Vytahuji ASA 5506-X
Přiložena je nejnovější aktuální konfigurace. Problém je v tom, že VPN AnyConnect se nemůže připojit a hlásí chybu “pokus o připojení vypršel. Zkontrolujte připojení k internetu”.
Počítače na vnitřní síti mají přístup k internetu, pingají a získávají IP adresu z DHCP na vnitřním rozhraní. Bezdrátoví klienti také získávají IP adresu z DHCP na vnitřním rozhraní, ale přes router Verizon (který funguje jako přístupový bod, protože jsem na něm povolil IP access through).
Mám blok pěti veřejných IP adres v podsíti /24 a jednu z nich používám na vnějším rozhraní. V přiložené konfiguraci uvidíte 1.1.1.1, což je veřejná IP. Nemám ponětí, proč se VPN AnyConnect nemůže připojit. Vypnul jsem veškerou ochranu i firewall na počítači, ale klient VPN stále nefunguje. S Cisco ASA teprve začínám a ocenil bych jakoukoli pomoc.
Níže je konfigurace:
Hardware: ASA5506W, 4096 MB RAM, CPU Atom C2000 série 1250 MHz, 1 CPU (4 jádra)
:
Verze ASA 9.16(4)
!
hostname asa
domain-name abc.com
enable password **** pbkdf2
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
service-module sfr keepalive-timeout 4
service-module sfr keepalive-counter 6
service-module wlan keepalive-timeout 4
service-module wlan keepalive-counter 6
names
no mac-address auto
! NOTE(review): this pool is the only address source the AnyConnect tunnel-group
! (Anyconnect-ernest, further down) is given. "no vpn-addr-assign local" later in
! this config disables assignment from local pools, so while that line is present
! no client can actually receive an address from this pool.
ip local pool anyconnect-ernest-pool 172.16.1.7-172.16.1.70 mask 255.255.255.0
!
! NOTE(review): 1.1.1.1 is the public outside address (per the question). The same
! value also appears below as the default-route next hop, as an "inside" DNS server
! and in the identity certificate - see the notes at those lines.
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.3.2 255.255.255.0
!
interface GigabitEthernet1/3
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/4
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/5
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/6
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/7
no nameif
security-level 100
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
security-level 0
no ip address
!
! NOTE(review): the wifi segment is its own interface (192.168.10.0/24) with its own
! DHCP scope below; the question says wireless clients get addresses from the inside
! interface, which does not match this listing - worth confirming which cable the
! Verizon router is actually plugged into.
interface GigabitEthernet1/9
nameif wifi
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Management1/1
management-only
shutdown
no nameif
no security-level
no ip address
!
interface BVI11
no nameif
security-level 100
no ip address
!
banner motd Neautorizovaný přístup je zakázán
boot system disk0:/asa9-16-4-lfbff-k8.SPA
ftp mode passive
clock timezone EST -5
dns domain-lookup outside
dns server-group DefaultDNS
! NOTE(review): 1.1.1.1 is this ASA's own outside address (GigabitEthernet1/1), yet it
! is listed as a name server reachable via "inside" - looks like a sanitisation artefact
! or a typo; verify the intended resolver. "4.4.8.8" is presumably a transposition of
! Google's 8.8.4.4. Three different domain names appear in this config (abc.com,
! pul5ar.com, ernst.com) - probably partial anonymisation, but check they are intended.
name-server 1.1.1.1 inside
name-server 8.8.8.8 outside
name-server 4.4.8.8 outside
domain-name pul5ar.com
! NOTE(review): intra-interface is required for hairpinning (e.g. tunnel-all VPN clients
! reaching the Internet back out of "outside"). inter-interface lets inside and wifi
! (both security-level 100) talk to each other without any ACL - confirm that is intended.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any_wifi
subnet 0.0.0.0 0.0.0.0
object network Inside-LAN-Network
subnet 192.168.3.0 255.255.255.0
! NOTE(review): 172.16.1.0/25 (hosts .0-.127) fully contains the VPN pool .7-.70; it is
! used only for the NAT exemption rule below.
object network NETWORK_OBJ_172.16.1.0_25
subnet 172.16.1.0 255.255.255.128
! NOTE(review): OUTSIDE_ACCESS_IN permits ip any any, but no "access-group" statement in
! this listing binds it to an interface, so it is currently inert. Binding it to
! "outside" as written would remove all inbound filtering; delete it or narrow it first.
