
Network management software maintenance tips: how to restrict the access rights of dial-in VPN users

Posted 2013-4-12 11:21:35
Ran into an extremely frustrating problem: at the customer's request, the ASA had to be configured so that once a remote user dials in over VPN they can only reach intranet resources and are not allowed to reach the Internet.

Test environment: ASA 5520 asa723-18-k8.bin. With the network-management software, the following configuration fully meets the requirement: after a user dials in over VPN they can only reach internal resources, not external ones.
But when I take this configuration template to the production environment, there is just no way to stop dialed-in VPN users from reaching the Internet!
====================================================================================================
Test environment: ASA 5520 asa723-18-k8.bin
tunnel-group testzt type ipsec-ra
tunnel-group testzt ipsec-attributes
pre-shared-key *
group-policy zttest internal
group-policy zttest attributes
vpn-simultaneous-logins 100
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter value deny-access-internet
split-tunnel-network-list value Deny-access-internet
access-list deny-access-internet extended permit ip 192.168.1.0 255.255.255.0 200.1.0.0 255.255.0.0
access-list deny-access-internet extended permit ip 192.168.1.0 255.255.255.0 172.25.90.0 255.255.255.0
access-list deny-access-internet extended permit ip 192.168.1.0 255.255.255.0 100.1.0.0 255.255.0.0
access-list deny-access-internet extended deny ip 192.168.1.0 255.255.255.0 any
access-list Deny-access-internet extended permit ip 172.25.90.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Deny-access-internet extended permit ip 100.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list Deny-access-internet extended permit ip 200.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list Deny-access-internet extended deny ip any 192.168.1.0 255.255.255.0
username kakaka password 69eXZQeiMSKhVvOt encrypted
username kakaka attributes
vpn-group-policy zttest
vpn-tunnel-protocol IPSec
vpn-framed-ip-address 192.168.1.100 255.255.255.0
Test succeeded: user kakaka can only reach the intranet, not the Internet; using the network-management software correctly really does solve a lot of problems!
=================================================================================
Production environment: ASA 5540 asa723-18-k8.bin
tunnel-group testzt type ipsec-ra
tunnel-group testzt ipsec-attributes
pre-shared-key *
group-policy zttest internal
group-policy zttest attributes
vpn-simultaneous-logins 100
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter value deny-access-internet
split-tunnel-network-list value Deny-access-internet
access-list deny-access-internet extended permit ip host 172.25.230.188 172.0.0.0 255.0.0.0
access-list deny-access-internet extended permit ip host 172.25.230.188 10.0.0.0 255.0.0.0
access-list deny-access-internet extended deny ip host 172.25.230.188 any
access-list Deny-access-internet extended permit ip 172.0.0.0 255.0.0.0 host 172.25.230.188
access-list Deny-access-internet extended permit ip 10.0.0.0 255.0.0.0 host 172.25.230.188
access-list Deny-access-internet extended deny ip any host 172.25.230.188
username kakaka password 69eXZQeiMSKhVvOt encrypted
username kakaka attributes
vpn-group-policy zttest
vpn-tunnel-protocol IPSec
vpn-framed-ip-address 172.25.230.188 255.255.255.0
Test failed: user kakaka can reach both the intranet and the Internet. Ugh, no restriction at all!
Solution: on the 5540 I added
split-tunnel-policy excludespecified
under group-policy zttest attributes, and that did it: users are restricted from the Internet and can only reach the intranet.
What this command means: Exclude only networks specified by split-tunnel-network-list (excludes the users going out to the public network).
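Editor's note with a worked configuration. This is an added example, not the poster's configuration and not from Cisco; the addresses, pool, ACL name and the inside prefixes are assumptions, while the group-policy and tunnel-group names are reused from the thread. The point it makes is that the two environments above never set `split-tunnel-policy` at all, so both silently depend on the ASA default (`tunnelall`). Whether a `tunnelall` client can then reach the Internet through the ASA is decided by two things on the firewall, not on the client: the split-tunnel policy, and whether the ASA is allowed to hairpin VPN traffic back out of the outside interface (`same-security-traffic permit intra-interface` plus a NAT rule for the pool). Setting the policy explicitly and keeping a `vpn-filter` makes the template behave the same on every box it is copied to.

```cisco
! Added example (not the poster's config). Assumed values: inside networks
! 10.0.0.0/8 and 172.16.0.0/12, VPN address pool 172.25.230.0/24, group-policy
! and tunnel-group names taken from the thread. Check ACL syntax against the
! documentation for the ASA release actually in use.
!
! 1. Keep all client traffic inside the tunnel. tunnelall is the default, but
!    set it explicitly so the template does not depend on a default or on a
!    stale split-tunnel-policy left behind on the target device. With
!    tunnelall, and with no "same-security-traffic permit intra-interface"
!    and no NAT from the pool back out the outside interface, Internet-bound
!    traffic from the client has nowhere to go once it reaches the ASA.
! 2. Use vpn-filter to limit the client to the intranet prefixes. Cisco's
!    remote-access vpn-filter examples put the VPN client address in the
!    destination field of each ACE, so the ACL is written that way here.
!    ASA object names are case-sensitive; use one clearly named ACL rather
!    than two names that differ only in case as in the thread.
!
ip local pool VPN-POOL 172.25.230.10-172.25.230.200 mask 255.255.255.0
!
access-list VPN-FILTER-INTRANET extended permit ip 10.0.0.0 255.0.0.0 172.25.230.0 255.255.255.0
access-list VPN-FILTER-INTRANET extended permit ip 172.16.0.0 255.240.0.0 172.25.230.0 255.255.255.0
access-list VPN-FILTER-INTRANET extended deny ip any 172.25.230.0 255.255.255.0
!
group-policy zttest internal
group-policy zttest attributes
 vpn-simultaneous-logins 100
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelall
 vpn-filter value VPN-FILTER-INTRANET
!
tunnel-group testzt type ipsec-ra
tunnel-group testzt general-attributes
 address-pool VPN-POOL
 default-group-policy zttest
tunnel-group testzt ipsec-attributes
 pre-shared-key *
```

After applying it, verify from a connected client that a ping to an inside host succeeds and a ping to a public address fails, and on the ASA check `show vpn-sessiondb remote` for the session's assigned address and `show access-list VPN-FILTER-INTRANET` for hit counts on the permit and deny entries. If Internet traffic still gets through, look for `same-security-traffic permit intra-interface` and a NAT rule covering the pool on the outside interface; those, not the split-tunnel list, are what would let tunnelled traffic back out.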

Posted 2013-4-12 13:58:49
Taking a look.