December 2020
4641 views, 0 Helpful, 11 Replies

savi_bj
Beginner

A question about VPN?

Fellow experts:
I have a question. We have two sites: site A is 172.16.X.X and site B is 10.0.1.X, and the IPsec VPN between them is already up. The problem is that after a remote client connects over the remote-access VPN, it can only reach the intranet of the site it connected to; the other site is unreachable. What is causing this?
Site A
access-list no-nat extended permit ip 172.16.0.0 255.255.0.0 10.0.0.0 255.255.0.0
access-list no-nat extended permit ip 172.16.0.0 255.255.0.0 172.16.200.0 255.255.255.0
access-list vpnsplit extended permit ip 172.16.0.0 255.255.0.0 any
access-list vpnsplit extended permit ip 10.0.0.0 255.0.0.0 any
access-list vpnsplit extended permit ip 172.16.0.0 255.255.0.0 10.0.0.0 255.255.0.0
access-list office-idc extended permit ip 172.16.0.0 255.255.0.0 10.0.1.0 255.255.255.0
access-list vpn extended permit ip 172.16.0.0 255.255.0.0 10.0.1.0 255.255.255.0
Remote-access VPN address pool
ip local pool vpnpool 172.16.200.10-172.16.200.100
Site B
access-list vpn extended permit ip 10.0.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list no-nat extended permit ip 10.0.1.0 255.255.255.0 172.16.0.0 255.255.0.0
11 Replies
suzhouxiaoniu
Advocate

Did you configure split tunneling?
Mansur
Engager

How are these ACLs applied?
savi_bj
Beginner

Split tunneling is configured:
access-list 110 extended permit icmp any any
access-list 110 extended permit tcp any host 117.121.38.239 eq telnet
access-list 110 extended permit ip any any
access-list 110 extended permit tcp any host 117.121.38.239 eq 2311
access-list 110 extended permit tcp any host 117.121.38.239 eq 2318
access-list 110 extended permit tcp any host 117.121.38.239 eq 2212
access-list 110 extended permit tcp any host 117.121.38.239 eq 2210
access-list no-nat extended permit ip 172.16.0.0 255.255.0.0 10.0.0.0 255.255.0.0
access-list no-nat extended permit ip 172.16.0.0 255.255.0.0 172.16.200.0 255.255.255.0
access-list vpnsplit extended permit ip 172.16.0.0 255.255.0.0 any
access-list vpnsplit extended permit ip 10.0.0.0 255.0.0.0 any
access-list vpnsplit extended permit ip 172.16.0.0 255.255.0.0 10.0.0.0 255.255.0.0
access-list office-idc extended permit ip 172.16.0.0 255.255.0.0 10.0.1.0 255.255.255.0
access-list vpn extended permit ip 172.16.0.0 255.255.0.0 10.0.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 172.16.200.10-172.16.200.100
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 110 in interface outside
route outside 0.0.0.0 0.0.0.0 117.121.38.* 1
route inside 172.16.0.0 255.255.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable 4430
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto dynamic-map dyn1 1 set transform-set firstset
crypto dynamic-map dyn1 1 set security-association lifetime seconds 28800
crypto dynamic-map dyn1 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map vpnclient 10 set transform-set cisco
crypto map csd 11 match address vpn
crypto map csd 11 set peer 210.12.5.202
crypto map csd 11 set transform-set csd
crypto map csd 12 ipsec-isakmp dynamic dyn1
crypto map csd interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy vpnclient internal
group-policy vpnclient attributes
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnsplit
nem enable
username xiaobai password LB6484npS0TIBGkg encrypted privilege 15
username cisco1 password KQARsSGAntj/FgVjWnyOaA== nt-encrypted
username cisco1 attributes
vpn-group-policy DefaultRAGroup
username cisco password miNpFG.9QSZNEuyO encrypted privilege 15
username cisco attributes
vpn-group-policy vpnclient
tunnel-group vpnclient type remote-access
tunnel-group vpnclient general-attributes
address-pool vpnpool
default-group-policy vpnclient
tunnel-group vpnclient ipsec-attributes
pre-shared-key *
tunnel-group 210.12.5.* type ipsec-l2l
tunnel-group 210.12.5.* ipsec-attributes
pre-shared-key *
savi_bj
Beginner

ASA Version 8.2(1)
interface Vlan1
nameif inside
security-level 100
ip address 10.0.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 210.12.5.X 255.255.255.252
!
access-list no-nat extended permit ip 10.0.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list vpn extended permit ip 10.0.1.0 255.255.255.0 172.16.0.0 255.255.0.0
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
crypto dynamic-map dynamic 10 set transform-set vpn-idc
crypto map office-idc 10 ipsec-isakmp dynamic dynamic
crypto map csd 11 match address vpn
crypto map csd 11 set peer 117.121.38.X
crypto map csd 11 set transform-set csd
crypto map csd interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
ssh version 2
console timeout 0
dhcpd dns 202.106.0.20 114.114.114.114
!
dhcpd address 10.0.1.12-10.0.1.200 inside
dhcpd enable inside
tunnel-group 117.121.38.X type ipsec-l2l
tunnel-group 117.121.38.X ipsec-attributes
pre-shared-key *
ASA Version 8.2(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 117.121.38.X 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 1.1.1.2 255.255.255.252
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
access-list no-nat extended permit ip 172.16.0.0 255.255.0.0 10.0.0.0 255.255.0.0
access-list no-nat extended permit ip 172.16.0.0 255.255.0.0 172.16.200.0 255.255.255.0
access-list vpnsplit extended permit ip 172.16.0.0 255.255.0.0 any
access-list vpnsplit extended permit ip 10.0.0.0 255.0.0.0 any
access-list vpnsplit extended permit ip 172.16.0.0 255.255.0.0 10.0.0.0 255.255.0.0
access-list office-idc extended permit ip 172.16.0.0 255.255.0.0 10.0.1.0 255.255.255.0
access-list vpn extended permit ip 172.16.0.0 255.255.0.0 10.0.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 172.16.200.10-172.16.200.100
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 110 in interface outside
route outside 0.0.0.0 0.0.0.0 117.121.38.X 1
route inside 172.16.0.0 255.255.0.0 1.1.1.1 1
crypto dynamic-map dyn1 1 set transform-set firstset
crypto dynamic-map dyn1 1 set security-association lifetime seconds 28800
crypto dynamic-map dyn1 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map vpnclient 10 set transform-set cisco
crypto map csd 11 match address vpn
crypto map csd 11 set peer 210.12.5.X
crypto map csd 11 set transform-set csd
crypto map csd 12 ipsec-isakmp dynamic dyn1
crypto map csd interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy vpnclient internal
group-policy vpnclient attributes
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnsplit
nem enable
username cisco1 password KQARsSGAntj/FgVjWnyOaA== nt-encrypted
username cisco1 attributes
vpn-group-policy DefaultRAGroup
username cisco password miNpFG.9QSZNEuyO encrypted privilege 15
username cisco attributes
vpn-group-policy vpnclient
tunnel-group DefaultRAGroup general-attributes
address-pool vpnpool
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group vpnclient type remote-access
tunnel-group vpnclient general-attributes
address-pool vpnpool
default-group-policy vpnclient
tunnel-group vpnclient ipsec-attributes
pre-shared-key *
tunnel-group 210.12.5.X type ipsec-l2l
tunnel-group 210.12.5.X ipsec-attributes
pre-shared-key *
13nash
Collaborator

Is your requirement that the remote-access VPN should be able to reach the internal networks of both sites?
savi_bj
Beginner

Yes. Any remote VPN client, once dialed in, should be able to access both.
huoran1234
Participant

Since the VPN can dial in and pass traffic, it should not be a configuration problem. Does your ASA have a route to the remote site, and does the core have a route to the VPN subnet?
alina_xiao
Beginner

duxingxia posted on 2016-12-5 08:22:
ASA Version 8.2(1)
interface Vlan1
nameif inside

Thanks for sharing! I learned a lot!
savi_bj
Beginner

There are routes; the two sites can reach each other.
ayumi
Beginner

same-security-traffic permit intra-interface
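The last reply points at hairpinning: a remote-access client's decrypted traffic arrives on the outside interface and has to leave through outside again inside the site-to-site tunnel, which the ASA refuses unless intra-interface traffic is permitted. The following Python script is an added example, not from the thread: it parses the site A ACL lines posted above (embedded as a constructed config string), checks whether a client-pool to site B flow is covered by the split-tunnel, NAT-exempt and crypto ACLs, and reports whether the intra-interface permit from the final reply is present.

```python
import ipaddress

# Constructed from the site A ACL / NAT / crypto lines posted earlier in the thread.
SITE_A_CONFIG = """
access-list no-nat extended permit ip 172.16.0.0 255.255.0.0 10.0.0.0 255.255.0.0
access-list no-nat extended permit ip 172.16.0.0 255.255.0.0 172.16.200.0 255.255.255.0
access-list vpnsplit extended permit ip 172.16.0.0 255.255.0.0 any
access-list vpnsplit extended permit ip 10.0.0.0 255.0.0.0 any
access-list vpn extended permit ip 172.16.0.0 255.255.0.0 10.0.1.0 255.255.255.0
nat (inside) 0 access-list no-nat
crypto map csd 11 match address vpn
"""
HAIRPIN_LINE = "same-security-traffic permit intra-interface"

def _net(tokens):
    """Consume one ASA address spec ('any' or 'addr mask'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_aces(config):
    """Map ACL name -> list of (src_net, dst_net) for 'extended permit ip' entries."""
    acls = {}
    for line in config.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2:5] != ["extended", "permit", "ip"]:
            continue
        src, rest = _net(tok[5:])
        dst, _ = _net(rest)
        acls.setdefault(tok[1], []).append((src, dst))
    return acls

def acl_covers(acls, name, src_ip, dst_ip):
    """True if some ACE in ACL `name` matches the src -> dst flow."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in acls.get(name, []))

def diagnose(config, client_ip, remote_host):
    """Check what a hairpinned RA-client -> site B flow needs on the site A ASA."""
    acls = parse_aces(config)
    return {
        # split-tunnel ACE: the *source* field lists the networks pushed to the client
        "split_tunnel_pushes_site_b": acl_covers(acls, "vpnsplit", remote_host, client_ip),
        "no_nat_covers_flow": acl_covers(acls, "no-nat", client_ip, remote_host),
        "crypto_acl_covers_flow": acl_covers(acls, "vpn", client_ip, remote_host),
        "hairpin_permitted": HAIRPIN_LINE in config,
    }
```

Run against the posted config, every ACL check passes and only `hairpin_permitted` is false, which matches the symptom in the question; appending the line from the last reply turns it true.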