https://community.cisco.com/t5/%E5%AE%89%E5%85%A8%E8%AE%A8%E8%AE%BA%E5%8C%BA/asa5550nat%E6%95%85%E9%9A%9C%E5%92%8C-anyconnect-vpn-%E9%85%8D%E7%BD%AE%E5%AE%8C%E6%AF%95%E5%90%8E%E8%BF%9C%E7%A8%8B%E8%83%BD%E8%BF%9E%E6%8E%A5%E4%B8%8A%E4%BD%86%E6%97%A0%E6%B3%95%E8%AE%BF%E9%97%AE%E5%88%B0%E5%86%85%E9%83%A8%E7%9A%84%E6%9C%BA%E5%99%A8/m-p/4341571#M5136 <I> 本帖最后由 arvinjing 于 2017-3-10 12:04 编辑 </I><BR />先说anyconnect , 不能访问内部网络有2方面的原因，1.没有路由，需要检查分割列表。2.NAT问题，需要检查VPN的NONAT配置, 从内部网络去往vpn pool地址的流量不能NAT<BR />第一、隧道分割列表建议更改为扩展列表，当然使用标准列表也没有问题access-list remote-vpn_splitTunnelAcl standard permit 192.168.255.0 255.255.255.0<BR />建议更改为：access-list remote-vpn_splitTunnelAcl extend permit ip object test192.168.255.0 any<BR />第二、你的VPN pool地址和内网地址在同一个地址段内，我设计VPN的时候是分开的，建议分开，可能会影响其他NAT和ACL的配置，造成思路不清晰， 假如同一网段的话，那么你的NAT 写的也是错误的，原地址是需要访问的目标网段，destination 是vpn pool 地址，应该是这样的语句nat (inside,outside) source static test192.168.255.0 test192.168.255.0 destination static test192.168.255.0 test192.168.255.0<BR />NAT 做对了，anyconnect VPN应该就正常了<BR /> Fri, 10 Mar 2017 01:25:45 GMT jingjian 2017-03-10T01:25:45Z https://community.cisco.com/t5/%E5%AE%89%E5%85%A8%E8%AE%A8%E8%AE%BA%E5%8C%BA/asa5550nat%E6%95%85%E9%9A%9C%E5%92%8C-anyconnect-vpn-%E9%85%8D%E7%BD%AE%E5%AE%8C%E6%AF%95%E5%90%8E%E8%BF%9C%E7%A8%8B%E8%83%BD%E8%BF%9E%E6%8E%A5%E4%B8%8A%E4%BD%86%E6%97%A0%E6%B3%95%E8%AE%BF%E9%97%AE%E5%88%B0%E5%86%85%E9%83%A8%E7%9A%84%E6%9C%BA%E5%99%A8/m-p/4341567#M5132 最近配置一个ASA5550防火墙，版本9。1 用ASDM配置完毕后，用anyconnect 连接能连上，地址也能拿到但无法访问到内部任何主机。<BR />还有NAT配置完服务器端口映射后本地访问映射的端口没问题，其他端口都访问不到，去外部访问经过ASA的端口也无法连接，但所以的机器都能ping通，22端口始终不能访问。<BR />请问问题出现在哪，配置有点多如下：<BR />sirunASA# sh run<BR />: Saved<BR />:<BR />ASA Version 9.0(2) <BR />!<BR />hostname ASA<BR />domain-name sirun.net<BR />enable password 8Ry2YjIyt7RRXU24 encrypted<BR />names<BR />ip local pool vpn-pool 192.168.255.100-192.168.255.251 mask 255.255.255.0<BR />!<BR />interface GigabitEthernet0/0<BR /> nameif outside<BR /> security-level 0<BR /> ip address 111.x.x.x 255.255.255.224 <BR />!<BR />interface GigabitEthernet0/1<BR /> shutdown<BR /> no nameif<BR /> security-level 0<BR /> no ip address<BR />!<BR />interface GigabitEthernet0/2<BR /> shutdown<BR /> nameif CallCenter<BR /> security-level 50<BR /> ip address 192.168.8.240 255.255.255.0 <BR />!<BR />interface GigabitEthernet0/3<BR /> no nameif<BR /> no security-level<BR /> no ip address<BR />!<BR />interface GigabitEthernet0/3.9<BR /> shutdown<BR /> vlan 9<BR /> nameif Development<BR /> security-level 100<BR /> ip address 192.168.9.240 255.255.255.0 <BR />!<BR />interface GigabitEthernet0/3.10<BR /> shutdown<BR /> vlan 10<BR /> nameif office<BR /> security-level 100<BR /> ip address 192.168.10.240 255.255.255.0 <BR />!<BR />interface GigabitEthernet0/3.11<BR /> shutdown<BR /> vlan 11<BR /> nameif Accounting<BR /> security-level 50<BR /> ip address 172.32.5.254 255.255.255.0 <BR />!<BR />interface GigabitEthernet0/3.255<BR /> vlan 255<BR /> nameif inside<BR /> security-level 100<BR /> ip address 192.168.255.1 255.255.255.0 <BR />!<BR />interface GigabitEthernet0/3.998<BR /> shutdown<BR /> vlan 998<BR /> nameif hulian<BR /> security-level 100<BR /> ip address 10.1.1.1 255.255.255.0 <BR />!<BR />interface Management0/0<BR /> no nameif<BR /> no security-level<BR /> no ip address<BR />!<BR />interface GigabitEthernet1/0<BR /> shutdown<BR /> nameif CCC <BR /> security-level 50<BR /> ip address 172.20.7.2 255.255.255.0 <BR />!<BR />interface GigabitEthernet1/1<BR /> shutdown<BR /> no nameif<BR /> no security-level<BR /> no ip address<BR />!<BR />interface GigabitEthernet1/2<BR /> shutdown<BR /> no nameif<BR /> no security-level<BR /> no ip address<BR />!<BR />interface GigabitEthernet1/3<BR /> shutdown<BR /> no nameif<BR /> no security-level<BR /> no ip address<BR />!<BR />ftp mode passive<BR />dns domain-lookup outside<BR />dns domain-lookup inside<BR />dns server-group DefaultDNS<BR /> name-server 192.168.10.240<BR /> domain-name sirun.net<BR />same-security-traffic permit inter-interface<BR />same-security-traffic permit intra-interface<BR />object network test192.168.255.0<BR /> subnet 192.168.255.0 255.255.255.0<BR />object network Ali_RD_172.22.0.0<BR /> subnet 172.22.0.0 255.255.0.0<BR />object network Ali_V1_172.20.10.0<BR /> subnet 172.20.10.0 255.255.255.0<BR />object network Ali_V1_172.20.14.0<BR /> subnet 172.20.14.0 255.255.255.0<BR />object network remote_vpn<BR /> subnet 192.168.200.0 255.255.255.0<BR />object network office<BR /> subnet 192.168.10.0 255.255.255.0<BR />object network Develop<BR /> subnet 192.168.9.0 255.255.255.0<BR />object network develop_gateway<BR /> host 192.168.9.1<BR />object network Outside_ip<BR /> host 111.x.x.88<BR />object network target_server<BR /> host 192.168.9.45<BR />object service target<BR /> service tcp source eq 1235 destination eq 1235 <BR />object network CallCenter<BR /> subnet 192.168.8.0 255.255.255.0<BR />object network cesi<BR /> subnet 172.16.7.0 255.255.255.0<BR />object network HZ<BR /> subnet 172.20.0.0 255.255.252.0<BR />object network obj_192.168.9.67:8443<BR /> host 192.168.9.67<BR />object network caiwu-linshi<BR /> subnet 172.32.5.0 255.255.255.0<BR />object network obj_172.16.7.213:9080<BR /> host 172.16.7.213<BR />object service P-83<BR /> service tcp source eq 83 destination eq 83 <BR />object service P-9080<BR /> service tcp source eq 9080 destination eq 9080 <BR />object network obj_172.16.7.213<BR />object network obj_192.168.9.45:1235<BR /> host 192.168.9.45<BR />object network obj_192.168.9.81:80<BR /> host 192.168.9.81<BR />object network obj_192.168.9.81<BR />object network obj_172.16.7.212:80<BR /> host 172.16.7.212<BR />object