There are many VPN products on the Cisco ASA Web VPN configuration market and their technologies are different. For example, in the traditional IPSec VPN, SSL allows the company to achieve more remote users to access the VPN in different locations, this service enables more network resources to be accessed and has low requirements on client devices, reducing the configuration and operation support costs. Many enterprise users adopt ssl vpn as the remote secure access technology and focus on its access control function. Ssl vpn provides enhanced remote secure access. IPSec VPN provides direct (non-proxy) Access by creating a tunnel between the two sites to achieve transparent access to the entire network. Once the tunnel is created, the user's PC is physically in the enterprise LAN. This brings a lot of security risks, especially when the access permissions of users are too large. Ssl vpn provides secure and proxy connections. Only authenticated users can access resources, which is much safer. Www.2cto.com ssl vpn can segment the encrypted tunnel so that end users can access the Internet and access internal enterprise network resources at the same time, that is, it has controllable functions. In addition, ssl vpn can refine the access control function to grant different access permissions to different users for scalable access; this precise access control function is almost impossible for remote access to IPSec VPN. Ssl vpn is basically not restricted by access locations. It can access network resources from numerous Internet access devices and from any remote location. Ssl vpn communication is transmitted based on the standard TCP/UDP protocol. Therefore, it can traverse all NAT devices, proxy-based firewalls, and status detection firewalls. This allows users to access from anywhere, whether in a proxy-based firewall in another company's network or through broadband connections. IPSec VPN is difficult to implement in a slightly complex network structure because it is difficult to implement firewall and NAT traversal, and cannot resolve IP address conflicts. In addition, ssl vpn can be connected from manageable enterprise devices or non-managed devices, such as home PCs or public Internet access sites, while IPSec VPN clients can only be connected from manageable or fixed devices. With the increasing demand for remote access, remote access to IPSec VPN is greatly challenged in terms of access control, and the management and operation support costs are high. It is the best solution to achieve point-to-point connection, however, to achieve remote secure access anywhere, ssl vpn is much more ideal. Www.2cto.com ssl vpn does not require complex client support, which is easy to install and configure, significantly reducing costs. IPSec VPN needs to install a specific device on the remote end user side to establish a secure tunnel, and in many cases it is quite difficult to establish a tunnel in an external (or non-enterprise-controlled) device. In addition, such complex clients are difficult to upgrade, and new users may face more troubles, such as system operation support, time overhead, and management issues. The initial cost of the IPSec solution is low, but the operation support cost is high. Today, SSL developers can provide network-Layer Support for network application access, just as remote machines are in the LAN. At the same time, it provides application-layer access for Web applications and access to many client/server applications. After learning about the above basic factors, we will start the experiment below: Step 1 of www.2cto.com, the basic configuration of ASA: Archasa (config) # int e0/0 Archasa (config-if) # ip add 192.168.0.1 255.255.255.0Archasa (config-if) # nameif outside Archasa (config-if) # no shutArchasa (config-if) # exitArchasa (config) # int e0/1 Archasa (config-if) # ip add 172.20.59.10 255.255.255.0Archasa (config-if) # nameif insideArchasa (config-if) # no shutArchasa (config-if) # exitArchasa (config) # webvpnArchasa (config-webvpn) # enable outsideArchasa (config-webvpn) # svc image disk0:/sslclient-win-1.1.2.169.pkgArchasa (config-webvpn) # svc enable # The above configuration is to start WEBVPN on the outer network port and start the ssl vpn function at the same time. 2. ssl vpn configuration preparation # create an ssl vpn user address pool Archasa (config) # ip local pool ssl-user 10.10.10.1-10.10.10.50 # Configure ssl vpn data streams without NAT translation Archasa (config) # access-list go-vpn permit ip 172.20.50.0 255.255.255.0 10.10.0#255.255.0archasa (config) # nat (inside) 0 access-list go-vpnwww.2cto.com 3, web vpn tunnel group and policy group configuration # create a group policy named mysslvpn-group-policy Archasa (config) # group-policy mysslvpn-group-policy internalArchasa (config) # group-policy mysslvpn-group-policy attributesArchasa (config-group-policy) # vpn-tunnel-protocol webvpnArchasa (config-group-policy) # webvpn # enable SSL VPNArchasa (config-group-webvpn) in the group policy) # svc enableArchasa (config-group-webvpn) # exitArchasa (config-group-policy) # exitArchasa (config )#
# Create an ssl vpn user Archasa (config-webvpn) # username test password woaicisco # grant the mysslvpn-group-plicy policy to the user testArchasa (config) # username test attributesArchasa (config-username) # vpn-group-policy mysslvpn-group-policyArchasa (config-username) # exitArchasa (config) # tunnel-group mysslvpn-group type webvpnArchasa (config) # tunnel-group mysslvpn-group general-attributes # Use the user address pool Archasa (config-tunnel-general) # addres S-pool ssl-userArchasa (config-tunnel-general) # exitArchasa (config) # tunnel-group mysslvpn-group webvpn-attributesArchasa (config-tunnel-webvpn) # group-alias group2 enable Archasa (config-tunnel-webvpn) # exitArchasa (config) # webvpnArchasa (config-webvpn) # tunnel-group-list enable www.2cto.com 4. Configure ssl vpn tunnel separation # note that ssl vpn tunnel separation is optional and can be performed based on actual needs. # The source address here is the INSIDE address of ASA, and the target address is always ANYArchasa (config) # access-list split-ssl extended permit ip 10.10.1.0 255.255.255.0 anyArchasa (config) # group-policy mysslvpn-group-policy attributesArchasa (config-group-policy) # split-tunnel-policy tunnelspecifiedArchasa (config-group-policy) # split-tunnel-network-list value split-ssl basically the entire configuration is complete. You can perform the test below: enter [domain name access web vpn in the browser, in the dialog box that appears, enter the user name and password and click Login. At this time, the system will pop up asking to install the ssl vpn client Program, click "YES", the system will automatically install and connect to SSLVPN, after SSLVPN connection, a small key will appear on the taskbar in the lower right corner. You can double-click it to view its status.