Student question:
The requirement is that a PC on the public Internet can dial in over VPN, but the connection never comes up. The public-facing interface is outside2.
Configuration:
ASA Version 7.2(4)
!
hostname wlan2
enable password VIwoTD3r7KcGrQga encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
description to-ipwan
no nameif
security-level 0
no ip address
!
interface GigabitEthernet0/0.1
vlan 145
nameif outside
security-level 0
ip address 11.16.4.18 255.255.255.240 standby 11.16.4.19
!
interface GigabitEthernet0/0.2
vlan 146
nameif outside2
security-level 0
ip address 211.239.30.66 255.255.255.240 standby 211.239.30.67
!
interface GigabitEthernet0/1
description inside
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
!
interface GigabitEthernet0/2
description to-DCN
nameif dmz
security-level 50
ip address 136.65.5.100 255.255.255.0
!
interface GigabitEthernet0/3
description failover
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
access-list outside extended permit icmp any any
access-list outside extended permit tcp any any
access-list outside extended permit udp any any
access-list inside extended permit icmp any any
access-list inside extended permit tcp any any
access-list inside extended permit udp any any
access-list outside2 extended permit icmp any any
access-list outside2 extended permit tcp any any
access-list dmz extended permit icmp any any
access-list dmz extended permit tcp any any
access-list vpnnat0 extended permit ip 10.1.1.0 255.255.255.0 192.168.3.0 255.255.255.0 log
pager lines 24
logging asdm informational
mtu outside 1500
mtu outside2 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool remote 192.168.3.1-192.168.3.200
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any outside2
icmp permit any inside
icmp permit any dmz
asdm image disk0:/ASDM-524.BIN
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list vpnnat0
static (inside,dmz) 136.65.5.102 10.1.1.11 netmask 255.255.255.255
static (inside,dmz) 136.65.5.101 10.1.1.10 netmask 255.255.255.255
static (inside,outside2) 211.239.30.68 10.1.1.11 netmask 255.255.255.255
static (inside,outside2) 211.239.30.70 10.1.1.12 netmask 255.255.255.255
static (inside,outside2) 211.239.30.71 10.1.1.13 netmask 255.255.255.255
static (inside,outside) 11.16.4.20 10.1.1.12 netmask 255.255.255.255
static (inside,outside) 11.16.4.21 10.1.1.13 netmask 255.255.255.255
static (inside,outside2) 211.239.30.69 10.1.1.10 netmask 255.255.255.255
access-group outside in interface outside
access-group outside2 in interface outside2
access-group inside in interface inside
access-group dmz in interface dmz
route outside 10.0.0.0 255.0.0.0 11.16.4.17 1
route outside2 0.0.0.0 0.0.0.0 211.239.30.65 1
route inside 192.168.3.0 255.255.255.0 10.1.1.10 1
route dmz 132.33.3.0 255.255.255.0 136.65.5.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set testset esp-des esp-md5-hmac
crypto dynamic-map testdyn 10 set transform-set testset
crypto dynamic-map testdyn 10 set reverse-route
crypto map testmap 20 ipsec-isakmp dynamic testdyn
crypto map testmap interface outside2
crypto isakmp enable outside2
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
telnet 0.0.0.0 0.0.0.0 outside2
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
ssl encryption des-sha1 rc4-md5
group-policy mygroup internal
group-policy mygroup attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnnat0
username 1234 password xU6ws8pUOHLBXx9z encrypted
username cisco password 3USUcOPFUiMCO4Jk encrypted
tunnel-group tsetgroup type ipsec-ra
tunnel-group testgroup type ipsec-ra
tunnel-group testgroup general-attributes
address-pool remote
default-group-policy mygroup
tunnel-group testgroup ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5cdf5655a7a9767ba7cd6954a5ce5c70
: end
Answer from the Jieying instructor and students:
Looking at your configuration file, no authentication-server parameter is configured under the tunnel-group, and no AAA is defined earlier either; that should be the problem.
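To make the troubleshooting concrete, here is an added example (not code from the post, the instructor, or Cisco) that parses the elements an ipsec-ra dial-in depends on in the posted configuration and reports the ones that are inconsistent or weak: the crypto-map interface versus ISAKMP, each tunnel-group's address pool, the nat 0 exemption covering the pool, and the DES/MD5/group 1 settings. The sample input is a constructed excerpt of the configuration above, and the regexes are assumed to cover only the command forms seen in it.

```python
import ipaddress
import re

# Excerpt of the posted configuration, embedded here as constructed sample input.
SAMPLE_CONFIG = """\
access-list vpnnat0 extended permit ip 10.1.1.0 255.255.255.0 192.168.3.0 255.255.255.0 log
ip local pool remote 192.168.3.1-192.168.3.200
nat (inside) 0 access-list vpnnat0
crypto ipsec transform-set testset esp-des esp-md5-hmac
crypto map testmap interface outside2
crypto isakmp enable outside2
crypto isakmp policy 10
 encryption des
 group 1
tunnel-group tsetgroup type ipsec-ra
tunnel-group testgroup type ipsec-ra
tunnel-group testgroup general-attributes
 address-pool remote
"""

def audit(config):
    """Return a list of finding tags; an empty list means nothing was flagged."""
    findings = []
    # 1. ISAKMP must be enabled on every interface that carries a crypto map.
    enabled = set(re.findall(r"^crypto isakmp enable (\S+)", config, re.M))
    for intf in re.findall(r"^crypto map \S+ interface (\S+)", config, re.M):
        if intf not in enabled:
            findings.append(f"isakmp-disabled:{intf}")
    # 2. Every ipsec-ra tunnel-group needs an address-pool naming a defined pool.
    pools = dict(re.findall(r"^ip local pool (\S+) (\S+)", config, re.M))
    refs = dict(re.findall(r"^tunnel-group (\S+) general-attributes\n\s*address-pool (\S+)", config, re.M))
    for group in re.findall(r"^tunnel-group (\S+) type ipsec-ra", config, re.M):
        if refs.get(group) not in pools:
            findings.append(f"no-valid-pool:{group}")
    # 3. The nat 0 exemption ACL must cover the whole pool, or return traffic is NATed.
    covered = []
    nat0 = re.search(r"^nat \(\S+\) 0 access-list (\S+)", config, re.M)
    if nat0:
        acl = re.escape(nat0.group(1))
        for dst, mask in re.findall(rf"^access-list {acl} extended permit ip \S+ \S+ (\S+) (\S+)", config, re.M):
            covered.append(ipaddress.ip_network(f"{dst}/{mask}"))
    for name, span in pools.items():
        lo, hi = (ipaddress.ip_address(a) for a in span.split("-"))
        if not any(lo in net and hi in net for net in covered):
            findings.append(f"pool-not-exempt:{name}")
    # 4. DES, MD5 and DH group 1 are far below current guidance for IKE/IPsec.
    for weak in ("encryption des", "group 1", "esp-des", "esp-md5-hmac"):
        if re.search(rf"(^|\s){re.escape(weak)}(\s|$)", config, re.M):
            findings.append(f"weak-crypto:{weak}")
    return findings
```

On the excerpt it flags the empty tunnel-group tsetgroup and the weak crypto settings; the interface binding, the pool and the exemption ACL all pass.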

