forum.opennet.ru

Составление сообщения

Исходное сообщение

"VPN ASA 5510 + Cisco VPN Client (не ходят пакеты во внутрь)"
Отправлено AlexeySV, 15-Дек-08 14:22

>>>nat 0 между внутренней сетью и vpn должен помочь
>>
>>Так вроде как нат уже есть....  :-(
>
>Ну тебе сказали об обратном - не натить или NA
------------------------------------------------------------------
----------------------------------------------------------------
Немного изменил конфигурацию и добавил NAT0, но при этом ситуация не меняется....  :-(
:
ASA Version 8.0(3)
!
hostname ASA-VPN-Srv
domain-name dkib.db
enable password blablabla encrypted
names
dns-guard
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 10.0.0.144 255.255.255.0
no igmp
ospf cost 10
!
interface Ethernet0/1
description VPN
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.240
no igmp
ospf cost 10
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 0
ip address
no igmp
ospf cost 10
management-only
!
passwd blablabla encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone BDT 6
dns server-group DefaultDNS
domain-name dkib.db
same-security-traffic permit inter-interface
object-group network NET_ATM
network-object 192.168.101.0 255.255.255.0
access-list ACL_outside_IN extended permit icmp any any
access-list ACL_inside_IN extended permit icmp any any
access-list ACL_NO_NAT extended permit ip any object-group NET_ATM
access-list outside_ATM_DYN extended permit ip any object-group NET_ATM
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
ip local pool ATM_POOL 192.168.101.2-192.168.101.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list ACL_NO_NAT
nat (inside) 1 10.0.0.0 255.255.255.0
nat (inside) 0 192.168.101.0 255.255.255.0
access-group ACL_inside_IN in interface inside
access-group ACL_outside_IN in interface outside
route outside 0.0.0.0 0.0.0.0 212.42.101.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
eou allow none
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set 3DESSHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_3DES_MD5
crypto dynamic-map outside_DYN_MAP 20 match address outside_ATM_DYN
crypto dynamic-map outside_DYN_MAP 20 set transform-set 3DESSHA
crypto dynamic-map outside_DYN_MAP 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map management_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map management_map interface management
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map outside_MAP 10 ipsec-isakmp dynamic outside_DYN_MAP
crypto map outside_MAP interface outside
crypto ca server
shutdown
issuer-name CN = ASA-VPN-Srv.segment.dn
crypto isakmp enable outside
crypto isakmp enable management
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics
ssl encryption des-sha1 rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
webvpn
enable outside
group-policy ATM-GROUP internal
group-policy ATM-GROUP attributes
dns-server value 10.0.0.2
vpn-simultaneous-logins 1
vpn-tunnel-protocol IPSec
username atmuser password blablabla encrypted privilege 7
username atmuser attributes
vpn-group-policy ATM-GROUP
username Root password UX2/n83rDWe4gM81 encrypted privilege 15
tunnel-group ATM_GROUP type remote-access
tunnel-group ATM_GROUP general-attributes
address-pool ATM_POOL
tunnel-group ATM_GROUP ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:0722c37f157cf8cda7c6b73e935c6d7b
: end
-----------------------------------------------------------
Народ помогите. Начался ступор....  :-(

