Anticisco http://anticisco.ru/forum/
Remote Access VPN problems http://anticisco.ru/forum/viewtopic.php?f=2&t=10811
Page 1 of 1
Author: alex0000007 [ 04 Jan 2019, 18:02 ]
Subject: Remote Access VPN problems
I have run into a problem. There is an ASA 8.3.1 with a LAN of private addresses behind it, which reaches the outside world through NAT on the ASA. I would like to connect to the ASA with Cisco AnyConnect Secure Mobility Client Version 3.1.05160 and get access to some servers on the LAN. I managed to connect and authenticate on the ASA, but the networks refuse to talk to each other. I understand it is a NAT issue, but I cannot come up with the right configuration. In the log I have:

"04.01.2019 19:30" 10.11.21.101 Notice "asa %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.10.2.1 dst inside:10.11.21.5 (type 8, code 0) denied due to NAT reverse path failure "
"04.01.2019 19:30" 10.11.21.101 Notice "asa %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.10.2.1 dst inside:10.11.21.5 (type 8, code 0) denied due to NAT reverse path failure "

ASA config:

: Saved
:
ASA Version 8.3(1)
!
hostname asa
domain-name bank
enable password encrypted
passwd encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 91.194.175.253 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.11.21.101 255.255.0.0
 ospf cost 1
 ospf hello-interval 60
 ospf dead-interval 120
 ospf authentication null
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone SAMST 4
clock summer-time SAMDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
 domain-name bank
same-security-traffic permit intra-interface
object network obj-10.11.21.5
 host 10.11.21.5
object network obj-10.11.21.200-80
 host 10.11.21.200
object network obj-10.11.21.200-443
 host 10.11.21.200
object network obj-10.11.21.200-22
 host 10.11.21.200
object network vpn_net
 subnet 10.10.2.0 255.255.255.0
object network local_net
 subnet 10.11.0.0 255.255.0.0
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any traceroute
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit tcp any any eq ssh
access-list split-tunnel standard permit host 10.11.21.2
access-list split-tunnel standard permit 10.11.0.0 255.255.0.0
access-list inside_access_in extended permit ip host 10.11.21.2 any
access-list inside_access_in extended permit ip host 10.11.21.5 any
access-list inside_access_in extended permit ip host 10.11.21.250 any
access-list inside_access_in extended permit ip host 10.11.21.253 any
access-list inside_access_in extended permit ip host 10.11.21.252 any
access-list inside_access_in extended permit ip host 10.11.21.251 any
access-list inside_access_in extended permit ip host 10.11.21.249 any
access-list inside_access_in extended permit ip host 10.11.100.74 any
access-list inside_access_in extended permit ip host 10.11.21.200 any
access-list inside_access_in extended permit ip host 10.11.21.199 any
access-list inside_access_in extended permit ip host 10.11.21.248 any
pager lines 24
logging enable
logging monitor informational
logging trap informational
logging asdm informational
logging facility 22
logging device-id hostname
logging host inside 10.11.21.5
logging host inside 10.11.21.253
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 10.10.2.1-10.10.2.253 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj-10.11.21.200-80
 nat (inside,outside) static 91.194.175.252 service tcp www www
object network obj-10.11.21.200-443
 nat (inside,outside) static 91.194.175.252 service tcp https https
object network obj-10.11.21.200-22
 nat (inside,outside) static 91.194.175.252 service tcp ssh ssh
object network vpn_net
 nat (outside,inside) dynamic interface
object network local_net
 nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
!
router ospf 74
 router-id 250.250.250.250
 network 10.11.0.0 255.255.0.0 area 74
 log-adj-changes
!
route outside 0.0.0.0 0.0.0.0 91.194.175.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa local authentication attempts max-fail 16
http server enable
http 10.11.21.5 255.255.255.255 inside
http 10.11.100.74 255.255.255.255 inside
http 10.11.21.253 255.255.255.255 inside
snmp-server host inside 10.11.21.249 community ***** version 2c
snmp-server host outside 10.11.21.251 poll community ***** version 2c
snmp-server host inside 10.11.21.253 poll community ***** version 2c
snmp-server host inside 10.11.21.5 poll community ***** version 2c
snmp-server location My Table
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.11.21.251 255.255.255.255 outside
ssh 10.11.21.5 255.255.255.255 inside
ssh 10.11.21.249 255.255.255.255 inside
ssh 10.11.21.253 255.255.255.255 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.11.100.1 source inside
webvpn
 enable outside
 svc image disk0:/anyconnect-win-3.1.05160-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy clientgroup internal
group-policy clientgroup attributes
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelall
 split-tunnel-network-list value split-tunnel
 webvpn
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc ask none default svc
username ssluser1 password encrypted
username akrylov password encrypted
tunnel-group sslgroup type remote-access
tunnel-group sslgroup general-attributes
 address-pool vpnpool
 default-group-policy clientgroup
tunnel-group sslgroup webvpn-attributes
 group-alias sslgroup_users enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/odd ... DCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f7ec53acf4b4d12c106d069e3d7d2373
: end
Author: root99 [ 04 Jan 2019, 18:13 ]
Subject: Re: Remote Access VPN problems
If you don't understand how to set everything up from the command line, install ASDM and configure everything through the wizard; while you are at it, upgrade to the current software versions, ASA 9.1.x and AnyConnect 4.7.
Author: crash [ 04 Jan 2019, 18:52 ]
Subject: Re: Remote Access VPN problems
You apparently need to disable NAT for traffic between the AnyConnect networks and the networks inside, behind the ASA.
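An added example (not from this thread or any of its posters) of the NAT exemption that the reply above refers to, written in the ASA 8.3 twice-NAT syntax. It assumes the object names vpn_net (the AnyConnect pool 10.10.2.0/24) and local_net (10.11.0.0/16) exactly as they are defined in the posted config, and the packet-tracer addresses are the ones from the posted log lines.

```cisco
! Added example, not the thread's own config. Object names vpn_net and
! local_net are assumed to exist as defined in the posted configuration.
!
! Identity twice-NAT ("NAT exemption"): source and destination are mapped
! to themselves, so traffic between the LAN and the VPN pool is not
! translated in either direction. Twice-NAT rules live in NAT section 1 and
! are evaluated before the object NAT rules in section 2, so both the
! forward flow (10.10.2.1 -> 10.11.21.5) and the reverse flow match this
! same rule, which is what clears the %ASA-5-305013 "Asymmetric NAT rules"
! condition from the log.
nat (inside,outside) source static local_net local_net destination static vpn_net vpn_net
!
! Optional cleanup: with the exemption in place, the object NAT rule that
! PATs every VPN client to the inside interface address is no longer needed
! for LAN access (it is assumed to be used only for that purpose here).
object network vpn_net
 no nat (outside,inside) dynamic interface
!
! Verification: the new rule should be listed under section 1 of "show nat",
! and packet-tracer for the flow from the log should now show the NAT phase
! passing with an untranslated source and destination.
show nat
packet-tracer input outside icmp 10.10.2.1 8 0 10.11.21.5 detailed
```

The keywords no-proxy-arp and route-lookup that usually accompany this rule in later documentation are left out on purpose: they were introduced in later 8.4 releases and are not accepted by 8.3(1). Since the original question only wants a few LAN servers reachable, the least-privilege version is to put just those hosts in the object used as the local side of the rule instead of the whole 10.11.0.0/16, or to keep the broad exemption and restrict what VPN users may reach with a vpn-filter ACL applied in group-policy clientgroup; exemption from NAT is not an access decision, so the access-lists still decide what is permitted.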
Author: alex0000007 [ 04 Jan 2019, 19:58 ]
Subject: Re: Remote Access VPN problems
I understand that this needs to be done, but I just can't work out how to write it in the configuration. As for the ASDM advice, that is how I did it, and you can see the result.
Author: root99 [ 04 Jan 2019, 20:18 ]
Subject: Re: Remote Access VPN problems
There is documentation with pictures right here: https://www.cisco.com/c/en/us/support/s ... -list.html
Time zone: UTC + 3 hours