khanharinc
27-07-2008, 10:08 AM
I haven't taken SNPA yet, but the company has an ASA 5510 and wants me to configure the 5510 as a VPN server so remote VPN clients can reach 2 machines in the LAN.
- The first machine should only let VPN clients ping it and use the application on port xxxx.
- The second machine should only let VPN clients ping it and use the application on port yyyy.
1. But sometimes the VPN client can get in and sometimes it can't?????
2. The VPN was configured with ASDM; clients connect fine and are assigned an IP from the IP range in the LAN.
3. But the VPN clients CANNOT reach the applications on the 2 workstations in the LAN.
4. The VPN client can't ping the machines in the same LAN????
Please advise, since I'm only an amateur and this is my first time touching an ASA.
Many thanks, everyone. :X
The topology is as follows:
LAN_Inside<----->e0/0(ASA)e0/1 with StaticIP ADSL<----> Gateway ADSL Modem_Outside
LAN_Inside: e0/0: 172.17.79.0/24
MODEM_Outside e0/1: 222.333.444.555 255.255.255.240 ---> GW: 222.333.444.556
The 2 workstations are:
+ WS1: 172.17.79.51 running the application on PORT xxxx
+ WS2: 172.17.79.52 running the application on PORT yyyy
IP range to assign to VPN clients: 172.17.79.71-172.17.79.75 mask 255.255.255.0
I configured it with ASDM as follows:
sh run
: Saved
:
ASA Version 7.0(7)
!
hostname MySite1VNP1
domain-name MySite.COM
enable password nv/cQTGLt8u3pAbh encrypted
names
dns-guard
!
interface Ethernet0/0
speed 100
duplex full
nameif LAN_Inside
security-level 100
ip address 172.17.79.70 255.255.255.0
!
interface Ethernet0/1
speed 100
duplex full
nameif MODEM_Outside
security-level 0
ip address 222.333.444.555 255.255.255.240
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list LAN_Inside_nat0_outbound_V1 extended permit ip any 172.17.79.64 255.255.255.240 <-- ASDM added this line by itself; the workstations are in the same subnet as the IP range assigned to the VPN clients.
==> I don't know what it does or whether it has any effect on permitting ports xxxx and yyyy??????
access-list 103 extended permit icmp host 172.17.79.70 host 172.17.79.52
access-list vpn1_splitTunnelAcl standard permit 172.17.79.0 255.255.255.0
pager lines 24
logging asdm informational
mtu management 1500
mtu LAN_Inside 1500
mtu MODEM_Outside 1500
ip local pool VPN_POOL 172.17.79.71-172.17.79.75 mask 255.255.255.0
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
nat (LAN_Inside) 0 access-list LAN_Inside_nat0_outbound_V1
route MODEM_Outside 0.0.0.0 0.0.0.0 222.333.444.556 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy vpn1 internal
group-policy vpn1 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn1_splitTunnelAcl
webvpn
username musadmin password BBnv/hAgbZO4Z2Mt encrypted privilege 15
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 222.253.0.0 255.255.0.0 MODEM_Outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map MODEM_Outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map MODEM_Outside_map 65535 ipsec-isakmp dynamic MODEM_Outside_dyn_map
crypto map MODEM_Outside_map interface MODEM_Outside
isakmp enable MODEM_Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group vpn1 type ipsec-ra
tunnel-group vpn1 general-attributes
address-pool VPN_POOL
default-group-policy vpn1
tunnel-group vpn1 ipsec-attributes
pre-shared-key *
telnet 0.0.0.0 0.0.0.0 MODEM_Outside
telnet timeout 5
ssh 203.0.0.0 255.0.0.0 MODEM_Outside
ssh 210.0.0.0 255.0.0.0 MODEM_Outside
ssh 58.0.0.0 255.0.0.0 MODEM_Outside
ssh 222.0.0.0 255.0.0.0 MODEM_Outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:4919856b73ba5b64d7e7632c2d5ddbd0
: end
MySite1VNP1# sh ip
System IP Addresses:
Interface Name IP address Subnet mask Method
Ethernet0/0 LAN_Inside 172.17.79.70 255.255.255.0 manual
Ethernet0/1 MODEM_Outside 222.333.444.555 255.255.255.240 manual
Management0/0 management 192.168.1.1 255.255.255.0 manual
Current IP Addresses:
Interface Name IP address Subnet mask Method
Ethernet0/0 LAN_Inside 172.17.79.70 255.255.255.0 manual
Ethernet0/1 MODEM_Outside 222.333.444.555 255.255.255.240 manual
Management0/0 management 192.168.1.1 255.255.255.0 manual
MySite1VNP1# sh inter
MySite1VNP1# sh interface
Interface Ethernet0/0 "LAN_Inside", is up, line protocol is up
Hardware is i82546GB rev03, BW 100 Mbps
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
MAC address 001d.459f.d0ae, MTU 1500
IP address 172.17.79.70, subnet mask 255.255.255.0
517265 packets input, 534624079 bytes, 258 no buffer
Received 493403 broadcasts, 0 runts, 0 giants
0 input errors, 30 CRC, 0 frame, 5037 overrun, 30 ignored, 0 abort
1509 L2 decode drops
27910 packets output, 2450918 bytes, 0 underruns
0 output errors, 0 collisions, 3 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (curr/max packets): hardware (5/33)
output queue (curr/max packets): hardware (0/3)
Traffic Statistics for "LAN_Inside":
187295 packets input, 191026428 bytes
10351 packets output, 757869 bytes
149031 packets dropped
1 minute input rate 2 pkts/sec, 3052 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 2 pkts/sec
5 minute input rate 2 pkts/sec, 3053 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 2 pkts/sec
Interface Ethernet0/1 "MODEM_Outside", is up, line protocol is up
Hardware is i82546GB rev03, BW 100 Mbps
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
MAC address 001d.459f.d0af, MTU 1500
IP address 222.333.444.555, subnet mask 255.255.255.240
74745 packets input, 9341527 bytes, 0 no buffer
Received 26789 broadcasts, 0 runts, 0 giants
0 input errors, 12 CRC, 0 frame, 0 overrun, 12 ignored, 0 abort
244 L2 decode drops
54221 packets output, 28874737 bytes, 0 underruns
0 output errors, 0 collisions, 6 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (curr/max packets): hardware (0/33)
output queue (curr/max packets): hardware (0/6)
Traffic Statistics for "MODEM_Outside":
43632 packets input, 4151798 bytes
41832 packets output, 18669557 bytes
3588 packets dropped
1 minute input rate 3 pkts/sec, 262 bytes/sec
1 minute output rate 3 pkts/sec, 311 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 2 pkts/sec, 233 bytes/sec
5 minute output rate 3 pkts/sec, 308 bytes/sec
5 minute drop rate, 0 pkts/sec
MySite1VNP1# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list LAN_Inside_nat0_outbound_V1; 1 elements
access-list LAN_Inside_nat0_outbound_V1 line 1 extended permit ip any 172.17.79.64 255.255.255.240 (hitcnt=0)
access-list 103; 1 elements
access-list 103 line 1 extended permit icmp host 172.17.79.70 host 172.17.79.52 (hitcnt=0)
access-list vpn1_splitTunnelAcl; 1 elements
access-list vpn1_splitTunnelAcl line 1 standard permit 172.17.79.0 255.255.255.0 (hitcnt=0)
Please help me out, vnpro folks.
Many thanks. ^_^
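As an added example (not part of the original post), a small Python audit of the posted running-config: it checks whether the VPN pool lies inside the LAN_Inside subnet (the ASA then has to answer ARP for those addresses on the inside interface), whether the nat 0 ACL that ASDM added covers the pool (it exempts LAN-to-client traffic from NAT and opens no ports), and which management-access lines on MODEM_Outside accept sources wider than /24. The function names and the /24 threshold are my choices; the config excerpt is copied from the post with the obfuscated public address left out.

```python
import ipaddress
import re
# Constructed excerpt of the posted "sh run"; the obfuscated public address is left out.
CONFIG = """\
interface Ethernet0/0
nameif LAN_Inside
ip address 172.17.79.70 255.255.255.0
access-list LAN_Inside_nat0_outbound_V1 extended permit ip any 172.17.79.64 255.255.255.240
ip local pool VPN_POOL 172.17.79.71-172.17.79.75 mask 255.255.255.0
nat (LAN_Inside) 0 access-list LAN_Inside_nat0_outbound_V1
telnet 0.0.0.0 0.0.0.0 MODEM_Outside
ssh 222.0.0.0 255.0.0.0 MODEM_Outside
"""

def parse_interfaces(cfg):
    """Map nameif -> IPv4Interface; in ASA blocks 'nameif' precedes 'ip address'."""
    ifaces, name = {}, None
    for tok in (line.split() for line in cfg.splitlines()):
        if tok[:1] == ["nameif"]:
            name = tok[1]
        elif tok[:2] == ["ip", "address"] and name:
            ifaces[name] = ipaddress.IPv4Interface(f"{tok[2]}/{tok[3]}")
    return ifaces

def parse_pool(cfg):
    """First and last address of the 'ip local pool' line."""
    m = re.search(r"^ip local pool \S+ (\S+)-(\S+)", cfg, re.M)
    return ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2))

def pool_inside_lan(cfg, inside="LAN_Inside"):
    """Pool within the LAN subnet: the ASA must then answer ARP for it on the inside."""
    net = parse_interfaces(cfg)[inside].network
    return all(a in net for a in parse_pool(cfg))

def nat_exemption_covers_pool(cfg):
    """nat 0 ACL (the line ASDM added) exempts LAN -> pool traffic from NAT; opens no ports."""
    acl = re.search(r"^nat \(\S+\) 0 access-list (\S+)", cfg, re.M).group(1)
    m = re.search(rf"^access-list {acl} extended permit ip \S+ (\S+) (\S+)", cfg, re.M)
    dst = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}")
    return all(a in dst for a in parse_pool(cfg))

def open_mgmt_access(cfg, outside="MODEM_Outside", max_prefix=24):
    """Outside telnet/ssh/http entries whose allowed source is wider than /max_prefix."""
    hits = []
    for proto, ip, mask, iface in re.findall(r"^(telnet|ssh|http) (\S+) (\S+) (\S+)$", cfg, re.M):
        net = ipaddress.IPv4Network(f"{ip}/{mask}")
        if iface == outside and net.prefixlen < max_prefix:
            hits.append(f"{proto} {net} {iface}")
    return hits
```

Run against the posted config it reports the pool overlapping the LAN subnet, the nat 0 exemption covering the pool, and telnet open from 0.0.0.0/0 on the outside interface.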