ASA5510 and VPN client

Virtual private networks and related topics

Moderator: Federico.Lagni

angelo.val
n00b
Posts: 10
Joined: Wed 14 Nov 2007, 12:54 pm

Hi all, I have just configured an IPsec VPN on the 5510. The VPN client establishes the tunnel correctly, but I cannot ping the machines on the network, let alone reach the shares. Could you give me a hand?

I thought it was a nat0 problem, but that should be fine.

Thanks in advance.
Angelo

Here is the current configuration

Result of the command: "show running-config"

: Saved
:
ASA Version 8.0(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 172.21.100.1 srvwin01
name 172.21.100.3 srvwin03
name 172.21.100.4 srvwin04
name 172.21.100.5 srvwin05
name 88.xx.xx.132 SRVDOMxxx1
name 172.21.100.2 srvwin02
name 88.xx.xx.131 SRVDOMxxx1OLD
name 88.xx.xx.139 Txxx
name 172.21.100.9 srvwin01f
!
interface Ethernet0/0
nameif wan
security-level 0
ip address 88.xx.xx.130 255.255.255.240
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
nameif lan
security-level 90
ip address 172.21.1.1 255.255.0.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.70.254 255.255.255.0
management-only
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_access_in extended permit tcp any host SRVDOMxxx1OLD eq smtp log
access-list outside_access_in extended permit tcp any host SRVDOMxxx1OLD eq lotusnotes log
access-list outside_access_in extended permit tcp any host SRVDOMxxx1OLD eq domain log
access-list outside_access_in extended permit udp any host SRVDOMxxx1OLD log
access-list outside_access_in extended permit tcp any host SRVDOMxxx1 eq smtp log
access-list outside_access_in extended permit tcp any host SRVDOMxxx1 eq lotusnotes log
access-list outside_access_in extended permit tcp any host SRVDOMxxx1 eq domain log
access-list outside_access_in extended permit udp any host SRVDOMxxx1 log
access-list inside_authentication_RADIUS extended deny tcp host srvwin01 any
access-list inside_authentication_RADIUS extended deny tcp host 172.21.50.19 any
access-list inside_authentication_RADIUS extended deny tcp host 172.21.50.3 any
access-list inside_authentication_RADIUS extended deny tcp host srvwin02 any
access-list inside_authentication_RADIUS extended deny tcp host srvwin03 any
access-list inside_authentication_RADIUS extended deny tcp host srvwin04 any
access-list inside_authentication_RADIUS extended deny tcp host srvwin05 any
access-list inside_authentication_RADIUS extended deny tcp host srvwin01f any
access-list inside_authentication_RADIUS extended deny tcp host 172.21.100.11 any
access-list inside_authentication_RADIUS extended permit tcp any any
access-list inside_outbound_nat0_acl extended permit ip 172.21.0.0 255.255.0.0 172.21.0.0 255.255.0.0
access-list outside_cryptomap_dyn_20 extended permit ip any 172.21.20.0 255.255.255.240
access-list inside_access_in extended permit ip any any
access-list 101 extended deny tcp any host SRVDOMxxx1OLD eq 3389 log
access-list 101 extended permit udp any host SRVDOMxxx1OLD eq domain
access-list 101 extended permit tcp any host SRVDOMxxx1OLD eq domain
access-list 101 extended permit tcp any host Txxx eq 8091
access-list 101 extended permit tcp any host Txxx eq 8092
access-list 101 extended permit tcp any host Txxx eq 8093
access-list 101 extended permit tcp any host Txxx eq 8011
access-list 101 extended permit tcp any host Txxx eq 8012
access-list 101 extended permit tcp any host Txxx eq 8013
access-list 101 extended permit tcp any host Txxx eq 8021
access-list 101 extended permit tcp any host Txxx eq 8022
access-list 101 extended permit tcp any host Txxx eq 8023
access-list 101 extended permit tcp any host Txxx eq 8041
access-list 101 extended permit tcp any host SRVDOMxxx1 eq www log
access-list 101 extended permit tcp any host SRVDOMxxx1 eq smtp log
access-list 101 extended deny tcp any host SRVDOMxxx1 eq 3389 log
access-list 101 extended permit tcp any host SRVDOMxxx1 eq lotusnotes log
access-list vpngroup_splitTunnelAcl standard permit any
access-list management_nat0_outbound extended permit ip any 172.21.20.0 255.255.255.240
access-list vpngroup_splitTunnelAcl_2 extended permit ip 172.21.0.0 255.255.0.0 172.21.20.0 255.255.255.240
pager lines 24
logging asdm informational
mtu wan 1500
mtu lan 1500
mtu management 1500
ip local pool POOL01 172.21.20.1-172.21.20.10
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (wan) 1 interface
nat (lan) 0 access-list inside_outbound_nat0_acl
nat (lan) 1 0.0.0.0 0.0.0.0
static (lan,wan) tcp Txxx 8011 172.21.30.11 www netmask 255.255.255.255
static (lan,wan) tcp Txxx 8041 172.21.30.41 www netmask 255.255.255.255
static (lan,wan) tcp Txxx 8021 172.21.30.21 www netmask 255.255.255.255
static (lan,wan) tcp Txxx 8022 172.21.30.22 www netmask 255.255.255.255
static (lan,wan) tcp Txxx 8023 172.21.30.23 www netmask 255.255.255.255
static (lan,wan) tcp Txxx 8012 172.21.30.12 www netmask 255.255.255.255
static (lan,wan) tcp Txxx 8013 172.21.30.13 www netmask 255.255.255.255
static (lan,wan) tcp Txxx 8091 172.21.50.24 8091 netmask 255.255.255.255
static (lan,wan) tcp Txxx 8092 172.21.50.25 8092 netmask 255.255.255.255
static (lan,wan) tcp Txxx 8093 172.21.50.26 8093 netmask 255.255.255.255
static (lan,wan) SRVDOMxxx1 srvwin02 netmask 255.255.255.255 dns
static (lan,wan) SRVDOMxxx1OLD srvwin01 netmask 255.255.255.255 dns
access-group 101 in interface wan
access-group inside_access_in in interface lan
route wan 0.0.0.0 0.0.0.0 88.59.155.129 1
timeout xlate 2:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:00:00 absolute uauth 0:30:00 inactivity
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (lan) host srvwin05
timeout 5
key ***
aaa authentication match inside_authentication_RADIUS lan RADIUS
http server enable
http 192.168.70.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt AUTENTICARSI PER LA NAVIGAZIONE INTERNET
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65534 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface wan
crypto isakmp enable wan
crypto isakmp policy 40
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 40
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy vpngroup internal
group-policy vpngroup attributes
wins-server value 172.21.100.1
dns-server value 172.21.100.1
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpngroup_splitTunnelAcl_2
default-domain value xxx
tunnel-group vpngroup type remote-access
tunnel-group vpngroup general-attributes
address-pool POOL01
authentication-server-group RADIUS
default-group-policy vpngroup
tunnel-group vpngroup ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:6dfe823b349e6b329ae7296076fce4c2
: end
angelo.val
n00b
Posts: 10
Joined: Wed 14 Nov 2007, 12:54 pm

I cleaned up the configuration via the CLI; unfortunately the VPN still connects, but I do not see the resources available on the network.

Do you have any suggestions?

Result of the command: "show running-config"

: Saved
:
ASA Version 8.0(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 172.21.100.1 srvwin01
name 172.21.100.3 srvwin03
name 172.21.100.4 srvwin04
name 172.21.100.5 srvwin05
name xxx.xxx.xxx.132 SRVDOMxxx1
name 172.21.100.2 srvwin02
name xxx.xxx.xxx.131 SRVDOMxxx1OLD
name xxx.xxx.xxx.139 Txxx
name 172.21.100.9 srvwin01f
!
interface Ethernet0/0
nameif wan
security-level 0
ip address xxx.xxx.xxx.130 255.255.255.240
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
nameif lan
security-level 90
ip address 172.21.1.1 255.255.0.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.70.254 255.255.255.0
management-only
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_access_in extended permit tcp any host SRVDOMxxx1OLD eq smtp log
access-list outside_access_in extended permit tcp any host SRVDOMxxx1OLD eq lotusnotes log
access-list outside_access_in extended permit tcp any host SRVDOMxxx1OLD eq domain log
access-list outside_access_in extended permit udp any host SRVDOMxxx1OLD log
access-list outside_access_in extended permit tcp any host SRVDOMxxx1 eq smtp log
access-list outside_access_in extended permit tcp any host SRVDOMxxx1 eq lotusnotes log
access-list outside_access_in extended permit tcp any host SRVDOMxxx1 eq domain log
access-list outside_access_in extended permit udp any host SRVDOMxxx1 log
access-list inside_authentication_RADIUS extended deny tcp host srvwin01 any
access-list inside_authentication_RADIUS extended deny tcp host 172.21.50.19 any
access-list inside_authentication_RADIUS extended deny tcp host 172.21.50.3 any
access-list inside_authentication_RADIUS extended deny tcp host srvwin02 any
access-list inside_authentication_RADIUS extended deny tcp host srvwin03 any
access-list inside_authentication_RADIUS extended deny tcp host srvwin04 any
access-list inside_authentication_RADIUS extended deny tcp host srvwin05 any
access-list inside_authentication_RADIUS extended deny tcp host srvwin01f any
access-list inside_authentication_RADIUS extended deny tcp host 172.21.100.11 any
access-list inside_authentication_RADIUS extended permit tcp any any
access-list vpngroup_splitTunnelAcl standard permit any
access-list management_nat0_outbound_1 extended permit ip any 172.21.20.0 255.255.255.240
access-list inside_access_in extended permit ip any any
access-list 101 extended deny tcp any host SRVDOMxxx1OLD eq 3389 log
access-list 101 extended permit udp any host SRVDOMxxx1OLD eq domain
access-list 101 extended permit tcp any host SRVDOMxxx1OLD eq domain
access-list 101 extended permit tcp any host Txxx eq 8091
access-list 101 extended permit tcp any host Txxx eq 8092
access-list 101 extended permit tcp any host Txxx eq 8093
access-list 101 extended permit tcp any host Txxx eq 8011
access-list 101 extended permit tcp any host Txxx eq 8012
access-list 101 extended permit tcp any host Txxx eq 8013
access-list 101 extended permit tcp any host Txxx eq 8021
access-list 101 extended permit tcp any host Txxx eq 8022
access-list 101 extended permit tcp any host Txxx eq 8023
access-list 101 extended permit tcp any host Txxx eq 8041
access-list 101 extended permit tcp any host SRVDOMxxx1 eq www log
access-list 101 extended permit tcp any host SRVDOMxxx1 eq smtp log
access-list 101 extended deny tcp any host SRVDOMxxx1 eq 3389 log
access-list 101 extended permit tcp any host SRVDOMxxx1 eq lotusnotes log
access-list management_nat0_outbound extended permit ip any 172.21.20.0 255.255.255.240
access-list vpngroup_splitTunnelAcl_3 standard permit 172.21.0.0 255.255.0.0
access-list NAT0-ACL remark *** NAT0 PER VPN CLIENT ***
access-list NAT0-ACL extended permit ip 172.21.0.0 255.255.0.0 172.21.0.0 255.255.0.0
access-list NAT0-ACL remark *** NAT0 PER VPN CLIENT ***
pager lines 24
logging asdm informational
mtu wan 1500
mtu lan 1500
mtu management 1500
ip local pool POOL01 172.21.20.1-172.21.20.10
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (wan) 1 interface
nat (lan) 0 access-list NAT0-ACL
nat (lan) 1 0.0.0.0 0.0.0.0
nat (management) 0 access-list management_nat0_outbound_1
static (lan,wan) tcp Txxx 8011 172.21.30.11 www netmask 255.255.255.255
static (lan,wan) tcp Txxx 8041 172.21.30.41 www netmask 255.255.255.255
static (lan,wan) tcp Txxx 8021 172.21.30.21 www netmask 255.255.255.255
static (lan,wan) tcp Txxx 8022 172.21.30.22 www netmask 255.255.255.255
static (lan,wan) tcp Txxx 8023 172.21.30.23 www netmask 255.255.255.255
static (lan,wan) tcp Txxx 8012 172.21.30.12 www netmask 255.255.255.255
static (lan,wan) tcp Txxx 8013 172.21.30.13 www netmask 255.255.255.255
static (lan,wan) tcp Txxx 8091 172.21.50.24 8091 netmask 255.255.255.255
static (lan,wan) tcp Txxx 8092 172.21.50.25 8092 netmask 255.255.255.255
static (lan,wan) tcp Txxx 8093 172.21.50.26 8093 netmask 255.255.255.255
static (lan,wan) SRVDOMxxx1 srvwin02 netmask 255.255.255.255 dns
static (lan,wan) SRVDOMxxx1OLD srvwin01 netmask 255.255.255.255 dns
access-group 101 in interface wan
access-group inside_access_in in interface lan
route wan 0.0.0.0 0.0.0.0 xxx.xxx.xxx.129 1
timeout xlate 2:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:00:00 absolute uauth 0:30:00 inactivity
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (lan) host srvwin05
timeout 5
key xxxxxx
aaa authentication match inside_authentication_RADIUS lan RADIUS
http server enable
http 192.168.70.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt AUTENTICARSI PER LA NAVIGAZIONE INTERNET
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65534 set security-association lifetime seconds 28800
crypto map outside_map 65534 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 set security-association lifetime seconds 28800
crypto map outside_map 65535 set security-association lifetime kilobytes 4608000
crypto map wan_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map wan_map interface wan
crypto isakmp enable wan
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 21
telnet 192.168.70.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy vpngroup internal
group-policy vpngroup attributes
wins-server value 172.21.100.1
dns-server value 172.21.100.1
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpngroup_splitTunnelAcl_3
default-domain value xxx
tunnel-group vpngroup type remote-access
tunnel-group vpngroup general-attributes
address-pool POOL01
authentication-server-group RADIUS
default-group-policy vpngroup
tunnel-group vpngroup ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:cdc072f62bf6dc6b88741334d7ae80c7
: end
Wizard
Intergalactic subspace network admin
Posts: 3441
Joined: Fri 03 Feb 2006, 10:04 am
Location: Emilia Romagna

nat0 ok
split tunnel ok

check in the VPN client statistics whether split tunnel and NAT-T are OK

also try connecting from another PC
The future is made of people who have intuitions and visions ..... they are the people who make the difference...... those endowed with a THIRD EYE....
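Added example (not from the thread, not Cisco's code): a small Python checker that parses the lines of an ASA 8.0-style running-config that decide whether a remote-access client can reach the LAN, and tests the two things Wizard's reply ticks off, plus one more. It checks that the nat0 ACL bound to the LAN interface exempts LAN-to-pool traffic, that the split-tunnel ACL includes the LAN network when the policy is tunnelspecified, and, as an extra check, whether the address pool falls inside the LAN interface's own subnet. That last point matters because LAN hosts treat pool addresses carved out of their own subnet as on-link and ARP for them rather than forwarding replies to the ASA, so reachability then depends on the ASA answering those ARPs; a pool in its own subnet avoids the question. SAMPLE_CONFIG is a constructed excerpt mirroring the thread's second config (LAN 172.21.0.0/16, pool 172.21.20.1-10, NAT0-ACL and the split-tunnel list are the thread's values; the WAN address is a documentation address). The function names parse_asa and check_vpn_client_reachability are mine, and the parser is deliberately simplified: it handles permit entries only, a single group-policy and tunnel-group, and the "nat (if) 0 access-list" form.

```python
import ipaddress

# Constructed excerpt modelled on the thread's second running-config (LAN, pool and ACL
# addresses are the thread's own; the WAN address is a documentation address).
SAMPLE_CONFIG = """\
name 172.21.100.1 srvwin01
interface Ethernet0/0
 nameif wan
 ip address 192.0.2.130 255.255.255.240
interface Ethernet0/3
 nameif lan
 ip address 172.21.1.1 255.255.0.0
access-list NAT0-ACL remark *** NAT0 PER VPN CLIENT ***
access-list NAT0-ACL extended permit ip 172.21.0.0 255.255.0.0 172.21.0.0 255.255.0.0
access-list vpngroup_splitTunnelAcl_3 standard permit 172.21.0.0 255.255.0.0
access-list inside_access_in extended permit ip any any
ip local pool POOL01 172.21.20.1-172.21.20.10
nat (lan) 0 access-list NAT0-ACL
nat (lan) 1 0.0.0.0 0.0.0.0
group-policy vpngroup attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpngroup_splitTunnelAcl_3
tunnel-group vpngroup general-attributes
 address-pool POOL01
"""


def _acl_term(tokens, names):
    """Read one ACL address term ('any', 'host X' or 'X MASK'); return (network, tokens used)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    if tokens[0] == "host":
        return ipaddress.ip_network(names.get(tokens[1], tokens[1]) + "/32"), 2
    addr = names.get(tokens[0], tokens[0])
    return ipaddress.ip_network(f"{addr}/{tokens[1]}", strict=False), 2


def parse_asa(text):
    """Simplified parser: permit entries only, one group-policy, 'nat (if) 0 access-list' form."""
    cfg = {"names": {}, "interfaces": {}, "acls": {}, "pools": {}, "nat0": {},
           "split_policy": None, "split_acl": None, "pool_name": None}
    iface = None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name":                       # 'name <ip> <label>' object names
            cfg["names"][t[2]] = t[1]
        elif t[0] == "interface":
            iface = {"net": None}
        elif t[0] == "nameif" and iface is not None:
            cfg["interfaces"][t[1]] = iface
        elif t[:2] == ["ip", "address"] and iface is not None:
            iface["net"] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif t[0] == "access-list" and t[2] in ("standard", "extended") and t[3] == "permit":
            if t[2] == "standard":
                src, _ = _acl_term(t[4:], cfg["names"])
                cfg["acls"].setdefault(t[1], []).append((src, None))
            else:                                # t[4] is the protocol
                src, n = _acl_term(t[5:], cfg["names"])
                dst, _ = _acl_term(t[5 + n:], cfg["names"])
                cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            cfg["pools"][t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            cfg["nat0"][t[1].strip("()")] = t[4]
        elif t[0] == "split-tunnel-policy":
            cfg["split_policy"] = t[1]
        elif t[:2] == ["split-tunnel-network-list", "value"]:
            cfg["split_acl"] = t[2]
        elif t[0] == "address-pool":
            cfg["pool_name"] = t[1]
    return cfg


def check_vpn_client_reachability(cfg, lan_if="lan"):
    """Return a list of findings; an empty list means all three checks passed."""
    findings = []
    lan = cfg["interfaces"][lan_if]["net"]
    lo, hi = cfg["pools"][cfg["pool_name"]]
    pool = list(ipaddress.summarize_address_range(lo, hi))   # pool range as CIDR blocks

    # 1. NAT exemption: the nat0 ACL on the LAN interface must cover LAN -> pool, otherwise
    #    LAN-to-client replies fall under the dynamic 'nat (lan) 1' rule instead.
    nat0 = cfg["acls"].get(cfg["nat0"].get(lan_if, ""), [])
    for blk in pool:
        if not any(dst is not None and lan.subnet_of(src) and blk.subnet_of(dst)
                   for src, dst in nat0):
            findings.append(f"nat0: no entry on '{lan_if}' exempts {lan} -> {blk}")

    # 2. Split tunnel: with tunnelspecified the LAN network must be in the listed ACL,
    #    or the client never sends LAN traffic into the tunnel.
    if cfg["split_policy"] == "tunnelspecified" and cfg["split_acl"]:
        split = cfg["acls"].get(cfg["split_acl"], [])
        if not any(lan.subnet_of(src) for src, _ in split):
            findings.append(f"split-tunnel: {lan} is not in ACL {cfg['split_acl']}")

    # 3. Overlap: a pool inside the LAN subnet makes LAN hosts ARP for client addresses
    #    instead of routing replies to the ASA.
    if any(blk.overlaps(lan) for blk in pool):
        findings.append(f"overlap: pool {lo}-{hi} lies inside LAN subnet {lan}")
    return findings
```

Run against SAMPLE_CONFIG the nat0 and split-tunnel checks pass, as Wizard says, and the only finding is the overlap of POOL01 with the /16 LAN; moving the pool to a separate subnet and updating the destination of the NAT0-ACL entry to match makes the list come back empty, while moving the pool without touching the ACL produces a nat0 finding for each block of the pool.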
angelo.val
n00b
Posts: 10
Joined: Wed 14 Nov 2007, 12:54 pm

Thanks for the advice Wizard,
as soon as I can I will run the tests you suggested and keep you informed