原文作者: Mansur

原文链接: http://nbma.info/cisco-asa-ssl-vpn-configure/

在ASA配置SSL VPN过程如下,

接口和默认路由 略

创建地址池SSL-POOL

1ip local pool SSL-POOL 172.17.44.2-172.17.47.254 mask 255.255.252.0

配置区域策略

1
2		same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

定义下发路由SSL-SPL

1
2
3
4
5
6		access-list SSL-SPL extended permit ip 172.17.0.0 255.255.0.0 any
access-list SSL-SPL extended permit ip 10.0.0.0 255.255.0.0 any
access-list SSL-SPL extended permit ip 10.201.0.0 255.255.0.0 any
access-list SSL-SPL extended permit ip 192.168.96.0 255.255.224.0 any
access-list SSL-SPL extended permit ip 10.101.0.0 255.255.0.0 any
access-list SSL-SPL extended permit ip 10.12.0.0 255.255.0.0 any

定义ACL策略SSL-ACL(可选)

1access-list SSL-ACL extended permit ip any any

定义radius认证服务器SSL(可选)

1
2
3
4
5		aaa-server SSL protocol radius
aaa-server SSL (inside) host 172.17.40.41
key XXXXXXXX
authentication-port 1812
accounting-port 1813

允许inside管理(可选)

1management-access inside

指定anyconnect客户端

1
2
3
4
5
6
7
8
9		webvpn
enable inside
anyconnect image disk0:/anyconnect-win-4.4.03034-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-macos-4.4.04030-webdeploy-k9.pkg 2
anyconnect image disk0:/anyconnect-linux64-4.4.04030-webdeploy-k9.pkg 3
anyconnect enable
cache
disable
error-recovery disable

配置group策略SSL-POLICY,关联需要下发的路由SSL-SPL、访问控制SSL-ACL、地址池SSL-POOL

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17		group-policy SSL-POLICY internal
group-policy SSL-POLICY attributes
dns-server value 192.168.115.11 192.168.115.12
vpn-simultaneous-logins 30
vpn-idle-timeout 120
#VPN过滤可选……
vpn-filter value SSL-ACL
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SSL-SPL
address-pools value SSL-POOL
webvpn
anyconnect ssl dtls enable
anyconnect mtu 1200
anyconnect keep-installer installed
anyconnect dtls compression lzs
anyconnect ask none default anyconnect

如果mtu太大,可能会出现“首次连接后断线,再次连接正常”的现象

默认tunnel-group关联策略,关联认证radius服务器SSL和group策略SSL-POLICY

1
2
3
4		tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group SSL
accounting-server-group SSL
default-group-policy SSL-POLICY