ASA IPsec VPN routing problem
I have little experience with VPNs. Following some material found online I configured an ASA IPsec VPN and ran into the following problem: the remote PC client dials in successfully and obtains an address from the designated pool, but it cannot reach the company's internal network; it cannot even ping the ASA inside interface. If the VPN client subnet is set to the same subnet as inside, access works normally. I have read a lot of material and still cannot work out whether this is a routing problem or whether NAT is not set up correctly. The topology diagrams are here: http://cisco.chinaitlab.com/UploadFiles_6776/201311/20131119202612612.gif http://cisco.chinaitlab.com/UploadFiles_6776/201311/20131119202613965.jpg

ASA configuration:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 202.xxx.xxx.xxx 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.65.1.100 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
access-list no-nat extended permit ip 172.65.1.0 255.255.255.0 172.65.3.0 255.255.255.0
access-list no-nat extended permit ip 172.65.3.0 255.255.255.0 172.65.1.0 255.255.255.0
access-list vpnclient_splitTunnelAcl standard permit 172.65.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool ipsecpool 172.65.3.100-172.65.3.199 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 202.xxx.xxx.xxx 1
route inside 172.65.0.0 255.255.0.0 172.65.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 172.65.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside-dyn-map 10 set transform-set vpnset
crypto dynamic-map outside-dyn-map 10 set security-association lifetime seconds 288000
crypto dynamic-map outside-dyn-map 10 set reverse-route
crypto map outside-map 10 ipsec-isakmp dynamic outside-dyn-map
crypto map outside-map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
telnet 172.65.0.0 255.255.0.0 inside
telnet timeout 30
ssh 172.65.0.0 255.255.0.0 inside
ssh timeout 30
ssh version 1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpnclient internal
group-policy vpnclient attributes
 dns-server value 172.65.0.11
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnclient_splitTunnelAcl
username admin password f3UhLvUj1QsXsuK7 encrypted
username test password c2I40Rrw1iizALuA encrypted
username test attributes
 vpn-group-policy vpnclient
tunnel-group vpnclient type remote-access
tunnel-group vpnclient general-attributes
 address-pool ipsecpool
 default-group-policy vpnclient
tunnel-group vpnclient ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:6fdb4100304d2eebc91ce0be6c3c9e89
: end

Addendum (VPN route mode): if the VPN address pool is changed to "ip local pool ipsecpool 172.65.1.110-172.65.1.199 mask 255.255.255.0", access works normally!
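An added example (not from the poster or from Cisco) that parses the relevant lines of the configuration above and reports the three facts a troubleshooter would want before changing anything: whether the nat 0 ACL exempts inside-to-pool traffic, which non-outside static routes also contain the pool, and whether the pool lies within the inside subnet (the poster's workaround). The outside next hop 203.0.113.1 is a placeholder because the post masks it.

```python
import ipaddress
import re
# Constructed excerpt of the posted configuration: only the lines relevant to the
# VPN pool, NAT exemption and routing. The outside next hop is a placeholder.
ASA_CONFIG = """\
interface Ethernet0/1
 nameif inside
 ip address 172.65.1.100 255.255.255.0
access-list no-nat extended permit ip 172.65.1.0 255.255.255.0 172.65.3.0 255.255.255.0
access-list no-nat extended permit ip 172.65.3.0 255.255.255.0 172.65.1.0 255.255.255.0
ip local pool ipsecpool 172.65.3.100-172.65.3.199 mask 255.255.255.0
nat (inside) 0 access-list no-nat
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 172.65.0.0 255.255.0.0 172.65.1.1 1
"""

def net(addr, mask):
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def parse(config):
    """Extract the pool network, inside subnet, nat 0 ACL entries and static routes."""
    pool = inside = nameif = None
    exempt, routes = [], []
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"nameif (\S+)$", line):
            nameif = m[1]
        elif (m := re.match(r"ip address (\S+) (\S+)", line)) and nameif == "inside":
            inside = net(m[1], m[2])
        elif m := re.match(r"ip local pool \S+ (\S+)-\S+ mask (\S+)", line):
            pool = net(m[1], m[2])
        elif m := re.match(r"access-list no-nat extended permit ip (\S+) (\S+) (\S+) (\S+)", line):
            exempt.append((net(m[1], m[2]), net(m[3], m[4])))
        elif m := re.match(r"route (\S+) (\S+) (\S+) (\S+)", line):
            routes.append((m[1], net(m[2], m[3]), m[4]))
    return pool, inside, exempt, routes

def check(config):
    pool, inside, exempt, routes = parse(config)
    return {
        # nat (inside) 0 must cover inside -> pool, otherwise that traffic hits nat (inside) 1 and is PAT'd
        "nat_exempt_inside_to_pool": any(
            inside.subnet_of(src) and pool.subnet_of(dst) for src, dst in exempt),
        # non-outside static routes that also contain the pool: the gateway they name needs a return route for the pool via the ASA
        "inside_routes_covering_pool": [
            (ifc, str(n), gw) for ifc, n, gw in routes
            if ifc != "outside" and pool.subnet_of(n)],
        # the poster's workaround: a pool carved out of the inside subnet itself
        "pool_inside_subnet": pool.subnet_of(inside),
    }
```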