Problem connecting to the clientless VPN portal on a Cisco ASA 5505

network-engineering cisco cisco-asa vpn troubleshooting
2022-02-24 23:36:14

Just started a job where they want us to repurpose an unused local network and create a WebVPN portal to allow web access to it. We have tried everything and looked everywhere, and can't seem to figure out what we are doing wrong.

So here is what is happening: if I try to navigate to the WebVPN page on the local machine, nothing happens and the request times out. Looking at Wireshark and at a packet capture on the ASA, I see the HTTPS SYN packet go through, it is not being blocked, but nothing happens and then the request times out at 30 seconds. I don't see any SYN-ACK anywhere.

If I configure the ASA to allow my remote computer's address HTTP access to the ASA itself, and I go to that address, it shows the page for downloading the ASDM software instead of the WebVPN portal. So it doesn't seem to be any kind of routing problem.

If I am on a machine connected to the internal network and enter the internal network gateway's address in a web browser, it takes me to the VPN portal. We tried adding a NAT rule to redirect outside traffic to the internal network gateway, and the NAT rule appears to be working, but we hit the same request-timeout problem.

Here is the output of show run:

#  Used addresses:
#   <outside interface> - IP address of ASA's outside interface
#   <internal network>  - The network for the internal vlan, also named CILInternal
#   <internal gateway>  - The gateway addresses for machines on the internal vlan
#   <various address>   - Any address that is still part of the configuration that I don't
#                 believe is in use or does not seem relevant to this issue
#   <remote address>    - The address of my remote computer I want to connect to the SSL WebVPN

# Anything labeled VM is a legacy network that is not currently connected


cilasa# sh run
: Saved
:
ASA Version 9.1(5)
!
hostname cilasa
domain-name CIL.local
enable password <asa password>
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd <passwd> encrypted
names
name <various address> CILInternal
name <various address> DMZ_WebServer
name <various address> Outside
name <various address> Management
name <various address> PPTPUser description PPTPUser1-55 (User's VPN)
name <various address> SSTPPool
name <various address> A2008R2_51
name <various address> SSTPAdmPool description Admin SSTP IP Pool
name <various address> SSTP1 description SSTP1-3 (VPN)
name <various address> SSTPAdmInt description Internal Interface for Admin SSTP
name <various address> User51 description User51 VM access to the Internet
name <various address> User52 description User52 VM access to the Internet
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 12
 shutdown
!
interface Ethernet0/3
 switchport access vlan 12
!
interface Ethernet0/4
 switchport access vlan 12
 shutdown
!
interface Ethernet0/5
 switchport access vlan 22
 switchport trunk allowed vlan 22,51-56
 switchport trunk native vlan 51
!
interface Ethernet0/6
 switchport access vlan 12
!
interface Ethernet0/7
 switchport access vlan 12
!
interface Vlan1
 management-only
 nameif inside
 security-level 100
 ip address <default address> 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address <outside network> 255.255.255.240
!
interface Vlan12
 nameif CILInternal
 security-level 10
 ip address <internal gateway> 255.255.255.0
!
interface Vlan22   #Legacy vlan
 nameif VM
 security-level 10
 ip address <various address> 255.255.248.0
!
boot system disk0:/asa915-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup CILInternal
dns server-group DefaultDNS
 name-server <various address>
 name-server 75.75.76.76
 name-server 8.8.8.8
 name-server 4.2.2.2
 domain-name CIL.local
same-security-traffic permit intra-interface
object network User51  #Legacy I think
 subnet <various address> 255.255.255.248
 description Created during name migration
object network User52 #Legacy I think
 subnet <various address> 255.255.255.248
 description Created during name migration
object network SSTPAdmPool #Legacy I think
 subnet <various address> 255.255.255.0
object network SSTP1 #legacy I think
 host <various address>
object network CILInternal
 subnet <internal network> 255.255.255.0
object network PPTPUser #legacy
 host <various address>
object network SSTPPool #legacy
 subnet <various address> 255.255.255.0
object network VM #legacy
 subnet <various address> 255.255.248.0
 description VM Machines
object network NAVWEB-DMZ #legacy
 host <various address>
 description Time and Expense Web Portal
object network internal_gateway
 host <internal gateway>
 description Gateway for the internal network
object network ssl_vpn
 host <internal gateway>
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service RDP tcp
 port-object eq <some port>
object-group service AdminPPTP tcp
 port-object eq <some other port>
object-group network UserAccess
 description User VM access to the Internet
 network-object object User51
 network-object object User52
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object tcp
object-group service DM_INLINE_SERVICE_1
 service-object tcp
 service-object tcp destination eq https
 service-object tcp destination eq www
object-group service DM_INLINE_SERVICE_2
 service-object icmp
 service-object tcp
 service-object tcp destination eq https
object-group service DM_INLINE_SERVICE_4
 service-object ip
 service-object tcp
 service-object tcp destination eq https

#--------------------------------------
#       Access List Config
#--------------------------------------

# Note:  Rules like "any any ip permit" are just temporary
# for diagnostics, this network is not currently
# operational



access-list acl-out extended permit tcp any4 object PPTPUser eq pptp
access-list acl-out extended permit tcp any4 interface outside eq https
access-list acl-out extended permit tcp any interface outside eq https
access-list acl-out extended permit tcp interface outside interface outside eq https
access-list acl-out extended permit ip any interface outside
access-list acl-out extended permit object-group TCPUDP interface outside interface inside eq www
access-list acl-out extended permit tcp interface outside interface inside eq ssh
access-list acl-out extended permit ip any any
access-list acl-out extended permit tcp interface outside interface outside eq www
access-list acl-out extended permit tcp any4 interface outside
access-list acl-out extended permit tcp any interface outside eq ssh
access-list acl-out extended permit tcp any any eq ssh
access-list test_acl extended permit ip any4 any4
access-list outside_access_out extended permit object-group DM_INLINE_PROTOCOL_1 object CILInternal any
access-list outside_access_out extended permit udp object CILInternal any eq domain
access-list outside_access_out extended permit icmp object CILInternal any
access-list outside_access_out extended permit tcp any interface outside eq https
access-list outside_access_out extended permit object-group DM_INLINE_SERVICE_2 host <remote address> any
access-list ACL_IN extended permit ip any4 any4
access-list ACL_IN extended permit object-group DM_INLINE_SERVICE_1 any interface outside


#--------------------------------------
#       End Access List Config
#--------------------------------------



pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu CILInternal 1500
mtu VM 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
asdm history enable
arp timeout 14400
arp permit-nonconnected
nat (outside,outside) source static any any destination static interface ssl_vpn net-to-net
nat (outside,outside) source static any any destination static interface internal_gateway net-to-net no-proxy-arp
nat (CILInternal,outside) source static any interface no-proxy-arp
nat (outside,CILInternal) source static any any destination static internal_gateway internal_gateway
!
object network CILInternal
 nat (CILInternal,outside) dynamic interface
object network SSTPPool
 nat (VM,VM) static SSTPPool no-proxy-arp route-lookup service tcp 3389 3389
object network VM
 nat (VM,outside) dynamic interface
access-group outside_access_out out interface outside
!
router rip
 passive-interface default
 version 2
!
route outside 0.0.0.0 0.0.0.0 173.166.135.206 1
route VM SSTPPool 255.255.255.0 PPTPUser 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http Management 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt connection tcpmss 0
service resetinbound interface outside
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside

dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5 des-sha1 null-sha1

#------------------------------
#        WebVPN Config
#------------------------------
webvpn
 enable outside
 enable CILInternal
 tunnel-group-list enable
 internal-password enable
group-policy sslvpngp1 internal
group-policy sslvpngp1 attributes
 vpn-tunnel-protocol l2tp-ipsec
 webvpn
  url-list value webaccess
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
 webvpn
  url-list value Test_bookmark_list
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ssl-clientless
username test_user password <password> encrypted privilege 0
username test_user attributes
 vpn-group-policy DfltGrpPolicy
username spu password <password> encrypted privilege 0
username spu attributes
 vpn-group-policy sslvpngp1
username <username> password <password>. encrypted
username <username> attributes
 group-lock value VDTG_test
tunnel-group VDTG_test type remote-access
tunnel-group VDTG_test general-attributes
 default-group-policy GroupPolicy1
tunnel-group VDTG_test webvpn-attributes
 group-alias Interns enable
 group-url https://<machine on local network> enable
!

#-----------------------------
#       End VPN Stuff
#-----------------------------


class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
  inspect icmp
policy-map CONNS
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:020ed7a25844649339d817e33242d316
: end

Any help would be greatly appreciated.

Edit: It is also worth noting that machines on the internal network do have internet access.

Edit: When trying to access the VPN, the logs show repeated "Built tcp connection..." and "Teardown tcp...0 SYN Timeout" messages. Currently we have a NAT rule forwarding all traffic arriving on the outside interface to the internal gateway address, and we have access-list rules allowing all traffic to the internal gateway over HTTPS. The logs show the packets' destination is the internal gateway and port 443.

Edit: The company just had one of our experts come in and redo the whole configuration while we weren't there. So it works now, but unfortunately I don't know what the solution was.
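The "Built ... / Teardown ... SYN Timeout" pattern in the last edit is the most concrete evidence in the post: an ASA logs 302013 when it accepts a SYN and builds the connection, and 302014 with reason "SYN Timeout" and 0 bytes when the three-way handshake never completed within the embryonic timeout (30 seconds by default), i.e. the SYN was forwarded but no SYN-ACK ever came back through the box. The script below is an added example, not code from the post or from Cisco: it correlates those two message types by connection id, pulls out every zero-byte SYN timeout toward a chosen destination port, and counts repeats per destination interface and address, which is the first thing to check before touching NAT or ACLs. The log lines are constructed in the 302013/302014 format with RFC 5737 documentation addresses in place of the asker's redacted ones.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the post) in the ASA formats
# %ASA-6-302013 (Built ... TCP connection) and %ASA-6-302014 (Teardown TCP
# connection). 192.0.2.1 stands in for <internal gateway>, 203.0.113.10 for
# <remote address>; connection 103 is an unrelated healthy flow for contrast.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 101 for outside:203.0.113.10/51000 (203.0.113.10/51000) to CILInternal:192.0.2.1/443 (192.0.2.1/443)
%ASA-6-302014: Teardown TCP connection 101 for outside:203.0.113.10/51000 to CILInternal:192.0.2.1/443 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built inbound TCP connection 102 for outside:203.0.113.10/51001 (203.0.113.10/51001) to CILInternal:192.0.2.1/443 (192.0.2.1/443)
%ASA-6-302014: Teardown TCP connection 102 for outside:203.0.113.10/51001 to CILInternal:192.0.2.1/443 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built outbound TCP connection 103 for outside:198.51.100.5/443 (198.51.100.5/443) to CILInternal:192.0.2.50/40000 (192.0.2.50/40000)
%ASA-6-302014: Teardown TCP connection 103 for outside:198.51.100.5/443 to CILInternal:192.0.2.50/40000 duration 0:00:02 bytes 5120 TCP FINs
"""

BUILT_RE = re.compile(
    r"%ASA-\d-302013: Built (?P<direction>inbound|outbound) TCP connection "
    r"(?P<conn_id>\d+) for (?P<src_if>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"\([^)]*\) to (?P<dst_if>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+) \([^)]*\)"
)
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<conn_id>\d+) for "
    r"(?P<src_if>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst_if>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+) duration "
    r"(?P<duration>\S+) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)


def parse_connections(log_text):
    """Correlate Built and Teardown messages by ASA connection id.
    Returns {conn_id: {"built": groupdict or None, "teardown": groupdict or None}}."""
    conns = {}
    for line in log_text.splitlines():
        line = line.strip()
        m = BUILT_RE.search(line)
        if m:
            conns.setdefault(m["conn_id"], {"built": None, "teardown": None})["built"] = m.groupdict()
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            conns.setdefault(m["conn_id"], {"built": None, "teardown": None})["teardown"] = m.groupdict()
    return conns


def find_syn_timeouts(log_text, dst_port=443):
    """Connections to dst_port torn down with 'SYN Timeout' and zero bytes:
    the ASA accepted and forwarded the SYN, but never saw the SYN-ACK before the
    embryonic timeout expired. Sorted by connection id."""
    hits = []
    for conn_id, ev in sorted(parse_connections(log_text).items(), key=lambda kv: int(kv[0])):
        td = ev["teardown"]
        if not td or td["dport"] != str(dst_port):
            continue
        if "SYN Timeout" in td["reason"] and td["bytes"] == "0":
            hits.append({
                "conn_id": conn_id,
                "src": td["src"],
                "dst_if": td["dst_if"],
                "dst": td["dst"],
                "dst_port": td["dport"],
                "duration": td["duration"],
                # interface the SYN arrived on, taken from the Built message if present
                "ingress_if": ev["built"]["src_if"] if ev["built"] else None,
            })
    return hits


def repeated_targets(hits):
    """Count SYN timeouts per (dst_if, dst, dst_port) so a destination that
    never answers stands out in a long log."""
    return Counter((h["dst_if"], h["dst"], h["dst_port"]) for h in hits)


if __name__ == "__main__":
    found = find_syn_timeouts(SAMPLE_LOG)
    for h in found:
        print(f"conn {h['conn_id']}: {h['src']} (via {h['ingress_if']}) -> "
              f"{h['dst_if']}:{h['dst']}/{h['dst_port']} SYN timeout after "
              f"{h['duration']}, 0 bytes: no SYN-ACK seen")
    for (dst_if, dst, port), n in repeated_targets(found).items():
        print(f"{n}x SYN timeout toward {dst_if}:{dst}/{port}")
```

Run it against a real `show logging` dump (or a syslog export) with the port the portal listens on; every hit names the egress interface and address the ASA expected a SYN-ACK from, which narrows the search to whatever sits on that side: the NAT translation that produced the address, the route back, or the service that should be listening there.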

0 answers