The OpenNET Project / Index page

ASA internet access through VPN, !*! DenP, 06-Sep-18, 14:52
Good day everyone! Please help: I have an ASA with IPsec configured. The tunnel comes up, and clients from outside can ping the internal network behind the VPN gateway, but they cannot get out to the internet; all external IPs are unreachable. I think an ACL needs to be added, but I don't know how to write it correctly. And one more problem: for some reason the internal names of the internal PCs don't resolve. Please advise.

ip local pool vpn_pool 10.47.1.10-10.47.1.20 mask 255.255.255.224

dns server-group DefaultDNS
name-server 109.195.225.1
name-server 109.195.224.1
domain-name workgroup
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network LAN
subnet 192.168.1.0 255.255.255.0
object network ASA
host 192.168.1.1
object network NETWORK_OBJ_10.47.1.0_27
subnet 10.47.1.0 255.255.255.224
object-group network nat1
network-object object ASA
network-object object NETWORK_OBJ_10.47.1.0_27

access-list inside_access_out extended permit ip any any
access-list outside_access_in extended permit object-group
access-list outside_access_in extended deny ip any 192.168.1.0 255.255.255.0 log errors
access-list outside_access_in extended deny object-group TCPUDP any 192.168.1.0 255.255.255.0 log errors
access-list home_splitTunnelAcl standard permit any4
!
tcp-map Test
  reserved-bits drop
!

nat (outside,inside) after-auto source static NETWORK_OBJ_10.47.1.0_27 NETWORK_OBJ_10.47.1.0_27 no-proxy-arp
nat (inside,outside) after-auto source dynamic nat1 interface dns
access-group outside_access_in in interface outside

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy


group-policy home internal
group-policy home attributes
dns-server value 192.168.1.2
vpn-tunnel-protocol ikev1 ikev2
split-tunnel-policy tunnelspecified
split-tunnel-network-list value home_splitTunnelAcl
default-domain value workgroup
split-tunnel-all-dns disable
tunnel-group home type remote-access
tunnel-group home general-attributes
address-pool vpn_pool
default-group-policy home
tunnel-group home ipsec-attributes
ikev1 pre-shared-key Ki2013Pr
tunnel-group-map default-group home
!

  • ASA internet access through VPN, !*! DenP, 15:39 , 06-Sep-18 (1)
    Thanks, figured it out :) A NAT rule needs to be added. But where should I dig regarding the DNS names of the computers not resolving?
    • ASA internet access through VPN, !*! Andrey, 17:30 , 06-Sep-18 (2)
      > Thanks, figured it out :) A NAT rule needs to be added. But where should I dig regarding the
      > DNS names of the computers not resolving?

      Which DNS server do the computers query to look up internal names?
      Could you show the output of ipconfig /all and nslookup <internal-machine-name>?

      • ASA internet access through VPN, !*! DenP, 00:40 , 08-Sep-18 (3)
        >> Thanks, figured it out :) A NAT rule needs to be added. But where should I dig regarding the
        >> DNS names of the computers not resolving?
        > Which DNS server do the computers query to look up internal names?
        > Could you show the output of ipconfig /all and nslookup <internal-machine-name>?

        Andrey, unfortunately my theory didn't work: after rebooting the ASA, either the VPN doesn't come up at all, or NAT doesn't work (no internet from the VPN pool network).
        Maybe you have some ideas on how to configure it correctly?
        I'll deal with DNS later; it's not a priority.

        • ASA internet access through VPN, !*! DenP, 16:02 , 09-Sep-18 (4)
          >>> Thanks, figured it out :) A NAT rule needs to be added. But where should I dig regarding the
          >>> DNS names of the computers not resolving?
          >> Which DNS server do the computers query to look up internal names?
          >> Could you show the output of ipconfig /all and nslookup <internal-machine-name>?
          > Andrey, unfortunately my theory didn't work: after rebooting the ASA, either the VPN
          > doesn't come up at all, or NAT doesn't work (no internet from the VPN pool network).
          > Maybe you have some ideas on how to configure it correctly?
          > I'll deal with DNS later; it's not a priority.

          Seems to be all OK now.

          hostname ciscoasa
          domain-name workgroup
          asp rule-engine transactional-commit access-group
          xlate per-session permit udp 192.168.1.0 255.255.255.0 any4
          xlate per-session permit tcp 192.168.1.0 255.255.255.0 any4
          xlate per-session deny udp any4 any4
          xlate per-session deny tcp any4 any4
          names
          dns-guard
          ip local pool vpn_pool 10.47.1.10-10.47.1.20 mask 255.255.255.224
          !
          interface Ethernet0/0
          switchport access vlan 2
          !
          interface Ethernet0/1
          !
          interface Ethernet0/2
          !
          interface Ethernet0/3
          !
          interface Ethernet0/4
          !
          interface Ethernet0/5
          !
          interface Ethernet0/6
          !
          interface Ethernet0/7
          description 1
          !
          interface Vlan1
          nameif inside
          security-level 100
          ip address 192.168.1.1 255.255.255.0
          !
          interface Vlan2
          mac-address 0024.5427.f6e9 standby 0024.5427.f6e9
          nameif outside
          security-level 0
          ip address pppoe setroute
          !
          !
          time-range test_time
          periodic daily 0:00 to 7:00
          !
          boot system disk0:/asa924-k8.bin
          ftp mode passive
          clock timezone EEST 2
          clock summer-time EEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
          dns domain-lookup inside
          dns server-group DefaultDNS
          name-server 192.168.1.2
          domain-name workgroup
          same-security-traffic permit intra-interface
          object network obj_any
          subnet 0.0.0.0 0.0.0.0
          object network LAN
          subnet 192.168.1.0 255.255.255.0
          object network NETWORK_VPN_10.47.1.0_27
          subnet 10.47.1.0 255.255.255.224
          object-group network nat1
          network-object object SamsNout

          object-group icmp-type ICPM
          icmp-object unreachable
          icmp-object echo-reply
          icmp-object source-quench
          icmp-object time-exceeded
          icmp-object echo
          icmp-object traceroute
          icmp-object timestamp-reply
          icmp-object timestamp-request
          icmp-object information-reply
          icmp-object information-request
          icmp-object router-advertisement
          icmp-object router-solicitation
          icmp-object alternate-address
          icmp-object conversion-error
          icmp-object mask-reply
          icmp-object mask-request
          icmp-object mobile-redirect
          icmp-object parameter-problem
          icmp-object redirect
          object-group service SIP tcp-udp
          port-object eq sip
          object-group protocol TCPUDP
          protocol-object udp
          protocol-object tcp
          object-group protocol DM_INLINE_PROTOCOL_1
          protocol-object ip
          protocol-object icmp
          access-list outside_access_in extended permit udp any object NAS object-group NASUDP log disable
          access-list outside_access_in extended permit tcp any object NAS object-group NASTCP log disable
          access-list outside_access_in extended permit object-group TCPUDP any object NAS object-group SIP log disable inactive
          access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 object NETWORK_VPN_10.47.1.0_27 192.168.1.0 255.255.255.0 inactive
          access-list outside_access_in extended deny ip any 192.168.1.0 255.255.255.0 log alerts
          access-list outside_access_in extended deny object-group TCPUDP any 192.168.1.0 255.255.255.0 log alerts
          access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any log disable
          access-list home_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
          access-list http-acl extended permit object-group TCPUDP 192.168.1.0 255.255.255.0 host 188.42.129.148 eq www log disable
          !
          tcp-map Test
            reserved-bits drop
          !
          pager lines 24
          logging enable
          logging timestamp
          logging buffer-size 8096
          logging monitor warnings
          logging trap warnings
          logging asdm warnings
          logging mail critical
          logging device-id ipaddress inside
          logging host inside 192.168.1.2
          logging debug-trace
          logging flash-bufferwrap
          logging permit-hostdown
          logging class auth monitor emergencies
          no logging message 106100
          logging message 313001 level warnings
          logging message 403503 level critical
          logging message 403504 level warnings
          logging message 106023 level notifications
          logging message 106021 level notifications
          logging message 106016 level warnings
          logging rate-limit 5 1 level 2
          logging rate-limit 3 3 level 3
          flow-export destination inside 192.168.1.15 9996
          flow-export template timeout-rate 1
          flow-export delay flow-create 15
          mtu inside 1500
          mtu outside 1492
          ip verify reverse-path interface outside
          ip audit name Attack attack action alarm drop
          ip audit interface outside Attack
          ip audit attack action alarm drop
          no failover
          icmp unreachable rate-limit 1 burst-size 1
          asdm image disk0:/asdm-792-152.bin
          asdm history enable
          arp timeout 14400
          no arp permit-nonconnected
          nat (inside,outside) source static any any destination static NETWORK_VPN_10.47.1.0_27 NETWORK_VPN_10.47.1.0_27 no-proxy-arp route-lookup
          !
          nat (inside,outside) after-auto source dynamic nat1 interface dns
          access-group inside_access_in in interface inside
          access-group outside_access_in in interface outside
          timeout xlate 3:00:00
          timeout pat-xlate 0:00:30
          timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
          timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
          timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
          timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
          timeout tcp-proxy-reassembly 0:01:00
          timeout floating-conn 0:00:00
          dynamic-access-policy-record DfltAccessPolicy
          user-identity default-domain LOCAL
          aaa authentication ssh console LOCAL
          http server enable
          http server idle-timeout 60
          http server session-timeout 60
          http 192.168.1.0 255.255.255.0 inside
          no snmp-server location
          no snmp-server contact
          sysopt connection timewait
          crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
          crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
          crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
          crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
          crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
          crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
          crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
          crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
          crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
          crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
          crypto ipsec security-association pmtu-aging infinite
          crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
          crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
          crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
          crypto map outside_map interface outside
          crypto ca trustpool policy
          crypto ikev1 enable outside
          crypto ikev1 policy 10
          authentication crack
          encryption aes-256
          hash sha
          group 2
          lifetime 86400
          crypto ikev1 policy 20
          authentication rsa-sig
          encryption aes-256
          hash sha
          group 2
          lifetime 86400
          crypto ikev1 policy 30
          authentication pre-share
          encryption aes-256
          hash sha
          group 2
          lifetime 86400
          crypto ikev1 policy 40
          authentication crack
          encryption aes-192
          hash sha
          group 2
          lifetime 86400
          crypto ikev1 policy 50
          authentication rsa-sig
          encryption aes-192
          hash sha
          group 2
          lifetime 86400
          crypto ikev1 policy 60
          authentication pre-share
          encryption aes-192
          hash sha
          group 2
          lifetime 86400
          crypto ikev1 policy 70
          authentication crack
          encryption aes
          hash sha
          group 2
          lifetime 86400
          crypto ikev1 policy 80
          authentication rsa-sig
          encryption aes
          hash sha
          group 2
          lifetime 86400
          crypto ikev1 policy 90
          authentication pre-share
          encryption aes
          hash sha
          group 2
          lifetime 86400
          crypto ikev1 policy 100
          authentication crack
          encryption 3des
          hash sha
          group 2
          lifetime 86400
          crypto ikev1 policy 110
          authentication rsa-sig
          encryption 3des
          hash sha
          group 2
          lifetime 86400
          crypto ikev1 policy 120
          authentication pre-share
          encryption 3des
          hash sha
          group 2
          lifetime 86400
          crypto ikev1 policy 130
          authentication crack
          encryption des
          hash sha
          group 2
          lifetime 86400
          crypto ikev1 policy 140
          authentication rsa-sig
          encryption des
          hash sha
          group 2
          lifetime 86400
          crypto ikev1 policy 150
          authentication pre-share
          encryption des
          hash sha
          group 2
          lifetime 86400
          telnet timeout 60
          no ssh stricthostkeycheck
          ssh timeout 60
          ssh version 2
          ssh key-exchange group dh-group1-sha1
          console timeout 0
          management-access inside

          dhcprelay server 192.168.1.5 inside
          priority-queue outside
          threat-detection basic-threat
          threat-detection scanning-threat shun except ip-address 10.47.1.0 255.255.255.0
          threat-detection scanning-threat shun except ip-address 192.168.1.0 255.255.255.0
          threat-detection scanning-threat shun duration 3600
          threat-detection statistics
          threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
          dynamic-filter updater-client enable
          dynamic-filter use-database
          dynamic-filter enable interface outside
          dynamic-filter drop blacklist interface outside
          dynamic-filter ambiguous-is-black
          dynamic-filter whitelist
          name update-manifests.ironport.com
          ntp server 192.168.1.2 source inside prefer
          ssl encryption aes128-sha1 aes256-sha1 3des-sha1
          webvpn
          anyconnect-essentials
          group-policy home attributes
          dns-server value 192.168.1.2
          vpn-tunnel-protocol ikev1
          split-tunnel-policy tunnelspecified
          split-tunnel-network-list value home_splitTunnelAcl
          default-domain value workgroup
          split-tunnel-all-dns disable
          tunnel-group home type remote-access
          tunnel-group home general-attributes
          address-pool vpn_pool
          default-group-policy home
          tunnel-group home ipsec-attributes
          !
          class-map outside-class3
          match default-inspection-traffic
          class-map global-class
          description flow_export
          match any
          class-map QOS
          description QOS
          match any
          class-map QOS-class
          match any
          class-map Nyeflow_global-class
          match any
          class-map type regex match-any block-url-class_class
          match regex blockex1
          match regex blockex2
          match regex blockex3
          match regex blockex4
          match regex blockex7
          match regex blockex6
          match regex blockex5
          match regex blockex8
          match regex blockex9
          match regex blocex10
          match regex blocex11
          class-map type inspect http match-all asdm_medium_security_methods
          match not request method head
          match not request method post
          match not request method get
          class-map type inspect http match-any block-url-class
          match request header host regex class block-url-class_class
          match request uri regex class block-url-class_class
          class-map type inspect http match-all asdm_high_security_methods
          match not request method get
          match not request method head
          class-map outside-class
          match access-list http-acl
          !
          !
          policy-map type inspect dns preset_dns_map
          parameters
            message-length maximum client auto
            message-length maximum 512
            id-randomization
            id-mismatch action log
          policy-map type inspect skinny SCCP_Map
          parameters
            message-id max 0x141
            timeout media 0:01:00
            timeout signaling 0:05:00
            rtp-conformance
          policy-map type inspect ftp FTP_Map
          parameters
            mask-banner
            mask-syst-reply
          policy-map type inspect http block-url-policy
          parameters
            protocol-violation action drop-connection log
          class asdm_high_security_methods
            drop-connection
          match request uri regex class block-url-class_class
            drop-connection log
          policy-map LAN
          description Inspection
          class QOS
            set connection timeout idle 1:00:00 dcd 0:15:00 5
            set connection advanced-options Test
            set connection decrement-ttl
          policy-map type inspect im IM_Map
          parameters
          match protocol msn-im yahoo-im
            drop-connection log
          policy-map type inspect sip SIP_MAP
          parameters
            max-forwards-validation action drop log
            state-checking action drop log
            software-version action mask log
            strict-header-validation action drop log
            no traffic-non-sip
            uri-non-sip action mask log
            rtp-conformance
          policy-map type inspect netbios NetBIOS_Map
          parameters
            protocol-violation action drop log
          policy-map QOS
          policy-map Netflow
          policy-map global_policy
          description flow_export
          class global-class
            flow-export event-type all destination 192.168.1.15
          policy-map type inspect esmtp ESMTP_MAP
          parameters
            special-character action drop-connection log
            no allow-tls
          match sender-address length gt 320
            drop-connection
          match MIME filename length gt 255
            drop-connection
          match cmd line length gt 512
            drop-connection
          match cmd RCPT count gt 100
            drop-connection
          match body line length gt 998
            drop-connection
          policy-map type inspect h323 H323_MAP
          parameters
            state-checking h225
            state-checking ras
            rtp-conformance
          policy-map outside-policy
          class outside-class3
            inspect ctiqbe
            inspect dcerpc
            inspect esmtp ESMTP_MAP
            inspect ftp strict FTP_Map
            inspect h323 h225 H323_MAP
            inspect h323 ras H323_MAP
            inspect icmp
            inspect icmp error
            inspect ils
            inspect im IM_Map
            inspect ip-options
            inspect ipsec-pass-thru
            inspect mgcp
            inspect netbios NetBIOS_Map
            inspect pptp
            inspect rsh
            inspect rtsp
            inspect sip SIP_MAP
            inspect skinny SCCP_Map
            inspect snmp
            inspect sqlnet
            inspect sunrpc
            inspect tftp
            inspect waas
            inspect xdmcp
            inspect dns preset_dns_map dynamic-filter-snoop
            inspect http block-url-policy
          class outside-class
            inspect http
          !
          service-policy global_policy global
          service-policy outside-policy interface outside fail-close
          smtp-server 192.168.1.2
          prompt hostname context
          no call-home reporting anonymous
          hpm topN enable
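Added example, not code from the thread or from Cisco: a small audit script that answers the question the thread asks, "can clients from the VPN pool reach the internet through the ASA?". Two things in the posted configs decide it. In the first config the split-tunnel ACL is `permit any4`, so internet-bound traffic from the clients enters the tunnel and must be hairpinned back out of the outside interface; that needs `same-security-traffic permit intra-interface` (present) plus a dynamic NAT whose source interface is the VPN interface, e.g. `nat (outside,outside) source dynamic NETWORK_OBJ_10.47.1.0_27 interface` (Cisco's usual form for this, not a line from the thread). The posted `nat (inside,outside) ... nat1 interface` is never consulted for packets that arrived on outside, even though nat1 contains the pool object, which matches the poster's own conclusion that a NAT rule had to be added. The final config instead narrows the split-tunnel ACL to `192.168.1.0 255.255.255.0`, so internet traffic bypasses the VPN altogether and no hairpin is needed. The script parses only the statement types it needs, assumes the VPN terminates on the interface named `outside` (a parameter), and runs on constructed excerpts of the thread's configs:

```python
# Added example (not code from the OpenNET thread): audit whether clients from the VPN pool
# can reach the Internet through an ASA. Indentation is ignored because the pasted configs lost it.
import ipaddress
import re

NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) (?:after-auto )?source (dynamic|static) (\S+) (\S+)")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)")
ANY = ipaddress.ip_network("0.0.0.0/0")
# Sub-mode commands that belong to the preceding object / object-group / group-policy block.
SUBCMDS = {"subnet", "host", "network-object", "description", "dns-server", "default-domain",
           "vpn-tunnel-protocol", "split-tunnel-policy", "split-tunnel-network-list", "split-tunnel-all-dns"}


def parse_asa(text):
    cfg = {"objects": {}, "groups": {}, "policies": {}, "acls": {}, "nats": [], "pools": {},
           "intra_interface": False}
    block = None  # (kind, name) of the block whose sub-commands follow
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0].startswith("!"):
            continue
        line = " ".join(t)
        if t[0] not in SUBCMDS:
            block = None
        if t[:2] == ["object", "network"]:
            block = ("object", t[2])
        elif t[:2] == ["object-group", "network"]:
            block = ("group", t[2])
        elif t[0] == "group-policy" and t[-1] == "attributes":
            block = ("policy", t[1])
        elif block and block[0] == "object" and t[0] in ("subnet", "host"):
            cidr = f"{t[1]}/{t[2]}" if t[0] == "subnet" else f"{t[1]}/32"
            cfg["objects"][block[1]] = ipaddress.ip_network(cidr, strict=False)
        elif block and block[0] == "group" and t[:2] == ["network-object", "object"]:
            cfg["groups"].setdefault(block[1], []).append(t[2])
        elif block and block[0] == "policy" and t[0].startswith("split-tunnel"):
            cfg["policies"].setdefault(block[1], {})[t[0]] = t[-1]
        elif line == "same-security-traffic permit intra-interface":
            cfg["intra_interface"] = True
        elif t[0] == "access-list" and t[2:4] == ["standard", "permit"]:
            net = ANY if t[4] in ("any", "any4") else ipaddress.ip_network(f"{t[4]}/{t[5]}", strict=False)
            cfg["acls"].setdefault(t[1], []).append(net)
        elif (m := NAT_RE.match(line)):
            cfg["nats"].append(dict(zip(("src_if", "dst_if", "kind", "real", "mapped"), m.groups())))
        elif (m := POOL_RE.match(line)):
            cfg["pools"][m[1]] = ipaddress.ip_network(f"{m[2]}/{m[4]}", strict=False)
    return cfg


def real_networks(cfg, name):
    # Expand an object name, an object-group name or the keyword any into networks.
    if name in ("any", "any4"):
        return [ANY]
    if name in cfg["objects"]:
        return [cfg["objects"][name]]
    return [cfg["objects"][o] for o in cfg["groups"].get(name, []) if o in cfg["objects"]]


def audit_vpn_internet(text, policy="home", vpn_if="outside"):
    # vpn_if: the interface the crypto map is bound to ("outside" in the thread's config).
    cfg = parse_asa(text)
    pool = next(iter(cfg["pools"].values()))
    pol = cfg["policies"].get(policy, {})
    mode = pol.get("split-tunnel-policy", "tunnelall")
    acl = cfg["acls"].get(pol.get("split-tunnel-network-list"), [])
    # Does Internet-bound traffic enter the tunnel at all? "permit any4" means everything does.
    tunnels_internet = {"tunnelspecified": ANY in acl, "excludespecified": ANY not in acl}.get(mode, True)
    # Hairpinned packets arrive on vpn_if and leave through it again, so only a dynamic rule
    # naming vpn_if on BOTH sides of the NAT statement is ever consulted for them.
    hairpin = any(n["src_if"] == vpn_if == n["dst_if"] and n["kind"] == "dynamic"
                  and any(pool.subnet_of(net) for net in real_networks(cfg, n["real"]))
                  for n in cfg["nats"])
    needed = {"same-security-traffic permit intra-interface": cfg["intra_interface"],
              f"nat ({vpn_if},{vpn_if}) source dynamic <pool object> interface": hairpin}
    missing = [] if not tunnels_internet else [cmd for cmd, ok in needed.items() if not ok]
    verdict = ("ok: split tunnel keeps Internet traffic out of the VPN" if not tunnels_internet
               else "missing: " + "; ".join(missing) if missing else "ok: hairpin NAT covers the VPN pool")
    return {"pool": str(pool), "tunnels_internet": tunnels_internet, "hairpin_nat": hairpin,
            "intra_interface": cfg["intra_interface"], "verdict": verdict}


# Constructed excerpt mirroring the first config posted in the thread.
ORIGINAL_CFG = """
ip local pool vpn_pool 10.47.1.10-10.47.1.20 mask 255.255.255.224
same-security-traffic permit intra-interface
object network NETWORK_OBJ_10.47.1.0_27
 subnet 10.47.1.0 255.255.255.224
object-group network nat1
 network-object object NETWORK_OBJ_10.47.1.0_27
access-list home_splitTunnelAcl standard permit any4
nat (inside,outside) after-auto source dynamic nat1 interface dns
group-policy home attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value home_splitTunnelAcl
"""
# The hairpin rule the audit looks for (Cisco's usual form; not a line from the thread).
HAIRPIN_FIX = "nat (outside,outside) source dynamic NETWORK_OBJ_10.47.1.0_27 interface\n"
# The thread's final config tunnels only the LAN, so Internet traffic never enters the VPN.
SPLIT_LAN_ONLY = ORIGINAL_CFG.replace("standard permit any4", "standard permit 192.168.1.0 255.255.255.0")

if __name__ == "__main__":
    for name, c in (("original", ORIGINAL_CFG), ("hairpin added", ORIGINAL_CFG + HAIRPIN_FIX),
                    ("LAN-only split", SPLIT_LAN_ONLY)):
        print(f"{name:15s} {audit_vpn_internet(c)['verdict']}")
```

Run against the original excerpt the verdict names the missing `nat (outside,outside)` rule; with that rule appended it reports the hairpin as covered, and with the LAN-only split-tunnel ACL it reports that no hairpin is needed. The parser deliberately treats a block's sub-commands by keyword rather than by indentation, so it copes with configs pasted into a forum the way these were.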



