Tweet
Mình cấu hình VPN client access nhưng khi vpn vào thì thấy lớp mạng bên trong nhưng vẫn không telnet được vào firewall và máy client access lại không ra được internet, còn cái phần split tunnel mình vẫn chưa hiểu rõ nữa, các bạn hướng dẫn mình với !
Show run đây :
Fw-5520-tdttdn# show run
: Saved
:
ASA Version 8.4(2)
!
hostname Fw-5520-tdttdn
enable password Pqi8e1eD2uj36YH/ level 14 encrypted
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd xp/7b8xPD887FrwT encrypted
names
!
interface GigabitEthernet0/0
description #### Ket noi vao Router ####
nameif Outside
security-level 0
ip address 192.168.2.2 255.255.255.0
!
interface GigabitEthernet0/1
description #### Ket noi vao CoreSwitch ####
nameif Inside
security-level 100
ip address 10.59.25.1 255.255.255.0
!
interface GigabitEthernet0/1.1
no vlan
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.100.100 255.255.0.0
management-only
!
banner login #### Firewall ASA 5520 - truong DH TDTT Da Nang ####
ftp mode passive
object network SVR01
host 10.59.25.5
access-list FULL extended permit ip any any
access-list PING extended permit icmp any any
access-list SPLIT_TUNNEL standard permit 10.59.0.0 255.255.0.0
access-list REMOTE extended permit tcp any object SVR01 eq 3389
pager lines 24
logging enable
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool VPN_POOL 10.59.0.20-10.59.0.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
no asdm history enable
arp timeout 14400
access-group REMOTE in interface Outside
access-group FULL in interface Inside
route Outside 0.0.0.0 0.0.0.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set VPN_MYSET esp-3des esp-sha-hmac
crypto dynamic-map VPN_DYNMAP 1 set ikev1 transform-set VPN_MYSET
crypto dynamic-map VPN_DYNMAP 1 set reverse-route
crypto map VPN_MAP 1 ipsec-isakmp dynamic VPN_DYNMAP
crypto map VPN_MAP interface Outside
crypto ikev1 enable Outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 36000
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.59.25.0 255.255.255.0 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy VPN_DYNMAP internal
group-policy VPN_DYNMAP attributes
dns-server value 10.59.25.10
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL
username tdttdn password Q.8uuLSxCw5QrW12 encrypted privilege 15
username admin password ihqPJ78Nh4GnjT59 encrypted
username user4 password TTNKHqfM6YyTcEzA encrypted
username user1 password 8jXOrP2GU4S4Gn/o encrypted
username user3 password TTNKHqfM6YyTcEzA encrypted
username user2 password TTNKHqfM6YyTcEzA encrypted
tunnel-group VPN_TUNNEL type remote-access
tunnel-group VPN_TUNNEL general-attributes
address-pool VPN_POOL
tunnel-group VPN_TUNNEL ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DD
CEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ac60b1a2ad47cc126798fa647342fd94
: end
Show run đây :
Fw-5520-tdttdn# show run
: Saved
:
ASA Version 8.4(2)
!
hostname Fw-5520-tdttdn
enable password Pqi8e1eD2uj36YH/ level 14 encrypted
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd xp/7b8xPD887FrwT encrypted
names
!
interface GigabitEthernet0/0
description #### Ket noi vao Router ####
nameif Outside
security-level 0
ip address 192.168.2.2 255.255.255.0
!
interface GigabitEthernet0/1
description #### Ket noi vao CoreSwitch ####
nameif Inside
security-level 100
ip address 10.59.25.1 255.255.255.0
!
interface GigabitEthernet0/1.1
no vlan
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.100.100 255.255.0.0
management-only
!
banner login #### Firewall ASA 5520 - truong DH TDTT Da Nang ####
ftp mode passive
object network SVR01
host 10.59.25.5
access-list FULL extended permit ip any any
access-list PING extended permit icmp any any
access-list SPLIT_TUNNEL standard permit 10.59.0.0 255.255.0.0
access-list REMOTE extended permit tcp any object SVR01 eq 3389
pager lines 24
logging enable
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool VPN_POOL 10.59.0.20-10.59.0.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
no asdm history enable
arp timeout 14400
access-group REMOTE in interface Outside
access-group FULL in interface Inside
route Outside 0.0.0.0 0.0.0.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set VPN_MYSET esp-3des esp-sha-hmac
crypto dynamic-map VPN_DYNMAP 1 set ikev1 transform-set VPN_MYSET
crypto dynamic-map VPN_DYNMAP 1 set reverse-route
crypto map VPN_MAP 1 ipsec-isakmp dynamic VPN_DYNMAP
crypto map VPN_MAP interface Outside
crypto ikev1 enable Outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 36000
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.59.25.0 255.255.255.0 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy VPN_DYNMAP internal
group-policy VPN_DYNMAP attributes
dns-server value 10.59.25.10
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL
username tdttdn password Q.8uuLSxCw5QrW12 encrypted privilege 15
username admin password ihqPJ78Nh4GnjT59 encrypted
username user4 password TTNKHqfM6YyTcEzA encrypted
username user1 password 8jXOrP2GU4S4Gn/o encrypted
username user3 password TTNKHqfM6YyTcEzA encrypted
username user2 password TTNKHqfM6YyTcEzA encrypted
tunnel-group VPN_TUNNEL type remote-access
tunnel-group VPN_TUNNEL general-attributes
address-pool VPN_POOL
tunnel-group VPN_TUNNEL ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DD
CEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ac60b1a2ad47cc126798fa647342fd94
: end
Comment