Cisco Anyconnect客户端连接到VPN,但无法从客户端计算机访问任何其他networking/子网

我有一个关于VPN的大问题,我无法解决或连接点(可能会导致问题)

我们的一位客户希望用更好的东西来取代旧的snapgear,所以他们selectASA来做。

我已经在ASA中创build了所有的configuration,并在我们的testingnetworking中进行了testing。 我能够将客户机从外部连接到ASA VPN,并能ping通networking内的任何机器。 一切都很完美。 之后,我已经为客户站点设置了相同的防火墙/configuration,并且一旦我将ASA连接到他们的networking,并尝试使用任何连接从外部连接,我都无法ping他们的networking内的任何机器。 所有的networking,子网都遥不可及。

起初,我已经设置了ASA接口的静态路由和静态IP,但没有运气。 然后我设置了接口,从DHCP服务器获取IP地址,以及所有从“L3核心交换机”进行所有路由的所有路由,而没有任何运气。

ASA的configuration(dynamic)

: Saved : : Serial Number: xxxxxxxx : Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores) : ASA Version 9.5(2) ! hostname xxxxxxxx enable password xxxxxxxxxxxxxx encrypted passwd xxxxxxxxxxxxxx encrypted names ip local pool VPN_xxxxxx 10.13.3.2-10.13.3.200 mask 255.255.255.0 ! interface GigabitEthernet1/1 description WAN Connection nameif outside security-level 0 ip address xxx.xxx.xxx.88 255.255.255.224 ! interface GigabitEthernet1/2 description LAN address nameif inside security-level 100 ip address dhcp setroute ! interface GigabitEthernet1/3 description Test Connection Outside nameif testConn security-level 0 ip address xxx.xxx.xxx.218 255.255.255.248 ! interface GigabitEthernet1/4 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/5 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/6 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/7 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/8 nameif mgmtbck security-level 100 ip address 192.168.96.1 255.255.255.0 ! interface Management1/1 management-only no nameif no security-level no ip address ! ftp mode passive clock timezone GMT 0 same-security-traffic permit inter-interface same-security-traffic permit intra-interface object network obj_any subnet 0.0.0.0 0.0.0.0 object network TestConnection subnet 192.168.10.0 255.255.254.0 description TestConnection object network WANAddress host xxx.xxx.xxx.217 object network WAN_Connection subnet 192.168.10.0 255.255.254.0 description InternetConnection object network WANConnectionxxxxxx host xxx.xxx.xxx.65 object network WANConn subnet 192.168.10.0 255.255.254.0 object network NETWORK_OBJ_10.13.3.0_24 subnet 10.13.3.0 255.255.255.0 object network Network_A subnet 192.168.0.0 255.255.254.0 description Network 192.168.0.0/23 object network Network_B subnet 172.17.110.0 255.255.255.0 description Network 172.17.110.0 object network Network_C subnet 172.17.101.0 255.255.255.0 description Network 172.17.101.0/24 object network Network_D subnet 172.17.137.0 255.255.255.0 description Network 172.17.137.0/24 object network Gateway_Inside host 192.168.10.1 description inside gateway address object network OutsideNAT subnet 192.168.10.0 255.255.254.0 object-group icmp-type DM_INLINE_ICMP_1 icmp-object echo icmp-object echo-reply icmp-object time-exceeded icmp-object traceroute icmp-object unreachable access-list inside_access_in extended permit ip any any access-list inside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1 access-list 101 extended permit icmp any any echo-reply access-list 101 extended permit icmp any any source-quench access-list 101 extended permit icmp any any unreachable access-list 101 extended permit icmp any any time-exceeded access-list Split-Tunnel standard permit 192.168.10.0 255.255.254.0 pager lines 24 logging enable logging asdm informational mtu outside 1500 mtu inside 1500 mtu testConn 1500 mtu mgmtbck 1500 icmp unreachable rate-limit 1 burst-size 1 icmp permit any inside asdm image disk0:/asdm-762.bin no asdm history enable arp timeout 14400 no arp permit-nonconnected nat (inside,testConn) source static