Hello, here is my problem: the Cisco VPN client connects to a Cisco ASA 5510 and everything looks fine, authentication succeeds, but the internal network is not visible at all; in particular, not a single IP address on the internal network responds to ping. The client login used to connect to the ASA is shown as qqqq in the config; it is assigned the IP address 192.168.220.200-2 and should be able to see (ping) the 192.168.101.0 subnet. Please point me at least to where to dig; this is my first time dealing with this box and I can't figure out where it gets stuck... Google didn't give much of an answer either... The config is below. Many thanks in advance :)

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address yy.yy.yy.yy 255.255.255.252
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
ftp mode passive
clock timezone YEKT 6
dns domain-lookup outside
dns domain-lookup backup
dns domain-lookup inside
dns domain-lookup vpn
dns domain-lookup management
dns server-group DefaultDNS
 name-server 192.168.101.200
 name-server 192.168.101.202
 name-server 81.91.36.5
 name-server 94.230.128.3
same-security-traffic permit inter-interface
object network unix_gate
 host 10.1.1.5
object network abt_ip
 host 79.172.10.246
object network inside_network
 subnet 10.1.1.0 255.255.255.0
object network inside_network_backup
 subnet 10.1.1.0 255.255.255.0
object service SMTP
 service tcp destination eq smtp
 description 25
object service SAPGW
 service tcp destination eq 3299
 description SAP GUI
object network NETWORK_OBJ_192.168.220.0_24
 subnet 192.168.220.0 255.255.255.0
object service UCX
 service tcp destination eq 11010
 description Ucx Telnet Access
object network NK
 host 195.58.18.116
object network NETWORK_OBJ_192.168.210.0_27
 subnet 192.168.210.0 255.255.255.224
object network NETWORK_OBJ_192.168.220.100_30
 subnet 192.168.220.100 255.255.255.252
object network abt_ip2
 host 176.215.1.132
object network SAPROUTER
 host 192.168.101.241
object service HTTP
 service tcp destination eq 8800
 description HTTP PORT
object service MAIL_REMOTE
 service tcp destination eq www
object service http_80
 service tcp destination eq www
object network NETWORK_OBJ_10.20.40.0_27
 subnet 10.20.40.0 255.255.255.224
object network NETWORK_OBJ_192.168.101.0_24
 subnet 192.168.101.0 255.255.255.0
object network NETWORK_OBJ_192.168.101.124_30
 subnet 192.168.101.124 255.255.255.252
object-group service mail_ports
 service-object tcp destination eq smtp
object-group service SAP tcp
 port-object eq 3299
 port-object eq ftp
 port-object eq ftp-data
 port-object eq 3389
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service VoIP tcp-udp
 port-object eq 2427
object-group service VoIP_Media tcp-udp
 port-object range 16400 17000
object-group service Ucx udp
 group-object VoIP
 group-object VoIP_Media
 port-object eq 11010
object-group service DM_INLINE_UDP_1 udp
 group-object Ucx
 group-object VoIP_Media
object-group network abt_ip_adress
 network-object object abt_ip
 network-object object abt_ip2
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object udp
 protocol-object ip
object-group service 111
 description 1
 service-object tcp-udp destination eq www
 service-object tcp-udp destination eq 8800
object-group service HTTPPORTS tcp-udp
 port-object eq www
object-group service DM_INLINE_SERVICE_1
 service-object object HTTP
 service-object tcp destination eq smtp
access-list outside_access_in extended permit tcp any object unix_gate eq smtp
access-list outside_access_in extended permit tcp object abt_ip2 object SAPROUTER object-group SAP inactive
access-list outside_access_in extended permit tcp object abt_ip2 object unix_gate object-group SAP
access-list outside_access_in extended permit object HTTP any object unix_gate
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 host 213.219.235.44 any
access-list admin_splitTunnelAcl standard permit 192.168.101.0 255.255.255.0
access-list admin_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list admin_splitTunnelAcl standard permit 192.168.200.0 255.255.255.0
access-list admin_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list abt_splitTunnelAcl standard permit host 192.168.0.5
access-list abt_splitTunnelAcl standard permit host 192.168.101.241
