Views: 2423 | Replies: 5

[Help] Cisco ASA Easy VPN: remote client dials in but cannot access the inside network

Posted 2016-5-28 18:06:44
Bounty: 3 鸿鹄币
Topology diagram: 1.JPG

ASA configuration:
ciscoasa(config)# show run
ciscoasa(config)# show running-config
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif outside
security-level 0
ip address 200.1.1.1 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet2
nameif dmz
security-level 50
ip address 172.16.2.1 255.255.255.0
!
interface GigabitEthernet3
shutdown     
no nameif
no security-level
no ip address
!
interface GigabitEthernet4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object network inside
range 172.16.1.0 255.255.255.0
object network outside
host 200.1.1.1
object network dmz
range 172.16.2.0 255.255.255.0
object network vpn
range 100.100.100.0 255.255.255.0
object network inside1
range 172.16.1.0 255.255.255.0
object-group network inside10
network-object object inside
network-object object dmz
access-list vpn1 extended permit ip 172.16.1.0 255.255.255.0 any
access-list vpn1 extended permit ip 172.16.2.0 255.255.255.0 any
access-list out extended permit ip any any
pager lines 24
mtu inside 1500
mtu dmz 1500
mtu outside 1500
ip local pool pool 10.10.10.1-10.10.10.254
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static inside10 inside10 destination static vpn vpn no-proxy-arp route-lookup
nat (inside,outside) source dynamic inside interface
nat (dmz,outside) source dynamic dmz interface
access-group out in interface outside
route outside 0.0.0.0 0.0.0.0 200.1.1.8 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set set esp-3des esp-md5-hmac
crypto dynamic-map dmap 10 set ikev1 transform-set set
crypto dynamic-map dmap 10 set reverse-route
crypto map map 10 ipsec-isakmp dynamic dmap
crypto map map interface outside
crypto isakmp nat-traversal 10
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy vpn internal
group-policy vpn attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn1
address-pools value pool
username cisco password 3USUcOPFUiMCO4Jk encrypted
tunnel-group vpn type remote-access
tunnel-group vpn general-attributes
address-pool pool
default-group-policy vpn
tunnel-group vpn ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
crashinfo save disable
Cryptochecksum:0c735323e9fb62ebce43d953fb4b0eaf
: end
ciscoasa(config)#                            exit

Screenshots: 2.JPG, 3.JPG

Best answer

Does the internal router have a route for 10.10.10.0/24? Run show ip route on R5/R6 and check.
Posted 2016-5-28 18:06:45
Quoting abdxj (posted 2016-5-28 19:07): The client can't ping the internal router at all

Does the internal router have a route for 10.10.10.0/24? Run show ip route on R5/R6 and check.
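The posted configuration and the accepted answer come down to the same question: is there a consistent path for the client pool 10.10.10.0/24 through the ASA, on the inside routers (routing) and in the ASA's own NAT rules? The script below is an added example written for this thread; it is not the poster's, the forum's or Cisco's code. It embeds an excerpt of the 'show run' from the first post and reports three things: the prefix covering the pool (the route the accepted answer asks the poster to verify on R5/R6), whether the destination object of the twice-NAT exemption ('vpn', defined as 100.100.100.0 ... in the post) actually covers the 10.10.10.x pool, and 'object network ... range A B' lines whose end address is a netmask, which usually means 'subnet A B' was intended. CORRECTED_CONFIG is my assumption of what was intended and is not confirmed by the thread; since the poster reports the problem persisted with all NAT removed, the routing check comes first.

```python
"""Consistency checks for the ASA 8.4 remote-access VPN config posted above.
Added example, not the poster's, the forum's or Cisco's code: parses the
object, pool and NAT lines of the posted 'show run' and reports the pool
prefix, NAT-exemption coverage of that pool, and range-vs-subnet mistakes."""
import ipaddress
import re

# Excerpt of the configuration from the first post (ASA 8.4(2)).
ASA_CONFIG = """\
object network inside
range 172.16.1.0 255.255.255.0
object network dmz
range 172.16.2.0 255.255.255.0
object network vpn
range 100.100.100.0 255.255.255.0
object network inside1
range 172.16.1.0 255.255.255.0
object-group network inside10
network-object object inside
network-object object dmz
ip local pool pool 10.10.10.1-10.10.10.254
nat (inside,outside) source static inside10 inside10 destination static vpn vpn no-proxy-arp route-lookup
nat (inside,outside) source dynamic inside interface
nat (dmz,outside) source dynamic dmz interface
"""

# Assumed corrected form (my assumption of the intent, not confirmed by the
# thread): 'subnet' instead of 'range', and a 'vpn' object equal to the pool.
CORRECTED_CONFIG = (ASA_CONFIG.replace("range 172.16", "subnet 172.16")
                    .replace("range 100.100.100.0 255.255.255.0", "subnet 10.10.10.0 255.255.255.0"))

def looks_like_netmask(addr):
    """True for a contiguous netmask such as 255.255.255.0 (255.255.255.255 is
    excluded because it is a legitimate end address for a range)."""
    inv = (~int(addr)) & 0xFFFFFFFF        # a real mask inverts to 0...01...1
    return inv != 0 and (inv & (inv + 1)) == 0

def parse_config(config):
    """Collect network objects/groups, local pools and the NAT-exempt destination."""
    objects, groups, range_warnings, pools, exempt_dst = {}, {}, [], {}, None
    current = None                          # (kind, name) of the open object block
    for raw in config.splitlines():
        parts = raw.split()
        if not parts:
            continue
        head = " ".join(parts[:2])
        if head == "object network":
            current = ("object", parts[2]); objects[parts[2]] = []; continue
        if head == "object-group network":
            current = ("group", parts[2]); groups[parts[2]] = []; continue
        kind = current[0] if current else None
        if kind == "object" and parts[0] == "subnet":
            objects[current[1]].append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)); continue
        if kind == "object" and parts[0] == "range":
            start, end = ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2])
            objects[current[1]].extend(ipaddress.summarize_address_range(start, end))
            if looks_like_netmask(end):     # 'range A <mask>' almost always means 'subnet A <mask>'
                range_warnings.append(current[1])
            continue
        if kind == "group" and parts[:2] == ["network-object", "object"]:
            groups[current[1]].append(parts[2]); continue
        current = None                      # any other line closes the block
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+)", raw)
        if m:
            pools[m.group(1)] = list(ipaddress.summarize_address_range(
                ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))))
        m = re.match(r"nat \(\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)", raw)
        if m and m.group(1) == m.group(2) and m.group(3) == m.group(4):
            exempt_dst = m.group(3)         # identity twice-NAT: its destination object
    return objects, groups, range_warnings, pools, exempt_dst

def resolve(name, objects, groups):
    """Flatten an object or object-group name into a list of networks."""
    if name in objects:
        return objects[name]
    return [n for member in groups.get(name, []) for n in resolve(member, objects, groups)]

def covering_prefix(networks):
    """Smallest single prefix containing every network in the list."""
    net = networks[0]
    while not all(n.subnet_of(net) for n in networks):
        net = net.supernet()
    return net

def check_vpn_config(config=ASA_CONFIG):
    """Per pool: the route the inside routers need, the NAT-exempt destination
    object, and whether that object covers the pool; plus range warnings."""
    objects, groups, range_warnings, pools, exempt_dst = parse_config(config)
    exempt_nets = resolve(exempt_dst, objects, groups) if exempt_dst else []
    findings = {"range_looks_like_subnet": range_warnings, "pools": {}}
    for name, nets in pools.items():
        findings["pools"][name] = {
            "route_needed": str(covering_prefix(nets)),
            "exempt_destination": exempt_dst,
            "pool_nat_exempted": all(any(p.subnet_of(e) for e in exempt_nets) for p in nets),
        }
    return findings
```

Running check_vpn_config() on the posted excerpt reports route_needed 10.10.10.0/24 (the route R5/R6 need towards the ASA inside address), pool_nat_exempted False because the 'vpn' object does not contain the pool whether read as the /24 the poster presumably intended or as the literal range, and the four range warnings; the same call on CORRECTED_CONFIG reports no warnings and the pool as exempted.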

OP | Posted 2016-5-28 18:07:27
The client can't ping the internal router at all.

OP | Posted 2016-5-28 20:41:31
Yes, the inside network has a default route pointing to the ASA.

OP | Posted 2016-5-28 20:42:17
I removed all the NAT from the ASA; after dialing in remotely the client still cannot reach the inside network. Very strange.

OP | Posted 2016-5-28 20:52:20
Routing table on the ASA before and after the user dials in: 5.JPG

Routing table on the client after dialing in: 6.JPG

After the user dials in, the reverse-injected route on the ASA looks wrong to me, but that route is generated automatically: even if I leave the reverse-route command out of the VPN configuration, the ASA still injects a reverse route on its own. Nothing else looks wrong, and I can't figure it out.
