December 2020

wx_vzmRwaMb
Beginner

Site-to-site VPN: dialing in to one site cannot reach the other site

I have run into the following problem. Company A and Company B each have a Cisco ASA 5510 firewall (used only for VPN). A and B are currently connected to each other and form one LAN, so the two companies can reach each other. Site A also has the Cisco AnyConnect client access license enabled, so employees can reach the company's servers through Site A's VPN. The problem is: 1. After dialing into Site A's VPN with the Cisco AnyConnect client, I cannot directly reach any of the machines at Site B. 2. But if I connect to a server at Site A and ping a Site B server from there, it works. What do I need to do so that, once connected to Site A's VPN, I can reach Site B directly? Which VPN device needs which configuration added?
Attached are the network topology diagrams of companies A and B. Both VPN devices (A and B) sit below a router and a switch, with a public IP mapped to each.
1 Accepted Solution

Accepted Solution
YilinChen
Advocate

wx_vzmRwaMb posted on 2018-1-26 17:00
Here are the detailed configurations of both sites A and B. Could an expert please take a look at what commands need to be configured so that dialing into Site A's VPN gives direct access to Site B?
Site-A# s ...

On the Site-A firewall, the current L2L VPN configuration matches source IP addresses with this ACL:
object-group network local-network
network-object 192.168.10.0 255.255.255.0
network-object 192.168.30.0 255.255.254.0
network-object 192.168.20.0 255.255.255.0
10.10.10.0/24 (the SSL VPN address range) is missing.
The SSL VPN has a split-tunnel ACL in the configuration:
access-list sslvpn_Split extended permit ip 10.10.10.0 255.255.255.0 any4
access-list sslvpn_Split extended permit ip 192.168.10.0 255.255.255.0 any4
access-list sslvpn_Split extended permit ip 192.168.30.0 255.255.254.0 any4
access-list sslvpn_Split extended permit ip 192.168.20.0 255.255.255.0 any4
The entry access-list sslvpn_Split extended permit ip 10.10.10.0 255.255.255.0 any4 is a junk entry;
if you want a VPN dialed in from any physical location to reach both sites A and B, you need to add Site-B's internal address ranges.

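The accepted answer boils down to three lists that must agree for a packet from an AnyConnect client at Site A to reach a host at Site B: the split-tunnel list the client is given (does it even send the packet into the tunnel?), Site-A's crypto ACL (is the pool address selected for the L2L tunnel?), and Site-B's mirrored crypto ACL (does the return path match?). The script below is an added example, not code from the thread or from Cisco; it models those three checks over constructed excerpts of the two posted configurations and shows which check fails before the fix and why the jump-host path (a Site-A server as source) worked all along. It takes each split-tunnel ACE's source field as the network pushed to the client, the style the thread's ACL uses, and the client and target addresses (10.10.10.5, 192.168.20.50, 192.168.70.20) are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Ace = Tuple[List[Net], List[Net]]  # (source networks, destination networks)

# Constructed excerpts of the two configs posted in the thread, reduced to the lines that
# decide what the AnyConnect client tunnels and what each ASA selects for the L2L tunnel.
SITE_A_BEFORE = """\
object-group network remote-network
 network-object 192.168.80.0 255.255.255.0
 network-object 192.168.90.0 255.255.255.0
 network-object 192.168.70.0 255.255.255.0
object-group network local-network
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.30.0 255.255.254.0
 network-object 192.168.20.0 255.255.255.0
access-list sslvpn_Split extended permit ip 10.10.10.0 255.255.255.0 any4
access-list sslvpn_Split extended permit ip 192.168.10.0 255.255.255.0 any4
access-list sslvpn_Split extended permit ip 192.168.30.0 255.255.254.0 any4
access-list sslvpn_Split extended permit ip 192.168.20.0 255.255.255.0 any4
access-list site-to-site-vpn extended permit ip object-group local-network object-group remote-network
"""
SITE_B = """\
object-group network local-network
 network-object 192.168.80.0 255.255.255.0
 network-object 192.168.90.0 255.255.255.0
 network-object 192.168.70.0 255.255.255.0
object-group network remote-network
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.30.0 255.255.254.0
 network-object 192.168.20.0 255.255.255.0
 network-object 10.10.10.0 255.255.255.0
access-list site-to-site-vpn extended permit ip object-group local-network object-group remote-network
"""
# The accepted answer's fix as the commands added on Site-A: the SSL VPN pool joins local-network
# (crypto ACL and identity NAT both reference it) and Site-B's subnets enter the split-tunnel list.
SITE_A_AFTER = SITE_A_BEFORE + """\
object-group network local-network
 network-object 10.10.10.0 255.255.255.0
access-list sslvpn_Split extended permit ip 192.168.70.0 255.255.255.0 any4
access-list sslvpn_Split extended permit ip 192.168.80.0 255.255.255.0 any4
access-list sslvpn_Split extended permit ip 192.168.90.0 255.255.255.0 any4
"""

def _take_network(tok: List[str], i: int, groups: Dict[str, List[Net]]) -> Tuple[List[Net], int]:
    """Consume one address operand at tok[i]; return (networks, index of the next token)."""
    if tok[i] in ("any", "any4"):
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok[i] == "host":
        return [ipaddress.ip_network(tok[i + 1] + "/32")], i + 2
    if tok[i] == "object-group":  # share the group's list so members added later count, as on the ASA
        return groups.setdefault(tok[i + 1], []), i + 2
    return [ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False)], i + 2  # "address netmask"

def parse_asa(text: str) -> Dict[str, List[Ace]]:
    """Collect network object-groups and the 'permit ip' entries of extended ACLs, keyed by ACL name."""
    groups: Dict[str, List[Net]] = {}
    acls: Dict[str, List[Ace]] = {}
    current: Optional[List[Net]] = None  # object-group whose members are being read
    for raw in text.splitlines():
        tok = raw.split()
        if tok[:2] == ["object-group", "network"]:
            current = groups.setdefault(tok[2], [])
        elif tok[:1] == ["network-object"] and current is not None:
            current.extend(_take_network(tok, 1, groups)[0])
        elif tok[:1] == ["access-list"] and tok[2:5] == ["extended", "permit", "ip"]:
            src, i = _take_network(tok, 5, groups)
            dst, _ = _take_network(tok, i, groups)
            acls.setdefault(tok[1], []).append((src, dst))
            current = None
        else:
            current = None
    return acls

def acl_permits(aces: List[Ace], src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
    """True if some entry has src in one of its source nets and dst in one of its destination nets."""
    return any(any(src in s for s in srcs) and any(dst in d for d in dsts) for srcs, dsts in aces)

def trace_flow(site_a: str, site_b: str, src_ip: str, dst_ip: str,
               from_anyconnect: bool = True) -> List[Tuple[str, bool]]:
    """Checks, in order, that a packet from src_ip (Site A side) to dst_ip (Site B side) must pass.
    from_anyconnect=True models a pool client, which only tunnels the packet when dst_ip is in the
    pushed split-tunnel list; a LAN host behind Site A (the jump-host server) skips that step."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    acls_a, acls_b = parse_asa(site_a), parse_asa(site_b)
    steps: List[Tuple[str, bool]] = []
    if from_anyconnect:
        pushed = [n for srcs, _ in acls_a.get("sslvpn_Split", []) for n in srcs]
        steps.append(("client: split-tunnel list routes dst into the tunnel", any(dst in n for n in pushed)))
    steps.append(("Site-A: crypto ACL selects src->dst for the L2L tunnel",
                  acl_permits(acls_a["site-to-site-vpn"], src, dst)))
    steps.append(("Site-B: crypto ACL mirrors dst->src for the return path",
                  acl_permits(acls_b["site-to-site-vpn"], dst, src)))
    return steps

def first_failure(steps: List[Tuple[str, bool]]) -> Optional[str]:
    """Name of the first failing check, or None when every check passes."""
    return next((name for name, ok in steps if not ok), None)
```

Run `trace_flow(SITE_A_BEFORE, SITE_B, "10.10.10.5", "192.168.70.20")` and the client-side check fails first: 192.168.70.0/24 is not in the split-tunnel list, so the packet never enters the tunnel; the Site-A crypto ACL check fails too, because local-network lacks the pool. With `from_anyconnect=False` and a Site-A LAN source such as 192.168.20.50, both ASA checks pass, which is the jump-host case. With `SITE_A_AFTER` every check passes. Because Site-A's `nat (inside,inside) source static local-network local-network destination static remote-network remote-network` rule is built on the same object-group, adding the pool to local-network also exempts pool traffic from NAT, and Site-B already lists 10.10.10.0/24 in its remote-network, so the two crypto ACLs mirror each other.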


13nash
Collaborator

You just need the routes across the VPN to be in place.
wuleihen
Advocate

It's probably that the routes at your Site A are incomplete; add Site B's networks to the VPN's permitted networks as well and give it a try.
YilinChen
Advocate

1. After dialing into Site A's VPN with the Cisco AnyConnect client, I cannot directly reach any of the machines at Site B


That behavior is perfectly normal. First, sites A and B are already connected by a site-to-site IPsec VPN. If a user at Site B's premises dials in to Site A with AnyConnect and then accesses Site B's internal IPs, that makes no sense in itself.
2. But if I connect to a server at Site A and ping a Site B server from there, it works.


Here you are using the Site A server as a jump host, so the source IP is the Site A server's address; if that address is routable to Site B's internal network, of course it can get through.
What do I need to do so that, once connected to Site A's VPN, I can reach Site B directly? Which VPN device needs which configuration added?
You need to clarify the SSL VPN configuration on the Site A ASA firewall: is split tunneling configured (pushing specific routes to the endpoint), or is a default route pushed?
After the endpoint dials in with AnyConnect, the computer gets an IP from the SSL VPN address pool; is the subnet of the SSL VPN address pool configured on the Site A firewall reachable by routing inside Site B?
wx_vzmRwaMb
Beginner

This post was last edited by wx_vzmRwaMb on 2018-1-26 17:34
YilinChen posted on 2018-1-26 15:47
1. After dialing into Site A's VPN with the Cisco AnyConnect client, I cannot directly reach any of the machines at Site B

Here are the detailed configurations of both sites A and B. Could an expert please take a look at what commands need to be configured so that dialing into Site A's VPN gives direct access to Site B?
Site-A# show running-config
: Saved
:
ASA Version 9.1(5)
!
hostname Site-A
domain-name cisco.com
enable password XXXXX encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd LeiK2NfggbGk6Nyn encrypted
names
ip local pool sslvpn_pool 10.10.10.2-10.10.10.253 mask 255.255.255.0
!
interface Ethernet0/0
nameif outside
security-level 100
no ip address
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.20.230 255.255.255.0
!
interface Ethernet0/2
nameif inroute
security-level 0
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif admin
security-level 0
no ip address
!
ftp mode passive
clock timezone Beijing 8
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup admin
dns server-group DefaultDNS
name-server 192.168.20.238
name-server 202.96.128.166
name-server 114.114.114.114
domain-name cisco.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network sslvpn_pool
subnet 10.10.10.0 255.255.255.0
object-group network remote-network
network-object 192.168.80.0 255.255.255.0
network-object 192.168.90.0 255.255.255.0
network-object 192.168.70.0 255.255.255.0
object-group network local-network
network-object 192.168.10.0 255.255.255.0
network-object 192.168.30.0 255.255.254.0
network-object 192.168.20.0 255.255.255.0
network-object 10.10.10.0 255.255.255.0
access-list sslvpn_Split extended permit ip 10.10.10.0 255.255.255.0 any4
access-list sslvpn_Split extended permit ip 192.168.10.0 255.255.255.0 any4
access-list sslvpn_Split extended permit ip 192.168.30.0 255.255.254.0 any4
access-list sslvpn_Split extended permit ip 192.168.20.0 255.255.255.0 any4
access-list site-to-site-vpn extended permit ip object-group local-network object-group remote-network
pager lines 24
logging console debugging
logging monitor debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu inroute 1500
mtu admin 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,inside) source static local-network local-network destination static remote-network remote-network no-proxy-arp route-lookup
route inside 0.0.0.0 0.0.0.0 192.168.20.1 1
route inside 10.10.10.0 255.255.255.0 192.168.20.1 1
route inside 192.168.10.0 255.255.255.0 192.168.20.1 1
route inside 192.168.30.0 255.255.254.0 192.168.20.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
webvpn
svc ask enable default svc
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.0.0 admin
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map site-to-stie-map 10 match address site-to-site-vpn
crypto map site-to-stie-map 10 set peer 120.236.111.11
crypto map site-to-stie-map 10 set ikev1 transform-set ESP-AES-SHA-TRANS
crypto map site-to-stie-map interface inside
crypto ca trustpool policy
crypto ikev1 enable inside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpn-addr-assign local reuse-delay 1
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption 3des-sha1 des-sha1 aes128-sha1 aes256-sha1
webvpn
enable inside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-4.4.00243-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-powerpc-2.1.0148-k9.pkg 2
anyconnect image disk0:/anyconnect-linux-2.1.0148-k9.pkg 3
anyconnect image disk0:/anyconnect-macosx-i386-2.1.0148-k9.pkg 4
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
split-tunnel-policy excludespecified
group-policy GroupPolicy_Remote-VPN internal
group-policy GroupPolicy_Remote-VPN attributes
wins-server none
dns-server value 192.168.20.238 114.114.114.114
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value sslvpn_Split
default-domain value cisco.com
Site-B# show running-config
: Saved
:
ASA Version 9.1(5)
!
hostname Site-B
enable password xxxxxxx encrypted
names
!
interface Ethernet0/0
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.70.10 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network local-network
network-object 192.168.80.0 255.255.255.0
network-object 192.168.90.0 255.255.255.0
network-object 192.168.70.0 255.255.255.0
object-group network remote-network
network-object 192.168.10.0 255.255.255.0
network-object 192.168.30.0 255.255.254.0
network-object 192.168.20.0 255.255.255.0
network-object 10.10.10.0 255.255.255.0
access-list site-to-site-vpn extended permit ip object-group local-network object-group remote-network
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging console debugging
logging monitor debugging
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,inside) source static local-network local-network destination static remote-network remote-network no-proxy-arp route-lookup
route inside 0.0.0.0 0.0.0.0 192.168.70.1 1
route inside 192.168.80.0 255.255.255.0 192.168.70.1 1
route inside 192.168.90.0 255.255.255.0 192.168.70.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map site-to-stie-map 10 match address site-to-site-vpn
crypto map site-to-stie-map 10 set peer 113.107.111.11
crypto map site-to-stie-map 10 set ikev1 transform-set ESP-AES-SHA-TRANS
crypto map site-to-stie-map interface inside
crypto ca trustpool policy
crypto ikev1 enable inside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 0
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
webvpn
enable inside
anyconnect enable
tunnel-group-list enable
group-policy SSLCLientPolicy internal
group-policy SSLCLientPolicy attributes
dns-server value 192.168.90.16 211.136.192.6
vpn-tunnel-protocol ssl-client
default-domain value tsweb.local
address-pools value SSLClientPool
username admin password 1IZYbPzHAp/J3rkY encrypted
tunnel-group 113.107.111.11 type ipsec-l2l
tunnel-group 113.107.111.11 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy SSLCLientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:b3bf84dd6d68a49ce46eecea6677ced8
: end
wx_vzmRwaMb
Beginner

YilinChen posted on 2018-1-26 17:28
On the Site-A firewall, the current L2L VPN configuration matches source IP addresses with this ACL:
object-group network local-network
net ...

Thank you so much, brother, thanks expert. After adding the configuration as you described, the problem is solved and access now works. Impressive :handshake 5 stars
Yanli Sun
Community Manager

Congratulations on solving your problem. Remember to mark the best answer (the Best Answer button is at the bottom right of the reply); it also supports and encourages the users who answered so helpfully.
wx_vzmRwaMb
Beginner

YilinChen posted on 2018-1-26 17:28
On the Site-A firewall, the current L2L VPN configuration matches source IP addresses with this ACL:
object-group network local-network
net ...

Hello, I have one more question. A few colleagues cannot connect when they connect to the VPN from home; they get: The VPN client was unable to successfully verify the IP forwarding table modifications. A VPN connection will not be established. What could the problem be? The company has one 50M China Telecom leased line and one 50M China Mobile leased line.
one-time
Expert

Congratulations, your question has been answered. Please mark the best answer to reward the users who replied so carefully!
yunzhiLi33438
Beginner

The VPN client was unable to successfully verify the IP forwarding table modifications. A VPN connection will not be established.
I ran into this problem today too. The Windows client doesn't have it, the Mac client does. The cause is that the IP your Mac gets from its network connection conflicts with the route you push. For example, an iPhone hotspot gives the Mac an IP of 172.20.10.X; after the client connects I push a route for 172.20.0.0/16, and the two conflict, which produces this error. The fix is to avoid the phone-hotspot range in the ASA configuration, since the phone hotspot apparently cannot change the range it hands out. Or use an Android phone for the hotspot.
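The collision described in this reply can be caught before a user ever sees the error: compare the networks the ASA pushes with the networks a client holds on its own adapters, and, if the pushed list is too coarse, carve the reserved hotspot range out of it. The following is an added example, not code from the thread or from Cisco; the adapter name en0, the /28 assumed for the hotspot, the client address 172.20.10.4 and the pushed route list are all constructed for the sample, and carving the /16 into more specific networks with `address_exclude` is one way of "avoiding the hotspot range", offered as an illustration rather than as the reply's exact procedure.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample for the failure the reply describes. Adapter name and addresses are
# hypothetical: a Mac tethered to an iPhone hotspot holds 172.20.10.x (/28 assumed here),
# while the ASA pushes 172.20.0.0/16 among its split-tunnel networks.
LOCAL_INTERFACES = [("en0", "172.20.10.4/28")]
PUSHED_ROUTES = ["172.20.0.0/16", "192.168.10.0/24", "10.10.10.0/24"]


def route_conflicts(local_ifaces: List[Tuple[str, str]], pushed: List[str]) -> List[Tuple[str, str, str]]:
    """(adapter, local network, pushed route) for every pushed route that overlaps a local network."""
    found = []
    for name, cidr in local_ifaces:
        local = ipaddress.ip_interface(cidr).network
        for r in pushed:
            route = ipaddress.ip_network(r)
            if route.overlaps(local):
                found.append((name, str(local), str(route)))
    return found


def avoid_ranges(pushed: List[str], reserved: List[str]) -> List[str]:
    """Rewrite the pushed list so no entry overlaps a reserved range (e.g. the hotspot subnet).

    A pushed route that contains a reserved range is split around it with address_exclude;
    one that lies entirely inside a reserved range is dropped. The result is the set of more
    specific networks an administrator could list in the split-tunnel ACL instead of the /16.
    """
    reserved_nets = [ipaddress.ip_network(r) for r in reserved]
    result = []
    for p in pushed:
        pieces = [ipaddress.ip_network(p)]
        for res in reserved_nets:
            kept = []
            for piece in pieces:
                if res.subnet_of(piece):        # reserved range inside this piece: carve it out
                    kept.extend(piece.address_exclude(res))
                elif not piece.subnet_of(res):  # disjoint: keep as is (entirely inside reserved: drop)
                    kept.append(piece)
            pieces = kept
        result.extend(pieces)
    return [str(n) for n in sorted(result)]


if __name__ == "__main__":
    print("conflicts:", route_conflicts(LOCAL_INTERFACES, PUSHED_ROUTES))
    fixed = avoid_ranges(PUSHED_ROUTES, ["172.20.10.0/24"])
    print("pushed list without the hotspot range:", fixed)
    print("conflicts after:", route_conflicts(LOCAL_INTERFACES, fixed))
```

With the sample data the first call reports the single overlap between en0's 172.20.10.0/28 and the pushed 172.20.0.0/16; excluding 172.20.10.0/24 replaces the /16 with eight more specific networks (from 172.20.0.0/21 up to 172.20.128.0/17) that no longer touch the hotspot range, and the overlap check then comes back empty. The same check applied to a Windows client's adapter list would explain the reply's observation that only the Mac client failed: the conflict depends on the address the client happens to hold, not on the platform.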