7913 views, 274 helpful, 4 replies

ASA AnyConnect problem

Adinm (Level 11)
After I configured AnyConnect, the client can dial in normally and obtains an IP address, but once connected to the VPN the client cannot communicate with the network segments behind the ASA, even though the ASA itself can reach those segments. I would like to ask the security engineers here what the cause is and how to fix this fault. Thanks.
The ASA configuration and the test output are attached below:
ASA# show run
: Saved
:
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.1(7)23
!
hostname ASA
domain-name Cisco.com
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd wTKp7jU8HBSlqnx4 encrypted
names
ddns update method DDNS
ddns both
interval maximum 0 0 5 0
!
ip local pool TEST 10.1.255.1-10.1.255.25
!
interface Ethernet0/0
!
interface Ethernet0/1
switchport trunk allowed vlan 1-2,78,100-105
switchport mode trunk
!
interface Ethernet0/2
switchport trunk allowed vlan 1-2,78,100-105
switchport mode trunk
!
interface Ethernet0/3
switchport access vlan 2
switchport trunk allowed vlan 1-2,78,100-105
switchport mode trunk
!
interface Ethernet0/4
switchport access vlan 2
!
interface Ethernet0/5
switchport access vlan 78
!
interface Ethernet0/6
switchport trunk native vlan 2
switchport mode trunk
!
interface Ethernet0/7
switchport trunk native vlan 2
switchport mode trunk
!
interface Vlan1
nameif outside
security-level 0
ddns update hostname svpnsr.ddns.net
ddns update DDNS
dhcp client update dns
pppoe client vpdn group adsl
ip address pppoe setroute
!
interface Vlan2
nameif inside
security-level 100
ip address 10.1.0.1 255.255.255.0
!
interface Vlan78
nameif Guest
security-level 1
ip address 192.168.200.254 255.255.255.0
!
interface Vlan100
nameif DELL
security-level 99
ip address 10.1.100.10 255.255.255.0
!
interface Vlan101
nameif ESXi
security-level 98
ip address 10.6.112.10 255.255.255.0
!
interface Vlan102
nameif WIN7
security-level 97
ip address 10.1.102.10 255.255.255.0
!
interface Vlan103
nameif CentOS
security-level 96
ip address 10.1.103.10 255.255.255.0
!
interface Vlan104
nameif EvE
security-level 95
ip address 10.1.104.10 255.255.255.0
!
interface Vlan105
nameif PPPoE
security-level 0
ip address 10.1.1.3 255.255.255.0
!
boot system disk0:/asa917-23-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 114.114.114.114
domain-name Cisco.com
object network S_NAT
host 10.1.0.55
object service CON
service tcp source eq 3389
object service DON
service tcp destination eq 65535
object network SOU
subnet 10.1.0.0 255.255.0.0
object network SOU_Gest
host 192.168.200.1
access-list Anyconnect_ACL extended permit ip 10.1.0.0 255.255.255.0 any
access-list Anyconnect_ACL extended permit ip host 10.6.112.2 any
access-list Anyconnect_ACL extended permit ip host 10.1.100.1 any
access-list Anyconnect_ACL extended permit ip host 10.1.102.1 any
access-list Anyconnect_ACL extended permit ip host 10.1.103.1 any
access-list Anyconnect_ACL extended permit ip host 10.1.104.1 any
access-list Anyconnect_ACL extended permit ip host 192.168.200.1 any
pager lines 24
mtu outside 1492
mtu inside 1500
mtu Guest 1500
mtu DELL 1500
mtu ESXi 1500
mtu WIN7 1500
mtu CentOS 1500
mtu EvE 1500
mtu PPPoE 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static S_NAT interface service CON DON
nat (any,outside) source dynamic any interface
!
object network SOU
nat (inside,outside) dynamic interface
object network SOU_Gest
nat (Guest,outside) dynamic interface
!
router eigrp 99
no auto-summary
network 10.1.0.0 255.255.255.0
network 10.1.1.0 255.255.255.0
network 10.1.100.0 255.255.255.0
network 10.1.102.0 255.255.255.0
network 10.1.103.0 255.255.255.0
network 10.1.104.0 255.255.255.0
network 10.6.112.0 255.255.255.0
network 192.168.200.0 255.255.255.0
!
route Guest 192.168.199.0 255.255.255.0 192.168.200.17 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group adsl request dialout pppoe
vpdn group adsl localname 900000
vpdn group adsl ppp authentication pap
vpdn username 900000 password *****
dhcpd dns 114.114.114.114
dhcpd lease 300
dhcpd domain cisco.com
dhcpd option 43 ascii 10.1.0.4
!
dhcpd address 10.1.0.20-10.1.0.100 inside
dhcpd enable inside
!
dhcpd address 192.168.200.1-192.168.200.2 Guest
dhcpd enable Guest
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 202.118.1.81
ntp server 202.112.31.197
webvpn
port 4443
enable outside
enable inside
dtls port 4443
no anyconnect-essentials
anyconnect image disk0:/anyconnect-win-4.5.02033-webdeploy-k9.pkg 1
anyconnect enable
cache
disable
group-policy TEST internal
group-policy TEST attributes
vpn-tunnel-protocol l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Anyconnect_ACL
address-pools value TEST
username test password TZNXh3MQUp.YpbKv encrypted
username testl attributes
vpn-group-policy TEST
webvpn
anyconnect keep-installer installed
username admin password /y0fKuI6IB06HgAO encrypted privilege 15
tunnel-group DefaultWEBVPNGroup general-attributes
default-group-policy TEST
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect ip-options
inspect netbios
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:b8c65076bb61b17279bb60ab4e1bcb48
: end
ASA# ping 10.1.104.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.104.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA#
C:\Users\admin>ping 10.1.104.1
正在 Ping 10.1.104.1 具有 32 字节的数据:
请求超时。
请求超时。
请求超时。
请求超时。
10.1.104.1 的 Ping 统计信息:
数据包: 已发送 = 4,已接收 = 0,丢失 = 4 (100% 丢失),
1 accepted solution

Accepted solution

LinusT (Cisco Employee)
After AnyConnect connects, traffic from the host to internal addresses reaches the internal network fine, but the reply packets from the internal network back to the host hit NAT on the way back. That is why the host cannot ping the internal addresses; just exempt (deny) that traffic from NAT and it will work!

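The NAT exemption the accepted answer refers to, written out as an added example against the subnets and the address pool in the posted configuration; it is not part of the original thread, and the object names VPN_POOL and LAN_NETS are my own. In the posted config, `nat (any,outside) source dynamic any interface` together with the object NAT for SOU translates every packet leaving through outside to the outside interface address, and replies to the AnyConnect pool 10.1.255.1-25 also leave through outside, where the tunnel terminates, so they are PAT'd and never make it back into the tunnel. An identity twice-NAT rule placed as rule 1 of section 1 keeps those replies untranslated:

```text
! Added example, not from the original post: NAT exemption for AnyConnect clients
! Object covering the AnyConnect address pool (ip local pool TEST 10.1.255.1-10.1.255.25)
object network VPN_POOL
 subnet 10.1.255.0 255.255.255.0
!
! Internal networks the VPN clients must reach, taken from the posted interfaces
object-group network LAN_NETS
 network-object 10.1.0.0 255.255.0.0
 network-object 10.6.112.0 255.255.255.0
 network-object 192.168.200.0 255.255.255.0
!
! Identity NAT inserted as rule 1 of section 1, so it is evaluated before
! "nat (any,outside) source dynamic any interface". Source and destination are
! translated to themselves, i.e. left untouched. no-proxy-arp stops the ASA from
! answering ARP for the pool on the real interfaces; route-lookup makes the egress
! interface follow the routing table (the client routes installed by the VPN)
! rather than the interface pair written in the rule.
nat (any,outside) 1 source static LAN_NETS LAN_NETS destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
```

To confirm the rule is the one being hit, trace an echo-reply on the return path, for example `packet-tracer input EvE icmp 10.1.104.1 0 0 10.1.255.1` (a VPN client in the pool replying from the EvE segment); before the fix the NAT phase shows the dynamic PAT to the outside interface, after it the identity rule, and `show nat detail` shows the hit counts per rule. Unrelated to the NAT issue, the posted `username testl attributes` stanza does not match `username test`, so that user only receives group policy TEST through the tunnel-group default, which happens to give the same result.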

4 replies

bo chen (Spotlight)
On the device behind the ASA that connects to it, add a static route for the destination range 10.1.255.1-10.1.255.25.

Adinm (Level 11)
Quoting CSCO12178277, posted 2018-8-17 09:37:
"On the device behind the ASA that connects to it, add a static route for the destination range 10.1.255.1-10.1.255.25."

All the devices behind the ASA have a default route pointing to the ASA.

Adinm (Level 11)
I found the cause tonight: after AnyConnect connects, traffic from the host to internal addresses reaches the internal network fine, but the reply packets from the internal network back to the host hit NAT on the way back. That is why the host cannot ping the internal addresses; just exempt (deny) that traffic from NAT and it works!