gengchunlin posted on 2018-10-25 13:38
You shouldn't need to adjust the ACL.
Two points I forgot to mention:
1. Has B3-VpnNatACL actually been applied anywhere?
1. B3-VpnNatACL is applied:
nat (inside) 0 access-list B3-VpnNatACL
2. The tunnel-group is defined:
tunnel-group group-B3 type remote-access
tunnel-group group-B3 general-attributes
default-group-policy webvpn-B3
tunnel-group group-B3 webvpn-attributes
group-alias group-B3 enable
3. The group-policy is configured as follows:
ASA01# sh running-config group-policy
group-policy webvpn-B3 internal
group-policy webvpn-B3 attributes
vpn-simultaneous-logins 50
vpn-idle-timeout 5
vpn-session-timeout 180
vpn-filter value webvpn-B3
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value B3-SplitACL
address-pools value B3-VpnPool
4. The split-tunnel route for the server is already configured and pushed to clients:
access-list B3-SplitACL standard permit host 47.x.x.x
access-list anyconnect-ACL extended permit ip 172.16.66.0 255.255.255.0 host 47.x.x.x
nat (outside2) 1 access-list anyconnect-ACL
global (outside2) 1 192.168.10.7 netmask 255.255.255.255
The test shows the client has received the route:
Packets are being sent, but no NAT entry for 172.16.66.0/24 shows up on the outside interface.
Device version:
I'm not sure whether this version supports NAT from one outside interface to another outside interface, or whether there is something wrong in the configuration; either way, no NAT entry appears.
Please help me take a look.
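For comparison, an added configuration fragment that is not from the thread: it contrasts the posted nat/global pair with the pre-8.3 form in which the nat statement names the interface the real (untranslated) traffic enters on. It assumes the AnyConnect sessions terminate on the interface named outside and reuses the names outside2, anyconnect-ACL and 192.168.10.7 from the post.

```cisco
! Added example, not the poster's running configuration.
! Assumption: AnyConnect sessions terminate on "outside", so the decrypted
! client traffic from 172.16.66.0/24 enters the ASA on "outside", not "outside2".
!
! As posted: the nat statement is bound to outside2, the egress interface.
! In the pre-8.3 nat/global syntax "nat (ifc)" names the interface behind
! which the real addresses sit, i.e. where the traffic comes in.
nat (outside2) 1 access-list anyconnect-ACL
global (outside2) 1 192.168.10.7 netmask 255.255.255.255
!
! Ingress-interface form: real addresses arrive on "outside", the translated
! address is used when leaving "outside2"; nat id 1 links the two statements.
nat (outside) 1 access-list anyconnect-ACL
global (outside2) 1 192.168.10.7 netmask 255.255.255.255
!
! If outside and outside2 have the same security level, traffic between them
! must be permitted explicitly or it is dropped before any xlate is built.
same-security-traffic permit inter-interface
!
! Caveat: if "outside" has a lower security level than "outside2", the pre-8.3
! syntax needs the "outside" keyword on the nat statement (outside NAT);
! verify against the command reference for the exact version shown above.
!
! Checks: an xlate only appears after a client sends traffic to the host
! matched by anyconnect-ACL (47.x.x.x in the post).
! show running-config nat
! show xlate | include 172.16.66
```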