This article is reproduced from: https://www.petenetlive.com/KB/Article/0000069
Problem
Below is a walkthrough for setting up a client-to-gateway VPN tunnel using a Cisco ASA appliance. This was done via the ASDM console. The video was shot with ASA version 8.4(2) and ASDM 6.4(5), and the setup process is a lot less painful than it used to be.
The original article was written with ASA version 8.0(4) and ASDM 6.1(3), which was a little more difficult, so I will leave that procedure below just in case 🙂
ASDM cannot be used on the normal port on the outside interface when using SSL VPN.
SSL VPN AnyConnect from within an RDP session is not supported (and fails – even with a /console switch).
SSL (HTTPS on TCP port 443) needs to be free (i.e. NOT port forwarded to a web server / Exchange server etc).
Solution
For Older Versions of the ASA/ASDM
1. Open up the ASDM console > Click Wizards > SSL VPN Wizard.
2. Select “Both Options”. > Next.
3. Enter a connection name > If you already have a certificate, select it here, or simply leave it on “-None-” and the ASA will generate an untrusted one. > Next.
4. For this example we are going to use the ASA’s local database to hold our user database (if you want to use RADIUS/Windows IAS, select those options and follow the instructions; to set up IAS read my notes HERE) > Enter a username and password.
5. Add. > Next.
6. We are going to create a new policy in this case called SSL Users > Next.
7. You can now add bookmarks (Links on the VPN portal page) > Manage > Add > Type in a name > Add. > OK.
8. Give it a name and subtitle (look at step 18 to see how that displays) > Enter the internal URL for the web site > OK.
9. Add > OK.
10. OK.
11. Next.
12. Create an IP pool (an IP range to be leased to the VPN clients that is DIFFERENT from your LAN IP range) > New > Enter a name, IP addresses, and the subnet mask > OK.
13. Point the ASA to the AnyConnect client you want to use (note you can upload a software image from your PC here as well) > Next > Accept the warning about NAT exemptions (note: if you do get a warning to add a NAT exemption, see the note at the end).
14. Finish.
15. Before it will work you need to select Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles > Double click the connection profile you created earlier in step 3 > Enter a name in the Aliases section, i.e. AnyConnect > OK > Tick the box that says “Allow user to select connection profile by its alias…” > Apply.
16. File > Save running configuration to flash.
17. Connect externally to https://{public_IP} (note this has to be in the browser's trusted sites list) > Enter a username and password > Login.
18. You are now on the “Portal” site; any bookmarks created above will be visible > Click the AnyConnect tab.
19. Double click to launch AnyConnect.
20. The AnyConnect client will install if not used previously (the user needs to be a local admin) and connects.
NAT Exemptions: If you received a warning about needing to add the remote VPN pool as a NAT exemption (after step 13), you will need to add the following lines to the ASA:
Syntax
access-list {name} extended permit ip {LAN behind ASA} {Subnet behind ASA} {VPN Pool Range} {VPN Pool Subnet}
nat (inside) 0 access-list {name}
Working example
access-list nonat extended permit ip 10.254.254.0 255.255.255.0 10.254.253.0 255.255.255.0
nat (inside) 0 access-list nonat
WARNING: Make sure the name matches any existing no-NAT ACLs or your IPsec VPNs will fail!
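As an added example (not part of the original article), here is a small Python check that parses the 8.0-style access-list and nat 0 lines shown above from a constructed running-config fragment, flags a VPN pool that overlaps the LAN (the mistake step 12 warns against), and reuses the ACL name already bound with nat (inside) 0 so existing IPsec exemptions survive, as the warning requires. The config fragment, the function names and the "nonat" default name are assumptions made for this illustration.

```python
"""Check and plan an ASA 8.0-style NAT exemption for an AnyConnect VPN pool."""
import ipaddress
import re

# Constructed sample running-config fragment (not from a real device): an
# existing no-NAT ACL already in use for a site-to-site IPsec tunnel.
SAMPLE_CONFIG = """\
access-list nonat extended permit ip 10.254.254.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list nonat
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")


def parse_config(text):
    """Return ({acl_name: [(src_net, dst_net), ...]}, {interface: nat0_acl_name})."""
    acls, nat0 = {}, {}
    for line in text.splitlines():
        if m := ACL_RE.match(line.strip()):
            name, s_ip, s_mask, d_ip, d_mask = m.groups()
            acls.setdefault(name, []).append((ipaddress.ip_network(f"{s_ip}/{s_mask}"),
                                              ipaddress.ip_network(f"{d_ip}/{d_mask}")))
        elif m := NAT0_RE.match(line.strip()):
            nat0[m.group(1)] = m.group(2)  # a later binding replaces an earlier one
    return acls, nat0


def plan_exemption(text, lan, pool, iface="inside", default_name="nonat"):
    """Return (findings, cli_lines): problems found and the lines still needed."""
    lan, pool = ipaddress.ip_network(lan), ipaddress.ip_network(pool)
    findings, cli = [], []
    if lan.overlaps(pool):
        findings.append(f"VPN pool {pool} overlaps the LAN {lan}")
    acls, nat0 = parse_config(text)
    # Reuse the ACL already bound with 'nat (iface) 0'; binding a new name
    # would replace it and silently drop the existing IPsec exemptions.
    name = nat0.get(iface, default_name)
    if not any(s == lan and d == pool for s, d in acls.get(name, [])):
        cli.append(f"access-list {name} extended permit ip {lan.network_address} "
                   f"{lan.netmask} {pool.network_address} {pool.netmask}")
    if iface not in nat0:
        cli.append(f"nat ({iface}) 0 access-list {name}")
    return findings, cli


if __name__ == "__main__":
    for item in plan_exemption(SAMPLE_CONFIG, "10.254.254.0/24", "10.254.253.0/24"):
        print(item)
```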