Здравствуйте!
Схема такая: внешняя сеть / внутренняя сеть
[PC1: WinXP------- ------------[ASA]/--------- --[PC2: WinXP]
ст.адрес от пров-ра yyy.yyy.yyy.yyy xxx.xxx.xxx.xxx /192.168.1.1 192.168.1.2
адрес с дин.пула АСЫ 192.168.1.100 /
Ситуация такая: PC1 подключается к АСЕ через VPN клиента, получает адрес с динамического пула. Но пакеты не ходят даже на внутренний интерфейс АСЫ (192.168.1.1).
Помогите разобраться. Заранее спасибо!
ciscoasa# sh run
: Saved
:
ASA Version 7.2(2)
!
! Review notes are added as "!" comment lines; they carry no configuration.
! Topology as described in the post: inside = 192.168.1.0/24 on Vlan103,
! outside = PPPoE on Vlan104; an SSL VPN (SVC/AnyConnect) client gets an address
! from pool user_vpn and cannot reach 192.168.1.1 or the inside hosts.
hostname ciscoasa
domain-name default.domain.invalid
! NOTE(review): "encrypted" only means hashed — the real enable, login and user
! password hashes of this device are in the paste; treat them as disclosed and
! rotate them.
enable password PLBb27eKLE1o9FTB encrypted
names
!
! Vlan1: unused (no nameif, no security-level, no address).
interface Vlan1
no nameif
no security-level
no ip address
!
! inside: 192.168.1.1/24, security-level 100.
interface Vlan103
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
! outside: address and default route come from the PPPoE session ("setroute");
! vpdn group "test" (defined further down) supplies the PPPoE login.
interface Vlan104
nameif outside
security-level 0
pppoe client vpdn group test
ip address pppoe setroute
!
interface Ethernet0/0
switchport access vlan 103
!
interface Ethernet0/1
switchport access vlan 104
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
retries 1
name-server x.x.x.x
domain-name default.domain.invalid
! Lets traffic pass between interfaces of equal security level; the
! "intra-interface" variant (hairpinning on one interface) is not enabled
! anywhere in this output.
same-security-traffic permit inter-interface
! racces: the only inbound permit on outside — one TCP port to one host
! (masked by the poster); presumably the port that the "static" below forwards
! to 192.168.1.2.
access-list racces extended permit tcp any host x.x.x.x eq x
! alownat: NAT candidates for inside->outside. 192.168.0.0/24 is not the subnet
! of any interface in this config, so its line presumably never matches — verify.
access-list alownat extended permit ip 192.168.0.0 255.255.255.0 any
access-list alownat extended permit ip 192.168.1.0 255.255.255.0 any
access-list ICMPACL extended permit icmp any any
! inside_outside: the explicit list of what inside hosts may initiate; anything
! not listed is dropped by the implicit deny at the end of the list.
access-list inside_outside extended permit tcp any any eq www
access-list inside_outside extended permit icmp any any
access-list inside_outside extended permit udp any any eq domain
access-list inside_outside extended permit tcp any any eq aol
access-list inside_outside extended permit tcp any any eq smtp
access-list inside_outside extended permit tcp any any eq pop3
access-list inside_outside extended permit tcp any any eq 9999
access-list inside_outside extended permit tcp any any eq https
access-list inside_outside extended permit tcp any any eq 1194
access-list inside_outside extended permit tcp any any eq 3390
access-list inside_outside extended permit tcp any any eq 3389
access-list inside_outside extended permit udp any any eq 1194
access-list inside_outside extended permit tcp any any eq ftp
access-list inside_outside extended permit tcp any any eq ftp-data
access-list inside_outside extended permit tcp any any eq 8080
access-list inside_outside extended permit tcp any any eq 3355
access-list FTPACL extended permit tcp any any eq ftp
access-list FTPACL extended permit tcp any any eq ftp-data
pager lines 24
mtu inside 1500
mtu outside 1500
! NOTE(review): the VPN pool is carved out of the inside subnet itself
! (192.168.1.100-110 lies within 192.168.1.0/24). With an overlapping pool the
! ASA must answer ARP on inside for the pool addresses; worth confirming, or
! moving the pool to its own subnet that the LAN routes to 192.168.1.1.
