Cisco ASA 5505: no access to the LAN over VPN

I have been fighting with this ASA 5505 all day. I am really new to this and need the community's help! I have fully configured the Cisco 5505 so that I can browse the Internet through the VPN connection, but I cannot reach anything on the LAN side (my remote resources). When connected over the VPN (Cisco VPN Client) I also want to reach the firewall itself with ASDM or SSH.

Here is my configuration:

CiscoASA(config)# show run
: Saved
:
ASA Version 9.0(1)
!
hostname CiscoASA
enable password s/ffffuuuuuuuuu encrypted
passwd ffffuuuuuuuuu encrypted
names
ip local pool VPN_IP_POOL 10.0.3.80-10.0.3.90 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.2.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XX.XX.XX.XX 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server XX.XX.XX.XX
 name-server XX.XX.XX.XX
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.0.2.0_24
 subnet 10.0.2.0 255.255.255.0
object network NETWORK_OBJ_10.0.3.80_28
 subnet 10.0.3.80 255.255.255.240
object network obj-vpnpool
access-list Default_Tunnel_Group_Name_VPN_splitTunnelAcl standard permit 10.0.2.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_10.0.2.0_24 NETWORK_OBJ_10.0.2.0_24 destination static NETWORK_OBJ_10.0.3.80_28 NETWORK_OBJ_10.0.3.80_28 no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.XX 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.0.2.0 255.255.255.0 inside
http 10.0.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto isakmp nat-traversal 30
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 10.0.2.0 255.255.255.0 inside
ssh 10.0.3.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 213.132.202.192 source outside
ntp server 72.251.252.11 source outside
ntp server 131.211.8.244 source outside
group-policy Default_Tunnel_Group_Name_VPN internal
group-policy Default_Tunnel_Group_Name_VPN attributes
 dns-server value XX.XX.XX.XX XX.XX.XX.XX
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Default_Tunnel_Group_Name_VPN_splitTunnelAcl
username admin password ffffuuuuuuuuu encrypted privilege 15
username USERNAME password ffffuuuuuuuuu encrypted privilege 0
username USERNAME attributes
 vpn-group-policy Default_Tunnel_Group_Name_VPN
tunnel-group Default_Tunnel_Group_Name_VPN type remote-access
tunnel-group Default_Tunnel_Group_Name_VPN general-attributes
 address-pool VPN_IP_POOL
 default-group-policy Default_Tunnel_Group_Name_VPN
tunnel-group Default_Tunnel_Group_Name_VPN ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:161376d95d28d1e4085c029b0ae9e273
: end
CiscoASA(config)#

Please make sure any examples use the new NAT configuration style. That would help me a lot.

Normally the Cisco VPN Client's virtual network adapter captures all packets and sends them over the VPN connection, even when the destination IP address is in the local LAN.

You can try enabling "Allow Local LAN Access" in the "Transport" tab of the connection properties. If that does not work, split tunneling has to be configured on the ASA.
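As an added illustration of the answer's second suggestion (this is an example written for this page, not part of the original answer or of the question's config), here is what split tunneling looks like on the ASA in the new object-based NAT style, reusing the object, ACL and group-policy names already present in the posted running config. The `management-access inside` line and the tightened `ssh`/`http` masks are my own additions, not something the answer states: remote-access sessions terminate on `outside`, so SSH or ASDM to the inside address 10.0.2.254 from a VPN client only works once the inside interface is declared reachable through the tunnel. The host 10.0.2.10 in the `packet-tracer` check is hypothetical.

```text
! --- Added example, not from the original answer ---
! Split tunnel: only 10.0.2.0/24 is sent through the tunnel; everything else,
! including the client's own local LAN, stays on the client's physical adapter.
access-list Default_Tunnel_Group_Name_VPN_splitTunnelAcl standard permit 10.0.2.0 255.255.255.0

group-policy Default_Tunnel_Group_Name_VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Default_Tunnel_Group_Name_VPN_splitTunnelAcl

! NAT exemption in the post-8.3 "twice NAT" style: traffic between the inside
! subnet and the VPN pool must not be caught by the dynamic PAT on "outside".
! This is the same rule the question already has; shown here for completeness.
object network NETWORK_OBJ_10.0.2.0_24
 subnet 10.0.2.0 255.255.255.0
object network NETWORK_OBJ_10.0.3.80_28
 subnet 10.0.3.80 255.255.255.240
nat (inside,outside) source static NETWORK_OBJ_10.0.2.0_24 NETWORK_OBJ_10.0.2.0_24 destination static NETWORK_OBJ_10.0.3.80_28 NETWORK_OBJ_10.0.3.80_28 no-proxy-arp route-lookup

! Managing the ASA itself over the VPN (my addition, not in the answer):
! VPN sessions arrive on "outside", so the inside address 10.0.2.254 is only
! reachable for SSH/ASDM through the tunnel with management-access enabled.
! The ssh/http statements then keep naming "inside"; the mask is narrowed
! from the /24 in the question to the actual pool block (assumption).
management-access inside
ssh 10.0.3.80 255.255.255.240 inside
http 10.0.3.80 255.255.255.240 inside

! Checks to run while a client is connected
show vpn-sessiondb remote
show nat detail
! 10.0.2.10 is a hypothetical LAN host; the trace should end with "ALLOW"
! and show the NAT-exempt rule, not the dynamic PAT on obj_any.
packet-tracer input outside tcp 10.0.3.81 1025 10.0.2.10 445
```

Two points to verify on the client side: after connecting, the VPN client's route list should contain only 10.0.2.0/24 as a secured route, and `show vpn-sessiondb remote` should list the client with an address from 10.0.3.80-90. Separately, the posted config still carries the ASA's default IKEv1 policy list down to DES, 3DES and MD5 transform sets; once the tunnel works, trimming that list to the AES/SHA policies the client actually negotiates is a cheap hardening step.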