The situation is this: an ASA 5510 with 1 outside and 2 insides.
On one of these insides there is a router that handles 5 networks over MPLS; routing works and all the networks can see each other.
The problem is with the VPN client which, without split-tunnel by choice, on one network (inside) can only ping the hosts permitted in the NAT0 ACL but cannot pass any other kind of traffic. Since I don't want to touch the ACL
Code:
outside_in
Code:
....permit ip 172.16.201.0 host 192.168.0.17
Code:
sysopt connection permit-vpn
Code:
sysopt connection permit-ipsec
On the inside2 network, on the other hand, the VPN clients don't even ping... any ideas??
Also, I'm not getting any kind of log from either the client or the ASA.
Code:
interface Ethernet0/0
nameif outside
security-level 0
ip address 88.xx.xx.2 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.2 255.255.255.0
!
interface Ethernet0/2
nameif inside2
security-level 100
ip address 192.168.20.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 88.xx.xx.1 1
route inside 192.168.1.0 255.255.255.0 192.168.0.1 1
route inside 192.168.2.0 255.255.255.0 192.168.0.1 1
route inside 192.168.3.0 255.255.255.0 192.168.0.1 1
route inside 192.168.4.0 255.255.255.0 192.168.0.1 1
!
access-list NAT0 remark --INTRA_INTERFACES--
access-list NAT0 extended permit ip object-group LAN 192.168.20.0 255.255.255.0
access-list NAT0 extended permit ip 192.168.20.0 255.255.255.0 object-group LAN
access-list NAT0 remark --CLIENT VPNT INSIDE--
access-list NAT0 extended permit ip host 192.168.0.16 172.16.200.0 255.255.255.0
access-list NAT0 extended permit ip host 192.168.0.17 172.16.200.0 255.255.255.0
access-list NAT0 remark --CLIENT VPNT INSIDE2-
access-list NAT0 extended permit ip 192.168.20.0 255.255.255.0 172.16.201.0 255.255.255.0
!
ip local pool INSIDE 172.16.200.200-172.16.200.254 mask 255.255.255.0
ip local pool INSIDE2 172.16.201.200-172.16.201.254 mask 255.255.255.0
!
global (outside) 1 interface
nat (inside) 0 access-list NAT0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside2) 0 access-list NAT0
nat (inside2) 1 0.0.0.0 0.0.0.0
!
group-policy VPN_EXT internal
group-policy VPN_EXT attributes
vpn-simultaneous-logins 5
vpn-idle-timeout 30
vpn-tunnel-protocol IPSec
password-storage disable
!
tunnel-group INSIDE type remote-access
tunnel-group INSIDE general-attributes
address-pool INSIDE
authentication-server-group IAS
default-group-policy VPN_EXT
tunnel-group INSIDE ipsec-attributes
pre-shared-key *
!
tunnel-group INSIDE2 type remote-access
tunnel-group INSIDE2 general-attributes
address-pool INSIDE2
authentication-server-group IASplus
default-group-policy VPN_EXT
tunnel-group INSIDE2 ipsec-attributes
pre-shared-key *
Code:
FW# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)
Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"
FW up 3 days 2 hours
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
..............
This platform has an ASA 5510 Security Plus license.
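As an added example (not part of the original post), a small Python check that reads the posted NAT0 exemption ACL and the two VPN pools and reports which inside networks each pool is NAT-exempted towards. The config excerpt is copied from the post; the function names are my own, and `object-group LAN` is left unresolved because its members are not in the post.

```python
import ipaddress
import re

# Excerpt of the ASA 8.2 config from the post (NAT0 exemption ACL and VPN pools).
CONFIG = """
access-list NAT0 extended permit ip object-group LAN 192.168.20.0 255.255.255.0
access-list NAT0 extended permit ip 192.168.20.0 255.255.255.0 object-group LAN
access-list NAT0 extended permit ip host 192.168.0.16 172.16.200.0 255.255.255.0
access-list NAT0 extended permit ip host 192.168.0.17 172.16.200.0 255.255.255.0
access-list NAT0 extended permit ip 192.168.20.0 255.255.255.0 172.16.201.0 255.255.255.0
ip local pool INSIDE 172.16.200.200-172.16.200.254 mask 255.255.255.0
ip local pool INSIDE2 172.16.201.200-172.16.201.254 mask 255.255.255.0
"""

def parse_addr(tokens):
    """Consume one ACL address operand; return (network or None, remaining tokens)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "object-group":
        return None, tokens[2:]  # members not present in the excerpt, left unresolved
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_nat0(config, acl="NAT0"):
    """Return (src, dst) network pairs for every 'permit ip' ACE of the exemption ACL."""
    rules = []
    for line in config.splitlines():
        m = re.match(rf"access-list {acl} extended permit ip (.*)", line.strip())
        if m:
            src, rest = parse_addr(m.group(1).split())
            dst, _ = parse_addr(rest)
            rules.append((src, dst))
    return rules

def parse_pools(config):
    """Map each 'ip local pool' name to the subnet its clients are addressed from."""
    return {m.group(1): ipaddress.ip_network(f"{m.group(2)}/{m.group(4)}", strict=False)
            for m in re.finditer(r"ip local pool (\S+) (\S+)-(\S+) mask (\S+)", config)}

def exempt_networks(rules, pool):
    """Inside networks that clients in `pool` are NAT-exempted towards (either ACE direction)."""
    nets = set()
    for src, dst in rules:
        if src is None or dst is None:
            continue
        if dst.overlaps(pool):
            nets.add(src)
        elif src.overlaps(pool):
            nets.add(dst)
    return sorted(str(n) for n in nets)

def report(config):
    """Per pool, the list of inside networks covered by the NAT0 exemption."""
    rules, pools = parse_nat0(config), parse_pools(config)
    return {name: exempt_networks(rules, pool) for name, pool in pools.items()}

def covers(config, pool_name, host):
    """True if a client from `pool_name` is NAT-exempted towards `host`."""
    return any(ipaddress.ip_address(host) in ipaddress.ip_network(n)
               for n in report(config)[pool_name])
```

Run `report(CONFIG)` to see that pool INSIDE is exempted only towards the two /32 hosts and INSIDE2 only towards 192.168.20.0/24; `covers()` answers the same question for a single destination.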