permit ip object-group group-inside-vpnclient any
access-list acl-vpnclient extended permit ip object-group group-inside-vpnclient object-group group-adp-network
access-list acl-vpnclient extended permit ip object-group group-adp-network object-group group-inside-vpnclient
access-list PinesFLVPNTunnel_splitTunnelAcl standard permit 10.20.0.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.20.0.0 255.255.255.0 10.20.1.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.20.0.0 255.255.255.0 host 207.207.207.173
access-list inside_nat0_outbound_1 extended permit ip 10.20.1.0 255.255.255.0 host 207.207.207.173
ip local pool VPNPool 10.20.1.100-10.20.1.200 mask 255.255.255.0
route outside 0.0.0.0 0.0.0.0 7.7.7.17 1
route inside 207.207.207.173 255.255.255.255 10.20.0.3 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 288000
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map outside_dyn_map 20 match address acl-vpnclient
crypto map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
group-policy YeahRightflVPNTunnel internal
group-policy YeahRightflVPNTunnel attributes
 wins-server value 10.20.0.9
 dns-server value 10.20.0.9
 vpn-tunnel-protocol IPSec
 password-storage disable
 pfs disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl-vpnclient
 default-domain value YeahRight.com
group-policy YeahRightFLVPNTunnel internal
group-policy YeahRightFLVPNTunnel attributes
 wins-server value 10.20.0.9
 dns-server value 10.20.0.9 10.20.0.7
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value YeahRightFLVPNTunnel_splitTunnelAcl
 default-domain value yeahright.com
tunnel-group YeahRightFLVPN type remote-access
tunnel-group YeahRightFLVPN general-attributes
 address-pool VPNPool
tunnel-group YeahRightFLVPNTunnel type remote-access
tunnel-group YeahRightFLVPNTunnel general-attributes
 address-pool VPNPool
 authentication-server-group WinRadius
 default-group-policy YeahRightFLVPNTunnel
tunnel-group YeahRightFLVPNTunnel ipsec-attributes
 pre-shared-key *

Of course you can achieve this scenario. It is called "hairpinning". You need the following:

  • Configure the remote-access user POOL as part of the crypto access list associated with the crypto map.
  • Configure a NAT-EXEMPT or NO-NAT access list that includes that pool.

Most importantly:

  • Configure this command: "same-security-traffic permit intra-interface". It allows traffic to enter and leave the same interface on the Cisco ASA.
  • Configure the tunnel peer (the router) to include the remote-access user pool in its crypto access list, because the L2L tunnel crypto access lists must mirror each other on both peers.
  • If the remote-access users use split tunneling, make sure the subnet behind the remote peer (the router) is included in the split-tunnel access list.

See this: https://supportforums.cisco.com/message/3864922

Hope this helps.

马沙尔
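The checklist in the answer above, applied to the configuration posted in the question, as an added example that is not part of the original post or answer. The question states that the Site 1 2841 (not under the asker's control) terminates the site-to-site tunnel and only accepts 10.20.0.0/24 from the LAN, so the ASA's job is to route Site-2-bound traffic to that router, add Site 2 to the split-tunnel list, and source-NAT the VPN pool to the ASA's own inside address so that Site 2 only ever sees Site 1 addresses. The Site 2 LAN (10.30.0.0/24), the 2841's LAN address (10.20.0.1) and the ACL name vpnpool_to_site2 are placeholders assumed here; the question does not give them. The nat/global syntax is the pre-8.3 form the posted configuration already uses.

```cisco
! Added example, not from the original post. 10.30.0.0/24 (Site 2 LAN) and
! 10.20.0.1 (Site 1 2841 LAN address) are assumed placeholders.

! 1. Hand Site-2-bound traffic to the 2841, which owns the site-to-site tunnel.
route inside 10.30.0.0 255.255.255.0 10.20.0.1 1

! 2. Split tunnel: the remote client must send 10.30.0.0/24 into the ASA tunnel.
!    This is the list referenced by group-policy YeahRightFLVPNTunnel.
access-list YeahRightFLVPNTunnel_splitTunnelAcl standard permit 10.20.0.0 255.255.255.0
access-list YeahRightFLVPNTunnel_splitTunnelAcl standard permit 10.30.0.0 255.255.255.0

! 3. Make the traffic arrive at Site 2 from the Site 1 LAN: policy-PAT the VPN
!    pool (10.20.1.0/24) to the ASA inside address (10.20.0.249) only when the
!    destination is Site 2, because the 2841's crypto ACL matches 10.20.0.0/24.
!    The "outside" keyword enables NAT for traffic that enters on the outside
!    interface, which is where the remote-access tunnel terminates.
access-list vpnpool_to_site2 extended permit ip 10.20.1.0 255.255.255.0 10.30.0.0 255.255.255.0
nat (outside) 1 access-list vpnpool_to_site2 outside
global (inside) 1 interface

! 4. The existing NAT exemption (inside_nat0_outbound_1, pool <-> 10.20.0.0/24)
!    is left untouched: NAT exemption is evaluated before policy NAT, and it
!    does not match 10.30.0.0/24 destinations, so only Site 2 traffic is PATed.
```

Check the result with packet-tracer input outside tcp 10.20.1.100 1025 10.30.0.10 80 and show xlate: the trace should show the route via the inside interface and a translation of the pool address to 10.20.0.249. Translating to the interface address also means return traffic from Site 2 needs no extra route on the 2841, since 10.20.0.249 is on its own LAN. The "same-security-traffic permit intra-interface" command from the answer only becomes necessary if the site-to-site tunnel is later moved onto the ASA, because remote-user traffic would then enter and leave the outside interface.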

Please add more information and a diagram; it would be very helpful. We do not know your Site 2 IP. It seems group-inside-vpnclient is missing 10.20.0.0/24 on Site 1, and 10.21.1.0/24 is your VPN pool. You also need to create a route on the Site 1 router for the Site 2 network IP. If you are trying to reach IP 207.207.207.173 from Site 2, we really need more explanation.