
Device: PIX 515E (requesting that this thread be featured)
inside connects to the 192 internal network, outside to the Internet, and e2 to the 10.x private (leased-line) network;
The problem: after dialing in with the VPN client, I can reach the 192 internal segment but not the 10 segment (note: the 192 internal segment can reach the 10 segment normally). Adding a static did not help either. Could the experts here please help me find the cause? Thanks!
Personally I think the problem may be that the VPN dial-in has no gateway, but I am not sure. If so, how do I configure an additional gateway for the VPN? Thanks!
The configuration is as follows:
PIX Version 6.3(5)125
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security99
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password rEDUoAN/yFojuZRu encrypted
passwd 75UYEXo172hNDVOX encrypted
hostname zhongchuang
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list vpn permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list vpn permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.255.0
access-list intf2 permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 221.181.162.210 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
ip address intf2 10.35.152.141 255.255.255.128
ip address intf3 127.0.0.1 255.255.255.255
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool gmvpn 172.16.0.10-172.16.0.50
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (intf2) 1 interface
nat (inside) 0 access-list vpn
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (intf2,inside) 192.168.0.101 10.40.10.68 netmask 255.255.255.255 0 0
static (intf2,inside) 192.168.0.102 10.32.184.54 netmask 255.255.255.255 0 0
access-group intf2 in interface intf2
route outside 0.0.0.0 0.0.0.0 221.181.162.1 1
route intf2 10.0.0.0 255.0.0.0 10.35.152.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set yzgmvpn esp-des esp-md5-hmac
crypto dynamic-map chinayz 10 set transform-set yzgmvpn
crypto map yzgm 20 ipsec-isakmp dynamic chinayz
crypto map yzgm client authentication LOCAL
crypto map yzgm interface outside
isakmp enable outside
isakmp nat-traversal 100
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup gmvpn address-pool gmvpn
vpngroup gmvpn split-tunnel vpn
vpngroup gmvpn idle-time 1800
vpngroup gmvpn password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.10-192.168.0.50 inside
dhcpd dns 221.131.143.69 112.4.0.55
dhcpd lease 360000
dhcpd ping_timeout 750
dhcpd enable inside
username zhongchuang015 password srI6zKtqf4nHu9Ma encrypted privilege 2
username zhongchuang014 password 8dk7oqbV5dIBXx6e encrypted privilege 2
username zhongchuang013 password rhi1utB5GXFuuJ6m encrypted privilege 2
username zhongchuang012 password bpQGsC6PBE/uelSQ encrypted privilege 2
username zhongchuang011 password wGg46la7QfoEN3HK encrypted privilege 2
terminal width 80
Cryptochecksum:a915cbf2b6f8fedb476a02c0fe658c5c
: end
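As an added example (not from the original post), the translation the intf2 side is missing, read off the posted config: `nat (inside) 0 access-list vpn` exempts inside-to-pool traffic, which is why 192.168.0.0/24 works, but nothing equivalent exists for intf2, so pool-to-10.x traffic entering from the lower-security outside interface has no translation and PIX 6.3 drops it. The ACL name vpn_intf2 is hypothetical, and this assumes the 10.x network routes 172.16.0.0/24 back to 10.35.152.141.

```cisco
! Added example, not part of the posted config. PIX 6.3 syntax as used above.
! Assumption: the 10.x side has a route for 172.16.0.0/24 via 10.35.152.141,
! because these lines do not PAT the VPN clients, unlike the inside hosts,
! which reach 10.x through "global (intf2) 1 interface".
!
! The two existing "static (intf2,inside)" lines only publish 10.40.10.68 and
! 10.32.184.54 toward inside; they do nothing for clients arriving on outside.
!
! Identity exemption on the higher-security interface (intf2, security99) for
! traffic between the 10/8 network and the gmvpn pool. ACL name is hypothetical.
access-list vpn_intf2 permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.255.0
nat (intf2) 0 access-list vpn_intf2
!
! Equivalent alternative instead of the two lines above: an identity static
! that exposes the real 10/8 addresses to the outside side of the firewall.
! static (intf2,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
!
! Checks from a connected client, with "logging buffered errors" enabled:
!   show xlate   -> no PAT entry should appear for the client's 172.16.0.x address
!   show conn    -> outside<->intf2 flows for the client should be listed
!   show logging -> 305005 "No translation group found" for outside:172.16.0.x
!                   means the exemption is still not matching the flow
```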