ASA5520 VPN configuration help [content updated]
The VPN dial-in address pool is configured as: vpnpool 10.0.20.129-10.0.20.254
The ASA firewall's inside address is: 10.0.99.10
Topology:
Remote VPN user dials in -> ASA 5520 firewall -> Layer-3 switch (the VLANs on the Layer-3 switch can reach one another)
After configuring the IPsec VPN through ASDM, I found that the internal address the VPN client obtains is the same as its gateway address; it cannot open web pages, but it can telnet to 10.0.99.10 (the ASA firewall's inside address).
Also, on the Layer-3 switch the 10.0.99.0 subnet and the 10.0.20.0 subnet can reach each other.
The symptoms are as follows:
Connection-specific DNS Suffix . : cbdom.com
Description . . . . . . . . . . . : Cisco Systems VPN Adapter
Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.0.20.129
Subnet Mask . . . . . . . . . . . : 255.255.255.128
Default Gateway . . . . . . . . . : 10.0.20.129
DNS Servers . . . . . . . . . . . : 10.0.3.24
                                    10.0.3.2
Primary WINS Server . . . . . . . : 10.0.3.24
Secondary WINS Server . . . . . . : 10.0.3.2
ASA Version 7.0(8)
!
Hostname asa5520
domain-name default.domain.invalid
enable password lMOXcvCwVH0YDnbi encrypted
passwd lMOXcvCwVH0YDnbi encrypted
names
dns-guard
!
interface GigabitEthernet0/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
nameif outside
security-level 0
ip address *.*.*.4 255.255.255.248
!
interface GigabitEthernet0/3
nameif inside
security-level 100
ip address 10.0.99.10 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
access-list acl-outside extended permit icmp any any
access-list inside_nat0_outbound extended permit ip any 10.0.20.128 255.255.255.128
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 10.0.0.0 255.255.0.0
access-list acl_inside extended deny ip host 10.0.3.22 any
access-list acl_inside extended deny ip host 10.0.3.23 any
access-list acl_inside extended deny ip host 10.0.3.24 any
access-list acl_inside extended deny ip host 10.0.3.28 any
access-list acl_inside extended deny ip host 10.0.3.29 any
access-list acl_inside extended permit tcp host 10.0.3.25 any eq 445
access-list acl_inside extended permit tcp host 10.0.3.25 any eq 88
access-list acl_inside extended permit tcp host 10.0.3.25 any eq domain
access-list acl_inside extended permit udp host 10.0.3.25 any eq domain
access-list acl_inside extended permit udp host 10.0.3.25 any eq 389
access-list acl_inside extended permit udp host 10.0.3.25 any eq 88
access-list acl_inside extended permit udp host 10.0.3.25 any eq 445
access-list acl_inside extended deny ip host 10.0.3.25 any
access-list acl_inside extended permit ip any any
pager lines 24
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 10.0.20.129-10.0.20.254 mask 255.255.255.128
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.0.0.0 255.255.0.0
access-group acl-outside in interface outside
route inside 10.0.0.0 255.255.0.0 10.0.99.1 1
route outside 0.0.0.0 0.0.0.0 *.*.*.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy vpn internal
group-policy vpn attributes
wins-server value 10.0.3.24 10.0.3.2
dns-server value 10.0.3.24 10.0.3.2
default-domain value cbdom.com
webvpn
username test password P4ttSyrm33SV8TYp encrypted privilege 0
username test attributes
vpn-group-policy vpn
webvpn
username zsrb password lGuESSF2nj3xOphs encrypted privilege 15
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 set security-association lifetime seconds 28800
crypto map outside_map 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map_1 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map_1 interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group vpn type ipsec-ra
tunnel-group vpn general-attributes
address-pool vpnpool
default-group-policy vpn
tunnel-group vpn ipsec-attributes
pre-shared-key *
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
ssh version 2
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect http
!
service-policy global_policy global
client-update enable
Cryptochecksum:f09e6261cd0c07ed01f6c79b29c7b6e7
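A small offline audit of the configuration dump above, added here as an example; it is not part of the original post and not a Cisco tool. It re-parses the relevant lines with the Python standard library and reports what a practitioner would check first in this config: whether every address in vpnpool is covered by the nat 0 exemption ACL (so replies from inside hosts are not translated by nat (inside) 1), whether management access (http, telnet) is open to any source, whether the IKEv1/ESP algorithms are legacy, and whether the absence of a split-tunnel-policy is combined with the absence of same-security-traffic permit intra-interface, which the ASA requires before it will send decrypted client traffic back out the outside interface. ASA_CONFIG is a constructed excerpt of the posted config; the finding codes and messages are this script's own. The "Default Gateway" equal to the assigned address in the ipconfig output is how the Cisco VPN Adapter presents itself and is not treated as a finding.

```python
"""Offline audit of the ASA 7.0(8) config dump above (added example, not a Cisco tool)."""
import ipaddress
import re

# Constructed excerpt of the posted configuration: only the lines the checks read.
ASA_CONFIG = """\
access-list inside_nat0_outbound extended permit ip any 10.0.20.128 255.255.255.128
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 10.0.0.0 255.255.0.0
ip local pool vpnpool 10.0.20.129-10.0.20.254 mask 255.255.255.128
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.0.0.0 255.255.0.0
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 outside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
telnet 0.0.0.0 0.0.0.0 inside
"""

# IKEv1 policy values that are legacy by today's standards (DES/3DES, MD5, 1024-bit DH).
LEGACY_ISAKMP = {("encryption", "des"), ("encryption", "3des"), ("hash", "md5"),
                 ("group", "1"), ("group", "2")}
LEGACY_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}


def _network(addr, mask):
    """ASA writes 'address mask'; fold the pair into an IPv4Network."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def _take_addr(tokens):
    """Consume one ACL address term: 'any', 'host A', or 'A M'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if t == "host":
        return ipaddress.IPv4Network(f"{tokens.pop(0)}/32")
    return _network(t, tokens.pop(0))


def nat_exempt_destinations(cfg):
    """Destination networks of the ACL named in 'nat (inside) 0 access-list NAME'."""
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)", cfg, re.M)
    if not m:
        return []
    dests = []
    for line in cfg.splitlines():
        tok = line.split()
        if tok[:5] == ["access-list", m.group(1), "extended", "permit", "ip"]:
            rest = tok[5:]
            _take_addr(rest)                 # source term, not needed here
            dests.append(_take_addr(rest))
    return dests


def local_pools(cfg):
    """name -> (first, last) address for every 'ip local pool' statement."""
    return {m.group(1): (ipaddress.IPv4Address(m.group(2)), ipaddress.IPv4Address(m.group(3)))
            for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+) mask", cfg, re.M)}


def audit(cfg):
    """Return a list of (code, message) findings for the configuration text."""
    findings = []

    # 1. Every pool address must be NAT-exempt, otherwise replies from inside
    #    hosts are translated by 'nat (inside) 1' and never reach the client.
    exempt = nat_exempt_destinations(cfg)
    for name, (first, last) in local_pools(cfg).items():
        for chunk in ipaddress.summarize_address_range(first, last):
            if not any(chunk.subnet_of(d) for d in exempt):
                findings.append(("NAT0", f"pool {name}: {chunk} is not covered by the nat 0 ACL"))
                break

    # 2. Management plane opened to any source address.
    for proto, addr, mask, iface in re.findall(r"^(http|telnet) (\S+) (\S+) (\S+)$", cfg, re.M):
        if _network(addr, mask).prefixlen == 0:
            if proto == "http" and iface == "outside":
                findings.append(("HTTP-ANY", "ASDM/HTTPS management reachable from any outside address"))
            elif proto == "telnet":
                findings.append(("TELNET-ANY", f"cleartext telnet management from any {iface} host"))

    # 3. Legacy IKEv1 and ESP algorithms.
    for key, value in re.findall(r"^isakmp policy \d+ (encryption|hash|group) (\S+)", cfg, re.M):
        if (key, value) in LEGACY_ISAKMP:
            findings.append(("ISAKMP-LEGACY", f"isakmp policy uses {key} {value}"))
    for name, algs in re.findall(r"^crypto ipsec transform-set (\S+) (.+)$", cfg, re.M):
        if LEGACY_ESP & set(algs.split()):
            findings.append(("IPSEC-LEGACY", f"transform-set {name}: {algs}"))

    # 4. No split-tunnel-policy means all client traffic, Internet included, is
    #    tunnelled; the ASA only forwards it back out 'outside' when
    #    'same-security-traffic permit intra-interface' is configured.
    if "split-tunnel-policy" not in cfg and "same-security-traffic permit intra-interface" not in cfg:
        findings.append(("HAIRPIN", "tunnel-all without intra-interface permit: client Internet traffic is dropped"))
    return findings


if __name__ == "__main__":
    for code, msg in audit(ASA_CONFIG):
        print(f"{code:14} {msg}")
```

Run as-is it prints one line per finding for the posted config; vpnpool passes the nat 0 check because 10.0.20.128/25 is an exempt destination, while the open ASDM/telnet access, the 3DES and DH group 2 settings, and the missing hairpin permit are reported. Editing ASA_CONFIG (for example moving the pool to a range the nat 0 ACL does not cover) shows the NAT0 finding.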