access-list abt_splitTunnelAcl standard permit 192.168.220.0 255.255.255.0
access-list backup_access_in extended permit object-group DM_INLINE_SERVICE_1 any object unix_gate
access-list support_splitTunnelAcl standard permit any
access-list support_splitTunnelAcl standard permit 192.168.101.0 255.255.255.0
access-list support_splitTunnelAcl standard permit host 192.168.0.230
access-list support_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list SAP_SUPPORT standard permit 192.168.10.0 255.255.255.0
access-list SAP_SUPPORT standard permit 192.168.101.128 255.255.255.128
access-list Holland_splitTunnelAcl standard permit any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu backup 1500
mtu inside 1500
mtu vpn 1500
mtu management 1500
ip local pool AbtVPN 192.168.220.100-192.168.220.102 mask 255.255.255.0
ip local pool VpnUser 192.168.210.10-192.168.210.20 mask 255.255.255.0
ip local pool VpnPool 192.168.180.10-192.168.180.20 mask 255.255.255.0
ip local pool Support 192.168.222.100-192.168.222.102 mask 255.255.255.0
ip local pool TSys 192.168.220.150-192.168.220.160 mask 255.255.255.0
ip local pool controller 10.20.40.10-10.20.40.30 mask 255.255.255.0
ip local pool supp 192.168.101.125-192.168.101.127 mask 255.255.255.0
icmp unreachable rate-limit 3 burst-size 10
icmp permit any outside
icmp permit any backup
icmp permit any inside
icmp permit any vpn
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (outside,inside) source static any any destination static interface unix_gate service SMTP SMTP
nat (outside,inside) source static any any destination static interface unix_gate service HTTP HTTP
nat (outside,inside) source static abt_ip2 abt_ip2 destination static interface unix_gate
nat (backup,inside) source static any any destination static interface unix_gate service SMTP SMTP
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.220.0_24 NETWORK_OBJ_192.168.220.0_24
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.210.0_27 NETWORK_OBJ_192.168.210.0_27
nat (vpn,outside) source static any any destination static NETWORK_OBJ_192.168.220.100_30 NETWORK_OBJ_192.168.220.100_30
nat (inside,inside) source static any any destination static NETWORK_OBJ_192.168.220.100_30 NETWORK_OBJ_192.168.220.100_30
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.20.40.0_27 NETWORK_OBJ_10.20.40.0_27
nat (inside,outside) source static NETWORK_OBJ_192.168.101.0_24 NETWORK_OBJ_192.168.101.0_24 destination static NETWORK_OBJ_192.168.101.124_30 NETWORK_OBJ_192.168.101.124_30
nat (inside,outside) source static NETWORK_OBJ_192.168.101.0_24 NETWORK_OBJ_192.168.101.0_24 destination static NETWORK_OBJ_192.168.220.100_30 NETWORK_OBJ_192.168.220.100_30
!
object network inside_network
 nat (inside,outside) dynamic interface
object network inside_network_backup
 nat (inside,backup) dynamic interface
access-group outside_access_in in interface outside
access-group backup_access_in in interface backup
route outside 0.0.0.0 0.0.0.0 yy.yy.yy.yy 128
route backup 0.0.0.0 0.0.0.0 xx.xx.xx.xx 254
route vpn 192.168.0.0 255.255.255.0 192.168.190.1 1
route vpn 192.168.10.0 255.255.255.0 192.168.190.1 1
route vpn 192.168.20.0 255.255.255.0 192.168.190.1 1
route vpn 192.168.30.0 255.255.255.0 192.168.190.1 1
route vpn 192.168.40.0 255.255.255.0 192.168.190.1 1
route vpn 192.168.50.0 255.255.255.0 192.168.190.1 1
route vpn 192.168.60.0 255.255.255.0 192.168.190.1 1
route vpn 192.168.70.0 255.255.255.0 192.168.190.1 1
route vpn 192.168.80.0 255.255.255.0 192.168.190.1 1
route vpn 192.168.90.0 255.255.255.0 192.168.190.1 1
route vpn 192.168.100.0 255.255.255.0 192.168.190.1 1
route vpn 192.168.102.0 255.255.255.0 192.168.190.1 1
route vpn 192.168.110.0 255.255.255.0 192.168.190.1 1
route vpn 192.168.120.0 255.255.255.0 192.168.190.1 1
route vpn 192.168.130.0 255.255.255.0 192.168.190.1 1
route vpn 0.0.0.0 0.0.0.0 192.168.190.1 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.101.0 255.255.255.0 vpn
http 0.0.0.0 0.0.0.0 inside
http 192.168.180.0 255.255.255.0 outside
http 192.168.101.245 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 1
 type echo protocol ipIcmpEcho yy.yy.yy.yy interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint mail
 crl configure
crypto ca server
 shutdown
 smtp from-address admin@ASA.null
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
!
