監(jiān)理公司管理系統(tǒng) | 工程企業(yè)管理系統(tǒng) | OA系統(tǒng) | ERP系統(tǒng) | 造價(jià)咨詢管理系統(tǒng) | 工程設(shè)計(jì)管理系統(tǒng) | 甲方項(xiàng)目管理系統(tǒng) | 簽約案例 | 客戶案例 | 在線試用
X 關(guān)閉

網(wǎng)絡(luò)管理維護(hù)技巧:如何限制撥入VPN用戶的訪問權(quán)限

申請(qǐng)免費(fèi)試用、咨詢電話:400-8352-114

  測試環(huán)境:ASA 5520 asa723-18-k8.bin: 使用如下配置完全滿足需求,當(dāng)用戶撥入VPN后只能訪問內(nèi)部資源,不能訪問外部資源
但用這個(gè)配置模板,到正式環(huán)境,就死活限制不了撥入的VPN用戶訪問互聯(lián)網(wǎng)!
====================================================================================================
測試環(huán)境: ASA 5520 asa723-18-k8.bin
tunnel-group testzt type ipsec-ra
tunnel-group testzt ipsec-attributes
pre-shared-key *
group-policy zttest internal
group-policy zttest attributes
vpn-simultaneous-logins 100
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter value deny-access-internet
split-tunnel-network-list value Deny-access-internet
access-list deny-access-internet extended permit ip 192.168.1.0 255.255.255.0 200.1.0.0 255.255.0.0
access-list deny-access-internet extended permit ip 192.168.1.0 255.255.255.0 172.25.90.0 255.255.255.0
access-list deny-access-internet extended permit ip 192.168.1.0 255.255.255.0 100.1.0.0 255.255.0.0
access-list deny-access-internet extended deny ip 192.168.1.0 255.255.255.0 any
access-list Deny-access-internet extended permit ip 172.25.90.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Deny-access-internet extended permit ip 100.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list Deny-access-internet extended permit ip 200.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list Deny-access-internet extended deny ip any 192.168.1.0 255.255.255.0
username kakaka password 69eXZQeiMSKhVvOt encrypted
username kakaka attributes
vpn-group-policy zttest
vpn-tunnel-protocol IPSec
vpn-framed-ip-address 192.168.1.100 255.255.255.0
測試成功:用戶kakaka 只能訪問內(nèi)網(wǎng),不能訪問互聯(lián)網(wǎng)
=================================================================================[netxpage]
正式環(huán)境: ASA 5540 asa723-18-k8.bin
tunnel-group testzt type ipsec-ra
tunnel-group testzt ipsec-attributes
pre-shared-key *
group-policy zttest internal
group-policy zttest attributes
vpn-simultaneous-logins 100
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter value deny-access-internet
split-tunnel-network-list value Deny-access-internet
access-list deny-access-internet extended permit ip host 172.25.230.188 172.0.0.0 255.0.0.0
access-list deny-access-internet extended permit ip host 172.25.230.188 10.0.0.0 255.0.0.0
access-list deny-access-internet extended deny ip host 172.25.230.188 any
access-list Deny-access-internet extended permit ip 172.0.0.0 255.0.0.0 host 172.25.230.188
access-list Deny-access-internet extended permit ip 10.0.0.0 255.0.0.0 host 172.25.230.188
access-list Deny-access-internet extended deny ip any host 172.25.230.188
username kakaka password 69eXZQeiMSKhVvOt encrypted
username kakaka attributes
vpn-group-policy zttest
vpn-tunnel-protocol IPSec
vpn-framed-ip-address 172.25.230.188 255.255.255.0
測試失?。河脩鬹akaka 既能訪問內(nèi)網(wǎng),又能訪問互聯(lián)網(wǎng),暈,沒有限制??!
解決方法:我在5540設(shè)備上的group-policy zttest attributes 中添加了
split-tunnel-policy excludespecified ,就OK了,限制了用戶訪問互聯(lián)網(wǎng),只能訪問內(nèi)網(wǎng)
此命令的意思:Exclude only networks specified by split-tunnel-network-list(排除上公網(wǎng)的用戶)

【推薦閱讀】

網(wǎng)管軟件專區(qū)

 ◆網(wǎng)絡(luò)管理維護(hù)技巧:實(shí)現(xiàn)VLAN環(huán)境下DHCP服務(wù)

網(wǎng)管員技巧:學(xué)會(huì)限制路由器多臺(tái)電腦上網(wǎng)

網(wǎng)絡(luò)管理維護(hù)技巧:路由器故障排除技巧

上網(wǎng)行為運(yùn)維管理專區(qū)

本文來自互聯(lián)網(wǎng),僅供參考
發(fā)布:2007-04-15 10:03    編輯:泛普軟件 · xiaona    [打印此頁]    [關(guān)閉]
相關(guān)文章:
相關(guān)軟件
聯(lián)系方式

成都公司:成都市成華區(qū)建設(shè)南路160號(hào)1層9號(hào)

重慶公司:重慶市江北區(qū)紅旗河溝華創(chuàng)商務(wù)大廈18樓

咨詢:400-8352-114

加微信,免費(fèi)獲取試用系統(tǒng)

QQ在線咨詢