V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
makusuofute
V2EX  ›  宽带症候群

ASA5505 使用相关问题

  •  
  •   makusuofute · 2020-11-29 00:32:22 +08:00 · 2796 次点击
    这是一个创建于 1434 天前的主题,其中的信息可能已经有所发展或是发生改变。
    现在遇到的问题是
    ASA 搭建了 AnyConnect
    允许 outside 访问

    如何设置 AnyConnect 拨入后全部数据可以从 outside 出去?
    9 条回复    2020-11-30 15:03:36 +08:00
    Tianao
        1
    Tianao  
       2020-11-29 01:19:28 +08:00 via iPhone
    same-security-traffic permit intra-interface
    放通同一端口内相同 security-level 的单臂流量(思科叫 hairpin )

    nat (outside,outside) dynamic interface
    给 anyconnect 对象配置出站源地址转换

    route outside 0.0.0.0 0.0.0.0 [outside 接口网关]
    配置出站默认路由
    makusuofute
        2
    makusuofute  
    OP
       2020-11-29 20:49:29 +08:00
    @Tianao
    ASA Version 9.2(4)的版本
    第二条原地址转换就直接报错了。
    lirno
        3
    lirno  
       2020-11-29 20:57:39 +08:00
    不要开索道分离策略
    Tianao
        4
    Tianao  
       2020-11-29 23:54:25 +08:00 via iPhone
    @makusuofute #2 是在 object 视图下打的吗?
    makusuofute
        5
    makusuofute  
    OP
       2020-11-30 00:16:24 +08:00
    @Tianao

    看了下已经有了,这个应该是在 ASDM 里面配置生成的?
    object network obj_any
    nat (inside,outside) dynamic interface
    Tianao
        6
    Tianao  
       2020-11-30 03:14:14 +08:00 via iPhone
    @makusuofute #5 还需要给 anyconnect 客户端地址对象一个 outside,outside 的,因为这些客户端是 outside 进来再去访问 outside 的。
    makusuofute
        8
    makusuofute  
    OP
       2020-11-30 14:54:34 +08:00
    @Tianao

    : Saved
    :
    : Serial Number: JMX1546417H
    : Hardware: ASA5505, 1024 MB RAM, CPU Geode 500 MHz
    :
    ASA Version 9.2(4)
    !
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names
    ip local pool pool_Any 192.168.20.1-192.168.20.30 mask 255.255.255.0
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    !
    ftp mode passive
    dns domain-lookup inside
    dns domain-lookup outside
    same-security-traffic permit intra-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network NETWORK_OBJ_192.168.20.0_27
    subnet 192.168.20.0 255.255.255.224
    object network host
    subnet 192.168.1.0 255.255.255.0
    object network any2
    subnet 192.168.20.0 255.255.255.0
    access-list 102 extended permit icmp any any
    access-list 102 extended permit ip any any
    access-list NAT-EXEMPT extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
    access-list 234 extended permit ip 192.168.20.0 255.255.255.0 any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    !
    object network obj_any
    nat (inside,outside) dynamic interface
    object network host
    nat (any,outside) dynamic interface
    object network any2
    nat (any,outside) dynamic interface
    access-group 102 in interface inside
    access-group 102 in interface outside
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication http console LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    subject-name CN=ciscoasa
    keypair ASA-SSL
    crl configure
    crypto ca trustpool policy
    crypto ca certificate chain ASDM_TrustPoint0
    certificate 2079c25f
    308201cf 30820138 a0030201 02020420 79c25f30 0d06092a 864886f7 0d010105
    0500302c 3111300f 06035504 03130863 6973636f 61736131 17301506 092a8648
    86f70d01 09021608 63697363 6f617361 301e170d 32303131 32383136 33343135
    5a170d33 30313132 36313633 3431355a 302c3111 300f0603 55040313 08636973
    636f6173 61311730 1506092a 864886f7 0d010902 16086369 73636f61 73613081
    9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100cc 187ec456
    17f099c7 76e3b9ac b598c5fd 0d6631a3 3f52b76d 5a222dea ea967130 98d41bea
    5ce5a3d8 854e1a22 986f0b88 5d991fbc 2281db21 c1092465 47eac8ab 4d4a0e0d
    2685eb72 2bfeb1c0 6b7edb60 daf9957d db46ede4 3bab05f2 3e2626fe eb17046e
    6abdc950 1c547833 701c917a 5db9623f 7dc991e0 310e5f34 590fdf02 03010001
    300d0609 2a864886 f70d0101 05050003 81810067 cbc18d0d 7dff0412 66ac5a31
    bf13d91a 4f23cdd8 fb04b269 cceaeb67 3b9540e2 b09e0441 13598d8c bb01225d
    07428d43 4b2da65f 3c1a0be8 e66a3a1b f2f675be 3d08678a 2227787a 1eb1f4ca
    698c9c7e 8d99fb94 01bc5185 714dc675 d3bd67a6 f030688d a36dc1ac ccb420cb
    4298e890 5718a547 6f41fe76 95c0082e a940a1
    quit
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
    telnet timeout 5
    no ssh stricthostkeycheck
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0

    dhcpd auto_config outside
    !
    dhcpd address 192.168.1.5-192.168.1.36 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl trust-point ASDM_TrustPoint0 inside
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
    enable outside
    anyconnect image disk0:/anyconnect-macos-4.9.04043-webdeploy-k9.pkg 1
    anyconnect image disk0:/anyconnect-win-4.9.04043-webdeploy-k9.pkg 2
    anyconnect profiles Any_client_profile disk0:/Any_client_profile.xml
    anyconnect enable
    tunnel-group-list enable
    group-policy GroupPolicy_Any internal
    group-policy GroupPolicy_Any attributes
    wins-server value 114.114.114.114
    dns-server value 223.5.5.5
    vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value 234
    default-domain value cisco.com
    webvpn
    anyconnect profiles value Any_client_profile type user
    username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
    tunnel-group Any type remote-access
    tunnel-group Any general-attributes
    address-pool pool_Any
    default-group-policy GroupPolicy_Any
    tunnel-group Any webvpn-attributes
    group-alias Any enable
    tunnel-group VPN type remote-access
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:6178a7c91d73664c0348c01caa0ed653
    : end
    no asdm history enable
    makusuofute
        9
    makusuofute  
    OP
       2020-11-30 15:03:36 +08:00
    @Tianao 看了下配置没有解决思路。
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   2584 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 22ms · UTC 15:37 · PVG 23:37 · LAX 08:37 · JFK 11:37
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.