1、通过Cisco AnyConnect 客户端拨号A点VPN后不能直接访问B点的所有机器
这是A、B两个点的详细配置,麻烦大神看看需要配置什么命令才能实现拨A点VPN能直接访问B点?
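Site-A# show running-config
: Saved
:
ASA Version 9.1(5)
!
! One-armed deployment: every function (LAN, L2L IPsec peer, AnyConnect
! termination, management) lives on the single addressed interface "inside".
! Reviewer notes are "!" comment lines; the ASA ignores them when pasted.
!
hostname Site-A
domain-name cisco.com
enable password XXXXX encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
! The "enable password" hash above was masked before posting but this one was
! not: the Telnet/login password hash is now public. Rotate this password and
! mask "passwd"/"username" hashes the same way as "enable password" in future.
passwd LeiK2NfggbGk6Nyn encrypted
names
! AnyConnect address pool (10.10.10.0/24). It is also a member of local-network
! below, so the L2L crypto ACL and NAT exemption already cover VPN clients.
ip local pool sslvpn_pool 10.10.10.2-10.10.10.253 mask 255.255.255.0
!
! "outside" has no address and is unused, yet carries security-level 100 (same
! trust as inside). If it is ever addressed, lower it to 0 first so untrusted
! traffic is not implicitly permitted by same-security-traffic below.
interface Ethernet0/0
nameif outside
security-level 100
no ip address
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.20.230 255.255.255.0
!
interface Ethernet0/2
nameif inroute
security-level 0
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif admin
security-level 0
no ip address
!
ftp mode passive
clock timezone Beijing 8
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup admin
dns server-group DefaultDNS
name-server 192.168.20.238
name-server 202.96.128.166
name-server 114.114.114.114
domain-name cisco.com
! Both lines are required here: AnyConnect traffic enters on "inside" and is
! re-encrypted out of the same interface towards Site-B (hairpin).
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network sslvpn_pool
subnet 10.10.10.0 255.255.255.0
! Site-B networks as seen from Site-A; mirrors Site-B's local-network.
object-group network remote-network
network-object 192.168.80.0 255.255.255.0
network-object 192.168.90.0 255.255.255.0
network-object 192.168.70.0 255.255.255.0
object-group network local-network
network-object 192.168.10.0 255.255.255.0
network-object 192.168.30.0 255.255.254.0
network-object 192.168.20.0 255.255.255.0
! The pasted listing had this entry fused onto the previous line; restored as
! its own line (it matches the 4-entry remote-network list on Site-B).
network-object 10.10.10.0 255.255.255.0
! Split-tunnel list for GroupPolicy_Remote-VPN ("tunnelspecified" below). Only
! the SOURCE networks listed here are routed into the tunnel by the client; the
! Site-B networks were missing, which is why AnyConnect users on Site-A could
! not reach Site-B even though the L2L ACL, NAT exemption and hairpin already
! cover 10.10.10.0/24. The three Site-B entries are the fix; clients must
! reconnect to receive the new routes.
access-list sslvpn_Split extended permit ip 10.10.10.0 255.255.255.0 any4
access-list sslvpn_Split extended permit ip 192.168.10.0 255.255.255.0 any4
access-list sslvpn_Split extended permit ip 192.168.30.0 255.255.254.0 any4
access-list sslvpn_Split extended permit ip 192.168.20.0 255.255.255.0 any4
access-list sslvpn_Split extended permit ip 192.168.70.0 255.255.255.0 any4
access-list sslvpn_Split extended permit ip 192.168.80.0 255.255.255.0 any4
access-list sslvpn_Split extended permit ip 192.168.90.0 255.255.255.0 any4
! Crypto ACL for the L2L tunnel; local-network includes the AnyConnect pool.
access-list site-to-site-vpn extended permit ip object-group local-network object-group remote-network
pager lines 24
! Debug-level logging to console/monitor is expensive on an ASA; keep it at
! informational (or disable) once troubleshooting is finished.
logging console debugging
logging monitor debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu inroute 1500
mtu admin 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
! Identity NAT (NAT exemption) for L2L traffic in both directions on "inside";
! because local-network contains 10.10.10.0/24, VPN-client traffic to Site-B is
! exempted as well.
nat (inside,inside) source static local-network local-network destination static remote-network remote-network no-proxy-arp route-lookup
route inside 0.0.0.0 0.0.0.0 192.168.20.1 1
! NOTE(review): a static route for the VPN pool pointing at the LAN gateway
! looks unnecessary; connected clients get more-specific routes on the ASA, so
! this only catches unassigned pool addresses. Confirm it is intended.
route inside 10.10.10.0 255.255.255.0 192.168.20.1 1
route inside 192.168.10.0 255.255.255.0 192.168.20.1 1
route inside 192.168.30.0 255.255.254.0 192.168.20.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
webvpn
svc ask enable default svc
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.0.0 admin
! ASDM (below) and SSH (further down) are reachable from ANY source on "inside",
! which is also the interface facing the L2L peer and VPN clients. Restrict
! both to the management hosts/subnet actually used.
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map site-to-stie-map 10 match address site-to-site-vpn
crypto map site-to-stie-map 10 set peer 120.236.111.11
crypto map site-to-stie-map 10 set ikev1 transform-set ESP-AES-SHA-TRANS
crypto map site-to-stie-map interface inside
crypto ca trustpool policy
crypto ikev1 enable inside
! IKEv1 with pre-shared key, AES-128, SHA-1 and DH group 2 (1024-bit). Group 2
! is considered weak today; move to group 14 or higher (and IKEv2 when both
! ends can be changed). The policy must stay identical on Site-B.
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
! No "ssh version 2" line is shown and the key exchange is dh-group1-sha1;
! Site-B already uses "ssh version 2" + "dh-group14-sha1" - align Site-A.
ssh key-exchange group dh-group1-sha1
console timeout 0
vpn-addr-assign local reuse-delay 1
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
! Offers DES and 3DES to SSL VPN clients. Drop des-sha1/3des-sha1 and keep the
! AES suites only; the 2.1-era AnyConnect images below are likely the only
! reason these legacy ciphers are still listed.
ssl encryption 3des-sha1 des-sha1 aes128-sha1 aes256-sha1
webvpn
enable inside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-4.4.00243-webdeploy-k9.pkg 1
! The three 2.1.0148 images are very old clients; retire them if no such
! endpoints remain so the headend need not keep legacy ciphers for them.
anyconnect image disk0:/anyconnect-macosx-powerpc-2.1.0148-k9.pkg 2
anyconnect image disk0:/anyconnect-linux-2.1.0148-k9.pkg 3
anyconnect image disk0:/anyconnect-macosx-i386-2.1.0148-k9.pkg 4
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
split-tunnel-policy excludespecified
group-policy GroupPolicy_Remote-VPN internal
group-policy GroupPolicy_Remote-VPN attributes
wins-server none
dns-server value 192.168.20.238 114.114.114.114
! ssl-clientless enables the browser portal for this policy too; remove it if
! only the AnyConnect client is used, to reduce exposed surface.
vpn-tunnel-protocol ssl-client ssl-clientless
! tunnelspecified = only networks in sslvpn_Split are sent through the tunnel.
split-tunnel-policy tunnelspecified
split-tunnel-network-list value sslvpn_Split
default-domain value cisco.com
! NOTE(review): the Site-A listing ends here; its address-pools, tunnel-group
! and username sections are not shown, so they could not be reviewed.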
Site-B# show running-config
: Saved
:
ASA Version 9.1(5)
!
! Mirror of Site-A: single addressed interface "inside" carries LAN, L2L peer
! and SSL VPN. Reviewer notes are "!" comment lines; the ASA ignores them.
!
hostname Site-B
enable password xxxxxxx encrypted
names
!
interface Ethernet0/0
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.70.10 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
! Required for the hairpin: traffic arrives decrypted on "inside" and leaves
! via the same interface.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network local-network
network-object 192.168.80.0 255.255.255.0
network-object 192.168.90.0 255.255.255.0
network-object 192.168.70.0 255.255.255.0
! Site-A networks plus Site-A's AnyConnect pool (10.10.10.0/24), so return
! traffic to VPN clients is already covered by the crypto ACL and NAT exemption.
object-group network remote-network
network-object 192.168.10.0 255.255.255.0
network-object 192.168.30.0 255.255.254.0
network-object 192.168.20.0 255.255.255.0
network-object 10.10.10.0 255.255.255.0
access-list site-to-site-vpn extended permit ip object-group local-network object-group remote-network
! NOTE(review): no "nat" statement references inside_nat0_outbound and
! 192.168.0.0/24 matches none of the networks above - appears to be a stale
! leftover; confirm and remove.
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
! Debug-level console/monitor logging is costly; lower once troubleshooting ends.
logging console debugging
logging monitor debugging
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
! NAT exemption for L2L traffic in both directions on "inside".
nat (inside,inside) source static local-network local-network destination static remote-network remote-network no-proxy-arp route-lookup
route inside 0.0.0.0 0.0.0.0 192.168.70.1 1
route inside 192.168.80.0 255.255.255.0 192.168.70.1 1
route inside 192.168.90.0 255.255.255.0 192.168.70.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
! ESP-AES-128-SHA-TRANS is not referenced by any crypto map (the map uses
! ESP-AES-SHA-TRANS, which is identical); dead configuration.
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map site-to-stie-map 10 match address site-to-site-vpn
crypto map site-to-stie-map 10 set peer 113.107.111.11
crypto map site-to-stie-map 10 set ikev1 transform-set ESP-AES-SHA-TRANS
crypto map site-to-stie-map interface inside
crypto ca trustpool policy
crypto ikev1 enable inside
! IKEv1 / PSK / AES-128 / SHA-1 / DH group 2 - same weak group-2 choice as on
! Site-A; upgrade both ends together (group 14+, IKEv2 where possible).
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
! SSH accepted from any source on the VPN-facing interface; restrict to the
! management hosts actually used.
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
! SSHv2 only with DH group 14 - this is the setting Site-A should adopt too.
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 0
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
! Single DES is the ONLY cipher offered to SSL VPN/AnyConnect clients here.
! Replace with the AES suites (e.g. "aes256-sha1 aes128-sha1" as listed on
! Site-A); current clients may refuse DES entirely.
ssl encryption des-sha1
webvpn
enable inside
anyconnect enable
tunnel-group-list enable
group-policy SSLCLientPolicy internal
group-policy SSLCLientPolicy attributes
dns-server value 192.168.90.16 211.136.192.6
vpn-tunnel-protocol ssl-client
default-domain value tsweb.local
! NOTE(review): no "ip local pool SSLClientPool" appears in this listing;
! verify the pool exists or remote-access users will get no address.
address-pools value SSLClientPool
! This hash is posted publicly (enable password was masked, this was not);
! rotate the password. "admin" is also the only LOCAL account visible, and the
! remote-access tunnel-group below has no separate AAA shown, so the device
! management credential would double as the VPN login - use dedicated VPN
! users or an external AAA server.
username admin password 1IZYbPzHAp/J3rkY encrypted
tunnel-group 113.107.111.11 type ipsec-l2l
tunnel-group 113.107.111.11 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy SSLCLientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:b3bf84dd6d68a49ce46eecea6677ced8
: end