Views: 229 | Replies: 5

ASA5520 remote-access IPsec VPN: clients get an address but cannot ping any host on the internal network

    Posted 2012-2-4 20:18:07:
    ASA Version 8.0(4)
    !
    hostname ciscoasa
    domain-name ssh.com
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd RLPMUQ26KL4blgFN encrypted
    names
    !
    interface GigabitEthernet0/0
    nameif outside
    security-level 0
    ip address 1.1.1.1 255.255.255.128
    !
    interface GigabitEthernet0/1
    nameif inside
    security-level 100
    ip address 192.168.100.1 255.255.255.0
    !
    interface GigabitEthernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !            
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    nameif web
    security-level 0
    ip address 192.168.101.1 255.255.255.0
    management-only
    !
    ftp mode passive
    dns server-group DefaultDNS
    domain-name ssh.com
    access-list vpn extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.240
    access-list no_nat extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.240
    access-list no_nat extended deny ip 192.168.100.0 255.255.255.0 any
    access-list vpnsplit standard permit 192.168.100.0 255.255.255.0
    access-list 101 extended permit icmp any any
    access-list 101 extended permit tcp any host 192.168.100.231 eq 8008
    access-list 101 extended permit ip any any
    access-list 102 extended permit icmp any any
    access-list 102 extended permit ip any any
    access-list oa extended permit tcp any eq 8008 host 1.1.1.1
    access-list outside_permit extended permit tcp any interface outside eq 8008
    access-list outside_permit extended permit tcp any interface outside eq 3338
    access-list outside_permit extended permit tcp any interface outside eq 3339
    access-list outside_permit extended permit tcp any interface outside eq 8090
    access-list outside_permit extended permit tcp any interface outside eq 9080
    access-list outside_permit extended permit tcp any interface outside eq ftp
    access-list outside_permit extended permit icmp any any
    pager lines 24
    logging enable
    mtu outside 1500
    mtu inside 1500
    mtu web 1500
    ip local pool vpnpool 192.168.0.1-192.168.15.250 mask 255.255.240.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    asdm image disk0:/asdm-602.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list no_nat
    nat (inside) 2 192.168.100.231 255.255.255.255
    nat (inside) 1 192.168.100.0 255.255.255.0
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface 8008 192.168.100.231 8008 netmask 255.255.255.255
    static (inside,outside) tcp interface 3338 192.168.100.231 3338 netmask 255.255.255.255
    static (inside,outside) tcp interface 3339 192.168.100.101 3339 netmask 255.255.255.255
    static (inside,outside) tcp interface 8090 192.168.100.101 8090 netmask 255.255.255.255
    static (inside,outside) tcp interface 9080 192.168.100.210 9080 netmask 255.255.255.255
    static (inside,outside) tcp interface ftp 192.168.100.245 ftp netmask 255.255.255.255
    access-group outside_permit in interface outside
    access-group 102 in interface inside
    route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.101.0 255.255.255.0 web
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
    crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map dymap 10 set transform-set vpnset
    crypto dynamic-map dymap 10 set security-association lifetime seconds 28800
    crypto dynamic-map dymap 10 set security-association lifetime kilobytes 4608000
    crypto dynamic-map dymap 10 set reverse-route
    crypto map vpnmap 10 set security-association lifetime seconds 28800
    crypto map vpnmap 10 set security-association lifetime kilobytes 4608000
    crypto map outsidemap 1 set security-association lifetime seconds 28800
    crypto map outsidemap 1 set security-association lifetime kilobytes 4608000
    crypto map vpn_map 10 ipsec-isakmp dynamic dymap
    crypto map vpn_map interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime none
    crypto isakmp nat-traversal 10
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 60
    ssh version 2
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    group-policy vpnclient internal
    group-policy vpnclient attributes
    vpn-idle-timeout none
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpnsplit
    username test password k83iXWPan0Gg1s04 encrypted
    username admin password .u6poIMcG40uk0WA encrypted privilege 15
    tunnel-group DefaultL2LGroup ipsec-attributes
    isakmp keepalive threshold 20 retry 2
    tunnel-group DefaultRAGroup ipsec-attributes
    isakmp keepalive threshold 20 retry 2
    tunnel-group DefaultWEBVPNGroup ipsec-attributes
    isakmp keepalive threshold 20 retry 2
    tunnel-group vpnclient type remote-access
    tunnel-group vpnclient general-attributes
    address-pool vpnpool
    authentication-server-group (outside) LOCAL
    default-group-policy vpnclient
    tunnel-group vpnclient ipsec-attributes
    pre-shared-key *
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny  
      inspect sunrpc
      inspect xdmcp
      inspect sip  
      inspect netbios
      inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:d43483e08c93169e11bcf0db59aa2553
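    An added check (not part of the original post or any reply) that reads the nat-exempt ACL and the VPN address pool from the configuration above and reports how many client addresses the inside network can reach without being translated. The function name nat_exempt_gaps and the assumption that the inside network is 192.168.100.0/24 are mine; it also handles the "host" and "any" address forms that appear elsewhere in the posted config.

```python
import ipaddress

# Constructed excerpt: the NAT-exemption and address-pool lines copied from the config posted above.
ASA_CONFIG = """\
access-list no_nat extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.240
access-list no_nat extended deny ip 192.168.100.0 255.255.255.0 any
ip local pool vpnpool 192.168.0.1-192.168.15.250 mask 255.255.240.0
nat (inside) 0 access-list no_nat
"""

def take_addr(tokens):  # consume one ASA address spec: 'any' | 'host A' | 'A MASK'
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network((tok, tokens.pop(0)), strict=False)

def parse_config(cfg):  # -> (pool, name of the ACL bound by 'nat (inside) 0', {acl: [ACEs]})
    pool, nat0_acl, aces = None, None, {}
    for raw in cfg.splitlines():
        t = raw.split()
        if t[:3] == ["ip", "local", "pool"]:
            first, last = t[4].split("-")
            pool = (t[3], ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif t[:1] == ["access-list"] and t[2:3] == ["extended"] and t[4:5] == ["ip"]:
            rest = t[5:]  # action, then source spec, then destination spec
            aces.setdefault(t[1], []).append((t[3], take_addr(rest), take_addr(rest)))
        elif t[:4] == ["nat", "(inside)", "0", "access-list"]:
            nat0_acl = t[4]
    return pool, nat0_acl, aces

def nat_exempt_gaps(cfg, inside_net="192.168.100.0/24"):
    """Return (pool_name, pool_size, exempt_count, first_client_address_not_exempt)."""
    (name, first, last), acl, aces = parse_config(cfg)
    inside = ipaddress.ip_network(inside_net)
    exempt, first_gap = 0, None
    for n in range(int(first), int(last) + 1):
        client = ipaddress.ip_address(n)
        verdict = "deny"  # no matching ACE means not exempt, same as an explicit deny
        for action, src, dst in aces.get(acl, []):  # ASA evaluates ACEs top-down, first match wins
            if inside.subnet_of(src) and client in dst:
                verdict = action
                break
        if verdict == "permit":
            exempt += 1
        elif first_gap is None:
            first_gap = str(client)  # this client falls through to the dynamic PAT rules
    return name, int(last) - int(first) + 1, exempt, first_gap
```

    On the posted config only 192.168.0.1-192.168.0.15 of the 4090 pool addresses are exempt, because the no_nat ACL uses a /28 destination while vpnpool is a /20. Every other client falls through to the nat (inside) 1 rules, so replies from inside hosts are translated to the outside interface address and never reach the tunnel.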






    Posted 2012-2-5 00:19:56:
    access-list no_nat extended deny ip 192.168.100.0 255.255.255.0 any
    I suggest removing this line and trying again.


    Posted 2012-2-5 02:22:39:
    The interesting traffic is not defined correctly.


    Posted 2012-2-5 10:44:03:
    You haven't configured split tunneling, have you?



    Posted 2012-3-20 23:13:47:
    Check whether your remote router has a route to the internal network. Also, you cannot ping the internal network directly from the remote router; you must specify the remote internal network's address as the source.

