请选择 进入手机版 | 继续访问电脑版

设为首页 收藏本站
思科服务支持社区 点击关注
思科服务支持社区

  
 找回密码
 立即注册

扫一扫,访问微社区

搜索
热搜: 邮件服务器
查看: 457|回复: 12

ASA5505配置AnyconnectVPN问题

[复制链接]
发表于 2018-5-31 00:03:26 | 显示全部楼层 |阅读模式
0可用金钱
我刚接触安全不久,学了几次Anyconnect的配置都没有成功,所以想在这里请教大家一下,麻烦各位大佬给我指点一下,为什么我的Anyconnect连接不成功。下面附录上我的ASA的配置及连接Anyconnect时的报错图片:
ASA# show run
: Saved
:
: Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.1(7)23
!
hostname ASA
domain-name ciscoccie.org
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
dns-guard
ip local pool TEST 10.0.255.1-10.0.255.25
!
interface Ethernet0/0
description conn_to_Router_2811_F0/1
switchport access vlan 10
!
interface Ethernet0/1
description conn_to_Modem_IPTV
switchport access vlan 12
!
interface Ethernet0/2
description conn_to_TV
switchport access vlan 12
!
interface Ethernet0/3
description conn_to_DELL_NIC_0
switchport trunk allowed vlan 10-17
switchport mode trunk
!
interface Ethernet0/4
description conn_to_DELL_NIC_1
switchport trunk allowed vlan 10-17
switchport mode trunk
!
interface Ethernet0/5
description conn_to_PC_and_AP_1252G
switchport trunk allowed vlan 10-17
switchport trunk native vlan 11
switchport mode trunk
!
interface Ethernet0/6
description conn_to_AP-1
switchport trunk allowed vlan 10-17
switchport trunk native vlan 11
switchport mode trunk
!
interface Ethernet0/7
description conn_to_AP-2
switchport trunk allowed vlan 10-17
switchport trunk native vlan 11
switchport mode trunk
!
interface Vlan10
nameif out
security-level 0
ip address 10.0.0.253 255.255.255.0
!
interface Vlan11
nameif in
security-level 100
ip address 10.0.1.254 255.255.255.0
!
interface Vlan12
nameif DMZ-TV
security-level 50
ip address 10.0.2.254 255.255.255.0
!
interface Vlan13
nameif Sev
security-level 70
ip address 10.0.3.254 255.255.255.0
!
interface Vlan14
nameif AP
security-level 90
ip address 10.0.4.254 255.255.255.0
!
interface Vlan15
nameif DELL
security-level 40
ip address 10.0.5.254 255.255.255.0
!
interface Vlan16
nameif VCSA
security-level 80
ip address 10.6.112.10 255.255.255.0
!            
interface Vlan17
nameif Guest
security-level 5
ip address 10.0.7.254 255.255.255.0
!
boot system disk0:/asa917-23-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name ciscoccie.org
access-list Deny-DMZ extended permit ip 10.0.2.0 255.255.255.0 any log
access-list DELL extended permit tcp any host 10.0.7.253 eq 3389
access-list DELL extended permit tcp any host 10.0.1.22 eq 3389
access-list DELL extended permit tcp any host 10.0.5.253 eq 1024
access-list DELL extended permit tcp any host 10.0.5.253 eq 5901
access-list DELL extended permit tcp any host 10.0.5.253 eq 623
access-list DELL extended permit tcp any host 10.0.5.253 eq 1080
access-list DELL extended permit tcp any host 10.0.5.253 eq 5902
access-list DELL extended permit tcp any host 10.6.112.2 eq https
access-list DELL extended permit tcp any host 10.0.3.252 eq www
access-list DELL extended permit tcp any host 10.0.3.252 gt 32768
pager lines 24
logging enable
logging asdm informational
mtu out 1500  
mtu in 1500
mtu DMZ-TV 1500
mtu Sev 1500
mtu AP 1500
mtu DELL 1500
mtu VCSA 1500
mtu Guest 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-791-151.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group DELL in interface out
access-group Deny-DMZ in interface DMZ-TV
!
router eigrp 10
no auto-summary
network 10.0.0.0 255.0.0.0
network 172.16.0.0 255.255.0.0
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 in
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 10.0.0.252 255.255.255.255 out
ssh 0.0.0.0 0.0.0.0 in
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd dns 114.114.114.114 8.8.8.8
dhcpd domain cisco.home.org
!
dhcpd address 10.0.1.10-10.0.1.200 in
dhcpd enable in
!
dhcpd address 10.0.3.10-10.0.3.200 Sev
dhcpd enable Sev
!
dhcpd address 10.0.4.10-10.0.4.200 AP
dhcpd enable AP
!
dhcpd address 10.0.5.10-10.0.5.200 DELL
dhcpd enable DELL
!            
dhcpd address 10.6.112.100-10.6.112.200 VCSA
dhcpd enable VCSA
!
dhcpd address 10.0.7.10-10.0.7.250 Guest
dhcpd enable Guest
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
port 4443
enable out
enable in
dtls port 4443
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-4.5.02033-webdeploy-k9.pkg 1
anyconnect enable
cache
  disable
group-policy TEST internal
group-policy TEST attributes
vpn-tunnel-protocol l2tp-ipsec ssl-client ssl-clientless
address-pools value TEST
username TEST password test encrypted
username TEST attributes
vpn-group-policy TEST
webvpn
  anyconnect keep-installer installed
username abc password admin privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect icmp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
profile License
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination transport-method http
: end


