Memperbarui
Akhirnya ditingkatkan menjadi 9.1.4. Saya mengatur semuanya, mengaktifkan kembali VPN, dan masih mengalami masalah yang sama. Jadi, saya menghapus semua informasi konfigurasi VPN dan mulai dari awal. Di bawah ini adalah konfigurasi saya saat ini. Saya dapat terhubung dan mengakses sumber daya di jaringan internal. Namun, saya tidak dapat mengakses internet melalui VPN.
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
ip local pool VPNPool 192.168.3.1-192.168.3.30
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
switchport access vlan 2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
description Private-Interface
nameif inside
security-level 100
ip address 10.3.3.1 255.255.255.0
!
interface Vlan2
description Public-Interface
nameif outside
security-level 0
ip address xx.xx.xx.xx 255.255.255.248
!
boot system disk0:/asa914-k8.bin
object network obj-10.3.3.0
subnet 10.3.3.0 255.255.255.0
object network vpn_nat
subnet 192.168.3.0 255.255.255.0
object-group service Internet-udp udp
description UDP Standard Internet Services
port-object eq domain
port-object eq ntp
object-group service Internet-tcp tcp
description TCP Standard Internet Services
port-object eq www
port-object eq https
port-object eq smtp
port-object eq 465
port-object eq pop3
port-object eq 995
port-object eq ftp
port-object eq ftp-data
port-object eq domain
port-object eq ssh
object-group network Internal-Subnet
object-group network obj-vpnpool
access-list inside-in remark -=[Access Lists for Outgoing Packets from Inside interface]=-
access-list inside-in extended permit udp 10.3.3.0 255.255.255.0 any4 object-group Internet-udp
access-list inside-in extended permit tcp 10.3.3.0 255.255.255.0 any4 object-group Internet-tcp
access-list inside-in extended permit icmp 10.3.3.0 255.255.255.0 any4
access-list outside-in remark -=[Access Lists for Incoming Packets on OUTSIDE interface]=-
access-list outside-in extended permit icmp any4 any4 echo-reply
access-list outside-in extended permit icmp any4 any4 echo
access-list vpn_splitTunnelAcl standard permit 10.3.3.0 255.255.255.0
nat (inside,outside) source static obj-10.3.3.0 obj-10.3.3.0 destination static vpn_nat vpn_nat no-proxy-arp route-lookup
object network obj-10.3.3.0
nat (inside,outside) dynamic interface
access-group inside-in in interface inside
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.3.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set vpn-transform-set-ikev1 esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set vpn-transform-set-ikev1 mode transport
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map dyno 10 set ikev1 transform-set vpn-transform-set-ikev1
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto ca trustpool policy
crypto isakmp nat-traversal 3600
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.3.3.0 255.255.255.0 inside
ssh timeout 20
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 10.3.3.100-10.3.3.150 inside
dhcpd dns xx.xx.xx.xx xx.xx.xx.xx interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host number-of-rate 2
threat-detection statistics port number-of-rate 2
threat-detection statistics protocol number-of-rate 2
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy vpn_policy internal
group-policy vpn_policy attributes
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_splitTunnelAcl
username mike password x
username mike attributes
vpn-tunnel-protocol l2tp-ipsec
username admin password x encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool VPNPool
default-group-policy vpn_policy
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
: end
Barang lama
Saya mencoba menyiapkan L2TP melalui IPSec akses jarak jauh VPN pada ASA 5505, versi 8.2 (5). Saya dapat mengautentikasi dan koneksi dibuat. Namun, saya tidak dapat mengakses sumber daya di jaringan internal atau mengakses internet. Selain itu, ASA tidak dapat melakukan ping ke klien yang terhubung.
Pada klien yang terhubung saya dapat melakukan ping IP eksternal ASA. Ketika saya melakukan itu, saya bahkan melihat jumlah paket terenkripsi dan dekripsi naik di ASA dengan show crypto ipsec sa.
Saya sudah mencoba melakukan beberapa hal dengan NAT dan dengan rute, tetapi tidak bisa membuatnya bekerja.
Jaringan internal saya adalah 10.3.3.0/24 dan kumpulan VPN saya adalah 192.168.3.0/24. Di bawah ini saya telah menyalin bagian-bagian konfigurasi yang relevan.
object-group service Internet-udp udp
description UDP Standard Internet Services
port-object eq domain
port-object eq ntp
object-group service Internet-tcp tcp
description TCP Standard Internet Services
port-object eq www
port-object eq https
port-object eq smtp
port-object eq 465
port-object eq pop3
port-object eq 995
port-object eq ftp
port-object eq ftp-data
port-object eq domain
port-object eq ssh
port-object eq 993
object-group network Internal-Subnet
object-group network obj-vpnpool
access-list inside-in remark -=[Access Lists for Outgoing Packets from Inside interface]=-
access-list inside-in extended permit udp 10.3.3.0 255.255.255.0 any object-group Internet-udp
access-list inside-in extended permit tcp 10.3.3.0 255.255.255.0 any object-group Internet-tcp
access-list inside-in extended permit icmp 10.3.3.0 255.255.255.0 any
access-list outside-in remark -=[Access Lists for Incoming Packets on OUTSIDE interface]=-
access-list outside-in extended permit icmp any any echo-reply
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.3.3.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.3.96 255.255.255.224
access-list inside_nat0_outbound extended permit ip 10.3.3.0 255.255.255.0 192.168.3.0 255.255.255.0
ip local pool VPNPool 192.168.3.100-192.168.3.120 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.3.3.0 255.255.255.0
access-group inside-in in interface inside
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 **.**.**.** 1
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value **.**.**.** **.**.**.**
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
Perbarui 1
Saya menerima saran Ron dan belajar bagaimana packet-tracerfungsi perintah. Berikut adalah beberapa hal yang saya temukan setelah menerbitkanpacket-tracer input inside icmp 10.3.3.100 8 0 192.168.3.100
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.3.100 255.255.255.255 outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside-in in interface inside
access-list inside-in extended permit icmp 10.3.3.0 255.255.255.0 any
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 10.3.3.0 255.255.255.0 outside 192.168.3.0 255.255.255.0
NAT exempt
translate_hits = 16, untranslate_hits = 2
Additional Information:
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 10.3.3.0 255.255.255.0
match ip inside 10.3.3.0 255.255.255.0 outside any
dynamic translation to pool 1 (**.**.**.** [Interface PAT])
translate_hits = 21582, untranslate_hits = 2392
Additional Information:
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 10.3.3.0 255.255.255.0
match ip inside 10.3.3.0 255.255.255.0 inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 8
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: L2TP-PPP
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: PPP
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 23037, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Fase 6 menunjukkan terjemahan NAT. Saya kemudian mengecek echo-reply dengan packet-tracer input outside icmp 192.168.3.100 0 0 10.3.3.100.
