Network administration tip: how to restrict the access rights of dial-in VPN users

Test environment: ASA5520, asa723-18-k8.bin. The following configuration fully meets the requirement: once a user dials in over VPN, they can only reach internal resources and cannot reach external resources.

But when this configuration template was moved to the production environment, it simply would not stop dial-in VPN users from accessing the Internet!

        ====================================================================================================

Test environment: ASA5520, asa723-18-k8.bin

tunnel-group testzt type ipsec-ra
tunnel-group testzt ipsec-attributes
 pre-shared-key *
group-policy zttest internal
group-policy zttest attributes
 vpn-simultaneous-logins 100
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter value deny-access-internet
 split-tunnel-network-list value Deny-access-internet
access-list deny-access-internet extended permit ip 192.168.1.0 255.255.255.0 200.1.0.0 255.255.0.0
access-list deny-access-internet extended permit ip 192.168.1.0 255.255.255.0 172.25.90.0 255.255.255.0
access-list deny-access-internet extended permit ip 192.168.1.0 255.255.255.0 100.1.0.0 255.255.0.0
access-list deny-access-internet extended deny ip 192.168.1.0 255.255.255.0 any
access-list Deny-access-internet extended permit ip 172.25.90.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Deny-access-internet extended permit ip 100.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list Deny-access-internet extended permit ip 200.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list Deny-access-internet extended deny ip any 192.168.1.0 255.255.255.0
username kakaka password 69eXZQeiMSKhVvOt encrypted
username kakaka attributes
 vpn-group-policy zttest
 vpn-tunnel-protocol IPSec
 vpn-framed-ip-address 192.168.1.100 255.255.255.0

Test passed: user kakaka can only reach the internal network and cannot reach the Internet.

====================================================================================================

Production environment: ASA5540, asa723-18-k8.bin

tunnel-group testzt type ipsec-ra
tunnel-group testzt ipsec-attributes
 pre-shared-key *
group-policy zttest internal
group-policy zttest attributes
 vpn-simultaneous-logins 100
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter value deny-access-internet
 split-tunnel-network-list value Deny-access-internet
access-list deny-access-internet extended permit ip host 172.25.230.188 172.0.0.0 255.0.0.0
access-list deny-access-internet extended permit ip host 172.25.230.188 10.0.0.0 255.0.0.0
access-list deny-access-internet extended deny ip host 172.25.230.188 any
access-list Deny-access-internet extended permit ip 172.0.0.0 255.0.0.0 host 172.25.230.188
access-list Deny-access-internet extended permit ip 10.0.0.0 255.0.0.0 host 172.25.230.188
access-list Deny-access-internet extended deny ip any host 172.25.230.188
username kakaka password 69eXZQeiMSKhVvOt encrypted
username kakaka attributes
 vpn-group-policy zttest
 vpn-tunnel-protocol IPSec
 vpn-framed-ip-address 172.25.230.188 255.255.255.0

Test failed: user kakaka can reach both the internal network and the Internet. Ugh, the restriction does not hold!

Solution: on the 5540 I added

split-tunnel-policy excludespecified

under group-policy zttest attributes, and that did it: the user is blocked from the Internet and can only reach the internal network.

What this command means: Exclude only networks specified by split-tunnel-network-list (exclude users from going out to the public Internet).
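As an added example (not from the original article), the script below parses the production vpn-filter and split-tunnel ACL lines shown above and evaluates them the way the ASA evaluates an extended ACL: first match wins, and anything that matches no entry hits the implicit deny. It lets you check what the dial-in client at 172.25.230.188 is permitted to reach before the policy is pushed, and it keeps ACL names case-sensitive, so the two lists that differ only in case stay separate, as on the page.

```python
# Added example: offline evaluator for ASA extended ACLs of the shape used on this page.
import ipaddress
import re
from collections import defaultdict

# ACL lines reconstructed from the article's production (ASA5540) configuration.
ACL_TEXT = """
access-list deny-access-internet extended permit ip host 172.25.230.188 172.0.0.0 255.0.0.0
access-list deny-access-internet extended permit ip host 172.25.230.188 10.0.0.0 255.0.0.0
access-list deny-access-internet extended deny ip host 172.25.230.188 any
access-list Deny-access-internet extended permit ip 172.0.0.0 255.0.0.0 host 172.25.230.188
access-list Deny-access-internet extended permit ip 10.0.0.0 255.0.0.0 host 172.25.230.188
access-list Deny-access-internet extended deny ip any host 172.25.230.188
"""

def _take_addr(tokens):
    """Consume one ASA address spec (any | host A | A MASK) and return a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def parse_acls(text):
    """Return {name: [(action, src_net, dst_net), ...]} in line order.
    Names are kept case-sensitive, so the two lists on the page stay distinct."""
    acls = defaultdict(list)
    for line in text.strip().splitlines():
        m = re.match(r"access-list (\S+) extended (permit|deny) ip (.+)", line.strip())
        if not m:
            raise ValueError(f"unsupported ACE: {line}")
        name, action, rest = m.groups()
        tokens = rest.split()
        src = _take_addr(tokens)
        dst = _take_addr(tokens)
        acls[name].append((action, src, dst))
    return dict(acls)

def acl_verdict(acls, name, src_ip, dst_ip):
    """First matching ACE wins; no match (or no such ACL) is the ASA's implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in acls.get(name, []):
        if src in src_net and dst in dst_net:
            return action
    return "deny"

if __name__ == "__main__":  # quick check for the production client address
    for dst in ("10.0.0.5", "172.25.90.1", "8.8.8.8"):
        print(dst, acl_verdict(parse_acls(ACL_TEXT), "deny-access-internet", "172.25.230.188", dst))
```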