Исходное сообщение
"VPN ASA 5510 + Cisco VPN Client (не ходят пакеты во внутрь)" Отправлено AlexeySV, 15-Дек-08 14:22
>>>nat 0 между внутренней сетью и vpn должен помочь >> >>Так вроде как нат уже есть.... :-( > >Ну тебе сказали об обратном - не натить или NA ------------------------------------------------------------------ ---------------------------------------------------------------- Немного изменил конфигурацию и добавил NAT0, но при этом ситуация не меняется.... :-( : ASA Version 8.0(3) ! hostname ASA-VPN-Srv domain-name dkib.db enable password blablabla encrypted names dns-guard ! interface Ethernet0/0 nameif inside security-level 100 ip address 10.0.0.144 255.255.255.0 no igmp ospf cost 10 ! interface Ethernet0/1 description VPN nameif outside security-level 0 ip address xxx.xxx.xxx.xxx 255.255.255.240 no igmp ospf cost 10 ! interface Ethernet0/2 shutdown no nameif no security-level no ip address ! interface Ethernet0/3 shutdown no nameif no security-level no ip address ! interface Management0/0 nameif management security-level 0 ip address no igmp ospf cost 10 management-only ! passwd blablabla encrypted boot system disk0:/asa803-k8.bin ftp mode passive clock timezone BDT 6 dns server-group DefaultDNS domain-name dkib.db same-security-traffic permit inter-interface object-group network NET_ATM network-object 192.168.101.0 255.255.255.0 access-list ACL_outside_IN extended permit icmp any any access-list ACL_inside_IN extended permit icmp any any access-list ACL_NO_NAT extended permit ip any object-group NET_ATM access-list outside_ATM_DYN extended permit ip any object-group NET_ATM pager lines 24 logging enable logging asdm informational mtu inside 1500 mtu outside 1500 mtu management 1500 ip local pool ATM_POOL 192.168.101.2-192.168.101.100 mask 255.255.255.0 icmp unreachable rate-limit 1 burst-size 1 icmp permit any inside icmp permit any outside asdm image disk0:/asdm-603.bin no asdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list ACL_NO_NAT nat (inside) 1 10.0.0.0 255.255.255.0 nat (inside) 0 192.168.101.0 255.255.255.0 access-group ACL_inside_IN in interface inside access-group ACL_outside_IN in interface outside route outside 0.0.0.0 0.0.0.0 212.42.101.17 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout uauth 0:05:00 absolute dynamic-access-policy-record DfltAccessPolicy eou allow none aaa authentication ssh console LOCAL aaa authentication telnet console LOCAL http server enable no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set 3DESSHA esp-3des esp-sha-hmac crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_3DES_MD5 crypto dynamic-map outside_DYN_MAP 20 match address outside_ATM_DYN crypto dynamic-map outside_DYN_MAP 20 set transform-set 3DESSHA crypto dynamic-map outside_DYN_MAP 20 set reverse-route crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map management_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map management_map interface management crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map inside_map interface inside crypto map outside_MAP 10 ipsec-isakmp dynamic outside_DYN_MAP crypto map outside_MAP interface outside crypto ca server shutdown issuer-name CN = ASA-VPN-Srv.segment.dn crypto isakmp enable outside crypto isakmp enable management crypto isakmp policy 5 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto isakmp policy 20 authentication pre-share encryption aes hash sha group 2 lifetime 86400 crypto isakmp policy 30 authentication pre-share encryption 3des hash md5 group 2 lifetime 86400 no vpn-addr-assign aaa no vpn-addr-assign dhcp telnet timeout 5 ssh timeout 5 console timeout 0 threat-detection basic-threat threat-detection statistics ssl encryption des-sha1 rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 webvpn enable outside group-policy ATM-GROUP internal group-policy ATM-GROUP attributes dns-server value 10.0.0.2 vpn-simultaneous-logins 1 vpn-tunnel-protocol IPSec username atmuser password blablabla encrypted privilege 7 username atmuser attributes vpn-group-policy ATM-GROUP username Root password UX2/n83rDWe4gM81 encrypted privilege 15 tunnel-group ATM_GROUP type remote-access tunnel-group ATM_GROUP general-attributes address-pool ATM_POOL tunnel-group ATM_GROUP ipsec-attributes pre-shared-key * ! ! prompt hostname context Cryptochecksum:0722c37f157cf8cda7c6b73e935c6d7b : end ----------------------------------------------------------- Народ помогите. Начался ступор.... :-(

Ваше сообщение

Имя*:

EMail:

Для отправки новых сообщений в текущей нити на email укажите знак ! перед адресом, например, !user@host.ru (!! - не показывать email).
Более тонкая настройка отправки ответов производится в профиле зарегистрированного участника форума.

Заголовок*:

Сообщение*:

>>>>nat 0 между внутренней сетью и vpn должен помочь 
>>> 
>>>Так вроде как нат уже есть....  :-( 
>> 
>>Ну тебе сказали об обратном - не натить или NA

> ------------------------------------------------------------------ 
> ---------------------------------------------------------------- 
> Немного изменил конфигурацию и добавил NAT0, но при этом ситуация не меняется.... 
>  :-(

