蓝色动力网络
ASA IPsec VPN routing problem

Posted 2013-12-29 11:08:36
I have little experience with VPNs. I configured an ASA IPsec VPN following some material found online and ran into the following problem: the remote PC client can dial in successfully and gets an address from the specified pool, but it cannot reach the company intranet; it cannot even ping the ASA inside interface. If the VPN client subnet is set to the same subnet as inside, access works normally. I have read a lot of material and still cannot tell whether this is a routing problem or whether NAT is not set up correctly. The topology is as follows:
  ASA config:
  ASA Version 8.2(5)
  !
  hostname ciscoasa
  enable password 2KFQnbNIdI.2KYOU encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  !
  interface Ethernet0/0
  nameif outside
  security-level 0
  ip address 202.xxx.xxx.xxx 255.255.255.248
  !
  interface Ethernet0/1
  nameif inside
  security-level 100
  ip address 172.65.1.100 255.255.255.0
  !
  interface Ethernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
  !
  interface Ethernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  !
  interface Management0/0
  shutdown
  no nameif
  no security-level
  no ip address
  !
  ftp mode passive
  access-list no-nat extended permit ip 172.65.1.0 255.255.255.0 172.65.3.0 255.255.255.0
  access-list no-nat extended permit ip 172.65.3.0 255.255.255.0 172.65.1.0 255.255.255.0
  access-list vpnclient_splitTunnelAcl standard permit 172.65.1.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  ip local pool ipsecpool 172.65.3.100-172.65.3.199 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-645.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list no-nat
  nat (inside) 1 0.0.0.0 0.0.0.0
  route outside 0.0.0.0 0.0.0.0 202.xxx.xxx.xxx 1
  route inside 172.65.0.0 255.255.0.0 172.65.1.1 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication http console LOCAL
  aaa authentication telnet console LOCAL
  http server enable
  http 172.65.0.0 255.255.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map outside-dyn-map 10 set transform-set vpnset
  crypto dynamic-map outside-dyn-map 10 set security-association lifetime seconds 288000
  crypto dynamic-map outside-dyn-map 10 set reverse-route
  crypto map outside-map 10 ipsec-isakmp dynamic outside-dyn-map
  crypto map outside-map interface outside
  crypto ca trustpoint _SmartCallHome_ServerCA
  crl configure
  crypto isakmp enable outside
  crypto isakmp policy 1
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 43200
  telnet 172.65.0.0 255.255.0.0 inside
  telnet timeout 30
  ssh 172.65.0.0 255.255.0.0 inside
  ssh timeout 30
  ssh version 1
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy vpnclient internal
  group-policy vpnclient attributes
  dns-server value 172.65.0.11
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value vpnclient_splitTunnelAcl
  username admin password f3UhLvUj1QsXsuK7 encrypted
  username test password c2I40Rrw1iizALuA encrypted
  username test attributes
  vpn-group-policy vpnclient
  tunnel-group vpnclient type remote-access
  tunnel-group vpnclient general-attributes
  address-pool ipsecpool
  default-group-policy vpnclient
  tunnel-group vpnclient ipsec-attributes
  pre-shared-key *****
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  policy-map type inspect dns preset_dns_map
  parameters
  message-length maximum client auto
  message-length maximum 512
  policy-map global_policy
  class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  !
  service-policy global_policy global
  prompt hostname context
  call-home reporting anonymous
  call-home
  profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:6fdb4100304d2eebc91ce0be6c3c9e89
  : end
Addendum (VPN "route mode"): if the VPN address pool is changed to ip local pool ipsecpool 172.65.1.110-172.65.1.199 mask 255.255.255.0, access works normally!
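Editor's added example, not part of the original post: the ASA 8.2 checks a practitioner would run on this exact config to separate the routing explanation from the NAT explanation, followed by the configuration lines that are commonly missing in this topology. The addresses come from the posted config; the inside host 172.65.1.10 is hypothetical, the client address 172.65.3.100 is simply the first address of ipsecpool, and the final route line assumes the inside router at 172.65.1.1 runs IOS (an assumption, since the post says nothing about it).

```text
! --- 1. Is the client up, and did reverse-route injection add a route for it? ---
show vpn-sessiondb remote
show crypto ipsec sa
show route
! "set reverse-route" on outside-dyn-map should install a /32 for the connected client
! through the outside interface while its SA is up. If no such /32 is present, the only
! match for 172.65.3.x is
!   route inside 172.65.0.0 255.255.0.0 172.65.1.1 1
! and the ASA hands the return traffic to the inside router instead of the tunnel.

! --- 2. Trace one packet in each direction through the ASA's own decision logic ---
! Client -> inside host (decrypted traffic enters on outside; 172.65.1.10 is hypothetical):
packet-tracer input outside icmp 172.65.3.100 8 0 172.65.1.10 detailed
! Inside host -> client (must route out "outside" and be picked up by crypto map outside-map):
packet-tracer input inside icmp 172.65.1.10 8 0 172.65.3.100 detailed
! The NAT phase of the second trace should match "nat (inside) 0 access-list no-nat"
! (exemption), not "nat (inside) 1 ..." with "global (outside) 1 interface"; a PAT hit
! there, or a route lookup that chooses "inside", names the layer that is broken.

! --- 3. Pinging the ASA's own inside interface from across the tunnel ---
! The ASA only answers on an interface address for traffic that arrived on a different
! interface (here: VPN traffic entering on outside) when management access is enabled:
management-access inside

! --- 4. Return path from the inside network ---
! Anything not on 172.65.1.0/24 reaches the pool via the inside router 172.65.1.1, and so
! does any 172.65.1.0/24 host whose default gateway is 172.65.1.1 rather than the ASA. That
! router must know the pool lives behind 172.65.1.100 (IOS syntax, entered on the router,
! not on the ASA; assumes the router is IOS):
!   ip route 172.65.3.0 255.255.255.0 172.65.1.100
! With the pool moved into 172.65.1.0/24 (the poster's "route mode" workaround) no such
! route is needed because the ASA answers ARP on inside for the pool addresses itself,
! which is why that variant works without any other change.

! --- 5. The pushed DNS server is outside both the split tunnel and the NAT exemption ---
! group-policy vpnclient pushes dns-server 172.65.0.11, but vpnclient_splitTunnelAcl only
! sends 172.65.1.0/24 through the tunnel and no-nat only exempts 172.65.1.0/24. If clients
! are meant to use that DNS server (or reach the rest of 172.65.0.0/16), widen both:
access-list vpnclient_splitTunnelAcl standard permit 172.65.0.0 255.255.0.0
access-list no-nat extended permit ip 172.65.0.0 255.255.0.0 172.65.3.0 255.255.255.0
```

Run the two packet-tracer commands first; they show the route and NAT decisions the ASA actually makes for this traffic, so they answer the poster's "routing or NAT?" question directly instead of by guessing. Unrelated to the routing problem but visible in the same config: management access from inside still allows telnet and ssh version 1, and ssh version 2 is the only one of those worth keeping.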