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.3.3.0 255.255.255.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside-in in interface outside
access-list outside-in extended permit icmp any any echo-reply
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: L2TP-PPP
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside) 1 10.3.3.0 255.255.255.0
match ip inside 10.3.3.0 255.255.255.0 outside any
dynamic translation to pool 1 (**.**.**.** [Interface PAT])
translate_hits = 21589, untranslate_hits = 2392
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 23079, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
Fase 8 menunjukkan NAT-EXEMPTtetapi Fase 10 menunjukkan terjemahan NAT. Itu akan bermasalah.
Perbarui 2
Saat ini show vpn-sessiondb detail remote filter protocol L2TPOverIPSectidak mengembalikan apa-apa saat klien terhubung.
Di sisi lain show vpn-sessiondb detail remote filter protocol L2TPOverIPSecOverNatTmenunjukkan klien yang terhubung. Saat mencoba melakukan hal-hal pada klien, Bytes Rx dan Pkts Rx meningkat. Bytes Tx dan Pkts Tx tidak bertambah (Pkts Tx tetap di 17). Pkts Tx Drop dan Pkts Rx Drop keduanya 0. Jika saya ping 192.168.3.100 (klien vpn), maka Pkts Tx meningkat untuk setiap ping.
Perbarui 3
Saya mengaktifkan logging pada ASA dan membuat koneksi. Berikut adalah beberapa pesan log menarik yang saya lihat
%ASA-6-737026: IPAA: Client assigned 192.168.3.100 from local pool
ppp_virtual_interface_id is 1, client_dynamic_ip is 192.168.3.100
%ASA-7-609001: Built local-host outside:192.168.3.100
%ASA-2-106001: Inbound TCP connection denied from 192.168.3.100/57013 to **.**.**.**/443 flags SYN on interface outside
%ASA-2-106001: Inbound TCP connection denied from 192.168.3.100/57013 to **.**.**.**/443 flags SYN on interface outside
%ASA-2-106001: Inbound TCP connection denied from 192.168.3.100/57013 to **.**.**.**/443 flags SYN on interface outside
%ASA-2-106007: Deny inbound UDP from 192.168.3.100/9562 to **.**.**.**/53 due to DNS Query
%ASA-2-106007: Deny inbound UDP from 192.168.3.100/61529 to **.**.**.**/53 due to DNS Query
%ASA-2-106007: Deny inbound UDP from 192.168.3.100/38824 to **.**.**.**/53 due to DNS Query
%ASA-3-713042: IKE Initiator unable to find policy: Intf inside, Src: 10.3.3.100, Dst: 192.168.3.100
%ASA-3-713042: IKE Initiator unable to find policy: Intf inside, Src: 10.3.3.100, Dst: 192.168.3.100
Jawaban:
Agar klien dapat terhubung ke sumber daya di luar terowongan VPN, terowongan split harus dikonfigurasi. Ini akan memungkinkan adaptor untuk mewarisi rute di luar tabel rute itu sendiri serta memungkinkan lalu lintas keluar. Menambahkan rute saat terhubung hanya merupakan bagian dari masalah.
Berikut ini tautan dengan instruksi untuk ADM dan CLI http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/70917-asa -split-tunnel-vpn-client.html
sumber
Semua jawaban menyarankan terowongan yang terbelah, yang saya yakin telah saya setup dengan benar.
Pada akhirnya, saya menyiapkan server proxy di jaringan internal. Jika browser saya diarahkan pada hal itu, maka saya dapat mengakses internet melalui itu.
sumber
Untuk mengakses internet, Anda harus mengkonfigurasi split tunnel, karena tunnel split menentukan lalu lintas apa yang akan pergi melalui terowongan dan apa yang tidak, karena secara default semua lalu lintas akan melalui terowongan. Anda dapat melihat di komputer Anda dengan mengetik (print route), bahwa semua lalu lintas akan melalui terowongan, dan jika Anda tidak ingin menggunakan split tunnel, maka kami memiliki satu solusi lagi Anda dapat mengonfigurasi reverse natting, paket pertama akan pergi ke remote Anda server dan server jauh akan mengirim kembali ke internet
sumber
Saya menduga bahwa Split Tunneling mungkin tidak didukung dengan L2TP melalui IPSec. Bisakah Anda mencoba yang berikut untuk saya?
Saya juga memperhatikan bahwa konfigurasi server DNS tidak ada dalam Kebijakan Grup Anda yang diperbarui.
sumber