any any destination static NETWORK_OBJ_10.13.3.0_24 NETWORK_OBJ_10.13.3.0_24 no-proxy-arp route-lookup nat (inside,outside) source static any any destination static NETWORK_OBJ_10.13.3.0_24 NETWORK_OBJ_10.13.3.0_24 no-proxy-arp route-lookup ! object network WANConn nat (inside,testConn) dynamic interface dns object network OutsideNAT nat (inside,outside) dynamic interface dns access-group 101 in interface outside access-group inside_access_in in interface inside access-group 101 in interface testConn route testConn 0.0.0.0 0.0.0.0 xxx.xxx.xxx.217 1 route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.65 2 route inside 172.17.101.0 255.255.255.0 192.168.10.1 1 route inside 172.17.110.0 255.255.255.0 192.168.10.1 1 route inside 172.17.137.0 255.255.255.0 192.168.10.1 1 route inside 192.168.0.0 255.255.254.0 192.168.10.1 1 timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 aaa-server NPS protocol radius aaa-server NPS (inside) host 192.168.0.186 key ***** user-identity default-domain LOCAL aaa authentication http console LOCAL aaa authentication ssh console LOCAL http server enable http 192.168.1.0 255.255.255.0 inside http 192.168.10.0 255.255.254.0 inside http 192.168.96.0 255.255.255.0 mgmtbck no snmp-server location no snmp-server contact service sw-reset-button crypto ipsec ikev2 ipsec-proposal DES protocol esp encryption des protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal 3DES protocol esp encryption 3des protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES protocol esp encryption aes protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES192 protocol esp encryption aes-192 protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES256 protocol esp encryption aes-256 protocol esp integrity sha-1 md5 crypto ipsec security-association pmtu-aging infinite crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map outside_map interface outside crypto map testConn_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map testConn_map interface testConn crypto ca trustpoint xxxxxxxx enrollment self fqdn xxxxxx.local subject-name CN=xxxxxxxx serial-number proxy-ldc-issuer crl configure crypto ca trustpool policy crypto ca certificate chain xxxxxxxx certificate cffdf657 3082036f 30820257 a0030201 020204cf fdf65730 0d06092a 864886f7 0d010105 05003047 31133011 06035504 03130a41 646d6972 616c4153 41313030 12060355 0405130b 4a414432 30323330 34435430 1a06092a 864886f7 0d010902 160d6164 6d697261 6c2e6c6f 63616c30 1e170d31 36313030 37303234 3431335a 170d3236 31303035 30323434 31335a30 47311330 11060355 0403130a 41646d69 72616c41 121616e7 7014f20f dbf9733a bca6055a 15f68e68 8fa67ea5 0c63d7ed 712e5517 a392775d 2f4bdd5a df207e10 0413c878 fba699 quit crypto ikev2 policy 1 encryption aes-256 integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 10 encryption aes-192 integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 20 encryption aes integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 30 encryption 3des integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 40 encryption des integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 enable outside client-services port 443 crypto ikev2 enable testConn client-services port 443 crypto ikev2 remote-access trustpoint xxxxxxxx crypto ikev1 enable outside crypto ikev1 enable testConn crypto ikev1 policy 20 authentication rsa-sig encryption aes-256 hash sha group 2 lifetime 86400 crypto ikev1 policy 30 authentication pre-share encryption aes-256 hash sha group 2 lifetime 86400 crypto ikev1 policy 50 authentication rsa-sig encryption aes-192 hash sha group 