ASA 5505不能从Anyconnect SSL连接访问网络内部

Question

所以我有一个ASA，我可以通过SSL连接，非常好，接收internet.My，问题是我不能在网络上任何设备，特别是路由器的内部网络。我的拓扑结构是ASA 5505 - 1841路由器- 2960交换机终端设备，我希望能够通过VPN访问我的终端设备。下面是我的ASA Config：

ASA Version 9.0(4)
!
hostname AwBTech-ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
names
ip local pool VPN_POOL 192.168.10.100-192.168.10.200 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 11.0.0.1 255.0.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Permit_Lan_IP
 subnet 11.0.0.0 255.0.0.0
access-list SPLIT_TUNNEL standard permit 11.0.0.0 255.0.0.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic any interface
!
object network obj_any
 nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
console timeout 0

dhcpd dns 4.2.2.2
dhcpd auto_config outside
!
dhcpd address 11.0.0.2-11.0.0.32 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
sysopt connection permit-vpn
webvpn
 enable outside
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy ANYCONNECT_POLICY internal
group-policy ANYCONNECT_POLICY attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 webvpn
  anyconnect keep-installer installed
  anyconnect dpd-interval client 30
  anyconnect ask none default anyconnect
username andrew.burger password hPmaC1bXkbJlXpLy encrypted privilege 15
username andrew.burger attributes
 service-type remote-access
tunnel-group MY_TUNNEL type remote-access
tunnel-group MY_TUNNEL general-attributes
 address-pool VPN_POOL
 default-group-policy ANYCONNECT_POLICY
tunnel-group MY_TUNNEL webvpn-attributes
 group-alias SSL_USERS enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:75f7cc40a6a189853de7e2f8cb472b60
: end

路由器配置：

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AwBTech-Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 192.168.0.1 192.168.0.2
ip dhcp excluded-address 192.168.0.1 192.168.0.3
!
ip dhcp pool DATA
   import all
   network 10.10.10.0 255.255.255.0
   dns-server 4.2.2.2
   default-router 10.10.10.1
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
license udi pid CISCO1841 sn FTX1044W1U4
!
redundancy
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 101 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 dhcp
!
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
!
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 login
 transport input all
!
scheduler allocate 20000 1000
end

Answer 1

问题是您的VPN终止于路由器的外部源NAT.要做您想做的事情，您需要终止路由器内部的VPN源NAT。

在这种情况下，你已经解释：

ASA 5505 - 1841 Router - 2960 switch - end devices

您通常会在ASA上而不是在路由器上NAT，或者您将终止路由器上的VPN，或者将路由器置于ASA之外。您应该只在实际需要NAT的地方使用NAT，它位于公共地址和私有地址之间。

您的问题是，源NAT内部的路由器内的地址并不存在于VPN终止的地方。VPN端点只能看到外部路由器地址，您需要特定的NAT条目来允许从外部到内部的访问。

而且，您在ASA上使用的11.0.0.018网络不属于您，因此您不应该使用该地址范围。