ip local pool user_vpn 192.168.1.100-192.168.1.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
! Permits ICMP *to* the inside interface address only for packets arriving on
! inside. A VPN client's packets arrive on outside, so pinging 192.168.1.1 from
! the client needs "management-access inside", which is absent from this output.
icmp permit any inside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
! NOTE(review): nat-control is on and the only translation rules are the
! inside->outside PAT (global/nat id 1) and the single static port-forward.
! Nothing exempts inside <-> 192.168.1.100-110 from translation
! ("nat (inside) 0 access-list ..." or an identity static), which is a likely
! reason VPN-client packets never reach inside hosts — confirm with "show
! xlate" and the syslog before changing anything.
nat-control
global (outside) 1 interface
nat (inside) 1 access-list alownat
static (inside,outside) tcp interface x 192.168.1.2 x netmask 255.255.255.255
! inside_outside filters what inside hosts start; racces filters inbound on
! outside. Traffic from the SSL VPN clients enters on outside and, with the
! default sysopt behaviour, is not subject to racces.
access-group inside_outside in interface inside
access-group racces in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
! Group policy "test": SSL VPN only (webvpn); "svc required" makes the SVC/
! AnyConnect client mandatory for the session rather than clientless access.
group-policy test internal
group-policy test attributes
vpn-tunnel-protocol webvpn
webvpn
svc required
! Local accounts (names masked); the second one has privilege 15.
username xxx password hrQJD8m6imkmheRR encrypted
username xxxx password pqTbTfo5OBDPP2x6 encrypted privilege 15
! enable and telnet logins are checked against the local database. No
! "aaa authentication ssh console" or "ssh <host> <mask> inside" line exists,
! so SSH is not a usable management path here; clear-text telnet from
! 192.168.1.2 (see below) is.
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
aaa local authentication attempts max-fail 5
! ASDM/HTTPS management limited to 192.168.1.2 on inside.
http server enable
http 192.168.1.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
! Traps are enabled, but no "snmp-server host" appears in this output, so they
! have no destination.
snmp-server enable traps snmp authentication linkup linkdown coldstart
! Tunnel group "remote_users": hands out user_vpn addresses, applies
! group-policy "test"; alias "itserv" is what the client's group list shows.
tunnel-group remote_users type webvpn
tunnel-group remote_users general-attributes
address-pool user_vpn
default-group-policy test
tunnel-group remote_users webvpn-attributes
group-alias itserv enable
! Telnet allowed only from 192.168.1.2 on inside.
telnet 192.168.1.2 255.255.255.255 inside
telnet timeout 60
ssh timeout 5
console timeout 0
! PPPoE dial-out credentials; the password is kept in local storage and masked.
vpdn group test request dialout pppoe
vpdn group test localname xxxx
vpdn group test ppp authentication pap
vpdn username xxxxx password ********* store-local
!
! Inspection: only ICMP and FTP are inspected, through the global service
! policy below. The factory "global_policy"/"inspection_default" pair does not
! appear in this output, so the other default inspections (dns etc.) are not
! active here.
class-map FTP-CLASS
match access-list FTPACL
class-map ICMP-CLASS
match access-list ICMPACL
!
!
policy-map ICMP-POLICY
class ICMP-CLASS
inspect icmp
class FTP-CLASS
inspect ftp
!
service-policy ICMP-POLICY global
! SSL VPN enabled on outside with the SVC image; "tunnel-group-list enable"
! shows the group aliases on the login page.
webvpn
enable outside
svc image disk0:/sslclient-win-1.1.4.179-anyconnect.pkg 1
svc enable
tunnel-group-list enable
prompt hostname context
Cryptochecksum:404c7d9a0a1bbca334bffea1b0459c30
: end