ASA 8.4 Easy VPN: internal network cannot be pinged, looking for advice

Posted 2015-5-14 20:49:39
Network topology
[screenshot: 捕获.PNG]

ASA routing table
[screenshot: 捕获3.PNG]

Client routing table
[screenshot: 捕获4.PNG]

Client IP address
[screenshot: 捕获5.PNG]

The client can ping the internal host 4.4.4.4, but it cannot ping the subnet of the ASA inside interface.
[screenshot: 捕获2.PNG]

R4 cannot ping the client from its 10.1.1.0/24 address.
R4 cannot ping the client from 4.4.4.4/32.

ASA configuration
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif outside
security-level 0
ip address 12.1.1.1 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object network outside
range 12.1.1.100 12.1.1.200
object network inside
subnet 10.1.1.0 255.255.255.0
object-group network cisco
network-object object inside
access-list fun standard permit 10.1.1.0 255.255.255.0
access-list fun standard permit host 4.4.4.4
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 10.1.1.100-10.1.1.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic cisco outside
route outside 0.0.0.0 0.0.0.0 12.1.1.2 1
route inside 4.4.4.4 255.255.255.255 10.1.1.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ccna esp-aes esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal ccnp
protocol esp encryption aes
protocol esp integrity sha-1
crypto dynamic-map dymap 1 set ikev1 transform-set ccna
crypto dynamic-map dymap 1 set ikev2 ipsec-proposal ccnp
crypto dynamic-map dymap 1 set reverse-route
crypto map cisco 1 ipsec-isakmp dynamic dymap
crypto map cisco interface outside
crypto ikev2 policy 1
encryption aes
integrity sha
group 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
!
tls-proxy maximum-session 1010
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy vpnclient internal
group-policy vpnclient attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev1 ikev2
split-tunnel-policy tunnelspecified
split-tunnel-network-list value fun
default-domain value cisco.com
username frank password YXIKx9jp/MLl8gus encrypted
username frank attributes
vpn-group-policy vpnclient
tunnel-group vpnclient type remote-access
tunnel-group vpnclient general-attributes
address-pool vpnpool
default-group-policy vpnclient
tunnel-group vpnclient ipsec-attributes
ikev1 pre-shared-key *****
!
!
prompt hostname context
call-home reporting anonymous prompt 2
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:70dab8bd68f1ba7c0a39b85cb04b740e
: end

R4 configuration
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!         
no ip domain lookup
ip cef
ipv6 multicast rpf use-bgp
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
ip ssh version 1
!
!         
!
!
!
!
!
!
!
interface Loopback0
ip address 4.4.4.4 255.255.255.255
!
interface FastEthernet0/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet0/1
ip address 10.1.1.4 255.255.255.0
speed auto
duplex auto
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet4/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet4/1
no ip address
shutdown
speed auto
duplex auto
!         
interface Serial5/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial5/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial5/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial5/3
no ip address
shutdown
serial restart-delay 0
!
interface Serial6/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial6/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial6/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial6/3
no ip address
shutdown
serial restart-delay 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 10.1.1.1
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
password cisco
login
!
!
end

R1 configuration
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
ip dhcp excluded-address 30.1.1.3
!
ip dhcp pool a
network 30.1.1.0 255.255.255.0
default-router 30.1.1.3
dns-server 8.8.4.4
!
!
!
ip cef
ipv6 multicast rpf use-bgp
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!         
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 30.1.1.3 255.255.255.0
ip nat inside
speed auto
duplex auto
!
interface FastEthernet0/1
ip address 23.1.1.3 255.255.255.0
ip nat outside
speed auto
duplex auto
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet4/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet4/1
no ip address
shutdown
speed auto
duplex auto
!         
interface Serial5/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial5/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial5/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial5/3
no ip address
shutdown
serial restart-delay 0
!
interface Serial6/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial6/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial6/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial6/3
no ip address
shutdown
serial restart-delay 0
!
ip nat inside source list 3 interface FastEthernet0/1 overload
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 23.1.1.2
!
access-list 3 permit any
!
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
!
end
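As an added example for this thread (not code from the post, from any reply, or from Cisco), the script below audits an ASA 8.3+/8.4 running-config for the three things a practitioner would check first given these symptoms, and all three are visible in the configuration posted above: the pool 10.1.1.100-10.1.1.200 sits inside the inside interface's 10.1.1.0/24, the only NAT rule is "nat (inside,outside) source dynamic cisco outside" with no identity rule exempting inside-to-pool traffic, and there is no "management-access inside". SAMPLE_CONFIG is a constructed excerpt of that configuration; FIXED_CONFIG, the "vpn-clients" object, the 192.168.100.0/24 pool and the assumption that the inside interface is named "inside" are mine, used only to show the corrected form.

```python
"""Audit an ASA 8.3+ running-config for the remote-access VPN pitfalls behind "client reaches one
inside host but not the inside subnet / inside cannot reach the client".  Added example for this
thread, not code from the post; assumes the inside interface is named 'inside'."""
import ipaddress
import re

ip, ipnet = ipaddress.ip_address, ipaddress.ip_network

# Constructed excerpt of the posted configuration (only the lines the checks use).
SAMPLE_CONFIG = """\
interface GigabitEthernet0
 nameif outside
 ip address 12.1.1.1 255.255.255.0
interface GigabitEthernet1
 nameif inside
 ip address 10.1.1.1 255.255.255.0
object network inside
 subnet 10.1.1.0 255.255.255.0
object-group network cisco
 network-object object inside
ip local pool vpnpool 10.1.1.100-10.1.1.200 mask 255.255.255.0
nat (inside,outside) source dynamic cisco outside
"""
# Hypothetical corrected lines (not from the post): a pool outside every connected subnet, an identity
# twice-NAT rule inserted as rule 1 so it precedes the dynamic rule, and management-access on inside.
FIXED_CONFIG = SAMPLE_CONFIG.replace("vpnpool 10.1.1.100-10.1.1.200", "vpnpool 192.168.100.1-192.168.100.100").replace(
    "nat (inside,outside) source dynamic cisco outside",
    "nat (inside,outside) 1 source static inside inside destination static vpn-clients vpn-clients no-proxy-arp route-lookup\n"
    "nat (inside,outside) source dynamic cisco outside",
) + "object network vpn-clients\n range 192.168.100.1 192.168.100.100\nmanagement-access inside\n"


def parse_interfaces(config):
    """{nameif: connected IPv4Network}; the sentinel line flushes the last interface block."""
    out, name, net = {}, None, None
    for s in map(str.strip, config.splitlines() + ["interface END"]):
        if s.startswith("interface "):
            if name and net:
                out[name] = net
            name = net = None
        elif s.startswith("nameif "):
            name = s.split()[1]
        elif s.startswith("ip address "):
            net = ipnet("/".join(s.split()[2:4]), strict=False)
    return out


def parse_pools(config):
    """{pool name: (first, last)} from 'ip local pool' lines."""
    return {m[1]: (ip(m[2]), ip(m[3]))
            for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+) mask", config, re.M)}


def parse_objects(config):
    """{name: [(first, last) or member object name]} for object / object-group network bodies."""
    objects, body = {}, None
    for line in config.splitlines():
        t = line.split()
        if not line.startswith(" "):                        # a top-level line starts or ends a body
            m = re.match(r"object(?:-group)? network (\S+)", line)
            body = objects.setdefault(m[1], []) if m else None
        elif body is None or not t:
            continue
        elif t[0] == "network-object" and t[1] == "object":  # group member that names another object
            body.append(t[2])
        elif t[0] == "range":
            body.append((ip(t[1]), ip(t[2])))
        elif t[0] == "subnet":
            net = ipnet(f"{t[1]}/{t[2]}", strict=False)
            body.append((net[0], net[-1]))
    return objects


def ranges_of(name, objects):
    """Flatten an object or group (recursively) into (first, last) ranges."""
    out = []
    for item in objects.get(name, []):
        out.extend(ranges_of(item, objects) if isinstance(item, str) else [item])
    return out


def covers(ranges, first, last):
    return any(lo <= first and last <= hi for lo, hi in ranges)


def vpn_traffic_gets_natted(config, inside_if, pool):
    """True when the first manual-NAT rule matching inside -> pool traffic translates it.  ASA walks
    these rules in order, so an identity rule listed after the dynamic rule never fires."""
    objects, inside = parse_objects(config), parse_interfaces(config)[inside_if]
    rules = re.findall(r"^nat \((\S+),(\S+)\)(?: \d+)? source (static|dynamic) (\S+) (\S+)"
                       r"(?: destination static (\S+) (\S+))?", config, re.M)
    for src_if, _, kind, src_r, src_m, dst_r, dst_m in rules:
        if src_if != inside_if or not covers(ranges_of(src_r, objects), inside[0], inside[-1]):
            continue
        if kind == "static" and src_r == src_m and dst_r == dst_m and covers(ranges_of(dst_r, objects), *pool):
            return False                                    # identity rule exempts the VPN traffic
        if kind == "dynamic":
            return True                                     # dynamic PAT rewrites inside -> client
    return False


def audit(config, inside_if="inside"):
    """Run all checks; every value is falsy on a clean config."""
    interfaces, pools = parse_interfaces(config), parse_pools(config)
    return {
        # pool inside a connected subnet: inside hosts treat client addresses as on-link and ARP for them
        "pool_overlaps_connected_subnet": [(p, i, str(n)) for p, (lo, hi) in pools.items()
                                          for i, n in interfaces.items() if lo in n or hi in n],
        "vpn_traffic_gets_natted": any(vpn_traffic_gets_natted(config, inside_if, p) for p in pools.values()),
        # without it a VPN client cannot reach the inside interface address itself through the tunnel
        "management_access_missing": not re.search(rf"^management-access {inside_if}\s*$", config, re.M),
    }


if __name__ == "__main__":
    for label, cfg in ("posted", SAMPLE_CONFIG), ("corrected", FIXED_CONFIG):
        print(label, audit(cfg))
```

Running it prints the three findings for the posted excerpt and an all-clear for the corrected one. The rule-order check is deliberate: ASA evaluates manual (twice) NAT rules in the order "show run nat" lists them, so an exemption typed after the existing dynamic rule is never reached, which is why the corrected line carries the explicit position 1.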
鸿鹄论坛 (HH010.COM)