Добрый день всем! Подскажите пожалуйста, есть ASA с настроенным IPsec. Туннель поднимается, клиенты снаружи пингуют внутреннюю сеть за VPN-шлюзом, но в интернет выйти не могут, все внешние IP недоступны. Я думаю, что надо дописывать ACL, но как правильно написать, не знаю. И еще проблема: почему-то не резолвятся внутренние имена внутренних ПК. Подскажите пожалуйста.
ip local pool vpn_pool 10.47.1.10-10.47.1.20 mask 255.255.255.224
dns server-group DefaultDNS
name-server 109.195.225.1
name-server 109.195.224.1
domain-name workgroup
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network LAN
subnet 192.168.1.0 255.255.255.0
object network ASA
host 192.168.1.1
object network NETWORK_OBJ_10.47.1.0_27
subnet 10.47.1.0 255.255.255.224
object-group network nat1
network-object object ASA
network-object object NETWORK_OBJ_10.47.1.0_27
access-list inside_access_out extended permit ip any any
access-list outside_access_in extended permit object-group
access-list outside_access_in extended deny ip any 192.168.1.0 255.255.255.0 log errors
access-list outside_access_in extended deny object-group TCPUDP any 192.168.1.0 255.255.255.0 log errors
access-list home_splitTunnelAcl standard permit any4
!
tcp-map Test
reserved-bits drop
!
nat (outside,inside) after-auto source static NETWORK_OBJ_10.47.1.0_27 NETWORK_OBJ_10.47.1.0_27 no-proxy-arp
nat (inside,outside) after-auto source dynamic nat1 interface dns
access-group outside_access_in in interface outside
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
group-policy home internal
group-policy home attributes
dns-server value 192.168.1.2
vpn-tunnel-protocol ikev1 ikev2
split-tunnel-policy tunnelspecified
split-tunnel-network-list value home_splitTunnelAcl
default-domain value workgroup
split-tunnel-all-dns disable
tunnel-group home type remote-access
tunnel-group home general-attributes
address-pool vpn_pool
default-group-policy home
tunnel-group home ipsec-attributes
ikev1 pre-shared-key Ki2013Pr
tunnel-group-map default-group home
!
Спасибо, разобрался) Надо добавить правило НАТ. А вот куда копать по поводу того, что не резолвятся DNS-имена компов?
> Спасибо,разобрался) Надо добавить правило НАТ.А вот куда копать по поводу того что
> не резолвятся dns имена компов?
А к какому DNS лезут компы для проверки внутренних имен?
Вывод ipconfig /all и nslookup <имя-внутренней-машины> покажете?
>> Спасибо,разобрался) Надо добавить правило НАТ.А вот куда копать по поводу того что
>> не резолвятся dns имена компов?
> А к какому DNS лезут компы для проверки внутренних имен?
> Вывод ipconfig /all и nslookup <имя-внутренней-машины> покажете?
Андрей, к сожалению, моя теория не сработала: при перезагрузке ASA либо впн не поднимается совсем, либо нат (из сети впн-пула нет интернета) не работает.
Может, у вас есть какие-то идеи, как настроить правильно?
С ДНС потом буду разбираться, не приоритет.
>>> Спасибо,разобрался) Надо добавить правило НАТ.А вот куда копать по поводу того что
>>> не резолвятся dns имена компов?
>> А к какому DNS лезут компы для проверки внутренних имен?
>> Вывод ipconfig /all и nslookup <имя-внутренней-машины> покажете?
> Андрей к сожалению моя теория не сработала,при перезагрузке ASA либо впн не
> поднимается совсем либо нат (с сети впн пула нет интернета) не
> работает.
> Может у вас есть какие идеи как настроить правильно?
> С ДНС потом буду разбираться,не приоритет.