track 1 rtr 1 reachability
telnet 192.168.180.0 255.255.255.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
management-access management
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.101.0 source vpn
ntp server 188.44.48.130
webvpn
 svc enable
 tunnel-group-list enable
 internal-password enable
group-policy test internal
group-policy test attributes
 vpn-tunnel-protocol IPSec
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.101.200
 vpn-tunnel-protocol IPSec svc webvpn
 password-storage enable
 re-xauth enable
 ipsec-udp enable
group-policy abt internal
group-policy abt attributes
 wins-server value 192.168.101.200
 dns-server value 192.168.101.200 192.168.101.202
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value abt_splitTunnelAcl
group-policy sap internal
group-policy sap attributes
 dns-server value 192.168.101.200
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SAP_SUPPORT
group-policy admin internal
group-policy admin attributes
 wins-server value 192.168.101.200
 dns-server value 192.168.101.200 192.168.101.202
 vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy ttt internal
group-policy ttt attributes
 dns-server value 192.168.101.200
 vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy support internal
group-policy support attributes
 dns-server value 192.168.101.200 192.168.101.202
 vpn-tunnel-protocol IPSec svc
 split-tunnel-policy excludespecified
 split-tunnel-network-list value support_splitTunnelAcl
group-policy vpnw internal
group-policy vpnw attributes
 dns-server value 192.168.101.200 192.168.101.202
 vpn-tunnel-protocol l2tp-ipsec
group-policy Holland internal
group-policy Holland attributes
 vpn-tunnel-protocol IPSec svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Holland_splitTunnelAcl
 default-domain value xxx
username yyy password xxx privilege 15
username yyy attributes
 vpn-group-policy support
 service-type remote-access
username yyy password xxx privilege 0
username yyy attributes
 vpn-group-policy support
 service-type remote-access
username yyy password xxx privilege 0
username yyy attributes
 vpn-group-policy support
 service-type remote-access
username yyy password xxx privilege 0
username yyy attributes
 vpn-group-policy Holland
 service-type remote-access
username qqqq password xxx privilege 15
username qqqq attributes
 vpn-group-policy support
 service-type remote-access
username yyy password xxx privilege 0
username yyy attributes
 vpn-group-policy support
 service-type remote-access
username yyy password xxx privilege 0
username yyy attributes
 vpn-group-policy support
 service-type remote-access
username yyy password xxx privilege 0
username yyy attributes
 vpn-group-policy support
 service-type remote-access
username yyy password xxx privilege 0
username yyy attributes
 vpn-group-policy support
 service-type remote-access
username yyy password xxx privilege 0
username yyy attributes
 vpn-group-policy support
 service-type remote-access
username yyy password xxx privilege 0
username yyy attributes
 vpn-group-policy support
 service-type remote-access
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group admin type remote-access
tunnel-group admin general-attributes
 address-pool AbtVPN
 default-group-policy admin
tunnel-group admin ipsec-attributes
 pre-shared-key *****
tunnel-group support type remote-access
tunnel-group support general-attributes
 address-pool AbtVPN
 default-group-policy support
tunnel-group support ipsec-attributes
 pre-shared-key *****
tunnel-group sap type remote-access
tunnel-group sap general-attributes
 address-pool TSys
 default-group-policy sap
tunnel-group sap ipsec-attributes
 pre-shared-key *****
tunnel-group ttt type remote-access
tunnel-group ttt general-attributes
 address-pool AbtVPN
 default-group-policy ttt
tunnel-group ttt ipsec-attributes
 pre-shared-key *****
tunnel-group Holland type remote-access
tunnel-group Holland general-attributes
 address-pool controller
 default-group-policy Holland
tunnel-group Holland ipsec-attributes
 pre-shared-key *****
tunnel-group test type remote-access
tunnel-group test general-attributes
 address-pool AbtVPN
 default-group-policy test
tunnel-group test ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
  inspect ipsec-pass-thru
  inspect pptp
  inspect ftp strict