1
Tianao 2020-11-29 01:19:28 +08:00 via iPhone
same-security-traffic permit intra-interface
Permits traffic at the same security level within a single interface (one-arm traffic; Cisco calls it hairpinning).
nat (outside,outside) dynamic interface
Configures outbound source address translation for the AnyConnect object.
route outside 0.0.0.0 0.0.0.0 [outside interface gateway]
Configures the outbound default route.
2
makusuofute OP
3
lirno 2020-11-29 20:57:39 +08:00
Don't enable the split-tunnel policy.
4
Tianao 2020-11-29 23:54:25 +08:00 via iPhone
@makusuofute #2 Was that entered under the object view?
5
makusuofute OP
6
Tianao 2020-11-30 03:14:14 +08:00 via iPhone
@makusuofute #5 You also need to give the AnyConnect client address object an (outside,outside) one, because these clients come in on outside and then go out to outside again.
7
wsycqyz 2020-11-30 10:52:22 +08:00
8
makusuofute OP @Tianao
: Saved
:
: Serial Number: JMX1546417H
: Hardware: ASA5505, 1024 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(4)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
ip local pool pool_Any 192.168.20.1-192.168.20.30 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.20.0_27
 subnet 192.168.20.0 255.255.255.224
object network host
 subnet 192.168.1.0 255.255.255.0
object network any2
 subnet 192.168.20.0 255.255.255.0
access-list 102 extended permit icmp any any
access-list 102 extended permit ip any any
access-list NAT-EXEMPT extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list 234 extended permit ip 192.168.20.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (inside,outside) dynamic interface
object network host
 nat (any,outside) dynamic interface
object network any2
 nat (any,outside) dynamic interface
access-group 102 in interface inside
access-group 102 in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ciscoasa
 keypair ASA-SSL
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
 certificate 2079c25f
    308201cf 30820138 a0030201 02020420 79c25f30 0d06092a 864886f7 0d010105
    0500302c 3111300f 06035504 03130863 6973636f 61736131 17301506 092a8648
    86f70d01 09021608 63697363 6f617361 301e170d 32303131 32383136 33343135
    5a170d33 30313132 36313633 3431355a 302c3111 300f0603 55040313 08636973
    636f6173 61311730 1506092a 864886f7 0d010902 16086369 73636f61 73613081
    9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100cc 187ec456
    17f099c7 76e3b9ac b598c5fd 0d6631a3 3f52b76d 5a222dea ea967130 98d41bea
    5ce5a3d8 854e1a22 986f0b88 5d991fbc 2281db21 c1092465 47eac8ab 4d4a0e0d
    2685eb72 2bfeb1c0 6b7edb60 daf9957d db46ede4 3bab05f2 3e2626fe eb17046e
    6abdc950 1c547833 701c917a 5db9623f 7dc991e0 310e5f34 590fdf02 03010001
    300d0609 2a864886 f70d0101 05050003 81810067 cbc18d0d 7dff0412 66ac5a31
    bf13d91a 4f23cdd8 fb04b269 cceaeb67 3b9540e2 b09e0441 13598d8c bb01225d
    07428d43 4b2da65f 3c1a0be8 e66a3a1b f2f675be 3d08678a 2227787a 1eb1f4ca
    698c9c7e 8d99fb94 01bc5185 714dc675 d3bd67a6 f030688d a36dc1ac ccb420cb
    4298e890 5718a547 6f41fe76 95c0082e a940a1
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
no ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-macos-4.9.04043-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-4.9.04043-webdeploy-k9.pkg 2
 anyconnect profiles Any_client_profile disk0:/Any_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_Any internal
group-policy GroupPolicy_Any attributes
 wins-server value 114.114.114.114
 dns-server value 223.5.5.5
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 234
 default-domain value cisco.com
 webvpn
  anyconnect profiles value Any_client_profile type user
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group Any type remote-access
tunnel-group Any general-attributes
 address-pool pool_Any
 default-group-policy GroupPolicy_Any
tunnel-group Any webvpn-attributes
 group-alias Any enable
tunnel-group VPN type remote-access
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:6178a7c91d73664c0348c01caa0ed653
: end
no asdm history enable
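As an added example (not code from anyone in this thread), a small Python audit that reads an ASA running config and checks the items raised in #1 and #6: the intra-interface permit, a network object covering the AnyConnect pool, an (outside,outside) NAT rule on that object, and a default route (static, or from `ip address dhcp setroute` on outside). The sample config is a constructed excerpt modelled on the one posted in #8, and the checks follow the thread literally, so the existing (any,outside) rule is reported as not meeting the (outside,outside) request.

```python
import ipaddress
import re

# Constructed excerpt modelled on the config posted in #8 (not the full dump)
SAMPLE_CONFIG = """\
ip local pool pool_Any 192.168.20.1-192.168.20.30 mask 255.255.255.0
interface Vlan2
 nameif outside
 ip address dhcp setroute
same-security-traffic permit intra-interface
object network NETWORK_OBJ_192.168.20.0_27
 subnet 192.168.20.0 255.255.255.224
object network any2
 subnet 192.168.20.0 255.255.255.0
object network any2
 nat (any,outside) dynamic interface
"""

def parse(cfg):
    """Collect the pool range, network objects, object NAT rules and route hints."""
    pool, objects, nats, routes, current, nameif = None, {}, [], set(), None, None
    for line in cfg.splitlines():
        if m := re.match(r"ip local pool \S+ (\S+)-(\S+) mask", line):
            pool = (ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]))
        elif m := re.match(r"object network (\S+)", line):
            current = m[1]  # the indented lines that follow belong to this object
        elif m := re.match(r" subnet (\S+) (\S+)", line):
            objects[current] = ipaddress.ip_network(f"{m[1]}/{m[2]}")
        elif m := re.match(r" nat \((\S+),(\S+)\) dynamic", line):
            nats.append((current, m[1], m[2]))  # (object, real_if, mapped_if)
        elif m := re.match(r" nameif (\S+)", line):
            nameif = m[1]
        elif line.startswith("route outside 0.0.0.0 0.0.0.0 "):
            routes.add("static")
        elif line.strip() == "ip address dhcp setroute" and nameif == "outside":
            routes.add("dhcp")  # setroute installs the DHCP-learned default route
    return pool, objects, nats, routes

def audit(cfg):
    """Checks from #1 and #6, taken literally: (any,outside) does not count."""
    pool, objects, nats, routes = parse(cfg)
    covering = [n for n, net in objects.items()
                if pool and pool[0] in net and pool[1] in net]
    return {
        "intra_interface": "same-security-traffic permit intra-interface" in cfg.splitlines(),
        "pool_object": bool(covering),
        "outside_outside_nat": any(o in covering and (r, m) == ("outside", "outside")
                                   for o, r, m in nats),
        "default_route": bool(routes),
    }
```

Running `audit(SAMPLE_CONFIG)` reports every item present except `outside_outside_nat`, which is exactly the gap #6 points at.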
9
makusuofute OP @Tianao I looked over the configuration but still have no idea how to fix it.