The OpenNET Project / Index page

Forum: CISCO routers and other equipment (VPN, VLAN, tunnel)
Original message

"Cisco ASA 5510, VPN client does not see the internal network"
Message from Evolver (ok) on 30-Jul-13, 11:28
Hello, my problem is this: the Cisco VPN client connects to the Cisco ASA 5510, everything is fine, authentication succeeds, but the internal network is not visible at all; in particular, not a single IP address on the internal network can be pinged. The client login used to connect to the ASA is designated qqqq in the config; it is issued the IP address 192.168.220.200-2 and should be able to see (ping) the subnet 192.168.101.0. Please at least tell me where to dig; this is my first time dealing with this box and I can't figure out where the snag is... Google didn't give much of an answer either... The config is given below. Many thanks in advance :)

interface Ethernet0/0
nameif outside
security-level 0
ip address yy.yy.yy.yy 255.255.255.252

!
interface Ethernet0/2
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0

!
ftp mode passive
clock timezone YEKT 6
dns domain-lookup outside
dns domain-lookup backup
dns domain-lookup inside
dns domain-lookup vpn
dns domain-lookup management
dns server-group DefaultDNS
name-server 192.168.101.200
name-server 192.168.101.202
name-server 81.91.36.5
name-server 94.230.128.3
same-security-traffic permit inter-interface
object network unix_gate
host 10.1.1.5
object network abt_ip
host 79.172.10.246
object network inside_network
subnet 10.1.1.0 255.255.255.0
object network inside_network_backup
subnet 10.1.1.0 255.255.255.0
object service SMTP
service tcp destination eq smtp
description 25
object service SAPGW
service tcp destination eq 3299
description SAP GUI
object network NETWORK_OBJ_192.168.220.0_24
subnet 192.168.220.0 255.255.255.0
object service UCX
service tcp destination eq 11010
description Ucx Telnet Access
object network NK
host 195.58.18.116
object network NETWORK_OBJ_192.168.210.0_27
subnet 192.168.210.0 255.255.255.224
object network NETWORK_OBJ_192.168.220.100_30
subnet 192.168.220.100 255.255.255.252
object network abt_ip2
host 176.215.1.132
object network SAPROUTER
host 192.168.101.241
object service HTTP
service tcp destination eq 8800
description HTTP PORT
object service MAIL_REMOTE
service tcp destination eq www
object service http_80
service tcp destination eq www
object network NETWORK_OBJ_10.20.40.0_27
subnet 10.20.40.0 255.255.255.224
object network NETWORK_OBJ_192.168.101.0_24
subnet 192.168.101.0 255.255.255.0
object network NETWORK_OBJ_192.168.101.124_30
subnet 192.168.101.124 255.255.255.252
object-group service mail_ports
service-object tcp destination eq smtp
object-group service SAP tcp
port-object eq 3299
port-object eq ftp
port-object eq ftp-data
port-object eq 3389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service VoIP tcp-udp
port-object eq 2427
object-group service VoIP_Media tcp-udp
port-object range 16400 17000
object-group service Ucx udp
group-object VoIP
group-object VoIP_Media
port-object eq 11010
object-group service DM_INLINE_UDP_1 udp
group-object Ucx
group-object VoIP_Media
object-group network abt_ip_adress
network-object object abt_ip
network-object object abt_ip2
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object ip
object-group service 111
description 1
service-object tcp-udp destination eq www
service-object tcp-udp destination eq 8800
object-group service HTTPPORTS tcp-udp
port-object eq www
object-group service DM_INLINE_SERVICE_1
service-object object HTTP
service-object tcp destination eq smtp
access-list outside_access_in extended permit tcp any object unix_gate eq smtp
access-list outside_access_in extended permit tcp object abt_ip2 object SAPROUTER object-group SAP inactive
access-list outside_access_in extended permit tcp object abt_ip2 object unix_gate object-group SAP
access-list outside_access_in extended permit object HTTP any object unix_gate
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 host 213.219.235.44 any
access-list admin_splitTunnelAcl standard permit 192.168.101.0 255.255.255.0
access-list admin_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list admin_splitTunnelAcl standard permit 192.168.200.0 255.255.255.0
access-list admin_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list abt_splitTunnelAcl standard permit host 192.168.0.5
access-list abt_splitTunnelAcl standard permit host 192.168.101.241
access-list abt_splitTunnelAcl standard permit 192.168.220.0 255.255.255.0
access-list backup_access_in extended permit object-group DM_INLINE_SERVICE_1 any object unix_gate
access-list support_splitTunnelAcl standard permit any
access-list support_splitTunnelAcl standard permit 192.168.101.0 255.255.255.0
access-list support_splitTunnelAcl standard permit host 192.168.0.230
access-list support_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list SAP_SUPPORT standard permit 192.168.10.0 255.255.255.0
access-list SAP_SUPPORT standard permit 192.168.101.128 255.255.255.128
access-list Holland_splitTunnelAcl standard permit any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu backup 1500
mtu inside 1500
mtu vpn 1500
mtu management 1500
ip local pool AbtVPN 192.168.220.100-192.168.220.102 mask 255.255.255.0
ip local pool VpnUser 192.168.210.10-192.168.210.20 mask 255.255.255.0
ip local pool VpnPool 192.168.180.10-192.168.180.20 mask 255.255.255.0
ip local pool Support 192.168.222.100-192.168.222.102 mask 255.255.255.0
ip local pool TSys 192.168.220.150-192.168.220.160 mask 255.255.255.0
ip local pool controller 10.20.40.10-10.20.40.30 mask 255.255.255.0
ip local pool supp 192.168.101.125-192.168.101.127 mask 255.255.255.0
icmp unreachable rate-limit 3 burst-size 10
icmp permit any outside
icmp permit any backup
icmp permit any inside
icmp permit any vpn
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (outside,inside) source static any any destination static interface unix_gate service SMTP SMTP
nat (outside,inside) source static any any destination static interface unix_gate service HTTP HTTP
nat (outside,inside) source static abt_ip2 abt_ip2 destination static interface unix_gate
nat (backup,inside) source static any any destination static interface unix_gate service SMTP SMTP
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.220.0_24 NETWORK_OBJ_192.168.220.0_24
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.210.0_27 NETWORK_OBJ_192.168.210.0_27
nat (vpn,outside) source static any any destination static NETWORK_OBJ_192.168.220.100_30 NETWORK_OBJ_192.168.220.100_30
nat (inside,inside) source static any any destination static NETWORK_OBJ_192.168.220.100_30 NETWORK_OBJ_192.168.220.100_30
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.20.40.0_27 NETWORK_OBJ_10.20.40.0_27
nat (inside,outside) source static NETWORK_OBJ_192.168.101.0_24 NETWORK_OBJ_192.168.101.0_24 destination static NETWORK_OBJ_192.168.101.124_30 NETWORK_OBJ_192.168.101.124_30
nat (inside,outside) source static NETWORK_OBJ_192.168.101.0_24 NETWORK_OBJ_192.168.101.0_24 destination static NETWORK_OBJ_192.168.220.100_30 NETWORK_OBJ_192.168.220.100_30
!
object network inside_network
nat (inside,outside) dynamic interface
object network inside_network_backup
nat (inside,backup) dynamic interface
access-group outside_access_in in interface outside
access-group backup_access_in in interface backup
route outside 0.0.0.0 0.0.0.0 yy.yy.yy.yy 128
route backup 0.0.0.0 0.0.0.0 xx.xx.xx.xx 254
route vpn 192.168.0.0 255.255.255.0 192.168.190.1 1
route vpn 192.168.10.0 255.255.255.0 192.168.190.1 1
route vpn 192.168.20.0 255.255.255.0 192.168.190.1 1
route vpn 192.168.30.0 255.255.255.0 192.168.190.1 1
route vpn 192.168.40.0 255.255.255.0 192.168.190.1 1
route vpn 192.168.50.0 255.255.255.0 192.168.190.1 1
route vpn 192.168.60.0 255.255.255.0 192.168.190.1 1
route vpn 192.168.70.0 255.255.255.0 192.168.190.1 1
route vpn 192.168.80.0 255.255.255.0 192.168.190.1 1
route vpn 192.168.90.0 255.255.255.0 192.168.190.1 1
route vpn 192.168.100.0 255.255.255.0 192.168.190.1 1
route vpn 192.168.102.0 255.255.255.0 192.168.190.1 1
route vpn 192.168.110.0 255.255.255.0 192.168.190.1 1
route vpn 192.168.120.0 255.255.255.0 192.168.190.1 1
route vpn 192.168.130.0 255.255.255.0 192.168.190.1 1
route vpn 0.0.0.0 0.0.0.0 192.168.190.1 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.101.0 255.255.255.0 vpn
http 0.0.0.0 0.0.0.0 inside
http 192.168.180.0 255.255.255.0 outside
http 192.168.101.245 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 1
type echo protocol ipIcmpEcho yy.yy.yy.yy interface outside
num-packets 3
frequency 10
sla monitor schedule 1 life forever start-time now
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint mail
crl configure
crypto ca server
shutdown
smtp from-address admin@ASA.null
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
!
track 1 rtr 1 reachability
telnet 192.168.180.0 255.255.255.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
management-access management
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.101.0 source vpn
ntp server 188.44.48.130
webvpn
svc enable
tunnel-group-list enable
internal-password enable
group-policy test internal
group-policy test attributes
vpn-tunnel-protocol IPSec
group-policy DfltGrpPolicy attributes
dns-server value 192.168.101.200
vpn-tunnel-protocol IPSec svc webvpn
password-storage enable
re-xauth enable
ipsec-udp enable
group-policy abt internal
group-policy abt attributes
wins-server value 192.168.101.200
dns-server value 192.168.101.200 192.168.101.202
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value abt_splitTunnelAcl
group-policy sap internal
group-policy sap attributes
dns-server value 192.168.101.200
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SAP_SUPPORT
group-policy admin internal
group-policy admin attributes
wins-server value 192.168.101.200
dns-server value 192.168.101.200 192.168.101.202
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy ttt internal
group-policy ttt attributes
dns-server value 192.168.101.200
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy support internal
group-policy support attributes
dns-server value 192.168.101.200 192.168.101.202
vpn-tunnel-protocol IPSec svc
split-tunnel-policy excludespecified
split-tunnel-network-list value support_splitTunnelAcl
group-policy vpnw internal
group-policy vpnw attributes
dns-server value 192.168.101.200 192.168.101.202
vpn-tunnel-protocol l2tp-ipsec
group-policy Holland internal
group-policy Holland attributes
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Holland_splitTunnelAcl
default-domain value xxx
username yyy password xxx privilege 15
username yyy attributes
vpn-group-policy support
service-type remote-access
username yyy password xxx privilege 0
username yyy attributes
vpn-group-policy support
service-type remote-access
username yyy password xxx privilege 0
username yyy attributes
vpn-group-policy support
service-type remote-access
username yyy password xxx privilege 0
username yyy attributes
vpn-group-policy Holland
service-type remote-access
username qqqq password xxx privilege 15
username qqqq attributes
vpn-group-policy support
service-type remote-access
username yyy password xxx privilege 0
username yyy attributes
vpn-group-policy support
service-type remote-access
username yyy password xxx privilege 0
username yyy attributes
vpn-group-policy support
service-type remote-access
username yyy password xxx privilege 0
username yyy attributes
vpn-group-policy support
service-type remote-access
username yyy password xxx privilege 0
username yyy attributes
vpn-group-policy support
service-type remote-access
username yyy password xxx privilege 0
username yyy attributes
vpn-group-policy support
service-type remote-access
username yyy password xxx privilege 0
username yyy attributes
vpn-group-policy support
service-type remote-access
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group admin type remote-access
tunnel-group admin general-attributes
address-pool AbtVPN
default-group-policy admin
tunnel-group admin ipsec-attributes
pre-shared-key *****
tunnel-group support type remote-access
tunnel-group support general-attributes
address-pool AbtVPN
default-group-policy support
tunnel-group support ipsec-attributes
pre-shared-key *****
tunnel-group sap type remote-access
tunnel-group sap general-attributes
address-pool TSys
default-group-policy sap
tunnel-group sap ipsec-attributes
pre-shared-key *****
tunnel-group ttt type remote-access
tunnel-group ttt general-attributes
address-pool AbtVPN
default-group-policy ttt
tunnel-group ttt ipsec-attributes
pre-shared-key *****
tunnel-group Holland type remote-access
tunnel-group Holland general-attributes
address-pool controller
default-group-policy Holland
tunnel-group Holland ipsec-attributes
pre-shared-key *****
tunnel-group test type remote-access
tunnel-group test general-attributes
address-pool AbtVPN
default-group-policy test
tunnel-group test ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
  inspect ipsec-pass-thru
  inspect pptp
  inspect ftp strict
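
As an added check (not part of the thread), a small Python tracer that follows a username through the pasted config to its group policy and split-tunnel ACL and reports whether a given destination subnet would enter the tunnel under the split-tunnel semantics modelled here (tunnelspecified, excludespecified, tunnelall); the config lines are copied from the post above, the user "demo" is constructed to exercise the tunnelspecified branch.

```python
import ipaddress
# Config lines copied from the question (trimmed to what the trace needs); the "demo" user is
# constructed for the tunnelspecified branch. The paste lost indentation, so each sub-command
# is attributed to the last "attributes" header seen.
ASA_CONFIG = """\
access-list abt_splitTunnelAcl standard permit host 192.168.101.241
access-list support_splitTunnelAcl standard permit any
access-list support_splitTunnelAcl standard permit 192.168.101.0 255.255.255.0
group-policy abt attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value abt_splitTunnelAcl
group-policy support attributes
split-tunnel-policy excludespecified
split-tunnel-network-list value support_splitTunnelAcl
username qqqq attributes
vpn-group-policy support
username demo attributes
vpn-group-policy abt
"""

def parse(config):
    # Returns standard ACLs, split-tunnel settings per group policy, and group policy per user.
    acls, policies, users, ctx = {}, {}, {}, None
    for w in (line.split() for line in config.splitlines() if line.strip()):
        if w[0] == "access-list" and w[2] == "standard":
            net = "any" if w[4] == "any" else (w[5] + "/32" if w[4] == "host" else w[4] + "/" + w[5])
            acls.setdefault(w[1], []).append((w[3], net))
        elif w[0] in ("username", "group-policy") and w[-1] == "attributes":
            ctx = w[1]
            if w[0] == "group-policy":
                policies[ctx] = {}
        elif w[0] == "vpn-group-policy":
            users[ctx] = w[1]
        elif w[0] in ("split-tunnel-policy", "split-tunnel-network-list"):
            policies[ctx][w[0]] = w[-1]
    return acls, policies, users

def trace(config, user, dest):
    """Follow user -> group policy -> split-tunnel ACL and report whether dest enters the tunnel."""
    acls, policies, users = parse(config)
    pol = policies[users[user]]
    mode = pol.get("split-tunnel-policy", "tunnelall")  # ASA default when no split policy is set
    target, hit = ipaddress.ip_network(dest), None
    for action, net in acls.get(pol.get("split-tunnel-network-list"), []):  # first match wins
        if net == "any" or target.subnet_of(ipaddress.ip_network(net)):
            hit = net if action == "permit" else None
            break
    # tunnelspecified: only matched networks enter; excludespecified: matched bypass, rest enter.
    tunneled = {"tunnelspecified": hit is not None, "excludespecified": hit is None}.get(mode, True)
    return {"policy": users[user], "mode": mode, "first_match": hit, "tunneled": tunneled}
```

Whether traffic actually reaches 192.168.101.0/24 also depends on routing toward that subnet and on a NAT exemption between the client pool and it, which this tracer does not examine.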

Messages on this topic


1. "Cisco ASA 5510, VPN client does not see the internal network"  +1
Message from Evolver (ok) on 01-Aug-13, 09:39
Can nobody really suggest anything? :(

2. "Cisco ASA 5510, VPN client does not see the internal network"
Message from Случайный прохожий on 20-Aug-13, 12:46
> Can nobody really suggest anything? :(

http://diflyon.livejournal.com/11905.html


3. "Cisco ASA 5510, VPN client does not see the internal network"
Message from crash (ok) on 21-Aug-13, 07:41
> Can nobody really suggest anything? :(

Are you sure you need a crypto map on both inside and outside?
