Network administration and maintenance tip: how to restrict the access rights of dial-in VPN users

Test environment: ASA5520, asa723-18-k8.bin. The configuration below fully met the requirement: once a user dialed in over the VPN, they could reach only internal resources and could not reach external resources.

But when the same configuration template was applied in the production environment, it simply would not stop the dial-in VPN users from reaching the internet!

        ====================================================================================================

Test environment: ASA5520, asa723-18-k8.bin

tunnel-group testzt type ipsec-ra
tunnel-group testzt ipsec-attributes
 pre-shared-key *
group-policy zttest internal
group-policy zttest attributes
 vpn-simultaneous-logins 100
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter value deny-access-internet
 split-tunnel-network-list value Deny-access-internet
access-list deny-access-internet extended permit ip 192.168.1.0 255.255.255.0 200.1.0.0 255.255.0.0
access-list deny-access-internet extended permit ip 192.168.1.0 255.255.255.0 172.25.90.0 255.255.255.0
access-list deny-access-internet extended permit ip 192.168.1.0 255.255.255.0 100.1.0.0 255.255.0.0
access-list deny-access-internet extended deny ip 192.168.1.0 255.255.255.0 any
access-list Deny-access-internet extended permit ip 172.25.90.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Deny-access-internet extended permit ip 100.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list Deny-access-internet extended permit ip 200.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list Deny-access-internet extended deny ip any 192.168.1.0 255.255.255.0
username kakaka password 69eXZQeiMSKhVvOt encrypted
username kakaka attributes
 vpn-group-policy zttest
 vpn-tunnel-protocol IPSec
 vpn-framed-ip-address 192.168.1.100 255.255.255.0

Test succeeded: user kakaka can reach only the intranet and cannot reach the internet.

=================================================================================

Production environment: ASA5540, asa723-18-k8.bin

tunnel-group testzt type ipsec-ra
tunnel-group testzt ipsec-attributes
 pre-shared-key *
group-policy zttest internal
group-policy zttest attributes
 vpn-simultaneous-logins 100
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter value deny-access-internet
 split-tunnel-network-list value Deny-access-internet
access-list deny-access-internet extended permit ip host 172.25.230.188 172.0.0.0 255.0.0.0
access-list deny-access-internet extended permit ip host 172.25.230.188 10.0.0.0 255.0.0.0
access-list deny-access-internet extended deny ip host 172.25.230.188 any
access-list Deny-access-internet extended permit ip 172.0.0.0 255.0.0.0 host 172.25.230.188
access-list Deny-access-internet extended permit ip 10.0.0.0 255.0.0.0 host 172.25.230.188
access-list Deny-access-internet extended deny ip any host 172.25.230.188
username kakaka password 69eXZQeiMSKhVvOt encrypted
username kakaka attributes
 vpn-group-policy zttest
 vpn-tunnel-protocol IPSec
 vpn-framed-ip-address 172.25.230.188 255.255.255.0

Test failed: user kakaka can reach both the intranet and the internet. Ugh, the restriction did not take effect!

Solution: on the 5540, under group-policy zttest attributes, I added

split-tunnel-policy excludespecified, and that fixed it: the user is blocked from the internet and can reach only the intranet.

Meaning of this command: Exclude only networks specified by split-tunnel-network-list (that is, it excludes the users going out to the public internet).
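Before relying on a vpn-filter ACL like the one above, it is worth checking on paper what it permits for the assigned client address. The following Python example is added here and is not part of the original article; it parses the "extended ... ip" form of ASA access-list entries used on this page and evaluates a flow the way the ASA does (first matching entry wins, implicit deny at the end, subnet masks rather than wildcard masks). The ACL entries are copied from the production section above; the destination addresses probed are constructed for the example, and the helper names (parse_acls, evaluate, internet_blocked) are the example's own.

```python
import ipaddress

# Copy of the production vpn-filter ACL from the article above (only the
# 'deny-access-internet' entries, which the group policy's vpn-filter references).
PROD_FILTER = """
access-list deny-access-internet extended permit ip host 172.25.230.188 172.0.0.0 255.0.0.0
access-list deny-access-internet extended permit ip host 172.25.230.188 10.0.0.0 255.0.0.0
access-list deny-access-internet extended deny ip host 172.25.230.188 any
"""


def _parse_addr(tokens, i):
    """Parse one ASA address spec starting at tokens[i]: 'any', 'host A.B.C.D',
    or 'A.B.C.D MASK' (the ASA uses real subnet masks, not wildcard masks).
    Returns (network, index of the next unread token)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(config_text):
    """Return {acl_name: [(action, src_net, dst_net), ...]} in configuration order.
    Only 'extended {permit|deny} ip SRC DST' entries are handled, which is the
    form used on this page. Names are kept case-sensitive, as they are on the
    ASA, so 'deny-access-internet' and 'Deny-access-internet' stay distinct."""
    acls = {}
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2] != "extended":
            continue
        name, action, proto = tokens[1], tokens[3], tokens[4]
        if action not in ("permit", "deny") or proto != "ip":
            continue
        src, i = _parse_addr(tokens, 5)
        dst, _ = _parse_addr(tokens, i)
        acls.setdefault(name, []).append((action, src, dst))
    return acls


def evaluate(aces, src_ip, dst_ip):
    """The first entry matching both source and destination decides;
    no match means the implicit deny at the end of every ASA ACL."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in aces:
        if s in src_net and d in dst_net:
            return action
    return "deny"


def internet_blocked(aces, client_ip, probe_ips):
    """True only if every probed destination is denied for the client address."""
    return all(evaluate(aces, client_ip, ip) == "deny" for ip in probe_ips)


if __name__ == "__main__":
    acl = parse_acls(PROD_FILTER)["deny-access-internet"]
    client = "172.25.230.188"  # vpn-framed-ip-address from the article
    # Constructed destinations: two private, one from the 203.0.113.0/24 documentation range.
    for dst in ("10.20.30.40", "172.16.0.1", "203.0.113.1"):
        print(f"{client} -> {dst}: {evaluate(acl, client, dst)}")
    print("internet blocked:", internet_blocked(acl, client, ["203.0.113.1", "198.51.100.1"]))
```

Run as a script it prints permit for the two private destinations and deny for the public one, which is the behaviour the filter is meant to enforce; a real ASA can be checked the same way with packet-tracer or by reviewing show access-list hit counts after a test session.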

         

