1. asa remote vpn: the client can access the fw inside but cannot access the dmz?
[Poster: Newcomer (初涉江湖), member level 2, 14 posts, regular member, registered 2008/04/30]
Topology
------(inside 172.26.113.254) fw (outside 134.25.36.210) ------------------- internet (vpn client) 192.192.0.1-192.192.0.10
                            |
                            dmz 192.168.10.1
Configuration as follows:
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password /qHSZGbfP8NVXgMT encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 134.25.36.210 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.26.113.254 255.255.255.0
!
interface GigabitEthernet0/2
 nameif log
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd jiBmYmhNPhVlOePZ encrypted
ftp mode passive
clock timezone CHINA 8
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 202.96.128.86
 name-server 202.96.128.166
 domain-name default.domain.invalid
access-list 100 extended permit icmp any any
access-list outside1 extended permit ip any any
access-list ciscoasa_splitTunnelAcl standard permit 172.26.113.0 255.255.255.0
access-list ciscoasa_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list log_nat0_outbound extended permit ip 172.26.113.0 255.255.255.0 192.192.0.0 255.255.255.240
access-list log_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.192.0.0 255.255.255.240
pager lines 24
logging enable
logging timestamp
logging buffered informational
logging trap warnings
logging asdm informational
logging host log 206.182.240.240
mtu outside 1500
mtu inside 1500
mtu log 1500
ip local pool netpool 192.192.0.1-192.192.0.10
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522match.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 134.25.36.211-134.25.36.213 netmask 255.255.255.248
nat (inside) 1 access-list outside1
nat (log) 0 access-list log_nat0_outbound
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 121.13.219.209 1
route inside 172.26.112.0 255.255.255.0 172.26.113.253 1
route inside 206.182.240.0 255.255.255.0 172.26.113.253 1
route inside 172.26.114.0 255.255.255.0 172.26.113.253 1
route inside 172.26.115.0 255.255.255.0 172.26.113.253 1
route inside 172.26.118.0 255.255.255.0 172.26.113.253 1
route inside 172.26.120.0 255.255.255.0 172.26.113.253 1
route log 206.182.240.240 255.255.255.255 192.168.10.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy ciscoasa internal
group-policy ciscoasa attributes
 dns-server value 206.182.240.252
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ciscoasa_splitTunnelAcl
username wenchao password 6dA/fAJNZWAM/uMA encrypted
username admin password AT8n33hxM.7CQP.B encrypted
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
aaa local authentication attempts max-fail 3
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group ciscoasa type ipsec-ra
tunnel-group ciscoasa general-attributes
 address-pool netpool
 default-group-policy ciscoasa
tunnel-group ciscoasa ipsec-attributes
 pre-shared-key *
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
ssl encryption des-sha1 rc4-md5
prompt hostname context
Cryptochecksum:a4f8803c9b4541eb0c71e3a7aa45eec9
: end
Could the experts here take a look and tell me whether any configuration is still missing? For example, something like rri?
2. Re: asa remote vpn: the client can access the fw inside but cannot access the dmz?...
[Poster: Renowned (名动江湖), member level 15, 276 posts, intermediate member, registered 2005/01/5]
You are missing one line: nat (inside) 0 access-list log_nat0_outbound

Tomorrow Is Another Day
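Editor's added example (not part of the original thread, and not the poster's own commands): the line reply #2 names, applied against the posted configuration, followed by the checks to confirm on the box that DMZ traffic is actually being exempted from NAT and carried in the tunnel. The ACL log_nat0_outbound already lists both 172.26.113.0/24 and 192.168.10.0/24 as sources towards the client pool 192.192.0.0/28, so the same ACL can be bound to inside. In the posted config the DMZ interface is the one named "log". The host addresses 192.168.10.10 and 192.192.0.1 used in the verification commands are assumed sample values; packet-tracer is assumed available since it was introduced with 7.2.

```cisco
ciscoasa# configure terminal
! Already present in the posted config: exemption on the DMZ interface ("log").
ciscoasa(config)# nat (log) 0 access-list log_nat0_outbound
! Line reply #2 says is missing: bind the same exemption ACL to inside, so
! inside <-> 192.192.0.0/28 traffic is exempted before "nat (inside) 1" and the
! global pool 134.25.36.211-213 can be applied to it.
ciscoasa(config)# nat (inside) 0 access-list log_nat0_outbound
ciscoasa(config)# end
ciscoasa# write memory

! --- verification (192.168.10.10 and 192.192.0.1 are assumed sample hosts) ---
! 1. Hit counters on the exemption ACL should rise while a connected client
!    talks to a DMZ host; a hitcnt stuck at 0 on the 192.168.10.0 line means
!    that traffic never reaches the NAT-exempt lookup.
ciscoasa# show access-list log_nat0_outbound
! 2. Trace a DMZ host replying to a VPN client (the direction in which nat 0 is
!    evaluated). The NAT phase should report the exemption, not a translation
!    from the outside global pool, and the final result should be ALLOW.
ciscoasa# packet-tracer input log tcp 192.168.10.10 80 192.192.0.1 1025 detailed
! 3. With split tunnelling via ciscoasa_splitTunnelAcl, the client's IPsec SA
!    must carry 192.168.10.0/24 as a local identity. If only 172.26.113.0/24
!    appears, the client is not sending DMZ-bound packets into the tunnel at all.
ciscoasa# show crypto ipsec sa
! 4. No xlate to 134.25.36.211-213 should exist for pool addresses.
ciscoasa# show xlate | include 192.192.0
```

Note that interface ACL 100 (icmp any any) does not need entries for the client pool: on ASA 7.x the default `sysopt connection permit-vpn`, which is not shown in the running-config, lets decrypted VPN-client traffic bypass the outside interface ACL, so the inside/DMZ reachability question here is purely one of NAT exemption and of which networks the split-tunnel list pushes to the client.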
3. Re: asa remote vpn: the client can access the fw inside but cannot access the dmz?...
[Poster: Newcomer (初涉江湖), member level 2, 14 posts, regular member, registered 2008/04/30]
Thanks for the answer above, that should be correct.
4. Re: asa remote vpn: the client can access the fw inside but cannot access the dmz?...
[Poster: Novice (新手上路), member level 1, 6 posts, regular member, registered 2008/05/21]
Oh, so that is how it works. Now I know too.