We have 2 sites linked via IPSEC VPN to a remote Cisco ASA:
Site 1: 1.5Mb T1 connected to Cisco(1) 2841
Site 2: 1.5Mb T1 connected to Cisco 2841
Additionally:
Site 1 has a second WAN, a 3Mb bonded T1, connected to a Cisco 5510, which connects to the same LAN as the Cisco (1) 2841.
Basically, remote-access (VPN) users connecting through the Cisco ASA 5510 need access to services at the site 2 end. This is because of the way the services are sold - the Cisco 2841 routers are not under our management and are set up to allow connections from the local LAN VLAN 1 IP address range 10.20.0.0/24. My idea is to have all traffic from remote users coming via the Cisco ASA and destined for site 2 go across the VPN between site 1 and site 2. The end result is that all traffic arriving at site 2 comes from site 1.
I am struggling to find information on how to set this up. So, first, can someone confirm whether what I am trying to achieve is possible? Second, could someone help me correct the configuration below, or point me to an example of this kind of configuration?
Many thanks.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 7.7.7.19 255.255.255.240
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.20.0.249 255.255.255.0
object-group network group-inside-vpnclient
 description All inside networks accessible to vpn clients
 network-object 10.20.0.0 255.255.255.0
 network-object 10.20.1.0 255.255.255.0
object-group network group-adp-network
 description ADP IP Address or network accessible to vpn clients
 network-object 207.207.207.173 255.255.255.255
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any source-quench
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit tcp any host 7.7.7.20 eq smtp
access-list outside_access_in extended permit tcp any host 7.7.7.20 eq https
access-list outside_access_in extended permit tcp any host 7.7.7.20 eq pop3
access-list outside_access_in extended permit tcp any host 7.7.7.20 eq www
access-list outside_access_in extended permit tcp any host 7.7.7.21 eq www
access-list outside_access_in extended permit tcp any host 7.7.7.21 eq https
access-list outside_access_in extended permit tcp any host 7.7.7.21 eq 5721
access-list acl-vpnclient extended permit ip object-group group-inside-vpnclient any
access-list acl-vpnclient extended permit ip object-group group-inside-vpnclient object-group group-adp-network
access-list acl-vpnclient extended permit ip object-group group-adp-network object-group group-inside-vpnclient
access-list PinesFLVPNTunnel_splitTunnelAcl standard permit 10.20.0.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.20.0.0 255.255.255.0 10.20.1.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.20.0.0 255.255.255.0 host 207.207.207.173
access-list inside_nat0_outbound_1 extended permit ip 10.20.1.0 255.255.255.0 host 207.207.207.173
ip local pool VPNPool 10.20.1.100-10.20.1.200 mask 255.255.255.0
route outside 0.0.0.0 0.0.0.0 7.7.7.17 1
route inside 207.207.207.173 255.255.255.255 10.20.0.3 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 288000
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map outside_dyn_map 20 match address acl-vpnclient
crypto map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
group-policy YeahRightflVPNTunnel internal
group-policy YeahRightflVPNTunnel attributes
 wins-server value 10.20.0.9
 dns-server value 10.20.0.9
 vpn-tunnel-protocol IPSec
 password-storage disable
 pfs disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl-vpnclient
 default-domain value YeahRight.com
group-policy YeahRightFLVPNTunnel internal
group-policy YeahRightFLVPNTunnel attributes
 wins-server value 10.20.0.9
 dns-server value 10.20.0.9 10.20.0.7
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value YeahRightFLVPNTunnel_splitTunnelAcl
 default-domain value yeahright.com
tunnel-group YeahRightFLVPN type remote-access
tunnel-group YeahRightFLVPN general-attributes
 address-pool VPNPool
tunnel-group YeahRightFLVPNTunnel type remote-access
tunnel-group YeahRightFLVPNTunnel general-attributes
 address-pool VPNPool
 authentication-server-group WinRadius
 default-group-policy YeahRightFLVPNTunnel
tunnel-group YeahRightFLVPNTunnel ipsec-attributes
 pre-shared-key *
Answer 1
Sure, you can achieve this scenario. It is called "hairpinning". You need to do the following:
- Configure the remote-access user POOL as part of the crypto access-list associated with the crypto map.
- Configure the NAT-EXEMPT or NO-NAT access-list to include the pool.
Most importantly:
- Configure this command: "same-security-traffic permit intra-interface" to allow traffic to enter and exit the same interface on the Cisco ASA.
- Configure the tunnel peer (the router) to include the remote-access user pool in its crypto access-list, since the L2L tunnel crypto access-lists must be mirrored on both peers.
- If the remote-access users use split tunneling, you need to make sure the subnet behind the remote peer (the router) is included in the split-tunnel access-list.
Take a look at this: https://supportforums.cisco.com/message/3864922
Hope this helps.
Marshal
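The five points in Answer 1 put together as one ASA configuration fragment. This is an added example written for this page, not the poster's configuration and not taken from the linked Cisco forum thread. It follows Answer 1's reading of the problem, in which the site 1 to site 2 L2L tunnel terminates on the ASA itself. The site 2 LAN (10.30.0.0/24) and the site 2 peer address (8.8.8.8) are placeholders because the question does not give them; the VPN pool 10.20.1.0/24, the LAN 10.20.0.0/24, the transform set and the split-tunnel ACL name come from the posted configuration. The nat 0 line is pre-8.3 syntax, assumed to match the ASDM-style names in the question, which does not show its nat statements.

```cisco
! Hairpin remote-access clients out through an L2L tunnel on the same ASA.
! Placeholders (not from the question): 10.30.0.0/24 = site 2 LAN, 8.8.8.8 = site 2 peer.

! 1. Traffic arriving on outside (from the VPN client) must be allowed to leave
!    through outside again (into the L2L tunnel).
same-security-traffic permit intra-interface

! 2. Crypto ACL for the L2L tunnel: the VPN pool is a source alongside the LAN.
!    The site 2 router must carry the exact mirror image (source/destination swapped).
access-list acl-l2l-site2 extended permit ip 10.20.0.0 255.255.255.0 10.30.0.0 255.255.255.0
access-list acl-l2l-site2 extended permit ip 10.20.1.0 255.255.255.0 10.30.0.0 255.255.255.0

! 3. NAT exemption so pool <-> site 2 packets keep their real addresses before encryption.
!    The ACL name is the one already present in the question; the nat 0 line is assumed.
access-list inside_nat0_outbound_1 extended permit ip 10.20.0.0 255.255.255.0 10.30.0.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.20.1.0 255.255.255.0 10.30.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound_1

! 4. Split tunneling: clients only send site 2 traffic into the VPN if the subnet is listed.
access-list YeahRightFLVPNTunnel_splitTunnelAcl standard permit 10.30.0.0 255.255.255.0

! 5. Static L2L crypto map entry with a lower sequence number than the dynamic entry (20),
!    so the static peer is matched first.
crypto map outside_map 10 match address acl-l2l-site2
crypto map outside_map 10 set peer 8.8.8.8
crypto map outside_map 10 set transform-set ESP-3DES-SHA
tunnel-group 8.8.8.8 type ipsec-l2l
tunnel-group 8.8.8.8 ipsec-attributes
 pre-shared-key <placeholder-psk>

! Checks after applying:
!   show crypto ipsec sa peer 8.8.8.8
!     -> the SA's local/remote proxy identities should include 10.20.1.0/24 <-> 10.30.0.0/24
!   packet-tracer input outside tcp 10.20.1.100 1025 10.30.0.10 445
!     -> should show the NAT-exempt match and the VPN encrypt phase, with no drop
```

If the site 1 to site 2 tunnel actually terminates on the site 1 2841 rather than on the ASA, as the question's description of the topology suggests, steps 2 and 5 belong on that router, which the poster says is not under their control; the ASA-side pieces that still apply are the NAT exemption and the split-tunnel entry.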
Answer 2
Please add more information and an architecture diagram; that would be very useful. We do not know your site 2 IP. That IP seems to be missing from the group group-inside-vpnclient, since 10.20.0.0/24 is on site 1 and 10.21.1.0/24 is your VPN pool. You also need a route for the site 2 network IP via the site 1 router. If 207.207.207.173 is the IP you are trying to reach on site 2, we really need more clarification.