思科认证之限制拨入VPN用户的访问权限

会计考友

思科认证之限制拨入VPN用户的访问权限
限制拨入VPN用户的访问权限
遇到个郁闷至极的问题；应客户要求，在ASA上进行设置，当远程用户拨入VPN之后，只能访问内网资源，不允许访问互联网
0 }5 c% K2 p2 ~7 p测试环境：ASA 5520 asa723-18-k8.bin： 使用如下配置完全满足需求，当用户拨入VPN后只能访问内部资源，不能访问外部资源
# J" {2 |- w9 s- L- J但用这个配置模板，到正式环境，就死活限制不了拨入的VPN用户访问互联网！
===========================================================================
测试环境： ASA 5520 asa723-18-k8.bin
% S( f" l& j- R! e/ ?( atunnel-group testzt type ipsec-ra
tunnel-group testzt ipsec-attributes
* g& C, Y& P2 x: ypre-shared-key *
- o& f4 m& h; \! _& Wgroup-policy zttest internal
8 i7 z7 e( L" cgroup-policy zttest attributes
$ a+ c6 F* K% ]0 \vpn-simultaneous-logins 100
vpn-idle-timeout none
; q+ g0 f, Y, }# I0 L( W6 W- vvpn-session-timeout none
vpn-filter value deny-access-internet
split-tunnel-network-list value Deny-access-internet
3 F0 x3 ]1 _: @& eaccess-list deny-access-internet extended permit ip 192.168.1.0 255.255.255.0 200.1.0.0 255.255.0.0
6 u; u8 `2 x: W1 ^access-list deny-access-internet extended permit ip 192.168.1.0 255.255.255.0 172.25.90.0 255.255.255.0
  {0 X% p# M* L5 U. j3 B) Gaccess-list deny-access-internet extended permit ip 192.168.1.0 255.255.255.0 100.1.0.0 255.255.0.0
access-list deny-access-internet extended deny ip 192.168.1.0 255.255.255.0 any
/ _+ H; D+ B* i* P$ @+ u: S* Daccess-list Deny-access-internet extended permit ip 172.25.90.0 255.255.255.0 192.168.1.0 255.255.255.0
0 y, `' j( x+ p0 M7 raccess-list Deny-access-internet extended permit ip 100.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
, V  [4 M5 O/ J% ~1 n* Saccess-list Deny-access-internet extended permit ip 200.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list Deny-access-internet extended deny ip any 192.168.1.0 255.255.255.0
+ {: C# }+ O  r  t( vusername kakaka password 69eXZQeiMSKhVvOt encrypted
username kakaka attributes
vpn-group-policy zttest
" K% }1 e7 O7 s& l. ^; xvpn-tunnel-protocol IPSec
: t7 y5 H) _5 Z9 n6 l  @- }/ Cvpn-framed-ip-address 192.168.1.100 255.255.255.0
测试成功：用户kakaka 只能访问内网，不能访问互联网
=======================================================================
4 W) k3 J9 ^( O- M5 L9 e
6 m8 W8 U. G: ~: Q6 i
8 Q5 {6 d! u& S* {0 S' C正式环境： ASA 5540 asa723-18-k8.bin
' n. i- \8 k2 u, }7 J2 B" J. Otunnel-group testzt type ipsec-ra
0 J5 K# T$ T1 I$ m% \8 i* gtunnel-group testzt ipsec-attributes
pre-shared-key *
group-policy zttest internal
8 k6 f# L( ]* E$ \* y6 Xgroup-policy zttest attributes
vpn-simultaneous-logins 100
# C5 t  Q& X7 L' r/ ovpn-idle-timeout none
. ?1 @2 m. x5 p/ Q6 N( V( K1 tvpn-session-timeout none
5 x5 l+ H9 u. F$ ~2 ?# Hvpn-filter value deny-access-internet
7 T, s( O- |8 h1 I7 _9 Ssplit-tunnel-network-list value Deny-access-internet
, Z/ b) j# y7 H! n+ H2 I  n& E# Iaccess-list deny-access-internet extended permit ip host 172.25.230.188 172.0.0.0 255.0.0.0
access-list deny-access-internet extended permit ip host 172.25.230.188 10.0.0.0 255.0.0.0
access-list deny-access-internet extended deny ip host 172.25.230.188 any
3 ?5 w8 l% a" _$ |access-list Deny-access-internet extended permit ip 172.0.0.0 255.0.0.0 host 172.25.230.188
3 e  J4 D8 R" I: c. Z, ^. Saccess-list Deny-access-internet extended permit ip 10.0.0.0 255.0.0.0 host 172.25.230.188
# u7 D* ^) m9 o1 N0 U- E  n9 z$ gaccess-list Deny-access-internet extended deny ip any host 172.25.230.188
2 l% S' J, |7 [username kakaka password 69eXZQeiMSKhVvOt encrypted
username kakaka attributes
' m4 B8 r0 K" h) N2 avpn-group-policy zttest
" r+ l7 b7 D' Q/ S. Jvpn-tunnel-protocol IPSec
vpn-framed-ip-address 172.25.230.188 255.255.255.0
测试失败：用户kakaka 既能访问内网，又能访问互联网，晕，没有限制住！
解决方法：我在5540设备上的group-policy zttest attributes 中添加了
$ n! ^1 S  i: W" x5 qsplit-tunnel-policy excludespecified ，就OK了，限制了用户访问互联网，只能访问内网
此命令的意思：Exclude only networks specified by split-tunnel-network-list（排除上公网的用户）