Вроде все ок.
hostname ciscoasa
domain-name workgroup
asp rule-engine transactional-commit access-group
xlate per-session permit udp 192.168.1.0 255.255.255.0 any4
xlate per-session permit tcp 192.168.1.0 255.255.255.0 any4
xlate per-session deny udp any4 any4
xlate per-session deny tcp any4 any4
names
dns-guard
ip local pool vpn_pool 10.47.1.10-10.47.1.20 mask 255.255.255.224
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
description 1
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
mac-address 0024.5427.f6e9 standby 0024.5427.f6e9
nameif outside
security-level 0
ip address pppoe setroute
!
!
time-range test_time
periodic daily 0:00 to 7:00
!
boot system disk0:/asa924-k8.bin
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.1.2
domain-name workgroup
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network LAN
subnet 192.168.1.0 255.255.255.0
object network NETWORK_VPN_10.47.1.0_27
subnet 10.47.1.0 255.255.255.224
object-group network nat1
network-object object SamsNout
object-group icmp-type ICPM
icmp-object unreachable
icmp-object echo-reply
icmp-object source-quench
icmp-object time-exceeded
icmp-object echo
icmp-object traceroute
icmp-object timestamp-reply
icmp-object timestamp-request
icmp-object information-reply
icmp-object information-request
icmp-object router-advertisement
icmp-object router-solicitation
icmp-object alternate-address
icmp-object conversion-error
icmp-object mask-reply
icmp-object mask-request
icmp-object mobile-redirect
icmp-object parameter-problem
icmp-object redirect
object-group service SIP tcp-udp
port-object eq sip
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
access-list outside_access_in extended permit udp any object NAS object-group NASUDP log disable
access-list outside_access_in extended permit tcp any object NAS object-group NASTCP log disable
access-list outside_access_in extended permit object-group TCPUDP any object NAS object-group SIP log disable inactive
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 object NETWORK_VPN_10.47.1.0_27 192.168.1.0 255.255.255.0 inactive
access-list outside_access_in extended deny ip any 192.168.1.0 255.255.255.0 log alerts
access-list outside_access_in extended deny object-group TCPUDP any 192.168.1.0 255.255.255.0 log alerts
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any log disable
access-list home_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list http-acl extended permit object-group TCPUDP 192.168.1.0 255.255.255.0 host 188.42.129.148 eq www log disable
!
tcp-map Test
reserved-bits drop
!
pager lines 24
logging enable
logging timestamp
logging buffer-size 8096
logging monitor warnings
logging trap warnings
logging asdm warnings
logging mail critical
logging device-id ipaddress inside
logging host inside 192.168.1.2
logging debug-trace
logging flash-bufferwrap
logging permit-hostdown
logging class auth monitor emergencies
no logging message 106100
logging message 313001 level warnings
logging message 403503 level critical
logging message 403504 level warnings
logging message 106023 level notifications
logging message 106021 level notifications
logging message 106016 level warnings
logging rate-limit 5 1 level 2
logging rate-limit 3 3 level 3
flow-export destination inside 192.168.1.15 9996
flow-export template timeout-rate 1
flow-export delay flow-create 15
mtu inside 1500
mtu outside 1492
ip verify reverse-path interface outside
ip audit name Attack attack action alarm drop
ip audit interface outside Attack
ip audit attack action alarm drop
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-792-152.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static NETWORK_VPN_10.47.1.0_27 NETWORK_VPN_10.47.1.0_27 no-proxy-arp route-lookup
!
nat (inside,outside) after-auto source dynamic nat1 interface dns
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http server idle-timeout 60
http server session-timeout 60
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
sysopt connection timewait
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 60
no ssh stricthostkeycheck
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcprelay server 192.168.1.5 inside
priority-queue outside
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 10.47.1.0 255.255.255.0
threat-detection scanning-threat shun except ip-address 192.168.1.0 255.255.255.0
threat-detection scanning-threat shun duration 3600
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable interface outside
dynamic-filter drop blacklist interface outside
dynamic-filter ambiguous-is-black
dynamic-filter whitelist
name update-manifests.ironport.com
ntp server 192.168.1.2 source inside prefer
ssl encryption aes128-sha1 aes256-sha1 3des-sha1
webvpn
anyconnect-essentials
group-policy home attributes
dns-server value 192.168.1.2
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value home_splitTunnelAcl
default-domain value workgroup
split-tunnel-all-dns disable
tunnel-group home type remote-access
tunnel-group home general-attributes
address-pool vpn_pool
default-group-policy home
tunnel-group home ipsec-attributes
!