附件: 您需要 登录 才可以下载或查看,没有帐号?立即注册
  • 1
  • 2
  • 3
  • 4
  • 5
  • 1
  • 2
  • 3
  • 4
  • 5
平均得分0 (0 评价)
发表于 2018-5-31 10:39:48 | 显示全部楼层
嗯?tunnel-group呢tunnel-group要指定认证方式和default group-policy
  • 1
  • 2
  • 3
  • 4
  • 5
  • 1
  • 2
  • 3
  • 4
  • 5
平均得分0 (0 评价)
 楼主| 发表于 2018-5-31 16:50:21 | 显示全部楼层
maguanghua2013 发表于 2018-5-31 10:39
嗯?tunnel-group呢tunnel-group要指定认证方式和default group-policy

我查看show run all  tunnel-group 里面是有default group-policy的,麻烦您给我指点一下,谢谢!
ASA(config)# show run all tunnel-group
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
no accounting-server-group
default-group-policy DfltGrpPolicy
tunnel-group DefaultL2LGroup ipsec-attributes
no ikev1 pre-shared-key
peer-id-validate req
no chain
no ikev1 trust-point
isakmp keepalive threshold 10 retry 2
no ikev2 remote-authentication
no ikev2 local-authentication
tunnel-group DefaultRAGroup type remote-access
tunnel-group DefaultRAGroup general-attributes
no address-pool
no ipv6-address-pool
authentication-server-group LOCAL
secondary-authentication-server-group none
no accounting-server-group
default-group-policy DfltGrpPolicy
no dhcp-server
no strip-realm
no nat-assigned-to-public-ip
no scep-enrollment enable
no password-management
no override-account-disable
no strip-group
no authorization-required
username-from-certificate CN OU
secondary-username-from-certificate CN OU
authentication-attr-from-server primary
authenticated-session-username primary
tunnel-group DefaultRAGroup webvpn-attributes
customization DfltCustomization
authentication aaa
no override-svc-download
no radius-reject-message
no proxy-auth sdi
no pre-fill-username ssl-client
no pre-fill-username clientless
no secondary-pre-fill-username ssl-client
no secondary-pre-fill-username clientless
dns-group DefaultDNS
no without-csd
tunnel-group DefaultRAGroup ipsec-attributes
no ikev1 pre-shared-key
peer-id-validate req
no chain
no ikev1 trust-point
no ikev1 radius-sdi-xauth
isakmp keepalive threshold 300 retry 2
ikev1 user-authentication xauth
no ikev2 remote-authentication
no ikev2 local-authentication
tunnel-group DefaultRAGroup ppp-attributes
no authentication pap
authentication chap
authentication ms-chap-v1
no authentication ms-chap-v2
no authentication eap-proxy
tunnel-group DefaultWEBVPNGroup type remote-access
tunnel-group DefaultWEBVPNGroup general-attributes
no address-pool
no ipv6-address-pool
authentication-server-group LOCAL
secondary-authentication-server-group none
no accounting-server-group
