VPN problem

seasonli72658
Spotlight
Last edited by seasonli72658 on 2019-12-9 16:35
Remote Access IPsec VPNs: I can now connect in and an IP address is assigned normally, but why can't I reach the other internal subnets? Is there something else I need to configure?
In the firewall I wrote directly: ip local pool vpnpool 192.168.2.2-192.168.2.150 mask 255.255.255.0
The other subnets are defined as DHCP scopes and VLANs on the core switch.
I also added the route route inside 172.30.0.0 255.255.255.0 10.99.201.4 toward the core switch. Is anything else needed?
Could it be related to the hash algorithm? I used MD5; I see that I used SHA1 before.
1 accepted solution

Accepted solution

Rockyw
Spotlight
seasonli72658 posted on 2019-12-11 09:21:
The configuration is as follows
: Saved

OP, have a look at the documents below.
IPsec Troubleshooting: Understanding and Using debug Commands
https://www.cisco.com/c/zh_cn/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.pdf
IPsec VPN Service Interruption Diagnosis Case
https://www.cisco.com/c/zh_cn/support/docs/security-vpn/ipsec-negotiation-ike-protocols/ipsecvpnserviceinterruptiondiagnosiscase.html
A summary of basic IPsec VPN troubleshooting approaches
https://kknews.cc/code/9noyrjq.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rockyw | If it solves your problem, please mark as answer. Thanks !


3 replies

Rockyw
Spotlight
It would be best to post the configuration too.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rockyw | If it solves your problem, please mark as answer. Thanks !

seasonli72658
Spotlight
Last edited by seasonli72658 on 2019-12-11 10:30
Rocky posted on 2019-12-10 22:38:
It would be best to post the configuration too.

The configuration is as follows:
: Saved
:
: Serial Number: FCH204974K5
: Hardware: ASA5515, 8192 MB RAM, CPU Clarkdale 3058 MHz, 1 CPU (4 cores)
:
ASA Version 9.6(3)1
!
hostname ASA5515-SH-new
enable password MKaPtr7WLIRDeknT encrypted
names
ip local pool Remotevpn 172.18.0.2-172.18.0.200 mask 255.255.0.0
!
interface GigabitEthernet0/0
channel-group 1 mode on
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
nameif inside1
security-level 100
ip address 192.168.202.1 255.255.255.0
!
interface GigabitEthernet0/2
description "LINK to Telecom Net"
nameif outside
security-level 0
ip address 116.236.222.70 255.255.255.252
!
interface GigabitEthernet0/3
description "LINK to Unicom Net"
nameif outside1
security-level 0
ip address 140.209.8.26 255.255.255.248
!
interface GigabitEthernet0/4
shutdown
nameif outside2
security-level 0
no ip address
interface GigabitEthernet0/5
channel-group 1 mode on
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 10.99.200.100 255.255.255.0
!
interface Port-channel1
lacp max-bundle 8
nameif inside
security-level 100
ip address 192.168.200.1 255.255.255.248
policy-route route-map rmap-to-Liantong
!
interface Port-channel2
no nameif
no security-level
no ip address
!
regex Define "a regular expression"
regex url_filter10 "\.pps\.tv"
regex url_filter11 "\.funshion\.com"
regex url_filter12 "v.baidu\.com"
regex url_filter13 "\.video.qq\.com"
regex url_filter14 "\.amemv\.com"
regex url_filter1 "\.youku\.com"
regex url_filter2 "\.tudou\.com"
regex url_filter3 "\.56\.com"
regex url_filter4 "\.iqiyi\.com"
regex url_filter5 "tv.sohu\.com"
regex url_filter6 "\.letv\.com"
regex url_filter7 "v.qq\.com"
regex url_filter8 "\.kankan\.com"
regex url_filter9 "\.ku6\.com"
boot system disk0:/asa963-1-smp-k8.bin
ftp mode passive
clock timezone beijing 8
object network objPubAddr-0-27
host 140.207.0.27
object network objExpe-202-18
host 192.168.202.18
object network objDianxin2
subnet 192.168.20.0 255.255.252.0
object network objDianxin
subnet 0.0.0.0 0.0.0.0
object network objLiantong
subnet 0.0.0.0 0.0.0.0
object-group network objGrpSH
network-object 10.100.0.0 255.255.0.0
network-object 10.200.0.0 255.255.0.0
network-object 192.168.100.0 255.255.255.0
network-object 192.168.222.0 255.255.255.0
object-group network objGrpSuzhou
network-object 192.168.30.0 255.255.252.0
object-group network objGrp20Fdata
network-object 10.88.1XX.0 255.255.255.0
network-object 10.88.1XX.0 255.255.255.0
object-group network objGrpWiFiGuest
network-object 10.88.1XX.0 255.255.255.0
object-group network objGrpWiFi
network-object 10.88.1XX.0 255.255.252.0
object-group network url_filter_group
network-object 10.88.X.X 255.255.0.0
network-object 10.99.X.X 255.255.0.0
object-group network objGrpVPN
network-object 172.18.0.0 255.255.0.0
access-list acl-SHnew-to-Suzhou extended permit ip object-group objGrpSH object-group objGrpSuzhou
access-list acl-20F-data-to-any extended permit ip object-group objGrp20Fdata any
access-list acl-Suzhou-to-SHnew extended permit ip object-group objGrpSuzhou object-group objGrpSH
access-list url_filter_list extended deny tcp object-group url_perm_group any eq www
access-list url_filter_list extended permit tcp object-group url_filter_group any eq www
access-list acl-WiFiGuest-to-any extended permit ip object-group objGrpWiFiGuest any
access-list acl-WiFi-to-any extended permit ip object-group objGrpWiFi any
access-list acl-expe-to-outside1 extended permit ip object objExpe-202-18 any
access-list acl-raspb-to-outside1 extended permit ip object objRaspb-202-221 any
access-list acl-fr-outside1 extended permit icmp any any
access-list acl-fr-outside1 extended permit ip any object objRaspb-202-221
access-list acl-fr-outside1 extended permit ip any object objExpe-202-18
access-list acl-fr-outside1 extended permit ip any object objNas2-5-252
access-list acl-fr-outside extended permit icmp any any
access-list acl-fr-outside extended permit tcp any host 192.168.5.61 eq 11543
access-list acl-fr-outside extended permit tcp any host 192.168.5.61 eq 6543
access-list acl-fr-outside extended permit tcp any object obj-5.159 range 20500 20599
access-list acl-fr-outside extended permit tcp any host 192.168.5.155 eq 10001
access-list acl-deny-out extended deny tcp host 192.168.5.225 any
access-list acl-deny-out extended permit tcp any any
access-list acl-SHnew-to-NewYork extended permit ip object-group objGrpSH object-group objGrpNewYork
access-list acl-NewYork-to-SHnew extended permit ip object-group objGrpNewYork object-group objGrpSH
access-list 10 remark split tunnel acl
access-list 10 standard permit 192.168.200.0 255.255.255.0
access-list 10 standard permit 10.100.0.0 255.255.0.0
access-list 10 standard permit 10.200.0.0 255.255.0.0
access-list 10 standard permit 192.168.100.0 255.255.255.0
access-list acl-VPN-to-any extended permit ip any object-group objGrpVPN
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu inside1 1500
mtu outside 1500
mtu outside1 1500
mtu outside2 1500
mtu management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
icmp permit any outside1
asdm image disk0:/asdm-792-152.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static objGrpSH objGrpSH destination static objGrpSuzhou objGrpSuzhou
nat (inside,outside) source static objGrpSH objGrpSH destination static objGrpVPN objGrpVPN
!
object network objDianxin2
nat (inside,outside2) dynamic interface
object network objDianxin
nat (inside,outside) dynamic interface
object network objLiantong
nat (inside,outside1) dynamic interface
!
route-map rmap-to-Liantong permit 10
match ip address acl-20F-data-to-any acl-WiFiGuest-to-any acl-expe-to-outside1 acl-raspb-to-outside1 acl-nas2-to-outside1
set ip next-hop 140.209.8.25
!
!
route outside 0.0.0.0 0.0.0.0 116.228.191.69 1
route outside1 0.0.0.0 0.0.0.0 140.207.0.25 10
route inside 10.100.0.0 255.255.0.0 10.99.201.4 1
route inside1 10.100.0.0 255.255.0.0 10.99.202.4 10
route inside 10.200.0.0 255.255.0.0 10.99.201.4 1
route inside1 10.200.0.0 255.255.0.0 10.99.202.4 10
route outside1 45.77.148.106 255.255.255.255 140.207.0.25 5
route inside 172.18.0.0 255.255.0.0 10.99.201.4 1
route inside 192.168.100.0 255.255.255.0 10.99.201.4 1
route inside1 192.168.100.0 255.255.255.0 10.99.202.4 10
route inside 192.168.222.0 255.255.255.0 10.99.201.4 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
aaa-server capdc protocol ldap
aaa-server capdc (inside) host 192.168.10.20
ldap-base-dn DC=capvision,DC=com,Dc=cn
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn capvision\administrator
server-type microsoft
aaa-server capdc (inside) host 192.168.10.22
ldap-base-dn DC=capvision,DC=com,Dc=cn
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn capvision\administrator
server-type microsoft
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
snmp-server host inside 10.88.111.28 community *****
snmp-server host inside 192.168.5.81 community *****
snmp-server host inside 192.168.5.80 community *****
snmp-server host inside 10.88.111.27 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps syslog
sysopt connection tcpmss minimum 1290
crypto ipsec ikev1 transform-set transet-ks esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map outside_dyn_map 50 set ikev1 transform-set transet-ks
crypto dynamic-map outside_dyn_map 50 set reverse-route
crypto map map-vpn 20 match address acl-SHnew-to-Suzhou
crypto map map-vpn 20 set peer 153.38.219.211
crypto map map-vpn 20 set ikev1 transform-set transet-ks
crypto map map-vpn 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map map-vpn interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 enable outside1
crypto ikev1 enable outside2
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
no ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside2
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 5
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authentication-key 1 md5 *****
ntp authenticate
ntp trusted-key 1
ntp server 202.120.2.101
ntp server 210.72.145.44
ssl cipher default custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher dtlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy VPN internal
group-policy VPN attributes
dns-server value 192.168.10.20 100.99.199.31
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 10
default-domain value capvision.com
nem enable
dynamic-access-policy-record DfltAccessPolicy
username admincisco password zbQPdVfMYFh.vJBv encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
tunnel-group 153.38.219.211 type ipsec-l2l
tunnel-group 153.38.219.211 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
address-pool Remotevpn
authentication-server-group capdc LOCAL
default-group-policy VPN
tunnel-group VPN ipsec-attributes
ikev1 pre-shared-key *****
!
class-map url_class
match access-list url_filter_list
class-map type regex match-any url_class_regex
match regex url_filter1
match regex url_filter2
match regex url_filter3
match regex url_filter4
match regex url_filter5
match regex url_filter6
match regex url_filter7
match regex url_filter8
match regex url_filter9
match regex url_filter10
match regex url_filter11
match regex url_filter12
match regex url_filter13
match regex url_filter14
class-map inspection_default
match default-inspection-traffic
class-map type inspect http match-all url_class_inspect
match request header host regex class url_class_regex
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
policy-map type inspect http url_policy_inspect
parameters
class url_class_inspect
drop-connection log
policy-map url_policy
class url_class
inspect http url_policy_inspect
!
service-policy global_policy global
service-policy url_policy interface inside
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:71925a8b09026fde0f6e6866fd8dd782
: end
nat (inside) 0 access-list acl-SHnew-to-VPN is how I wrote it, but it warned that this syntax is deprecated and not supported in this version.
After configuring Remote Access IPsec VPNs, the client can connect, but it cannot access the internal network, that is, the 10.100 and 10.200 subnets.
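The following checker is an added example and not part of the thread or of Cisco's tooling. It parses a constructed excerpt of the ASA configuration posted above and flags two things a reviewer would look at before suspecting IKE/IPsec negotiation: a static route for the VPN pool that points at a non-outside next hop (the ASA installs per-client routes for connected users itself), and split-tunnel networks that no identity NAT rule toward the pool covers. The pool name, ACL number and object-group names are taken from the posted config; the parser handles only the statement shapes shown.

```python
import ipaddress

# Constructed excerpt modelled on the ASA running-config posted above: only the
# statements these checks read, written without the indentation the forum stripped.
ASA_CONFIG = """\
ip local pool Remotevpn 172.18.0.2-172.18.0.200 mask 255.255.0.0
object-group network objGrpSH
network-object 10.100.0.0 255.255.0.0
network-object 10.200.0.0 255.255.0.0
object-group network objGrpVPN
network-object 172.18.0.0 255.255.0.0
access-list 10 standard permit 192.168.200.0 255.255.255.0
access-list 10 standard permit 10.100.0.0 255.255.0.0
access-list 10 standard permit 10.200.0.0 255.255.0.0
nat (inside,outside) source static objGrpSH objGrpSH destination static objGrpVPN objGrpVPN
route inside 172.18.0.0 255.255.0.0 10.99.201.4 1
"""

net = lambda addr, mask: ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    # Collect address pools, network object-groups, standard ACLs, identity NAT rules, routes.
    pools, groups, acls, nats, routes, group = {}, {}, {}, [], [], None
    for w in (line.split() for line in config.splitlines()):
        if w[:1] == ["network-object"] and group is not None:
            group.append(net(w[1], w[2]))
            continue
        group = None  # any other statement closes the current object-group
        if w[:3] == ["ip", "local", "pool"]:
            pools[w[3]] = net(w[4].split("-")[0], w[6])  # network containing the pool
        elif w[:2] == ["object-group", "network"]:
            group = groups.setdefault(w[2], [])
        elif w[:1] == ["access-list"] and w[2:4] == ["standard", "permit"]:
            acls.setdefault(w[1], []).append(net(w[4], w[5]))
        elif w[:1] == ["nat"] and w[2:4] == ["source", "static"] and w[4] == w[5]:
            nats.append((w[4], w[8]))  # identity (NAT-exempt) rule: (source, destination)
        elif w[:1] == ["route"]:
            routes.append((w[1], net(w[2], w[3]), w[4]))
    return pools, groups, acls, nats, routes

def check_remote_access(config, pool_name, split_acl, outside="outside"):
    # Returns human-readable findings; an empty list means both checks passed.
    pools, groups, acls, nats, routes = parse(config)
    pool, findings = pools[pool_name], []
    for iface, dest, nexthop in routes:  # pool addresses are reached via the tunnel
        if iface != outside and dest.overlaps(pool):
            findings.append(f"route {iface} {dest} via {nexthop} overlaps VPN pool {pool}")
    exempt = [n for s, d in nats if any(pool.subnet_of(g) for g in groups[d]) for n in groups[s]]
    for split in acls.get(split_acl, []):  # every tunnelled network needs NAT exemption
        if not any(split.subnet_of(e) for e in exempt):
            findings.append(f"split-tunnel network {split} has no identity NAT toward {pool}")
    return findings
```

The script cannot see the core switch, so whether it holds a return route for the pool toward the ASA inside interface remains a manual check.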