Clients connect to the ASA5510 through the Cisco VPN client. Access to the 192.168.0.x subnet works fine; it is only 192.168.13.x that cannot be reached. I can reach it from the ASA without trouble, just not over the VPN connection. The path should be VPN client -> 192.168.0.10 -> 192.168.0.1 -> 192.168.13.x. If you need any other information, I will add it below.
show route from the ASA:
S 10.0.0.0 255.0.0.0 [1/0] via 192.168.0.1, inside
C 192.168.0.0 255.255.255.0 is directly connected, inside
S 192.168.0.161 255.255.255.255 [1/0] via 208.78.x.x, outside
S 192.168.0.162 255.255.255.255 [1/0] via 208.78.x.x, outside
C 208.78.x.x 255.255.255.240 is directly connected, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 208.78.x.x, outside
S 192.168.0.0 255.255.0.0 [1/0] via 192.168.0.1, inside
route print from the VPN client:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.20.4.225 172.20.4.235 20
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
172.20.1.16 255.255.255.255 172.20.4.225 172.20.4.235 100
172.20.4.224 255.255.255.224 On-link 172.20.4.235 276
172.20.4.235 255.255.255.255 On-link 172.20.4.235 276
172.20.4.255 255.255.255.255 On-link 172.20.4.235 276
192.168.0.0 255.255.0.0 192.168.0.1 192.168.0.161 100
192.168.0.0 255.255.255.0 On-link 192.168.0.161 276
192.168.0.161 255.255.255.255 On-link 192.168.0.161 276
192.168.0.255 255.255.255.255 On-link 192.168.0.161 276
208.78.119.34 255.255.255.255 172.20.4.225 172.20.4.235 100
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 172.20.4.235 276
224.0.0.0 240.0.0.0 On-link 192.168.0.161 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 172.20.4.235 276
255.255.255.255 255.255.255.255 On-link 192.168.0.161 276
access-list NONAT extended permit ip any 192.168.0.160 255.255.255.240
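As an added diagnostic (not code from the question or the answers), the script below reproduces the longest-prefix-match lookup each hop performs on the two route tables quoted above and then checks the quoted NONAT entry against the flow. It assumes the client's VPN adapter address is 192.168.0.161 (the interface shown in the route print), uses 192.168.13.5 as a constructed sample host on the unreachable subnet, and keeps the masked 208.78.x.x next hop as an opaque label. The exemption check follows how the ASA evaluates a nat 0 access-list on the inside interface: the inside host is the source and the VPN client is the destination.

```python
from __future__ import annotations
import ipaddress
from typing import NamedTuple, Optional

class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    gateway: str     # next hop; "On-link"/"connected" for directly attached prefixes
    iface: str
    metric: int = 0  # only the Windows table carries a metric

# Constructed from the "show route" output in the question; the 208.78.x.x
# addresses are masked on the page and are kept as opaque labels here.
ASA_SHOW_ROUTE = """
S 10.0.0.0 255.0.0.0 [1/0] via 192.168.0.1, inside
C 192.168.0.0 255.255.255.0 is directly connected, inside
S 192.168.0.161 255.255.255.255 [1/0] via 208.78.x.x, outside
S 192.168.0.162 255.255.255.255 [1/0] via 208.78.x.x, outside
C 208.78.x.x 255.255.255.240 is directly connected, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 208.78.x.x, outside
S 192.168.0.0 255.255.0.0 [1/0] via 192.168.0.1, inside
"""

# Constructed from the client's "route print" in the question (loopback,
# multicast and local-LAN host rows omitted; they never match the lookups below).
CLIENT_ROUTE_PRINT = """
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.20.4.225 172.20.4.235 20
172.20.4.224 255.255.255.224 On-link 172.20.4.235 276
192.168.0.0 255.255.0.0 192.168.0.1 192.168.0.161 100
192.168.0.0 255.255.255.0 On-link 192.168.0.161 276
192.168.0.161 255.255.255.255 On-link 192.168.0.161 276
"""

NONAT_ACE = "access-list NONAT extended permit ip any 192.168.0.160 255.255.255.240"
CLIENT_VPN_IP = "192.168.0.161"  # assumed: the client's VPN adapter address per the route print

def parse_asa_routes(text: str) -> list[Route]:
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        try:
            prefix = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        except ValueError:
            continue  # the prefix itself is masked (x.x) on the page; skip it
        if "directly connected" in line:
            routes.append(Route(prefix, "connected", parts[-1]))
        else:
            via = parts.index("via")
            routes.append(Route(prefix, parts[via + 1].rstrip(","), parts[via + 2]))
    return routes

def parse_windows_routes(text: str) -> list[Route]:
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0][0].isdigit():
            continue  # header row
        net, mask, gateway, iface, metric = parts
        routes.append(Route(ipaddress.ip_network(f"{net}/{mask}", strict=False),
                            gateway, iface, int(metric)))
    return routes

def lookup(routes: list[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; among equal prefix lengths the lowest metric wins."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.metric)) if matches else None

def _endpoint(parts: list[str], i: int) -> tuple[ipaddress.IPv4Network, int]:
    if parts[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if parts[i] == "host":
        return ipaddress.ip_network(parts[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{parts[i]}/{parts[i + 1]}", strict=False), i + 2

def ace_matches(ace: str, src: str, dst: str) -> bool:
    """Match a 'permit ip <src> <dst>' ACE. For a nat 0 exemption on the inside
    interface the ASA evaluates src = inside host, dst = VPN client."""
    parts = ace.split()
    i = parts.index("permit") + 2  # skip the protocol keyword
    src_net, i = _endpoint(parts, i)
    dst_net, _ = _endpoint(parts, i)
    return ipaddress.ip_address(src) in src_net and ipaddress.ip_address(dst) in dst_net

def trace(dst: str) -> dict:
    """Where each hop sends traffic for dst, how the ASA routes the reply back
    to the VPN client, and whether the inside->client flow is NAT-exempt."""
    asa = parse_asa_routes(ASA_SHOW_ROUTE)
    client_hop = lookup(parse_windows_routes(CLIENT_ROUTE_PRINT), dst)
    asa_hop = lookup(asa, dst)
    reply_hop = lookup(asa, CLIENT_VPN_IP)
    return {
        "client_prefix": str(client_hop.prefix), "client_next_hop": client_hop.gateway,
        "client_iface": client_hop.iface,
        "asa_prefix": str(asa_hop.prefix), "asa_next_hop": asa_hop.gateway, "asa_iface": asa_hop.iface,
        "reply_iface": reply_hop.iface,
        "nat_exempt": ace_matches(NONAT_ACE, src=dst, dst=CLIENT_VPN_IP),
    }

if __name__ == "__main__":
    for host in ("192.168.0.10", "192.168.13.5"):  # 192.168.13.5 is a constructed sample host
        print(host, trace(host))
```

Running it shows that the client does send 192.168.13.x into the tunnel (the 192.168.0.0/16 route with gateway 192.168.0.1 on the VPN adapter wins over the default route), that the ASA forwards it to 192.168.0.1 on inside via its own /16 route, and that the reply to 192.168.0.161 goes back out via the /32 on outside. The quoted NONAT entry matches the inside-to-client direction, so a lookup like this narrows the problem to whatever is not visible on the page: the rest of the NAT configuration the answer asks about, or the path beyond 192.168.0.1.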
Answer 1
What does the NAT configuration (translation and exemption) for your VPN pool look like?
@evolvd Maybe document the solution for future Googlers? I'm guessing a tighter ACL on the NAT restricting traffic from the client?