
Device: PIX 515E (requesting that this thread be featured)
inside connects to the 192 internal network, outside connects to the external network, and e2 connects to the 10 private network.
The problem is that after dialing in with the VPN client, I can reach the 192 internal segment but not the 10 segment (note: the 192 internal segment can reach the 10 segment normally). Adding a static still doesn't help. Could the experts here help me find the cause? Thanks!
Personally, I think the problem may be that the VPN dial-in has no gateway, but I'm not sure. If so, how do I configure a gateway for the VPN? Thanks!
The configuration is as follows:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security99
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password rEDUoAN/yFojuZRu encrypted
passwd 75UYEXo172hNDVOX encrypted
hostname zhongchuang
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list vpn permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list vpn permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.255.0
access-list intf2 permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 221.181.162.210 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
ip address intf2 10.35.152.141 255.255.255.128
ip address intf3 127.0.0.1 255.255.255.255
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool gmvpn 172.16.0.10-172.16.0.50
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (intf2) 1 interface
nat (inside) 0 access-list vpn
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (intf2,inside) 192.168.0.101 10.40.10.68 netmask 255.255.255.255 0 0
static (intf2,inside) 192.168.0.102 10.32.184.54 netmask 255.255.255.255 0 0
access-group intf2 in interface intf2
route outside 0.0.0.0 0.0.0.0 221.181.162.1 1
route intf2 10.0.0.0 255.0.0.0 10.35.152.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set yzgmvpn esp-des esp-md5-hmac
crypto dynamic-map chinayz 10 set transform-set yzgmvpn
crypto map yzgm 20 ipsec-isakmp dynamic chinayz
crypto map yzgm client authentication LOCAL
crypto map yzgm interface outside
isakmp enable outside
isakmp nat-traversal 100
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup gmvpn address-pool gmvpn
vpngroup gmvpn split-tunnel vpn
vpngroup gmvpn idle-time 1800
vpngroup gmvpn password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.10-192.168.0.50 inside
dhcpd dns 221.131.143.69 112.4.0.55
dhcpd lease 360000
dhcpd ping_timeout 750
dhcpd enable inside
username zhongchuang015 password srI6zKtqf4nHu9Ma encrypted privilege 2
username zhongchuang014 password 8dk7oqbV5dIBXx6e encrypted privilege 2
username zhongchuang013 password rhi1utB5GXFuuJ6m encrypted privilege 2
username zhongchuang012 password bpQGsC6PBE/uelSQ encrypted privilege 2
username zhongchuang011 password wGg46la7QfoEN3HK encrypted privilege 2
terminal width 80
Cryptochecksum:a915cbf2b6f8fedb476a02c0fe658c5c
: end
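As an added diagnostic (not part of the original post), the script below parses the relevant lines of the PIX 6.3 config above and checks, for each subnet in the split-tunnel ACL, whether a nat 0 exemption on the interface that hosts it covers traffic between that subnet and the whole VPN pool. It assumes the PIX 6.3 rule that traffic crossing two interfaces needs a translation (nat 0 or static) before a connection is built, and it simplifies interface selection to a longest-prefix match; the config excerpt inside is constructed from the post, and all function and variable names are mine.

```python
import ipaddress

# Constructed excerpt of the PIX 6.3 config posted above (only the lines this check needs).
PIX_CONFIG = """
ip address inside 192.168.0.1 255.255.255.0
ip address intf2 10.35.152.141 255.255.255.128
access-list vpn permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list vpn permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.255.0
ip local pool gmvpn 172.16.0.10-172.16.0.50
nat (inside) 0 access-list vpn
route intf2 10.0.0.0 255.0.0.0 10.35.152.129 1
vpngroup gmvpn split-tunnel vpn
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(cfg):
    """Collect ACL entries, subnets reachable per interface, nat 0 exemptions, pool and split ACL."""
    acls, routes, nat0, pool, split_acl = {}, [], {}, None, None
    for line in cfg.strip().splitlines():
        t = line.split()
        if t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            acls.setdefault(t[1], []).append((net(t[4], t[5]), net(t[6], t[7])))
        elif t[:2] == ["ip", "address"]:      # directly connected subnet
            routes.append((t[2], net(t[3], t[4])))
        elif t[0] == "route":                 # static route out of that interface
            routes.append((t[1], net(t[2], t[3])))
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            nat0[t[1].strip("()")] = t[4]
        elif t[:3] == ["ip", "local", "pool"]:
            pool = tuple(ipaddress.ip_address(a) for a in t[4].split("-"))
        elif t[0] == "vpngroup" and t[2] == "split-tunnel":
            split_acl = t[3]
    return acls, routes, nat0, pool, split_acl

def egress_interface(dst, routes):
    """Longest-prefix match over connected subnets and static routes (simplified lookup)."""
    best = max((r for r in routes if dst.subnet_of(r[1])), key=lambda r: r[1].prefixlen, default=None)
    return best[0] if best else None

def audit(cfg=PIX_CONFIG):
    """Per split-tunnel subnet: its interface and whether a nat 0 ACL there exempts pool traffic."""
    acls, routes, nat0, pool, split_acl = parse(cfg)
    findings = []
    for src, dst in acls[split_acl]:
        if not (pool[0] in dst and pool[1] in dst):
            continue  # entry is not about VPN-client traffic
        iface = egress_interface(src, routes)
        exempt = any(src.subnet_of(s) and pool[0] in d and pool[1] in d
                     for s, d in acls.get(nat0.get(iface, ""), []))
        findings.append((iface, str(src), exempt))
    return findings
```

On the posted config the 10.0.0.0/8 entry resolves to intf2, where no nat 0 access-list exists, so that is the first thing to verify; the hosts on the 10 network also need a return route for 172.16.0.0/24 pointing back at the firewall's intf2 address.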