ASA5550 NAT fault, and after configuring AnyConnect VPN the remote client connects but cannot reach internal machines

w67531549
Level 1
I recently configured an ASA5550 firewall, version 9.1. After finishing the configuration in ASDM, AnyConnect can connect and does get an address, but it cannot reach any internal host.
Also, after configuring the NAT port mappings for the servers, accessing a mapped port locally works fine, but none of the other ports can be reached; accessing the ports that go through the ASA from outside also fails to connect, yet all the machines can be pinged, and port 22 can never be accessed.
Where is the problem? The configuration is rather long, as follows:
sirunASA# sh run
: Saved
:
ASA Version 9.0(2)
!
hostname ASA
domain-name sirun.net
enable password 8Ry2YjIyt7RRXU24 encrypted
names
ip local pool vpn-pool 192.168.255.100-192.168.255.251 mask 255.255.255.0
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 111.x.x.x 255.255.255.224
!
interface GigabitEthernet0/1
shutdown
no nameif
security-level 0
no ip address
!
interface GigabitEthernet0/2
shutdown
nameif CallCenter
security-level 50
ip address 192.168.8.240 255.255.255.0
!
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3.9
shutdown
vlan 9
nameif Development
security-level 100
ip address 192.168.9.240 255.255.255.0
!
interface GigabitEthernet0/3.10
shutdown
vlan 10
nameif office
security-level 100
ip address 192.168.10.240 255.255.255.0
!
interface GigabitEthernet0/3.11
shutdown
vlan 11
nameif Accounting
security-level 50
ip address 172.32.5.254 255.255.255.0
!
interface GigabitEthernet0/3.255
vlan 255
nameif inside
security-level 100
ip address 192.168.255.1 255.255.255.0
!
interface GigabitEthernet0/3.998
shutdown
vlan 998
nameif hulian
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Management0/0
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/0
shutdown
nameif CCC
security-level 50
ip address 172.20.7.2 255.255.255.0
!
interface GigabitEthernet1/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.10.240
domain-name sirun.net
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network test192.168.255.0
subnet 192.168.255.0 255.255.255.0
object network Ali_RD_172.22.0.0
subnet 172.22.0.0 255.255.0.0
object network Ali_V1_172.20.10.0
subnet 172.20.10.0 255.255.255.0
object network Ali_V1_172.20.14.0
subnet 172.20.14.0 255.255.255.0
object network remote_vpn
subnet 192.168.200.0 255.255.255.0
object network office
subnet 192.168.10.0 255.255.255.0
object network Develop
subnet 192.168.9.0 255.255.255.0
object network develop_gateway
host 192.168.9.1
object network Outside_ip
host 111.x.x.88
object network target_server
host 192.168.9.45
object service target
service tcp source eq 1235 destination eq 1235
object network CallCenter
subnet 192.168.8.0 255.255.255.0
object network cesi
subnet 172.16.7.0 255.255.255.0
object network HZ
subnet 172.20.0.0 255.255.252.0
object network obj_192.168.9.67:8443
host 192.168.9.67
object network caiwu-linshi
subnet 172.32.5.0 255.255.255.0
object network obj_172.16.7.213:9080
host 172.16.7.213
object service P-83
service tcp source eq 83 destination eq 83
object service P-9080
service tcp source eq 9080 destination eq 9080
object network obj_172.16.7.213
object network obj_192.168.9.45:1235
host 192.168.9.45
object network obj_192.168.9.81:80
host 192.168.9.81
object network obj_192.168.9.81
object network obj_172.16.7.212:80
host 172.16.7.212
object network obj_172.16.7.233:80
host 172.16.7.233
object network obj_172.16.7.210:22
host 172.16.7.210
object network obj_172.16.7.211:22
host 172.16.7.211
object network obj_172.16.7.212:22
host 172.16.7.212
object network obj_172.16.7.213:22
host 172.16.7.213
object network obj_172.16.7.203:22
host 172.16.7.203
object network obj_192.168.9.67:443
host 192.168.9.67
object network obj_192.168.9.67:22
host 192.168.9.67
object network obj_172.16.7.206:3306
host 172.16.7.206
object network obj_172.16.7.208:3306
host 172.16.7.208
object network obj_172.16.7.211:3306
host 172.16.7.211
object network obj_172.16.7.212:3306
host 172.16.7.212
object network obj_172.16.7.233:6203
host 172.16.7.233
object network obj_172.16.7.211:443
host 172.16.7.211
object network obj_172.16.7.211:6600
host 172.16.7.211
object network obj_172.16.7.212:6600
host 172.16.7.212
object network obj_172.16.7.211:6711
host 172.16.7.211
object network obj_172.16.7.212:6711
host 172.16.7.212
object network obj_172.16.7.211:6821
host 172.16.7.211
object network obj_172.16.7.211:6822
host 172.16.7.211
object network obj_172.16.7.212:6822
host 172.16.7.212
object network obj_172.16.7.211:6933
host 172.16.7.211
object network obj_172.16.7.212:6933
host 172.16.7.212
object network obj_172.16.7.211:7040
host 172.16.7.211
object network obj_172.16.7.211:7155
host 172.16.7.211
object network obj_172.16.7.213:8080
host 172.16.7.213
object network obj_172.16.7.203:7079
host 172.16.7.203
object network obj_192.168.9.77:8080
host 192.168.9.77
object network obj_172.16.7.203:9081
host 172.16.7.203
object network obj_172.16.7.219:8090
host 172.16.7.219
object network obj_172.16.7.219:8080
host 172.16.7.219
object network obj_172.16.7.205:8080
host 172.16.7.205
object network obj_172.16.7.210:8080
host 172.16.7.210
object network obj_172.16.7.211:7979
host 172.16.7.211
object network obj_172.16.7.212:8080
host 172.16.7.212
object network obj_192.168.9.67:8080
host 192.168.9.67
object network obj_172.16.7.203:8799
host 172.16.7.203
object network obj_172.16.7.213:8765
host 172.16.7.213
object network obj_172.16.7.214:8766
host 172.16.7.214
object network obj_172.16.7.217:8799
host 172.16.7.217
object network obj_172.16.7.214:8799
host 172.16.7.214
object network obj_172.16.7.202:8080
host 172.16.7.202
object network obj_172.16.7.204:7979
host 172.16.7.204
object network obj_192.168.9.20:9081
host 192.168.9.20
object network obj_172.16.7.210:9090
host 172.16.7.210
object network obj_172.16.7.210:9092
host 172.16.7.210
object network obj_172.16.7.210:9094
host 172.16.7.210
object network obj_172.16.7.210:9095
host 172.16.7.210
object network obj_172.16.7.210:9096
host 172.16.7.210
object network obj_172.16.7.210:9097
host 172.16.7.210
object network obj_172.16.7.210:9098
host 172.16.7.210
object network obj_172.16.7.210:9099
host 172.16.7.210
object network obj_192.168.9.51:27017
host 192.168.9.51
object service P-8091
service tcp source eq 8091 destination eq 8091
object service P-9081
service tcp source eq 9081 destination eq 9081
object network obj_192.168.9.67:8400
host 192.168.9.67
object service 22
service tcp source eq ssh destination eq ssh
object network obj_172.20.3.40:22
host 172.20.3.40
object-group network DM_INLINE_NETWORK_2
network-object object test192.168.255.0
object-group network DM_INLINE_NETWORK_3
network-object object Ali_V1_172.20.10.0
network-object object Ali_V1_172.20.14.0
network-object object Ali_RD_172.22.0.0
object-group network DM_INLINE_NETWORK_4
network-object object Ali_V1_172.20.10.0
network-object object Ali_V1_172.20.14.0
object-group network DM_INLINE_NETWORK_1
network-object object HZ
network-object object office
object-group network DM_INLINE_NETWORK_5
network-object 172.20.7.0 255.255.255.0
network-object 172.32.5.0 255.255.255.0
network-object 192.168.10.0 255.255.255.0
network-object 192.168.9.0 255.255.255.0
network-object 10.1.1.0 255.255.255.0
network-object 192.168.255.0 255.255.255.0
object-group network DM_INLINE_NETWORK_6
network-object object HZ
network-object object office
object-group network DM_INLINE_NETWORK_8
network-object 192.168.255.0 255.255.255.0
network-object 192.168.10.0 255.255.255.0
network-object 10.1.1.0 255.255.255.0
network-object 172.20.7.0 255.255.255.0
network-object 192.168.9.0 255.255.255.0
network-object object HZ
object-group network DM_INLINE_NETWORK_9
network-object 192.168.9.0 255.255.255.0
network-object object office
network-object 10.1.1.0 255.255.255.0
network-object 172.20.7.0 255.255.255.0
network-object 192.168.8.0 255.255.255.0
network-object object HZ
object-group network DM_INLINE_NETWORK_10
network-object 172.20.10.0 255.255.255.0
network-object 192.168.10.0 255.255.255.0
network-object 192.168.255.0 255.255.255.0
network-object object Ali_RD_172.22.0.0
object-group network DM_INLINE_NETWORK_15
network-object 192.168.9.0 255.255.255.0
network-object object office
object-group network DM_INLINE_NETWORK_21
network-object object Ali_V1_172.20.10.0
network-object object Ali_V1_172.20.14.0
network-object object Ali_RD_172.22.0.0
access-list VPN-TO-ALI extended permit ip 192.168.255.0 255.255.255.0 object-group DM_INLINE_NETWORK_4
access-list inside_access_in extended permit ip 192.168.255.0 255.255.255.0 any
access-list remote-vpn_splitTunnelAcl standard permit 192.168.255.0 255.255.255.0
access-list remote-vpn_splitTunnelAcl standard permit 172.20.10.0 255.255.255.0
access-list remote-vpn_splitTunnelAcl standard permit 172.22.0.0 255.255.0.0
access-list outside_cryptomap_1 extended permit ip object test192.168.255.0 object Ali_V1_172.20.10.0
access-list ipsec-for-remote_splitTunnelAcl standard permit any4
access-list DefaultRAGroup_splitTunnelAcl standard permit 172.20.10.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.255.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.255.0 255.255.255.0 object Ali_RD_172.22.0.0
access-list inside.9_access_in extended permit ip 192.168.9.0 255.255.255.0 192.168.255.0 255.255.255.0
access-list hulian_access_in extended permit tcp any any
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_5 any
access-list outside_access_in extended permit ip 192.168.9.0 255.255.255.0 any
access-list Development_access_in extended permit ip object-group DM_INLINE_NETWORK_15 object-group DM_INLINE_NETWORK_10
access-list office_access_in extended permit ip object office any
access-list global_access extended permit ip object-group DM_INLINE_NETWORK_8 object-group DM_INLINE_NETWORK_9
pager lines 24
logging enable
logging monitor informational
logging asdm informational
mtu outside 1500
mtu CallCenter 1500
mtu Development 1500
mtu Accounting 1500
mtu inside 1500
mtu CCC 1500
mtu office 1500
mtu hulian 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static test192.168.255.0 test192.168.255.0 destination static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 no-proxy-arp description VPN to Aliyun
nat (inside,inside) source static test192.168.255.0 test192.168.255.0 destination static test192.168.255.0 test192.168.255.0 no-proxy-arp
nat (inside,office) source static test192.168.255.0 test192.168.255.0 destination static office office no-proxy-arp
nat (inside,hulian) source static test192.168.255.0 test192.168.255.0 destination static cesi cesi no-proxy-arp
nat (office,outside) source static office office destination static DM_INLINE_NETWORK_21 DM_INLINE_NETWORK_21 no-proxy-arp
nat (office,office) source static DM_INLINE_NETWORK_6 DM_INLINE_NETWORK_6 destination static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 no-proxy-arp
nat (office,Development) source static office office destination static Develop Develop no-proxy-arp
nat (office,CCC) source static office office destination static HZ HZ no-proxy-arp
nat (office,hulian) source static office office destination static cesi cesi no-proxy-arp
nat (Development,hulian) source static Develop Develop destination static cesi cesi no-proxy-arp
nat (Development,inside) source static Develop Develop destination static test192.168.255.0 test192.168.255.0 no-proxy-arp
nat (Development,office) source static Develop Develop destination static office office no-proxy-arp
nat (Development,Development) source static Develop Develop destination static Develop Develop no-proxy-arp
nat (hulian,Development) source static caiwu-linshi caiwu-linshi destination static Develop Develop no-proxy-arp
nat (any,outside) source dynamic CallCenter interface inactive description Internet
nat (any,outside) source dynamic test192.168.255.0 interface inactive description Internet
nat (any,outside) source dynamic Develop interface inactive description Internet
nat (any,outside) source dynamic office interface inactive description Internet
!
object network test192.168.255.0
nat (any,outside) dynamic interface
object network office
nat (any,outside) dynamic interface
object network Develop
nat (any,outside) dynamic interface
object network CallCenter
nat (any,outside) dynamic interface
object network cesi
nat (any,outside) dynamic interface
object network obj_192.168.9.67:8443
nat (Development,outside) static Outside_ip service tcp 8443 18443
object network obj_172.16.7.213:9080
nat (hulian,outside) static Outside_ip service tcp 9080 83
object network obj_192.168.9.45:1235
nat (Development,outside) static Outside_ip service tcp 1235 1235
object network obj_172.16.7.212:80
nat (hulian,outside) static Outside_ip service tcp www 7077
object network obj_172.16.7.233:80
nat (hulian,outside) static Outside_ip service tcp www 180
object network obj_172.16.7.210:22
nat (hulian,outside) static Outside_ip service tcp 245 245
object network obj_172.16.7.211:22
nat (hulian,outside) static Outside_ip service tcp 246 246
object network obj_172.16.7.212:22
nat (hulian,outside) static Outside_ip service tcp 247 247
object network obj_172.16.7.213:22
nat (hulian,outside) static Outside_ip service tcp 248 248
object network obj_172.16.7.203:22
nat (hulian,outside) static Outside_ip service tcp 1222 1222
object network obj_192.168.9.67:443
nat (Development,outside) static Outside_ip service tcp https 1443
object network obj_192.168.9.67:22
nat (Development,outside) static Outside_ip service tcp 2222 2222
object network obj_172.16.7.206:3306
nat (hulian,outside) static Outside_ip service tcp 3306 3336
object network obj_172.16.7.208:3306
nat (hulian,outside) static Outside_ip service tcp 3306 3346
object network obj_172.16.7.211:3306
nat (hulian,outside) static Outside_ip service tcp 3306 3356
object network obj_172.16.7.212:3306
nat (hulian,outside) static Outside_ip service tcp 3306 3366
object network obj_172.16.7.233:6203
nat (hulian,outside) static Outside_ip service tcp 6203 6203
object network obj_172.16.7.211:443
nat (hulian,outside) static Outside_ip service tcp https 6443
object network obj_172.16.7.211:6600
nat (hulian,outside) static Outside_ip service tcp 6600 6600
object network obj_172.16.7.212:6600
nat (hulian,outside) static Outside_ip service tcp 6600 6610
object network obj_172.16.7.211:6711
nat (hulian,outside) static Outside_ip service tcp 6711 6711
object network obj_172.16.7.212:6711
nat (hulian,outside) static Outside_ip service tcp 6711 6721
object network obj_172.16.7.211:6821
nat (hulian,outside) static Outside_ip service tcp 6821 6821
object network obj_172.16.7.211:6822
nat (hulian,outside) static Outside_ip service tcp 6822 6822
object network obj_172.16.7.212:6822
nat (hulian,outside) static Outside_ip service tcp 6822 6832
object network obj_172.16.7.211:6933
nat (hulian,outside) static Outside_ip service tcp 6933 6933
object network obj_172.16.7.212:6933
nat (hulian,outside) static Outside_ip service tcp 6943 6933
object network obj_172.16.7.211:7040
nat (hulian,outside) static Outside_ip service tcp 7044 7044
object network obj_172.16.7.211:7155
nat (hulian,outside) static Outside_ip service tcp 7155 7155
object network obj_172.16.7.213:8080
nat (hulian,outside) static Outside_ip service tcp 8080 7878
object network obj_172.16.7.203:7079
nat (hulian,outside) static Outside_ip service tcp 7079 7900
object network obj_192.168.9.77:8080
nat (Development,outside) static Outside_ip service tcp 8080 8088
object network obj_172.16.7.203:9081
nat (hulian,outside) static Outside_ip service tcp 9081 8091
object network obj_172.16.7.219:8090
nat (hulian,outside) static Outside_ip service tcp 8090 8092
object network obj_172.16.7.219:8080
nat (hulian,outside) static Outside_ip service tcp 8080 8110
object network obj_172.16.7.205:8080
nat (hulian,outside) static Outside_ip service tcp 8080 8180
object network obj_172.16.7.210:8080
nat (hulian,outside) static Outside_ip service tcp 8080 8250
object network obj_172.16.7.211:7979
nat (hulian,outside) static Outside_ip service tcp 7979 8260
object network obj_172.16.7.212:8080
nat (hulian,outside) static Outside_ip service tcp 8080 8270
object network obj_192.168.9.67:8080
nat (Development,outside) static Outside_ip service tcp 8080 8442
object network obj_172.16.7.203:8799
nat (hulian,outside) static Outside_ip service tcp 8799 8699
object network obj_172.16.7.213:8765
nat (hulian,outside) static Outside_ip service tcp 8765 8765
object network obj_172.16.7.214:8766
nat (hulian,outside) static Outside_ip service tcp 8766 8766
object network obj_172.16.7.217:8799
nat (hulian,outside) static Outside_ip service tcp 8799 8780
object network obj_172.16.7.214:8799
nat (hulian,outside) static Outside_ip service tcp 8799 8799
object network obj_172.16.7.202:8080
nat (hulian,outside) static Outside_ip service tcp 8080 8888
object network obj_172.16.7.204:7979
nat (hulian,outside) static Outside_ip service tcp 7979 8900
object network obj_192.168.9.20:9081
nat (Development,outside) static Outside_ip service tcp 9081 9081
object network obj_172.16.7.210:9090
nat (hulian,outside) static Outside_ip service tcp 9090 9090
object network obj_172.16.7.210:9092
nat (hulian,outside) static Outside_ip service tcp 9092 9092
object network obj_172.16.7.210:9094
nat (hulian,outside) static Outside_ip service tcp 9094 9094
object network obj_172.16.7.210:9095
nat (hulian,outside) static Outside_ip service tcp 9095 9095
object network obj_172.16.7.210:9096
nat (hulian,outside) static Outside_ip service tcp 9096 9096
object network obj_172.16.7.210:9097
nat (hulian,outside) static Outside_ip service tcp 9097 9097
object network obj_172.16.7.210:9098
nat (hulian,outside) static Outside_ip service tcp 9098 9098
object network obj_172.16.7.210:9099
nat (hulian,outside) static Outside_ip service tcp 9099 9099
object network obj_192.168.9.51:27017
nat (Development,outside) static Outside_ip service tcp 27017 27018
object network obj_192.168.9.67:8400
nat (Development,outside) static Outside_ip service tcp 8443 8400
access-group outside_access_in in interface outside
access-group Development_access_in in interface Development
access-group inside_access_in in interface inside
access-group office_access_in in interface office
access-group hulian_access_in in interface hulian
access-group global_access global
route outside 0.0.0.0 0.0.0.0 111.204.193.94 1
route office 172.20.0.0 255.255.248.0 192.168.10.1 1
route hulian 172.32.5.0 255.255.255.0 192.168.9.253 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
network-acl outside_cryptomap_1
network-acl inside_access_in
user-identity default-domain LOCAL
eou allow audit
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set vpn esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set tran01 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3desMD5
protocol esp encryption 3des
protocol esp integrity md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set nat-t-disable
crypto map outside-map 1 match address outside_cryptomap
crypto map outside-map 1 set pfs
crypto map outside-map 1 set peer 120.x.x.x
crypto map outside-map 1 set ikev1 transform-set tran01
crypto map outside-map 1 set reverse-route
crypto map outside-map 10 match address VPN-TO-ALI
crypto map outside-map 10 set pfs
crypto map outside-map 10 set peer 121.x.x.x
crypto map outside-map 10 set ikev1 transform-set vpn
crypto map outside-map 10 set reverse-route
crypto map outside-map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside-map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0_anyconnect
enrollment self
email guoyuan.wang@sirun.net
subject-name CN=sirunASA_for_guoyuan
proxy-ldc-issuer
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn sslvpn.sirun.net
subject-name CN=sslvpn.sirun.net
keypair sslvpnkeypair
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate 9d6da958
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0_anyconnect
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 192.168.9.0 255.255.255.0 Development
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 Development
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 CCC
ssh 0.0.0.0 0.0.0.0 office
ssh 0.0.0.0 0.0.0.0 hulian
ssh timeout 60
ssh version 2
console timeout 0
no ipv6-vpn-addr-assign aaa
no ipv6-vpn-addr-assign local
vpn-sessiondb max-other-vpn-limit 5000
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 2
dhcpd update dns
!
dhcpd address 192.168.8.2-192.168.8.239 CallCenter
dhcpd dns 114.114.114.114 interface CallCenter
dhcpd enable CallCenter
!
dhcpd address 192.168.9.2-192.168.9.239 Development
dhcpd dns 114.114.114.114 interface Development
dhcpd enable Development
!
dhcpd address 192.168.255.2-192.168.255.252 inside
dhcpd dns 114.114.114.114 interface inside
dhcpd enable inside
!
dhcpd address 192.168.10.50-192.168.10.239 office
dhcpd dns 114.114.114.114 interface office
dhcpd enable office
!
!
tls-proxy maximum-session 3000
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes128-sha1
ssl trust-point ASDM_TrustPoint0_anyconnect inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
anyconnect enable
tunnel-group-list enable
keepout "Service out temporarily."
group-policy SSL-vpn_policy_remote internal
group-policy SSL-vpn_policy_remote attributes
wins-server none
dns-server value 114.114.114.114
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelall
split-tunnel-network-list value remote-vpn_splitTunnelAcl
default-domain value sirun.net
split-dns value 114.114.114
address-pools value vpn-pool
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_120.27.234.197 internal
group-policy GroupPolicy_120.27.234.197 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1
username test02 password /cXt2mD.GZuIfGDN encrypted
username test01 password 274Y4GRAbNElaCoV encrypted privilege 15
username test01 attributes
vpn-group-policy SSL-vpn_policy_remote
username caokai password vZOq68hnoLuvTlsi2pHOpw== nt-encrypted privilege 15
username caokai attributes
vpn-group-policy DefaultRAGroup
username admin password w4b7RpK6u3LUsuXd encrypted privilege 15
username admin attributes
service-type admin
tunnel-group DefaultRAGroup general-attributes
address-pool vpn-pool
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group 121.196.200.96 type ipsec-l2l
tunnel-group 121.196.200.96 general-attributes
default-group-policy GroupPolicy1
tunnel-group 121.196.200.96 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 120.27.234.197 type ipsec-l2l
tunnel-group 120.27.234.197 general-attributes
default-group-policy GroupPolicy_120.27.234.197
tunnel-group 120.27.234.197 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group sslvpn-remote_anyconnect type remote-access
tunnel-group sslvpn-remote_anyconnect general-attributes
address-pool vpn-pool
default-group-policy SSL-vpn_policy_remote
tunnel-group sslvpn-remote_anyconnect webvpn-attributes
group-alias SSLVPNClient enable
tunnel-group-map enable rules
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:00055f0b97a5bc792db25f24a62ea3ed
: end
1 accepted solution

Accepted solution

jingjian
Spotlight
For your second question, about the port mappings, check in three steps:
1. Whether the hosts defined in the objects are correct. Start with the port-22 objects; you can also define an object-group containing these objects, which makes writing the access list easier.
object network obj_172.16.7.210:22
host 172.16.7.210
object network obj_172.16.7.211:22
host 172.16.7.211
object network obj_172.16.7.212:22
host 172.16.7.212
object network obj_172.16.7.213:22
host 172.16.7.213
object network obj_172.16.7.203:22
host 172.16.7.203
object network obj_192.168.9.67:22
host 192.168.9.67
2. Check the NAT port-mapping configuration. The principle of port mapping: one public IP address can serve different services (www, ftp, ssh, etc.), but with this many hosts needing port 22 opened, one address certainly cannot do it. Checking your configuration, I did not find any mapping for port 22. Since there is no topology, I cannot see which interface the 172.16.7.0/24 traffic enters from; assuming it enters from inside, I define a NAT:
object network obj_172.16.7.210:22
nat (inside,outside) static A.B.C.D service tcp 22 22
3. Check that the ACL for access from outside permits the traffic.
I checked your configuration and found no ACL entry permitting port 22:
access-list outside_access_in extended permit tcp any object obj_172.16.7.210:22 eq 22
Hope this gives you an approach: tidy up your object, NAT and ACL configuration. There are many entries, but the logic must be clear.
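An added example (not code from the thread): a small Python audit that runs the three checks above mechanically over ASA 8.3+/9.x running-config lines, using the poster's obj_<ip>:<port> naming to recover the intended service port. The input is a constructed subset of the posted config plus one constructed ACE in the suggested form so that one entry passes; ACL matching is simplified to any-source ACEs with object/host/any destinations, as noted in the code.

```python
"""Added audit (not from the thread): mechanical form of the three checks in
the accepted answer, run over ASA 8.3+/9.x 'show run' lines."""
import re

PORT_NAMES = {"ssh": 22, "www": 80, "http": 80, "https": 443}
OBJ_RE = re.compile(r"^object network (\S+)$")
HOST_RE = re.compile(r"^host (\S+)$")
# object NAT static PAT: nat (real_ifc,mapped_ifc) static mapped_obj service proto REAL MAPPED
NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) static (\S+) service (tcp|udp) (\S+) (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) extended permit (\S+) (.*)$")
NAME_PORT_RE = re.compile(r":(\d+)$")  # the poster's obj_<ip>:<port> naming convention


def port_num(tok):
    return PORT_NAMES.get(tok) or int(tok)


def parse(config_text):
    """Return ({object_name: {"host": ip, "nats": [(proto, real_port, mapped_port)]}},
    [(acl_name, proto, tokens)])."""
    objs, acls, cur = {}, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := OBJ_RE.match(line):
            cur = objs.setdefault(m.group(1), {"host": None, "nats": []})
        elif (m := HOST_RE.match(line)) and cur:
            cur["host"] = m.group(1)
        elif (m := NAT_RE.match(line)) and cur:
            cur["nats"].append((m.group(4), port_num(m.group(5)), port_num(m.group(6))))
        elif m := ACL_RE.match(line):
            acls.append((m.group(1), m.group(2), m.group(3).split()))
    return objs, acls


def acl_permits(acls, acl_name, objs, host, real_port):
    """True if an ACE on acl_name lets Internet clients reach host:real_port.
    ASA 8.3+ ACLs match real (untranslated) addresses and ports. Assumed
    simplifications: only 'any'/'any4' sources count as Internet-reachable;
    network/mask and object-group destinations are not evaluated."""
    for name, proto, toks in acls:
        if name != acl_name or proto not in ("ip", "tcp") or toks[0] not in ("any", "any4"):
            continue
        rest = toks[1:]
        if rest[0] == "object" and rest[1] in objs:
            dst_ok, rest = objs[rest[1]]["host"] == host, rest[2:]
        elif rest[0] == "host":
            dst_ok, rest = rest[1] == host, rest[2:]
        elif rest[0] in ("any", "any4"):
            dst_ok, rest = True, rest[1:]
        else:
            continue
        if dst_ok and (proto == "ip" or not rest):
            return True
        if dst_ok and rest[0] == "eq" and port_num(rest[1]) == real_port:
            return True
    return False


def audit(config_text, acl_name="outside_access_in"):
    """{object_name: [problems]} for every object that carries a static PAT."""
    objs, acls = parse(config_text)
    findings = {}
    for name, obj in objs.items():
        if not obj["nats"]:
            continue
        problems = []
        if obj["host"] is None:  # check 1: the object resolves to a host
            problems.append("no host defined")
        m = NAME_PORT_RE.search(name)
        intended = int(m.group(1)) if m else None
        for proto, real_port, _mapped_port in obj["nats"]:
            if intended is not None and real_port != intended:  # check 2: real port is the service
                problems.append(f"real port {real_port} != {intended} in object name")
            if obj["host"] and not acl_permits(acls, acl_name, objs, obj["host"], real_port):
                problems.append(f"no {acl_name} ACE permits {proto}/{real_port} to {obj['host']}")  # check 3
        findings[name] = problems
    return findings


# Constructed subset of the posted running-config; the last ACE is invented to
# show a passing entry in the form the accepted answer suggests.
SAMPLE_CONFIG = """
object network Outside_ip
 host 111.x.x.88
object network obj_172.16.7.210:22
 host 172.16.7.210
object network obj_172.16.7.212:80
 host 172.16.7.212
object network obj_192.168.9.67:443
 host 192.168.9.67
object network obj_172.16.7.210:22
 nat (hulian,outside) static Outside_ip service tcp 245 245
object network obj_172.16.7.212:80
 nat (hulian,outside) static Outside_ip service tcp www 7077
object network obj_192.168.9.67:443
 nat (Development,outside) static Outside_ip service tcp https 1443
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_5 any
access-list outside_access_in extended permit tcp any object obj_192.168.9.67:443 eq 443
"""
```

Running audit(SAMPLE_CONFIG) flags obj_172.16.7.210:22 twice (its NAT uses real port 245 rather than 22, and nothing on outside_access_in permits it) and obj_172.16.7.212:80 once (port fine, ACE missing), while obj_192.168.9.67:443 passes.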

9 replies

one-time
Level 13
Thanks for your question! Someone will be along to answer shortly!

fortune
VIP Alumni
Is there a layer-3 switch or router between the ASA and the internal servers, with no routing set up between them? Has the interesting traffic been permitted between the internal server segment and the VPN segment?

xuxianda7
Spotlight
Post a topology!

jingjian
Spotlight
This post was last edited by arvinjing on 2017-3-10 12:04
First, AnyConnect: there are two kinds of reasons for not being able to reach the internal network. 1. No route; check the split-tunnel list. 2. A NAT problem; check the VPN NONAT configuration: traffic from the internal network toward the VPN pool addresses must not be NATed.
First, I recommend changing the split-tunnel list to an extended list, although a standard list also works: access-list remote-vpn_splitTunnelAcl standard permit 192.168.255.0 255.255.255.0
Suggested change: access-list remote-vpn_splitTunnelAcl extended permit ip object test192.168.255.0 any
Second, your VPN pool addresses and the internal network addresses are in the same subnet. When I design a VPN I keep them separate, and I recommend separating them; otherwise it can affect the other NAT and ACL configuration and muddle the logic. If they are in the same subnet, then your NAT is also written wrongly: the source should be the target network that needs to be reached and the destination the VPN pool addresses; the statement should be nat (inside,outside) source static test192.168.255.0 test192.168.255.0 destination static test192.168.255.0 test192.168.255.0
Once the NAT is right, AnyConnect VPN should work.

one-time
Level 13
vsop5207 posted on 2017-3-6 14:09
Is there a layer-3 switch or router between the ASA and the internal servers, with no routing set up between them? Has the interesting traffic been permitted between the internal server segment and ...

Thanks for your reply! 20 coins have been awarded to you~

one-time
Level 13
arvinjing posted on 2017-3-10 09:58
For your second question, about the port mappings, check in three steps:
1. Whether the hosts defined in the objects are correct. Start with the port-22 objects; you can also ...

Thanks for your reply! 20 coins have been awarded to you~

one-time
Level 13
xuxianda7 posted on 2017-3-7 11:41
Post a topology!

Thanks for your reply! 20 coins have been awarded to you~

one-time
Level 13
If your question has been solved, don't forget to mark the best answer!