My PIX VPN remote-to-site IPsec configuration!

vpngroup vpnclient address-pool vpnpool
vpngroup vpnclient dns-server 202.96.209.5 202.96.209.133
vpngroup vpnclient split-tunnel vpnclient_splitTunnelAcl
vpngroup vpnclient idle-time 1800
vpngroup vpnclient password ********

The other ACLs are:
access-list vpnclient_splitTunnelAcl line 1 permit ip 192.168.1.0 255.255.255.0 192.168.100.240 255.255.255.240 (hitcnt=0)

access-list no_nat line 2 permit ip 192.168.1.0 255.255.255.0 192.168.100.240 255.255.255.240 (hitcnt=3009)

nat (outside) 0 no_nat

The above is the configuration that the remote-to-site VPN uses!
With vpngroup ***** split-tunnel vpnclient-splittunnelacl in place, in theory the VPN client's traffic to the internal network should go through the vpnclient_splitTunnelAcl access list;
but in practice it still goes through the no_nat access list!

Could an expert please explain why?