Tweet
Mình có sơ đồ mạng như sau :
Phần modem draytek mình đã Open các port và trỏ về địa chỉ 192.168.100.101 : TCP 3389, UDP : 500, UDP: 4500. Nhưng vẫn không thể quay vpn về được !
Không biết còn thiếu sót gì không? :((
Phần cấu hình ASA mình post lên các bạn xem giúp với.
ASA Version 8.4(2)
!
hostname ASATDT
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
description ### KET NOI TOI LAN ###
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
description ### KET NOI TOI INTERNET ###
nameif outside
security-level 0
ip address 192.168.100.100 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.10.10.1 255.255.255.0
management-only
!
ftp mode passive
object network TDT_ANY
subnet 0.0.0.0 0.0.0.0
object network HOST_SVR03
host 192.168.1.3
object network HOST_WAN
host 192.168.100.101
object service RDP_IN
service tcp source eq 3389
object service RDP_OUT
service tcp source eq 3389
object service Out_In
service tcp
object network CAM200
host 192.168.1.200
object network CAM201
host 192.168.1.201
object network CAM202
host 192.168.1.202
object service CAM200_IN
service tcp source eq 8000
object service CAM200_OUT
service tcp source eq 8000
object service CAM201_IN
service tcp source eq 8001
object service CAM201_OUT
service tcp source eq 8001
object service CAM202_IN
service tcp source eq 8002
object service CAM202_OUT
service tcp source eq 8002
access-list 1 extended permit ip 192.168.1.0 255.255.255.0 any
access-list Out_In_ACL extended permit tcp any object CAM201 eq 8001
access-list Out_In_ACL extended permit tcp any object CAM200 eq 8000
access-list Out_In_ACL extended permit tcp any object CAM202 eq 8002
access-list Out_In_ACL extended permit tcp any object HOST_SVR03 eq 3389
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
ip local pool VPN_POOL 192.168.2.10-192.168.2.100
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
nat (any,any) source static HOST_SVR03 HOST_WAN service RDP_IN RDP_OUT
nat (any,any) source static CAM200 HOST_WAN service CAM200_IN CAM200_OUT
nat (any,any) source static CAM201 HOST_WAN service CAM201_IN CAM201_OUT
nat (any,any) source static CAM202 HOST_WAN service CAM202_IN CAM202_OUT
!
object network TDT_ANY
nat (inside,outside) dynamic interface
access-group 1 in interface inside
access-group Out_In_ACL in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.100.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.10.10.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set MY_SET esp-3des esp-sha-hmac
crypto dynamic-map DYN_MAP 1 set ikev1 transform-set MY_SET
crypto dynamic-map DYN_MAP 1 set reverse-route
crypto map MY_MAP 1 ipsec-isakmp dynamic DYN_MAP
crypto map MY_MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.100.0 255.255.255.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
vpdn username truongchinhtri-lxn password ***** store-local
dhcpd dns 203.162.4.190 203.162.4.191
dhcpd lease 172800
!
dhcpd address 192.168.1.40-192.168.1.199 inside
dhcpd enable inside
!
dhcpd address 10.10.10.2-10.10.10.10 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password f3UhLvUj1QsXsuK7 encrypted privilege 15
username user1 password TTNKHqfM6YyTcEzA encrypted
tunnel-group VPN_TUNNEL type remote-access
tunnel-group VPN_TUNNEL general-attributes
address-pool VPN_POOL
tunnel-group VPN_TUNNEL ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:7c6eedd6e40e7cb11d13d795f2784450
: end
Phần modem draytek mình đã Open các port và trỏ về địa chỉ 192.168.100.101 : TCP 3389, UDP : 500, UDP: 4500. Nhưng vẫn không thể quay vpn về được !
Không biết còn thiếu sót gì không? :((
Phần cấu hình ASA mình post lên các bạn xem giúp với.
ASA Version 8.4(2)
!
hostname ASATDT
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
description ### KET NOI TOI LAN ###
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
description ### KET NOI TOI INTERNET ###
nameif outside
security-level 0
ip address 192.168.100.100 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.10.10.1 255.255.255.0
management-only
!
ftp mode passive
object network TDT_ANY
subnet 0.0.0.0 0.0.0.0
object network HOST_SVR03
host 192.168.1.3
object network HOST_WAN
host 192.168.100.101
object service RDP_IN
service tcp source eq 3389
object service RDP_OUT
service tcp source eq 3389
object service Out_In
service tcp
object network CAM200
host 192.168.1.200
object network CAM201
host 192.168.1.201
object network CAM202
host 192.168.1.202
object service CAM200_IN
service tcp source eq 8000
object service CAM200_OUT
service tcp source eq 8000
object service CAM201_IN
service tcp source eq 8001
object service CAM201_OUT
service tcp source eq 8001
object service CAM202_IN
service tcp source eq 8002
object service CAM202_OUT
service tcp source eq 8002
access-list 1 extended permit ip 192.168.1.0 255.255.255.0 any
access-list Out_In_ACL extended permit tcp any object CAM201 eq 8001
access-list Out_In_ACL extended permit tcp any object CAM200 eq 8000
access-list Out_In_ACL extended permit tcp any object CAM202 eq 8002
access-list Out_In_ACL extended permit tcp any object HOST_SVR03 eq 3389
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
ip local pool VPN_POOL 192.168.2.10-192.168.2.100
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
nat (any,any) source static HOST_SVR03 HOST_WAN service RDP_IN RDP_OUT
nat (any,any) source static CAM200 HOST_WAN service CAM200_IN CAM200_OUT
nat (any,any) source static CAM201 HOST_WAN service CAM201_IN CAM201_OUT
nat (any,any) source static CAM202 HOST_WAN service CAM202_IN CAM202_OUT
!
object network TDT_ANY
nat (inside,outside) dynamic interface
access-group 1 in interface inside
access-group Out_In_ACL in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.100.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.10.10.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set MY_SET esp-3des esp-sha-hmac
crypto dynamic-map DYN_MAP 1 set ikev1 transform-set MY_SET
crypto dynamic-map DYN_MAP 1 set reverse-route
crypto map MY_MAP 1 ipsec-isakmp dynamic DYN_MAP
crypto map MY_MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.100.0 255.255.255.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
vpdn username truongchinhtri-lxn password ***** store-local
dhcpd dns 203.162.4.190 203.162.4.191
dhcpd lease 172800
!
dhcpd address 192.168.1.40-192.168.1.199 inside
dhcpd enable inside
!
dhcpd address 10.10.10.2-10.10.10.10 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password f3UhLvUj1QsXsuK7 encrypted privilege 15
username user1 password TTNKHqfM6YyTcEzA encrypted
tunnel-group VPN_TUNNEL type remote-access
tunnel-group VPN_TUNNEL general-attributes
address-pool VPN_POOL
tunnel-group VPN_TUNNEL ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:7c6eedd6e40e7cb11d13d795f2784450
: end
Comment