Cisco ASA (client VPN) to LAN - over a second VPN to a second LAN


We have 2 sites linked by an IPSEC VPN to a remote Cisco ASA:

Site 1: 1.5Mb T1 connected to Cisco(1) 2841

Site 2: 1.5Mb T1 connected to Cisco 2841

Also:

Site 1 has a second WAN, a 3Mb bonded T1, connected to a Cisco 5510, which connects to the same LAN as the Cisco (1) 2841.

Basically, remote access (VPN) users connecting through the Cisco ASA 5510 need to reach services at the Site 2 end. This is due to how the service is sold - the Cisco 2841 routers are not under our management and are set up to allow connections from the local LAN VLAN 1 IP addresses, 10.20.0.0/24. My thought is to have all traffic from remote users on the Cisco ASA that is destined for Site 2 travel over the VPN between Site 1 and Site 2. The end result is that all traffic reaching Site 2 comes from Site 1.

I am struggling to find information on how to set this up. So, firstly, can someone confirm whether what I am trying to achieve is possible? Secondly, can someone help me correct the configuration below or point me to an example of this type of configuration?

Many thanks.

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 7.7.7.19 255.255.255.240  


interface Ethernet0/1    
 nameif inside    
 security-level 100    
 ip address 10.20.0.249 255.255.255.0    


object-group network group-inside-vpnclient  
 description All inside networks accessible to vpn clients  
 network-object 10.20.0.0 255.255.255.0  
 network-object 10.20.1.0 255.255.255.0    
object-group network group-adp-network  
 description ADP IP Address or network accessible to vpn clients  
 network-object 207.207.207.173 255.255.255.255  

access-list outside_access_in extended permit icmp any any echo-reply  
access-list outside_access_in extended permit icmp any any source-quench  
access-list outside_access_in extended permit icmp any any unreachable  
access-list outside_access_in extended permit icmp any any time-exceeded  
access-list outside_access_in extended permit tcp any host 7.7.7.20 eq smtp  
access-list outside_access_in extended permit tcp any host 7.7.7.20 eq https  
access-list outside_access_in extended permit tcp any host 7.7.7.20 eq pop3  
access-list outside_access_in extended permit tcp any host 7.7.7.20 eq www  
access-list outside_access_in extended permit tcp any host 7.7.7.21 eq www  
access-list outside_access_in extended permit tcp any host 7.7.7.21 eq https  
access-list outside_access_in extended permit tcp any host 7.7.7.21 eq 5721  
access-list acl-vpnclient extended permit ip object-group group-inside-vpnclient any  
access-list acl-vpnclient extended permit ip object-group group-inside-vpnclient object-group group-adp-network  
access-list acl-vpnclient extended permit ip object-group group-adp-network object-group group-inside-vpnclient  
access-list PinesFLVPNTunnel_splitTunnelAcl standard permit 10.20.0.0 255.255.255.0  
access-list inside_nat0_outbound_1 extended permit ip 10.20.0.0 255.255.255.0 10.20.1.0 255.255.255.0  
access-list inside_nat0_outbound_1 extended permit ip 10.20.0.0 255.255.255.0 host 207.207.207.173  
access-list inside_nat0_outbound_1 extended permit ip 10.20.1.0 255.255.255.0 host 207.207.207.173  

ip local pool VPNPool 10.20.1.100-10.20.1.200 mask 255.255.255.0  

route outside 0.0.0.0 0.0.0.0 7.7.7.17 1  
route inside 207.207.207.173 255.255.255.255 10.20.0.3 1  

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac  
crypto ipsec security-association lifetime seconds 28800  
crypto ipsec security-association lifetime kilobytes 4608000  
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA  
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 288000  
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000  
crypto dynamic-map outside_dyn_map 20 set reverse-route  
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map  
crypto map outside_map interface outside  
crypto map outside_dyn_map 20 match address acl-vpnclient  
crypto map outside_dyn_map 20 set security-association lifetime seconds 28800  
crypto map outside_dyn_map 20 set security-association lifetime kilobytes 4608000  
crypto isakmp identity address  
crypto isakmp enable outside  
crypto isakmp policy 20  
 authentication pre-share  
 encryption 3des  
 hash sha  
 group 2  
 lifetime 86400  

group-policy YeahRightflVPNTunnel internal  
group-policy YeahRightflVPNTunnel attributes    
 wins-server value 10.20.0.9  
 dns-server value 10.20.0.9  
 vpn-tunnel-protocol IPSec  
 password-storage disable  
 pfs disable  
 split-tunnel-policy tunnelspecified  
 split-tunnel-network-list value acl-vpnclient  
 default-domain value YeahRight.com  
group-policy YeahRightFLVPNTunnel internal  
group-policy YeahRightFLVPNTunnel attributes  
 wins-server value 10.20.0.9  
 dns-server value 10.20.0.9 10.20.0.7  
 vpn-tunnel-protocol IPSec  
 split-tunnel-policy tunnelspecified  
 split-tunnel-network-list value YeahRightFLVPNTunnel_splitTunnelAcl  
 default-domain value yeahright.com  

tunnel-group YeahRightFLVPN type remote-access  
tunnel-group YeahRightFLVPN general-attributes  
 address-pool VPNPool  

tunnel-group YeahRightFLVPNTunnel type remote-access  
tunnel-group YeahRightFLVPNTunnel general-attributes  
 address-pool VPNPool  
 authentication-server-group WinRadius  
 default-group-policy YeahRightFLVPNTunnel  
tunnel-group YeahRightFLVPNTunnel ipsec-attributes  
 pre-shared-key *  

Answer 1

Sure, you can achieve this scenario. It is called "hairpinning". You need to do the following:

  • Configure the remote-access user POOL as part of the crypto access list associated with the crypto map.
  • Configure the NAT-EXEMPT or NO-NAT access list to include the pool.

Most importantly:

  • Configure this command: "same-security-traffic permit intra-interface" to allow traffic to enter and leave the same interface on the Cisco ASA.
  • Configure the tunnel peer (router) to include the remote-access user pool in its crypto access list, since the L2L tunnel crypto access lists must mirror each other on both peers.
  • If the remote-access users use split tunneling, you need to make sure the subnet behind the remote peer (router) is included in the split-tunnel access list.

Have a look at this: https://supportforums.cisco.com/message/3864922

Hope this helps.

Marshal
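As an added illustration of the steps in this answer (it is not part of the original post and not the poster's configuration), here is an ASA 8.2-style fragment that ties the remote-access pool from the posted config (10.20.1.0/24) into a site-to-site tunnel terminated on the ASA, which is the topology the answer's steps assume. The Site 2 LAN (192.0.2.0/24) and the L2L peer address (203.0.113.1) are placeholders, since the page does not state them; the object, ACL and crypto-map names other than those reused from the posted config are likewise my own.

```cisco
! Added example, not the poster's config. Placeholders: Site 2 LAN 192.0.2.0/24,
! L2L peer 203.0.113.1. Pool 10.20.1.0/24, inside LAN 10.20.0.0/24, crypto map
! outside_map and transform set ESP-3DES-SHA are taken from the posted config.

! 1. Let traffic enter and leave the same (outside) interface: the hairpin.
same-security-traffic permit intra-interface

! 2. Crypto ACL for the L2L tunnel: inside LAN *and* the remote-access pool
!    as sources. The peer's crypto ACL must be the exact mirror of these lines.
access-list outside_cryptomap_site2 extended permit ip 10.20.0.0 255.255.255.0 192.0.2.0 255.255.255.0
access-list outside_cryptomap_site2 extended permit ip 10.20.1.0 255.255.255.0 192.0.2.0 255.255.255.0

! 3. NAT exemption. Client traffic arrives on outside and leaves on outside,
!    so its no-NAT list is bound to the outside interface, not inside.
access-list outside_nat0_outbound extended permit ip 10.20.1.0 255.255.255.0 192.0.2.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound
!    LAN hosts behind inside need their own exemption towards Site 2
!    (reuses the posted no-NAT list; bind it if it is not already bound).
access-list inside_nat0_outbound_1 extended permit ip 10.20.0.0 255.255.255.0 192.0.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound_1

! 4. Split tunnel: clients only send Site 2 traffic into the tunnel if the
!    Site 2 LAN is in the list referenced by the group policy.
access-list YeahRightFLVPNTunnel_splitTunnelAcl standard permit 192.0.2.0 255.255.255.0

! 5. Static L2L entry on the existing crypto map. Sequence 10 is evaluated
!    before the dynamic entry at sequence 20 in the posted config.
crypto map outside_map 10 match address outside_cryptomap_site2
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 10 set transform-set ESP-3DES-SHA
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key *
```

The existing isakmp policy 20 (pre-share, 3des, sha, group 2) serves the L2L tunnel as well, so no second policy is needed unless the peer negotiates different parameters. After a client sends traffic towards the placeholder Site 2 LAN, `show crypto ipsec sa peer 203.0.113.1` should show two SAs (one per crypto ACL line) with encaps and decaps counters rising; a proxy-identity mismatch logged during phase 2 usually means the peer's crypto ACL does not yet carry the pool line. On ASA 8.3 and later the two `nat 0 access-list` statements are replaced by twice-NAT `nat (outside,outside) source static ... destination static ...` and `nat (inside,outside) source static ... destination static ...` lines; the rest of the fragment is unchanged.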

Answer 2

Please add more information and an architecture diagram; that would be very helpful. We do not know your Site 2 IP. It seems to be missing from the group group-inside-vpnclient, since 10.20.0.0/24 is at Site 1 and 10.21.1.0/24 is your VPN pool. You also need a route for the Site 2 network IP via the Site 1 router. If 207.207.207.173 is the IP you are trying to reach at Site 2, we really need more clarification.
