Cisco ASA 5505配置Ipsec VPN,Cisco vpn客户端可以拔上来,也可以获取IP,但是无法访问内网。
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Cisco ASA 5505配置Ipsec VPN,Cisco vpn客户端可以拔上来,也可以获取IP,但是无法访问内网。相关的知识,希望对你有一定的参考价值。
下面贴上配置,
ciscoasa# show running
: Saved
ASA Version 7.2(4)
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 172.16.2.250 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 113.105.67.55 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
boot system disk0:/asa724-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.0
access-list ICMP extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool IPPool 192.168.50.1-192.168.50.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.16.2.0 255.255.255.0
route inside 172.16.11.0 255.255.255.0 172.16.2.251 1
route outside 0.0.0.0 0.0.0.0 113.105.x.x1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 172.16.2.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
group-policy ipsecvpn internal
group-policy ipsecvpn attributes
dns-server value 202.96.128.86
vpn-tunnel-protocol IPSec
username test password HI8KY4vdUEM9qUVI encrypted privilege 15
username test attributes
vpn-group-policy ipsecvpn
tunnel-group ipsecvpn type ipsec-ra
tunnel-group ipsecvpn general-attributes
address-pool IPPool
default-group-policy ipsecvpn
tunnel-group ipsecvpn ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
下面的都是一样,字数限制我就不贴出来了,请大家帮忙看看。
就是图片上显示的
下面的内容无关紧要,只是提醒
你的配置会有一个问题,客户端如果连接了VPN,就不能再直接访问INTERNET,而必须通过公司的内网。
可以在tunnel-group里使用:
split-tunnel-policy tunnelspecified
split-tunnel-network-list value
方式,就可以使客户端有可以访问Internet,有可以访问内网。 参考技术A 阿萨德 参考技术B 用的是不是模拟器啊?
Cisco ASA - Permit/Deny Traffic Domain name FQDN
refer to:https://www.fir3net.com/Firewalls/Cisco/cisco-asa-domain-fqdn-based-acls.html
dns domain-lookup outside
DNS server-group China_Telecom_SH_DNS
name-server 202.96.209.133 202.96.209.5
domain-name Oneitc.local
object network obj-i1.mallcoo.cn
fqdn i1.mallcoo.cnno access-list 200 extended permit ip object-group Reception-Desktop-with-liminatioin object-group Mallcoo-Server log
no access-list 200 extended deny ip object-group Reception-Desktop-with-liminatioin any log
no access-list 200 extended permit ip any any log
access-list 200 extended permit ip object-group Reception-Desktop-with-liminatioin object obj-i1.mallcoo.cn
access-list 200 extended permit ip object-group Reception-Desktop-with-liminatioin object-group Mallcoo-Server log
access-list 200 extended deny ip object-group Reception-Desktop-with-liminatioin any log sh access-list acl-inside
sh dns
dns expire-entry-timer minutes <minute>以上是关于Cisco ASA 5505配置Ipsec VPN,Cisco vpn客户端可以拔上来,也可以获取IP,但是无法访问内网。的主要内容,如果未能解决你的问题,请参考以下文章
cisco asa5520 和H3C SecPath做IPSEC VPN问题