network obj_172.16.7.233:80<BR /> host 172.16.7.233<BR />object network obj_172.16.7.210:22<BR /> host 172.16.7.210<BR />object network obj_172.16.7.211:22<BR /> host 172.16.7.211<BR />object network obj_172.16.7.212:22<BR /> host 172.16.7.212<BR />object network obj_172.16.7.213:22<BR /> host 172.16.7.213<BR />object network obj_172.16.7.203:22<BR /> host 172.16.7.203<BR />object network obj_192.168.9.67:443<BR /> host 192.168.9.67<BR />object network obj_192.168.9.67:22<BR /> host 192.168.9.67<BR />object network obj_172.16.7.206:3306<BR /> host 172.16.7.206<BR />object network obj_172.16.7.208:3306<BR /> host 172.16.7.208<BR />object network obj_172.16.7.211:3306<BR /> host 172.16.7.211<BR />object network obj_172.16.7.212:3306<BR /> host 172.16.7.212<BR />object network obj_172.16.7.233:6203<BR /> host 172.16.7.233<BR />object network obj_172.16.7.211:443<BR /> host 172.16.7.211<BR />object network obj_172.16.7.211:6600<BR /> host 172.16.7.211<BR />object network obj_172.16.7.212:6600<BR /> host 172.16.7.212<BR />object network obj_172.16.7.211:6711<BR /> host 172.16.7.211<BR />object network obj_172.16.7.212:6711<BR /> host 172.16.7.212<BR />object network obj_172.16.7.211:6821<BR /> host 172.16.7.211<BR />object network obj_172.16.7.211:6822<BR /> host 172.16.7.211<BR />object network obj_172.16.7.212:6822<BR /> host 172.16.7.212<BR />object network obj_172.16.7.211:6933<BR /> host 172.16.7.211<BR />object network obj_172.16.7.212:6933<BR /> host 172.16.7.212<BR />object network obj_172.16.7.211:7040<BR /> host 172.16.7.211<BR />object network obj_172.16.7.211:7155<BR /> host 172.16.7.211<BR />object network obj_172.16.7.213:8080<BR /> host 172.16.7.213<BR />object network obj_172.16.7.203:7079<BR /> host 172.16.7.203<BR />object network obj_192.168.9.77:8080<BR /> host 192.168.9.77<BR />object network obj_172.16.7.203:9081<BR /> host 172.16.7.203<BR />object network obj_172.16.7.219:8090<BR /> host 172.16.7.219<BR />object network obj_172.16.7.219:8080<BR /> host 172.16.7.219<BR />object network obj_172.16.7.205:8080<BR /> host 172.16.7.205<BR />object network obj_172.16.7.210:8080<BR /> host 172.16.7.210<BR />object network obj_172.16.7.211:7979<BR /> host 172.16.7.211<BR />object network obj_172.16.7.212:8080<BR /> host 172.16.7.212<BR />object network obj_192.168.9.67:8080<BR /> host 192.168.9.67<BR />object network obj_172.16.7.203:8799<BR /> host 172.16.7.203<BR />object network obj_172.16.7.213:8765<BR /> host 172.16.7.213<BR />object network obj_172.16.7.214:8766<BR /> host 172.16.7.214<BR />object network obj_172.16.7.217:8799<BR /> host 172.16.7.217<BR />object network obj_172.16.7.214:8799<BR /> host 172.16.7.214<BR />object network obj_172.16.7.202:8080<BR /> host 172.16.7.202<BR />object network obj_172.16.7.204:7979<BR /> host 172.16.7.204<BR />object network obj_192.168.9.20:9081<BR /> host 192.168.9.20<BR />object network obj_172.16.7.210:9090<BR /> host 172.16.7.210<BR />object network obj_172.16.7.210:9092<BR /> host 172.16.7.210<BR />object network obj_172.16.7.210:9094<BR /> host 172.16.7.210<BR />object network obj_172.16.7.210:9095<BR /> host 172.16.7.210<BR />object network obj_172.16.7.210:9096<BR /> host 172.16.7.210<BR />object network obj_172.16.7.210:9097<BR /> host 172.16.7.210<BR />object network obj_172.16.7.210:9098<BR /> host 172.16.7.210<BR />object network obj_172.16.7.210:9099<BR /> host 172.16.7.210<BR />object network obj_192.168.9.51:27017<BR /> host 192.168.9.51<BR />object service P-8091<BR /> service tcp source eq 8091 destination eq 8091 <BR />object service P-9081<BR /> service tcp source eq 9081 destination eq 9081 <BR />object network obj_192.168.9.67:8400<BR /> host 192.168.9.67<BR />object service 22<BR /> service tcp source eq ssh destination eq ssh <BR />object network obj_172.20.3.40:22<BR /> host 172.20.3.40<BR />object-group network DM_INLINE_NETWORK_2<BR /> network-object object test192.168.255.0<BR />object-group network DM_INLINE_NETWORK_3<BR /> network-object object Ali_V1_172.20.10.0<BR /> network-object object Ali_V1_172.20.14.0<BR /> network-object object Ali_RD_172.22.0.0<BR />object-group network DM_INLINE_NETWORK_4<BR /> network-object object Ali_V1_172.20.10.0<BR /> network-object object Ali_V1_172.20.14.0<BR />object-group network DM_INLINE_NETWORK_1<BR /> network-object object HZ<BR /> network-object object office<BR />object-group network DM_INLINE_NETWORK_5<BR /> network-object 172.20.7.0 255.255.255.0<BR /> network-object 172.32.5.0 255.255.255.0<BR /> network-object 192.168.10.0 255.255.255.0<BR /> network-object 192.168.9.0 255.255.255.0<BR /> network-object 10.1.1.0 255.255.255.0<BR /> network-object 192.168.255.0 255.255.255.0<BR />object-group network DM_INLINE_NETWORK_6<BR /> network-object object HZ<BR /> network-object object office<BR />object-group network DM_INLINE_NETWORK_8<BR /> network-object 192.168.255.0 255.255.255.0<BR /> network-object 192.168.10.0 255.255.255.0<BR /> network-object 10.1.1.0 255.255.255.0<BR /> network-object 172.20.7.0 255.255.255.0<BR /> network-object 192.168.9.0 255.255.255.0<BR /> network-object object HZ<BR />object-group network DM_INLINE_NETWORK_9<BR /> network-object 192.168.9.0 255.255.255.0<BR /> network-object object office<BR /> network-object 10.1.1.0 255.255.255.0<BR /> network-object 172.20.7.0 255.255.255.0<BR /> network-object 192.168.8.0 255.255.255.0<BR /> network-object object HZ<BR />object-group network DM_INLINE_NETWORK_10<BR /> network-object 172.20.10.0 255.255.255.0<BR /> network-object 192.168.10.0 255.255.255.0<BR /> network-object 192.168.255.0 255.255.255.0<BR /> network-object object Ali_RD_172.22.0.0<BR />object-group network DM_INLINE_NETWORK_15<BR /> network-object 192.168.9.0 255.255.255.0<BR /> network-object object office<BR />object-group network DM_INLINE_NETWORK_21<BR /> network-object object Ali_V1_172.20.10.0<BR /> network-object object Ali_V1_172.20.14.0<BR /> network-object object Ali_RD_172.22.0.0<BR />access-list VPN-TO-ALI extended permit ip 192.168.255.0 255.255.255.0 object-group DM_INLINE_NETWORK_4 <BR />access-list inside_access_in extended permit ip 192.168.255.0 255.255.255.0 any <BR />access-list remote-vpn_splitTunnelAcl standard permit 192.168.255.0 255.255.255.0 <BR />access-list remote-vpn_splitTunnelAcl standard permit 172.20.10.0 255.255.255.0 <BR />access-list remote-vpn_splitTunnelAcl standard permit 172.22.0.0 255.255.0.0 <BR />access-list outside_cryptomap_1 extended permit ip object test192.168.255.0 object Ali_V1_172.20.10.0 <BR />access-list ipsec-for-remote_splitTunnelAcl standard permit any4 <BR />access-list DefaultRAGroup_splitTunnelAcl standard permit 172.20.10.0 255.255.255.0 <BR />access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.255.0 255.255.255.0 <BR />access-list outside_cryptomap extended permit ip 192.168.255.0 255.255.255.0 object Ali_RD_172.22.0.0 <BR />access-list inside.9_access_in extended permit ip 192.168.9.0 255.255.255.0 192.168.255.0 255.255.255.0 <BR />access-list hulian_access_in extended permit tcp any any <BR />access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_5 any <BR />access-list outside_access_in extended permit ip 192.168.9.0 255.255.255.0 any <BR />access-list Development_access_in extended permit ip object-group DM_INLINE_NETWORK_15 object-group DM_INLINE_NETWORK_10 <BR />access-list office_access_in extended permit ip object office any <BR />access-list global_access extended permit ip object-group DM_INLINE_NETWORK_8 object-group DM_INLINE_NETWORK_9 <BR />pager lines 24<BR />logging enable<BR />logging monitor informational<BR />logging asdm informational<BR />mtu outside 1500<BR />mtu CallCenter 1500<BR />mtu Development 1500<BR />mtu Accounting 1500<BR />mtu inside 1500<BR />mtu CCC 1500<BR />mtu office 1500<BR />mtu hulian 1500<BR />no failover<BR />icmp unreachable rate-limit 1 burst-size 1<BR />asdm image disk0:/asdm-713.bin<BR />no asdm history enable<BR />arp timeout 14400<BR />no arp permit-nonconnected<BR />nat (inside,outside) source static test192.168.255.0 test192.168.255.0 destination static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 no-proxy-arp description VPN to Aliyun<BR />nat (inside,inside) source static test192.168.255.0 test192.168.255.0 destination static test192.168.255.0 test192.168.255.0 no-proxy-arp<BR />nat (inside,office) source static test192.168.255.0 test192.168.255.0 destination static office office no-proxy-arp<BR />nat (inside,hulian) source static test192.168.255.0 test192.168.255.0 destination static cesi cesi no-proxy-arp<BR />nat (office,outside) source static office office destination static DM_INLINE_NETWORK_21 DM_INLINE_NETWORK_21 no-proxy-arp<BR />nat (office,office) source static DM_INLINE_NETWORK_6 DM_INLINE_NETWORK_6 destination static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 no-proxy-arp<BR />nat (office,Development) source static office office destination static Develop Develop no-proxy-arp<BR />nat (office,CCC) source static office office destination static HZ HZ no-proxy-arp<BR />nat (office,hulian) source static office office destination static cesi cesi no-proxy-arp<BR />nat (Development,hulian) source static Develop Develop destination static cesi cesi no-proxy-arp<BR />nat (Development,inside) source static Develop Develop destination static test192.168.255.0 test192.168.255.0 no-proxy-arp<BR />nat (Development,office) source static Develop Develop destination static office office no-proxy-arp<BR />nat (Development,Development) source static Develop Develop destination static Develop Develop no-proxy-arp<BR />nat (hulian,Development) source static caiwu-linshi caiwu-linshi destination static Develop Develop no-proxy-arp<BR />nat (any,outside) source dynamic CallCenter interface inactive description Internet<BR />nat (any,outside) source dynamic test192.168.255.0 interface inactive description Internet<BR />nat (any,outside) source dynamic Develop interface inactive description Internet<BR />nat (any,outside) source dynamic office interface inactive description Internet<BR />!<BR />object network test192.168.255.0<BR /> nat (any,outside) dynamic interface<BR />object network office<BR /> nat (any,outside) dynamic interface<BR />object network Develop<BR /> nat (any,outside) dynamic interface<BR />object network CallCenter<BR /> nat (any,outside) dynamic interface<BR />object network cesi<BR /> nat (any,outside) dynamic interface<BR />object network obj_192.168.9.67:8443<BR /> nat (Development,outside) static Outside_ip service tcp 8443 18443 <BR />object network obj_172.16.7.213:9080<BR /> nat (hulian,outside) static Outside_ip service tcp 9080 83 <BR />object network obj_192.168.9.45:1235<BR /> nat (Development,outside) static Outside_ip service tcp 1235 1235 <BR />object network obj_172.16.7.212:80<BR /> nat (hulian,outside) static Outside_ip service tcp www 7077 <BR />object network obj_172.16.7.233:80<BR /> nat (hulian,outside) static Outside_ip service tcp www 180 <BR />object network obj_172.16.7.210:22<BR /> nat (hulian,outside) static Outside_ip service tcp 245 245 <BR />object network obj_172.16.7.211:22<BR /> nat (hulian,outside) static Outside_ip service tcp 246 246 <BR />object network obj_172.16.7.212:22<BR /> nat (hulian,outside) static Outside_ip service