My PIX remote-to-site IPsec VPN configuration:

vpngroup vpnclient address-pool vpnpool
vpngroup vpnclient dns-server 202.96.209.5 202.96.209.133
vpngroup vpnclient split-tunnel vpnclient_splitTunnelAcl
vpngroup vpnclient idle-time 1800
vpngroup vpnclient password ********

The other ACLs are:

access-list vpnclient_splitTunnelAcl line 1 permit ip 192.168.1.0 255.255.255.0 192.168.100.240 255.255.255.240 (hitcnt=0)
access-list no_nat line 2 permit ip 192.168.1.0 255.255.255.0 192.168.100.240 255.255.255.240 (hitcnt=3009)
nat (outside) 0 no_nat

The above is the configuration of a remote-to-site VPN that works.

With vpngroup ***** split-tunnel vpnclient-splittunnelacl configured, by rights the VPN client's traffic to the internal network should be matched against the vpnclient_splitTunnelAcl access list;
but in practice it is still the no_nat access list that gets the hits!

Could an expert explain why?