> : 
> ASA Version 8.0(3) 
> !
> hostname ASA-VPN-Srv 
> domain-name dkib.db 
> enable password blablabla encrypted 
> names 
> dns-guard 
> !
> interface Ethernet0/0 
>  nameif inside 
>  security-level 100 
>  ip address 10.0.0.144 255.255.255.0 
>  no igmp 
>  ospf cost 10 
> !
> interface Ethernet0/1 
>  description VPN 
>  nameif outside 
>  security-level 0 
>  ip address xxx.xxx.xxx.xxx 255.255.255.240 
>  no igmp 
>  ospf cost 10 
> !
> interface Ethernet0/2 
>  shutdown 
>  no nameif 
>  no security-level 
>  no ip address 
> !
> interface Ethernet0/3 
>  shutdown 
>  no nameif 
>  no security-level 
>  no ip address 
> !
> interface Management0/0 
>  nameif management 
>  security-level 0 
>  ip address 
>  no igmp 
>  ospf cost 10 
>  management-only 
> !
> passwd blablabla encrypted 
> boot system disk0:/asa803-k8.bin 
> ftp mode passive 
> clock timezone BDT 6 
> dns server-group DefaultDNS 
>  domain-name dkib.db 
> same-security-traffic permit inter-interface 
> object-group network NET_ATM 
>  network-object 192.168.101.0 255.255.255.0 
> access-list ACL_outside_IN extended permit icmp any any 
> access-list ACL_inside_IN extended permit icmp any any 
> access-list ACL_NO_NAT extended permit ip any object-group NET_ATM 
> access-list outside_ATM_DYN extended permit ip any object-group NET_ATM 
> pager lines 24 
> logging enable 
> logging asdm informational 
> mtu inside 1500 
> mtu outside 1500 
> mtu management 1500 
> ip local pool ATM_POOL 192.168.101.2-192.168.101.100 mask 255.255.255.0 
> icmp unreachable rate-limit 1 burst-size 1 
> icmp permit any inside 
> icmp permit any outside 
> asdm image disk0:/asdm-603.bin 
> no asdm history enable 
> arp timeout 14400 
> global (outside) 1 interface 
> nat (inside) 0 access-list ACL_NO_NAT 
> nat (inside) 1 10.0.0.0 255.255.255.0 
> nat (inside) 0 192.168.101.0 255.255.255.0 
> access-group ACL_inside_IN in interface inside 
> access-group ACL_outside_IN in interface outside 
> route outside 0.0.0.0 0.0.0.0 212.42.101.17 1 
> timeout xlate 3:00:00 
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 
> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 
> timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 
> timeout uauth 0:05:00 absolute 
> dynamic-access-policy-record DfltAccessPolicy 
> eou allow none 
> aaa authentication ssh console LOCAL 
> aaa authentication telnet console LOCAL 
> http server enable 
> no snmp-server location 
> no snmp-server contact 
> snmp-server enable traps snmp authentication linkup linkdown coldstart 
> crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
> crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
> crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
> crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
> crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
> crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac 
> crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport 
> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
> crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
> crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
> crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
> crypto ipsec transform-set 3DESSHA esp-3des esp-sha-hmac 
> crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
> crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA ESP-3DES-MD5 
> ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 
> ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_3DES_MD5 
> crypto dynamic-map outside_DYN_MAP 20 match address outside_ATM_DYN 
> crypto dynamic-map outside_DYN_MAP 20 set transform-set 3DESSHA 
> crypto dynamic-map outside_DYN_MAP 20 set reverse-route 
> crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP 
> crypto map management_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP 
> crypto map management_map interface management 
> crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP 
> crypto map inside_map interface inside 
> crypto map outside_MAP 10 ipsec-isakmp dynamic outside_DYN_MAP 
> crypto map outside_MAP interface outside 
> crypto ca server 
>  shutdown 
>  issuer-name CN = ASA-VPN-Srv.segment.dn 
> crypto isakmp enable outside 
> crypto isakmp enable management 
> crypto isakmp policy 5 
>  authentication pre-share 
>  encryption 3des 
>  hash sha 
>  group 2 
>  lifetime 86400 
> crypto isakmp policy 20 
>  authentication pre-share 
>  encryption aes 
>  hash sha 
>  group 2 
>  lifetime 86400 
> crypto isakmp policy 30 
>  authentication pre-share 
>  encryption 3des 
>  hash md5 
>  group 2 
>  lifetime 86400 
> no vpn-addr-assign aaa 
> no vpn-addr-assign dhcp 
> telnet timeout 5 
> ssh timeout 5 
> console timeout 0 
> threat-detection basic-threat 
> threat-detection statistics 
> ssl encryption des-sha1 rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 
> webvpn 
>  enable outside 
> group-policy ATM-GROUP internal 
> group-policy ATM-GROUP attributes 
>  dns-server value 10.0.0.2 
>  vpn-simultaneous-logins 1 
>  vpn-tunnel-protocol IPSec 
> username atmuser password blablabla encrypted privilege 7 
> username atmuser attributes 
>  vpn-group-policy ATM-GROUP 
> username Root password UX2/n83rDWe4gM81 encrypted privilege 15 
> tunnel-group ATM_GROUP type remote-access 
> tunnel-group ATM_GROUP general-attributes 
>  address-pool ATM_POOL 
> tunnel-group ATM_GROUP ipsec-attributes 
>  pre-shared-key * 
> !
> !
> prompt hostname context 
> Cryptochecksum:0722c37f157cf8cda7c6b73e935c6d7b 
> : end 
> -----------------------------------------------------------

> Народ помогите. Начался ступор....  :-(

При общении не допускается: неуважительное отношение к собеседнику, хамство, унизительное обращение, ненормативная лексика, переход на личности, агрессивное поведение, обесценивание собеседника, провоцирование флейма голословными и заведомо ложными заявлениями. Не отвечайте на сообщения, явно нарушающие правила - удаляются не только сами нарушения, но и все ответы на них. Лог модерирования.

Партнёры:

Хостинг:

Закладки на сайте
Проследить за страницей

Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру