[Help] ASA L2TP over IPsec VPN dials up normally, but cannot reach the internal network

Posted on 2014-10-17 11:49:52
Bounty: 10 鸿鹄币
ASA L2TP over IPsec VPN dials up normally, but cannot reach the internal network.
From the ASA I can ping the VPN client, and the VPN client can ping the inside interface, but it cannot ping any other internal IP.
The configuration is below; experts, please help, I'm waiting online, this is urgent!
# show run
: Saved
:
ASA Version 7.2(3)
!
hostname Pay-FW
domain-name default.domain.invalid
enable password U6sQegXTM2buKGt2 encrypted
names
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan2
nameif outside
security-level 0
ip address 10.148.122.42 255.255.255.248
!
interface Vlan3
nameif inside
security-level 100
ip address 172.168.1.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 3
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
passwd U6sQegXTM2buKGt2 encrypted
boot system disk0:/asa723-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
domain-name default.domain.invalid
access-list vpn-split standard permit 172.168.1.0 255.255.255.0
access-list nonat extended permit ip 172.168.1.0 255.255.255.0 172.168.40.0 255.255.255.0
access-list icmp extended permit icmp any any
access-list acl-outside extended permit icmp any any
access-list acl-outside extended permit ip any any
access-list acl-inside extended permit icmp any any
access-list acl-inside extended permit ip any any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool vpn-pool 172.168.40.10-172.168.40.100 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 172.168.1.0 255.255.255.0
access-group acl-outside in interface outside
access-group acl-inside in interface inside
route outside 0.0.0.0 0.0.0.0 10.148.122.41 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable 8080
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto dynamic-map outside_dyn_map 10 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal  10
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside

group-policy l2tp-policy internal
group-policy l2tp-policy attributes
dns-server value 8.8.8.8
vpn-idle-timeout none
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn-split
address-pools value vpn-pool
username test password XIAPE6POhu0lQN1OczHpog== nt-encrypted
username zhang password KawlFG5TeARJjacTHfD3RA== nt-encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool vpn-pool
authentication-server-group (outside) LOCAL
default-group-policy l2tp-policy
strip-realm
strip-group
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
prompt hostname context
Cryptochecksum:a0b5c90db21f6eaa616e91ecf89cd544
: end
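As an added check for this kind of problem (example code written for this edit, not the poster's or Cisco's), the Python script below parses the lines of the configuration above that decide whether a client in the VPN pool can reach the inside LAN and flags the usual ASA-side mismatches: a pool that overlaps the inside subnet, a split-tunnel list that omits the inside subnet, and a nat (inside) 0 exemption ACL that does not cover inside -> pool. The first excerpt is copied from the poster's show run; the second copy, with the pool moved to 172.168.50.0/24, is constructed only to show what a finding looks like. All function names are my own, not ASA commands.

```python
"""Consistency checks for the ASA-side pieces of an L2TP/IPsec remote-access setup.

Added example (not from the forum thread). Parses interfaces, ACLs, local pools,
nat 0 bindings and group-policy values, then reports mismatches that stop VPN
clients from reaching the inside LAN. Function names are the author's own.
"""
import ipaddress

# Constructed excerpt of the poster's show run (only the lines the checks read).
SAMPLE_CONFIG = """\
interface Vlan3
 nameif inside
 security-level 100
 ip address 172.168.1.1 255.255.255.0
access-list vpn-split standard permit 172.168.1.0 255.255.255.0
access-list nonat extended permit ip 172.168.1.0 255.255.255.0 172.168.40.0 255.255.255.0
ip local pool vpn-pool 172.168.40.10-172.168.40.100 mask 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 172.168.1.0 255.255.255.0
group-policy l2tp-policy internal
group-policy l2tp-policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn-split
 address-pools value vpn-pool
"""

# Constructed variant: pool moved so the nat 0 ACL no longer matches it.
BROKEN_CONFIG = SAMPLE_CONFIG.replace("172.168.40.10-172.168.40.100",
                                      "172.168.50.10-172.168.50.100")


def _net(addr, mask):
    """'172.168.1.1 255.255.255.0' -> IPv4Network 172.168.1.0/24."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _addr(tokens):
    """Consume one ASA address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return _net(tokens[0], tokens[1]), tokens[2:]


def parse_config(text):
    """Collect the config objects the checks need; indentation is ignored."""
    cfg = {"interfaces": {}, "acls": {}, "pools": {}, "nat0": {}, "policies": {}}
    cur_if = cur_gp = None
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0].startswith(("!", ":")):
            continue
        if t[0] == "interface":
            cur_if, cur_gp = {"net": None}, None
        elif t[0] == "group-policy" and len(t) > 2 and t[2] == "attributes":
            cur_gp, cur_if = cfg["policies"].setdefault(t[1], {}), None
        elif cur_if is not None and t[0] == "nameif":
            cfg["interfaces"][t[1]] = cur_if          # register block by nameif
        elif cur_if is not None and t[:2] == ["ip", "address"]:
            cur_if["net"] = _net(t[2], t[3])
        elif t[0] == "access-list" and len(t) > 5 and t[3] == "permit":
            entries = cfg["acls"].setdefault(t[1], [])
            if t[2] == "standard":
                entries.append((_net(t[4], t[5]), None))   # (src, no dst)
            elif t[2] == "extended" and t[4] == "ip":      # only ip ACEs matter for NAT/split
                src, rest = _addr(t[5:])
                dst, _ = _addr(rest)
                entries.append((src, dst))
        elif t[:3] == ["ip", "local", "pool"]:
            start, end = t[4].split("-")
            cfg["pools"][t[3]] = (ipaddress.ip_address(start), ipaddress.ip_address(end))
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            cfg["nat0"][t[1].strip("()")] = t[4]           # interface -> exemption ACL
        elif cur_gp is not None and t[0] == "split-tunnel-policy":
            cur_gp["split_policy"] = t[1]
        elif cur_gp is not None and t[0] == "split-tunnel-network-list":
            cur_gp["split_acl"] = t[2]
        elif cur_gp is not None and t[0] == "address-pools":
            cur_gp["pools"] = t[2:]
    return cfg


def check_config(text):
    """Return a list of findings; an empty list means the ASA side is consistent."""
    cfg = parse_config(text)
    findings = []
    inside = cfg["interfaces"].get("inside", {}).get("net")
    if inside is None:
        return ["no interface is named inside"]
    nat0_acl = cfg["acls"].get(cfg["nat0"].get("inside"), [])
    for gp_name, gp in cfg["policies"].items():
        if gp.get("split_policy") == "tunnelspecified":
            split = cfg["acls"].get(gp.get("split_acl"), [])
            if not any(inside.subnet_of(src) for src, _ in split):
                findings.append(f"{gp_name}: split-tunnel list omits inside subnet {inside}")
        for pname in gp.get("pools", []):
            if pname not in cfg["pools"]:
                findings.append(f"{gp_name}: address pool {pname} is not defined")
                continue
            start, end = cfg["pools"][pname]
            if start in inside or end in inside:
                findings.append(f"pool {pname} overlaps inside subnet {inside}")
            # Without an exemption, inside -> pool traffic hits nat (inside) 1 and is PATed away.
            exempt = any(inside.subnet_of(src) and dst is not None and start in dst and end in dst
                         for src, dst in nat0_acl)
            if not exempt:
                findings.append(f"nat (inside) 0 ACL does not exempt {inside} -> pool {pname}")
    return findings


if __name__ == "__main__":
    for label, text in (("poster's config", SAMPLE_CONFIG), ("moved pool", BROKEN_CONFIG)):
        print(label, "->", check_config(text) or ["no ASA-side mismatch found"])
```

Run against the poster's excerpt the script reports nothing: pool, split-tunnel list and nat 0 exemption agree with each other, so the ASA configuration is not the obvious culprit. That leaves the inside hosts themselves, which need a return path to 172.168.40.0/24 (the ASA as their default gateway, or a static route for the pool via 172.168.1.1) and must not be dropping ICMP in a host firewall. On the ASA, `packet-tracer input inside icmp <inside-host> 8 0 172.168.40.10` exercises the return direction through the firewall, and the encaps/decaps counters in `show crypto ipsec sa` show whether replies are actually going back into the tunnel.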

Best answer
Posted on 2014-10-17 11:49:53
This post was last edited by 今日寻欢 on 2014-10-22 08:57

The split tunnel is wrong: access-list vpn-split standard permit 172.168.1.0 255.255.255.0
   A standard ACL won't do; it has to be an extended ACL, the route from the local side to the remote communicating endpoint.

Also, I see you are doing that NAT as well; is it required by your lab? You have given too little information.

And your ACLs are written really badly; once you have the permit ip any any entry, are the others even needed?
Posted on 2014-10-25 12:30:55
Grabbing the points and leaving, heh; next poster, carry on!
鸿鹄论坛 (HH010.COM)