2 lifetime 86400 crypto ikev1 policy 60 authentication pre-share encryption aes-192 hash sha group 2 lifetime 86400 crypto ikev1 policy 80 authentication rsa-sig encryption aes hash sha group 2 lifetime 86400 crypto ikev1 policy 90 authentication pre-share encryption aes hash sha group 2 lifetime 86400 crypto ikev1 policy 110 authentication rsa-sig encryption 3des hash sha group 2 lifetime 86400 crypto ikev1 policy 120 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto ikev1 policy 140 authentication rsa-sig encryption des hash sha group 2 lifetime 86400 crypto ikev1 policy 150 authentication pre-share encryption des hash sha group 2 lifetime 86400 telnet timeout 5 no ssh stricthostkeycheck ssh 192.168.10.0 255.255.254.0 inside ssh timeout 5 ssh key-exchange group dh-group1-sha1 console timeout 0 dhcp-client client-id interface inside dhcpd auto_config outside ! threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept ntp server xxx.xxx.xxx.44 source testConn prefer ssl trust-point xxxxxxxx outside ssl trust-point xxxxxxxx inside ssl trust-point xxxxxxxx testConn ssl trust-point xxxxxxxx mgmtbck webvpn enable outside enable testConn anyconnect image disk0:/anyconnect-win-4.3.01095-k9.pkg 1 anyconnect profiles xxxxxxMain_client_profile disk0:/xxxxxxMain_client_profile.xml anyconnect profiles xxxxxx_client_profile disk0:/xxxxxx_client_profile.xml anyconnect profiles TestVPN_client_profile disk0:/TestVPN_client_profile.xml anyconnect enable tunnel-group-list enable cache disable error-recovery disable group-policy GroupPolicy_TestVPN internal group-policy GroupPolicy_TestVPN attributes wins-server none dns-server value 8.8.8.8 vpn-tunnel-protocol ikev2 ssl-client split-tunnel-policy tunnelspecified split-tunnel-network-list value Split-Tunnel default-domain none webvpn anyconnect profiles value TestVPN_client_profile type user group-policy GroupPolicy_xxxxxxMain internal group-policy GroupPolicy_xxxxxxMain attributes wins-server none dns-server value 8.8.8.8 vpn-tunnel-protocol ikev2 ssl-client split-tunnel-policy tunnelspecified split-tunnel-network-list value Split-Tunnel default-domain none webvpn anyconnect profiles value xxxxxxMain_client_profile type user group-policy GroupPolicy_VPN internal group-policy GroupPolicy_VPN attributes wins-server none dns-server value 8.8.8.8 vpn-tunnel-protocol ssl-client default-domain none group-policy Policy_xxxxxx internal group-policy Policy_xxxxxx attributes vpn-tunnel-protocol ssl-clientless webvpn url-list none dynamic-access-policy-record DfltAccessPolicy username admin password xxxxxxxx encrypted privilege 15 tunnel-group VPN type remote-access tunnel-group VPN general-attributes address-pool VPN_xxxxxx default-group-policy GroupPolicy_VPN tunnel-group VPN webvpn-attributes group-alias VPN enable tunnel-group TestVPN type remote-access tunnel-group TestVPN general-attributes address-pool VPN_xxxxxx default-group-policy GroupPolicy_TestVPN tunnel-group TestVPN webvpn-attributes group-alias TestVPN enable tunnel-group xxxxxxMain type remote-access tunnel-group xxxxxxMain general-attributes address-pool VPN_xxxxxx authentication-server-group NPS default-group-policy GroupPolicy_xxxxxxMain tunnel-group xxxxxxMain webvpn-attributes group-alias xxxxxxMain enable tunnel-group VPN_SSL type remote-access tunnel-group VPN_SSL general-attributes default-group-policy Policy_xxxxxx ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options ! service-policy global_policy global prompt hostname context no call-home reporting anonymous Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx : end 