default-group-policy DfltGrpPolicy
no dhcp-server
no strip-realm
no nat-assigned-to-public-ip
no scep-enrollment enable
no password-management
no override-account-disable
no strip-group
no authorization-required
username-from-certificate CN OU
secondary-username-from-certificate CN OU
authentication-attr-from-server primary
authenticated-session-username primary
tunnel-group DefaultWEBVPNGroup webvpn-attributes
customization DfltCustomization
authentication aaa
no override-svc-download
no radius-reject-message
no proxy-auth sdi
no pre-fill-username ssl-client
no pre-fill-username clientless
no secondary-pre-fill-username ssl-client
no secondary-pre-fill-username clientless
dns-group DefaultDNS
no without-csd
tunnel-group DefaultWEBVPNGroup ipsec-attributes
no ikev1 pre-shared-key
peer-id-validate req
no chain
no ikev1 trust-point
no ikev1 radius-sdi-xauth
isakmp keepalive threshold 300 retry 2
ikev1 user-authentication xauth
no ikev2 remote-authentication
no ikev2 local-authentication
tunnel-group DefaultWEBVPNGroup ppp-attributes
no authentication pap
authentication chap
authentication ms-chap-v1
no authentication ms-chap-v2
no authentication eap-proxy
ASA(config)#
  • 1
  • 2
  • 3
  • 4
  • 5
  • 1
  • 2
  • 3
  • 4
  • 5
平均得分0 (0 评价)
发表于 2018-5-31 17:21:39 | 显示全部楼层
默认webVPN的general-attributes里的认证方式是LOCAL。
你需要再指定一下group-policy:
tunnel-group DefaultWEBVPNGroup general-attributes
default-group-policy TEST

SSLVPN配置案例参考思科官网:
https://www.cisco.com/c/en/us/su ... -config-asa-00.html

建议你学习一下原理,便于排错
  • 1
  • 2
  • 3
  • 4
  • 5
  • 1
  • 2
  • 3
  • 4
  • 5
平均得分5 (1 评价)
 楼主| 发表于 2018-5-31 20:38:05 | 显示全部楼层
maguanghua2013 发表于 2018-5-31 17:21
默认webVPN的general-attributes里的认证方式是LOCAL。
你需要再指定一下group-policy:
tunnel-group De ...

感谢您,我现在正在学CCIE安全方向,刚开始,因为项目要用Anyconnect VPN但是我还没有学到,我一定好好学一下原理的,谢谢您!
  • 1
  • 2
  • 3
  • 4
  • 5
  • 1
  • 2
  • 3
  • 4
  • 5
平均得分0 (0 评价)
 楼主| 发表于 2018-5-31 23:49:55 | 显示全部楼层
maguanghua2013 发表于 2018-5-31 17:21
默认webVPN的general-attributes里的认证方式是LOCAL。
你需要再指定一下group-policy:
tunnel-group De ...

您好,按照你的方法我添加了两个命令
tunnel-group DefaultWEBVPNGroup general-attributes
default-group-policy TEST
添加后,可以正常连接上Anyconnect客户端了,但是电脑在断开Anyconnect连接之后,怎么再也连接不上了,并报错如图所示:所有的改动如下:
tunnel-group DefaultWEBVPNGroup general-attributes
  default-group-policy TEST
access-list Anyconnect_ACL standard permit 10.0.0.0 255.255.0.0
group-policy TEST attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Anyconnect_ACL

webvpn
no anyconnect-essentials

希望您能帮助一下我,谢谢您!

