[Solved] Cisco ASA VPN: dialed-in client cannot reach other subnets

#1 | OP (c50488) | Posted 2013-3-5 22:55:55
Last edited by c50488 on 2013-3-5 23:11

The core switch and the ASA are both on the 192.168.1.0 subnet. After I dial in over VPN I can ping the 192.168.1.0 subnet, but I cannot ping the 192.168.10.0 subnet behind the core switch. Why is that? Any advice appreciated. The firewall config is as follows:
ciscoasa-jht# sho ru
: Saved
:
ASA Version 8.6(1)
!
hostname ciscoasa-jht
domain-name jxtextiles.com
enable password x71gpq0QETCyw5nF encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 202.x.x.x 255.255.255.252
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!            
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
ftp mode passive
clock timezone CST 8
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.1.130
domain-name jxtextiles.com
object network in_to_out
subnet 192.168.1.0 255.255.255.0
object network ftp
host 192.168.1.130
object network ftp-data
host 192.168.1.130
object network www
host 192.168.1.130
object network mis
host 192.168.1.166
object network oracle
host 192.168.1.122
object network rpc
host 192.168.1.13
object network pop3
host 192.168.1.13
object network smtp
host 192.168.1.13
object network https
host 192.168.1.13
object network jiankong-90
host 192.168.1.135
object network jiankong-91
host 192.168.1.137
object network jiankong-92
host 192.168.1.139
object network jiankong-93
host 192.168.1.140
object network vpnpool
subnet 172.20.0.0 255.255.255.0
object network in_to_out_40
subnet 192.168.40.0 255.255.255.0
object network in_to_out_10
subnet 192.168.10.0 255.255.255.0
object network in_to_out_20
subnet 192.168.20.0 255.255.255.0
object network in_to_out_30
subnet 192.168.30.0 255.255.255.0
object network in_to_out_50
subnet 192.168.50.0 255.255.255.0
object network rdp
host 192.168.1.18
object network voip6060
host 192.168.1.12
object network voip80
host 192.168.1.12
object network voip10010
host 192.168.1.12
object network voip10011
host 192.168.1.12
object network voip10012
host 192.168.1.12
object network voip10013
host 192.168.1.12
object network voip10014
host 192.168.1.12
object network voip10015
host 192.168.1.12
object network voip10016
host 192.168.1.12
object network voip10017
host 192.168.1.12
object network voip10018
host 192.168.1.12
object network voip10019
host 192.168.1.12
object network voip10020
host 192.168.1.12
object network voip10021
host 192.168.1.12
object network voip10022
host 192.168.1.12
object network voip10023
host 192.168.1.12
object network voip10024
host 192.168.1.12
object network voip10025
host 192.168.1.12
object network voip10026
host 192.168.1.12
object network voip10027
host 192.168.1.12
object network voip10028
host 192.168.1.12
object network voip10029
host 192.168.1.12
object network voip10030
host 192.168.1.12
object network zfj
host 192.168.1.18
object network sslpop3
host 192.168.1.13
object network receive
host 192.168.1.13
object-group network DM_INLINE_NETWORK_1
network-object object in_to_out
network-object object in_to_out_10
network-object object in_to_out_20
network-object object in_to_out_30
network-object object in_to_out_40
network-object object in_to_out_50
access-list in-to-out extended permit ip any any
access-list in-to-out extended permit icmp any any
access-list out-to-in extended permit tcp any host 192.168.1.130 eq ftp
access-list out-to-in extended permit tcp any host 192.168.1.130 eq ftp-data
access-list out-to-in extended permit tcp any host 192.168.1.130 eq www
access-list out-to-in extended permit tcp any host 192.168.1.166 eq www
access-list out-to-in extended permit tcp any host 192.168.1.122 eq sqlnet
access-list out-to-in extended permit tcp any host 192.168.1.13 eq 135
access-list out-to-in extended permit tcp any host 192.168.1.13 eq pop3
access-list out-to-in extended permit tcp any host 192.168.1.18 eq 3389
access-list out-to-in extended permit tcp any host 192.168.1.18 eq 5500
access-list out-to-in extended permit tcp any host 192.168.1.13 eq smtp
access-list out-to-in extended permit tcp any host 192.168.1.13 eq https
access-list out-to-in extended permit tcp any host 192.168.1.12 eq www
access-list out-to-in extended permit tcp any host 192.168.1.13 eq 995
access-list out-to-in extended permit tcp any host 192.168.1.13 eq 587
access-list out-to-in extended permit udp any host 192.168.1.12 range 10010 10030
access-list out-to-in extended permit udp any host 192.168.1.12 eq 6060
access-list out-to-in extended permit tcp any host 192.168.1.18 range 5499 5900
access-list out-to-in extended permit tcp any host 192.168.1.135 eq 90
access-list out-to-in extended permit tcp any host 192.168.1.137 eq 91
access-list out-to-in extended permit tcp any host 192.168.1.139 eq 92
access-list out-to-in extended permit tcp any host 192.168.1.140 eq 93
access-list out-to-in extended permit icmp any any
access-list vpn extended permit ip 192.168.1.0 255.255.255.0 172.20.0.0 255.255.255.0
access-list rate_limit extended permit ip any 192.168.1.0 255.255.255.0 inactive
access-list rate_limit extended permit ip 192.168.1.0 255.255.255.0 any inactive
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 172.20.0.11-172.20.0.200
no failover   
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static in_to_out in_to_out destination static vpnpool vpnpool no-proxy-arp route-lookup
!
object network in_to_out
nat (inside,outside) dynamic interface
object network ftp
nat (inside,outside) static interface service tcp ftp ftp
object network ftp-data
nat (inside,outside) static interface service tcp ftp-data ftp-data
object network www
nat (inside,outside) static interface service tcp www www
object network mis
nat (inside,outside) static interface service tcp www 88
object network oracle
nat (inside,outside) static interface service tcp sqlnet sqlnet
object network rpc
nat (inside,outside) static interface service tcp 135 135
object network pop3
nat (inside,outside) static interface service tcp pop3 pop3
object network smtp
nat (inside,outside) static interface service tcp smtp smtp
object network https
nat (inside,outside) static interface service tcp https https
object network jiankong-90
nat (inside,outside) static interface service tcp 90 90
object network jiankong-91
nat (inside,outside) static interface service tcp 91 91
object network jiankong-92
nat (inside,outside) static interface service tcp 92 92
object network jiankong-93
nat (inside,outside) static interface service tcp 93 93
object network in_to_out_40
nat (inside,outside) dynamic interface
object network in_to_out_10
nat (inside,outside) dynamic interface
object network in_to_out_20
nat (inside,outside) dynamic interface
object network in_to_out_30
nat (inside,outside) dynamic interface
object network in_to_out_50
nat (inside,outside) dynamic interface
object network rdp
nat (inside,outside) static interface service tcp 3389 3389
object network voip6060
nat (inside,outside) static interface service udp 6060 6060
object network voip80
nat (inside,outside) static interface service tcp www 8888
object network voip10010
nat (inside,outside) static interface service udp 10010 10010
object network voip10011
nat (inside,outside) static interface service udp 10011 10011
object network voip10012
nat (inside,outside) static interface service udp 10012 10012
object network voip10013
nat (inside,outside) static interface service udp 10013 10013
object network voip10014
nat (inside,outside) static interface service udp 10014 10014
object network voip10015
nat (inside,outside) static interface service udp 10015 10015
object network voip10016
nat (inside,outside) static interface service udp 10016 10016
object network voip10017
nat (inside,outside) static interface service udp 10017 10017
object network voip10018
nat (inside,outside) static interface service udp 10018 10018
object network voip10019
nat (inside,outside) static interface service udp 10019 10019
object network voip10020
nat (inside,outside) static interface service udp 10020 10020
object network voip10021
nat (inside,outside) static interface service udp 10021 10021
object network voip10022
nat (inside,outside) static interface service udp 10022 10022
object network voip10023
nat (inside,outside) static interface service udp 10023 10023
object network voip10024
nat (inside,outside) static interface service udp 10024 10024
object network voip10025
nat (inside,outside) static interface service udp 10025 10025
object network voip10026
nat (inside,outside) static interface service udp 10026 10026
object network voip10027
nat (inside,outside) static interface service udp 10027 10027
object network voip10028
nat (inside,outside) static interface service udp 10028 10028
object network voip10029
nat (inside,outside) static interface service udp 10029 10029
object network voip10030
nat (inside,outside) static interface service udp 10030 10030
object network sslpop3
nat (inside,outside) static interface service tcp 995 995
object network receive
nat (inside,outside) static interface service tcp 587 587
access-group out-to-in in interface outside
access-group in-to-out out interface outside
route outside 0.0.0.0 0.0.0.0 202.x.x.x 1
route inside 192.168.10.0 255.255.255.0 192.168.1.254 1
route inside 192.168.20.0 255.255.255.0 192.168.1.254 1
route inside 192.168.30.0 255.255.255.0 192.168.1.254 1
route inside 192.168.40.0 255.255.255.0 192.168.1.254 1
route inside 192.168.50.0 255.255.255.0 192.168.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable 4443
http 192.168.1.0 255.255.255.0 inside
http 172.20.0.0 255.255.255.0 inside
http authentication-certificate inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set firstset esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map dyn1 1 set pfs
crypto dynamic-map dyn1 1 set ikev1 transform-set firstset
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap 2 match address outside_cryptomap
crypto map mymap 2 set peer 59.53.163.213
crypto map mymap 2 set ikev1 transform-set ESP-DES-SHA ESP-DES-MD5
crypto map mymap 2 set ikev2 ipsec-proposal DES
crypto map mymap interface outside
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption des
hash md5
group 2
lifetime 43200
crypto ikev1 policy 65535
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 1440 burst-rate 400 average-rate 200
webvpn
port 3355
enable outside
group-policy JHTwebvpn internal
group-policy JHTwebvpn attributes
vpn-tunnel-protocol ssl-clientless
webvpn      
  url-list value Applications
  customization value Custom_JHTwebvpn
group-policy jht internal
group-policy jht attributes
wins-server value 192.168.1.3
dns-server value 192.168.1.130
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn
default-domain value jxtextiles.com
group-policy GroupPolicy_59.53.163.213 internal
group-policy GroupPolicy_59.53.163.213 attributes
vpn-tunnel-protocol ikev1 ikev2
username jerry password aCvOm2BgRjO5C6tN encrypted privilege 15
username jerry attributes
vpn-group-policy jht
vpn-tunnel-protocol ikev1
service-type admin
tunnel-group jht type remote-access
tunnel-group jht general-attributes
address-pool vpnpool
tunnel-group jht ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group JHTwebvpn type remote-access
tunnel-group JHTwebvpn general-attributes
default-group-policy JHTwebvpn
tunnel-group JHTwebvpn webvpn-attributes
customization Custom_Login
radius-reject-message
group-url https://202.x.x.x:3355 enable
tunnel-group 59.53.163.213 type ipsec-l2l
tunnel-group 59.53.163.213 general-attributes
default-group-policy GroupPolicy_59.53.163.213
tunnel-group 59.53.163.213 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map policing_class
class-map rate_limit
match access-list rate_limit
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
  inspect pptp
class class-default
  user-statistics accounting
policy-map rate_limit
class rate_limit
  police input 2000000 3000000
  police output 2000000 3000000
!
service-policy global_policy global
service-policy rate_limit interface inside
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 12
  subscribe-to-alert-group configuration periodic monthly 12
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:eeff30698ef133f38ce837122b5225d7
: end
#2 | Posted 2013-3-5 23:06:51
My eyes glazed over. Bump.

#3 | qq360870025 | Posted 2013-3-5 23:07:08
access-list vpn extended permit ip 192.168.1.0 255.255.255.0 172.20.0.0 255.255.255.0
Add another permit here for 192.168.10.0 255.255.255.0 172.20.0.0 255.255.255.0.

Your split tunnel is configured under the group policy; looking at your config, it is all tied directly to the user.

I have to say the config is huge; it can take ages to find the part you actually want to look at.

#4 | OP (c50488) | Posted 2013-3-5 23:19:01
qq360870025 posted at 2013-3-5 23:07:
access-list vpn extended permit ip 192.168.1.0 255.255.255.0 172.20.0.0 255.255.255.0
Add another per ...

I didn't learn this properly, sorry. I added a permit 192.168.10.0 255.255.255.0 172.20.0.0 255.255.255.0
line, but it still has no effect.

#5 | Posted 2013-3-5 23:23:18
c50488 posted at 2013-3-5 23:19:
I didn't learn this properly, sorry. I added a permit 192.168.10.0 255.255.255.0 172.20.0.0 255.255.255.0
line, ...

I had just spotted that problem too; before I could say it, it was already ruled out. Let's keep looking.

#6 | qq360870025 | Posted 2013-3-5 23:27:14
c50488 posted at 2013-3-5 23:19:
I didn't learn this properly, sorry. I added a permit 192.168.10.0 255.255.255.0 172.20.0.0 255.255.255.0
line, ...

Does your core switch have a route to 172.20.0.0, or a default route? You're dialing in with EZVPN, right? Check whether the list of reachable networks the client received contains both 192.168.1.0 and 10.0.


#7 | 拽拽的流氓 | Posted 2013-3-5 23:29:46
nat (inside,outside) source static in_to_out in_to_out destination static vpnpool vpnpool no-proxy-arp route-lookup
Could this be the problem? You still need to add a NAT rule for the translation, or try leaving in_to_out out of NAT.

#8 | Posted 2013-3-5 23:41:18
拽拽的流氓 posted at 2013-3-5 23:29:
nat (inside,outside) source static in_to_out in_to_out destination static vpnpool vpnpool no-proxy-a ...

This has to be done as a VPN bypass (NAT exemption); there has been no nat 0 since 8.3.

#9 | OP (c50488) | Posted 2013-3-5 23:42:08
qq360870025 posted at 2013-3-5 23:27:
Does your core switch have a route to 172.20.0.0, or a default route? You're dialing in with EZVPN, right? Check whether the list of reachable networks the client received ...

The core switch has a default route. My client received the address 172.20.0.22, and it shows a route to the 192.168.1.0 subnet.

#10 | qq360870025 | Posted 2013-3-5 23:46:39
c50488 posted at 2013-3-5 23:42:
The core switch has a default route. My client received the address 172.20.0.22, and it shows a route to the 192.168.1.0 subnet.

Then your client still hasn't received the 10.0 entry; the split tunnel is the same as before, only 1.0. Your list is defined by the ACL named vpn, right?

#11 | OP (c50488) | Posted 2013-3-5 23:55:09
qq360870025 posted at 2013-3-5 23:46:
Then your client still hasn't received the 10.0 entry; the split tunnel is the same as before, only 1.0. Your list is defined by the ACL named vpn, right? ...

Please tell me how to get the 10.0 entry, ideally with the exact command. Thanks.

#12 | Posted 2013-3-6 00:00:42
c50488 posted at 2013-3-5 23:55:
Please tell me how to get the 10.0 entry, ideally with the exact command. Thanks.

Show me the output of show running-config access-list vpn.

#13 | Posted 2013-3-6 00:08:39
c50488 posted at 2013-3-5 23:55:
Please tell me how to get the 10.0 entry, ideally with the exact command. Thanks.

If show run access-list vpn shows these two lines
access-list vpn extended permit ip 192.168.1.0 255.255.255.0 172.20.0.0 255.255.255.0
access-list vpn extended permit ip 192.168.10.0 255.255.255.0 172.20.0.0 255.255.255.0
and the client still only shows the 192.168.1.0 255.255.255.0 network, I ran into that once; rebooting the device fixed it, or you can wait and see.

I'm off to bed; we can discuss during the day if anything comes up. You can add me on QQ 360870025.

#14 | qq360870025 | Posted 2013-3-6 00:21:50
c50488 posted at 2013-3-5 23:55:
Please tell me how to get the 10.0 entry, ideally with the exact command. Thanks.

I think I've found the problem.
Your object network in_to_out only contains the 1.0 addresses, so in the NAT exemption 10.0 still gets NAT translated.

You need to add 10.0, but a network object can only hold one subnet, so you have to define two and tie them together with an object-group.
If you know how, change it yourself; otherwise I can give you the config tomorrow during the day.
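The fragment below puts together the two fixes this thread converges on (the missing split-tunnel entry from #3 and the NAT exemption that only covers in_to_out from #14). It is an added example, not a config from the original poster or from the replying members. It assumes ASA 8.6(1) and keeps the object, ACL, pool and group-policy names from the posted config; the only new name, the object-group vpn_internal_nets, is an assumed one. The existing per-object `nat (inside,outside) dynamic interface` rules are left in place, because they still provide Internet PAT for the internal subnets once the exemption is matched first.

```cisco
! Added example, not the poster's config. Assumes ASA 8.6(1) and the names
! already in the thread; vpn_internal_nets is an assumed new group name.
!
! 1. Group the internal networks that VPN clients must reach. A network
!    object holds a single subnet, so an object-group is needed for two.
object-group network vpn_internal_nets
 network-object object in_to_out
 network-object object in_to_out_10
!
! 2. Split-tunnel ACL. The client installs a route only for what is listed
!    here, and the posted ACL listed 192.168.1.0/24 alone. The existing
!    192.168.1.0 line stays; only the 10.0 line is added.
access-list vpn extended permit ip 192.168.10.0 255.255.255.0 172.20.0.0 255.255.255.0
!
! 3. NAT exemption (identity twice NAT). The posted rule matched only
!    in_to_out, so replies from 192.168.10.0/24 to the pool fell through to
!    "object network in_to_out_10 / nat (inside,outside) dynamic interface"
!    and were PATed to the outside address instead of entering the tunnel.
no nat (inside,outside) source static in_to_out in_to_out destination static vpnpool vpnpool no-proxy-arp route-lookup
nat (inside,outside) source static vpn_internal_nets vpn_internal_nets destination static vpnpool vpnpool no-proxy-arp route-lookup
!
! 4. Verify. Manual NAT (section 1) is evaluated before object NAT
!    (section 2), so the exemption must appear in section 1 of "show nat".
show nat
show running-config access-list vpn
! Trace a reply from a 10.0 host to the connected client 172.20.0.22 (the
! address reported in #9; 192.168.10.10 is an assumed host). The NAT phase
! should hit the identity rule and the packet should be encrypted, not PATed.
packet-tracer input inside icmp 192.168.10.10 0 0 172.20.0.22 detailed
```

Two checks belong with this change. The split-tunnel list is pushed to the client when the tunnel is established, so the client has to disconnect and reconnect before the 192.168.10.0 route shows up in its route list. And the core switch must have a path back to 172.20.0.0/24 via 192.168.1.1; #9 says a default route exists, which is enough. Unrelated to reachability but worth flagging: the posted IKE policies and transform sets use DES with MD5 or SHA-1, and telnet is enabled on inside; the example leaves them untouched because they are outside this thread's question, but they would not pass a review today.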

#15 | OP (c50488) | Posted 2013-3-6 07:37:14
qq360870025 posted at 2013-3-6 00:21:
I think I've found the problem.
Your object network in_to_out only contains the 1.0 addresses, so in the NAT exemption 10.0 still gets NA ...

I'm thoroughly confused; if it's convenient, please send me the config. Many thanks.

Source: 鸿鹄论坛 (HH010.COM)

GMT+8, 2025-4-30 09:12 , Processed in 0.133889 second(s), 23 queries , Redis On.  

  Powered by Discuz!

  © 2001-2025 HH010.COM

快速回复 返回顶部 返回列表