class-map outside-class3
match default-inspection-traffic
class-map global-class
description flow_export
match any
class-map QOS
description QOS
match any
class-map QOS-class
match any
class-map Nyeflow_global-class
match any
class-map type regex match-any block-url-class_class
match regex blockex1
match regex blockex2
match regex blockex3
match regex blockex4
match regex blockex7
match regex blockex6
match regex blockex5
match regex blockex8
match regex blockex9
match regex blocex10
match regex blocex11
class-map type inspect http match-all asdm_medium_security_methods
match not request method head
match not request method post
match not request method get
class-map type inspect http match-any block-url-class
match request header host regex class block-url-class_class
match request uri regex class block-url-class_class
class-map type inspect http match-all asdm_high_security_methods
match not request method get
match not request method head
class-map outside-class
match access-list http-acl
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
id-randomization
id-mismatch action log
policy-map type inspect skinny SCCP_Map
parameters
message-id max 0x141
timeout media 0:01:00
timeout signaling 0:05:00
rtp-conformance
policy-map type inspect ftp FTP_Map
parameters
mask-banner
mask-syst-reply
policy-map type inspect http block-url-policy
parameters
protocol-violation action drop-connection log
class asdm_high_security_methods
drop-connection
match request uri regex class block-url-class_class
drop-connection log
policy-map LAN
description Inspection
class QOS
set connection timeout idle 1:00:00 dcd 0:15:00 5
set connection advanced-options Test
set connection decrement-ttl
policy-map type inspect im IM_Map
parameters
match protocol msn-im yahoo-im
drop-connection log
policy-map type inspect sip SIP_MAP
parameters
max-forwards-validation action drop log
state-checking action drop log
software-version action mask log
strict-header-validation action drop log
no traffic-non-sip
uri-non-sip action mask log
rtp-conformance
policy-map type inspect netbios NetBIOS_Map
parameters
protocol-violation action drop log
policy-map QOS
policy-map Netflow
policy-map global_policy
description flow_export
class global-class
flow-export event-type all destination 192.168.1.15
policy-map type inspect esmtp ESMTP_MAP
parameters
special-character action drop-connection log
no allow-tls
match sender-address length gt 320
drop-connection
match MIME filename length gt 255
drop-connection
match cmd line length gt 512
drop-connection
match cmd RCPT count gt 100
drop-connection
match body line length gt 998
drop-connection
policy-map type inspect h323 H323_MAP
parameters
state-checking h225
state-checking ras
rtp-conformance
policy-map outside-policy
class outside-class3
inspect ctiqbe
inspect dcerpc
inspect esmtp ESMTP_MAP
inspect ftp strict FTP_Map
inspect h323 h225 H323_MAP
inspect h323 ras H323_MAP
inspect icmp
inspect icmp error
inspect ils
inspect im IM_Map
inspect ip-options
inspect ipsec-pass-thru
inspect mgcp
inspect netbios NetBIOS_Map
inspect pptp
inspect rsh
inspect rtsp
inspect sip SIP_MAP
inspect skinny SCCP_Map
inspect snmp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect waas
inspect xdmcp
inspect dns preset_dns_map dynamic-filter-snoop
inspect http block-url-policy
class outside-class
inspect http
!
service-policy global_policy global
service-policy outside-policy interface outside fail-close
smtp-server 192.168.1.2
prompt hostname context
no call-home reporting anonymous
hpm topN enable