ASA 9.0 and Later AnyConnect VPN Configuration Guide

1. Configure a self-signed certificate (optional; this step can be skipped)
ciscoasa(config)#crypto key generate rsa label anyconnect_keypair modulus 1024
ciscoasa(config)#crypto ca trustpoint self_certificate
ciscoasa(config-ca-trustpoint)#enrollment self
ciscoasa(config-ca-trustpoint)#keypair anyconnect_keypair
ciscoasa(config-ca-trustpoint)#fqdn anyconnect.cisco.com
ciscoasa(config-ca-trustpoint)#subject-name CN=anyconnect.cisco.com
ciscoasa(config-ca-trustpoint)#exit
ciscoasa(config)#crypto ca enroll self_certificate noconfirm
ciscoasa(config)#ssl trust-point self_certificate outside


2. Load the AnyConnect VPN image (in version 9.0 the svc command was renamed to anyconnect)
ciscoasa(config)#webvpn
ciscoasa(config-webvpn)#anyconnect image flash:/anyconnect-win-3.1.04072-k9.pkg 1
ciscoasa(config-webvpn)#anyconnect image disk0:/anyconnect-macosx-i386-3.1.04072-k9.pkg 2
ciscoasa(config-webvpn)#anyconnect enable
ciscoasa(config-webvpn)#enable outside


3. Configure the address pool
ciscoasa(config)#ip local pool anyconnect_clients 10.10.1.1-10.10.1.254 mask 255.255.255.0


4. Configure the split-tunnel list and bypass the interface access lists for VPN traffic
ciscoasa(config)#access-list tunnel-split extended permit ip 192.168.1.0 255.255.255.0 any   (the source is the internal network)
ciscoasa(config)#sysopt connection permit-vpn


NAT configuration for version 9.0 (very important). When someone's VPN does not come up, most of the time the problem is in the NAT configuration: traffic between the internal network and the VPN address pool must be exempted from translation with an identity NAT rule.
ciscoasa(config)#object network inside   ## internal network segment
ciscoasa(config-network-object)#subnet 192.168.1.0 255.255.255.0
ciscoasa(config)#object network anyconnect   ## VPN address pool segment
ciscoasa(config-network-object)#subnet 10.10.1.0 255.255.255.0
ciscoasa(config)#access-list tunnel-split extended permit ip object inside any
ciscoasa(config)#nat (inside,outside) source static inside inside destination static anyconnect anyconnect
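As an added example that is not part of the original guide, the following Python check looks for the NAT pitfall described above: it parses the network objects, the address pool and the twice-NAT rules from an ASA running config and reports whether an identity NAT rule (source X to X, destination Y to Y) covers the whole VPN pool. The sample configuration is constructed from this guide's values, not exported from a real device.

```python
import ipaddress
import re

# Constructed sample: the objects, pool and NAT exemption from the NAT section
# of this guide, in running-config form. Not an export from a real device.
SAMPLE_CONFIG = """\
object network inside
 subnet 192.168.1.0 255.255.255.0
object network anyconnect
 subnet 10.10.1.0 255.255.255.0
ip local pool anyconnect_clients 10.10.1.1-10.10.1.254 mask 255.255.255.0
nat (inside,outside) source static inside inside destination static anyconnect anyconnect
"""

def parse_objects(config):
    """Map each 'object network NAME' to the network given by its 'subnet' line."""
    objects, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object network (\S+)$", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+subnet (\S+) (\S+)$", line)
        if m and current:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
    return objects

def parse_pools(config):
    """Map each 'ip local pool NAME first-last mask M' to its (first, last) addresses."""
    pools = {}
    for m in re.finditer(r"ip local pool (\S+) (\S+)-(\S+) mask \S+", config):
        pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                             ipaddress.ip_address(m.group(3)))
    return pools

def identity_nat_covers_pool(config, pool_name):
    """True if some twice-NAT identity rule (source X->X, destination Y->Y)
    has a destination object whose subnet contains the whole address pool."""
    objects = parse_objects(config)
    first, last = parse_pools(config)[pool_name]
    rule = re.compile(r"nat \(\S+,\S+\) source static (\S+) (\S+) "
                      r"destination static (\S+) (\S+)")
    for src, src_mapped, dst, dst_mapped in rule.findall(config):
        if src != src_mapped or dst != dst_mapped:
            continue  # this rule translates something; it is not an exemption
        net = objects.get(dst)
        if net is not None and first in net and last in net:
            return True
    return False
```

Run identity_nat_covers_pool(open("running-config.txt").read(), "anyconnect_clients") against a saved show running-config; a False result means the pool (or part of it) is still being translated.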


5. Configure the group-policy to apply the address pool and the split-tunnel list
ciscoasa(config)#group-policy anyconnect_policy internal
ciscoasa(config)#group-policy anyconnect_policy attributes
ciscoasa(config-group-policy)#address-pools value anyconnect_clients
ciscoasa(config-group-policy)#vpn-tunnel-protocol ssl-client
ciscoasa(config-group-policy)#split-tunnel-policy tunnelspecified
ciscoasa(config-group-policy)#split-tunnel-network-list value tunnel-split


6. Configure the tunnel-group
ciscoasa(config)#tunnel-group anyconnect-profile type remote-access
ciscoasa(config)#tunnel-group anyconnect-profile general-attributes
ciscoasa(config-tunnel-general)#default-group-policy anyconnect_policy
ciscoasa(config-tunnel-general)#exit
ciscoasa(config)#tunnel-group anyconnect-profile webvpn-attributes
ciscoasa(config-tunnel-webvpn)#group-alias anyconnect
ciscoasa(config-tunnel-webvpn)#exit
ciscoasa(config)#webvpn
ciscoasa(config-webvpn)#tunnel-group-list enable


7. Option 1: use a local username and password and apply the group-policy
ciscoasa(config)#username cisco password cisco
ciscoasa(config)#username cisco attributes
ciscoasa(config-username)#vpn-group-policy anyconnect_policy


To allow the user to use the VPN only, without being able to log in to the device:
ciscoasa(config)#username cisco attributes
ciscoasa(config-username)#service-type remote-access
ciscoasa(config)#aaa authorization exec LOCAL   (without this authorization the user can log in to both the VPN and the device)


8. Option 2: authenticate VPN users against ACS
ciscoasa(config)#aaa-server ACSforVPN protocol radius
ciscoasa(config)#aaa-server ACSforVPN (inside) host 19.87.9.21
ciscoasa(config-aaa-server-host)#key cisco
ciscoasa(config)#tunnel-group anyconnect-profile general-attributes
ciscoasa(config-tunnel-general)#authentication-server-group ACSforVPN


The following commands are used for device management authentication:
ciscoasa(config)#aaa-server ACS protocol radius
ciscoasa(config)#aaa-server ACS (inside) host 172.20.1.140
ciscoasa(config-aaa-server-host)#key cisco
ciscoasa(config)#aaa authentication http console LOCAL
ciscoasa(config)#aaa authentication ssh console ACS LOCAL
ciscoasa(config)#aaa authentication telnet console LOCAL
ciscoasa(config)#aaa authentication enable console ACS LOCAL

