|
測(cè)試環(huán)境:ASA5520asa723-18-k8.bin:使用如下配置完全滿足需求����,當(dāng)用戶撥入VPN后只能訪問內(nèi)部資源,不能訪問外部資源 但用這個(gè)配置模板����,到正式環(huán)境,就死活限制不了撥入的VPN用戶訪問互聯(lián)網(wǎng)��! ==================================================================================================== 測(cè)試環(huán)境:ASA5520asa723-18-k8.bin tunnel-grouptestzttypeipsec-ra tunnel-grouptestztipsec-attributes pre-shared-key* group-policyzttestinternal group-policyzttestattributes vpn-simultaneous-logins100 vpn-idle-timeoutnone vpn-session-timeoutnone vpn-filtervaluedeny-access-internet split-tunnel-network-listvalueDeny-access-internet access-listdeny-access-internetextendedpermitip192.168.1.0255.255.255.0200.1.0.0255.255.0.0 access-listdeny-access-internetextendedpermitip192.168.1.0255.255.255.0172.25.90.0255.255.255.0 access-listdeny-access-internetextendedpermitip192.168.1.0255.255.255.0100.1.0.0255.255.0.0 access-listdeny-access-internetextendeddenyip192.168.1.0255.255.255.0any access-listDeny-access-internetextendedpermitip172.25.90.0255.255.255.0192.168.1.0255.255.255.0 access-listDeny-access-internetextendedpermitip100.1.0.0255.255.0.0192.168.1.0255.255.255.0 access-listDeny-access-internetextendedpermitip200.1.0.0255.255.0.0192.168.1.0255.255.255.0 access-listDeny-access-internetextendeddenyipany192.168.1.0255.255.255.0 usernamekakakapassword69eXZQeiMSKhVvOtencrypted usernamekakakaattributes vpn-group-policyzttest vpn-tunnel-protocolIPSec vpn-framed-ip-address192.168.1.100255.255.255.0 測(cè)試成功:用戶kakaka只能訪問內(nèi)網(wǎng)����,不能訪問互聯(lián)網(wǎng) =================================================================================[netxpage] 正式環(huán)境:ASA5540asa723-18-k8.bin tunnel-grouptestzttypeipsec-ra tunnel-grouptestztipsec-attributes pre-shared-key* group-policyzttestinternal group-policyzttestattributes vpn-simultaneous-logins100 vpn-idle-timeoutnone vpn-session-timeoutnone vpn-filtervaluedeny-access-internet split-tunnel-network-listvalueDeny-access-internet access-listdeny-access-internetextendedpermitiphost172.25.230.188172.0.0.0255.0.0.0 access-listdeny-access-internetextendedpermitiphost172.25.230.18810.0.0.0255.0.0.0 access-listdeny-access-internetextendeddenyiphost172.25.230.188any access-listDeny-access-internetextendedpermitip172.0.0.0255.0.0.0host172.25.230.188 access-listDeny-access-internetextendedpermitip10.0.0.0255.0.0.0host172.25.230.188 access-listDeny-access-internetextendeddenyipanyhost172.25.230.188 usernamekakakapassword69eXZQeiMSKhVvOtencrypted usernamekakakaattributes vpn-group-policyzttest vpn-tunnel-protocolIPSec vpn-framed-ip-address172.25.230.188255.255.255.0 測(cè)試失?���。河脩鬹akaka既能訪問內(nèi)網(wǎng),又能訪問互聯(lián)網(wǎng)�,暈,沒有限制?���。?/p> 解決方法:我在5540設(shè)備上的group-policyzttestattributes中添加了 split-tunnel-policyexcludespecified�����,就OK了����,限制了用戶訪問互聯(lián)網(wǎng)��,只能訪問內(nèi)網(wǎng) 此命令的意思:Excludeonlynetworksspecifiedbysplit-tunnel-network-list(排除上公網(wǎng)的用戶)
信息發(fā)布:廣州名易軟件有限公司 http://m.jetlc.com
|
名易MyOA協(xié)同綜合辦公平臺(tái)
名易MyCRM客戶關(guān)系管理平臺(tái)
名易MyHR人力資源管理平臺(tái)
名易MyIDP智能開發(fā)平臺(tái)
名易MyIBP保險(xiǎn)業(yè)務(wù)管理平臺(tái)
名易MyHMS酒店綜合管理系統(tǒng)
名易MyPM項(xiàng)目管理平臺(tái)
名易MyTMS物流運(yùn)輸管理平臺(tái)
名易MyVMS汽車綜合管理系統(tǒng)
名易MyIMS貸款管理系統(tǒng)
名易MyEDU教育管理平臺(tái)
名易MyPCS生產(chǎn)事務(wù)協(xié)調(diào)系統(tǒng)
名易MyWIDP微信智能開發(fā)平臺(tái)