本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有帐号?立即注册

x
  • 1
  • 2
  • 3
  • 4
  • 5
  • 1
  • 2
  • 3
  • 4
  • 5
平均得分0 (0 评价)
发表于 2018-6-1 08:40:47 来自手机 | 显示全部楼层
asdm 发表于 2018-5-31 23:49
您好,按照你的方法我添加了两个命令
tunnel-group DefaultWEBVPNGroup general-attributes
default-gr ...

用扩展列表,目的是any
  • 1
  • 2
  • 3
  • 4
  • 5
  • 1
  • 2
  • 3
  • 4
  • 5
平均得分0 (0 评价)
 楼主| 发表于 2018-6-1 10:39:50 | 显示全部楼层
maguanghua2013 发表于 2018-6-1 08:40
用扩展列表,目的是any

我改成扩展的列表了,但是还不行,还是一样的报错。我还是把所有的配置给你看一下吧。麻烦您了!
hostname ASA
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
dns-guard
ip local pool TEST 10.0.255.1-10.0.255.25
!
interface Ethernet0/0
description conn_to_Router_2811_F0/1
switchport access vlan 10
!
interface Ethernet0/1
description conn_to_Modem_IPTV
switchport access vlan 12
!
interface Ethernet0/2
description conn_to_TV
switchport access vlan 12
!
interface Ethernet0/3
description conn_to_DELL_NIC_0
switchport trunk allowed vlan 10-17
switchport mode trunk
!
interface Ethernet0/4
description conn_to_DELL_NIC_1
switchport trunk allowed vlan 10-17
switchport mode trunk
!
interface Ethernet0/5
description conn_to_PC_and_AP_1252G
switchport trunk allowed vlan 10-17
switchport trunk native vlan 11
switchport mode trunk
!
interface Ethernet0/6
description conn_to_AP-1
switchport trunk allowed vlan 10-17
switchport trunk native vlan 11
switchport mode trunk
!
interface Ethernet0/7
description conn_to_AP-2
switchport trunk allowed vlan 10-17
switchport trunk native vlan 11
switchport mode trunk
!
interface Vlan10
nameif out
security-level 0
ip address 10.0.0.253 255.255.255.0
!
interface Vlan11
nameif in
security-level 100
ip address 10.0.1.254 255.255.255.0
!
interface Vlan12
nameif DMZ-TV
security-level 50
ip address 10.0.2.254 255.255.255.0
!
interface Vlan13
nameif Sev
security-level 70
ip address 10.0.3.254 255.255.255.0
!
interface Vlan14
nameif AP
security-level 90
ip address 10.0.4.254 255.255.255.0
!
interface Vlan15
nameif DELL
security-level 40
ip address 10.0.5.254 255.255.255.0
!
interface Vlan16
nameif VCSA
security-level 80
ip address 10.6.112.10 255.255.255.0
!            
interface Vlan17
nameif Guest
security-level 5
ip address 10.0.7.254 255.255.255.0
!
boot system disk0:/asa917-23-k8.bin
ftp mode passive
clock timezone D 8
dns domain-lookup out
dns server-group DefaultDNS
name-server 114.114.114.114
name-server 8.8.8.8
domain-name ciscoccie.org
access-list Anyconnect_ACL extended permit ip any 10.0.0.0 255.255.0.0
access-list Deny-DMZ extended permit ip 10.0.2.0 255.255.255.0 any log
access-list DELL extended permit tcp any host 10.0.7.253 eq 3389
access-list DELL extended permit tcp any host 10.0.1.22 eq 3389
access-list DELL extended permit tcp any host 10.0.5.253 eq 1024
access-list DELL extended permit tcp any host 10.0.5.253 eq 5901
access-list DELL extended permit tcp any host 10.0.5.253 eq 623
access-list DELL extended permit tcp any host 10.0.5.253 eq 1080
access-list DELL extended permit tcp any host 10.0.5.253 eq 5902
access-list DELL extended permit tcp any host 10.6.112.2 eq https
access-list DELL extended permit tcp any host 10.0.3.252 eq www
