Network management and maintenance tip: how to restrict the access rights of dial-in VPN users

        Test environment: ASA5520, asa723-18-k8.bin. The following configuration fully met the requirement: once a user dials in over VPN, they can reach only internal resources and cannot reach external ones.

        But when the same configuration template was moved to the production environment, it simply would not stop the dialed-in VPN users from reaching the Internet!

        ====================================================================================================

        Test environment: ASA5520, asa723-18-k8.bin

        tunnel-group testzt type ipsec-ra
        tunnel-group testzt ipsec-attributes
         pre-shared-key *
        group-policy zttest internal
        group-policy zttest attributes
         vpn-simultaneous-logins 100
         vpn-idle-timeout none
         vpn-session-timeout none
         vpn-filter value deny-access-internet
         split-tunnel-network-list value Deny-access-internet
        access-list deny-access-internet extended permit ip 192.168.1.0 255.255.255.0 200.1.0.0 255.255.0.0
        access-list deny-access-internet extended permit ip 192.168.1.0 255.255.255.0 172.25.90.0 255.255.255.0
        access-list deny-access-internet extended permit ip 192.168.1.0 255.255.255.0 100.1.0.0 255.255.0.0
        access-list deny-access-internet extended deny ip 192.168.1.0 255.255.255.0 any
        access-list Deny-access-internet extended permit ip 172.25.90.0 255.255.255.0 192.168.1.0 255.255.255.0
        access-list Deny-access-internet extended permit ip 100.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
        access-list Deny-access-internet extended permit ip 200.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
        access-list Deny-access-internet extended deny ip any 192.168.1.0 255.255.255.0
        username kakaka password 69eXZQeiMSKhVvOt encrypted
        username kakaka attributes
         vpn-group-policy zttest
         vpn-tunnel-protocol IPSec
         vpn-framed-ip-address 192.168.1.100 255.255.255.0

        Test succeeded: user kakaka can only reach the intranet and cannot reach the Internet.

        =================================================================================

        Production environment: ASA5540, asa723-18-k8.bin

        tunnel-group testzt type ipsec-ra
        tunnel-group testzt ipsec-attributes
         pre-shared-key *
        group-policy zttest internal
        group-policy zttest attributes
         vpn-simultaneous-logins 100
         vpn-idle-timeout none
         vpn-session-timeout none
         vpn-filter value deny-access-internet
         split-tunnel-network-list value Deny-access-internet
        access-list deny-access-internet extended permit ip host 172.25.230.188 172.0.0.0 255.0.0.0
        access-list deny-access-internet extended permit ip host 172.25.230.188 10.0.0.0 255.0.0.0
        access-list deny-access-internet extended deny ip host 172.25.230.188 any
        access-list Deny-access-internet extended permit ip 172.0.0.0 255.0.0.0 host 172.25.230.188
        access-list Deny-access-internet extended permit ip 10.0.0.0 255.0.0.0 host 172.25.230.188
        access-list Deny-access-internet extended deny ip any host 172.25.230.188
        username kakaka password 69eXZQeiMSKhVvOt encrypted
        username kakaka attributes
         vpn-group-policy zttest
         vpn-tunnel-protocol IPSec
         vpn-framed-ip-address 172.25.230.188 255.255.255.0

        Test failed: user kakaka can reach both the intranet and the Internet. Ugh, the restriction did not take effect!

        Solution: on the 5540 I added the following under group-policy zttest attributes:

         split-tunnel-policy excludespecified

        and that was it: the user is now blocked from the Internet and can only reach the intranet.

        Meaning of this command: Exclude only networks specified by split-tunnel-network-list (excludes the users going out to the public Internet).
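Before pushing a template like this to production it is worth checking on paper what the vpn-filter ACL actually permits for a dialed-in client. The following is an added example, not part of the original post: a small first-match evaluator for the plain "permit/deny ip" ACEs used above, applied to the production vpn-filter (whitespace restored). It assumes standard ASA ACL semantics (first matching ACE wins, implicit deny at the end) and checks only the client-to-destination direction as the ACEs are written.

```python
import ipaddress

# Constructed sample: the production vpn-filter ACL from the post, with spacing restored.
PROD_VPN_FILTER = """
access-list deny-access-internet extended permit ip host 172.25.230.188 172.0.0.0 255.0.0.0
access-list deny-access-internet extended permit ip host 172.25.230.188 10.0.0.0 255.0.0.0
access-list deny-access-internet extended deny ip host 172.25.230.188 any
"""

def _take_addr(tokens, i):
    """Consume one ASA address spec (any | host A | A MASK) starting at tokens[i]."""
    t = tokens[i]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts a dotted netmask after the slash, e.g. 172.0.0.0/255.0.0.0
    return ipaddress.ip_network(f"{t}/{tokens[i + 1]}"), i + 2

def parse_acl(text):
    """Parse 'access-list NAME extended permit|deny ip SRC DST' lines into ACEs grouped by ACL name."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        # Only the plain IP ACEs that appear in the post are handled here.
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] != "extended" or tok[4] != "ip":
            continue
        src, i = _take_addr(tok, 5)
        dst, _ = _take_addr(tok, i)
        acls.setdefault(tok[1], []).append((tok[3] == "permit", src, dst))
    return acls

def evaluate(aces, src_ip, dst_ip):
    """ASA semantics: the first matching ACE wins; no match means the implicit deny applies."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for permit, src_net, dst_net in aces:
        if s in src_net and d in dst_net:
            return permit
    return False

def check_client(acl_text, acl_name, client_ip, dst_ips):
    """Return {destination: permitted?} for one VPN client address against the named ACL."""
    aces = parse_acl(acl_text)[acl_name]
    return {dst: evaluate(aces, client_ip, dst) for dst in dst_ips}

if __name__ == "__main__":
    # Internal 10/8 and 172/8 hosts should be permitted; a public address should hit the deny.
    result = check_client(PROD_VPN_FILTER, "deny-access-internet", "172.25.230.188",
                          ["10.1.2.3", "172.25.90.7", "8.8.8.8"])
    for dst, ok in result.items():
        print(f"{dst:>14}: {'permit' if ok else 'deny'}")
```

If the evaluator already shows the public destination denied, the filter logic itself is not what lets traffic out, which points at how the client's traffic is being tunneled rather than at the ACL.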



Published by: 名易软件 http://www.myidp.net