tcp 247 247 <BR />object network obj_172.16.7.213:22<BR /> nat (hulian,outside) static Outside_ip service tcp 248 248 <BR />object network obj_172.16.7.203:22<BR /> nat (hulian,outside) static Outside_ip service tcp 1222 1222 <BR />object network obj_192.168.9.67:443<BR /> nat (Development,outside) static Outside_ip service tcp https 1443 <BR />object network obj_192.168.9.67:22<BR /> nat (Development,outside) static Outside_ip service tcp 2222 2222 <BR />object network obj_172.16.7.206:3306<BR /> nat (hulian,outside) static Outside_ip service tcp 3306 3336 <BR />object network obj_172.16.7.208:3306<BR /> nat (hulian,outside) static Outside_ip service tcp 3306 3346 <BR />object network obj_172.16.7.211:3306<BR /> nat (hulian,outside) static Outside_ip service tcp 3306 3356 <BR />object network obj_172.16.7.212:3306<BR /> nat (hulian,outside) static Outside_ip service tcp 3306 3366 <BR />object network obj_172.16.7.233:6203<BR /> nat (hulian,outside) static Outside_ip service tcp 6203 6203 <BR />object network obj_172.16.7.211:443<BR /> nat (hulian,outside) static Outside_ip service tcp https 6443 <BR />object network obj_172.16.7.211:6600<BR /> nat (hulian,outside) static Outside_ip service tcp 6600 6600 <BR />object network obj_172.16.7.212:6600<BR /> nat (hulian,outside) static Outside_ip service tcp 6600 6610 <BR />object network obj_172.16.7.211:6711<BR /> nat (hulian,outside) static Outside_ip service tcp 6711 6711 <BR />object network obj_172.16.7.212:6711<BR /> nat (hulian,outside) static Outside_ip service tcp 6711 6721 <BR />object network obj_172.16.7.211:6821<BR /> nat (hulian,outside) static Outside_ip service tcp 6821 6821 <BR />object network obj_172.16.7.211:6822<BR /> nat (hulian,outside) static Outside_ip service tcp 6822 6822 <BR />object network obj_172.16.7.212:6822<BR /> nat (hulian,outside) static Outside_ip service tcp 6822 6832 <BR />object network obj_172.16.7.211:6933<BR /> nat (hulian,outside) static Outside_ip service tcp 6933 6933 <BR />object network obj_172.16.7.212:6933<BR /> nat (hulian,outside) static Outside_ip service tcp 6943 6933 <BR />object network obj_172.16.7.211:7040<BR /> nat (hulian,outside) static Outside_ip service tcp 7044 7044 <BR />object network obj_172.16.7.211:7155<BR /> nat (hulian,outside) static Outside_ip service tcp 7155 7155 <BR />object network obj_172.16.7.213:8080<BR /> nat (hulian,outside) static Outside_ip service tcp 8080 7878 <BR />object network obj_172.16.7.203:7079<BR /> nat (hulian,outside) static Outside_ip service tcp 7079 7900 <BR />object network obj_192.168.9.77:8080<BR /> nat (Development,outside) static Outside_ip service tcp 8080 8088 <BR />object network obj_172.16.7.203:9081<BR /> nat (hulian,outside) static Outside_ip service tcp 9081 8091 <BR />object network obj_172.16.7.219:8090<BR /> nat (hulian,outside) static Outside_ip service tcp 8090 8092 <BR />object network obj_172.16.7.219:8080<BR /> nat (hulian,outside) static Outside_ip service tcp 8080 8110 <BR />object network obj_172.16.7.205:8080<BR /> nat (hulian,outside) static Outside_ip service tcp 8080 8180 <BR />object network obj_172.16.7.210:8080<BR /> nat (hulian,outside) static Outside_ip service tcp 8080 8250 <BR />object network obj_172.16.7.211:7979<BR /> nat (hulian,outside) static Outside_ip service tcp 7979 8260 <BR />object network obj_172.16.7.212:8080<BR /> nat (hulian,outside) static Outside_ip service tcp 8080 8270 <BR />object network obj_192.168.9.67:8080<BR /> nat (Development,outside) static Outside_ip service tcp 8080 8442 <BR />object network obj_172.16.7.203:8799<BR /> nat (hulian,outside) static Outside_ip service tcp 8799 8699 <BR />object network obj_172.16.7.213:8765<BR /> nat (hulian,outside) static Outside_ip service tcp 8765 8765 <BR />object network obj_172.16.7.214:8766<BR /> nat (hulian,outside) static Outside_ip service tcp 8766 8766 <BR />object network obj_172.16.7.217:8799<BR /> nat (hulian,outside) static Outside_ip service tcp 8799 8780 <BR />object network obj_172.16.7.214:8799<BR /> nat (hulian,outside) static Outside_ip service tcp 8799 8799 <BR />object network obj_172.16.7.202:8080<BR /> nat (hulian,outside) static Outside_ip service tcp 8080 8888 <BR />object network obj_172.16.7.204:7979<BR /> nat (hulian,outside) static Outside_ip service tcp 7979 8900 <BR />object network obj_192.168.9.20:9081<BR /> nat (Development,outside) static Outside_ip service tcp 9081 9081 <BR />object network obj_172.16.7.210:9090<BR /> nat (hulian,outside) static Outside_ip service tcp 9090 9090 <BR />object network obj_172.16.7.210:9092<BR /> nat (hulian,outside) static Outside_ip service tcp 9092 9092 <BR />object network obj_172.16.7.210:9094<BR /> nat (hulian,outside) static Outside_ip service tcp 9094 9094 <BR />object network obj_172.16.7.210:9095<BR /> nat (hulian,outside) static Outside_ip service tcp 9095 9095 <BR />object network obj_172.16.7.210:9096<BR /> nat (hulian,outside) static Outside_ip service tcp 9096 9096 <BR />object network obj_172.16.7.210:9097<BR /> nat (hulian,outside) static Outside_ip service tcp 9097 9097 <BR />object network obj_172.16.7.210:9098<BR /> nat (hulian,outside) static Outside_ip service tcp 9098 9098 <BR />object network obj_172.16.7.210:9099<BR /> nat (hulian,outside) static Outside_ip service tcp 9099 9099 <BR />object network obj_192.168.9.51:27017<BR /> nat (Development,outside) static Outside_ip service tcp 27017 27018 <BR />object network obj_192.168.9.67:8400<BR /> nat (Development,outside) static Outside_ip service tcp 8443 8400 <BR />access-group outside_access_in in interface outside<BR />access-group Development_access_in