[Real project] ASA 8.x AnyConnect VPN Client on the ASA Configu
Date: 2011-07-17 Source: unknown Author: 西安-王sir. The following configuration is the SSL VPN set up on a customer's ASA 5520; it is currently in use and the user experience is quite good. I am sharing the configuration and the client here.
Notes:
1. The ASA ships with a license for only 2 free SSL VPN users; in a project the license can be upgraded according to the customer's needs. The maximum number of supported users is shown in the figure below:
--------------------------------------------------------------------------------------------------------------------------------------------------
2. In this project the ASA runs in routed mode at the network edge. The public IP addresses involved have been masked.
3. I list only the important configuration related to the SSL VPN; the ASA default configuration is not included.
4. Topology sketch: =======INTERNET>>>>>>(Outside)>ASA>(inside)>>>>Cisco Switch>>>>LAN>>>>
5. In this project the ASA runs OSPF with the core switch (this has nothing to do with the SSL VPN; any other routing protocol would also work).
------------------------------------------------------------------------------------------------------------------
ASA Version 8.2(1)
!
interface GigabitEthernet0/0
 description Connection to ===Internet_12X.X.X.X/30===
 nameif outside
 security-level 0
 ip address 12X.X.X.X 255.255.255.252
!
interface GigabitEthernet0/1
 description Connection to ===CoreSwitch_G1/0/24===
 speed 1000
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
 ospf message-digest-key 1 md5 XXXX
 ospf authentication message-digest
!
access-list split-tunnel remark Internet
access-list split-tunnel standard permit 192.168.5.0 255.255.255.0
access-list no_nat remark "Cisco SSL VPN"
access-list no_nat extended permit ip 192.168.5.0 255.255.255.0 100.100.100.0 255.255.255.0
access-list no_nat extended permit ip 100.100.100.0 255.255.255.0 192.168.5.0 255.255.255.0
ip local pool vpnpool 100.100.100.1-100.100.100.254 mask 255.255.255.0
nat-control
global (outside) 101 interface
nat (inside) 0 access-list no_nat
nat (inside) 101 192.168.0.0 255.255.0.0
router ospf 100
 router-id 192.168.0.1
 network 192.168.0.0 255.255.0.0 area 0
 log-adj-changes
 default-information originate always
!
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 16
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.3046-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy clientgroup internal
group-policy clientgroup attributes
 dns-server value x.x.x.x
 vpn-tunnel-protocol l2tp-ipsec svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 webvpn
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc ask none default svc
username ssluser1 password D.Z5/3pRqrj7eTPO encrypted privilege 15
tunnel-group sslgroup type remote-access
tunnel-group sslgroup general-attributes
 address-pool vpnpool
 default-group-policy clientgroup
tunnel-group sslgroup webvpn-attributes
 group-alias sslgroup_users enable
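Added example (not code from the post or from Cisco): a small check that the split-tunnel ACL and the nat 0 exemption ACL agree, because an inside network that is in split-tunnel but missing from no_nat would have its return traffic to the pool translated by the nat (inside) 101 rule instead of being exempted, and the VPN session to that network would break. It parses the relevant lines from the configuration above and lists any split-tunnel network the exemption ACL does not cover for the pool; it assumes the interface is named inside as here and Python 3.7 or newer.

```python
import ipaddress
import re

# Constructed excerpt of the ASA 8.2 configuration shown in this post
# (same addresses and ACL names as above, trimmed to the relevant lines).
ASA_CONFIG = """
access-list split-tunnel standard permit 192.168.5.0 255.255.255.0
access-list no_nat extended permit ip 192.168.5.0 255.255.255.0 100.100.100.0 255.255.255.0
access-list no_nat extended permit ip 100.100.100.0 255.255.255.0 192.168.5.0 255.255.255.0
ip local pool vpnpool 100.100.100.1-100.100.100.254 mask 255.255.255.0
nat (inside) 0 access-list no_nat
 split-tunnel-network-list value split-tunnel
"""


def _net(addr, mask):
    # strict=False lets a host address such as the pool start turn into its network.
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def unexempted_split_networks(config):
    """Return split-tunnel networks (as strings) that the nat 0 ACL does not
    exempt for traffic towards the VPN address pool. Empty list means OK."""
    m = re.search(r"^ip local pool \S+ (\S+)-\S+ mask (\S+)", config, re.M)
    pool = _net(m.group(1), m.group(2))
    split_acl = re.search(r"split-tunnel-network-list value (\S+)", config).group(1)
    # Assumes the LAN interface is named "inside", as in this configuration.
    exempt_acl = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M).group(1)
    split_nets = [_net(a, b) for a, b in re.findall(
        rf"^access-list {re.escape(split_acl)} standard permit (\S+) (\S+)", config, re.M)]
    exempt_pairs = [(_net(s, sm), _net(d, dm)) for s, sm, d, dm in re.findall(
        rf"^access-list {re.escape(exempt_acl)} extended permit ip (\S+) (\S+) (\S+) (\S+)",
        config, re.M)]
    missing = []
    for net in split_nets:
        # Covered when some exemption line has inside-net -> pool (the direction
        # the nat (inside) statement evaluates).
        covered = any(net.subnet_of(src) and pool.subnet_of(dst) for src, dst in exempt_pairs)
        if not covered:
            missing.append(str(net))
    return missing


if __name__ == "__main__":
    print("unexempted:", unexempted_split_networks(ASA_CONFIG))  # prints: unexempted: []
```

Adding a second network to split-tunnel without a matching no_nat line makes the function report it, which is the state to look for when a client can reach one inside subnet but not another.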
-----------------------------------------------------------------------------------------
Test results
5. Login page
6. Connection process
7. Connection succeeded
8. AnyConnect client status information
9. Split tunneling: the route entries pushed automatically.
10. Local routing table
11. Connectivity test
12. After the client connects, the ASA automatically creates a static route; it disappears automatically after the client disconnects.