configuration – 静态

 : Saved : : Serial Number: xxxxxxxx : Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores) : Written by xxxxx at 08:27:30.065 GMT Wed Oct 12 2016 ! ASA Version 9.5(2) ! hostname xxxxxxxxASA enable password xxxxxxxxxxxxxxxxxxxxxxxx encrypted passwd xxxxxxxxxxxxxxxxxxxxxxxx encrypted names ip local pool VPN_xxxxxxxx 10.13.3.2-10.13.3.254 mask 255.255.255.0 ! interface GigabitEthernet1/1 description WAN Connection nameif outside security-level 0 ip address xxx.xxx.xxx.88 255.255.255.224 ! interface GigabitEthernet1/2 description LAN address nameif inside security-level 100 ip address 192.168.10.3 255.255.254.0 ! interface GigabitEthernet1/3 description Test Connection Outside nameif testConn security-level 0 ip address xxx.xxx.xxx.218 255.255.255.248 ! interface GigabitEthernet1/4 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/5 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/6 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/7 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/8 shutdown no nameif no security-level no ip address ! interface Management1/1 management-only no nameif no security-level no ip address ! ftp mode passive clock timezone GMT 0 same-security-traffic permit inter-interface same-security-traffic permit intra-interface object network obj_any subnet 0.0.0.0 0.0.0.0 object network TestConnection subnet 192.168.10.0 255.255.254.0 description TestConnection object network WANAddress host xxx.xxx.xxx.217 object network WAN_Connection subnet 192.168.10.0 255.255.254.0 description InternetConnection object network WANConnectionxxxxxxxx host xxx.xxx.xxx.65 object network WANConn subnet 192.168.10.0 255.255.254.0 object network NETWORK_OBJ_10.13.3.0_24 subnet 10.13.3.0 255.255.255.0 object network Network_A subnet 192.168.0.0 255.255.254.0 description Network 192.168.0.0/23 object network Network_B subnet 172.17.110.0 255.255.255.0 description Network 172.17.110.0 object network Network_C subnet 172.17.101.0 255.255.255.0 description Network 172.17.101.0/24 object network Network_D subnet 172.17.137.0 255.255.255.0 description Network 172.17.137.0/24 object network Gateway_Inside host 192.168.10.1 description inside gateway address object network OutsideNAT subnet 192.168.10.0 255.255.254.0 object-group icmp-type DM_INLINE_ICMP_1 icmp-object echo icmp-object echo-reply icmp-object time-exceeded icmp-object traceroute icmp-object unreachable access-list inside_access_in extended permit ip any any access-list inside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1 access-list 101 extended permit icmp any any echo-reply access-list 101 extended permit icmp any any source-quench access-list 101 extended permit icmp any any unreachable access-list 101 extended permit icmp any any time-exceeded access-list Split-Tunnel standard permit 192.168.10.0 255.255.254.0 pager lines 24 logging enable logging asdm informational mtu outside 1500 mtu inside 1500 mtu testConn 1500 icmp unreachable rate-limit 1 burst-size 1 icmp permit any inside asdm image disk0:/asdm-762.bin no asdm history enable arp timeout 14400 no arp permit-nonconnected nat (inside,testConn) source static any any destination static NETWORK_OBJ_10.13.3.0_24 NETWORK_OBJ_10.13.3.0_24 no-proxy-arp route-lookup nat (inside,outside) source static any any destination static NETWORK_OBJ_10.13.3.0_24 NETWORK_OBJ_10.13.3.0_24 no-proxy-arp route-lookup ! object network WANConn nat (inside,testConn) dynamic interface dns object network OutsideNAT nat (inside,outside) dynamic interface dns access-group 101 in interface outside access-group inside_access_in in interface inside access-group 101 in interface testConn route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.65 1 route testConn 0.0.0.0 0.0.0.0 xxx.xxx.xxx.217 3 route inside 172.17.101.0 255.255.255.0 192.168.10.1 1 route inside 172.17.110.0 255.255.255.0 192.168.10.1 1 route inside 172.17.137.0 255.255.255.0 192.168.10.1 1 route inside 192.168.0.0 255.255.254.0 192.168.10.1 1 timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 aaa-server NPS protocol radius aaa-server NPS (inside) host 192.168.0.186 key xxxxxxx user-identity default-domain LOCAL aaa authentication http console LOCAL aaa authentication ssh console LOCAL http server enable http 192.168.1.0 255.255.255.0 inside http 192.168.10.0 255.255.254.0 inside no snmp-server location no snmp-server contact service sw-reset-button crypto ipsec ikev2 ipsec-proposal AES256 protocol esp encryption aes-256 protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES192 protocol esp encryption aes-192 protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES protocol esp encryption aes protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal 3DES protocol esp encryption 3des protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal DES protocol esp encryption des protocol esp integrity sha-1 md5 crypto ipsec security-association pmtu-aging infinite crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map outside_map interface outside crypto map testConn_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map testConn_map interface testConn crypto ca trustpoint xxxxxxxxCert enrollment self fqdn xxxxxxxx.local subject-name CN=xxxxxxxxASA