Hi everyone,
I followed this guide and the VPN connects successfully, but I ran into the following problems; please help me out.
1. After the connection succeeds, the DNS server is still the DNS server of the local Internet link, not the DNS server declared as below.
2. After adding the split-tunnel configuration as below, nothing changes; the default route is still 0.0.0.0 through the tunnel.
PIX Version 7.1(1)
!
hostname PIX
domain-name newyouth.com
enable password 9jNfZuG3TC5tCVH0 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 10.10.1.2 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.11.1.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
!
dns domain-lookup inside
dns server-group DefaultDNS
 timeout 30
!
 name-server 172.16.1.1
 domain-name newyouth.com
!
access-list 101 extended permit ip 172.16.0.0 255.255.0.0 10.16.20.0 255.255.255.0
access-list vpn_in extended permit ip 172.16.0.0 255.255.0.0 10.16.20.0 255.255.255.0 --- added configuration ---
pager lines 24
logging buffer-size 500000
logging console debugging
logging monitor errors
mtu outside 1500
mtu inside 1500
!
ip local pool vpnclient 10.16.20.1-10.16.20.5
no failover
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
!
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 10.10.0.0 255.255.255.0 10.10.1.1 1
route outside 0.0.0.0 0.0.0.0 10.11.1.1 1
route inside 172.16.0.0 255.255.0.0 10.11.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
!
aaa-server vpn protocol radius
aaa-server vpn host 10.11.1.2
 key cisco123
!
group-policy vpn3000 internal
group-policy vpn3000 attributes
 dns-server value 172.16.1.1
 default-domain value newyouth.com
 split-tunnel-policy tunnelspecified --- added configuration ---
 split-tunnel-network-list value vpn_in --- added configuration ---
!
username vpn3000 password nPtKy7KDCerzhKeX encrypted
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
crypto ipsec transform-set my-set esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10 set transform-set my-set
!
crypto dynamic-map dynmap 10 set reverse-route
!
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
crypto map mymap interface outside
!
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
!
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) vpn
!
tunnel-group vpn3000 type ipsec-ra
!
tunnel-group vpn3000 general-attributes
 address-pool vpnclient
 authentication-server-group vpn
!
tunnel-group vpn3000 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:ecb58c5d8ce805b3610b198c73a3d0cf
: end
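As an added illustration (not part of the original post and not a Cisco tool), the following Python script reads a PIX/ASA 7.x style running-config and checks the two settings the post is asking about. It verifies that every ipsec-ra tunnel-group binds a group-policy with `default-group-policy` (without that binding, and absent a policy assigned per user or by RADIUS, clients receive DfltGrpPolicy, so the `dns-server` and `split-tunnel-*` attributes of a named group-policy are never pushed), and that a `tunnelspecified` split-tunnel policy names an ACL that actually exists. As a defender-side extra it also flags DES/MD5 lines, which are obsolete algorithms. The embedded config is a trimmed, indented copy of the one posted above, labelled as constructed; the parser, the attribute names it keys on, and the finding texts are this example's own assumptions.

```python
import re

# Constructed sample: a trimmed copy of the configuration posted above, indented
# the way "show running-config" prints sub-mode lines. As in the post, the
# tunnel-group carries no "default-group-policy" line.
POSTED_CONFIG = """\
access-list 101 extended permit ip 172.16.0.0 255.255.0.0 10.16.20.0 255.255.255.0
access-list vpn_in extended permit ip 172.16.0.0 255.255.0.0 10.16.20.0 255.255.255.0
ip local pool vpnclient 10.16.20.1-10.16.20.5
group-policy vpn3000 internal
group-policy vpn3000 attributes
 dns-server value 172.16.1.1
 default-domain value newyouth.com
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_in
crypto ipsec transform-set my-set esp-des esp-md5-hmac
isakmp policy 10 encryption des
isakmp policy 10 hash md5
tunnel-group vpn3000 type ipsec-ra
tunnel-group vpn3000 general-attributes
 address-pool vpnclient
 authentication-server-group vpn
tunnel-group vpn3000 ipsec-attributes
 pre-shared-key *
"""

# Algorithm keywords that should not appear in a current IKE/IPsec policy.
WEAK_ALGORITHMS = {"des", "esp-des", "md5", "esp-md5-hmac"}


def parse_config(text):
    """Return (acl_names, group_policies, tunnel_groups, weak_crypto_lines).

    group_policies maps name -> {attribute: value}; tunnel_groups maps
    name -> {attribute: value}, merged across its attribute blocks.
    Sub-mode lines are recognised by their leading space, as on the device.
    """
    acls, group_policies, tunnel_groups, weak = set(), {}, {}, []
    current = None  # dict that receives the sub-mode lines of the open block
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                words = raw.split()
                # "split-tunnel-network-list value vpn_in" -> key "…-list", value "vpn_in"
                if len(words) >= 3 and words[1] == "value":
                    current[words[0]] = " ".join(words[2:])
                else:
                    current[words[0]] = " ".join(words[1:])
            continue
        current = None  # any top-level line closes the previous sub-mode
        words = raw.split()
        if words[0] == "access-list":
            acls.add(words[1])
        elif words[0] == "group-policy":
            current = group_policies.setdefault(words[1], {})
            if words[2] != "attributes":
                current = None  # "group-policy X internal" opens no sub-mode
        elif words[0] == "tunnel-group":
            tg = tunnel_groups.setdefault(words[1], {})
            if words[2] == "type":
                tg["type"] = words[3]
            else:
                current = tg  # general-attributes / ipsec-attributes
        if words[0] in ("crypto", "isakmp") and WEAK_ALGORITHMS & set(words):
            weak.append(raw.strip())
    return acls, group_policies, tunnel_groups, weak


def lint(text):
    """Return a list of human-readable findings for the given config text."""
    acls, gps, tgs, weak = parse_config(text)
    findings = []
    for name, tg in tgs.items():
        if tg.get("type") != "ipsec-ra":
            continue
        policy = tg.get("default-group-policy")
        if policy is None:
            findings.append(
                f"tunnel-group {name}: no 'default-group-policy' bound; unless a "
                f"policy is assigned per user or by RADIUS, clients get DfltGrpPolicy "
                f"and the dns-server/split-tunnel attributes of a named group-policy "
                f"are not pushed")
        elif policy not in gps:
            findings.append(f"tunnel-group {name}: default-group-policy '{policy}' is not defined")
    for name, gp in gps.items():
        if gp.get("split-tunnel-policy") == "tunnelspecified":
            acl = gp.get("split-tunnel-network-list")
            if acl is None:
                findings.append(f"group-policy {name}: tunnelspecified without split-tunnel-network-list")
            elif acl not in acls:
                findings.append(f"group-policy {name}: split-tunnel-network-list '{acl}' does not exist")
    for line in weak:
        findings.append(f"weak algorithm in use: {line}")
    return findings


if __name__ == "__main__":
    for finding in lint(POSTED_CONFIG):
        print(finding)
```

Run against the embedded copy of the posted config, the script reports that tunnel-group vpn3000 binds no group-policy and lists the three DES/MD5 lines; adding `default-group-policy vpn3000` under `tunnel-group vpn3000 general-attributes` clears the first finding. The split-tunnel check passes because the `vpn_in` ACL is defined.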