
ASA5200 VPN dial-in configured successfully, but only one person can log in and use it. Help!
Your brother here is configuring an ASA5200 for the first time.
I followed the wizard completely and the configuration went smoothly. VPN dial-in lands on the 192.168.201 subnet and can log in to manage the servers in the DMZ.
But a second machine can't get in; only one engineer can log in at a time. Ugh.
At first I thought one account could only be used by one person for VPN dial-in, so I set up another account, user1, but it still doesn't work. Help!

: Saved
:
ASA Version 7.0(8)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password xOT3yx8bnwMQQFk0 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 101.182.33.125 255.255.255.192
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 192.168.200.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
object-group service user0 tcp
 port-object range 6060 6066
 port-object range www 90
object-group service user10 tcp
 port-object range 1755 1755
 port-object range 6666 6666
 port-object eq rtsp
 port-object range 2401 2402
 port-object eq www
 port-object range 8080 8081
 port-object eq pop3
 port-object eq smtp
access-list inside_nat0_outbound extended permit ip any host 192.168.100.10
access-list inside_nat0_outbound extended permit ip any host 192.168.100.20
access-list outside_access_in extended permit tcp any host 101.182.33.121 object-group user10
access-list outside_access_in extended permit icmp any host 101.182.33.121
access-list outside_access_in extended permit tcp any host 101.182.33.120 object-group user0
access-list outside_access_in extended permit icmp any host 101.182.33.120
access-list dmz_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list user_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
pager lines 24
logging asdm informational
mtu management 1500
mtu inside 1500
mtu dmz 1500
mtu outside 1500
ip local pool user 192.168.201.100-192.168.201.200 mask 255.255.255.0
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 10 0.0.0.0 0.0.0.0
static (dmz,outside) 101.182.33.121 192.168.100.20 netmask 255.255.255.255 dns
static (dmz,outside) 101.182.33.120 192.168.100.10 netmask 255.255.255.255 dns
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 101.182.33.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy user internal
group-policy user attributes
 dns-server value 202.106.0.20
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value user_splitTunnelAcl
 webvpn
username user0 password QOrwoM79//VQWdhT encrypted privilege 0
username user0 attributes
 vpn-group-policy user
 webvpn
username user1 password fVlD5EL1p97NKS8H encrypted privilege 0
username user1 attributes
 vpn-group-policy user
 webvpn
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.200.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group user type ipsec-ra
tunnel-group user general-attributes
 address-pool user
 default-group-policy user
tunnel-group user ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 management
ssh 192.168.200.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd address 192.168.200.100-192.168.200.200 inside
dhcpd dns 202.106.0.20 159.226.8.6
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
dhcpd enable inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:e9e12784a1b429db7744ffca49582504
: end
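As an added example (not part of the original post and not Cisco's own tooling), the script below runs a small audit over the remote-access IPsec parts of the config posted above. It extracts the settings a defender would check first when only one client can connect at a time: the size of the address pool, whether the group policy sets vpn-simultaneous-logins (the ASA default is 3 when it is absent), whether the pool is covered by a NAT-exemption ACL on an interface, and whether NAT traversal is enabled with isakmp nat-traversal. The NAT-T finding is only an assumption about the poster's situation: it matters when two clients sit behind the same NAT gateway, which the post does not state. The audit also flags the http and ssh lines that admit any source on the outside interface, since an exposed management plane is a separate finding worth raising regardless of the VPN problem. The sample config is the poster's, reduced to the lines the audit reads.

```python
"""Audit a Cisco ASA 7.x running-config for remote-access IPsec settings.

Added example, not from the original post. It parses the config text and
reports settings relevant to "only one VPN client can connect" plus two
management-plane exposures. Assumptions are marked in comments.
"""
import ipaddress
import re

# Constructed sample: the relevant lines of the config posted above.
SAMPLE_CONFIG = """\
ASA Version 7.0(8)
access-list inside_nat0_outbound extended permit ip any host 192.168.100.10
access-list dmz_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.201.0 255.255.255.0
ip local pool user 192.168.201.100-192.168.201.200 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (dmz) 0 access-list dmz_nat0_outbound
group-policy user attributes
 dns-server value 202.106.0.20
 split-tunnel-policy tunnelspecified
http server enable
http 0.0.0.0 0.0.0.0 outside
crypto map outside_map interface outside
isakmp enable outside
tunnel-group user type ipsec-ra
ssh 0.0.0.0 0.0.0.0 outside
"""


def parse_pool(config):
    """Return (network containing the pool, number of addresses) for the first
    'ip local pool' line, or None when there is no pool."""
    m = re.search(r"^ip local pool \S+ (\S+)-(\S+) mask (\S+)", config, re.M)
    if not m:
        return None
    start, end, mask = m.groups()
    size = int(ipaddress.IPv4Address(end)) - int(ipaddress.IPv4Address(start)) + 1
    net = ipaddress.IPv4Network(f"{start}/{mask}", strict=False)
    return net, size


def nat_exempt_interfaces(config, pool_net):
    """Interfaces whose 'nat (if) 0 access-list' ACL has a subnet-to-subnet
    permit whose destination covers the VPN pool (i.e. identity NAT for
    traffic returning to the clients). Entries using 'any'/'host' are
    skipped because they cannot express a pool-wide exemption."""
    exempt = []
    for m in re.finditer(r"^nat \((\S+)\) 0 access-list (\S+)", config, re.M):
        ifname, acl = m.groups()
        pat = rf"^access-list {re.escape(acl)} extended permit ip \S+ \S+ (\S+) (\S+)"
        for a in re.finditer(pat, config, re.M):
            dst, dmask = a.groups()
            try:
                dst_net = ipaddress.IPv4Network(f"{dst}/{dmask}", strict=False)
            except ValueError:  # e.g. '... host 1.2.3.4' shapes
                continue
            if pool_net.subnet_of(dst_net):
                exempt.append(ifname)
                break
    return exempt


def simultaneous_logins(config):
    """Configured vpn-simultaneous-logins, or None when absent (ASA default: 3)."""
    m = re.search(r"^\s*vpn-simultaneous-logins (\d+)", config, re.M)
    return int(m.group(1)) if m else None


def open_management(config):
    """Management services (http/ssh/telnet) allowed from 0.0.0.0/0 on outside."""
    found = re.findall(r"^(http|ssh|telnet) 0\.0\.0\.0 0\.0\.0\.0 outside", config, re.M)
    return sorted(set(found))


def audit(config):
    """Collect the findings as a dict so callers (and tests) can assert on them."""
    pool = parse_pool(config)
    pool_net, pool_size = pool if pool else (None, 0)
    return {
        "pool_size": pool_size,
        # Assumption: on ASA 7.x NAT-T is off unless 'isakmp nat-traversal' is set.
        "nat_traversal": bool(re.search(r"^isakmp nat-traversal", config, re.M)),
        "simultaneous_logins": simultaneous_logins(config),
        "nat_exempt_for_pool": nat_exempt_interfaces(config, pool_net) if pool_net else [],
        "open_management_from_any": open_management(config),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key:26s} {value}")
```

Running it against the posted config reports a 101-address pool, no explicit simultaneous-logins limit, NAT exemption for the pool only on dmz (the inside nat0 ACL uses host entries, so VPN clients reaching inside hosts would be translated), NAT-T absent, and http and ssh open to any source on outside. Pasting a second config in place of SAMPLE_CONFIG lets the same checks run after each change.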