
ASA 5520 Cisco VPN configuration

Easy VPN on the ASA 5520

Could someone help me with the following question.
I have a Cisco 5520 on which I am setting up Easy VPN, and everything seems fine except for one snag.
A user connects from the Internet, but cannot see the internal INSIDE network (172.26.2.0) behind the ASA, while from the internal network the VPN user (network 172.26.4.0) is reachable. What is wrong?

ASA Version 8.3(1)
!
hostname ASA02
domain-name fgup.net
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 172.26.2.254 255.255.255.0
!
interface Ethernet0/1
speed 100
duplex full
nameif outside
security-level 0
ip address xxx.xxx.151.xxx 255.255.255.240
!
interface Ethernet0/2
speed 100
duplex full
nameif dmz
security-level 50
ip address 192.168.100.11 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 172.26.1.211 255.255.255.0
management-only
!
ftp mode passive
clock timezone MSK/MSD 4
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup dmz
dns domain-lookup management
dns server-group DefaultDNS
name-server 172.26.2.6
domain-name fgup.net
same-security-traffic permit intra-interface
object network NETWORK_OBJ_172.26.2.0_24
subnet 172.26.2.0 255.255.255.0
object network NETWORK_OBJ_10.0.200.0_26
subnet 10.0.200.0 255.255.255.192
object network NETWORK_OBJ_192.168.20.0_24
subnet 192.168.20.0 255.255.255.0
object network NETWORK_OBJ_192.168.20.0_25
subnet 192.168.20.0 255.255.255.128
object network 172.26.2.111
host 172.26.2.111
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network IN2OUT
subnet 172.26.2.0 255.255.255.0
object network inside
subnet 172.26.2.0 255.255.255.0
object network VPN-USERS
subnet 172.26.4.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group icmp-type TRCEROUTE
icmp-object time-exceeded
icmp-object unreachable
icmp-object echo
icmp-object echo-reply
icmp-object source-quench
object-group network cymrubogons
network-object 0.0.0.0 255.0.0.0
network-object 5.0.0.0 255.0.0.0
network-object 14.0.0.0 255.0.0.0
network-object 23.0.0.0 255.0.0.0
network-object 31.0.0.0 255.0.0.0
network-object 36.0.0.0 255.0.0.0
network-object 37.0.0.0 255.0.0.0
network-object 39.0.0.0 255.0.0.0
network-object 42.0.0.0 255.0.0.0
network-object 49.0.0.0 255.0.0.0
network-object 50.0.0.0 255.0.0.0
network-object 100.0.0.0 255.0.0.0
network-object 101.0.0.0 255.0.0.0
network-object 102.0.0.0 255.0.0.0
network-object 103.0.0.0 255.0.0.0
network-object 104.0.0.0 255.0.0.0
network-object 105.0.0.0 255.0.0.0
network-object 106.0.0.0 255.0.0.0
network-object 107.0.0.0 255.0.0.0
network-object 127.0.0.0 255.0.0.0
network-object 169.254.0.0 255.255.0.0
network-object 176.0.0.0 255.0.0.0
network-object 177.0.0.0 255.0.0.0
network-object 179.0.0.0 255.0.0.0
network-object 181.0.0.0 255.0.0.0
network-object 185.0.0.0 255.0.0.0
network-object 192.0.2.0 255.255.255.0
network-object 198.18.0.0 255.254.0.0
network-object 198.51.100.0 255.255.255.0
network-object 203.0.113.0 255.255.255.0
network-object 223.0.0.0 255.0.0.0
network-object 224.0.0.0 224.0.0.0
access-list Manager extended permit ip 172.26.1.0 255.255.255.0 any
access-list Manager extended permit ip host 172.26.2.43 any
access-list Manager extended permit ip 172.26.2.0 255.255.255.0 any
access-list Manager extended permit ip 172.26.0.0 255.255.255.0 any
access-list Manager extended permit ip 192.168.20.0 255.255.255.0 any
access-list OUTSIDE extended deny ip object-group cymrubogons any
access-list OUTSIDE extended deny ip any object-group cymrubogons
access-list OUTSIDE extended permit icmp any any echo-reply
access-list OUTSIDE extended permit icmp any any echo
access-list OUTSIDE extended permit icmp any any object-group TRCEROUTE
access-list DMZ_in extended permit ip 192.168.100.0 255.255.255.0 any
access-list INSIDE extended permit ip 172.26.2.0 255.255.255.0 any
access-list 101 extended permit ip 172.26.2.0 255.255.255.0 172.26.4.0 255.255.255.0
access-list VPN-IN extended permit ip 172.26.4.0 255.255.255.0 any
access-list 102 extended permit ip 172.26.4.0 255.255.255.0 172.26.2.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu management 1500
ip local pool VPN-POOL 172.26.4.10-172.26.4.255 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
nat (outside,outside) source static VPN-USERS VPN-USERS
nat (outside,inside) source static VPN-USERS VPN-USERS
!
object network inside
nat (inside,outside) dynamic interface
access-group INSIDE in interface inside
access-group OUTSIDE in interface outside
access-group DMZ_in in interface dmz
route outside 0.0.0.0 0.0.0.0 xxx.xxx.151.xxx 1
route management 172.26.0.0 255.255.255.0 172.26.1.200 1
route inside 172.26.2.0 255.255.255.0 172.26.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.26.1.0 255.255.255.0 management
http 172.26.2.43 255.255.255.255 management
http 172.26.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec transform-set VPN-SET esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DMAP 65535 set transform-set VPN-SET
crypto map OUTSIDE_MAP 10 ipsec-isakmp dynamic DMAP
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 0.0.0.0 0.0.0.0 inside
telnet 172.26.1.0 255.255.255.0 management
telnet 172.26.2.43 255.255.255.255 management
telnet timeout 500
ssh 0.0.0.0 0.0.0.0 inside
ssh 172.26.1.0 255.255.255.0 management
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 50
console timeout 0
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 172.26.1.0 255.255.255.0
threat-detection scanning-threat shun except ip-address 172.26.2.0 255.255.255.0
threat-detection statistics host
threat-detection statistics port number-of-rate 3
threat-detection statistics protocol number-of-rate 3
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server xxx.xxx.151.xxx source outside
webvpn
anyconnect-essentials
group-policy VPNCLIENT internal
group-policy VPNCLIENT attributes
dns-server value 172.26.2.5 172.26.2.6
vpn-idle-timeout 90
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 101
username USER password . encrypted
username USER attributes
vpn-group-policy VPNCLIENT
vpn-tunnel-protocol IPSec
tunnel-group VPN-CLIENTS-GROUP type remote-access
tunnel-group VPN-CLIENTS-GROUP general-attributes
address-pool VPN-POOL
default-group-policy VPNCLIENT
tunnel-group VPN-CLIENTS-GROUP ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
class class-default
set connection decrement-ttl
!
service-policy global_policy global
prompt hostname context
hpm topN enable
Cryptochecksum:96f5ab6013817cfe2170975b71d72318
: end

ASA02# sh crypto isakmp sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 92.36.87.75
Type : user Role : responder
Rekey : no State : AM_ACTIVE

ASA02# sh crypto ips
ASA02# sh crypto ipsec sa
interface: outside
Crypto map tag: DMAP, seq num: 65535, local addr: xxx.xxx.151.xxx

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.26.4.10/255.255.255.255/0/0)
current_peer: 92.36.87.75, username: USER
dynamic allocated peer ip: 172.26.4.10

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 56, #pkts decrypt: 56, #pkts verify: 56
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: xxx.xxx.151.xxx/4500, remote crypto endpt.: 92.36.87.75/4500
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: 010E4A7F
current inbound spi : 71E8E068

inbound esp sas:
spi: 0x71E8E068 (1911087208)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings =
slot: 0, conn_id: 335872, crypto-map: DMAP
sa timing: remaining key lifetime (sec): 3513
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x7FFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x010E4A7F (17713791)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings =
slot: 0, conn_id: 335872, crypto-map: DMAP
sa timing: remaining key lifetime (sec): 3513
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

ASA02# sh run all | include sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp inside
no sysopt noproxyarp outside
no sysopt noproxyarp dmz
no sysopt noproxyarp management
ASA02#
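As an added example (not part of the original post and not a Cisco tool), the following Python script runs a few static checks over an excerpt of the running-config and the show output posted above, reconstructed inline: which interface ACL filters decrypted remote-access traffic when sysopt connection permit-vpn is disabled, whether that ACL contains a permit ip entry whose source covers the VPN pool, which named ACLs are defined but never applied, and whether the IPsec SA counters show one-way traffic. The ACL parser handles only any, host and explicit network/mask sources and leaves object and object-group references unresolved; the excerpt and the pool 172.26.4.0/24 are copied from the post. The output is a list of observations for a reviewer to check against the intended design, not a verdict on the poster's setup.

```python
"""Static checks over an ASA 8.3 running-config excerpt and 'show crypto ipsec sa'
counters: ACL applied where decrypted VPN traffic is filtered, pool coverage,
unreferenced ACLs, and one-way tunnel traffic."""
import ipaddress
import re

# Constructed excerpt of the running-config from the post above; only the lines
# the checks below read are kept, the rest of the config is omitted.
ASA_CONFIG = """\
interface Ethernet0/0
 nameif inside
 security-level 100
interface Ethernet0/1
 nameif outside
 security-level 0
object network VPN-USERS
 subnet 172.26.4.0 255.255.255.0
access-list OUTSIDE extended deny ip object-group cymrubogons any
access-list OUTSIDE extended deny ip any object-group cymrubogons
access-list OUTSIDE extended permit icmp any any echo-reply
access-list OUTSIDE extended permit icmp any any echo
access-list OUTSIDE extended permit icmp any any object-group TRCEROUTE
access-list INSIDE extended permit ip 172.26.2.0 255.255.255.0 any
access-list 101 extended permit ip 172.26.2.0 255.255.255.0 172.26.4.0 255.255.255.0
access-list VPN-IN extended permit ip 172.26.4.0 255.255.255.0 any
access-list 102 extended permit ip 172.26.4.0 255.255.255.0 172.26.2.0 255.255.255.0
ip local pool VPN-POOL 172.26.4.10-172.26.4.255 mask 255.255.255.0
nat (outside,outside) source static VPN-USERS VPN-USERS
nat (outside,inside) source static VPN-USERS VPN-USERS
access-group INSIDE in interface inside
access-group OUTSIDE in interface outside
access-group DMZ_in in interface dmz
no sysopt connection permit-vpn
group-policy VPNCLIENT attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 101
"""

# Constructed excerpt of the 'show crypto ipsec sa' counters from the post.
IPSEC_SA = """\
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 56, #pkts decrypt: 56, #pkts verify: 56
"""

VPN_POOL = ipaddress.ip_network("172.26.4.0/24")  # from 'ip local pool VPN-POOL'


def _parse_address(tokens):
    """Consume one ACL address spec; return (network or None, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] in ("object", "object-group"):
        return None, tokens[2:]  # named object: deliberately left unresolved
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_acls(config):
    """Return {acl_name: [(action, proto, src_net, dst_net), ...]} for extended ACEs."""
    acls = {}
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) extended (permit|deny) (\S+) (.*)", line)
        if not m:
            continue
        name, action, proto, rest = m.groups()
        src, tokens = _parse_address(rest.split())
        dst, _ = _parse_address(tokens)
        acls.setdefault(name, []).append((action, proto, src, dst))
    return acls


def applied_acls(config):
    """Return {interface: acl_name} from access-group lines."""
    return {m.group(2): m.group(1) for m in
            re.finditer(r"^access-group (\S+) in interface (\S+)", config, re.M)}


def permit_vpn_enabled(config):
    """True unless 'no sysopt connection permit-vpn' is present in the config."""
    return not re.search(r"^no sysopt connection permit-vpn", config, re.M)


def acl_permits_ip_from(entries, pool):
    """True if some 'permit ip' entry has a source network covering the whole pool."""
    return any(action == "permit" and proto == "ip" and src is not None
               and pool.subnet_of(src) for action, proto, src, _ in entries)


def unreferenced_acls(config):
    """ACL names that neither an access-group nor a split-tunnel-network-list uses."""
    used = set(applied_acls(config).values())
    used |= set(re.findall(r"split-tunnel-network-list value (\S+)", config))
    return sorted(set(parse_acls(config)) - used)


def parse_sa_counters(sa_output):
    """Return (encaps, decaps) packet counts from 'show crypto ipsec sa' output."""
    enc = int(re.search(r"#pkts encaps: (\d+)", sa_output).group(1))
    dec = int(re.search(r"#pkts decaps: (\d+)", sa_output).group(1))
    return enc, dec


def audit(config, sa_output, pool=VPN_POOL):
    """Return observations a reviewer would want to check by hand."""
    findings = []
    acls, applied = parse_acls(config), applied_acls(config)
    if not permit_vpn_enabled(config):
        # With permit-vpn disabled the ASA applies the ACL of the terminating
        # interface (outside) to decrypted remote-access traffic.
        outside_acl = applied.get("outside")
        findings.append(f"permit-vpn is off: decrypted VPN traffic is filtered by ACL "
                        f"{outside_acl!r} on interface outside")
        if outside_acl and not acl_permits_ip_from(acls.get(outside_acl, []), pool):
            findings.append(f"ACL {outside_acl!r} has no 'permit ip' entry whose "
                            f"source covers {pool}")
    for name in unreferenced_acls(config):
        findings.append(f"ACL {name!r} is defined but never applied")
    enc, dec = parse_sa_counters(sa_output)
    if dec > 0 and enc == 0:
        findings.append(f"IPsec SA: {dec} packets decapsulated, 0 encapsulated (one-way)")
    return findings


if __name__ == "__main__":
    for finding in audit(ASA_CONFIG, IPSEC_SA):
        print("-", finding)
```

The script only reads configuration text, so it can be pointed at a saved show running-config without touching the device; the only ASA behaviour it encodes is that with permit-vpn disabled the interface ACL applies to decrypted VPN traffic, which is why the check on the outside ACL is conditional on that setting.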
