新足迹
[IT] VPN remote users cannot access the company web page---ASA5520

Posted by 夜游神 on 2009-11-11 11:19
This post was written or reposted by 夜游神 and does not represent the position or views of this site; copyright belongs to oursteps.com.au and the author 夜游神. Reposts must credit the author, the source and this notice, and keep the content intact.
This is the only problem that has come up since I finished migrating the PIX & VPN concentrator to the ASA this week; I would appreciate advice from an expert.

The ASA firewall divides the client company's network into three zones:
OUTSIDE: network A
INSIDE: network B
DMZ: network C

Static NAT: web server IP (DMZ, INSIDE)  C1 ==> B1
                          (DMZ, OUTSIDE) C1 ==> A1

The DHCP pool for the VPN group uses a sub-net of network C.

ASA firewall rules permit access to IP addresses B1 & A1 for both outside & inside users.

As VPN users dial into head office via the OUTSIDE interface of the ASA, they receive IP address B1 for the web server from DNS. However, they are not able to access the web server with IP address B1, while they are able to access the web server with IP address A1.

[ Last edited by 夜游神 on 2009-11-11 13:47 ]
Do My Best!! Make the dream come true, go to where the sea is farthest!!!!!
Posted by degra on 2009-11-11 11:23
vpn client to use split tunneling OR access webserver's internal IP

Posted by 夜游神 on 2009-11-11 12:31
Quoting gandu, posted 2009-11-11 12:23:
vpn client to use split tunneling OR access webserver's internal IP

Split tunneling is enabled for the VPN client.

But when they type the company URL in their browser, they receive the internal IP---B1 from the local DNS.
How to make it work???

[ Last edited by 夜游神 on 2009-11-11 13:51 ]

Posted by jimytri on 2009-11-11 12:57
either No NAT table or split tunnel

Posted by 夜游神 on 2009-11-11 12:59
Quoting jimytri, posted 2009-11-11 13:57:
either No NAT table or split tunnel

Please make it clearer~~~

Posted by zhongbingo on 2009-11-11 13:05
The whole design doesn't look right.
The webserver doesn't need NAT to inside;
then allow the remote VPN client to access the DMZ address of the webserver.

Posted by zhongbingo on 2009-11-11 13:07
Because your VPN is terminated at the inside interface of the PIX,
and NAT inside also terminates at the inside interface, how can you expect the firewall to route and understand the traffic?

Posted by 夜游神 on 2009-11-11 15:17
Quoting zhongbingo, posted 2009-11-11 14:07:
Because your VPN is terminated at the inside interface of the PIX,
and NAT inside also terminates at the inside interface, how can you expect the firewall to route and understand the traffic?



Can't remove the inside NAT for the web server, as the client wants it to work this way.

Also, according to my real-time logs in the box, the VPN terminates at the outside interface~~~

So I need to add a static route to resolve it, right?

C, already permits "INSIDE" to access any resource in both inside & DMZ zones.

[ Last edited by 夜游神 on 2009-11-11 16:31 ]


Posted by zhongbingo on 2009-11-11 15:28
Quoting 夜游神, posted 2009-11-11 16:17:

Can't remove the inside NAT for the web server, as the client wants it to work this way

So I need to add a static route to resolve it, right?

Maybe not working. Traffic from the VPN terminates at the inside interface, then it needs a route to the destination: for the outside webserver address, it just routes to the outside interface; for DMZ, it routes to the DMZ interface; for the inside webserver IP address, if you route to the DMZ interface, DMZ will think it is destined to an internal IP address, then route back to the inside interface.

Or just change the internal DNS: don't point to the inside IP, point to the outside IP address of the webserver.

Anyway, you can't always fulfill the customer's requirements; also, the KISS solution is always the best solution.
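To make the interface-pair behaviour of the two statics concrete, here is an added model (not code from the thread or from Cisco) that replays the three paths discussed: the VPN client sent to B1 by internal DNS, the same client using A1, and a split-tunnel client going straight to the DMZ address C1. The addresses for A1/B1/C1 and the three networks are constructed, and access-list checks are deliberately left out.

```python
# Added model (not from the thread): constructed addresses stand in for the
# thread's A1/B1/C1 so the NAT-by-interface behaviour can be exercised offline.
import ipaddress

# Interface -> directly connected network (constructed, hypothetical values)
INTERFACES = {
    "OUTSIDE": ipaddress.ip_network("203.0.113.0/24"),   # network A
    "INSIDE": ipaddress.ip_network("10.1.0.0/16"),       # network B
    "DMZ": ipaddress.ip_network("172.16.1.0/24"),        # network C
}
C1 = "172.16.1.10"      # real web server address in the DMZ
B1 = "10.1.0.10"        # mapped address of the server as seen from INSIDE
A1 = "203.0.113.10"     # mapped address of the server as seen from OUTSIDE

# The two statics from the first post as (real_ifc, mapped_ifc, mapped_ip, real_ip):
#   static (DMZ,inside) B1 C1   and   static (DMZ,outside) A1 C1
STATIC_NAT = [("DMZ", "INSIDE", B1, C1), ("DMZ", "OUTSIDE", A1, C1)]
REAL_HOSTS = {C1: "DMZ"}   # the only host that really exists; B1/A1 are NAT addresses

def egress_interface(dst):
    """Route lookup: a connected network wins, otherwise the default route."""
    for name, net in INTERFACES.items():
        if ipaddress.ip_address(dst) in net:
            return name
    return "OUTSIDE"

def trace(ingress, dst):
    """Packet-tracer-style check. A static is only untranslated for packets that
    arrive on its *mapped* interface; everything else is just routed as-is."""
    for real_ifc, mapped_ifc, mapped_ip, real_ip in STATIC_NAT:
        if mapped_ifc == ingress and mapped_ip == dst:
            return {"to": real_ip, "egress": real_ifc,
                    "delivered": REAL_HOSTS.get(real_ip) == real_ifc}
    egress = egress_interface(dst)
    return {"to": dst, "egress": egress, "delivered": REAL_HOSTS.get(dst) == egress}

def vpn_client_access(dns_answer):
    """VPN sessions terminate on OUTSIDE (as the OP's logs showed), so the
    decrypted packet is evaluated as if it had entered on that interface.
    The client's pool address does not matter for this destination lookup."""
    return trace("OUTSIDE", dns_answer)

if __name__ == "__main__":
    print("internal DNS answer B1:", vpn_client_access(B1))  # routed to INSIDE, no host there
    print("outside address A1:    ", vpn_client_access(A1))  # untranslated to C1, delivered
    print("split-tunnel to C1:    ", vpn_client_access(C1))  # routed straight to DMZ
```

The B1 case fails because the (DMZ,inside) static never sees a packet that entered on OUTSIDE, so B1 is simply routed toward network B, where nothing answers; that is why returning A1 from DNS, or reaching C1 directly over the split tunnel, works.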

Posted by 夜游神 on 2009-11-11 15:36
~~~

Posted by zhongbingo on 2009-11-11 15:51
Using the packet-tracer command, you will see how the traffic goes.

Posted by 夜游神 on 2009-11-12 20:51
Traced it; it really does terminate on outside~~~~
