Cisco AnyConnect client connects to the VPN, but no other network/subnet can be reached from the client computer
I have a big problem with a VPN that I cannot solve, or a connection problem (which may be causing it).
One of our customers wants to replace an old SnapGear with something better, so they chose an ASA.
I created the whole configuration on the ASA and tested it in our test network. I was able to connect a client machine from outside to the ASA VPN and ping any machine inside the network. Everything worked perfectly. After that I set up the same firewall/configuration for the customer site, and as soon as I connected the ASA to their network and tried to connect from outside with AnyConnect, I could not ping any machine inside their network. None of the networks/subnets were reachable; no reply at all.
At first I configured a static IP and static routes on the ASA interface, with no luck. Then I set the interface to obtain its IP address from the DHCP server and to take all routes from the "L3 core switch" that does all the routing; again no luck.
ASA configuration (dynamic)
: Saved
:
: Serial Number: xxxxxxxx
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.5(2)
!
hostname xxxxxxxx
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
names
ip local pool VPN_xxxxxx 10.13.3.2-10.13.3.200 mask 255.255.255.0
!
interface GigabitEthernet1/1
 description WAN Connection
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.88 255.255.255.224
!
interface GigabitEthernet1/2
 description LAN address
 nameif inside
 security-level 100
 ip address dhcp setroute
!
interface GigabitEthernet1/3
 description Test Connection Outside
 nameif testConn
 security-level 0
 ip address xxx.xxx.xxx.218 255.255.255.248
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 nameif mgmtbck
 security-level 100
 ip address 192.168.96.1 255.255.255.0
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone GMT 0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network TestConnection
 subnet 192.168.10.0 255.255.254.0
 description TestConnection
object network WANAddress
 host xxx.xxx.xxx.217
object network WAN_Connection
 subnet 192.168.10.0 255.255.254.0
 description InternetConnection
object network WANConnectionxxxxxx
 host xxx.xxx.xxx.65
object network WANConn
 subnet 192.168.10.0 255.255.254.0
object network NETWORK_OBJ_10.13.3.0_24
 subnet 10.13.3.0 255.255.255.0
object network Network_A
 subnet 192.168.0.0 255.255.254.0
 description Network 192.168.0.0/23
object network Network_B
 subnet 172.17.110.0 255.255.255.0
 description Network 172.17.110.0
object network Network_C
 subnet 172.17.101.0 255.255.255.0
 description Network 172.17.101.0/24
object network Network_D
 subnet 172.17.137.0 255.255.255.0
 description Network 172.17.137.0/24
object network Gateway_Inside
 host 192.168.10.1
 description inside gateway address
object network OutsideNAT
 subnet 192.168.10.0 255.255.254.0
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list Split-Tunnel standard permit 192.168.10.0 255.255.254.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu testConn 1500
mtu mgmtbck 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-762.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,testConn) source static any any destination static NETWORK_OBJ_10.13.3.0_24 NETWORK_OBJ_10.13.3.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.13.3.0_24 NETWORK_OBJ_10.13.3.0_24 no-proxy-arp route-lookup
!
object network WANConn
 nat (inside,testConn) dynamic interface dns
object network OutsideNAT
 nat (inside,outside) dynamic interface dns
access-group 101 in interface outside
access-group inside_access_in in interface inside
access-group 101 in interface testConn
route testConn 0.0.0.0 0.0.0.0 xxx.xxx.xxx.217 1
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.65 2
route inside 172.17.101.0 255.255.255.0 192.168.10.1 1
route inside 172.17.110.0 255.255.255.0 192.168.10.1 1
route inside 172.17.137.0 255.255.255.0 192.168.10.1 1
route inside 192.168.0.0 255.255.254.0 192.168.10.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
aaa-server NPS protocol radius
aaa-server NPS (inside) host 192.168.0.186
 key *****
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.10.0 255.255.254.0 inside
http 192.168.96.0 255.255.255.0 mgmtbck
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map testConn_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map testConn_map interface testConn
crypto ca trustpoint xxxxxxxx
 enrollment self
 fqdn xxxxxx.local
 subject-name CN=xxxxxxxx
 serial-number
 proxy-ldc-issuer
 crl configure
crypto ca trustpool policy
crypto ca certificate chain xxxxxxxx
 certificate cffdf657
    3082036f 30820257 a0030201 020204cf fdf65730 0d06092a 864886f7 0d010105
    05003047 31133011 06035504 03130a41 646d6972 616c4153 41313030 12060355
    0405130b 4a414432 30323330 34435430 1a06092a 864886f7 0d010902 160d6164
    6d697261 6c2e6c6f 63616c30 1e170d31 36313030 37303234 3431335a 170d3236
    31303035 30323434 31335a30 47311330 11060355 0403130a 41646d69 72616c41
    121616e7 7014f20f dbf9733a bca6055a 15f68e68 8fa67ea5 0c63d7ed 712e5517
    a392775d 2f4bdd5a df207e10 0413c878 fba699
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable testConn client-services port 443
crypto ikev2 remote-access trustpoint xxxxxxxx
crypto ikev1 enable outside
crypto ikev1 enable testConn
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.10.0 255.255.254.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcp-client client-id interface inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server xxx.xxx.xxx.44 source testConn prefer
ssl trust-point xxxxxxxx outside
ssl trust-point xxxxxxxx inside
ssl trust-point xxxxxxxx testConn
ssl trust-point xxxxxxxx mgmtbck
webvpn
 enable outside
 enable testConn
 anyconnect image disk0:/anyconnect-win-4.3.01095-k9.pkg 1
 anyconnect profiles xxxxxxMain_client_profile disk0:/xxxxxxMain_client_profile.xml
 anyconnect profiles xxxxxx_client_profile disk0:/xxxxxx_client_profile.xml
 anyconnect profiles TestVPN_client_profile disk0:/TestVPN_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy GroupPolicy_TestVPN internal
group-policy GroupPolicy_TestVPN attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel
 default-domain none
 webvpn
  anyconnect profiles value TestVPN_client_profile type user
group-policy GroupPolicy_xxxxxxMain internal
group-policy GroupPolicy_xxxxxxMain attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel
 default-domain none
 webvpn
  anyconnect profiles value xxxxxxMain_client_profile type user
group-policy GroupPolicy_VPN internal
group-policy GroupPolicy_VPN attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ssl-client
 default-domain none
group-policy Policy_xxxxxx internal
group-policy Policy_xxxxxx attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list none
dynamic-access-policy-record DfltAccessPolicy
username admin password xxxxxxxx encrypted privilege 15
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
 address-pool VPN_xxxxxx
 default-group-policy GroupPolicy_VPN
tunnel-group VPN webvpn-attributes
 group-alias VPN enable
tunnel-group TestVPN type remote-access
tunnel-group TestVPN general-attributes
 address-pool VPN_xxxxxx
 default-group-policy GroupPolicy_TestVPN
tunnel-group TestVPN webvpn-attributes
 group-alias TestVPN enable
tunnel-group xxxxxxMain type remote-access
tunnel-group xxxxxxMain general-attributes
 address-pool VPN_xxxxxx
 authentication-server-group NPS
 default-group-policy GroupPolicy_xxxxxxMain
tunnel-group xxxxxxMain webvpn-attributes
 group-alias xxxxxxMain enable
tunnel-group VPN_SSL type remote-access
tunnel-group VPN_SSL general-attributes
 default-group-policy Policy_xxxxxx
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end
Configuration (static)
: Saved
:
: Serial Number: xxxxxxxx
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
: Written by xxxxx at 08:27:30.065 GMT Wed Oct 12 2016
!
ASA Version 9.5(2)
!
hostname xxxxxxxxASA
enable password xxxxxxxxxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxxxxxxxx encrypted
names
ip local pool VPN_xxxxxxxx 10.13.3.2-10.13.3.254 mask 255.255.255.0
!
interface GigabitEthernet1/1
 description WAN Connection
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.88 255.255.255.224
!
interface GigabitEthernet1/2
 description LAN address
 nameif inside
 security-level 100
 ip address 192.168.10.3 255.255.254.0
!
interface GigabitEthernet1/3
 description Test Connection Outside
 nameif testConn
 security-level 0
 ip address xxx.xxx.xxx.218 255.255.255.248
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone GMT 0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network TestConnection
 subnet 192.168.10.0 255.255.254.0
 description TestConnection
object network WANAddress
 host xxx.xxx.xxx.217
object network WAN_Connection
 subnet 192.168.10.0 255.255.254.0
 description InternetConnection
object network WANConnectionxxxxxxxx
 host xxx.xxx.xxx.65
object network WANConn
 subnet 192.168.10.0 255.255.254.0
object network NETWORK_OBJ_10.13.3.0_24
 subnet 10.13.3.0 255.255.255.0
object network Network_A
 subnet 192.168.0.0 255.255.254.0
 description Network 192.168.0.0/23
object network Network_B
 subnet 172.17.110.0 255.255.255.0
 description Network 172.17.110.0
object network Network_C
 subnet 172.17.101.0 255.255.255.0
 description Network 172.17.101.0/24
object network Network_D
 subnet 172.17.137.0 255.255.255.0
 description Network 172.17.137.0/24
object network Gateway_Inside
 host 192.168.10.1
 description inside gateway address
object network OutsideNAT
 subnet 192.168.10.0 255.255.254.0
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list Split-Tunnel standard permit 192.168.10.0 255.255.254.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu testConn 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-762.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,testConn) source static any any destination static NETWORK_OBJ_10.13.3.0_24 NETWORK_OBJ_10.13.3.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.13.3.0_24 NETWORK_OBJ_10.13.3.0_24 no-proxy-arp route-lookup
!
object network WANConn
 nat (inside,testConn) dynamic interface dns
object network OutsideNAT
 nat (inside,outside) dynamic interface dns
access-group 101 in interface outside
access-group inside_access_in in interface inside
access-group 101 in interface testConn
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.65 1
route testConn 0.0.0.0 0.0.0.0 xxx.xxx.xxx.217 3
route inside 172.17.101.0 255.255.255.0 192.168.10.1 1
route inside 172.17.110.0 255.255.255.0 192.168.10.1 1
route inside 172.17.137.0 255.255.255.0 192.168.10.1 1
route inside 192.168.0.0 255.255.254.0 192.168.10.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
aaa-server NPS protocol radius
aaa-server NPS (inside) host 192.168.0.186
 key xxxxxxx
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.10.0 255.255.254.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map testConn_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map testConn_map interface testConn
crypto ca trustpoint xxxxxxxxCert
 enrollment self
 fqdn xxxxxxxx.local
 subject-name CN=xxxxxxxxASA
 serial-number
 proxy-ldc-issuer
 crl configure
crypto ca trustpool policy
crypto ca certificate chain xxxxxxxxCert
 certificate cffdf657
    3082036f 30820257 a0030201 020204cf fdf65730 0d06092a 864886f7 0d010105
    05003047 31133011 06035504 03130a41 646d6972 616c4153 41313030 12060355
    0405130b 4a414432 30323330 34435430 1a06092a 864886f7 0d010902 160d6164
    6d697261 6c2e6c6f 63616c30 1e170d31 36313030 37303234 3431335a 170d3236
    31303035 30323434 31335a30 47311330 11060355 0403130a 41646d69 72616c41
    89dcd2ca 48d03495 655c1b39 35d26809 40d73e65 8bebfe10 c3c07753 75d6ba67
    e7fd3326 5ee135c4 bf96971a 99e5ed5c 72c22c56 bda3e047 97f5e667 57504628
    5b64c134 279b5205 2ebf37fe 81174d03 e2c9a30f acdf2893 f3136e20 4221bca0
    121616e7 7014f20f dbf9733a bca6055a 15f68e68 8fa67ea5 0c63d7ed 712e5517
    a392775d 2f4bdd5a df207e10 0413c878 fba699
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable testConn client-services port 443
crypto ikev2 remote-access trustpoint xxxxxxxxCert
crypto ikev1 enable outside
crypto ikev1 enable testConn
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.10.0 255.255.254.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server xxx.xxx.xxx.44 source testConn prefer
ssl trust-point xxxxxxxxCert outside
ssl trust-point xxxxxxxxCert inside
ssl trust-point xxxxxxxxCert testConn
webvpn
 enable outside
 enable testConn
 anyconnect image disk0:/anyconnect-win-4.3.01095-k9.pkg 1
 anyconnect profiles xxxxxxxxVPNMain_client_profile disk0:/xxxxxxxxVPNMain_client_profile.xml
 anyconnect profiles xxxxxxxxVPN_client_profile disk0:/xxxxxxxxVPN_client_profile.xml
 anyconnect profiles TestVPN_client_profile disk0:/TestVPN_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy GroupPolicy_xxxxxxxxVPN internal
group-policy GroupPolicy_xxxxxxxxVPN attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel
 default-domain none
 webvpn
  anyconnect profiles value xxxxxxxxVPN_client_profile type user
group-policy GroupPolicy_TestVPN internal
group-policy GroupPolicy_TestVPN attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel
 default-domain none
 webvpn
  anyconnect profiles value TestVPN_client_profile type user
group-policy GroupPolicy_xxxxxxxxVPNMain internal
group-policy GroupPolicy_xxxxxxxxVPNMain attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel
 default-domain none
 webvpn
  anyconnect profiles value xxxxxxxxVPNMain_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username xxxxx password xxxxxxxxxxx encrypted privilege 15
tunnel-group xxxxxxxxVPN type remote-access
tunnel-group xxxxxxxxVPN general-attributes
 address-pool VPN_xxxxxxxx
 default-group-policy GroupPolicy_xxxxxxxxVPN
tunnel-group xxxxxxxxVPN webvpn-attributes
 group-alias xxxxxxxxVPN enable
tunnel-group TestVPN type remote-access
tunnel-group TestVPN general-attributes
 address-pool VPN_xxxxxxxx
 default-group-policy GroupPolicy_TestVPN
tunnel-group TestVPN webvpn-attributes
 group-alias TestVPN enable
tunnel-group xxxxxxxxVPNMain type remote-access
tunnel-group xxxxxxxxVPNMain general-attributes
 address-pool VPN_xxxxxxxx
 authentication-server-group NPS
 default-group-policy GroupPolicy_xxxxxxxxVPNMain
tunnel-group xxxxxxxxVPNMain webvpn-attributes
 group-alias xxxxxxxxVPNMain enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:x
: end
Configuration of the switch that is directly connected to the ASA and does all the routing.
Routes of the SnapGear VPN, which works
ASA VPN routes (not working)
I also need to tell you that when I connect the ASA to the customer network I can ping any interface on any subnet/network from the ASA itself, which means the routing is set up correctly; but as soon as I use the VPN and try to ping internal devices/servers/interfaces through the tunnel from outside, I cannot reach any of them...
What could be causing the problem?
Thanks in advance, and have a nice day.
Keep the "static" configuration on the ASA.
On the core switch, add a route for 10.13.3.0/24 (your AnyConnect IP pool) with the ASA's inside IP address, 192.168.10.3, as the next hop. Edit: note that your split-tunnel configuration only sends traffic destined for 192.168.10.0/23 through the tunnel; if you want to be able to reach any other address on the inside, you need to add those networks to the split-tunnel list.
I.e. you currently have (I only show one group policy, the others are the same):
group-policy GroupPolicy_xxxxxxxxVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel
which refers to this ACL:
access-list Split-Tunnel standard permit 192.168.10.0 255.255.254.0
So this means the client will only send traffic through the tunnel when the destination is in that network, 192.168.10.0/23. Traffic to the Internet, and traffic to e.g. 172.17.x.x, is not sent through the tunnel but to the normal default gateway (so 172.17.x.x will be unreachable).
If you want 172.17.x.x and 192.168.0.0/23 to be reachable as well, you need to add those networks to the split-tunnel ACL:
access-list Split-Tunnel standard permit 172.17.101.0 255.255.255.0
access-list Split-Tunnel standard permit 172.17.110.0 255.255.255.0
access-list Split-Tunnel standard permit 172.17.137.0 255.255.255.0
access-list Split-Tunnel standard permit 192.168.0.0 255.255.254.0
Or you can keep it short and widen the ACL to:
access-list Split-Tunnel standard permit 172.16.0.0 255.240.0.0
access-list Split-Tunnel standard permit 192.168.0.0 255.255.0.0
no access-list Split-Tunnel standard permit 192.168.10.0 255.255.254.0
Alternatively, you can change the split-tunnel-policy to "tunnelall" so that all traffic (including Internet traffic!) is sent through the tunnel, but then you need further changes to allow Internet traffic to U-turn at the ASA; see for example the AnyConnect VPN client U-turn configuration example.
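The answer above points at two independent conditions that both have to hold before a ping from the VPN client gets an answer: the client must decide to send the packet into the tunnel at all (the split-tunnel ACL match), and the core switch must know to send the reply for the 10.13.3.0/24 pool back to the ASA's inside address. The script below is an added illustration, not the answerer's code or Cisco's. It parses the Split-Tunnel ACL lines exactly as they appear on this page (including the `no` line that removes the old entry) and simulates both decisions. The ASA inside address and the VPN pool come from the static configuration; the core switch's routing table is a constructed assumption, since the real one is only in a screenshot that is not reproduced here.

```python
"""Simulate why an AnyConnect client does or does not get a reply from an
inside host: (1) client-side split-tunnel match, (2) return route on the
L3 core switch. Added example, not from the original post."""
import ipaddress
from typing import List, Optional, Tuple

# Split-tunnel ACL exactly as in the question's running configuration.
ACL_ORIGINAL = """
access-list Split-Tunnel standard permit 192.168.10.0 255.255.254.0
"""

# The widened ACL from the answer; the 'no' line removes the old entry.
ACL_WIDENED = """
access-list Split-Tunnel standard permit 192.168.10.0 255.255.254.0
access-list Split-Tunnel standard permit 172.16.0.0 255.240.0.0
access-list Split-Tunnel standard permit 192.168.0.0 255.255.0.0
no access-list Split-Tunnel standard permit 192.168.10.0 255.255.254.0
"""

ASA_INSIDE = "192.168.10.3"          # inside interface in the static config
VPN_POOL = "10.13.3.0/24"            # 'ip local pool' in the config

# Constructed routing table for the core switch: (prefix, next hop); a next
# hop of None means directly connected. The default route is assumed to point
# at some Internet gateway that is NOT the ASA.
Route = Tuple[str, Optional[str]]
SWITCH_ROUTES_BEFORE: List[Route] = [
    ("192.168.10.0/23", None),
    ("192.168.0.0/23", None),
    ("172.17.101.0/24", None),
    ("172.17.110.0/24", None),
    ("172.17.137.0/24", None),
    ("0.0.0.0/0", "192.168.10.254"),   # constructed Internet gateway
]
# After applying the answer: pool route with the ASA inside IP as next hop.
SWITCH_ROUTES_AFTER: List[Route] = SWITCH_ROUTES_BEFORE + [(VPN_POOL, ASA_INSIDE)]


def parse_split_tunnel_acl(acl_text: str) -> List[ipaddress.IPv4Network]:
    """Turn 'access-list NAME standard permit NET MASK' lines into networks.
    A leading 'no ' removes a previously added entry, as it does on the ASA."""
    nets: List[ipaddress.IPv4Network] = []
    for raw in acl_text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        remove = parts[0] == "no"
        if remove:
            parts = parts[1:]
        if len(parts) != 6 or parts[0] != "access-list" or parts[2:4] != ["standard", "permit"]:
            raise ValueError(f"unsupported ACL line: {raw!r}")
        net = ipaddress.ip_network(f"{parts[4]}/{parts[5]}", strict=False)
        nets = [n for n in nets if n != net] if remove else nets + [net]
    return nets


def is_tunneled(dst: str, nets: List[ipaddress.IPv4Network]) -> bool:
    """tunnelspecified: only destinations matching the ACL enter the tunnel."""
    ip = ipaddress.ip_address(dst)
    return any(ip in n for n in nets)


def next_hop(dst: str, routes: List[Route]) -> Optional[str]:
    """Longest-prefix match on the switch table. Returns the next hop,
    'connected' for a directly attached prefix, or None if no route exists."""
    ip = ipaddress.ip_address(dst)
    best: Optional[Tuple[ipaddress.IPv4Network, Optional[str]]] = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    if best is None:
        return None
    return "connected" if best[1] is None else best[1]


def diagnose(client_ip: str, dst: str, acl_text: str, routes: List[Route]) -> str:
    """Return 'not-tunneled', 'no-return-route' or 'ok' for one client->dst flow."""
    if not is_tunneled(dst, parse_split_tunnel_acl(acl_text)):
        return "not-tunneled"          # sent to the client's local default gateway
    if next_hop(client_ip, routes) != ASA_INSIDE:
        return "no-return-route"       # reply never comes back to the ASA
    return "ok"


if __name__ == "__main__":
    client = "10.13.3.5"               # constructed address from the pool
    for dst in ("192.168.10.50", "172.17.110.20", "192.168.0.186"):
        print(dst, "original config:", diagnose(client, dst, ACL_ORIGINAL, SWITCH_ROUTES_BEFORE),
              "| after the answer:", diagnose(client, dst, ACL_WIDENED, SWITCH_ROUTES_AFTER))
```

Running it shows the two failure modes side by side: with the original ACL a 172.17.x.x destination never enters the tunnel, and even a 192.168.10.x destination that does enter the tunnel gets no reply until the switch has the pool route via 192.168.10.3. This also explains the observation in the question that pings sourced from the ASA itself work: those use the ASA's own inside address, which the switch already knows how to reach.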