serial-number proxy-ldc-issuer crl configure crypto ca trustpool policy crypto ca certificate chain xxxxxxxxCert certificate cffdf657 3082036f 30820257 a0030201 020204cf fdf65730 0d06092a 864886f7 0d010105 05003047 31133011 06035504 03130a41 646d6972 616c4153 41313030 12060355 0405130b 4a414432 30323330 34435430 1a06092a 864886f7 0d010902 160d6164 6d697261 6c2e6c6f 63616c30 1e170d31 36313030 37303234 3431335a 170d3236 31303035 30323434 31335a30 47311330 11060355 0403130a 41646d69 72616c41 89dcd2ca 48d03495 655c1b39 35d26809 40d73e65 8bebfe10 c3c07753 75d6ba67 e7fd3326 5ee135c4 bf96971a 99e5ed5c 72c22c56 bda3e047 97f5e667 57504628 5b64c134 279b5205 2ebf37fe 81174d03 e2c9a30f acdf2893 f3136e20 4221bca0 121616e7 7014f20f dbf9733a bca6055a 15f68e68 8fa67ea5 0c63d7ed 712e5517 a392775d 2f4bdd5a df207e10 0413c878 fba699 quit crypto ikev2 policy 1 encryption aes-256 integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 10 encryption aes-192 integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 20 encryption aes integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 30 encryption 3des integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 40 encryption des integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 enable outside client-services port 443 crypto ikev2 enable testConn client-services port 443 crypto ikev2 remote-access trustpoint xxxxxxxxCert crypto ikev1 enable outside crypto ikev1 enable testConn crypto ikev1 policy 20 authentication rsa-sig encryption aes-256 hash sha group 2 lifetime 86400 crypto ikev1 policy 30 authentication pre-share encryption aes-256 hash sha group 2 lifetime 86400 crypto ikev1 policy 50 authentication rsa-sig encryption aes-192 hash sha group 2 lifetime 86400 crypto ikev1 policy 60 authentication pre-share encryption aes-192 hash sha group 2 lifetime 86400 crypto ikev1 policy 80 authentication rsa-sig encryption aes hash sha group 2 lifetime 86400 crypto ikev1 policy 90 authentication pre-share encryption aes hash sha group 2 lifetime 86400 crypto ikev1 policy 110 authentication rsa-sig encryption 3des hash sha group 2 lifetime 86400 crypto ikev1 policy 120 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto ikev1 policy 140 authentication rsa-sig encryption des hash sha group 2 lifetime 86400 crypto ikev1 policy 150 authentication pre-share encryption des hash sha group 2 lifetime 86400 telnet timeout 5 no ssh stricthostkeycheck ssh 192.168.10.0 255.255.254.0 inside ssh timeout 5 ssh key-exchange group dh-group1-sha1 console timeout 0 dhcpd auto_config outside ! threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept ntp server xxx.xxx.xxx.44 source testConn prefer ssl trust-point xxxxxxxxCert outside ssl trust-point xxxxxxxxCert inside ssl trust-point xxxxxxxxCert testConn webvpn enable outside enable testConn anyconnect image disk0:/anyconnect-win-4.3.01095-k9.pkg 1 anyconnect profiles xxxxxxxxVPNMain_client_profile disk0:/xxxxxxxxVPNMain_client_profile.xml anyconnect profiles xxxxxxxxVPN_client_profile disk0:/xxxxxxxxVPN_client_profile.xml anyconnect profiles TestVPN_client_profile disk0:/TestVPN_client_profile.xml anyconnect enable tunnel-group-list enable cache disable error-recovery disable group-policy GroupPolicy_xxxxxxxxVPN internal group-policy GroupPolicy_xxxxxxxxVPN attributes wins-server none dns-server value 8.8.8.8 vpn-tunnel-protocol ikev2 ssl-client split-tunnel-policy tunnelspecified split-tunnel-network-list value Split-Tunnel default-domain none webvpn anyconnect profiles value xxxxxxxxVPN_client_profile type user group-policy GroupPolicy_TestVPN internal group-policy GroupPolicy_TestVPN attributes wins-server none dns-server value 8.8.8.8 vpn-tunnel-protocol ikev2 ssl-client split-tunnel-policy tunnelspecified split-tunnel-network-list value Split-Tunnel default-domain none webvpn anyconnect profiles value TestVPN_client_profile type user group-policy GroupPolicy_xxxxxxxxVPNMain internal group-policy GroupPolicy_xxxxxxxxVPNMain attributes wins-server none dns-server value 8.8.8.8 vpn-tunnel-protocol ikev2 ssl-client split-tunnel-policy tunnelspecified split-tunnel-network-list value Split-Tunnel default-domain none webvpn anyconnect profiles value xxxxxxxxVPNMain_client_profile type user dynamic-access-policy-record DfltAccessPolicy username xxxxx password xxxxxxxxxxx encrypted privilege 15 tunnel-group xxxxxxxxVPN type remote-access tunnel-group xxxxxxxxVPN general-attributes address-pool VPN_xxxxxxxx default-group-policy GroupPolicy_xxxxxxxxVPN tunnel-group xxxxxxxxVPN webvpn-attributes group-alias xxxxxxxxVPN enable tunnel-group TestVPN type remote-access tunnel-group TestVPN general-attributes address-pool VPN_xxxxxxxx default-group-policy GroupPolicy_TestVPN tunnel-group TestVPN webvpn-attributes group-alias TestVPN enable tunnel-group xxxxxxxxVPNMain type remote-access tunnel-group xxxxxxxxVPNMain general-attributes address-pool VPN_xxxxxxxx authentication-server-group NPS default-group-policy GroupPolicy_xxxxxxxxVPNMain tunnel-group xxxxxxxxVPNMain webvpn-attributes group-alias xxxxxxxxVPNMain enable ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options ! service-policy global_policy global prompt hostname context no call-home reporting anonymous Cryptochecksum:x : end 