! Leaving outside without an access-group keeps the implicit deny, which does not hinder
! AnyConnect: traffic terminating on the ASA itself is not subject to the interface ACL.
access-list OUTSIDE_ACCESS_IN extended permit icmp any any
access-list OUTSIDE_ACCESS_IN extended permit ip any any
! NOTE(review): ASDM-generated local-printing ACL; nothing in this listing references it.
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows’ printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
pager lines 24
logging enable
logging buffered debugging
! NOTE(review): "logging trap" sets a syslog severity but no "logging host" is configured,
! so nothing leaves the box; "show logging" (buffered, debugging) is where the AnyConnect
! connection attempts will show up while troubleshooting.
logging trap informational
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu wifi 1500
icmp unreachable rate-limit 1 burst-size 1
! NOTE(review): answers pings to the outside address from any source. Not related to the
! AnyConnect problem; restricting it to a monitoring source would reduce exposure.
icmp permit any outside
icmp permit any inside
icmp permit any wifi
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
! NOTE(review): NAT exemption (identity NAT) for inside <-> VPN pool traffic - correct shape.
! The two "source static any interface" rules (here and the after-auto one below) are an
! unusual way to express interface PAT; the conventional form is "source dynamic any
! interface", as the obj_any_wifi object rule already does. Since the inside LAN reportedly
! reaches the Internet they evidently take effect, but "show nat" will confirm which rule is
! being hit. Note that no rule translates the VPN pool on (outside,outside), which tunnel-all
! clients would need to reach the Internet through the ASA.
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.1.0_25 NETWORK_OBJ_172.16.1.0_25 no-proxy-arp route-lookup
nat (wifi,outside) source static any interface
!
object network obj_any_wifi
nat (wifi,outside) dynamic interface
!
nat (inside,outside) after-auto source static any interface
! NOTE(review): the default route's next hop is 1.1.1.1 - the ASA's own outside address.
! A route pointing at the box itself cannot forward return traffic to remote AnyConnect
! clients, which would produce exactly a client-side "connection timed out". If 1.1.1.1
! replaced two different real addresses (interface and provider gateway) when the config was
! sanitised, this is only cosmetic; if it is literal, set the next hop to the ISP gateway.
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authentication login-history duration 150
! NOTE(review): ASDM moved to TCP 444 so that 443 stays free for the webvpn/AnyConnect
! listener. The "192.168.10.0 ... inside" entry duplicates the wifi one: that subnet arrives
! on the wifi interface, so the inside-interface entry never matches.
http server enable 444
http 192.168.10.0 255.255.255.0 inside
http 192.168.3.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 wifi
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
! NOTE(review): self-signed identity certificate whose SAN/ip-address is 1.1.1.1. AnyConnect
! will show an untrusted-certificate prompt (blocking, but not a timeout); if the real public
! address differs, re-enrol after correcting it.
crypto ca trustpoint ASDM_TrustPoint203
enrollment self
subject-name CN=asa
ip-address 1.1.1.1
keypair RSA1234
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint203
certificate 64f578b2
… (zkráceno pro délku)
quit
! NOTE(review): an IKEv2 remote-access trustpoint is set, but the group-policy below allows
! ssl-client only, so IKEv2/IPsec AnyConnect sessions are not possible with this config.
crypto ikev2 remote-access trustpoint ASDM_TrustPoint203
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 60
ssh version 2
! NOTE(review): dh-group14-sha1 negotiates the SSH key exchange with SHA-1; this release
! should also offer "ssh key-exchange group dh-group14-sha256" - prefer it if every admin
! client supports it. The "192.168.10.0 ... inside" line below is the same redundancy as in
! the http list.
ssh key-exchange group dh-group14-sha1
ssh 192.168.3.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.0 wifi
console timeout 0
! NOTE(review): "no vpn-addr-assign local" disables address assignment from local pools, which
! is exactly what tunnel-group Anyconnect-ernest relies on (address-pool anyconnect-ernest-pool).
