Network management and maintenance tips: how to restrict the access rights of dial-in VPN users


Test environment: ASA 5520, asa723-18-k8.bin. The following configuration fully met the requirement: once a user dials in over the VPN, they can reach only internal resources and cannot reach external ones.
But when this configuration template was moved to the production environment, it simply would not stop the dialed-in VPN users from reaching the Internet!
====================================================================================================
Test environment: ASA 5520 asa723-18-k8.bin
tunnel-group testzt type ipsec-ra
tunnel-group testzt ipsec-attributes
pre-shared-key *
group-policy zttest internal
group-policy zttest attributes
vpn-simultaneous-logins 100
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter value deny-access-internet
split-tunnel-network-list value Deny-access-internet
access-list deny-access-internet extended permit ip 192.168.1.0 255.255.255.0 200.1.0.0 255.255.0.0
access-list deny-access-internet extended permit ip 192.168.1.0 255.255.255.0 172.25.90.0 255.255.255.0
access-list deny-access-internet extended permit ip 192.168.1.0 255.255.255.0 100.1.0.0 255.255.0.0
access-list deny-access-internet extended deny ip 192.168.1.0 255.255.255.0 any
access-list Deny-access-internet extended permit ip 172.25.90.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Deny-access-internet extended permit ip 100.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list Deny-access-internet extended permit ip 200.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list Deny-access-internet extended deny ip any 192.168.1.0 255.255.255.0
username kakaka password 69eXZQeiMSKhVvOt encrypted
username kakaka attributes
vpn-group-policy zttest
vpn-tunnel-protocol IPSec
vpn-framed-ip-address 192.168.1.100 255.255.255.0
Test succeeded: user kakaka can reach only the internal network, not the Internet.
====================================================================================================
Production environment: ASA 5540 asa723-18-k8.bin
tunnel-group testzt type ipsec-ra
tunnel-group testzt ipsec-attributes
pre-shared-key *
group-policy zttest internal
group-policy zttest attributes
vpn-simultaneous-logins 100
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter value deny-access-internet
split-tunnel-network-list value Deny-access-internet
access-list deny-access-internet extended permit ip host 172.25.230.188 172.0.0.0 255.0.0.0
access-list deny-access-internet extended permit ip host 172.25.230.188 10.0.0.0 255.0.0.0
access-list deny-access-internet extended deny ip host 172.25.230.188 any
access-list Deny-access-internet extended permit ip 172.0.0.0 255.0.0.0 host 172.25.230.188
access-list Deny-access-internet extended permit ip 10.0.0.0 255.0.0.0 host 172.25.230.188
access-list Deny-access-internet extended deny ip any host 172.25.230.188
username kakaka password 69eXZQeiMSKhVvOt encrypted
username kakaka attributes
vpn-group-policy zttest
vpn-tunnel-protocol IPSec
vpn-framed-ip-address 172.25.230.188 255.255.255.0
Test failed: user kakaka can reach both the internal network and the Internet. Ugh, no restriction at all!
Solution: in group-policy zttest attributes on the 5540 I added
split-tunnel-policy excludespecified, and that did it: the user is now restricted from the Internet and can reach only the internal network.
Meaning of this command: Exclude only networks specified by split-tunnel-network-list (i.e. exclude the users heading for the public network).
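To verify what the production vpn-filter really permits before relying on it, here is an added Python example (not from the original post or from Cisco) that parses the post's deny-access-internet entries in ASA syntax and evaluates sample flows first-match, as the ASA does; the destination addresses are constructed for the demonstration.

```python
import ipaddress

# Constructed copy of the production vpn-filter ACEs from the post (ASA syntax).
# The split-tunnel list "Deny-access-internet" differs only in case; ASA names
# are case sensitive, so parse_acl() selects by exact name and ignores it here.
ACL_TEXT = """
access-list deny-access-internet extended permit ip host 172.25.230.188 172.0.0.0 255.0.0.0
access-list deny-access-internet extended permit ip host 172.25.230.188 10.0.0.0 255.0.0.0
access-list deny-access-internet extended deny ip host 172.25.230.188 any
"""

def _parse_addr(tokens, i):
    """Consume one ASA address spec (any | host A | A MASK) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_acl(text, name):
    """Return the ACEs of access-list `name` as (action, proto, src_net, dst_net), in order."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 7 or t[:3] != ["access-list", name, "extended"]:
            continue
        src, i = _parse_addr(t, 5)
        dst, _ = _parse_addr(t, i)
        aces.append((t[3], t[4], src, dst))
    return aces

def vpn_filter_allows(aces, src, dst):
    """First-match evaluation; an ASA ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, _proto, src_net, dst_net in aces:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False

def check_client(aces, client_ip, destinations):
    """Map each constructed destination to whether the filter lets client_ip reach it."""
    return {dst: vpn_filter_allows(aces, client_ip, dst) for dst in destinations}

if __name__ == "__main__":
    aces = parse_acl(ACL_TEXT, "deny-access-internet")
    # 10.1.2.3: internal; 8.8.8.8: public; 172.217.1.1: public but inside 172.0.0.0/8
    print(check_client(aces, "172.25.230.188", ["10.1.2.3", "8.8.8.8", "172.217.1.1"]))
```

The third destination shows a caveat in the post's ACL: 172.0.0.0 255.0.0.0 is far wider than the private range 172.16.0.0/12, so public addresses in that /8 are also permitted. If only internal networks are intended, narrow the entry to 172.16.0.0 255.240.0.0.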

This article was collected from the Internet and is provided for reference only.
Published: 2007-04-15 10:03    Editor: 泛普軟件 · xiaona