Restricting the Access Rights of Dial-in VPN Users

2012-11-09

    Ran into an extremely frustrating problem. At the customer's request, the ASA was to be configured so that once a remote user dials in over VPN, they can reach only intranet resources and are not allowed to reach the Internet.
    Test environment: ASA 5520, asa723-18-k8.bin. The configuration below fully met the requirement: after dialing in over VPN, the user could reach only internal resources and no external ones.
    But when this configuration template was taken to the production environment, there was simply no way to stop dial-in VPN users from reaching the Internet!
    ===========================================================================
    Test environment:  ASA 5520   asa723-18-k8.bin
    tunnel-group testzt type ipsec-ra
    tunnel-group testzt ipsec-attributes
     pre-shared-key *
    group-policy zttest internal
    group-policy zttest attributes
     vpn-simultaneous-logins 100
     vpn-idle-timeout none
     vpn-session-timeout none
     vpn-filter value deny-access-internet
     split-tunnel-network-list value Deny-access-internet
    access-list deny-access-internet extended permit ip 192.168.1.0 255.255.255.0 200.1.0.0 255.255.0.0
    access-list deny-access-internet extended permit ip 192.168.1.0 255.255.255.0 172.25.90.0 255.255.255.0
    access-list deny-access-internet extended permit ip 192.168.1.0 255.255.255.0 100.1.0.0 255.255.0.0
    access-list deny-access-internet extended deny ip 192.168.1.0 255.255.255.0 any
    access-list Deny-access-internet extended permit ip 172.25.90.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list Deny-access-internet extended permit ip 100.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
    access-list Deny-access-internet extended permit ip 200.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
    access-list Deny-access-internet extended deny ip any 192.168.1.0 255.255.255.0
    username kakaka password 69eXZQeiMSKhVvOt encrypted
    username kakaka attributes
     vpn-group-policy zttest
     vpn-tunnel-protocol IPSec
     vpn-framed-ip-address 192.168.1.100 255.255.255.0
    Test passed: user kakaka can reach only the intranet, not the Internet.
    =======================================================================
    Production environment:  ASA 5540   asa723-18-k8.bin
    tunnel-group testzt type ipsec-ra
    tunnel-group testzt ipsec-attributes
     pre-shared-key *
    group-policy zttest internal
    group-policy zttest attributes
     vpn-simultaneous-logins 100
     vpn-idle-timeout none
     vpn-session-timeout none
     vpn-filter value deny-access-internet
     split-tunnel-network-list value Deny-access-internet
    access-list deny-access-internet extended permit ip host 172.25.230.188 172.0.0.0 255.0.0.0
    access-list deny-access-internet extended permit ip host 172.25.230.188 10.0.0.0 255.0.0.0
    access-list deny-access-internet extended deny ip host 172.25.230.188 any
    access-list Deny-access-internet extended permit ip 172.0.0.0 255.0.0.0 host 172.25.230.188
    access-list Deny-access-internet extended permit ip 10.0.0.0 255.0.0.0 host 172.25.230.188
    access-list Deny-access-internet extended deny ip any host 172.25.230.188
    username kakaka password 69eXZQeiMSKhVvOt encrypted
    username kakaka attributes
     vpn-group-policy zttest
     vpn-tunnel-protocol IPSec
     vpn-framed-ip-address 172.25.230.188 255.255.255.0
    Test failed: user kakaka can reach both the intranet and the Internet. Ugh, the restriction did not take effect!
    Solution: on the 5540 I added the following under group-policy zttest attributes:
    split-tunnel-policy excludespecified, and that did it: the user is now restricted from the Internet and can reach only the intranet.
    Meaning of this command: Exclude only networks specified by split-tunnel-network-list (that is, it rules out the users' path out to the public Internet).
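    To make the vpn-filter semantics concrete, here is an added Python example (not code from the original post and not a Cisco tool) that parses the page's `access-list ... extended permit|deny ip` lines into entries and evaluates them first-match with an implicit deny at the end, the way the ASA evaluates an ACL. The ACL lines are copied from the two environments above; the client addresses are the framed IPs from the page, and the public host 8.8.8.8 and the internal hosts used as destinations are constructed sample values. The parser covers only what the page uses: the `ip` protocol and the address forms `any`, `host A.B.C.D` and `NETWORK MASK`.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: the two ACLs from the test environment above, verbatim.
# ASA ACL names are case-sensitive, so "deny-access-internet" (the vpn-filter)
# and "Deny-access-internet" (the split-tunnel network list) are distinct ACLs.
TEST_ENV_CONFIG = """
access-list deny-access-internet extended permit ip 192.168.1.0 255.255.255.0 200.1.0.0 255.255.0.0
access-list deny-access-internet extended permit ip 192.168.1.0 255.255.255.0 172.25.90.0 255.255.255.0
access-list deny-access-internet extended permit ip 192.168.1.0 255.255.255.0 100.1.0.0 255.255.0.0
access-list deny-access-internet extended deny ip 192.168.1.0 255.255.255.0 any
access-list Deny-access-internet extended permit ip 172.25.90.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Deny-access-internet extended permit ip 100.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list Deny-access-internet extended permit ip 200.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list Deny-access-internet extended deny ip any 192.168.1.0 255.255.255.0
"""

# Constructed sample: the vpn-filter ACL from the production environment above.
PROD_ENV_CONFIG = """
access-list deny-access-internet extended permit ip host 172.25.230.188 172.0.0.0 255.0.0.0
access-list deny-access-internet extended permit ip host 172.25.230.188 10.0.0.0 255.0.0.0
access-list deny-access-internet extended deny ip host 172.25.230.188 any
"""


@dataclass
class Ace:
    """One access-control entry: action plus source and destination networks."""
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Parse one ASA address spec at tokens[i]; returns (network, next_index).
    Handles the three forms used on the page: 'any', 'host A.B.C.D', 'NET MASK'."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # network/netmask form, e.g. 192.168.1.0 255.255.255.0
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(config_text, name):
    """Collect the ACEs of the named extended 'ip' ACL, in configuration order."""
    aces = []
    for line in config_text.splitlines():
        tokens = line.split()
        # shortest valid ACE: access-list NAME extended permit ip any any (7 tokens)
        if len(tokens) < 7 or tokens[:2] != ["access-list", name]:
            continue
        if tokens[2] != "extended" or tokens[3] not in ("permit", "deny") or tokens[4] != "ip":
            raise ValueError(f"unsupported ACE syntax: {line}")
        src, i = _parse_addr(tokens, 5)
        dst, _ = _parse_addr(tokens, i)
        aces.append(Ace(tokens[3], src, dst))
    return aces


def evaluate(aces, src_ip, dst_ip):
    """First-match evaluation with the ASA's implicit deny at the end of the ACL."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


def vpn_filter_verdicts(config_text, client_ip, destinations):
    """Verdict of the vpn-filter ACL 'deny-access-internet' for each destination."""
    aces = parse_acl(config_text, "deny-access-internet")
    return {dst: evaluate(aces, client_ip, dst) for dst in destinations}


if __name__ == "__main__":
    # 8.8.8.8 stands in for "some public Internet host" (constructed value).
    print(vpn_filter_verdicts(TEST_ENV_CONFIG, "192.168.1.100", ["172.25.90.10", "8.8.8.8"]))
    print(vpn_filter_verdicts(PROD_ENV_CONFIG, "172.25.230.188", ["10.1.1.1", "8.8.8.8"]))
```

    Run stand-alone, the script reports "permit" for the internal destinations and "deny" for the public one in both environments, so the filter ACL lines themselves are not where the two setups differ; that agrees with the author's finding that the change which took effect was the split-tunnel policy in the group policy. Two things worth checking in any such configuration also fall out of the parser: the two ACL names differ only in case and are separate objects on the ASA, and the production filter names the single host 172.25.230.188, so any other address handed out from the pool would fall through to the implicit deny rather than to the intended permit entries.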
