
We have 2 sites linked by IPSEC VPN to a remote Cisco ASA:
Site 1: 1.5Mb T1 connected to Cisco(1) 2841
Site 2: 1.5Mb T1 connected to Cisco 2841
Also:
Site 1 has a second WAN, a 3Mb bonded T1, connected to a Cisco 5510, which sits on the same LAN as Cisco(1) 2841.
Basically, remote-access (VPN) users connecting through the Cisco ASA 5510 need to access services on the site 2 side, i.e. connections from the site 1 address range 10.20.0.0/24. My idea is to have all traffic from the remote users sent via the Cisco ASA to site 2, travelling over the VPN between site 1 and site 2.
I am struggling to find much information on how to set this up. So, first, can anyone confirm that what I want to achieve is possible? Second, can anyone help me correct the configuration below, or point me in the direction of an example of this kind of configuration?
Many thanks.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 7.7.7.19 255.255.255.240
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.20.0.249 255.255.255.0
object-group network group-inside-vpnclient
 description All inside networks accessible to vpn clients
 network-object 10.20.0.0 255.255.255.0
 network-object 10.20.1.0 255.255.255.0
object-group network group-adp-network
 description ADP IP Address or network accessible to vpn clients
 network-object 207.207.207.173 255.255.255.255
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any source-quench
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit tcp any host 7.7.7.20 eq smtp
access-list outside_access_in extended permit tcp any host 7.7.7.20 eq https
access-list outside_access_in extended permit tcp any host 7.7.7.20 eq pop3
access-list outside_access_in extended permit tcp any host 7.7.7.20 eq www
access-list outside_access_in extended permit tcp any host 7.7.7.21 eq www
access-list outside_access_in extended permit tcp any host 7.7.7.21 eq https
access-list outside_access_in extended permit tcp any host 7.7.7.21 eq 5721
access-list acl-vpnclient extended permit ip object-group group-inside-vpnclient any
access-list acl-vpnclient extended permit ip object-group group-inside-vpnclient object-group group-adp-network
access-list acl-vpnclient extended permit ip object-group group-adp-network object-group group-inside-vpnclient
access-list PinesFLVPNTunnel_splitTunnelAcl standard permit 10.20.0.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.20.0.0 255.255.255.0 10.20.1.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.20.0.0 255.255.255.0 host 207.207.207.173
access-list inside_nat0_outbound_1 extended permit ip 10.20.1.0 255.255.255.0 host 207.207.207.173
ip local pool VPNPool 10.20.1.100-10.20.1.200 mask 255.255.255.0
route outside 0.0.0.0 0.0.0.0 7.7.7.17 1
route inside 207.207.207.173 255.255.255.255 10.20.0.3 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 288000
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map outside_dyn_map 20 match address acl-vpnclient
crypto map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
group-policy YeahRightflVPNTunnel internal
group-policy YeahRightflVPNTunnel attributes
 wins-server value 10.20.0.9
 dns-server value 10.20.0.9
 vpn-tunnel-protocol IPSec
 password-storage disable
 pfs disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl-vpnclient
 default-domain value YeahRight.com
group-policy YeahRightFLVPNTunnel internal
group-policy YeahRightFLVPNTunnel attributes
 wins-server value 10.20.0.9
 dns-server value 10.20.0.9 10.20.0.7
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value YeahRightFLVPNTunnel_splitTunnelAcl
 default-domain value yeahright.com
tunnel-group YeahRightFLVPN type remote-access
tunnel-group YeahRightFLVPN general-attributes
 address-pool VPNPool
tunnel-group YeahRightFLVPNTunnel type remote-access
tunnel-group YeahRightFLVPNTunnel general-attributes
 address-pool VPNPool
 authentication-server-group WinRadius
 default-group-policy YeahRightFLVPNTunnel
tunnel-group YeahRightFLVPNTunnel ipsec-attributes
 pre-shared-key *
Answer 1
Of course you can implement this scenario. It is called "hairpinning". You need the following:
- Make the remote-access user POOL part of the crypto access list associated with the crypto map
- Configure a NAT-EXEMPT or NO-NAT access list that includes that pool.
Most importantly:
- Configure this command: "same-security-traffic permit intra-interface" to allow traffic to enter and leave the same interface on the Cisco ASA.
- Configure the tunnel peer (router) to include the remote-access user pool in its crypto access list, since the L2L tunnel crypto access lists must be mirrored on both peers.
- If the remote-access users use split tunneling, you need to make sure the subnet behind the remote peer (router) is included in the split-tunnel access list.
See this: https://supportforums.cisco.com/message/3864922
Hope this helps.
Marshall
Answer 2
Please add more information and the architecture; it would help a lot. We do not know your site 2 IP. Something seems to be missing from the group group-inside-vpnclient, since 10.20.0.0/24 is on site 1 and 10.21.1.0/24 is your VPN pool. You will also need a route to the site 2 network IPs via the site 1 router.
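As an added example (not the poster's configuration and not code from either answerer), the following Python script reads an ASA configuration in the pre-8.3 syntax shown in the question and reports which of the items from answer 1, plus the route answer 2 asks for, are missing for a given destination network: a split-tunnel ACL that exists and contains the destination, a NAT-exempt entry between the VPN pool and the destination, a specific route to it, and the same-security-traffic permit intra-interface command. The sample config is condensed from the question; the nat (inside) 0 line, the site 2 network 192.0.2.0/24 and the site 1 router address 10.20.0.1 are assumed placeholders because the question does not give them.

```python
"""Offline lint: does a Cisco ASA config (pre-8.3 NAT syntax) contain the pieces
a remote-access VPN client needs to reach a network behind a tunnel peer?"""
import ipaddress
from collections import defaultdict

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample, condensed from the question's config. The "nat (inside) 0" line
# is assumed (the excerpt omits it); SITE2_NET and the site 1 router address 10.20.0.1
# are placeholders, since the question never states the site 2 subnet.
SITE2_NET = "192.0.2.0/24"
CONFIG_BEFORE = """
object-group network group-inside-vpnclient
 network-object 10.20.0.0 255.255.255.0
 network-object 10.20.1.0 255.255.255.0
access-list acl-vpnclient extended permit ip object-group group-inside-vpnclient any
access-list PinesFLVPNTunnel_splitTunnelAcl standard permit 10.20.0.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.20.0.0 255.255.255.0 10.20.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound_1
ip local pool VPNPool 10.20.1.100-10.20.1.200 mask 255.255.255.0
route outside 0.0.0.0 0.0.0.0 7.7.7.17 1
group-policy YeahRightFLVPNTunnel attributes
 split-tunnel-network-list value YeahRightFLVPNTunnel_splitTunnelAcl
"""
_S2 = ipaddress.ip_network(SITE2_NET)
# The same config plus the items answer 1 lists and the route answer 2 asks for.
CONFIG_AFTER = CONFIG_BEFORE + f"""
same-security-traffic permit intra-interface
access-list YeahRightFLVPNTunnel_splitTunnelAcl standard permit 10.20.0.0 255.255.255.0
access-list YeahRightFLVPNTunnel_splitTunnelAcl standard permit {_S2.network_address} {_S2.netmask}
access-list inside_nat0_outbound_1 extended permit ip {_S2.network_address} {_S2.netmask} 10.20.1.0 255.255.255.0
route inside {_S2.network_address} {_S2.netmask} 10.20.0.1 1
"""

def _addr(tok, i, groups):
    """Consume one ACL address spec at tok[i]; return (networks, next index)."""
    if tok[i] == "any":
        return [ANY], i + 1
    if tok[i] == "host":
        return [ipaddress.ip_network(tok[i + 1] + "/32")], i + 2
    if tok[i] == "object-group":
        return list(groups[tok[i + 1]]), i + 2
    return [ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False)], i + 2

def parse(text):
    """Collect object-groups, ACLs, pools, NAT-exempt ACL names, routes, split-tunnel refs."""
    cfg = {"groups": defaultdict(list), "acls": defaultdict(list), "pools": {},
           "nat0": set(), "routes": [], "split": {}, "intra_interface": False}
    group = policy = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if raw[0] != " ":  # a top-level line ends any sub-command block
            group = policy = None
        if tok[:2] == ["object-group", "network"]:
            group = tok[2]
        elif tok[0] == "network-object" and group:
            cfg["groups"][group].append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}"))
        elif tok[0] == "access-list" and tok[2:4] == ["extended", "permit"]:
            src, i = _addr(tok, 5, cfg["groups"])
            dst, _ = _addr(tok, i, cfg["groups"])
            cfg["acls"][tok[1]].append((src, dst))
        elif tok[0] == "access-list" and tok[2:4] == ["standard", "permit"]:
            cfg["acls"][tok[1]].append(([ANY], [ipaddress.ip_network(f"{tok[4]}/{tok[5]}")]))
        elif tok[:3] == ["ip", "local", "pool"]:  # summarise START-END with its mask
            cfg["pools"][tok[3]] = ipaddress.ip_network(f"{tok[4].split('-')[0]}/{tok[6]}", strict=False)
        elif tok[0] == "nat" and tok[2:4] == ["0", "access-list"]:
            cfg["nat0"].add(tok[4])
        elif tok[0] == "route":
            cfg["routes"].append(ipaddress.ip_network(f"{tok[2]}/{tok[3]}"))
        elif tok[0] == "group-policy" and tok[-1] == "attributes":
            policy = tok[1]
        elif tok[0] == "split-tunnel-network-list" and policy:
            cfg["split"][policy] = tok[2]
        elif tok == ["same-security-traffic", "permit", "intra-interface"]:
            cfg["intra_interface"] = True
    return cfg

def _covered(net, candidates):
    return any(net.subnet_of(c) for c in candidates)

def lint(text, target):
    """Return findings that would stop VPN-pool clients reaching `target`; [] when clean."""
    cfg, target, out = parse(text), ipaddress.ip_network(target), []
    for policy, acl in cfg["split"].items():
        if acl not in cfg["acls"]:
            out.append(f"group-policy {policy}: split-tunnel ACL {acl} is not defined")
        elif not any(_covered(target, dst) for _, dst in cfg["acls"][acl]):
            out.append(f"group-policy {policy}: {target} is not in split-tunnel ACL {acl}")
    exempt = [e for name in cfg["nat0"] for e in cfg["acls"][name]]
    for name, pool in cfg["pools"].items():
        if not any((_covered(target, s) and _covered(pool, d)) or
                   (_covered(pool, s) and _covered(target, d)) for s, d in exempt):
            out.append(f"pool {name} ({pool}) <-> {target}: no NAT-exempt entry")
    if not any(r.prefixlen and target.subnet_of(r) for r in cfg["routes"]):
        out.append(f"no specific route to {target}; only the default route matches")
    if not cfg["intra_interface"]:
        out.append("same-security-traffic permit intra-interface is not set")
    return out

if __name__ == "__main__":
    print("before:", lint(CONFIG_BEFORE, SITE2_NET))
    print("after:", lint(CONFIG_AFTER, SITE2_NET) or "no findings")
```

Run against the question's excerpt the lint reports four findings, the first being that the group policy references a split-tunnel ACL that is never defined (the ACL in the excerpt is named PinesFLVPNTunnel_splitTunnelAcl); with the additions it reports nothing. The intra-interface check only matters when both tunnels terminate on the same ASA, which is the hairpin case answer 1 describes; when the site-to-site tunnel terminates on the 2841 instead, the route and the mirrored crypto ACL on the routers are what carry the pool traffic.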