in interface Development<BR />access-group inside_access_in in interface inside<BR />access-group office_access_in in interface office<BR />access-group hulian_access_in in interface hulian<BR />access-group global_access global<BR />route outside 0.0.0.0 0.0.0.0 111.204.193.94 1<BR />route office 172.20.0.0 255.255.248.0 192.168.10.1 1<BR />route hulian 172.32.5.0 255.255.255.0 192.168.9.253 1<BR />timeout xlate 3:00:00<BR />timeout pat-xlate 0:00:30<BR />timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02<BR />timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00<BR />timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00<BR />timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute<BR />timeout tcp-proxy-reassembly 0:01:00<BR />timeout floating-conn 0:00:00<BR />dynamic-access-policy-record DfltAccessPolicy<BR /> network-acl outside_cryptomap_1<BR /> network-acl inside_access_in<BR />user-identity default-domain LOCAL<BR />eou allow audit<BR />aaa authentication enable console LOCAL <BR />aaa authentication ssh console LOCAL <BR />http server enable<BR />http 0.0.0.0 0.0.0.0 inside<BR />no snmp-server location<BR />no snmp-server contact<BR />snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart<BR />crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac <BR />crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac <BR />crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac <BR />crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac <BR />crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac <BR />crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac <BR />crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport<BR />crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac <BR />crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport<BR />crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac <BR />crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport<BR />crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac <BR />crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport<BR />crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac <BR />crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport<BR />crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac <BR />crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport<BR />crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac <BR />crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac <BR />crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac <BR />crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport<BR />crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac <BR />crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport<BR />crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac <BR />crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac <BR />crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac <BR />crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport<BR />crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac <BR />crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport<BR />crypto ipsec ikev1 transform-set vpn esp-3des esp-md5-hmac <BR />crypto ipsec ikev1 transform-set tran01 esp-3des esp-md5-hmac <BR />crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac <BR />crypto ipsec ikev2 ipsec-proposal AES256<BR /> protocol esp encryption aes-256<BR /> protocol esp integrity sha-1 md5<BR />crypto ipsec ikev2 ipsec-proposal AES192<BR /> protocol esp encryption aes-192<BR /> protocol esp integrity sha-1 md5<BR />crypto ipsec ikev2 ipsec-proposal AES<BR /> protocol esp encryption aes<BR /> protocol esp integrity sha-1 md5<BR />crypto ipsec ikev2 ipsec-proposal 3DES<BR /> protocol esp encryption 3des<BR /> protocol esp integrity sha-1 md5<BR />crypto ipsec ikev2 ipsec-proposal DES<BR /> protocol esp encryption des<BR /> protocol esp integrity sha-1 md5<BR />crypto ipsec ikev2 ipsec-proposal 3desMD5<BR /> protocol esp encryption 3des<BR /> protocol esp integrity md5<BR />crypto ipsec security-association pmtu-aging infinite<BR />crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs <BR />crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS<BR />crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES<BR />crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set nat-t-disable<BR />crypto map outside-map 1 match address outside_cryptomap<BR />crypto map outside-map 1 set pfs <BR />crypto map outside-map 1 set peer 120.x.x.x <BR />crypto map outside-map 1 set ikev1 transform-set tran01<BR />crypto map outside-map 1 set reverse-route<BR />crypto map outside-map 10 match address VPN-TO-ALI<BR />crypto map outside-map 10 set pfs <BR />crypto map outside-map 10 set peer 121.x.x.x <BR />crypto map outside-map 10 set ikev1 transform-set vpn<BR />crypto map outside-map 10 set reverse-route<BR />crypto map outside-map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP<BR />crypto map outside-map interface outside<BR />crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP<BR />crypto map inside_map interface inside<BR />crypto ca trustpoint ASDM_TrustPoint0_anyconnect<BR /> enrollment self<BR /> email <A href="mailto:&quot;guoyuan.wang@sirun.net&quot;">guoyuan.wang@sirun.net</A><BR /> subject-name CN=sirunASA_for_guoyuan<BR /> proxy-ldc-issuer<BR /> crl configure<BR />crypto ca trustpoint ASDM_TrustPoint0<BR /> enrollment self<BR /> fqdn sslvpn.sirun.net<BR /> subject-name CN=sslvpn.sirun.net<BR /> keypair sslvpnkeypair<BR /> crl configure<BR />crypto ca trustpool policy<BR />crypto ca certificate chain ASDM_TrustPoint0<BR /> certificate 9d6da958<BR /> 308201ef 