ASA stops internet access when connected to VPN - firmware 9.x

I am having a problem setting up a remote access VPN on a Cisco ASA (firmware 9.1).

I can connect over the VPN and reach all internal resources, but I cannot access the internet while connected to the VPN.

I don't know about split tunneling.

Here is my config:

: Saved
:
ASA Version 9.1(3) 
!
hostname ciscoasa
domain-name mydomain.com
enable password password encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd another.password encrypted
names
name 192.168.1.254 ciscoasa
name 192.168.1.0 LAN-Home
ip local pool VPN_pool 192.168.1.100-192.168.1.120 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address ciscoasa 255.255.255.0 
 ipv6 address autoconfig
 ipv6 enable
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
 ipv6 enable
!
boot system disk0:/asa913-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.1.50
 domain-name mydomain.com
same-security-traffic permit intra-interface
object network obj_any-01
 subnet 0.0.0.0 0.0.0.0
object network LAN-Home
 subnet 192.168.1.0 255.255.255.0
 description Home LAN

object network HTTP_server
 host 192.168.1.50
 description HTTP Server
object network HTTPS_Server
 host 192.168.1.50
 description HTTPS Server
object network SMTP
 host 192.168.1.50
 description SMTP
object network IMAPS
 host 192.168.1.50
 description IMAPS
object service imaps
 service tcp source range 1 65535 destination eq 993 
 description imaps
object network IMAP
 host 192.168.1.50
 description IMAP
object network HTTPS_server2
 host 192.168.1.51
 description SomeOther HTTPS mapping

object network obj-vpnpool
 subnet 192.168.1.0 255.255.255.0
object-group network obj_any
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list 115 extended permit tcp any4 any4 eq telnet 
access-list dhcp extended permit ip any4 any4 
access-list external extended permit icmp any4 any4 echo-reply 
access-list external extended permit object-group TCPUDP any object HTTP_server eq www 
access-list external extended permit tcp any object HTTPS_Server eq https 
access-list external extended permit tcp any object SMTP eq smtp 
access-list external extended permit object imaps any object IMAPS 
access-list external extended permit tcp any object IMAP eq imap4 
access-list external extended permit tcp any object HTTPS_server2 eq https 
pager lines 24
logging enable
logging asdm warnings
logging from-address [email protected]
logging recipient-address [email protected] level errors
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp deny any outside
icmp permit any time-exceeded outside
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any-01
 nat (inside,outside) dynamic interface
object network HTTP_server
 nat (inside,outside) static interface service tcp www www 
object network HTTPS_Server
 nat (inside,outside) static interface service tcp https https 
object network SMTP
 nat (inside,outside) static interface service tcp smtp smtp 
object network IMAPS
 nat (inside,outside) static interface service tcp 993 993 
object network IMAP
 nat (inside,outside) static interface service tcp imap4 imap4 
object network HTTPS_server2
 nat (inside,outside) static interface service tcp https 8080 
object network obj-vpnpool
 nat (outside,outside) dynamic interface
access-group external in interface outside
timeout xlate 1:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server AuthInbound protocol radius
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
aaa authentication http console LOCAL 
aaa local authentication attempts max-fail 5
http server enable
http LAN-Home 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt No Unauthorised Access. Please enter your User Credentials. 
auth-prompt accept Welcome! or are you... 
auth-prompt reject Access has been denied. 
crypto ipsec ikev1 transform-set dessha esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set espdes esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set desmd5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set 3dessha esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map outside_dyn_map 60000 set ikev1 transform-set ESP-3DES-SHA
crypto map corpvpn 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map corpvpn interface outside
crypto isakmp identity address 
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 36000
crypto ikev1 policy 2
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 36000
crypto ikev1 policy 3
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto ikev1 policy 5
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 36000
crypto ikev1 policy 7
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto ikev1 policy 9
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet LAN-Home 255.255.255.0 inside
telnet timeout 20
ssh LAN-Home 255.255.255.0 inside
ssh timeout 20
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
vpn-addr-assign local reuse-delay 360

dhcp-client broadcast-flag
dhcp-client client-id interface outside
dhcpd dns 192.168.1.50
dhcpd domain mydomain.com
dhcpd auto_config outside
!
dhcpd address 192.168.1.220-192.168.1.250 inside
dhcpd dns 192.168.1.50 interface inside
dhcpd domain mydomain.com interface inside
dhcpd option 3 ip ciscoasa interface inside
dhcpd enable inside
!
webvpn
 csd image disk0:/securedesktop-asa-3.3.0.151-k9.pkg
group-policy RemoteAccessVPN internal
group-policy RemoteAccessVPN attributes
 dns-server value 192.168.1.50
 vpn-tunnel-protocol ikev1 
 default-domain value mydomain.com
 split-tunnel-all-dns enable
username user password password encrypted privilege 15
tunnel-group RemoteAccessVPN type remote-access
tunnel-group RemoteAccessVPN general-attributes
 address-pool VPN_pool
 default-group-policy RemoteAccessVPN
tunnel-group RemoteAccessVPN ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect http 
  inspect ils 
  inspect ipsec-pass-thru 
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous

asdm image disk0:/asdm-715.bin
no asdm history enable

Any suggestions would be appreciated.

Answer 1

You need to enable split tunneling in order to reach local (non-VPN-protected) resources when connecting from a remote client.

How did you configure the VPN? Did you use ASDM? If you are using the Windows client, did you tick the "Allow local network access" switch?
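As an added illustration (not part of the original question or answer), this is what the split-tunnel change looks like on the poster's ASA 9.1 configuration: a standard ACL listing only the home LAN, attached to the existing RemoteAccessVPN group policy, so that only 192.168.1.0/24 is sent through the tunnel and internet traffic leaves via the client's local gateway. The ACL name SPLIT_TUNNEL is an assumption; the group-policy name and subnet come from the posted config.

```cisco
! Standard ACL naming the networks that should go through the tunnel.
! Only the home LAN is listed, so everything else (including internet
! traffic) is routed locally by the client instead of via the ASA.
! SPLIT_TUNNEL is an assumed name; choose any name not already in use.
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
!
! Attach the list to the group policy that the RemoteAccessVPN tunnel-group
! already uses as its default-group-policy.
group-policy RemoteAccessVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! Verify that the attributes were applied before reconnecting the client.
show running-config group-policy RemoteAccessVPN
write memory
```

Clients must disconnect and reconnect to pick up the new policy; note that with split tunneling the client's internet traffic no longer passes through the ASA's inspection policy, which is the trade-off of this approach versus hairpinning all traffic through the firewall.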
