思科认证之限制拨入VPN用户的访问权限

会计考友

思科认证之限制拨入VPN用户的访问权限
限制拨入VPN用户的访问权限
遇到个郁闷至极的问题；应客户要求，在ASA上进行设置，当远程用户拨入VPN之后，只能访问内网资源，不允许访问互联网
测试环境：ASA 5520 asa723-18-k8.bin： 使用如下配置完全满足需求，当用户拨入VPN后只能访问内部资源，不能访问外部资源
, B4 f' |& x' [但用这个配置模板，到正式环境，就死活限制不了拨入的VPN用户访问互联网！
/ @' `0 [& H9 T- h===========================================================================
$ B' A2 L/ Q" W测试环境： ASA 5520 asa723-18-k8.bin
tunnel-group testzt type ipsec-ra
tunnel-group testzt ipsec-attributes
7 A; a& @2 t7 k" D  ^pre-shared-key *
! X2 {/ `! `2 i& _% M* [  ~group-policy zttest internal
' f% C% j! |) |) n5 xgroup-policy zttest attributes
vpn-simultaneous-logins 100
" R/ w% P& e  Vvpn-idle-timeout none
vpn-session-timeout none
vpn-filter value deny-access-internet
split-tunnel-network-list value Deny-access-internet
access-list deny-access-internet extended permit ip 192.168.1.0 255.255.255.0 200.1.0.0 255.255.0.0
access-list deny-access-internet extended permit ip 192.168.1.0 255.255.255.0 172.25.90.0 255.255.255.0
access-list deny-access-internet extended permit ip 192.168.1.0 255.255.255.0 100.1.0.0 255.255.0.0
" i  A: i. F% S0 G& qaccess-list deny-access-internet extended deny ip 192.168.1.0 255.255.255.0 any
4 _/ k% B$ k* Y7 C% Y0 A0 l) j/ daccess-list Deny-access-internet extended permit ip 172.25.90.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Deny-access-internet extended permit ip 100.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list Deny-access-internet extended permit ip 200.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list Deny-access-internet extended deny ip any 192.168.1.0 255.255.255.0
username kakaka password 69eXZQeiMSKhVvOt encrypted
( I! G! O8 g8 A9 @/ h7 {username kakaka attributes
. L" i! M* w3 t. ^. y* gvpn-group-policy zttest
, A. f& z$ R+ i- @0 Z. ]! }! Nvpn-tunnel-protocol IPSec
7 x* X% J8 z' f$ b3 q* {4 m) tvpn-framed-ip-address 192.168.1.100 255.255.255.0
# F( L3 ]8 G; z测试成功：用户kakaka 只能访问内网，不能访问互联网
=======================================================================

/ u' l, b& @" Z* X
正式环境： ASA 5540 asa723-18-k8.bin
tunnel-group testzt type ipsec-ra
; Z9 v% M5 \2 \  L$ N- Mtunnel-group testzt ipsec-attributes
pre-shared-key *
% r0 S- ^. B5 `group-policy zttest internal
group-policy zttest attributes
( F! G% r: q8 R& g# Z$ tvpn-simultaneous-logins 100
vpn-idle-timeout none
+ ?1 W$ R5 x) Lvpn-session-timeout none
5 ]- ~+ v6 D8 [vpn-filter value deny-access-internet
" D& k3 A6 o/ H* r  h) c% b& Bsplit-tunnel-network-list value Deny-access-internet
$ `& }5 h9 Y% J5 d" S" q  Kaccess-list deny-access-internet extended permit ip host 172.25.230.188 172.0.0.0 255.0.0.0
access-list deny-access-internet extended permit ip host 172.25.230.188 10.0.0.0 255.0.0.0
: x8 I' F0 `2 Q' H- q+ t7 l2 }5 d5 faccess-list deny-access-internet extended deny ip host 172.25.230.188 any
! p' F6 `3 t, s! L# B5 G/ aaccess-list Deny-access-internet extended permit ip 172.0.0.0 255.0.0.0 host 172.25.230.188
access-list Deny-access-internet extended permit ip 10.0.0.0 255.0.0.0 host 172.25.230.188
" Y+ V" x, z. z3 faccess-list Deny-access-internet extended deny ip any host 172.25.230.188
! u7 K0 k. M' I* ?! L: E/ s  y2 nusername kakaka password 69eXZQeiMSKhVvOt encrypted
username kakaka attributes
vpn-group-policy zttest
vpn-tunnel-protocol IPSec
' ^- Y9 v$ ^7 ?4 P" O, Evpn-framed-ip-address 172.25.230.188 255.255.255.0
0 t4 N9 e, P* U" S测试失败：用户kakaka 既能访问内网，又能访问互联网，晕，没有限制住！
解决方法：我在5540设备上的group-policy zttest attributes 中添加了
+ y4 L/ b) ]# Q1 t% K& l6 Lsplit-tunnel-policy excludespecified ，就OK了，限制了用户访问互联网，只能访问内网
此命令的意思：Exclude only networks specified by split-tunnel-network-list（排除上公网的用户）