VPN Poste à Site [Résolu]

[ghostrider95]

Bonjour,

Je n'arrive pas à faire marcher mes clients en VPN
Je me connecte avec mon cisco anyconnect et voici ce qui se passe:

Je perd ma connection à mon LAN ( normal car le spli tunneling n'est pas activé, vu auparavant sur ce forum )

Je ne ping aucune machine du LAN

Voici ma configuration rédigé par moi-même

Citation:

 Affectation d’un pool d’adresse ip pour les clients
• ip local pool pool-client 192.168.10.1-192.168.10.5 mask 255.255.255.0

 Définir d’une politique de groupe
• group-policy client1 internal
• group-policy client1 attributes
• vpn-tunnel-protocol ssl-client
• address-pools value pool-client

 Définir les noms des clients
• username toto password ****
• username toto attributes
• vpn-group-policy client1


 Définir un tunnel-group et affectation du pool et de la politique
• tunnel-group CLIENTGROUP type remote-access
• tunnel-group CLIENTGROUP general-attributes
• address-pool pool-client
• default-group-policy client1

[ghostrider95]

Il y a une phrase dans le CISCO ASA de Jean-Paul ARCHIER que je ne comprend pas:

"Et enfin un détail très important : il faut exclure la plage d'adresse des nomades SSL de la translations d'adresses:"

[ghostrider95]

ASA Version 8.4(2)8
!
hostname ctpasa
enable password n4cxxqqpQmdL7YC1 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 10.2.0.254 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address <IP_PUB> 255.255.255.248
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 172.20.2.1 255.255.255.240
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif interface_management_ctp
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
interface Redundant1
no nameif
no security-level
no ip address
!
boot system disk0:/asa842-8-k8.bin
ftp mode passive
clock timezone GMT 0
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server <DNS_PUB>
name-server <DNS_PUB>
object network lan
subnet 10.2.0.0 255.255.255.0
access-list outside_icmp extended permit icmp any any
access-list acl-icmp extended permit icmp any any
access-list acl-out extended permit ip 192.168.10.0 255.255.255.0 any
access-list acl-vpn extended permit ip 192.168.10.0 255.255.255.0 any
access-list no_nat extended permit ip 10.2.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list split_tunnel
access-list split_tunnel standard permit 10.2.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu interface_management_ctp 1500
ip local pool pool-client 192.168.10.1-192.168.10.5 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-206.bin
no asdm history enable
arp timeout 14400
!
object network lan
nat (inside,outside) dynamic interface
access-group acl-icmp in interface inside
access-group acl-vpn in interface outside
route outside 0.0.0.0 0.0.0.0 <ip_PUB_RT> 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 interface_management_ctp
http 10.2.0.0 255.255.255.0 interface_management_ctp
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
virtual http 192.168.1.4
virtual telnet 192.168.1.3
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA

quit
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 interface_management_ctp
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
anyconnect enable
group-policy clientctp internal
group-policy clientctp attributes
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
address-pools value pool-client
username fred password .AEL9smltD3reBZV encrypted
username fred attributes
vpn-group-policy clientctp
tunnel-group CLIENTCTP type remote-access
tunnel-group CLIENTCTP general-attributes
address-pool pool-client
default-group-policy clientctp
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect dns preset_dns_map
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end

[ghostrider95]

C'était bien ça, il faut naté entre le réseau LAN et VPN