Cisco ASA site-to-site VPN

network-engineering cisco vpn
2021-07-27 02:02:19

Hoping someone can help. I am trying to set up a site-to-site VPN using two Cisco ASAs. Site A: 192.168.1.0, static external IP, Cisco ASA 5520. Site B: 10.0.0.0, dynamic external IP, Cisco ASA 5505.

After a few days of tinkering I have the tunnel up and running, but I have a few problems I can't pin down. I'm sure it's either a NAT issue or an ACL, but I'm not sure which.

Site A cannot reach any resources at Site B, and Site A cannot ping Site B's ASA. However, Site B can reach Site A's resources. I also cannot reach Site A's ASA (HTTP/ASDM) from Site B.

Any ideas? Any help is appreciated.

Site A:

: Saved
:
: Serial Number: JMX1608X198
: Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
:
ASA Version 9.1(7)16
!
hostname sm-inau-xasa01
domain-name #################
enable password ############## encrypted
passwd ################### encrypted
names
ip local pool VPN-Pool-4 192.168.1.175-192.168.1.199 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.x.x 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
boot system disk0:/asa917-16-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.1.3
 name-server 8.8.8.8
 domain-name ww931.3759salem.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Gateway-Outside
 host 192.168.1.1
 description IP Gateway
object network WebTest
 host 192.168.1.200
object network Web1
 host 192.168.1.200
object network Web
 host 192.168.1.200
object service WebSR
 service tcp source eq www
object network NETWORK_OBJ_192.168.1.128_25
 subnet 192.168.1.128 255.255.255.128
object network 3759
 subnet 192.168.1.0 255.255.255.0
object network SiteB
 subnet 10.0.0.0 255.255.255.0
object network Gateway
 host 192.168.0.1
object network NETWORK_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
 service-object tcp-udp destination eq www
 service-object tcp destination eq https
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_SERVICE_2
 service-object icmp
 service-object icmp traceroute
 service-object icmp6 echo
 service-object icmp6 echo-reply
 service-object udp destination eq dnsix
access-list outside_access_in extended permit object-group TCPUDP any object Web eq www
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any interface outside
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any interface outside
access-list outside_access_in extended permit ip 192.168.1.0 255.255.255.0 object SiteB
access-list Main standard permit 192.168.1.0 255.255.255.0
access-list outside_cryptomap_65535.1_1 extended permit ip 192.168.1.0 255.255.255.0 object SiteB
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any management
asdm image disk0:/asdm-781.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static 3759 3759 destination static SiteB SiteB no-proxy-arp route-lookup
nat (inside,outside) source static Web1 interface service any WebSR
nat (any,outside) source dynamic any interface
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.1.128_25 NETWORK_OBJ_192.168.1.128_25 no-proxy-arp route-lookup
!
nat (management,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map anyconnectLDAP
  map-name  memberOf Group-Policy
  map-value memberOf CN=vpnusers,CN=Users,DC=ww931,DC=3759salem,DC=com RemoteUsers
dynamic-access-policy-record DfltAccessPolicy
aaa-server WW931 protocol ldap
aaa-server WW931 (inside) host 192.168.1.8
 server-port 389
 ldap-base-dn DC=domain,DC=com
 ldap-scope subtree
 ldap-naming-attribute samaccountname
 ldap-login-password *****
 ldap-login-dn ciscoasavpn@domain.com
 server-type microsoft
 ldap-attribute-map anyconnectLDAP
aaa-server DUO-LDAP protocol ldap
aaa-server DUO-LDAP (outside) host api-dc6d7211.duosecurity.com
 timeout 60
 server-port 636
 ldap-base-dn dc=DITXENWKLNDVDHXAW6C5,dc=duosecurity,dc=com
 ldap-naming-attribute cn
 ldap-login-password *****
 ldap-login-dn dc=DITXENWKLNDVDHXAW6C5,dc=duosecurity,dc=com
 ldap-over-ssl enable
 server-type auto-detect
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 inside
http 10.0.0.0 255.255.255.255 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set Main esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map outside_dyn_map 1 match address outside_cryptomap_65535.1_1
crypto dynamic-map outside_dyn_map 1 set ikev1 transform-set Main
crypto dynamic-map outside_dyn_map 1 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=sm-inau-xasa01
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 subject-name CN=secure.blank.com,OU=IT,O=blank,C=US,St=IN,L=,EA=blank
 crl configure
crypto ca trustpoint ASDM_TrustPoint1_Pub
 enrollment terminal
 subject-name CN=secure.blank.com,OU=IT,O=blank,C=US,St=IN,L=,EA=blank
 keypair Public
 crl configure
crypto ca trustpoint AddTrustExt-Comodo
 enrollment terminal
 crl configure
crypto ca trustpoint ComodoRSACertA
 enrollment terminal
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
 certificate bdcd1d5a
  quit
crypto ca certificate chain ASDM_TrustPoint1_Pub
 certificate 64816722b2a7363ab3bd4f2961522b9c
  quit
crypto ca certificate chain AddTrustExt-Comodo
 certificate ca 2766ee56eb49f38eabd770a2fc84de22
  quit
crypto ca certificate chain ComodoRSACertA
 certificate ca 2b2e6eead975366c148a6edba37c8c07
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASDM_TrustPoint1_Pub
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet 10.0.0.0 255.255.255.0 management
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd dns 192.168.1.3 8.8.8.8
dhcpd update dns both
!
dhcpd address 192.168.1.200-192.168.1.254 inside
dhcpd dns 192.168.1.3 8.8.8.8 interface inside
dhcpd enable inside
!
dhcpd address 10.0.0.2-10.0.0.254 management
dhcpd domain domain.com interface management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
no threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint1_Pub outside
webvpn
 enable outside
 no anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-3.1.09013-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.09013-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux-64-3.1.09013-k9.pkg 3
 anyconnect image disk0:/anyconnect-linux-3.1.03103-k9.pkg 4
 anyconnect profiles Main disk0:/main.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
group-policy NOACCESS internal
group-policy NOACCESS attributes
 wins-server none
 dns-server value 192.168.1.3
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ssl-client ssl-clientless
 default-domain value blank.com
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec
 default-domain value blank.com
group-policy GroupPolicy_InternalVPN internal
group-policy GroupPolicy_InternalVPN attributes
 wins-server none
 dns-server value 192.168.1.3
 vpn-tunnel-protocol l2tp-ipsec
 default-domain value ww931.3759salem.com
group-policy RemoteUsers internal
group-policy RemoteUsers attributes
 vpn-simultaneous-logins 25
 vpn-idle-timeout 999
 vpn-session-timeout none
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Main
 split-tunnel-all-dns disable
 webvpn
  anyconnect profiles value Main type user
username test password ######## encrypted
username local password ###### encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group InternalVPN type remote-access
tunnel-group InternalVPN general-attributes
 address-pool VPN-Pool-4
 default-group-policy GroupPolicy_InternalVPN
tunnel-group InternalVPN webvpn-attributes
 group-alias InternalVPN disable
tunnel-group CORPVPN type remote-access
tunnel-group CORPVPN general-attributes
 address-pool VPN-Pool-4
 authentication-server-group WW931
 secondary-authentication-server-group DUO-LDAP use-primary-username
 default-group-policy NOACCESS
tunnel-group CORPVPN webvpn-attributes
 group-alias CorpVPN enable
!
class-map global-class
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
policy-map global-policy
 class global-class
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect icmp
!
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:e9c019392317c59180e16a0f1352cce0
: end

I can't add the Site B configuration directly to this post without removing part of the text, so to keep it intact I'm just linking to it. If someone can suggest another option, that would be much appreciated. https://pastebin.com/D8kpibsJ

1 Answer

1.

Site A cannot reach any resources at Site B

However, Site B can reach resources at Site A.

I believe your problem statement is not entirely accurate. I ended up setting up a similar case using your configuration.

With this setup (static Site A and dynamic Site B), the IPsec VPN tunnel cannot be established/initiated from Site A. In fact, the tunnel only comes up when it is initiated from Site B. Site A cannot do this because of the dynamic IPsec configuration, and because the public IP address of Site B's ASA is unknown.

When the tunnel is up (brought up by traffic from Site B), Site A can reach Site B without any problem. However, if the tunnel goes down (after a long period of inactivity), Site A will not be able to reach Site B again. We need to bring the tunnel back up from Site B.

2.

Site A cannot ping Site B's ASA

I also cannot reach Site A's ASA (HTTP/ASDM) from Site B.

You need to allow ICMP/HTTP/SSH traffic on the outside interface of both ASAs:

icmp permit ...outside
ssh  ... .... outside
http ... .... outside

3.

Last but not least, I noticed the following line in Site A's configuration:

route outside 0.0.0.0 0.0.0.0 192.168.0.1 1

I wonder what the IP 192.168.0.1 is; is it a typo or something? Because when you configure the Site A ASA with a public IP address, this IP should be the IP address of your ISP's device (the default gateway for your internet traffic).
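To make the three points above checkable against a running-config, here is an added Python script (not from the answer or the poster; the excerpts and the 203.0.113.x addresses in it are constructed) that flags a crypto map with no static peer, missing icmp/ssh/http permits on the outside interface, and a default route whose next hop is an RFC 1918 address:

```python
"""Audit an ASA running-config for the three points the answer raises: a crypto map
with no static peer, missing icmp/ssh/http permits on outside, an RFC 1918 next hop."""
import ipaddress

# Constructed excerpt modelled on the Site A configuration posted above;
# only the lines the three checks look at are reproduced.
SITE_A_EXCERPT = """\
icmp permit any outside
http server enable
http 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
crypto dynamic-map outside_dyn_map 1 match address outside_cryptomap_65535.1_1
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
"""

# Constructed counter-example with hypothetical RFC 5737 addresses: a static
# peer entry, ssh/http from the remote LAN on outside, and a public next hop.
FIXED_EXCERPT = """\
icmp permit any outside
ssh 10.0.0.0 255.255.255.0 outside
http server enable
http 10.0.0.0 255.255.255.0 outside
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
crypto map outside_map 10 match address outside_cryptomap_65535.1_1
crypto map outside_map 10 set peer 203.0.113.10
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def config_lines(text):
    """Stripped, non-empty, non-comment ('!') lines of a running-config."""
    lines = [raw.strip() for raw in text.splitlines()]
    return [ln for ln in lines if ln and not ln.startswith("!")]

def _is_ip(token):
    try:
        return ipaddress.ip_address(token) is not None
    except ValueError:
        return False

def can_initiate_tunnel(lines):
    """True only if some crypto-map entry names a static peer ('set peer <ip>').
    A map that only references a dynamic-map (Site A) can answer but not start."""
    return any(len(t) >= 7 and t[:2] == ["crypto", "map"] and t[4:6] == ["set", "peer"]
               for t in (ln.split() for ln in lines))

def management_access_on(lines, iface):
    """Which of icmp/ssh/http have a permit whose interface is `iface`: the last
    token of 'icmp permit ...', 'ssh <net> <mask> <if>', 'http <net> <mask> <if>'.
    'http server enable', 'ssh timeout ...' and similar lines are skipped."""
    found = {"icmp": False, "ssh": False, "http": False}
    for t in (ln.split() for ln in lines):
        if t[:2] == ["icmp", "permit"] and t[-1] == iface:
            found["icmp"] = True
        elif t[0] in ("ssh", "http") and len(t) == 4 and _is_ip(t[1]) and t[3] == iface:
            found[t[0]] = True
    return found

def default_route_gateway(lines):
    """(next_hop, is_rfc1918) from 'route <if> 0.0.0.0 0.0.0.0 <gw> ...', else (None, False)."""
    for t in (ln.split() for ln in lines):
        if t[0] == "route" and len(t) >= 5 and t[2:4] == ["0.0.0.0", "0.0.0.0"]:
            gw = ipaddress.ip_address(t[4])
            return str(gw), any(gw in net for net in RFC1918)
    return None, False

def audit(text, outside="outside"):
    """Run all three checks; returns a list of findings (empty means clean)."""
    lines = config_lines(text)
    findings = []
    if not can_initiate_tunnel(lines):
        findings.append("crypto map has no static peer: this ASA can answer but never initiate the tunnel")
    for proto, ok in management_access_on(lines, outside).items():
        if not ok:
            findings.append(f"{proto} is not permitted on {outside}")
    gw, private = default_route_gateway(lines)
    if private:
        findings.append(f"default-route next hop {gw} is RFC 1918; expected the ISP gateway")
    return findings
```

Running `audit(SITE_A_EXCERPT)` reports all four findings, while the corrected excerpt comes back clean; on a real box, feed it the output of `show running-config`.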