将ASA直接连接到的交换机configuration,并执行所有路由。

Snapgear VPN的工作路线

工作路线

ASA VPN路由(不工作)

连接到ASA的路由

另外我需要告诉你,当我连接到客户networking的ASA时,我可以从ASA ping任何子网/networking的任何接口,这意味着路由设置正确,但是尽快使用VPN并尝试从外部ping内部设备/服务器/接口的隧道,我无法到达他们中的任何一个…

什么可能导致这个问题?

先谢谢你,祝你有个美好的一天。

保持ASA上的“静态”configuration。

在核心交换机上,为ASA的内部IP地址192.168.10.3添加10.13.3.0/24(Anyconnect IP池)的路由作为下一跳。

编辑:请注意,您的拆分隧道configuration将导致只有stream量到192.168.10.0/23隧道,如果你想能够到达任何其他地址的内部,那么你将需要将这些networking添加到拆分隧道名单。

即你现在有(我只显示一个组策略,其他人也一样):

 group-policy GroupPolicy_xxxxxxxxVPN attributes split-tunnel-policy tunnelspecified split-tunnel-network-list value Split-Tunnel 

它是指这个ACL:

 access-list Split-Tunnel standard permit 192.168.10.0 255.255.254.0 

所以这意味着当客户端在192.168.10.0/23networking时,客户端只能通过隧道发送stream量。 stream量到互联网,但也stream量如172.17.xx不会通过隧道发送,而是发送到正常的默认网关(因此172.17.xx将无法访问)。

如果您希望172.17.xx和192.168.0.0/23也可以访问,则需要将这些networking添加到拆分隧道ACL:

 access-list Split-Tunnel standard permit 172.17.101.0 255.255.255.0 access-list Split-Tunnel standard permit 172.17.110.0 255.255.255.0 access-list Split-Tunnel standard permit 172.17.137.0 255.255.255.0 access-list Split-Tunnel standard permit 192.168.0.0 255.255.254.0 

或者你也可以保持简短,并将其扩展到:

 access-list Split-Tunnel standard permit 172.16.0.0 255.240.0.0 access-list Split-Tunnel standard permit 192.168.0.0 255.255.0.0 no access-list Split-Tunnel standard permit 192.168.10.0 255.255.254.0 

或者,您可以将隧道策略改为“隧道策略”,以便通过隧道发送所有stream量(包括互联网stream量!),但是您需要进行一些更改,然后才能允许Internetstream量创build一个U – 在ASA上打开,参见AnyConnect VPN客户端U形车削configuration示例