! With it disabled a session cannot obtain an IP; restore the default with
! "vpn-addr-assign local". The reported "timed out" error occurs before address assignment,
! so this is probably a second problem rather than the only one.
no vpn-addr-assign aaa
no vpn-addr-assign local
no ipv6-vpn-addr-assign aaa
no ipv6-vpn-addr-assign local
dhcp-client update dns
dhcpd auto_config outside
!
dhcpd address 192.168.3.5-192.168.3.70 inside
! NOTE(review): 192.168.3.2 is the ASA's inside address; the ASA does not act as a DNS
! resolver for clients, so inside hosts effectively depend on 68.237.161.12 alone.
dhcpd dns 192.168.3.2 68.237.161.12 interface inside
dhcpd enable inside
!
dhcpd address 192.168.10.2-192.168.10.250 wifi
dhcpd dns 8.8.8.8 192.168.3.2 interface wifi
dhcpd enable wifi
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
! NOTE(review): "ssl client-version" only governs TLS connections the ASA itself initiates;
! the version offered to AnyConnect is "ssl server-version" (left at its default here).
! TLS 1.1 is deprecated - raise this to tlsv1.2 unless some peer still needs it.
ssl client-version tlsv1.1
ssl trust-point ASDM_TrustPoint203 outside
ssl trust-point ASDM_TrustPoint203 inside
ssl trust-point ASDM_TrustPoint203 wifi
! NOTE(review): webvpn is enabled on outside only, as expected for remote access.
webvpn
enable outside
http-headers
hsts-server
enable
max-age 31536000
include-sub-domains
no preload
hsts-client
enable
x-content-type-options
x-xss-protection
content-security-policy
! NOTE(review): only a Windows package is installed, so macOS/Linux clients cannot
! web-deploy. The profile file name "anyconnect-primarynull.xml" looks like an ASDM naming
! accident - confirm the file exists ("dir disk0:") and contains the intended host entry.
anyconnect image disk0:/anyconnect-win-4.10.07062-webdeploy-k9.pkg 1
anyconnect profiles anyconnect-primary disk0:/anyconnect-primarynull.xml
anyconnect enable
cache
disable
error-recovery disable
group-policy GroupPolicy_Anyconnect-ernest internal
group-policy GroupPolicy_Anyconnect-ernest attributes
wins-server none
dns-server value 8.8.8.8
! NOTE(review): ssl-client only; no split-tunnel policy is set, so all client traffic is
! tunnelled and depends on the intra-interface hairpin plus a NAT rule for the pool towards
! outside (none present - see the NAT notes above).
vpn-tunnel-protocol ssl-client
default-domain value ernst.com
webvpn
anyconnect profiles value anyconnect-primary type user
anyconnect ask none default anyconnect
dynamic-access-policy-record DfltAccessPolicy
! NOTE(review): the tunnel-group's authentication defaults to LOCAL, so every local account -
! including the privilege-15 administrator - can also log in to the VPN. Consider
! "username <name> attributes" with "service-type admin" or "service-type remote-access"
! to keep the two roles apart.
username abcxyz password **** pbkdf2
username abxyzz password **** pbkdf2 privilege 15
tunnel-group Anyconnect-ernest type remote-access
tunnel-group Anyconnect-ernest general-attributes
address-pool anyconnect-ernest-pool
authorization-server-group LOCAL
default-group-policy GroupPolicy_Anyconnect-ernest
tunnel-group Anyconnect-ernest webvpn-attributes
group-alias Anyconnect-ernest enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect icmp
inspect ftp
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:205f7a3df1856cc8ce95a3a500992871
: end