Network administration tips: how to restrict what dial-in VPN users can access

Test environment: ASA5520, asa723-18-k8.bin. With the configuration below the requirement was fully met: once a user dials in over the VPN they can only reach internal resources, not external ones.

But when the same configuration template was taken to the production environment, it simply would not stop the dial-in VPN users from reaching the Internet!

        ====================================================================================================

Test environment: ASA5520, asa723-18-k8.bin

tunnel-group testzt type ipsec-ra
tunnel-group testzt ipsec-attributes
 pre-shared-key *
group-policy zttest internal
group-policy zttest attributes
 vpn-simultaneous-logins 100
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter value deny-access-internet
 split-tunnel-network-list value Deny-access-internet
access-list deny-access-internet extended permit ip 192.168.1.0 255.255.255.0 200.1.0.0 255.255.0.0
access-list deny-access-internet extended permit ip 192.168.1.0 255.255.255.0 172.25.90.0 255.255.255.0
access-list deny-access-internet extended permit ip 192.168.1.0 255.255.255.0 100.1.0.0 255.255.0.0
access-list deny-access-internet extended deny ip 192.168.1.0 255.255.255.0 any
access-list Deny-access-internet extended permit ip 172.25.90.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Deny-access-internet extended permit ip 100.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list Deny-access-internet extended permit ip 200.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list Deny-access-internet extended deny ip any 192.168.1.0 255.255.255.0
username kakaka password 69eXZQeiMSKhVvOt encrypted
username kakaka attributes
 vpn-group-policy zttest
 vpn-tunnel-protocol IPSec
 vpn-framed-ip-address 192.168.1.100 255.255.255.0

Test result: success. User kakaka can only reach the internal network and cannot reach the Internet.

        ====================================================================================================

Production environment: ASA5540, asa723-18-k8.bin

tunnel-group testzt type ipsec-ra
tunnel-group testzt ipsec-attributes
 pre-shared-key *
group-policy zttest internal
group-policy zttest attributes
 vpn-simultaneous-logins 100
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter value deny-access-internet
 split-tunnel-network-list value Deny-access-internet
access-list deny-access-internet extended permit ip host 172.25.230.188 172.0.0.0 255.0.0.0
access-list deny-access-internet extended permit ip host 172.25.230.188 10.0.0.0 255.0.0.0
access-list deny-access-internet extended deny ip host 172.25.230.188 any
access-list Deny-access-internet extended permit ip 172.0.0.0 255.0.0.0 host 172.25.230.188
access-list Deny-access-internet extended permit ip 10.0.0.0 255.0.0.0 host 172.25.230.188
access-list Deny-access-internet extended deny ip any host 172.25.230.188
username kakaka password 69eXZQeiMSKhVvOt encrypted
username kakaka attributes
 vpn-group-policy zttest
 vpn-tunnel-protocol IPSec
 vpn-framed-ip-address 172.25.230.188 255.255.255.0

Test result: failure. User kakaka can reach both the internal network and the Internet. Ugh, the restriction did not take effect!

Solution: on the 5540 I added split-tunnel-policy excludespecified under group-policy zttest attributes, and that was it: the user is kept off the Internet and can only reach the internal network.

What this command means, in the words of the CLI help: Exclude only networks specified by split-tunnel-network-list (i.e. shut the users out of the public Internet). Two points worth keeping in mind when reusing this template: the default split-tunnel-policy is tunnelall, under which the split-tunnel-network-list is never consulted, and with excludespecified the networks that the list permits are the ones sent outside the tunnel while everything else is tunneled and then subject to the vpn-filter. Also note that ASA access-list names are case-sensitive, so deny-access-internet and Deny-access-internet above are two separate lists, one for the filter and one for the split-tunnel list; this is intentional here but easy to mix up. After the change, confirm the result on the box rather than by inference: show running-config group-policy zttest shows the effective split-tunnel-policy, and show access-list deny-access-internet shows the hitcnt on each permit and deny entry while the user browses.
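Because the two ACL names above differ only in case and the split-tunnel-policy is easy to leave at its default, a practitioner wants a quick way to read back what the box will actually do with a given dial-in user. The Python script below is an added example, not code from the original post or from Cisco. It parses only the command forms that appear on this page (an assumption of the example; the production fragment, trimmed to the relevant lines, is embedded as constructed sample input, and the names zttest, kakaka and the two ACLs are the page's own) and reports, for one user, whether the ACLs referenced by vpn-filter and split-tunnel-network-list exist under exact, case-sensitive matching, the effective split-tunnel-policy (tunnelall by default, under which the list is ignored), which networks the split list names, and which destinations the vpn-filter permits from the user's assigned address.

```python
"""Audit an ASA remote-access group-policy: which ACLs govern a dial-in user.
Added example, not from the original post. Only the command forms that appear
on the page are parsed (an assumption of this example)."""
import ipaddress
import re
from collections import defaultdict

# Production fragment from the page, trimmed to the relevant lines (constructed sample input).
PROD_CONFIG = """
group-policy zttest internal
group-policy zttest attributes
 vpn-filter value deny-access-internet
 split-tunnel-network-list value Deny-access-internet
access-list deny-access-internet extended permit ip host 172.25.230.188 172.0.0.0 255.0.0.0
access-list deny-access-internet extended permit ip host 172.25.230.188 10.0.0.0 255.0.0.0
access-list deny-access-internet extended deny ip host 172.25.230.188 any
access-list Deny-access-internet extended permit ip 172.0.0.0 255.0.0.0 host 172.25.230.188
access-list Deny-access-internet extended permit ip 10.0.0.0 255.0.0.0 host 172.25.230.188
access-list Deny-access-internet extended deny ip any host 172.25.230.188
username kakaka attributes
 vpn-group-policy zttest
 vpn-framed-ip-address 172.25.230.188 255.255.255.0
"""
# The author's fix: one extra attribute line in the same group-policy.
FIXED_CONFIG = PROD_CONFIG.replace(
    " split-tunnel-network-list value Deny-access-internet",
    " split-tunnel-network-list value Deny-access-internet\n split-tunnel-policy excludespecified",
)

ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
ANY = ipaddress.ip_network("0.0.0.0/0")


def _take_addr(tokens):
    """Consume one ASA address spec ('any', 'host A', or 'A MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_asa(text):
    """Collect ACL entries plus group-policy and username attribute blocks."""
    acls, policies, users = defaultdict(list), {}, {}
    scope = None  # ("policy", name) or ("user", name) while inside an attributes block
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ACL_RE.match(line)
        if m:
            name, action, proto, rest = m.groups()
            src, rest = _take_addr(rest.split())
            dst, _ = _take_addr(rest)
            acls[name].append((action, proto, src, dst))
            continue
        m = re.match(r"^(group-policy|username) (\S+) attributes$", line)
        if m:
            kind, name = m.groups()
            scope = ("policy" if kind == "group-policy" else "user", name)
            (policies if kind == "group-policy" else users).setdefault(name, {})
            continue
        if re.match(r"^(group-policy|tunnel-group|username|access-list)\b", line):
            scope = None  # any other top-level command ends the attributes block
            continue
        if scope is None:
            continue
        target = policies[scope[1]] if scope[0] == "policy" else users[scope[1]]
        for pattern in (r"^(vpn-filter|split-tunnel-network-list) value (\S+)$",
                        r"^(split-tunnel-policy|vpn-group-policy) (\S+)$",
                        r"^(vpn-framed-ip-address) (\S+) \S+$"):
            m = re.match(pattern, line)
            if m:
                target[m.group(1)] = m.group(2)
    return {"acls": dict(acls), "policies": policies, "users": users}


def audit_user(cfg, username):
    """Report what the ASA will do with traffic from one dial-in user."""
    user = cfg["users"][username]
    pol, acls = cfg["policies"][user["vpn-group-policy"]], cfg["acls"]
    report = {"policy": user["vpn-group-policy"], "missing_acls": [], "permitted": [], "split_networks": []}
    # ACL names are case-sensitive on the ASA: a reference must match exactly.
    for key in ("vpn-filter", "split-tunnel-network-list"):
        if key in pol and pol[key] not in acls:
            report["missing_acls"].append(pol[key])
    # Default is tunnelall; only tunnelspecified / excludespecified consult the list.
    stp = pol.get("split-tunnel-policy", "tunnelall")
    report["split_tunnel_policy"], report["list_ignored"] = stp, stp == "tunnelall"
    # In an extended split-tunnel ACL the source side is the network behind the ASA.
    for action, _p, src, _d in acls.get(pol.get("split-tunnel-network-list"), []):
        if action == "permit":
            report["split_networks"].append(str(src))
    # vpn-filter is written client -> inside and applied to both directions, so the
    # user's assigned address must fall inside an entry's source; first match wins.
    framed = ipaddress.ip_address(user["vpn-framed-ip-address"])
    entries = [e for e in acls.get(pol.get("vpn-filter"), []) if framed in e[2]]
    report["filter_covers_user"] = bool(entries)
    for action, _p, _s, dst in entries:
        if action == "deny" and dst == ANY:
            break  # nothing after a deny-to-any can match this source
        if action == "permit":
            report["permitted"].append(str(dst))
    return report


if __name__ == "__main__":
    for label, text in (("before fix", PROD_CONFIG), ("after fix", FIXED_CONFIG)):
        print(label, audit_user(parse_asa(text), "kakaka"))
```

Running it against the page's own fragment shows the filter covering host 172.25.230.188 and permitting only 172.0.0.0/8 and 10.0.0.0/8, with the split list ignored before the fix (tunnelall) and consulted after it (excludespecified); renaming the Deny-access-internet entries to a different case makes the reference show up as missing, which is the kind of silent mismatch the script is meant to catch.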

         