30820158 a0030201 0202049d 6da95830 0d06092a 864886f7 0d010105 <BR /> 0500303c 31193017 06035504 03131073 736c7670 6e2e7369 72756e2e 6e657431 <BR /> 1f301d06 092a8648 86f70d01 09021610 73736c76 706e2e73 6972756e 2e6e6574 <BR /> 301e170d 31373032 32353038 35383131 5a170d32 37303232 33303835 3831315a <BR /> 303c3119 30170603 55040313 1073736c 76706e2e 73697275 6e2e6e65 74311f30 <BR /> 1d06092a 864886f7 0d010902 16107373 6c76706e 2e736972 756e2e6e 65743081 <BR /> 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100d9 498f96c8 <BR /> ba8e3e90 dd135747 65996664 a4e0ca2d 7a03bb8f a7a1630c d470bb7a 804749c2 <BR /> cd06285a e1fb26a2 2e55c25e 9b3d27fc 3d169cd1 642c4e6a 9b425b4d 6b00d151 <BR /> a044e3f3 8724a01b 362d7bba 1930c448 7c449df5 3f2a8d0e a4c18c23 78fc9660 <BR /> a285b99d a5eb7324 3d74c0ca 511d033f 85e989b6 8ea7ce4e 02097302 03010001 <BR /> 300d0609 2a864886 f70d0101 05050003 81810073 0395301f a979e840 6cfcb4ce <BR /> 46465792 28feee0e ea799257 6be94d62 ed99823b 0fcb7883 18f1ace3 70f40e1a <BR /> 654e3536 6b398229 7d66e8bb 19a35c8f d80d6875 4d3b35a7 68d01e35 e366c731 <BR /> b713f599 0584ccd3 a11edb73 68bceb24 64dcba2a ff35c5ff bbad15ef bab457de <BR /> 26bc3dbf 4030f725 96046473 c590a03e aa493e<BR /> quit<BR />crypto ikev2 policy 1<BR /> encryption aes-256<BR /> integrity sha<BR /> group 5 2<BR /> prf sha<BR /> lifetime seconds 86400<BR />crypto ikev2 policy 10<BR /> encryption aes-192<BR /> integrity sha<BR /> group 5 2<BR /> prf sha<BR /> lifetime seconds 86400<BR />crypto ikev2 enable outside client-services port 443<BR />crypto ikev2 remote-access trustpoint ASDM_TrustPoint0_anyconnect<BR />crypto ikev1 enable outside<BR />crypto ikev1 policy 1<BR /> authentication pre-share<BR /> encryption 3des<BR /> hash md5<BR /> group 2<BR /> lifetime 86400<BR />telnet 192.168.9.0 255.255.255.0 Development<BR />telnet timeout 5<BR />ssh 0.0.0.0 0.0.0.0 outside<BR />ssh 0.0.0.0 0.0.0.0 Development<BR />ssh 0.0.0.0 0.0.0.0 inside<BR />ssh 0.0.0.0 0.0.0.0 CCC<BR />ssh 0.0.0.0 0.0.0.0 office<BR />ssh 0.0.0.0 0.0.0.0 hulian<BR />ssh timeout 60<BR />ssh version 2<BR />console timeout 0<BR />no ipv6-vpn-addr-assign aaa<BR />no ipv6-vpn-addr-assign local<BR />vpn-sessiondb max-other-vpn-limit 5000<BR />vpn-sessiondb max-anyconnect-premium-or-essentials-limit 2<BR />dhcpd update dns <BR />!<BR />dhcpd address 192.168.8.2-192.168.8.239 CallCenter<BR />dhcpd dns 114.114.114.114 interface CallCenter<BR />dhcpd enable CallCenter<BR />!<BR />dhcpd address 192.168.9.2-192.168.9.239 Development<BR />dhcpd dns 114.114.114.114 interface Development<BR />dhcpd enable Development<BR />!<BR />dhcpd address 192.168.255.2-192.168.255.252 inside<BR />dhcpd dns 114.114.114.114 interface inside<BR />dhcpd enable inside<BR />!<BR />dhcpd address 192.168.10.50-192.168.10.239 office<BR />dhcpd dns 114.114.114.114 interface office<BR />dhcpd enable office<BR />!<BR />!<BR />tls-proxy maximum-session 3000<BR />!<BR />threat-detection basic-threat<BR />threat-detection statistics access-list<BR />no threat-detection statistics tcp-intercept<BR />ssl encryption aes128-sha1<BR />ssl trust-point ASDM_TrustPoint0_anyconnect inside<BR />ssl trust-point ASDM_TrustPoint0 outside<BR />webvpn<BR /> enable outside<BR /> anyconnect-essentials<BR /> anyconnect image disk0:/anyconnect-win-2.4.1012-k9.pkg 1<BR /> anyconnect image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2<BR /> anyconnect enable<BR /> tunnel-group-list enable<BR /> keepout "Service out temporarily."<BR />group-policy SSL-vpn_policy_remote internal<BR />group-policy SSL-vpn_policy_remote attributes<BR /> wins-server none<BR /> dns-server value 114.114.114.114<BR /> vpn-tunnel-protocol ssl-client ssl-clientless<BR /> split-tunnel-policy tunnelall<BR /> split-tunnel-network-list value remote-vpn_splitTunnelAcl<BR /> default-domain value sirun.net<BR /> split-dns value 114.114.114<BR /> address-pools value vpn-pool<BR />group-policy DefaultRAGroup internal<BR />group-policy DefaultRAGroup attributes<BR /> vpn-tunnel-protocol l2tp-ipsec <BR /> split-tunnel-policy tunnelspecified<BR /> split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl<BR />group-policy DfltGrpPolicy attributes<BR /> vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless<BR />group-policy GroupPolicy_120.27.234.197 internal<BR />group-policy GroupPolicy_120.27.234.197 attributes<BR /> vpn-tunnel-protocol ikev1 <BR />group-policy GroupPolicy1 internal<BR />group-policy GroupPolicy1 attributes<BR /> vpn-tunnel-protocol ikev1 <BR />username test02 password /cXt2mD.GZuIfGDN encrypted<BR />username test01 password 274Y4GRAbNElaCoV encrypted privilege 15<BR />username test01 attributes<BR /> vpn-group-policy SSL-vpn_policy_remote<BR />username caokai password vZOq68hnoLuvTlsi2pHOpw== nt-encrypted privilege 15<BR />username caokai attributes<BR /> vpn-group-policy DefaultRAGroup<BR />username admin password w4b7RpK6u3LUsuXd encrypted privilege 15<BR />username admin attributes<BR /> service-type admin<BR />tunnel-group DefaultRAGroup general-attributes<BR /> address-pool vpn-pool<BR /> default-group-policy DefaultRAGroup<BR />tunnel-group DefaultRAGroup ipsec-attributes<BR /> ikev1 pre-shared-key *****<BR />tunnel-group DefaultRAGroup ppp-attributes<BR /> no authentication ms-chap-v1<BR /> authentication ms-chap-v2<BR />tunnel-group 121.196.200.96 type ipsec-l2l<BR />tunnel-group 121.196.200.96 general-attributes<BR /> default-group-policy GroupPolicy1<BR />tunnel-group 121.196.200.96 ipsec-attributes<BR /> ikev1 pre-shared-key *****<BR />tunnel-group 120.27.234.197 type ipsec-l2l<BR />tunnel-group 120.27.234.197 general-attributes<BR /> default-group-policy GroupPolicy_120.27.234.197<BR />tunnel-group 120.27.234.197 ipsec-attributes<BR /> ikev1 pre-shared-key *****<BR /> ikev2 remote-authentication pre-shared-key *****<BR /> ikev2 local-authentication pre-shared-key *****<BR />tunnel-group sslvpn-remote_anyconnect type remote-access<BR />tunnel-group sslvpn-remote_anyconnect general-attributes<BR /> address-pool vpn-pool<BR /> default-group-policy SSL-vpn_policy_remote<BR />tunnel-group sslvpn-remote_anyconnect webvpn-attributes<BR /> group-alias SSLVPNClient enable<BR />tunnel-group-map enable rules<BR />!