This post was last edited by XUEHAIWUYA1 on 2018-8-30 05:30.
After finishing the headquarters VPN configuration, remote clients can dial in to headquarters, but they cannot access the headquarters internal network: they can only ping the headquarters gateway, not any internal address. The internal network is the 1.0 subnet and the VPN address pool is the 2.0 subnet.
ip local pool vpn 192.10.2.100-192.10.2.200 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 4
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Vlan1
nameif inside
security-level 100
ip address 192.10.1.1 255.255.255.0   (internal network address)
!
interface Vlan4
nameif outside
security-level 0
ip address x.x.x.x x.x.x.x   (external gateway)
!
interface Vlan5
no nameif
security-level 100
no ip address
!
ftp mode passive
clock timezone CST 8
object network in
subnet 192.10.1.0 255.255.255.0
access-list 102 extended permit ip any any
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network in
nat (inside,outside) dynamic interface
access-group 200 in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.10 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable 500
http 192.10.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=10.10.10.10,O=XXXX,C=CN
crl configure
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.10.1.0 255.255.255.0 inside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 61.134.1.4 218.30.19.40
!
dhcpd address 192.10.1.100-192.10.1.250 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.1.05187-k9.pkg 1
anyconnect enable
group-policy anyconnect internal
group-policy anyconnect attributes
vpn-tunnel-protocol ssl-client ssl-clientless
address-pools value vpn
username admin password f3UhLvUj1QsXsuK7 encrypted privilege 15
username YYYYY password 3QaE0K2Bfwsb.fdh encrypted
username YYYYY attributes
vpn-group-policy anyconnect
username XXXXX password JlHRhsYnAnFL80q8 encrypted
username XXXXX attributes
vpn-group-policy anyconnect
username XXXX password 1x7at4eaNk.TMe2m encrypted privilege 15
tunnel-group SSLPRO type remote-access
tunnel-group SSLPRO general-attributes
address-pool vpn
default-group-policy anyconnect
tunnel-group SSLPRO webvpn-attributes
group-alias SSLPRO enable
!
class-map inspection_default
match default-inspection-traffic
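As an added example (not part of the original post), the script below audits the pasted config for the things a reviewer would check first: on ASA 8.3+ the traffic between inside and the VPN pool needs an identity (twice) NAT rule so replies are not swallowed by the dynamic PAT to outside, which is a likely cause of the "gateway pings, hosts do not" symptom; it also flags the `access-group 200` that references no defined access-list, and the management exposure and legacy SSH key exchange visible in the config. The config excerpt is constructed from the post, and the finding codes are my own naming.

```python
import re

# Constructed excerpt reproducing the relevant lines of the config in the post.
ASA_CONFIG = """\
ip local pool vpn 192.10.2.100-192.10.2.200 mask 255.255.255.0
object network in
 subnet 192.10.1.0 255.255.255.0
access-list 102 extended permit ip any any
object network in
 nat (inside,outside) dynamic interface
access-group 200 in interface outside
http 192.10.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
ssh 192.10.1.0 255.255.255.0 inside
ssh key-exchange group dh-group1-sha1
group-policy anyconnect attributes
 address-pools value vpn
"""

def audit_asa_config(config: str) -> dict[str, str]:
    """Return {finding_code: explanation} for an ASA running-config text."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = {}
    # 1. Pools assigned by a group-policy need an identity NAT rule; otherwise
    #    inside -> pool replies are matched by 'nat (inside,outside) dynamic interface'.
    pools = {m.group(1) for ln in lines
             if (m := re.match(r"address-pools? value (\S+)", ln))}
    twice_nat = [ln for ln in lines if ln.startswith("nat (")
                 and "source static" in ln and "destination static" in ln]
    if pools and not twice_nat:
        findings["NAT_EXEMPT_MISSING"] = (
            f"pool(s) {sorted(pools)} assigned but no "
            "'nat ... source static ... destination static' exemption rule")
    # 2. access-group must reference an access-list that exists.
    acls = {m.group(1) for ln in lines if (m := re.match(r"access-list (\S+) ", ln))}
    for ln in lines:
        m = re.match(r"access-group (\S+) in interface (\S+)", ln)
        if m and m.group(1) not in acls:
            findings["ACL_UNDEFINED"] = (
                f"access-group {m.group(1)} on {m.group(2)} references no defined access-list")
    # 3. ASDM/SSH management reachable from any source on the outside interface.
    for ln in lines:
        m = re.match(r"(http|ssh) 0\.0\.0\.0 0\.0\.0\.0 outside$", ln)
        if m:
            findings[f"{m.group(1).upper()}_MGMT_ANY_OUTSIDE"] = (
                f"{m.group(1)} management open to any source on outside")
    # 4. Legacy SSH key exchange (1024-bit group with SHA-1).
    if "ssh key-exchange group dh-group1-sha1" in lines:
        findings["SSH_WEAK_KEX"] = "dh-group1-sha1 key exchange still configured"
    return findings

if __name__ == "__main__":
    for code, msg in audit_asa_config(ASA_CONFIG).items():
        print(f"{code}: {msg}")
```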