ASA5520 VPN dial-in problem

Author: 思科培训 (Cisco Training)  Source: from the web  Published: 09-11-26

Student's question:

The server side uses an ASA5520 firewall with two uplink lines and an IPsec VPN configured on it.

There are three office locations that dial into the firewall with the Cisco VPN Client:
1. China Mobile fiber, going online through a TL-R402 router: only one machine on the LAN can dial in and communicate; the other machines can dial in but cannot communicate.
2. 有线通 cable broadband, going online through a TL-WR841N: all machines can only dial in, none can communicate.
3. China Telecom ADSL, going online through a Ruijie NBR300 router: only one machine on the LAN can dial in and communicate; the other machines can dial in but cannot communicate.

Could an expert point me in the right direction for finding the cause?

Firewall configuration:
ASA Version 7.0(8)
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
shutdown
nameif outside10
security-level 0
ip address 线路10IP 255.255.255.248
!
interface GigabitEthernet0/1
nameif outside100
security-level 0
ip address 线路100IP 255.255.255.248
!
interface GigabitEthernet0/2
nameif inside
security-level 100
ip address 192.168.10.254 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
no ip address
management-only
!
ftp mode passive
object-group network vpn_pool
network-object host 192.168.10.150
network-object host 192.168.10.151
network-object host 192.168.10.152
network-object host 192.168.10.153
network-object host 192.168.10.154
network-object host 192.168.10.155
network-object host 192.168.10.156
network-object host 192.168.10.157
network-object host 192.168.10.158
network-object host 192.168.10.159
network-object host 192.168.10.160
network-object host 192.168.10.161
network-object host 192.168.10.162
network-object host 192.168.10.163
network-object host 192.168.10.164
network-object host 192.168.10.165
network-object host 192.168.10.166
network-object host 192.168.10.167
network-object host 192.168.10.168
network-object host 192.168.10.169
network-object host 192.168.10.170
network-object host 192.168.10.171
network-object host 192.168.10.172
network-object host 192.168.10.173
network-object host 192.168.10.174
network-object host 192.168.10.175
network-object host 192.168.10.176
network-object host 192.168.10.177
network-object host 192.168.10.178
network-object host 192.168.10.179
network-object host 192.168.10.180
network-object host 192.168.20.150
access-list 110 extended permit ip any any
access-list 110 extended permit icmp any any
access-list 120 extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list spilt extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list spilt extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside10 1500
mtu outside100 1500
mtu inside 1500
mtu management 1500
ip local pool testpool 192.168.20.150-192.168.20.200 mask 255.255.255.0
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside10) 1 interface
global (outside100) 1 interface
nat (inside) 0 access-list 120
nat (inside) 1 192.168.10.0 255.255.255.0
access-group 110 in interface outside10
access-group 110 in interface outside100
access-group 110 in interface inside
route outside100 0.0.0.0 0.0.0.0 线路100网关 1
route inside 192.168.20.0 255.255.255.0 192.168.10.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy split internal
group-policy split attributes
split-tunnel-policy tunnelspecified
webvpn
username chenbin password iInzhS1kyaAovJu5 encrypted
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside100
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set firstset esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set pfs
crypto dynamic-map dyn1 1 set transform-set firstset
crypto dynamic-map dyn1 1 set security-association lifetime seconds 28800
crypto dynamic-map dyn1 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside10
crypto map mymap interface outside100
isakmp enable outside100
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
tunnel-group vpn type ipsec-ra
tunnel-group vpn general-attributes
address-pool testpool
default-group-policy split
tunnel-group vpn ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside10
ssh 0.0.0.0 0.0.0.0 outside100
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 1
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
ssl encryption des-sha1 rc4-md5
Cryptochecksum:94f408d5bc872ac3d3539cd86c4fde7b
: end
 

Answer from 捷盈 instructors and students:

1. The ASA licenses VPN Client connections by count; you need to check your license count.
2. Once licensing is ruled out, clients dialling in from the same LAN or from different carriers' networks should get network access according to the permissions set on your VPN server.
3. If nothing on an entire LAN can access the network, suspect the NAT device that provides shared Internet access, or a carrier restriction.
4. As for a LAN where some machines can dial in and others cannot, suspect the client-side settings.
5. For users who dial in successfully but cannot reach your services, check the ACL settings on the VPN server side.
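The replies above tell the asker what to check but not how to check it against the posted configuration. The script below is an added example, not code from the original post or from Cisco: it reads the plain text of `show running-config` (sub-commands may be indented or not, as in the post) and flags the things the replies point at, plus two facts a reviewer would raise from the config itself. `SAMPLE_CONFIG` is a constructed excerpt of the posted configuration, not a live device. The NAT-traversal check rests on standard IPsec behaviour: when several clients sit behind one PAT device and NAT-T (UDP/4500) is not negotiated, the NAT can carry only one ESP flow per public address, which is the "only one machine works" pattern reported for locations 1 and 3; the `isakmp nat-traversal` command name is the ASA 7.x form.

```python
"""Static checks for an ASA 7.x remote-access VPN config (added example)."""
import re

# Constructed excerpt of the configuration posted in the question.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 shutdown
 nameif outside10
 security-level 0
interface GigabitEthernet0/1
 nameif outside100
 security-level 0
interface GigabitEthernet0/2
 nameif inside
 security-level 100
access-list 110 extended permit ip any any
access-list spilt extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-group 110 in interface outside10
access-group 110 in interface outside100
access-group 110 in interface inside
group-policy split internal
group-policy split attributes
 split-tunnel-policy tunnelspecified
http 0.0.0.0 0.0.0.0 outside100
crypto map mymap interface outside10
crypto map mymap interface outside100
isakmp enable outside100
isakmp policy 1 encryption des
isakmp policy 1 hash md5
ssh 0.0.0.0 0.0.0.0 outside100
ssh version 1
"""


def parse(config):
    """Split config text into stripped command lines, dropping '!' separators."""
    return [ln.strip() for ln in config.splitlines()
            if ln.strip() and not ln.strip().startswith("!")]


def outside_interfaces(lines):
    """Return the nameifs whose security-level is 0 (untrusted side)."""
    levels, name = {}, None
    for ln in lines:
        if ln.startswith("interface "):
            name = None                      # new interface block
        elif ln.startswith("nameif "):
            name = ln.split()[1]
        elif ln.startswith("security-level ") and name:
            levels[name] = int(ln.split()[1])
    return {n for n, lvl in levels.items() if lvl == 0}


def audit(config):
    """Return (code, message) findings; codes are this example's own labels."""
    lines = parse(config)
    outside = outside_interfaces(lines)
    findings = []

    # Reply 5: with 'tunnelspecified' and no network list bound, the client is
    # told to tunnel nothing, so it connects but never reaches the LAN.
    acls = {ln.split()[1] for ln in lines if ln.startswith("access-list ")}
    bound = [ln.split()[-1] for ln in lines if ln.startswith("split-tunnel-network-list value ")]
    if "split-tunnel-policy tunnelspecified" in lines:
        if not bound:
            findings.append(("SPLIT_NO_LIST", "tunnelspecified without split-tunnel-network-list"))
        for acl in bound:
            if acl not in acls:                  # catches a misspelled ACL name
                findings.append(("SPLIT_ACL_MISSING", f"network list refers to undefined ACL {acl}"))

    # IKE must be enabled on every interface the crypto map is bound to.
    mapped = {ln.split()[-1] for ln in lines if re.match(r"crypto map \S+ interface \S+$", ln)}
    ike = {ln.split()[-1] for ln in lines if ln.startswith("isakmp enable ")}
    for ifc in sorted(mapped - ike):
        findings.append(("IKE_DISABLED", f"crypto map bound on {ifc} but isakmp not enabled there"))

    # Reply 3: several clients behind one PAT device need NAT-T (UDP/4500).
    if not any("isakmp nat-traversal" in ln for ln in lines):
        findings.append(("NO_NAT_T", "isakmp nat-traversal not enabled"))

    # Exposure: 'permit ip any any' applied inbound on an outside interface.
    wide_open = {ln.split()[1] for ln in lines
                 if re.match(r"access-list \S+ extended permit ip any any$", ln)}
    for ln in lines:
        m = re.match(r"access-group (\S+) in interface (\S+)$", ln)
        if m and m.group(1) in wide_open and m.group(2) in outside:
            findings.append(("ANY_ANY_OUTSIDE", f"ACL {m.group(1)} permits any/any inbound on {m.group(2)}"))

    # Exposure: management from 0.0.0.0/0 on outside, SSHv1, DES/MD5 in IKE.
    for ln in lines:
        m = re.match(r"(ssh|http) 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", ln)
        if m and m.group(2) in outside:
            findings.append(("MGMT_FROM_ANYWHERE", f"{m.group(1)} open to any source on {m.group(2)}"))
        if re.match(r"isakmp policy \d+ (encryption des|hash md5)$", ln):
            findings.append(("WEAK_IKE", ln))
    if "ssh version 1" in lines:
        findings.append(("SSH_V1", "ssh version 1 is enabled"))
    return findings


if __name__ == "__main__":
    for code, msg in audit(SAMPLE_CONFIG):
        print(f"{code:20} {msg}")
```

Run against the excerpt it reports the split-tunnel list that is never bound, the crypto map on outside10 without `isakmp enable` there, the absent NAT traversal, the any/any ACL inbound on both outside interfaces, HTTP and SSH management open to the whole Internet, SSHv1 and DES/MD5 IKE. The split-tunnel and NAT-T items are the ones that map onto the reported symptoms; the rest are exposure findings the poster did not ask about but should not leave on an Internet-facing device.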