Hi all,
I'm currently configuring Remote Access VPN with the topology shown in the figure below:
My configuration is as follows:
- VPN pool Test: 172.16.32.180 - 172.16.32.199 /24
and the problem is this: when I test the VPN from host 192.168.28.33, the VPN client gets IP 172.16.32.180 and everything is OK; it can ping every 172 network as well as the internal 10 networks.
But when I test the VPN over the Internet (UDP port 500 has been opened on the modem), the VPN client still gets IP 172.16.32.180 but cannot access or ping anything at all (not even within its own 172.16 range, and even though I have added access list permit ip any any on all interfaces). Capturing the outgoing ping packets with Ethereal, I still see ARP returning the correct MAC addresses of the hosts in the LAN, but there are only ping request packets and no replies coming back. Tracert does not show it passing through any hop.
I tried creating one more pool, Outside: 192.168.28.10 - 192.168.28.15 /24, and NATing it into the LAN. Retrying the VPN gave the same result: it gets an IP but cannot reach anything :-&
Could you guys help me troubleshoot this case?
The ASA configuration is below:
: Saved
: Written by enable_15 at 10:17:30.656 ICT Fri Jan 8 2010
!
ASA Version 7.2(1)
!
enable password pP9xYB/8wLLKu1yp encrypted
names
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 192.168.28.253 255.255.255.0
ospf cost 10
!
interface Ethernet0/1
speed 100
duplex full
nameif Inside
security-level 100
ip address 172.16.32.1 255.255.255.0
ospf cost 10
!
interface Ethernet0/2
shutdown
no nameif
security-level 0
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone ICT 7
object-group service Internet_Acces tcp
port-object eq pop3
port-object eq ftp-data
port-object eq ftp
port-object eq telnet
port-object eq smtp
port-object eq https
port-object eq domain
port-object eq www
port-object range 8080 8081
port-object eq 1533
port-object eq lotusnotes
port-object eq 1863
port-object eq 5050
object-group network TP_subnets
network-object 10.8.130.0 255.255.255.0
network-object 10.8.135.0 255.255.255.0
network-object 10.8.131.0 255.255.255.0
object-group service Internet_Access udp
port-object eq domain
object-group service VPN_Access udp
port-object eq 4500
port-object eq isakmp
access-list Outside_access_in extended permit icmp any any
access-list Outside_access_in extended permit tcp any any eq www
access-list Outside_access_in extended permit udp any any
access-list Outside_access_in remark Ngoc Lenovo
access-list Outside_access_in extended permit tcp host 10.8.130.245 209.85.0.0 255.255.0.0
access-list Outside_access_in remark Loc test Email encrypt
access-list Outside_access_in extended permit ip host 10.8.135.243 209.85.0.0 255.255.0.0
access-list Outside_access_in extended permit ip 192.168.28.0 255.255.255.0 object-group TP_subnets
access-list Outside_access_in extended permit ip any any
access-list Inside_access_in extended permit icmp any any
access-list Inside_access_in extended permit udp any any
access-list Inside_access_in extended permit udp object-group TP_subnets any object-group Internet_Access
access-list Inside_access_in extended permit tcp object-group TP_subnets any object-group Internet_Acces
access-list Inside_access_in extended permit tcp object-group TP_subnets eq 5100 any eq 5100
access-list Inside_access_in extended permit udp object-group TP_subnets any object-group VPN_Access
access-list Inside_access_in extended permit tcp host 10.8.135.14 any inactive
access-list Inside_access_in extended permit tcp host 10.8.130.11 any eq 993 inactive
access-list Inside_access_in extended permit tcp any host 219.142.122.89 eq 81
access-list Inside_access_in extended permit tcp host 10.8.130.245 209.85.0.0 255.255.0.0
access-list Inside_access_in extended permit ip host 10.8.135.243 209.85.0.0 255.255.0.0
access-list Inside_access_in extended permit ip object-group TP_subnets 192.168.28.0 255.255.255.0
access-list Inside_access_in extended permit ip any any
access-list backup_access_in extended permit icmp any any
access-list Inside_access_out extended permit tcp 10.8.130.0 255.255.255.0 host 219.142.122.89 eq 81
access-list Inside_access_out extended permit icmp any any inactive
access-list Inside_access_out extended permit ip any any
access-list Inside_cryptomap extended permit ip any 172.16.32.192 255.255.255.224
access-list tpit_splitTunnelAcl standard permit 172.16.32.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 172.16.32.0 255.255.255.0 172.16.32.128 255.255.255.128
access-list Inside_nat0_outbound extended permit ip any 172.16.32.192 255.255.255.224
access-list Inside_nat0_outbound extended permit ip any 192.168.28.8 255.255.255.248
access-list Inside_nat0_outbound extended permit ip any 172.16.32.128 255.255.255.128
access-list Outside_cryptomap extended permit ip any 172.16.32.128 255.255.255.128
access-list tpitgroup_splitTunnelAcl standard permit any
access-list Outside_cryptomap_1 extended permit ip any 172.16.32.192 255.255.255.224
access-list Outside_cryptomap_2 extended permit ip any 172.16.32.192 255.255.255.224
access-list outside_splitTunnelAcl standard permit any
access-list Outside_cryptomap_3 extended permit ip any 172.16.32.192 255.255.255.224
access-list outside_splitTunnelAcl_1 standard permit any
access-list Outside_cryptomap_4 extended permit ip any 172.16.32.192 255.255.255.224
access-list outside_splitTunnelAcl_2 standard permit any
access-list Outside_cryptomap_5 extended permit ip any 192.168.28.8 255.255.255.248
access-list outside1_splitTunnelAcl standard permit any
access-list Outside_cryptomap_6 extended permit ip any 172.16.32.128 255.255.255.128
access-list Outside_cryptomap_7 extended permit ip any 192.168.28.8 255.255.255.248
access-list outside_splitTunnelAcl_3 standard permit any
access-list Outside_cryptomap_8 extended permit ip any 192.168.28.8 255.255.255.248
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool Support 172.16.32.200-172.16.32.210 mask 255.255.255.255
ip local pool Test 172.16.32.180-172.16.32.199 mask 255.255.255.0
ip local pool Outside 192.168.28.10-192.168.28.15 mask 255.255.255.0
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 10.8.0.0 255.255.0.0
nat (Inside) 1 0.0.0.0 0.0.0.0
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
access-group Inside_access_out out interface Inside
route Outside 0.0.0.0 0.0.0.0 192.168.28.254 1
route Inside 10.8.0.0 255.255.0.0 172.16.32.254 1
route Inside 10.8.0.0 255.255.0.0 172.16.32.252 1
!
router ospf 1
network 10.0.0.0 255.0.0.0 area 0
log-adj-changes
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy outside internal
group-policy outside attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value outside_splitTunnelAcl
group-policy outside_1 internal
group-policy outside_1 attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value outside_splitTunnelAcl_1
group-policy outside1 internal
group-policy outside1 attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value outside1_splitTunnelAcl
group-policy outside_2 internal
group-policy outside_2 attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value outside_splitTunnelAcl_2
group-policy outside_3 internal
group-policy outside_3 attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value outside_splitTunnelAcl_3
username jjcs password jyvCi/WhkVMqkO1S encrypted privilege 15
username tuan password vsWH5iMrq3ImTPKF encrypted privilege 15
username locduy password NUKjXHsHc.W0A0Ag encrypted privilege 15
username admin password KJTuDWKF9gicYUFP encrypted privilege 15
username phong password c.oXdPEUzd/dQV/7 encrypted privilege 0
username phong attributes
vpn-group-policy DfltGrpPolicy
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.8.135.0 255.255.255.0 Inside
snmp-server host Inside HuySon community tpasa5500!
snmp-server host Inside 10.8.135.251 community tpasa5500!
no snmp-server location
no snmp-server contact
snmp-server community tpasa5500!
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Inside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-AES-256-MD5
crypto dynamic-map Outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 140 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 160 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 180 set transform-set ESP-3DES-SHA
crypto map Inside_map 20 ipsec-isakmp dynamic Inside_dyn_map
crypto map Inside_map interface Inside
crypto map Outside_map 20 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp enable Inside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash md5
group 7
lifetime 86400
tunnel-group SupportTeam type ipsec-ra
tunnel-group SupportTeam general-attributes
address-pool LocSupport
tunnel-group SupportTeam ipsec-attributes
pre-shared-key anhloc
tunnel-group testing type ipsec-ra
tunnel-group testing general-attributes
address-pool LocSupport
tunnel-group testing ipsec-attributes
pre-shared-key 123456
tunnel-group outside type ipsec-ra
tunnel-group outside general-attributes
address-pool Outside
tunnel-group outside ipsec-attributes
pre-shared-key 123456
tunnel-group outside1 type ipsec-ra
tunnel-group outside1 general-attributes
address-pool Test
tunnel-group outside1 ipsec-attributes
pre-shared-key 123456
vpn-sessiondb max-session-limit 3
telnet 10.8.135.0 255.255.255.0 Inside
telnet timeout 5
ssh 10.8.135.0 255.255.255.0 Inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
!
ntp server 10.8.129.11 source Inside prefer
prompt hostname context
Cryptochecksum:ccf7d207a923aea50fc24d61c7a95e7c
: end
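An offline consistency check over the posted configuration, added here as an example and not part of the original post: it flags tunnel-groups whose `address-pool` has no matching `ip local pool`, pools that fall inside a directly connected interface subnet, and the absence of a `crypto isakmp nat-traversal` line (worth ruling out because the post says only UDP 500 is opened on the modem, while IPsec NAT traversal uses UDP 4500). The function names and finding labels are assumptions of this example, and the sample is a constructed excerpt of the configuration above.

```python
import ipaddress
import re

# Constructed excerpt: only the lines of the posted configuration that the checks read.
SAMPLE_CONFIG = """\
interface Ethernet0/0
nameif Outside
ip address 192.168.28.253 255.255.255.0
interface Ethernet0/1
nameif Inside
ip address 172.16.32.1 255.255.255.0
ip local pool Support 172.16.32.200-172.16.32.210 mask 255.255.255.255
ip local pool Test 172.16.32.180-172.16.32.199 mask 255.255.255.0
ip local pool Outside 192.168.28.10-192.168.28.15 mask 255.255.255.0
tunnel-group SupportTeam general-attributes
address-pool LocSupport
tunnel-group testing general-attributes
address-pool LocSupport
tunnel-group outside general-attributes
address-pool Outside
tunnel-group outside1 general-attributes
address-pool Test
"""

def parse_config(text):
    """Collect interfaces, local pools, tunnel-group pool references and the NAT-T line."""
    cfg = {"interfaces": {}, "pools": {}, "group_pools": {}, "nat_t": False}
    nameif = group = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None  # a new interface block starts; forget the previous nameif
        elif m := re.match(r"nameif (\S+)", line):
            nameif = m.group(1)
        elif (m := re.match(r"ip address (\S+) (\S+)", line)) and nameif:
            cfg["interfaces"][nameif] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", line):
            first, last = (ipaddress.ip_address(m.group(i)) for i in (2, 3))
            cfg["pools"][m.group(1)] = (first, last)
        elif m := re.match(r"tunnel-group (\S+) general-attributes", line):
            group = m.group(1)
        elif (m := re.match(r"address-pool (.+)", line)) and group:
            cfg["group_pools"].setdefault(group, []).extend(m.group(1).split())
        elif re.match(r"(crypto )?isakmp nat-traversal", line):
            cfg["nat_t"] = True
    return cfg

def audit(text):
    """Return (check, subject, detail) tuples for each inconsistency found."""
    cfg = parse_config(text)
    findings = []
    for group, pools in sorted(cfg["group_pools"].items()):
        for pool in pools:
            if pool not in cfg["pools"]:
                findings.append(("undefined-pool", group, pool))
    for pool, (first, last) in sorted(cfg["pools"].items()):
        for nameif, iface in sorted(cfg["interfaces"].items()):
            if first in iface.network or last in iface.network:
                findings.append(("pool-in-connected-subnet", pool, nameif))
    if not cfg["nat_t"]:
        findings.append(("no-nat-traversal-line", "isakmp", "UDP 4500 encapsulation not configured"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding, sep=": ")
```

Each finding is a prompt for review on the device, not a confirmed cause of the symptom described in the post.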