I have a problem with Cisco AnyConnect VPN that I cannot solve: one minute it works fine for a week or two, the next it stops dead, with no connectivity once the VPN's inside interface is established.
Basically the VPN connects without any problem, but I can't access any resources; it looks like traffic is making its way to servers such as DNS, but the responses aren't making it back!
I can ping the server from my inside interface and vice versa, so I have ruled out a routing problem.
I have also uninstalled NetBalancer to rule that out as the cause.
Result of the command: "sh run"

: Hardware: ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz, 1 CPU (8 cores)
:
ASA Version 9.6(1)
!
hostname pegasus
domain-name jth.local
enable password IFomWluDEyOnsYVw encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool PegasusPool 10.200.10.2-10.200.10.253 mask 255.255.255.0
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address ***********************
!
interface GigabitEthernet1/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2.843
 vlan 843
 nameif Inside
 security-level 99
 ip address 10.200.10.1 255.255.255.0
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 nameif management
 security-level 100
 ip address ***************
!
ftp mode passive
dns domain-lookup Inside
dns server-group DefaultDNS
 expire-entry-timer minutes 60
 name-server *************102 Inside
 name-server *************101 Inside
 domain-name *****************
Objects************************
 description DNS Resolution
access-list outside_access_in extended deny ip any any
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list Inside_access_in extended permit tcp any object dc3.***** eq domain
access-list Inside_access_in extended permit tcp any object dc1.***** eq domain
access-list Inside_access_in extended permit tcp any object api-****************.duosecurity.com eq ldaps
access-list Inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu Inside 1500
mtu management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group outside_access_in in interface outside
access-group Inside_access_in in interface Inside
route Inside 0.0.0.0 0.0.0.0 10.200.10.254 1
route outside 10.0.10.0 255.255.255.0 192.168.192.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map MAP-ANYCONNECT-LOGIN
 map-name memberOf Group-Policy
 map-value memberOf CN=AuthorisedAAAUsers,CN=Users,DC=JTH,DC=local GroupPolicy_pegasus
aaa-server LDAPSERVERS protocol ldap
aaa-server LDAPSERVERS (Inside) host *************
 timeout 30
 ldap-base-dn dc=*****,dc=*****
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=Cisco Authentication,CN=Users,DC=****,DC=****
 server-type microsoft
 ldap-attribute-map MAP-ANYCONNECT-LOGIN
 group-search-timeout 30
aaa-server Duo-Ldap protocol ldap
aaa-server Duo-Ldap (Inside) host api-****************.duosecurity.com
 timeout 180
 server-port 636
 ldap-base-dn dc=*********************,dc=duosecurity,dc=com
 ldap-naming-attribute cn
 ldap-login-password *****
 ldap-login-dn dc=********************,dc=duosecurity,dc=com
 ldap-over-ssl enable
 server-type auto-detect
user-identity default-domain LOCAL
aaa local authentication attempts max-fail 3
http server enable
http ************************* management
no snmp-server location
no snmp-server contact
sysopt noproxyarp Inside
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint 1&1Certificate
 keypair ASDM_TrustPoint0
 crl configure
crypto ca trustpool policy
crypto ca certificate chain 1&1Certificate
 certificate ******************************************
 quit
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
ssl server-version tlsv1.2
ssl cipher dtlsv1 custom "DHE-RSA-AES256-SHA:AES256-SHA"
ssl trust-point 1&1Certificate outside
webvpn
 enable outside
 hostscan image disk0:/hostscan_4.3.05028-k9.pkg
 hostscan enable
 anyconnect image disk0:/anyconnect-win-4.5.02033-webdeploy-k9.pkg 1
 anyconnect profiles pegasus disk0:/pegasus.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
 mus password *****
group-policy NoAccess internal
group-policy NoAccess attributes
 dns-server value ********************************************
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ssl-client ssl-clientless
 webvpn
  customization value CiscoDuo
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_pegasus internal
group-policy GroupPolicy_pegasus attributes
 wins-server none
 dns-server value ****************************************
 vpn-simultaneous-logins 25
 vpn-tunnel-protocol ssl-client
 password-storage disable
 default-domain value *****
 webvpn
  anyconnect ssl dtls enable
  anyconnect ssl compression lzs
  anyconnect dtls compression lzs
  anyconnect modules value dart,posture
  anyconnect profiles value pegasus type user
  customization value CiscoDuo
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record PegasusACL
 description "Pegasus Allowed Clients"
username ***************************************************
username *********************************************************
tunnel-group pegasus type remote-access
tunnel-group pegasus general-attributes
 address-pool PegasusPool
 authentication-server-group LDAPSERVERS LOCAL
 secondary-authentication-server-group Duo-Ldap use-primary-username
 default-group-policy NoAccess
tunnel-group pegasus webvpn-attributes
 customization CiscoDuo
 group-alias pegasus enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect dns preset_dns_map
  inspect icmp
  inspect icmp error
  inspect ip-options
 class class-default
  user-statistics accounting
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
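Added example, not part of the question above and not Cisco tooling. One thing a reviewer notices in the posted config: the AnyConnect pool PegasusPool (10.200.10.2-10.200.10.253) is carved out of the same /24 as the Inside interface (10.200.10.1/24), the default route points at 10.200.10.254 on that same VLAN 843, and `sysopt noproxyarp Inside` is set. In that arrangement the ASA is the only device that can answer ARP for client addresses on the VLAN; with proxy ARP disabled, a reply that 10.200.10.254 forwards toward 10.200.10.x has no MAC to go to, which would look exactly like packets reaching the servers and responses never coming back. Pinging from the ASA's Inside interface does not exercise this path, because those pings are sourced from 10.200.10.1 rather than from a pool address. Whether this is the actual cause cannot be confirmed from the post, and an ARP problem of this kind is usually constant rather than intermittent, so if the check below fires it is a misconfiguration to fix regardless but may not be the whole story. The script parses only the relevant `sh run` lines and flags the combination; the function names are this example's own, and the outside address in the sample is a documentation-range placeholder because the post masks it.

```python
"""Flag a Cisco ASA VPN address pool that sits inside a directly connected
interface subnet while proxy ARP is disabled on that interface.

Added example, not code from the original post. It parses only the 'sh run'
lines the check needs (ip local pool, interface nameif / ip address, route,
sysopt noproxyarp) and ignores everything else.
"""
import ipaddress
import re

# Constructed sample: the relevant lines copied from the posted config. The
# outside address was masked in the post; 203.0.113.2/24 is a documentation-
# range placeholder, not the real value.
SAMPLE_CONFIG = """\
ip local pool PegasusPool 10.200.10.2-10.200.10.253 mask 255.255.255.0
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet1/2.843
 vlan 843
 nameif Inside
 security-level 99
 ip address 10.200.10.1 255.255.255.0
!
route Inside 0.0.0.0 0.0.0.0 10.200.10.254 1
route outside 10.0.10.0 255.255.255.0 192.168.192.254 1
sysopt noproxyarp Inside
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)")
NAMEIF_RE = re.compile(r"^\s+nameif (\S+)")
ADDR_RE = re.compile(r"^\s+ip address (\S+) (\S+)")   # ' no ip address' does not match
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")
NOPROXYARP_RE = re.compile(r"^sysopt noproxyarp (\S+)")


def parse_config(text):
    """Return (pools, interfaces, noproxyarp, routes).

    pools:      name -> (first, last) as IPv4Address
    interfaces: nameif -> IPv4Interface (address plus its connected subnet)
    noproxyarp: set of nameifs carrying 'sysopt noproxyarp'
    routes:     list of (nameif, IPv4Network, gateway string)
    """
    pools, interfaces, noproxyarp, routes = {}, {}, set(), []
    current = None  # nameif of the interface block being read
    for line in text.splitlines():
        if line.startswith("interface "):
            current = None  # new block; its nameif follows on a sub-line
            continue
        m = NAMEIF_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ADDR_RE.match(line)
        if m and current is not None:
            interfaces[current] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            continue
        m = POOL_RE.match(line)
        if m:
            name, first, last, _mask = m.groups()
            pools[name] = (ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
            continue
        m = ROUTE_RE.match(line)
        if m:
            nameif, dest, mask, gateway = m.groups()
            routes.append((nameif, ipaddress.IPv4Network(f"{dest}/{mask}", strict=False), gateway))
            continue
        m = NOPROXYARP_RE.match(line)
        if m:
            noproxyarp.add(m.group(1))
    return pools, interfaces, noproxyarp, routes


def find_pool_overlaps(pools, interfaces, noproxyarp):
    """Return [(pool, nameif, proxy_arp_disabled)] for every pool whose range
    touches an interface's connected subnet (inside it, or straddling it)."""
    findings = []
    for pool, (first, last) in pools.items():
        for nameif, iface in interfaces.items():
            net = iface.network
            touches = first in net or last in net or (first < net[0] and last > net[-1])
            if touches:
                findings.append((pool, nameif, nameif in noproxyarp))
    return findings


def gateways_on(routes, nameif):
    """Next hops reachable via the named interface: the hosts that will ARP for
    VPN client addresses on that VLAN when server replies come back."""
    return sorted({gw for ifn, _net, gw in routes if ifn == nameif})


def report(text):
    """Human-readable finding lines for one running-config."""
    pools, interfaces, noproxyarp, routes = parse_config(text)
    lines = []
    for pool, nameif, no_parp in find_pool_overlaps(pools, interfaces, noproxyarp):
        first, last = pools[pool]
        net = interfaces[nameif].network
        state = ("DISABLED (sysopt noproxyarp): the next hop gets no ARP reply for "
                 "client addresses, so replies die on the VLAN" if no_parp
                 else "enabled, the ASA answers ARP for the pool")
        lines.append(f"pool {pool} ({first}-{last}) lies in connected subnet {net} of "
                     f"interface {nameif}; next hops there: "
                     f"{', '.join(gateways_on(routes, nameif)) or 'none'}; proxy ARP {state}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG) or ["no pool/interface subnet overlap found"]:
        print(line)
```

If the check fires, the two usual remedies are to move the pool to a subnet that is not configured on any ASA interface and add a static route for it on the 10.200.10.254 gateway pointing at 10.200.10.1, or to remove `sysopt noproxyarp Inside` so the ASA answers ARP for the pool. To confirm on the running box, look at the ARP table on 10.200.10.254 for a connected client's address during a failed session, and run `capture` on the ASA's Inside interface filtered on that client address to see whether the server's replies ever arrive.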