Good day, all.
A user connects to the office network with the VPN client built into Windows.
After connecting, he cannot see the resources on the office LAN,
which is, after all, the whole point of the VPN connection.
Config:
ASA Version 9.12(4)10
!
terminal width 160
hostname ciscoasa
enable password ***** pbkdf2
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
service-module ips keepalive-timeout 4
service-module ips keepalive-counter 6
service-module cxsc keepalive-timeout 4
service-module cxsc keepalive-counter 6
service-module sfr keepalive-timeout 4
service-module sfr keepalive-counter 6
passwd ***** encrypted
names
no mac-address auto
ip local pool vpn_pool 192.168.201.1-192.168.201.99 mask 255.255.252.0
!
interface GigabitEthernet0/0
 nameif WAN
 security-level 0
 ip address 91.135.154.138 255.255.255.248
!
interface GigabitEthernet0/1
 nameif LAN
 security-level 100
 ip address 192.168.200.10 255.255.252.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa9-12-4-10-smp-k8.bin
ftp mode passive
clock timezone MSK/MSD 3
clock summer-time MSK/MDD recurring last Sun Mar 2:00 last Sun Oct 3:00
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network LAN
 subnet 192.168.200.0 255.255.252.0
object network NUX_LAN
 subnet 192.168.10.0 255.255.255.0
object network freepbx-sip
 host 192.168.202.1
object network freepbx-sipudp
 host 192.168.202.1
object network m1smtp
 host 192.168.200.4
object network m1https
 host 192.168.200.4
object network lan1
 subnet 192.168.200.0 255.255.252.0
object network vpnclients
 range 192.168.201.0 192.168.201.99
object-group network enterprise
 network-object object lan1
access-list L2LACL extended permit ip 192.168.200.0 255.255.252.0 192.168.10.0 255.255.255.0
access-list ALL extended permit tcp host 195.94.224.208 host 192.168.202.1 eq sip
access-list ALL extended permit udp host 195.94.224.208 host 192.168.202.1 eq sip
access-list ALL extended permit tcp any host 192.168.200.4 eq smtp
access-list ALL extended permit tcp any host 192.168.200.138 eq 3389
access-list ALL extended permit tcp any host 192.168.200.14 eq 3389
access-list ALL extended permit tcp any host 192.168.200.4 eq https
access-list SPLIT_TUN extended permit ip object-group enterprise any
pager lines 24
logging enable
logging asdm informational
mtu WAN 1500
mtu LAN 1500
mtu management 1500
no failover
no failover wait-disable
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7131-101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (LAN,WAN) source static LAN LAN destination static NUX_LAN NUX_LAN
nat (LAN,WAN) source static LAN LAN destination static vpnclients vpnclients
!
object network obj_any
 nat (LAN,WAN) dynamic interface
object network freepbx-sip
 nat (LAN,WAN) static interface service tcp sip sip
object network freepbx-sipudp
 nat (LAN,WAN) static interface service udp sip sip
object network m1smtp
 nat (LAN,WAN) static interface service tcp smtp smtp
object network m1https
 nat (LAN,WAN) static interface service tcp https https
access-group ALL in interface WAN
route WAN 0.0.0.0 0.0.0.0 91.135.154.137 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server DC2 protocol radius
aaa-server DC2 (LAN) host 192.168.200.2
 timeout 5
 key *****
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 192.168.200.0 255.255.252.0 LAN
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set 3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-3DES-SHA-TRANS
crypto map TEST_MAP 10 match address L2LACL
crypto map TEST_MAP 10 set pfs
crypto map TEST_MAP 10 set peer 90.150.87.134
crypto map TEST_MAP 10 set ikev1 transform-set 3DES_SHA
crypto map TEST_MAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map TEST_MAP interface WAN
crypto ca trustpool policy
crypto ikev1 enable WAN
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
ssh 213.171.51.58 255.255.255.255 WAN
ssh 192.168.200.0 255.255.252.0 LAN
console timeout 0
!
tls-proxy maximum-session 500
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 hsts
  enable
  max-age 31536000
  include-sub-domains
  no preload
 http-headers
  x-content-type-options
  x-xss-protection
  content-security-policy
 anyconnect-essentials
 cache
  disable
 error-recovery disable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.200.1 192.168.200.2
 vpn-simultaneous-logins 100
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUN
 default-domain value npf.local
dynamic-access-policy-record DfltAccessPolicy
username cadmin password ***** encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 address-pool vpn_pool
 authentication-server-group DC2
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 no authentication ms-chap-v1
 authentication ms-chap-v2
tunnel-group 90.150.87.134 type ipsec-l2l
tunnel-group 90.150.87.134 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect sip
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
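Editorial note added here, not part of the original post. One thing visible in the posted config itself: the address pool vpn_pool (192.168.201.1-192.168.201.99) lies inside the LAN interface's /22 (192.168.200.10 255.255.252.0 covers 192.168.200.0 through 192.168.203.255), and the pool even carries that same /22 mask. A LAN host that receives a packet from 192.168.201.x therefore considers the client on-link and ARPs for it rather than sending its reply to the ASA, so the reply only gets back into the tunnel if something on the LAN answers ARP for the pool addresses. The fragment below places the posted (overlapping) settings beside a non-overlapping version as an example; 192.168.210.0/24 is an assumed range chosen for illustration, not something from the post.

```cisco
! --- Posted configuration: the pool sits inside the LAN /22 ---
! interface GigabitEthernet0/1
!  nameif LAN
!  ip address 192.168.200.10 255.255.252.0     <- 192.168.200.0 - 192.168.203.255
! ip local pool vpn_pool 192.168.201.1-192.168.201.99 mask 255.255.252.0
! object network vpnclients
!  range 192.168.201.0 192.168.201.99
! nat (LAN,WAN) source static LAN LAN destination static vpnclients vpnclients

! --- Example change: pool moved outside every connected subnet ---
! (192.168.210.0/24 is an assumed example range.)
! The pool's range cannot be edited in place while the tunnel-group
! references it, so detach it, delete it and re-create it.
tunnel-group DefaultRAGroup general-attributes
 no address-pool vpn_pool
no ip local pool vpn_pool
! Mask now describes the pool's own network, not the LAN's.
ip local pool vpn_pool 192.168.210.1-192.168.210.99 mask 255.255.255.0
tunnel-group DefaultRAGroup general-attributes
 address-pool vpn_pool
! The identity-NAT exemption references this object by name, so updating
! the range keeps LAN<->client traffic out of the obj_any dynamic PAT
! without re-entering the nat statement.
object network vpnclients
 range 192.168.210.1 192.168.210.99
! SPLIT_TUN (object-group enterprise = 192.168.200.0/22) already pushes the
! whole LAN, including 192.168.202.1 and the DNS servers, to the client,
! so the split-tunnel list needs no change.
```

Unrelated to the reachability problem, but worth noting from the same config: the IKEv1 policy (3des, sha, group 2), both transform sets and `ssh key-exchange group dh-group1-sha1` are weak by current standards; the Windows built-in client can negotiate stronger IKEv1 proposals, so this is worth revisiting once the tunnel is working.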
Use packet-tracer. Everything will become clear right away.
For TCP/UDP the syntax is:
ASA# packet-tracer input <intf-name> <tcp|udp> <sIP> <sport> <dIP> <dport> [detailed|xml]
For ICMP the syntax is:
ASA# packet-tracer input <intf-name> icmp <sIP> <type> <code> [identifier] <dIP> [detailed|xml]
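A worked invocation of the two syntaxes above against the posted config, added here as an example and not part of the reply. The client address 192.168.201.5, the ephemeral port 49152 and the target 192.168.200.4 port 445 are assumptions chosen to stand for "a VPN client reaching a LAN file server".

```cisco
! Decrypted L2TP/IPsec traffic enters the ASA on the interface the tunnel
! terminates on (WAN here), with the client's pool address as source.
! Run this while the client is actually connected, so the VPN phase has a
! tunnel to match against.
ciscoasa# packet-tracer input WAN tcp 192.168.201.5 49152 192.168.200.4 445 detailed

! What to look for in the phases printed:
!  - the NAT phase should match the exemption
!      nat (LAN,WAN) source static LAN LAN destination static vpnclients vpnclients
!    and not the obj_any "nat (LAN,WAN) dynamic interface" PAT;
!  - the closing Result block should name LAN as output-interface and end
!    with "Action: allow"; a drop names the phase and the drop reason.

! Return direction, as the server's reply would enter from the LAN:
ciscoasa# packet-tracer input LAN tcp 192.168.200.4 445 192.168.201.5 49152 detailed

! ICMP echo request (type 8, code 0) from the client to the same server:
ciscoasa# packet-tracer input WAN icmp 192.168.201.5 8 0 192.168.200.4 detailed
```

Comparing the two TCP runs is the useful part: if the forward trace is allowed but the return trace is dropped or routed out a different interface, the problem is on the LAN side (routing or NAT toward the pool) rather than in the client's access.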
Of course, this is better done in ASDM, which, frankly, is also how the ASA should be configured. Working with the ASA through the CLI is a pain.
ASDM is a pain too.