access-list DELL extended permit tcp any host 10.0.3.252 gt 32768
pager lines 24
logging enable
logging asdm informational
mtu out 1500
mtu in 1500
mtu DMZ-TV 1500
mtu Sev 1500
mtu AP 1500
mtu DELL 1500
mtu VCSA 1500
mtu Guest 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-791-151.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group DELL in interface out
access-group Deny-DMZ in interface DMZ-TV
!
router eigrp 10
no auto-summary
network 10.0.0.0 255.0.0.0
network 172.16.0.0 255.255.0.0
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable 4443
http 0.0.0.0 0.0.0.0 in
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 10.0.0.254 255.255.255.255 out
ssh 10.0.0.252 255.255.255.255 out
ssh 0.0.0.0 0.0.0.0 in
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 114.114.114.114 8.8.8.8
dhcpd domain cisco.home.org
!
dhcpd address 10.0.1.10-10.0.1.200 in
dhcpd enable in
!
dhcpd address 10.0.3.10-10.0.3.200 Sev
dhcpd enable Sev
!
dhcpd address 10.0.4.10-10.0.4.200 AP
dhcpd enable AP
!
dhcpd address 10.0.5.10-10.0.5.200 DELL
dhcpd enable DELL
!
dhcpd address 10.6.112.100-10.6.112.200 VCSA
dhcpd enable VCSA
!
dhcpd address 10.0.7.10-10.0.7.250 Guest
dhcpd enable Guest
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 118.122.35.10
ntp server 61.216.153.105
ntp server 61.216.153.106
ntp server 173.255.246.13
webvpn
port 4443
enable out
enable in
dtls port 4443
no anyconnect-essentials
anyconnect image disk0:/anyconnect-win-4.5.02033-webdeploy-k9.pkg 1
anyconnect enable
cache
  disable
group-policy TEST internal
group-policy TEST attributes
vpn-tunnel-protocol l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Anyconnect_ACL
address-pools value TEST
username TEST password CpyvyVSC5OXS.Pq1 encrypted
username TEST attributes
vpn-group-policy TEST
webvpn
  anyconnect keep-installer installed
tunnel-group DefaultWEBVPNGroup general-attributes
default-group-policy TEST
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect icmp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 1
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
profile License
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination transport-method http
: end
  • 1
  • 2
  • 3
  • 4
  • 5
  • 1
  • 2
  • 3
  • 4
  • 5
平均得分0 (0 评价)
发表于 2018-6-1 18:31:09 | 显示全部楼层
asdm 发表于 2018-6-1 10:39
我改成扩展的列表了,但是还不行,还是一样的报错。我还是把所有的配置给你看一下吧。麻烦您了!
hostna ...

似乎是acl的源目写反了?目的是any啊。
给你个生产的配置案例参考下:
https://nbma.info/cisco-asa-ssl-vpn-configure/
  • 1
  • 2
  • 3
  • 4
  • 5
  • 1
  • 2
  • 3
  • 4
  • 5
平均得分0 (0 评价)
 楼主| 发表于 2018-6-1 21:59:06 | 显示全部楼层
maguanghua2013 发表于 2018-6-1 18:31
似乎是acl的源目写反了?目的是any啊。
给你个生产的配置案例参考下:
https://nbma.info/cisco-asa-ss ...

ACL应该不会影响Anyconnect的连接,只会影响连接上Anyconnect的路由条目,我认为不是ACL的原因导致Anyconnect连接失败的。但是我又不知道是什么原因
  • 1
  • 2
  • 3
  • 4
  • 5
  • 1
  • 2
  • 3
  • 4
  • 5
平均得分0 (0 评价)
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Archiver | 思科服务支持社区  

GMT+8, 2018-6-22 00:32 , Processed in 0.100173 second(s), 55 queries .

京ICP备09041801号-187

版权所有 :copyright:1992-2019 思科系统  重要声明 | 保密声明 | 隐私权政策 | 商标 |

快速回复 返回顶部 返回列表