
ASA 9.x: AnyConnect VPN Client U-turn Configuration Example

October 27, 2016 - Machine Translation
Other versions: PDF | English (August 22, 2015)

Introduction

This document describes how to set up an Adaptive Security Appliance (ASA) Version 9.1(2) to perform SSL VPN on a stick with the Cisco AnyConnect VPN Client. This setup applies to the specific case in which the ASA does not allow split tunneling, and users connect directly to the ASA before they are permitted to go to the Internet.

Note: In order to prevent an overlap of IP addresses in the network, assign a completely different pool of IP addresses to the VPN Client (for example, 10.x.x.x, 172.16.x.x, and 192.168.x.x). This IP addressing scheme is helpful when you troubleshoot your network.

Hairpinning or U-turn

This feature is useful for VPN traffic that enters an interface but is then routed out of that same interface. For example, if you have a hub-and-spoke VPN network where the security appliance is the hub and the remote VPN networks are spokes, in order for one spoke to communicate with another spoke, the traffic must go to the security appliance and then out again to the other spoke.

Enter the same-security-traffic command in order to allow traffic to enter and exit the same interface.

ciscoasa(config)#same-security-traffic permit intra-interface

Contributed by Yamil Gazel and Gustavo Medina, Cisco TAC Engineers.

Prerequisites

Requirements

Cisco recommends that you meet these requirements before you attempt this configuration:

  • The hub ASA security appliance needs to run Version 9.x.

  • Cisco AnyConnect VPN Client 3.x

    Note: Download the AnyConnect VPN Client package (anyconnect-win*.pkg) from Cisco Software Download (registered customers only). Copy the AnyConnect VPN Client to the flash memory of the ASA, from where it is downloaded to the remote user computers in order to establish the SSL VPN connection with the ASA. Refer to the Installing the AnyConnect Client section of the ASA configuration guide for more information.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco 5500 Series ASA that runs software Version 9.1(2)

  • Cisco AnyConnect SSL VPN Client Version 3.1.05152 for Windows

  • PC that runs a supported OS per the compatibility chart.

  • Cisco Adaptive Security Device Manager (ASDM) Version 7.1(6)

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Background Information

The Cisco AnyConnect VPN Client provides secure SSL connections to the security appliance for remote users. Without a previously installed client, remote users enter into their browser the IP address of an interface that is configured to accept SSL VPN connections. Unless the security appliance is configured to redirect http:// requests to https://, users must enter the URL in the form https://<address>.

After the URL is entered, the browser connects to that interface and displays the login screen. If the user satisfies the login and authentication requirements, and the security appliance identifies the user as one who requires the client, it downloads the client that matches the operating system of the remote computer. After the download, the client installs and configures itself, establishes a secure SSL connection, and either remains or uninstalls itself (depending on the security appliance configuration) when the connection terminates.

In the case of a previously installed client, when the user authenticates, the security appliance examines the revision of the client and upgrades the client as necessary.

When the client negotiates an SSL VPN connection with the security appliance, it connects with Transport Layer Security (TLS) and optionally Datagram Transport Layer Security (DTLS). DTLS avoids the latency and bandwidth problems associated with some SSL connections and improves the performance of real-time applications that are sensitive to packet delays.

The AnyConnect client can be downloaded from the security appliance, or it can be installed manually on the remote PC by the system administrator. For more information about how to install the client manually, refer to the Cisco AnyConnect VPN Client Administrator Guide.

The security appliance downloads the client based on the group policy or username attributes of the user who establishes the connection. You can configure the security appliance to automatically download the client, or you can configure it to prompt the remote user about whether to download the client. In the latter case, if the user does not respond, you can configure the security appliance to either download the client after a timeout period or present the login page.

Configure

This section provides the information needed to configure the features described in this document.

Note: Use the Command Lookup Tool (registered customers only) in order to obtain more information on the commands used in this section.

Configuration Example for a Single-Interface AnyConnect VPN Client for Public Internet VPN

Network Diagram

This document uses this network setup:

ASA Version 9.1(2) Configuration with ASDM Version 7.1(6)

This document assumes that the basic configuration, such as the interface configuration, is already complete and works properly.

Note: Refer to Configuring HTTPS Access for ASDM in order to allow the ASA to be configured by ASDM.

Note: In Version 8.0(2) and later, the ASA supports both clientless SSL VPN (WebVPN) sessions and ASDM administrative sessions simultaneously on port 443 of the outside interface. In versions earlier than 8.0(2), WebVPN and ASDM cannot be enabled on the same ASA interface unless you change the port numbers. Refer to Enabling WebVPN and ASDM on the Same Interface of the ASA for more information.

Complete these steps in order to configure the SSL VPN on a single interface of the ASA:

  1. Choose Configuration > Device Setup > Interfaces and check the Enable traffic between two or more hosts connected to the same interface check box in order to allow SSL VPN traffic to enter and exit the same interface. Click Apply.

    Equivalent CLI configuration:

    ciscoasa(config)#same-security-traffic permit intra-interface
  2. Choose Configuration > Remote Access VPN > Network (Client) Access > Address Assignment > Address Pools > Add in order to create the IP address pool vpnpool.

  3. Click Apply.

    Equivalent CLI configuration:

    ciscoasa(config)#ip local pool vpnpool 192.168.10.1-192.168.10.254 mask 255.255.255.0
  4. Enable WebVPN.
    1. Choose Configuration > Remote Access VPN > Network (Client) Access > SSL VPN Connection Profiles, and under Access Interfaces, check the Allow Access and Enable DTLS check boxes for the outside interface. Also, check the Enable Cisco AnyConnect VPN Client or legacy SSL VPN Client access on the interface selected in the table below check box in order to enable SSL VPN on the outside interface.

    2. Click Apply.
    3. Choose Configuration > Remote Access VPN > Network (Client) Access > Anyconnect Client Software > Add in order to add the Cisco AnyConnect VPN Client image from the flash memory of the ASA as shown.

      Equivalent CLI configuration:

      ciscoasa(config)#webvpn
      ciscoasa(config-webvpn)#enable outside
      ciscoasa(config-webvpn)#anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
      ciscoasa(config-webvpn)#tunnel-group-list enable
      ciscoasa(config-webvpn)#anyconnect enable
  5. Configure the group policy.
    1. Choose Configuration > Remote Access VPN > Network (Client) Access > Group Policies in order to create an internal group policy clientgroup. Under the General tab, check the SSL VPN Client check box in order to enable WebVPN as the tunneling protocol.

    2. In the Advanced > Split Tunneling tab, choose Tunnel All Networks from the Policy drop-down list in order to make all the packets from the remote PC go through the secure tunnel.

      Equivalent CLI configuration:

      ciscoasa(config)#group-policy clientgroup internal
      ciscoasa(config)#group-policy clientgroup attributes
      ciscoasa(config-group-policy)#vpn-tunnel-protocol ssl-client
      ciscoasa(config-group-policy)#split-tunnel-policy tunnelall
  6. Choose Configuration > Remote Access VPN > AAA/Local Users > Local Users > Add in order to create a new user account ssluser1. Click OK, and then click Apply.

    Equivalent CLI configuration:

    ciscoasa(config)#username ssluser1 password asdmASA@
  7. Configure the tunnel group.
    1. Choose Configuration > Remote Access VPN > Network (Client) Access > Anyconnect Connection Profiles > Add in order to create a new tunnel group sslgroup.
    2. In the Basic tab, you can perform the configurations listed here:
      • Name the tunnel group sslgroup.
      • Under Client Address Assignment, choose the address pool vpnpool from the Client Address Pools drop-down list.
      • Under Default Group Policy, choose the group policy clientgroup from the Group Policy drop-down list.

      • Under the Advanced > Group Alias/Group URL tab, specify the group alias name as sslgroup_users, and click OK.

        Equivalent CLI configuration:

        ciscoasa(config)#tunnel-group sslgroup type remote-access
        ciscoasa(config)#tunnel-group sslgroup general-attributes
        ciscoasa(config-tunnel-general)#address-pool vpnpool
        ciscoasa(config-tunnel-general)#default-group-policy clientgroup
        ciscoasa(config-tunnel-general)#exit
        ciscoasa(config)#tunnel-group sslgroup webvpn-attributes
        ciscoasa(config-tunnel-webvpn)#group-alias sslgroup_users enable
  8. Configure NAT.
    1. Choose Configuration > Firewall > NAT Rules > Add "Network Object" NAT Rule so that traffic that comes from the inside network can be translated with the outside IP address 172.16.1.1.

    2. Choose Configuration > Firewall > NAT Rules > Add "Network Object" NAT Rule so that VPN traffic that comes from the outside network can be translated with the outside IP address 172.16.1.1.

      Equivalent CLI configuration:

      ciscoasa(config)# object network obj-inside
      ciscoasa(config-network-object)# subnet 10.77.241.128 255.255.255.192
      ciscoasa(config-network-object)# nat (inside,outside) dynamic interface
      ciscoasa(config)# object network obj-AnyconnectPool
      ciscoasa(config-network-object)# subnet 192.168.10.0 255.255.255.0
      ciscoasa(config-network-object)# nat (outside,outside) dynamic interface

ASA Version 9.1(2) Configuration in the CLI

ciscoasa(config)#show running-config
: Saved
:
ASA Version 9.1(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.77.241.142 255.255.255.192
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address

!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone IST 5 30
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit intra-interface

!--- Command that permits the SSL VPN traffic to enter and exit the same interface.

object network obj-AnyconnectPool
subnet 192.168.10.0 255.255.255.0
object network obj-inside
subnet 10.77.241.128 255.255.255.192

!--- Commands that define the network objects we will use later on the NAT section.

pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.10.1-192.168.10.254 mask 255.255.255.0


!--- The address pool for the Cisco AnyConnect SSL VPN Clients


no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400

nat (inside,outside) source static obj-inside obj-inside destination static
obj-AnyconnectPool obj-AnyconnectPool

!--- The Manual NAT that prevents the inside network from getting translated
!--- when going to the Anyconnect Pool.

object network obj-AnyconnectPool
nat (outside,outside) dynamic interface
object network obj-inside
nat (inside,outside) dynamic interface

!--- The Object NAT statements for Internet access used by inside users and
!--- Anyconnect Clients.
!--- Note: Uses an RFC 1918 range for lab setup.

route outside 0.0.0.0 0.0.0.0 172.16.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
webvpn
enable outside


!--- Enable WebVPN on the outside interface


anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1


!--- Assign an order to the AnyConnect SSL VPN Client image


anyconnect enable


!--- Enable the security appliance to download SVC images to remote computers


tunnel-group-list enable


!--- Enable the display of the tunnel-group list on the WebVPN Login page


group-policy clientgroup internal


!--- Create an internal group policy "clientgroup"


group-policy clientgroup attributes
vpn-tunnel-protocol ssl-client


!--- Specify SSL as a permitted VPN tunneling protocol


split-tunnel-policy tunnelall


!--- Encrypt all the traffic coming from the SSL VPN Clients.

username ssluser1 password ZRhW85jZqEaVd5P. encrypted


!--- Create a user account "ssluser1"


tunnel-group sslgroup type remote-access


!--- Create a tunnel group "sslgroup" with type as remote access


tunnel-group sslgroup general-attributes
address-pool vpnpool


!--- Associate the address pool vpnpool created


default-group-policy clientgroup


!--- Associate the group policy "clientgroup" created


tunnel-group sslgroup webvpn-attributes
group-alias sslgroup_users enable


!--- Configure the group alias as sslgroup-users

prompt hostname context
Cryptochecksum:af3c4bfc4ffc07414c4dfbd29c5262a9
: end
ciscoasa(config)#

Allow Communication Between AnyConnect VPN Clients with the Tunnelall Configuration in Place

Network Diagram

If communication between the Anyconnect clients is required and the NAT for Public Internet on a Stick is in place, a manual NAT is also required in order to permit bidirectional communication.

This is a common scenario when the Anyconnect clients use phone services and should be able to call each other.

ASA Version 9.1(2) Configuration with ASDM Version 7.1(6)

Choose Configuration > Firewall > NAT Rules > Add NAT Rule Before "Network Object" NAT Rules so that traffic that comes from the outside network (Anyconnect pool) and is destined to another Anyconnect client from the same pool is not translated with the outside IP address 172.16.1.1.

Equivalent CLI configuration:

nat (outside,outside) source static obj-AnyconnectPool obj-AnyconnectPool destination
static obj-AnyconnectPool obj-AnyconnectPool

ASA Version 9.1(2) Configuration in the CLI

ciscoasa(config)#show running-config
: Saved
:
ASA Version 9.1(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.77.241.142 255.255.255.192
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address

!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone IST 5 30
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit intra-interface

!--- Command that permits the SSL VPN traffic to enter and exit the same interface.

object network obj-AnyconnectPool
subnet 192.168.10.0 255.255.255.0
object network obj-inside
subnet 10.77.241.128 255.255.255.192

!--- Commands that define the network objects we will use later on the NAT section.

pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.10.1-192.168.10.254 mask 255.255.255.0


!--- The address pool for the Cisco AnyConnect SSL VPN Clients


no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400

nat (inside,outside) source static obj-inside obj-inside destination static
obj-AnyconnectPool obj-AnyconnectPool
nat (outside,outside) source static obj-AnyconnectPool obj-AnyconnectPool
destination static obj-AnyconnectPool obj-AnyconnectPool

!--- The Manual NAT statements used so that traffic from the inside network
!--- destined to the Anyconnect Pool and traffic from the Anyconnect Pool destined
!--- to another Client within the same pool does not get translated.

object network obj-AnyconnectPool
nat (outside,outside) dynamic interface
object network obj-inside
nat (inside,outside) dynamic interface

!--- The Object NAT statements for Internet access used by inside users and
!--- Anyconnect Clients.
!--- Note: Uses an RFC 1918 range for lab setup.

route outside 0.0.0.0 0.0.0.0 172.16.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
webvpn
enable outside


!--- Enable WebVPN on the outside interface


anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1


!--- Assign an order to the AnyConnect SSL VPN Client image


anyconnect enable


!--- Enable the security appliance to download SVC images to remote computers


tunnel-group-list enable


!--- Enable the display of the tunnel-group list on the WebVPN Login page


group-policy clientgroup internal


!--- Create an internal group policy "clientgroup"


group-policy clientgroup attributes
vpn-tunnel-protocol ssl-client


!--- Specify SSL as a permitted VPN tunneling protocol


split-tunnel-policy tunnelall


!--- Encrypt all the traffic coming from the SSL VPN Clients.

username ssluser1 password ZRhW85jZqEaVd5P. encrypted


!--- Create a user account "ssluser1"


tunnel-group sslgroup type remote-access


!--- Create a tunnel group "sslgroup" with type as remote access


tunnel-group sslgroup general-attributes
address-pool vpnpool


!--- Associate the address pool vpnpool created


default-group-policy clientgroup


!--- Associate the group policy "clientgroup" created


tunnel-group sslgroup webvpn-attributes
group-alias sslgroup_users enable


!--- Configure the group alias as sslgroup-users

prompt hostname context
Cryptochecksum:af3c4bfc4ffc07414c4dfbd29c5262a9
: end
ciscoasa(config)#

Allow Communication Between AnyConnect VPN Clients with Split Tunneling

Network Diagram

If communication between the Anyconnect clients is required and split tunneling is in use, a manual NAT is not required in order to permit bidirectional communication, unless there is a NAT rule configured that affects this traffic. However, the Anyconnect VPN pool must be included in the split-tunnel ACL.

This is a common scenario when the Anyconnect clients use phone services and should be able to call each other.

ASA Version 9.1(2) Configuration with ASDM Version 7.1(6)

  1. Choose Configuration > Remote Access VPN > Network (Client) Access > Address Assignment > Address Pools > Add in order to create the IP address pool vpnpool.

  2. Click Apply.

    Equivalent CLI configuration:

    ciscoasa(config)#ip local pool vpnpool 192.168.10.1-192.168.10.254 mask 255.255.255.0
  3. Enable WebVPN.
    1. Choose Configuration > Remote Access VPN > Network (Client) Access > SSL VPN Connection Profiles, and under Access Interfaces, check the Allow Access and Enable DTLS check boxes for the outside interface. Also, check the Enable Cisco AnyConnect VPN Client or legacy SSL VPN Client access on the interface selected in the table below check box in order to enable SSL VPN on the outside interface.

    2. Click Apply.
    3. Choose Configuration > Remote Access VPN > Network (Client) Access > Anyconnect Client Software > Add in order to add the Cisco AnyConnect VPN Client image from the flash memory of the ASA as shown.

      Equivalent CLI configuration:

      ciscoasa(config)#webvpn
      ciscoasa(config-webvpn)#enable outside
      ciscoasa(config-webvpn)#anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
      ciscoasa(config-webvpn)#tunnel-group-list enable
      ciscoasa(config-webvpn)#anyconnect enable
  4. Configure the group policy.
    1. Choose Configuration > Remote Access VPN > Network (Client) Access > Group Policies in order to create an internal group policy clientgroup. Under the General tab, check the SSL VPN Client check box in order to enable WebVPN as the tunneling protocol.

    2. In the Advanced > Split Tunneling tab, choose Tunnel Network List Below from the Policy drop-down list so that only the packets from the remote PC that are destined to the listed networks go through the secure tunnel.

      Equivalent CLI configuration:

      ciscoasa(config)#access-list SPLIt-ACL standard permit 10.77.241.0 255.255.255.0
      ciscoasa(config)#access-list SPLIt-ACL standard permit 192.168.10.0 255.255.255.0

      ciscoasa(config)#group-policy clientgroup internal
      ciscoasa(config)#group-policy clientgroup attributes
      ciscoasa(config-group-policy)#vpn-tunnel-protocol ssl-client
      ciscoasa(config-group-policy)#split-tunnel-policy tunnelspecified
      ciscoasa(config-group-policy)#split-tunnel-network-list SPLIt-ACL
  5. Choose Configuration > Remote Access VPN > AAA/Local Users > Local Users > Add in order to create a new user account ssluser1. Click OK, and then click Apply.

    Equivalent CLI configuration:

    ciscoasa(config)#username ssluser1 password asdmASA@
  6. Configure the tunnel group.
    1. Choose Configuration > Remote Access VPN > Network (Client) Access > Anyconnect Connection Profiles > Add in order to create a new tunnel group sslgroup.
    2. In the Basic tab, you can perform the configurations listed here:
      • Name the tunnel group sslgroup.
      • Under Client Address Assignment, choose the address pool vpnpool from the Client Address Pools drop-down list.
      • Under Default Group Policy, choose the group policy clientgroup from the Group Policy drop-down list.

      • Under the Advanced > Group Alias/Group URL tab, specify the group alias name as sslgroup_users, and click OK.

        Equivalent CLI configuration:

        ciscoasa(config)#tunnel-group sslgroup type remote-access
        ciscoasa(config)#tunnel-group sslgroup general-attributes
        ciscoasa(config-tunnel-general)#address-pool vpnpool
        ciscoasa(config-tunnel-general)#default-group-policy clientgroup
        ciscoasa(config-tunnel-general)#exit
        ciscoasa(config)#tunnel-group sslgroup webvpn-attributes
        ciscoasa(config-tunnel-webvpn)#group-alias sslgroup_users enable
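The following Python script is an added example, not Cisco's code or ASDM output: it audits a running-config for the U-turn prerequisites from the steps above and from the earlier tunnelall client-to-client section (the intra-interface permit, the address pool, WebVPN/AnyConnect on the outside interface, the identity twice NAT toward the pool, the (outside,outside) object NAT that tunnelall needs, and a split-tunnel ACL entry that covers the pool when tunnelspecified is used). The embedded sample configuration is constructed from this page's commands, with the twice NAT statement on a single line as show running-config prints it.

```python
"""Audit an ASA running-config for this page's AnyConnect U-turn prerequisites (added example, not Cisco code)."""
import ipaddress
import re

# 'show running-config' is flush-left, so a line belongs to the preceding mode line
# only when its keyword is a known sub-command of that mode.
SUBCMDS = {
    "object": ("subnet", "host", "nat"),
    "group-policy": ("vpn-tunnel-protocol", "split-tunnel-policy", "split-tunnel-network-list"),
    "webvpn": ("enable", "anyconnect", "tunnel-group-list"),
}

def parse(text):
    out, mode = [], None  # (mode_line, line) pairs; top-level lines carry mode None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            mode = None
            continue
        first = line.split()[0]
        # Twice NAT ('nat (a,b) source ... destination ...') is always top level.
        if mode and first in SUBCMDS[mode.split()[0]] and " source " not in line:
            out.append((mode, line))
            continue
        mode = line if first in SUBCMDS else None
        out.append((None, line))
    return out

def audit(text, client_to_client=False):
    """Return a list of problems; an empty list means the U-turn setup is complete."""
    cfg = parse(text)
    lines = [l for _, l in cfg]
    problems = [] if "same-security-traffic permit intra-interface" in lines else [
        "hairpin: same-security-traffic permit intra-interface is missing"]
    pm = re.search(r"^ip local pool \S+ (\S+)-\S+ mask (\S+)$", text, re.M)
    if not pm:
        return problems + ["no ip local pool for AnyConnect clients"]
    pool = ipaddress.ip_network(f"{pm[1]}/{pm[2]}", strict=False)
    webvpn = [l for mode, l in cfg if mode == "webvpn"]
    vpn_if = next((l.split()[1] for l in webvpn if l.startswith("enable ")), None)
    if vpn_if is None or "anyconnect enable" not in webvpn:
        return problems + ["webvpn: AnyConnect is not enabled on any interface"]
    objects = {}
    for mode, l in cfg:
        if mode and mode.startswith("object network "):
            objects.setdefault(mode.split()[2], []).append(l)
    pool_objs = [n for n, ls in objects.items()
                 if f"subnet {pool.network_address} {pool.netmask}" in ls]
    # Identity twice NAT keeps inside<->pool (and pool<->pool) traffic untranslated.
    rx = re.compile(rf"nat \((\S+),{vpn_if}\) source static (\S+) \2 destination static (\S+) \3")
    ident = [m.groups() for m in map(rx.fullmatch, lines) if m and m[3] in pool_objs]
    if not any(i != vpn_if for i, _, _ in ident):
        problems.append("identity NAT: inside-to-pool traffic would be translated")
    if client_to_client and not any(i == vpn_if and s in pool_objs for i, s, _ in ident):
        problems.append("client-to-client: pool-to-pool identity twice NAT is missing")
    gp = [l for mode, l in cfg if mode and mode.endswith(" attributes")]
    policy = next((l.split()[1] for l in gp if l.startswith("split-tunnel-policy ")),
                  "tunnelall")  # ASA default when no policy is set
    if policy == "tunnelall":
        hairpin = f"nat ({vpn_if},{vpn_if}) dynamic interface"
        if not any(hairpin in objects[n] for n in pool_objs):
            problems.append(f"tunnelall: pool object needs '{hairpin}' for Internet access")
    else:
        acl = next((l.split()[-1] for l in gp if l.startswith("split-tunnel-network-list ")), None)
        nets = [ipaddress.ip_network(f"{e[4]}/{e[5]}", strict=False) for e in
                (l.split() for l in lines) if e[:4] == ["access-list", acl, "standard", "permit"]]
        if not any(pool.subnet_of(n) for n in nets):
            problems.append(f"{policy}: pool {pool} is not covered by split-tunnel ACL {acl}")
    return problems

# Constructed excerpt of the page's first running-config (twice NAT on one line, as the ASA prints it).
TUNNELALL_CFG = """
same-security-traffic permit intra-interface
ip local pool vpnpool 192.168.10.1-192.168.10.254 mask 255.255.255.0
object network obj-AnyconnectPool
subnet 192.168.10.0 255.255.255.0
nat (outside,outside) dynamic interface
nat (inside,outside) source static obj-inside obj-inside destination static obj-AnyconnectPool obj-AnyconnectPool
webvpn
enable outside
anyconnect enable
group-policy clientgroup attributes
split-tunnel-policy tunnelall
"""
```

Run against the page's third running-config (the split-tunnel one), the check reports the identity NAT as missing, because that listing references obj-AnyconnectPool in its twice NAT statement but never defines the object.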

ASA Version 9.1(2) Configuration in the CLI


ciscoasa(config)#show running-config
: Saved
:
ASA Version 9.1(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.77.241.142 255.255.255.192
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address

!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone IST 5 30
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit intra-interface

!--- Command that permits the SSL VPN traffic to enter and exit the same interface.

object network obj-inside
subnet 10.77.241.128 255.255.255.192

!--- Commands that define the network objects we will use later on the NAT section.

access-list SPLIt-ACL standard permit 10.77.241.0 255.255.255.0
access-list SPLIt-ACL standard permit 192.168.10.0 255.255.255.0

!--- Standard Split-Tunnel ACL that determines the networks that should travel the
!--- Anyconnect tunnel.

pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.10.1-192.168.10.254 mask 255.255.255.0

!--- The address pool for the Cisco AnyConnect SSL VPN Clients

no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400

nat (inside,outside) source static obj-inside obj-inside destination static
obj-AnyconnectPool obj-AnyconnectPool

!--- The Manual NAT that prevents the inside network from getting translated when
!--- going to the Anyconnect Pool

object network obj-inside
nat (inside,outside) dynamic interface

!--- The Object NAT statements for Internet access used by inside users.
!--- Note: Uses an RFC 1918 range for lab setup.

route outside 0.0.0.0 0.0.0.0 172.16.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
webvpn
enable outside


!--- Enable WebVPN on the outside interface


anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1


!--- Assign an order to the AnyConnect SSL VPN Client image


anyconnect enable


!--- Enable the security appliance to download SVC images to remote computers


tunnel-group-list enable


!--- Enable the display of the tunnel-group list on the WebVPN Login page


group-policy clientgroup internal


!--- Create an internal group policy "clientgroup"


group-policy clientgroup attributes
vpn-tunnel-protocol ssl-client


!--- Specify SSL as a permitted VPN tunneling protocol


split-tunnel-policy tunnelspecified


!--- Encrypt only traffic specified on the split-tunnel ACL coming from the SSL
!--- VPN Clients.


split-tunnel-network-list value SPLIt-ACL


!--- Defines the previously configured ACL to the split-tunnel policy.

username ssluser1 password ZRhW85jZqEaVd5P. encrypted


!--- Create a user account "ssluser1"


tunnel-group sslgroup type remote-access


!--- Create a tunnel group "sslgroup" with type as remote access


tunnel-group sslgroup general-attributes
address-pool vpnpool


!--- Associate the address pool vpnpool created


default-group-policy clientgroup


!--- Associate the group policy "clientgroup" created


tunnel-group sslgroup webvpn-attributes
group-alias sslgroup_users enable


!--- Configure the group alias as sslgroup-users

prompt hostname context
Cryptochecksum:af3c4bfc4ffc07414c4dfbd29c5262a9
: end
ciscoasa(config)#

Verify

Use this section in order to confirm that your configuration works properly.

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT in order to view an analysis of show command output.

  • show vpn-sessiondb anyconnect - Displays information about the current SSL connections.

    ciscoasa#show vpn-sessiondb anyconnect

    Session Type: SVC

    Username : ssluser1 Index : 12
    Assigned IP : 192.168.10.1 Public IP : 192.168.1.1
    Protocol : Clientless SSL-Tunnel DTLS-Tunnel
    Encryption : RC4 AES128 Hashing : SHA1
    Bytes Tx : 194118 Bytes Rx : 197448
    Group Policy : clientgroup Tunnel Group : sslgroup
    Login Time : 17:12:23 IST Mon Mar 24 2008
    Duration : 0h:12m:00s
    NAC Result : Unknown
    VLAN Mapping : N/A VLAN : none
  • show webvpn group-alias - Displays the configured alias for the various groups.
    ciscoasa#show webvpn group-alias
    Tunnel Group: sslgroup Group Alias: sslgroup_users enabled
  • In ASDM, choose Monitoring > VPN > VPN Statistics > Sessions in order to see the current sessions on the ASA.

Troubleshoot

This section provides information you can use in order to troubleshoot your configuration.

  • vpn-sessiondb logoff name <username> - Command to log off the SSL VPN session for the particular username.
    ciscoasa#vpn-sessiondb logoff name ssluser1
    Do you want to logoff the VPN session(s)? [confirm] Y
    INFO: Number of sessions with name "ssluser1" logged off : 1

    ciscoasa#Called vpn_remove_uauth: success!
    webvpn_svc_np_tear_down: no ACL
    webvpn_svc_np_tear_down: no IPv6 ACL
    np_svc_destroy_session(0xB000)

    Similarly, you can use the vpn-sessiondb logoff anyconnect command in order to terminate all the AnyConnect sessions.

  • debug webvpn anyconnect <1-255> - Provides the real-time WebVPN events in order to establish the session.
    Ciscoasa#debug webvpn anyconnect 7
    CSTP state = HEADER_PROCESSING
    http_parse_cstp_method()
    ...input: 'CONNECT /CSCOSSLC/tunnel HTTP/1.1'
    webvpn_cstp_parse_request_field()
    ...input: 'Host: 10.198.16.132'
    Processing CSTP header line: 'Host: 10.198.16.132'
    webvpn_cstp_parse_request_field()
    ...input: 'User-Agent: Cisco AnyConnect VPN Agent for Windows 3.1.05152'
    Processing CSTP header line: 'User-Agent: Cisco AnyConnect VPN Agent for Windows
    3.1.05152'
    Setting user-agent to: 'Cisco AnyConnect VPN Agent for Windows 3.1.05152'
    webvpn_cstp_parse_request_field()
    ...input: 'Cookie: webvpn=146E70@20480@567F@50A0DFF04AFC2411E0DD4F681D330922F4B21F60'
    Processing CSTP header line: 'Cookie: webvpn=
    146E70@20480@567F@50A0DFF04AFC2411E0DD4F681D330922F4B21F60'
    Found WebVPN cookie: 'webvpn=146E70@20480@567F@50A0DFF04AFC2411E0DD4F681D330922F4B21F60'
    WebVPN Cookie: 'webvpn=146E70@20480@567F@50A0DFF04AFC2411E0DD4F681D330922F4B21F60'
    webvpn_cstp_parse_request_field()
    ...input: 'X-CSTP-Version: 1'
    Processing CSTP header line: 'X-CSTP-Version: 1'
    Setting version to '1'
    webvpn_cstp_parse_request_field()
    ...input: 'X-CSTP-Hostname: WCRSJOW7Pnbc038'
    Processing CSTP header line: 'X-CSTP-Hostname: WCRSJOW7Pnbc038'
    Setting hostname to: 'WCRSJOW7Pnbc038'
    webvpn_cstp_parse_request_field()
    ...input: 'X-CSTP-MTU: 1280'
    Processing CSTP header line: 'X-CSTP-MTU: 1280'
    webvpn_cstp_parse_request_field()
    ...input: 'X-CSTP-Address-Type: IPv6,IPv4'
    Processing CSTP header line: 'X-CSTP-Address-Type: IPv6,IPv4'
    webvpn_cstp_parse_request_field()
    webvpn_cstp_parse_request_field()
    ...input: 'X-CSTP-Base-MTU: 1300'
    Processing CSTP header line: 'X-CSTP-Base-MTU: 1300'
    webvpn_cstp_parse_request_field()
    webvpn_cstp_parse_request_field()
    ...input: 'X-CSTP-Full-IPv6-Capability: true'
    Processing CSTP header line: 'X-CSTP-Full-IPv6-Capability: true'
    webvpn_cstp_parse_request_field()
    ...input: 'X-DTLS-Master-Secret: F1810A764A0646376F7D254202A0A602CF075972F91EAD1
    9BB6BE387BB8C6F893BFB49886D47F9A4BE2EA2A030BF620D'
    Processing CSTP header line: 'X-DTLS-Master-Secret: F1810A764A0646376F7D254202A0
    A602CF075972F91EAD19BB6BE387BB8C6F893BFB49886D47F9A4BE2EA2A030BF620D'
    webvpn_cstp_parse_request_field()
    ...input: 'X-DTLS-CipherSuite: AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA'
    Processing CSTP header line: 'X-DTLS-CipherSuite: AES256-SHA:AES128-SHA:DES-CBC3
    -SHA:DES-CBC-SHA'
    webvpn_cstp_parse_request_field()
    ...input: 'X-DTLS-Accept-Encoding: lzs'
    Processing CSTL header line: 'X-DTLS-Accept-Encoding: lzs'
    webvpn_cstp_parse_request_field()
    ...input: 'X-DTLS-Header-Pad-Length: 0'
    webvpn_cstp_parse_request_field()
    ...input: 'X-CSTP-Accept-Encoding: lzs,deflate'
    Processing CSTP header line: 'X-CSTP-Accept-Encoding: lzs,deflate'
    webvpn_cstp_parse_request_field()
    ...input: 'X-CSTP-Protocol: Copyright (c) 2004 Cisco Systems, Inc.'
    Processing CSTP header line: 'X-CSTP-Protocol: Copyright (c) 2004 Cisco Systems, Inc.'
    Validating address: 0.0.0.0
    CSTP state = WAIT_FOR_ADDRESS
    webvpn_cstp_accept_address: 192.168.10.1/255.255.255.0
    webvpn_cstp_accept_ipv6_address: No IPv6 Address
    CSTP state = HAVE_ADDRESS
    SVC: Sent gratuitous ARP for 192.168.10.1.
    SVC: NP setup
    np_svc_create_session(0x5000, 0xa930a180, TRUE)
    webvpn_svc_np_setup
    SVC ACL Name: NULL
    SVC ACL ID: -1
    vpn_put_uauth success for ip 192.168.10.1!
    No SVC ACL
    Iphdr=20 base-mtu=1300 def-mtu=1500 conf-mtu=1406
    tcp-mss = 1260
    path-mtu = 1260(mss)
    mtu = 1260(path-mtu) - 0(opts) - 5(ssl) - 8(cstp) = 1247
    tls-mtu = 1247(mtu) - 20(mac) = 1227
    DTLS Block size = 16
    mtu = 1300(base-mtu) - 20(ip) - 8(udp) - 13(dtlshdr) - 16(dtlsiv) = 1243
    mod-mtu = 1243(mtu) & 0xfff0(complement) = 1232
    dtls-mtu = 1232(mod-mtu) - 1(cdtp) - 20(mac) - 1(pad) = 1210
    computed tls-mtu=1227 dtls-mtu=1210 conf-mtu=1406
    DTLS enabled for intf=2 (outside)
    tls-mtu=1227 dtls-mtu=1210
    SVC: adding to sessmgmt

    Unable to initiate NAC, NAC might not be enabled or invalid policy
    CSTP state = CONNECTED
    webvpn_rx_data_cstp
    webvpn_rx_data_cstp: got internal message
    Unable to initiate NAC, NAC might not be enabled or invalid policy
  • In ASDM, choose Monitoring > Logging > Real-time Log Viewer > View in order to see the real-time events. This example shows the session information between the AnyConnect client 192.168.10.1 and the Telnet server 10.2.2.2 on the Internet, through the ASA 172.16.1.1.
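The MTU arithmetic in the debug output above, as an added example that is not Cisco code: the script parses those lines, recomputes the TLS and DTLS tunnel MTUs with the header sizes the debug itself prints, and flags a mismatch; the sample lines are copied from this page's output.

```python
"""Recompute the AnyConnect tunnel MTUs that 'debug webvpn anyconnect' reports.
Added example, not Cisco code; DEBUG_EXCERPT is copied from this page's output."""
import re

DEBUG_EXCERPT = """\
Iphdr=20 base-mtu=1300 def-mtu=1500 conf-mtu=1406
tcp-mss = 1260
path-mtu = 1260(mss)
mtu = 1260(path-mtu) - 0(opts) - 5(ssl) - 8(cstp) = 1247
tls-mtu = 1247(mtu) - 20(mac) = 1227
DTLS Block size = 16
mtu = 1300(base-mtu) - 20(ip) - 8(udp) - 13(dtlshdr) - 16(dtlsiv) = 1243
mod-mtu = 1243(mtu) & 0xfff0(complement) = 1232
dtls-mtu = 1232(mod-mtu) - 1(cdtp) - 20(mac) - 1(pad) = 1210
computed tls-mtu=1227 dtls-mtu=1210 conf-mtu=1406
"""


def tls_mtu(path_mtu, opts=0, ssl=5, cstp=8, mac=20):
    """TLS tunnel payload: the TCP path MTU less TCP options, the SSL record
    header, the CSTP header and the SHA1 MAC (sizes as printed by the debug)."""
    return path_mtu - opts - ssl - cstp - mac


def dtls_mtu(base_mtu, ip=20, udp=8, hdr=13, iv=16, block=16, cdtp=1, mac=20, pad=1):
    """DTLS tunnel payload: strip IP/UDP/DTLS headers and the IV from the client's
    base MTU, round down to the cipher block, then strip the CDTP byte, MAC and pad."""
    mtu = base_mtu - ip - udp - hdr - iv
    mod_mtu = mtu - mtu % block  # the debug shows this as '& 0xfff0' for 16-byte blocks
    return mod_mtu - cdtp - mac - pad


def check_debug(text):
    """Parse the MTU lines of a 'debug webvpn anyconnect' capture and compare the
    reported tls-mtu/dtls-mtu with values recomputed from path-mtu and base-mtu."""
    # 'key=value' and 'key = value' pairs; a repeated key keeps its last value,
    # so 'tls-mtu' and 'dtls-mtu' end up as the final 'computed ...' figures.
    kv = {k: int(v) for k, v in re.findall(r"([\w-]+) ?= ?(\d+)", text)}
    block = re.search(r"DTLS Block size = (\d+)", text)
    computed = {
        "tls-mtu": tls_mtu(kv["path-mtu"]),
        "dtls-mtu": dtls_mtu(kv["base-mtu"], block=int(block[1]) if block else 16),
    }
    reported = {k: kv[k] for k in computed}
    return {
        "reported": reported,
        "computed": computed,
        "consistent": reported == computed,
        # The configured 'anyconnect mtu' (conf-mtu) is only a ceiling; on this
        # page the path-derived values are lower, so they are the ones in effect.
        "path_limited": max(computed.values()) < kv["conf-mtu"],
    }
```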

Document ID: 100918