ASA5520远程拨号ipsec-vpn能获取地址，但不能ping内网任何主机

qhpal3 · 发表于 2012-2-4 16:35:36

本帖最后由 qhpal3 于 2012-2-4 16:38 编辑

ASA Version 8.0(4)
!
hostname ciscoasa
domain-name ssh.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd RLPMUQ26KL4blgFN encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.128
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif web
security-level 0
ip address 192.168.101.1 255.255.255.0
management-only
!
ftp mode passive
dns server-group DefaultDNS
domain-name ssh.com
access-list vpn extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.240
access-list no_nat extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.240
access-list no_nat extended deny ip 192.168.100.0 255.255.255.0 any
access-list vpnsplit standard permit 192.168.100.0 255.255.255.0
access-list 101 extended permit icmp any any
access-list 101 extended permit tcp any host 192.168.100.231 eq 8008
access-list 101 extended permit ip any any
access-list 102 extended permit icmp any any
access-list 102 extended permit ip any any
access-list oa extended permit tcp any eq 8008 host 1.1.1.1
access-list outside_permit extended permit tcp any interface outside eq 8008
access-list outside_permit extended permit tcp any interface outside eq 3338
access-list outside_permit extended permit tcp any interface outside eq 3339
access-list outside_permit extended permit tcp any interface outside eq 8090
access-list outside_permit extended permit tcp any interface outside eq 9080
access-list outside_permit extended permit tcp any interface outside eq ftp
access-list outside_permit extended permit icmp any any
pager lines 24
logging enable
mtu outside 1500
mtu inside 1500
mtu web 1500
ip local pool vpnpool 192.168.0.1-192.168.15.250 mask 255.255.240.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no_nat
nat (inside) 2 192.168.100.231 255.255.255.255
nat (inside) 1 192.168.100.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 8008 192.168.100.231 8008 netmask 255.255.255.255
static (inside,outside) tcp interface 3338 192.168.100.231 3338 netmask 255.255.255.255
static (inside,outside) tcp interface 3339 192.168.100.101 3339 netmask 255.255.255.255
static (inside,outside) tcp interface 8090 192.168.100.101 8090 netmask 255.255.255.255
static (inside,outside) tcp interface 9080 192.168.100.210 9080 netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.100.245 ftp netmask 255.255.255.255
access-group outside_permit in interface outside
access-group 102 in interface inside
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.101.0 255.255.255.0 web
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dymap 10 set transform-set vpnset
crypto dynamic-map dymap 10 set security-association lifetime seconds 28800
crypto dynamic-map dymap 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map dymap 10 set reverse-route
crypto map vpnmap 10 set security-association lifetime seconds 28800
crypto map vpnmap 10 set security-association lifetime kilobytes 4608000
crypto map outsidemap 1 set security-association lifetime seconds 28800
crypto map outsidemap 1 set security-association lifetime kilobytes 4608000
crypto map vpn_map 10 ipsec-isakmp dynamic dymap
crypto map vpn_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime none
crypto isakmp nat-traversal 10
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy vpnclient internal
group-policy vpnclient attributes
vpn-idle-timeout none
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnsplit
username test password k83iXWPan0Gg1s04 encrypted
username admin password .u6poIMcG40uk0WA encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 20 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 20 retry 2
tunnel-group DefaultWEBVPNGroup ipsec-attributes
isakmp keepalive threshold 20 retry 2
tunnel-group vpnclient type remote-access
tunnel-group vpnclient general-attributes
address-pool vpnpool
authentication-server-group (outside) LOCAL
default-group-policy vpnclient
tunnel-group vpnclient ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d43483e08c93169e11bcf0db59aa2553

qhpal3 · 发表于 2012-2-4 16:44:25

sdwchow 发表于 2012-2-4 16:42

登录/注册后可看大图

排错时你可以先把acl等等无关的config去掉，先做最简单的VPN

acl无关的也没有在接口上调用啊。。。

除了 101 和 oa没用以外其他的都在用

qhpal3 · 发表于 2012-2-4 16:49:27

sdwchow 发表于 2012-2-4 16:42

登录/注册后可看大图

排错时你可以先把acl等等无关的config去掉，先做最简单的VPN

我认为是 NAT的问题但是我不知道怎么弄

qhpal3 · 发表于 2012-2-4 17:01:52

sdwchow 发表于 2012-2-4 16:56

登录/注册后可看大图

是2台ASA5500吗？

服务运行中还是test中？

运行中是远程拨号的就一台5500 5500 inside 就是各种服务器

我是远程拨入用户

qhpal3 · 发表于 2012-2-4 17:06:19

sdwchow 发表于 2012-2-4 17:04

登录/注册后可看大图

你取得的IP可以PING通GW吗？

不能但这个不影响啊

以前都是可以ping主机但ping不到网关一直这么用的

但现在就是都不通

chinese_ys · 发表于 2012-2-5 12:01:20

做ipsec vpn时，如果时site to site，你必须指定nat exempt lan和远程子网。

qhpal3 · 发表于 2012-2-6 09:36:13

chinese_ys 发表于 2012-2-5 12:01

登录/注册后可看大图

做ipsec vpn时，如果时site to site，你必须指定nat exempt lan和远程子网。

这是 remote-access ipsec vpn

qhpal3 · 发表于 2012-2-6 09:36:24

chinese_ys 发表于 2012-2-5 12:01

登录/注册后可看大图

做ipsec vpn时，如果时site to site，你必须指定nat exempt lan和远程子网。

这是 remote-access ipsec vpn

账号		自动登录	找回密码
密码			论坛注册

[已解决] ASA5520远程拨号ipsec-vpn能获取地址，但不能ping内网任何主机

相关帖子

客服中心

投诉建议