Update

I finally upgraded to 9.1.4. I went through all of the configuration and re-enabled the VPN, but still hit the same problem. So I wiped all of the VPN configuration and started from scratch. Below is my current configuration. I can connect and reach resources on the internal network. However, I cannot reach the Internet through the VPN.


dhcpd address 10.3.3.100-10.3.3.150 inside
dhcpd dns xx.xx.xx.xx xx.xx.xx.xx interface inside
dhcpd enable inside

threat-detection basic-threat
threat-detection statistics host number-of-rate 2
threat-detection statistics port number-of-rate 2
threat-detection statistics protocol number-of-rate 2
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy vpn_policy internal
group-policy vpn_policy attributes
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_splitTunnelAcl
username mike password x
username mike attributes
 vpn-tunnel-protocol l2tp-ipsec
username admin password x encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 address-pool VPNPool
 default-group-policy vpn_policy
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
: end



Original question

I am trying to set up L2TP over IPSec remote access VPN on an ASA 5505 running version 8.2(5). I can authenticate and establish a connection. However, I cannot reach resources on the internal network or access the Internet. In addition, the ASA cannot ping the connected client.

On the connected client I can ping the ASA's outside IP. When I do that, I even see the encrypted and decrypted packet counts in show crypto ipsec sa on the ASA increase.

I have tried a few things with NAT and routes, but cannot get it working.

My internal network is 10.3.3.0/24 and my VPN pool is 192.168.3.0/24. Below I have copied the relevant parts of the configuration.

xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
ip local pool VPNPool 192.168.3.1-192.168.3.30
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
 switchport access vlan 2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 description Private-Interface
 nameif inside
 security-level 100
 ip address 10.3.3.1 255.255.255.0 
!
interface Vlan2
 description Public-Interface
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.248 
!
boot system disk0:/asa914-k8.bin
object network obj-10.3.3.0
 subnet 10.3.3.0 255.255.255.0
object network vpn_nat
 subnet 192.168.3.0 255.255.255.0
object-group service Internet-udp udp
 description UDP Standard Internet Services
 port-object eq domain
 port-object eq ntp
object-group service Internet-tcp tcp
 description TCP Standard Internet Services
 port-object eq www
 port-object eq https
 port-object eq smtp
 port-object eq 465
 port-object eq pop3
 port-object eq 995
 port-object eq ftp
 port-object eq ftp-data
 port-object eq domain
 port-object eq ssh
object-group network Internal-Subnet
object-group network obj-vpnpool
access-list inside-in remark -=[Access Lists for Outgoing Packets from Inside interface]=-
access-list inside-in extended permit udp 10.3.3.0 255.255.255.0 any4 object-group Internet-udp 
access-list inside-in extended permit tcp 10.3.3.0 255.255.255.0 any4 object-group Internet-tcp 
access-list inside-in extended permit icmp 10.3.3.0 255.255.255.0 any4 
access-list outside-in remark -=[Access Lists for Incoming Packets on OUTSIDE interface]=-
access-list outside-in extended permit icmp any4 any4 echo-reply 
access-list outside-in extended permit icmp any4 any4 echo 
access-list vpn_splitTunnelAcl standard permit 10.3.3.0 255.255.255.0 
nat (inside,outside) source static obj-10.3.3.0 obj-10.3.3.0 destination static vpn_nat vpn_nat no-proxy-arp route-lookup
object network obj-10.3.3.0
 nat (inside,outside) dynamic interface
access-group inside-in in interface inside
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1 
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL 
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 
http server enable
http 10.3.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set vpn-transform-set-ikev1 esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set vpn-transform-set-ikev1 mode transport
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map dyno 10 set ikev1 transform-set vpn-transform-set-ikev1
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto ca trustpool policy
crypto isakmp nat-traversal 3600
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 10.3.3.0 255.255.255.0 inside
ssh timeout 20
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0



Update 1

I took Ron's advice and learned how the packet-tracer command works. Below is what I get from packet-tracer input inside icmp 10.3.3.100 8 0 192.168.3.100

object-group service Internet-udp udp
 description UDP Standard Internet Services
 port-object eq domain
 port-object eq ntp
object-group service Internet-tcp tcp
 description TCP Standard Internet Services
 port-object eq www
 port-object eq https
 port-object eq smtp
 port-object eq 465
 port-object eq pop3
 port-object eq 995
 port-object eq ftp
 port-object eq ftp-data
 port-object eq domain
 port-object eq ssh
 port-object eq 993
object-group network Internal-Subnet
object-group network obj-vpnpool
access-list inside-in remark -=[Access Lists for Outgoing Packets from Inside interface]=-
access-list inside-in extended permit udp 10.3.3.0 255.255.255.0 any object-group Internet-udp
access-list inside-in extended permit tcp 10.3.3.0 255.255.255.0 any object-group Internet-tcp
access-list inside-in extended permit icmp 10.3.3.0 255.255.255.0 any
access-list outside-in remark -=[Access Lists for Incoming Packets on OUTSIDE interface]=-
access-list outside-in extended permit icmp any any echo-reply
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.3.3.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.3.96 255.255.255.224
access-list inside_nat0_outbound extended permit ip 10.3.3.0 255.255.255.0 192.168.3.0 255.255.255.0

ip local pool VPNPool 192.168.3.100-192.168.3.120 mask 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.3.3.0 255.255.255.0
access-group inside-in in interface inside
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 **.**.**.** 1

group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value **.**.**.** **.**.**.**
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha     
 group 2
 lifetime 86400



Some of what is shown after phase 6. I then checked the echo reply with packet-tracer input outside icmp 192.168.3.100 0 0 10.3.3.100


Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.3.100   255.255.255.255 outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside-in in interface inside
access-list inside-in extended permit icmp 10.3.3.0 255.255.255.0 any 
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 4      
Type: INSPECT 
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT-EXEMPT
Subtype: 
Result: ALLOW
Config:
  match ip inside 10.3.3.0 255.255.255.0 outside 192.168.3.0 255.255.255.0
    NAT exempt
    translate_hits = 16, untranslate_hits = 2
Additional Information:

Phase: 6
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (inside) 1 10.3.3.0 255.255.255.0
  match ip inside 10.3.3.0 255.255.255.0 outside any
    dynamic translation to pool 1 (**.**.**.** [Interface PAT])
    translate_hits = 21582, untranslate_hits = 2392
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 10.3.3.0 255.255.255.0
  match ip inside 10.3.3.0 255.255.255.0 inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 8
Type: HOST-LIMIT
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: L2TP-PPP
Subtype: 
Result: ALLOW 
Config:
Additional Information:

Phase: 10
Type: PPP
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 23037, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow



Phase 8 shows NAT-EXEMPT, but phase 10 shows a NAT translation. That is going to be a problem.


Update 2

Currently, show vpn-sessiondb detail remote filter protocol L2TPOverIPSec returns nothing while a client is connected.

On the other hand, show vpn-sessiondb detail remote filter protocol L2TPOverIPSecOverNatT shows the connected client. When I try to do things on the client, Bytes Rx and Pkts Rx increase. Bytes Tx and Pkts Tx do not increase (Pkts Tx stays at 17). Pkts Tx Drop and Pkts Rx Drop are both 0. If I ping 192.168.3.100 (the VPN client), Pkts Tx increases with every ping.


Update 3

I enabled logging on the ASA and established a connection. Here are some of the interesting log messages I saw


Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.3.3.0        255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside-in in interface outside
access-list outside-in extended permit icmp any any echo-reply 
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 4      
Type: CP-PUNT
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: L2TP-PPP
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW 
Config:
Additional Information:

Phase: 8
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: HOST-LIMIT
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside) 1 10.3.3.0 255.255.255.0
  match ip inside 10.3.3.0 255.255.255.0 outside any
    dynamic translation to pool 1 (**.**.**.** [Interface PAT])
    translate_hits = 21589, untranslate_hits = 2392
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 23079, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
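
As an added example (not code from the question or any of the answers), here is a small parser for packet-tracer output in the layout shown above; it splits the transcript into phases and flags the pattern Update 1 points at, a NAT-EXEMPT match followed by a NAT phase that still applies a dynamic interface PAT. The sample transcript and the 203.0.113.1 address in it are constructed, not taken from the question.

```python
import re

# Constructed sample (not copied from the question; the public IP is made up),
# laid out the way the ASA's packet-tracer prints its phases.
SAMPLE_TRACE = """\
Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip inside 10.3.3.0 255.255.255.0 outside 192.168.3.0 255.255.255.0
    NAT exempt
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 10.3.3.0 255.255.255.0
    dynamic translation to pool 1 (203.0.113.1 [Interface PAT])
Additional Information:
"""

def parse_phases(trace):
    """One dict per phase; 'detail' keeps the Config/Additional Information lines."""
    phases = []
    for chunk in re.split(r"\n\s*\n", trace.strip()):      # phases are blank-line separated
        lines = [ln.strip() for ln in chunk.splitlines()]
        if not lines[0].startswith("Phase:"):               # skip the trailing Result summary
            continue
        hdr = dict(ln.split(":", 1) for ln in lines[:4])    # Phase/Type/Subtype/Result
        detail = [ln for ln in lines[4:] if ln not in ("Config:", "Additional Information:")]
        phases.append({"phase": int(hdr["Phase"]), "type": hdr["Type"].strip(),
                       "result": hdr["Result"].strip(), "detail": "\n".join(detail)})
    return phases

def nat_findings(phases):
    """Report non-ALLOW phases and a dynamic NAT phase that follows a NAT-exempt match."""
    out, exempt_at = [], None
    for p in phases:
        if p["result"] != "ALLOW":
            out.append(f"phase {p['phase']} {p['type']}: {p['result']}")
        if p["type"] == "NAT-EXEMPT" and "NAT exempt" in p["detail"]:
            exempt_at = p["phase"]
        elif p["type"] == "NAT" and exempt_at and "dynamic translation" in p["detail"]:
            out.append(f"phase {p['phase']}: dynamic NAT after NAT exempt in phase {exempt_at}")
    return out

if __name__ == "__main__":
    for finding in nat_findings(parse_phases(SAMPLE_TRACE)):
        print(finding)
```

Paste the full output of a packet-tracer run (including the final Result block, which the parser skips) in place of SAMPLE_TRACE to check a real trace.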



Comments

Have you tried using the ASA's packet tracer feature to see where things might be going wrong?

@Ron To simulate an http packet coming from the VPN, would I use packet-tracer input outside 192.168.3.100 50612 8.8.8.8 80 for this? I am confused about whether VPN traffic should be treated as outside or inside.

As an experiment, remove the nat (1) statement and see whether it works.

Let us continue this discussion in chat.

"However, I cannot reach the Internet through the VPN." You appear to have configured split tunneling, so the tunnel is not used for Internet traffic. If you tunnel all traffic, you should be able to reach the Internet through the VPN.

#1

For the client to reach resources beyond the VPN tunnel, split tunneling must be configured. This lets the adapter inherit routes outside its own routing table and lets the traffic flow out. Adding routes on connect is only part of the problem.

Here is a link with instructions for ASDM and the CLI:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/70917-asa-split-tunnel-vpn-client.html

#2

All of the answers suggest split tunneling, which I believe I already have set up correctly.

In the end, I set up a proxy server on the internal network. If my browser uses it, I can reach the Internet through it.

#3

To access the Internet you will have to configure split tunneling, because split tunneling defines which traffic goes through the tunnel and which does not; by default, all traffic goes through the tunnel. You can see on your machine that all traffic goes through the tunnel by typing (route print). If you do not want to use split tunnel, there is another solution: configure the reverse setup, so that the first packet reaches your remote server and the remote server sends it back out to the Internet.

#4

I suspect that split tunneling may not be supported with L2TP over IPSec. Could you try the following for me?

conf t
!
same-security-traffic permit intra-interface
!
object network vpn_nat
 nat (outside,outside) dynamic interface
!


I also noticed that the DNS server configuration is missing from the updated group policy.