<BR />!<BR />prompt hostname context <BR />no call-home reporting anonymous<BR />call-home<BR /> profile CiscoTAC-1<BR /> no active<BR /> destination address http <A href="https://tools.cisco.com/its/service/oddce/services/DDCEService" target="test_blank">https://tools.cisco.com/its/service/oddce/services/DDCEService</A><BR /> destination address email <A href="mailto:&quot;callhome@cisco.com&quot;">callhome@cisco.com</A><BR /> destination transport-method http<BR /> subscribe-to-alert-group diagnostic<BR /> subscribe-to-alert-group environment<BR /> subscribe-to-alert-group inventory periodic monthly<BR /> subscribe-to-alert-group configuration periodic monthly<BR /> subscribe-to-alert-group telemetry periodic daily<BR />Cryptochecksum:00055f0b97a5bc792db25f24a62ea3ed<BR />: end<BR /> Fri, 03 Mar 2017 06:56:10 GMT https://community.cisco.com/t5/%E5%AE%89%E5%85%A8%E8%AE%A8%E8%AE%BA%E5%8C%BA/asa5550nat%E6%95%85%E9%9A%9C%E5%92%8C-anyconnect-vpn-%E9%85%8D%E7%BD%AE%E5%AE%8C%E6%AF%95%E5%90%8E%E8%BF%9C%E7%A8%8B%E8%83%BD%E8%BF%9E%E6%8E%A5%E4%B8%8A%E4%BD%86%E6%97%A0%E6%B3%95%E8%AE%BF%E9%97%AE%E5%88%B0%E5%86%85%E9%83%A8%E7%9A%84%E6%9C%BA%E5%99%A8/m-p/4341567#M5132 w67531549 2017-03-03T06:56:10Z https://community.cisco.com/t5/%E5%AE%89%E5%85%A8%E8%AE%A8%E8%AE%BA%E5%8C%BA/asa5550nat%E6%95%85%E9%9A%9C%E5%92%8C-anyconnect-vpn-%E9%85%8D%E7%BD%AE%E5%AE%8C%E6%AF%95%E5%90%8E%E8%BF%9C%E7%A8%8B%E8%83%BD%E8%BF%9E%E6%8E%A5%E4%B8%8A%E4%BD%86%E6%97%A0%E6%B3%95%E8%AE%BF%E9%97%AE%E5%88%B0%E5%86%85%E9%83%A8%E7%9A%84%E6%9C%BA%E5%99%A8/m-p/4341568#M5133 感谢您的提问！稍后会有小伙伴为您解答的！ Fri, 03 Mar 2017 10:26:02 GMT https://community.cisco.com/t5/%E5%AE%89%E5%85%A8%E8%AE%A8%E8%AE%BA%E5%8C%BA/asa5550nat%E6%95%85%E9%9A%9C%E5%92%8C-anyconnect-vpn-%E9%85%8D%E7%BD%AE%E5%AE%8C%E6%AF%95%E5%90%8E%E8%BF%9C%E7%A8%8B%E8%83%BD%E8%BF%9E%E6%8E%A5%E4%B8%8A%E4%BD%86%E6%97%A0%E6%B3%95%E8%AE%BF%E9%97%AE%E5%88%B0%E5%86%85%E9%83%A8%E7%9A%84%E6%9C%BA%E5%99%A8/m-p/4341568#M5133 one-time 2017-03-03T10:26:02Z https://community.cisco.com/t5/%E5%AE%89%E5%85%A8%E8%AE%A8%E8%AE%BA%E5%8C%BA/asa5550nat%E6%95%85%E9%9A%9C%E5%92%8C-anyconnect-vpn-%E9%85%8D%E7%BD%AE%E5%AE%8C%E6%AF%95%E5%90%8E%E8%BF%9C%E7%A8%8B%E8%83%BD%E8%BF%9E%E6%8E%A5%E4%B8%8A%E4%BD%86%E6%97%A0%E6%B3%95%E8%AE%BF%E9%97%AE%E5%88%B0%E5%86%85%E9%83%A8%E7%9A%84%E6%9C%BA%E5%99%A8/m-p/4341569#M5134 是否ASA 到内部服务器还有三层交换机或者路由器，他们之间的路由没有做？ 感兴趣流是否有放通内网服务器与VPN 网段！ Mon, 06 Mar 2017 06:09:39 GMT https://community.cisco.com/t5/%E5%AE%89%E5%85%A8%E8%AE%A8%E8%AE%BA%E5%8C%BA/asa5550nat%E6%95%85%E9%9A%9C%E5%92%8C-anyconnect-vpn-%E9%85%8D%E7%BD%AE%E5%AE%8C%E6%AF%95%E5%90%8E%E8%BF%9C%E7%A8%8B%E8%83%BD%E8%BF%9E%E6%8E%A5%E4%B8%8A%E4%BD%86%E6%97%A0%E6%B3%95%E8%AE%BF%E9%97%AE%E5%88%B0%E5%86%85%E9%83%A8%E7%9A%84%E6%9C%BA%E5%99%A8/m-p/4341569#M5134 fortune 2017-03-06T06:09:39Z https://community.cisco.com/t5/%E5%AE%89%E5%85%A8%E8%AE%A8%E8%AE%BA%E5%8C%BA/asa5550nat%E6%95%85%E9%9A%9C%E5%92%8C-anyconnect-vpn-%E9%85%8D%E7%BD%AE%E5%AE%8C%E6%AF%95%E5%90%8E%E8%BF%9C%E7%A8%8B%E8%83%BD%E8%BF%9E%E6%8E%A5%E4%B8%8A%E4%BD%86%E6%97%A0%E6%B3%95%E8%AE%BF%E9%97%AE%E5%88%B0%E5%86%85%E9%83%A8%E7%9A%84%E6%9C%BA%E5%99%A8/m-p/4341570#M5135 上个拓扑吧！ Tue, 07 Mar 2017 03:41:23 GMT https://community.cisco.com/t5/%E5%AE%89%E5%85%A8%E8%AE%A8%E8%AE%BA%E5%8C%BA/asa5550nat%E6%95%85%E9%9A%9C%E5%92%8C-anyconnect-vpn-%E9%85%8D%E7%BD%AE%E5%AE%8C%E6%AF%95%E5%90%8E%E8%BF%9C%E7%A8%8B%E8%83%BD%E8%BF%9E%E6%8E%A5%E4%B8%8A%E4%BD%86%E6%97%A0%E6%B3%95%E8%AE%BF%E9%97%AE%E5%88%B0%E5%86%85%E9%83%A8%E7%9A%84%E6%9C%BA%E5%99%A8/m-p/4341570#M5135 xuxianda7 2017-03-07T03:41:23Z https://community.cisco.com/t5/%E5%AE%89%E5%85%A8%E8%AE%A8%E8%AE%BA%E5%8C%BA/asa5550nat%E6%95%85%E9%9A%9C%E5%92%8C-anyconnect-vpn-%E9%85%8D%E7%BD%AE%E5%AE%8C%E6%AF%95%E5%90%8E%E8%BF%9C%E7%A8%8B%E8%83%BD%E8%BF%9E%E6%8E%A5%E4%B8%8A%E4%BD%86%E6%97%A0%E6%B3%95%E8%AE%BF%E9%97%AE%E5%88%B0%E5%86%85%E9%83%A8%E7%9A%84%E6%9C%BA%E5%99%A8/m-p/4341571#M5136 <I> 本帖最后由 arvinjing 于 2017-3-10 12:04 编辑 </I><BR />先说anyconnect , 不能访问内部网络有2方面的原因，1.没有路由，需要检查分割列表。2.NAT问题，需要检查VPN的NONAT配置, 从内部网络去往vpn pool地址的流量不能NAT<BR />第一、隧道分割列表建议更改为扩展列表，当然使用标准列表也没有问题access-list remote-vpn_splitTunnelAcl standard permit 192.168.255.0 255.255.255.0<BR />建议更改为：access-list remote-vpn_splitTunnelAcl extend permit ip object test192.168.255.0 any<BR />第二、你的VPN pool地址和内网地址在同一个地址段内，我设计VPN的时候是分开的，建议分开，可能会影响其他NAT和ACL的配置，造成思路不清晰， 假如同一网段的话，那么你的NAT 写的也是错误的，原地址是需要访问的目标网段，destination 是vpn pool 地址，应该是这样的语句nat (inside,outside) source static test192.168.255.0 test192.168.255.0 destination static test192.168.255.0 test192.168.255.0<BR />NAT 做对了，anyconnect VPN应该就正常了<BR /> Fri, 10 Mar 2017 01:25:45 GMT https://community.cisco.com/t5/%E5%AE%89%E5%85%A8%E8%AE%A8%E8%AE%BA%E5%8C%BA/asa5550nat%E6%95%85%E9%9A%9C%E5%92%8C-anyconnect-vpn-%E9%85%8D%E7%BD%AE%E5%AE%8C%E6%AF%95%E5%90%8E%E8%BF%9C%E7%A8%8B%E8%83%BD%E8%BF%9E%E6%8E%A5%E4%B8%8A%E4%BD%86%E6%97%A0%E6%B3%95%E8%AE%BF%E9%97%AE%E5%88%B0%E5%86%85%E9%83%A8%E7%9A%84%E6%9C%BA%E5%99%A8/m-p/4341571#M5136 jingjian 2017-03-10T01:25:45Z https://community.cisco.com/t5/%E5%AE%89%E5%85%A8%E8%AE%A8%E8%AE%BA%E5%8C%BA/asa5550nat%E6%95%85%E9%9A%9C%E5%92%8C-anyconnect-vpn-%E9%85%8D%E7%BD%AE%E5%AE%8C%E6%AF%95%E5%90%8E%E8%BF%9C%E7%A8%8B%E8%83%BD%E8%BF%9E%E6%8E%A5%E4%B8%8A%E4%BD%86%E6%97%A0%E6%B3%95%E8%AE%BF%E9%97%AE%E5%88%B0%E5%86%85%E9%83%A8%E7%9A%84%E6%9C%BA%E5%99%A8/m-p/4341572#M5137 你的第二个问题关于端口映射分三个步骤检查<BR />1.object 定义的host是否正确，先检查端口22的object, 可以在定义一个object-group，包含这些object，方便写列表<BR />object network obj_172.16.7.210:22<BR />host 172.16.7.210<BR />object network obj_172.16.7.211:22<BR />host 172.16.7.211<BR />object network obj_172.16.7.212:22<BR />host 172.16.7.212<BR />object network obj_172.16.7.213:22<BR />host 172.16.7.213<BR />object network obj_172.16.7.203:22<BR />host 172.16.7.203<BR />object network obj_192.168.9.67:22<BR />host 192.168.9.67<BR />2. 检查nat 端口映射的配置，端口映射的原则：1一个public IP地址，可以对应不同的服务，<A href="https://community.cisco.com/www.ftp.ssh">www.ftp.ssh</A>等，这么多主机要开放22端口，1个地址肯定是做不到的。我检查你的配置没有发现关于端口22的映射，因为没有拓扑，看不到172.16.7.0/24的流量从哪个接口进入，假设从inside进入，我定义一个nat<BR />object network obj_172.16.7.210:22<BR /> nat (inside,outside) static A.B.C.D service tcp 22 22<BR />3.检查从外部访问的ACL的放行流量<BR />检测了你的配置，没有发现关于端口22放行的ACL<BR />access-list outside_access_in extended permit tcp any object obj_172.16.7.210:22 eq 22<BR />希望给你一个思路，整理一下的你的object、NAT和ACL的配置，条目虽然很多，但是思路一定要清晰。<BR /> Fri, 03 Mar 2017 06:56:11 GMT https://community.cisco.com/t5/%E5%AE%89%E5%85%A8%E8%AE%A8%E8%AE%BA%E5%8C%BA/asa5550nat%E6%95%85%E9%9A%9C%E5%92%8C-anyconnect-vpn-%E9%85%8D%E7%BD%AE%E5%AE%8C%E6%AF%95%E5%90%8E%E8%BF%9C%E7%A8%8B%E8%83%BD%E8%BF%9E%E6%8E%A5%E4%B8%8A%E4%BD%86%E6%97%A0%E6%B3%95%E8%AE%BF%E9%97%AE%E5%88%B0%E5%86%85%E9%83%A8%E7%9A%84%E6%9C%BA%E5%99%A8/m-p/4341572#M5137 jingjian 2017-03-03T06:56:11Z https://community.cisco.com/t5/%E5%AE%89%E5%85%A8%E8%AE%A8%E8%AE%BA%E5%8C%BA/asa5550nat%E6%95%85%E9%9A%9C%E5%92%8C-anyconnect-vpn-%E9%85%8D%E7%BD%AE%E5%AE%8C%E6%AF%95%E5%90%8E%E8%BF%9C%E7%A8%8B%E8%83%BD%E8%BF%9E%E6%8E%A5%E4%B8%8A%E4%BD%86%E6%97%A0%E6%B3%95%E8%AE%BF%E9%97%AE%E5%88%B0%E5%86%85%E9%83%A8%E7%9A%84%E6%9C%BA%E5%99%A8/m-p/4341573#M5138 <BLOCKQUOTE><FONT size="2"><A href="https://community.cisco.com/forum.php?mod=redirect&amp;goto=findpost&amp;pid=990214&amp;ptid=969201" target="_blank"><FONT color="#999999">vsop5207 发表于 2017-3-6 14:09</FONT></A></FONT><BR />是否ASA 到内部服务器还有三层交换机或者路由器，他们之间的路由没有做？ 感兴趣流是否有放通内网服务器与 ...</BLOCKQUOTE><BR />感谢您的回复！20金钱已发放给您啦~ Mon, 13 Mar 2017 01:58:16 GMT https://community.cisco.com/t5/%E5%AE%89%E5%85%A8%E8%AE%A8%E8%AE%BA%E5%8C%BA/asa5550nat%E6%95%85%E9%9A%9C%E5%92%8C-anyconnect-vpn-%E9%85%8D%E7%BD%AE%E5%AE%8C%E6%AF%95%E5%90%8E%E8%BF%9C%E7%A8%8B%E8%83%BD%E8%BF%9E%E6%8E%A5%E4%B8%8A%E4%BD%86%E6%97%A0%E6%B3%95%E8%AE%BF%E9%97%AE%E5%88%B0%E5%86%85%E9%83%A8%E7%9A%84%E6%9C%BA%E5%99%A8/m-p/4341573#M5138 one-time 2017-03-13T01:58:16Z https://community.cisco.com/t5/%E5%AE%89%E5%85%A8%E8%AE%A8%E8%AE%BA%E5%8C%BA/asa5550nat%E6%95%85%E9%9A%9C%E5%92%8C-anyconnect-vpn-%E9%85%8D%E7%BD%AE%E5%AE%8C%E6%AF%95%E5%90%8E%E8%BF%9C%E7%A8%8B%E8%83%BD%E8%BF%9E%E6%8E%A5%E4%B8%8A%E4%BD%86%E6%97%A0%E6%B3%95%E8%AE%BF%E9%97%AE%E5%88%B0%E5%86%85%E9%83%A8%E7%9A%84%E6%9C%BA%E5%99%A8/m-p/4341574#M5139 <BLOCKQUOTE><FONT size="2"><A href="https://community.cisco.com/forum.php?mod=redirect&amp;goto=findpost&amp;pid=990345&amp;ptid=969201" target="_blank"><FONT color="#999999">arvinjing 发表于 2017-3-10 09:58</FONT></A></FONT><BR />你的第二个问题关于端口映射分三个步骤检查<BR />1.object 定义的host是否正确，先检查端口22的object, 可以在 ...</BLOCKQUOTE><BR />感谢您的回复！20金钱已发放给您啦~ Mon, 13 Mar 2017 01:58:34 GMT https://community.cisco.com/t5/%E5%AE%89%E5%85%A8%E8%AE%A8%E8%AE%BA%E5%8C%BA/asa5550nat%E6%95%85%E9%9A%9C%E5%92%8C-anyconnect-vpn-%E9%85%8D%E7%BD%AE%E5%AE%8C%E6%AF%95%E5%90%8E%E8%BF%9C%E7%A8%8B%E8%83%BD%E8%BF%9E%E6%8E%A5%E4%B8%8A%E4%BD%86%E6%97%A0%E6%B3%95%E8%AE%BF%E9%97%AE%E5%88%B0%E5%86%85%E9%83%A8%E7%9A%84%E6%9C%BA%E5%99%A8/m-p/4341574#M5139 one-time 2017-03-13T01:58:34Z https://community.cisco.com/t5/%E5%AE%89%E5%85%A8%E8%AE%A8%E8%AE%BA%E5%8C%BA/asa5550nat%E6%95%85%E9%9A%9C%E5%92%8C-anyconnect-vpn-%E9%85%8D%E7%BD%AE%E5%AE%8C%E6%AF%95%E5%90%8E%E8%BF%9C%E7%A8%8B%E8%83%BD%E8%BF%9E%E6%8E%A5%E4%B8%8A%E4%BD%86%E6%97%A0%E6%B3%95%E8%AE%BF%E9%97%AE%E5%88%B0%E5%86%85%E9%83%A8%E7%9A%84%E6%9C%BA%E5%99%A8/m-p/4341575#M5140 <BLOCKQUOTE><FONT size="2"><A href="https://community.cisco.com/forum.php?mod=redirect&amp;goto=findpost&amp;pid=990271&amp;ptid=969201" target="_blank"><FONT color="#999999">xuxianda7 发表于 2017-3-7 11:41</FONT></A></FONT><BR />上个拓扑吧！</BLOCKQUOTE><BR />感谢您的回复！20金钱已发放给您啦~ Mon, 13 Mar 2017 01:59:00 GMT https://community.cisco.com/t5/%E5%AE%89%E5%85%A8%E8%AE%A8%E8%AE%BA%E5%8C%BA/asa5550nat%E6%95%85%E9%9A%9C%E5%92%8C-anyconnect-vpn-%E9%85%8D%E7%BD%AE%E5%AE%8C%E6%AF%95%E5%90%8E%E8%BF%9C%E7%A8%8B%E8%83%BD%E8%BF%9E%E6%8E%A5%E4%B8%8A%E4%BD%86%E6%97%A0%E6%B3%95%E8%AE%BF%E9%97%AE%E5%88%B0%E5%86%85%E9%83%A8%E7%9A%84%E6%9C%BA%E5%99%A8/m-p/4341575#M5140 one-time 2017-03-13T01:59:00Z https://community.cisco.com/t5/%E5%AE%89%E5%85%A8%E8%AE%A8%E8%AE%BA%E5%8C%BA/asa5550nat%E6%95%85%E9%9A%9C%E5%92%8C-anyconnect-vpn-%E9%85%8D%E7%BD%AE%E5%AE%8C%E6%AF%95%E5%90%8E%E8%BF%9C%E7%A8%8B%E8%83%BD%E8%BF%9E%E6%8E%A5%E4%B8%8A%E4%BD%86%E6%97%A0%E6%B3%95%E8%AE%BF%E9%97%AE%E5%88%B0%E5%86%85%E9%83%A8%E7%9A%84%E6%9C%BA%E5%99%A8/m-p/4341576#M5141 若您的问题已解决，请不要忘了标记最佳答案！ Mon, 13 Mar 2017 02:07:45 GMT https://community.cisco.com/t5/%E5%AE%89%E5%85%A8%E8%AE%A8%E8%AE%BA%E5%8C%BA/asa5550nat%E6%95%85%E9%9A%9C%E5%92%8C-anyconnect-vpn-%E9%85%8D%E7%BD%AE%E5%AE%8C%E6%AF%95%E5%90%8E%E8%BF%9C%E7%A8%8B%E8%83%BD%E8%BF%9E%E6%8E%A5%E4%B8%8A%E4%BD%86%E6%97%A0%E6%B3%95%E8%AE%BF%E9%97%AE%E5%88%B0%E5%86%85%E9%83%A8%E7%9A%84%E6%9C%BA%E5%99%A8/m-p/4341576#M5141 one-time 2017-03-13T02:07:45Z