Resource Records (rsrc.ink)

CISCO ASA SSLVPN ANYCONNECT FOR MOBILE & Cisco ASA SSL VPN AnyConnect Configuration

Requirement:

The enterprise headquarters deploys a Cisco ASA as its Internet edge gateway and publishes an SSL VPN service on it, so that remote and mobile staff can connect to the corporate intranet and reach internal resources.

Cisco ASA SSL VPN configuration:

center# show running-config

: Hardware:   ASA5550, 1024 MB RAM, CPU Pentium 4 3000 MHz
:
ASA Version 9.1(7)32
!
hostname center

: address pool handed out to AnyConnect clients
ip local pool inheritssluser 10.100.1.1-10.100.1.200 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.0.0.254 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 20.0.0.1 255.255.255.0
!
object network obj-10.0.0.0
 subnet 10.0.0.0 255.255.255.0
object network obj-ssluser
 subnet 0.0.0.0 0.0.0.0
access-list trust extended permit icmp any4 any4
access-list untrust extended permit icmp any any
access-list splittunnel extended permit ip 10.0.0.0 255.255.255.0 10.100.1.0 255.255.255.0

: identity (twice) NAT so inside-to-VPN-client traffic bypasses the dynamic PAT below
nat (inside,outside) source static obj-10.0.0.0 obj-10.0.0.0 destination static obj-ssluser obj-ssluser
!
object network obj-10.0.0.0
 nat (inside,outside) dynamic interface

access-group untrust in interface outside

route outside 0.0.0.0 0.0.0.0 20.0.0.100 1

: self-signed certificate presented by the SSL VPN listener on outside
crypto key generate rsa label inheritssl
crypto ca trustpoint inherittrust
 enrollment self
 fqdn 20.0.0.1
 subject-name CN=20.0.0.1
 crl configure
 keypair inheritssl
crypto ca enroll inherittrust noconfirm
ssl trust-point inherittrust outside

: AnyConnect listener, client image, and split tunnelling limited to 10.0.0.0/24
webvpn
 enable outside
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-4.7.04056-webdeploy-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
group-policy inherit internal
group-policy inherit attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel
 default-domain value itbj.net
 address-pools value inheritssluser

username ssluser1 password 123456
username ssluser1 attributes
 vpn-group-policy inherit
 vpn-simultaneous-logins 100

tunnel-group inherittimes type remote-access
tunnel-group inherittimes general-attributes
 default-group-policy inherit
tunnel-group inherittimes webvpn-attributes
 group-alias itbj.net enable
!
: end
asa5550#
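
The pool, the split-tunnel ACL and the identity NAT rule above only work together if they agree with each other, and a missing NAT exemption is the classic reason inside hosts cannot reach VPN clients. The following config audit is an added example written for this page, not Cisco tooling or the page's own code; it embeds the page's values as a constructed excerpt, understands only the command forms used here (object network with a subnet, identity twice-NAT, group-policy attributes), and reports which group policy lacks an exemption for each protected network.

```python
import re
import ipaddress

# Constructed excerpt of the page's running-config (values are the page's own).
ASA_CONFIG = """\
ip local pool inheritssluser 10.100.1.1-10.100.1.200 mask 255.255.255.0
object network obj-10.0.0.0
 subnet 10.0.0.0 255.255.255.0
object network obj-ssluser
 subnet 0.0.0.0 0.0.0.0
access-list splittunnel extended permit ip 10.0.0.0 255.255.255.0 10.100.1.0 255.255.255.0
nat (inside,outside) source static obj-10.0.0.0 obj-10.0.0.0 destination static obj-ssluser obj-ssluser
group-policy inherit attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel
 address-pools value inheritssluser
"""

def _net(addr, mask):
    # ASA writes dotted masks; ipaddress accepts "addr/dotted-mask" directly
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit_split_tunnel(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    pools = {m[1]: _net(m[2], m[4]) for m in re.finditer(
        r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)", cfg, re.M)}
    objects = {m[1]: _net(m[2], m[3]) for m in re.finditer(
        r"^object network (\S+)\n subnet (\S+) (\S+)", cfg, re.M)}
    acls = {}  # split-tunnel ACL name -> protected (source) networks
    for m in re.finditer(r"^access-list (\S+) extended permit ip (\S+) (\S+) ", cfg, re.M):
        acls.setdefault(m[1], []).append(_net(m[2], m[3]))
    # identity twice-NAT rules (each object mapped to itself) are the NAT exemptions
    exempt = re.findall(r"^nat \(\S+\) source static (\S+) \1 destination static (\S+) \2", cfg, re.M)
    for gp in re.finditer(r"^group-policy (\S+) attributes\n((?: .*\n)+)", cfg, re.M):
        name = gp[1]
        attrs = {l.split()[0]: l.split()[-1] for l in gp[2].splitlines()}
        pool = pools.get(attrs.get("address-pools"))
        protected = acls.get(attrs.get("split-tunnel-network-list"), [])
        if pool is None or (attrs.get("split-tunnel-policy") == "tunnelspecified" and not protected):
            findings.append(f"{name}: address pool or split-tunnel ACL is not defined")
            continue
        for inside_net in protected:
            # without an exemption the dynamic PAT on obj-10.0.0.0 rewrites inside->client traffic
            if not any(inside_net.subnet_of(objects[s]) and pool.subnet_of(objects[d])
                       for s, d in exempt if s in objects and d in objects):
                findings.append(f"{name}: no NAT exemption for {inside_net} -> {pool}")
    return findings
```

Run it against the full running-config as well; deleting the `nat (inside,outside) source static ...` line from the excerpt makes the audit report the missing exemption for 10.0.0.0/24.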

Verifying the configuration from the SSL VPN user's PC:

1. Browse to https://20.0.0.1

2. Enter the username and password;

3. Download the Windows client;

4. Install the AnyConnect for Windows client;

5. Start the AnyConnect client;

6. Enter the SSL VPN server address, set the connection options as shown in the figure, and click Connect;

7. Choose to continue connecting as shown in the figure (the client warns because the ASA presents the self-signed certificate from the inherittrust trustpoint);

8. Enter the username and password and click OK; the SSL VPN server then authenticates the user;

10. Check and verify the VPN connection status and view the split-tunnel routes;

11. From the PC client, ping the headquarters server address and a public Internet address to verify that the SSL VPN works;