Cisco ASA WebVPN Configuration
I. Lab Environment
Cisco ASA firewall simulated on VMware
Network environment: external (outside) network 192.168.1.0
Internal (inside) network 10.80.1.0
II. Configure Cisco ASA
ciscoasa# configure terminal
ciscoasa(config)# interface ethernet 0/0
ciscoasa(config-if)# ip address 192.168.1.200 255.255.255.0
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface ethernet 0/1
ciscoasa(config-if)# ip address 10.80.1.254 255.255.255.0
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown
ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 192.168.1.1
III. Configure the Certificate
Generate an RSA key pair named sslvpnkeypair, issue a self-signed certificate from it, and apply that certificate to the "outside" interface. By default the ASA regenerates its self-signed certificate after every restart. A certificate purchased from a vendor CA persists across restarts of the device.
1. Generate the RSA key pair. The label must be unique on the device.
ciscoasa(config)# crypto key generate rsa label sslvpnkeypair
2. Create a self-signed trustpoint and enroll it to issue the certificate.
ciscoasa(config)# crypto ca trustpoint localtrust
ciscoasa(config-ca-trustpoint)# enrollment self
ciscoasa(config-ca-trustpoint)# fqdn sslvpn.frank.org
ciscoasa(config-ca-trustpoint)# subject-name CN=sslvpn.frank.com
ciscoasa(config-ca-trustpoint)# keypair sslvpnkeypair
ciscoasa(config-ca-trustpoint)# crypto ca enroll localtrust noconfirm
ciscoasa(config)# ssl trust-point localtrust outside
2. Upload the SSL VPN client image to the ASA. If you do not have it, download the AnyConnect image from the official Cisco website, place it on a local FTP server, log on to the ASA and copy it to flash (IP below stands for the FTP server's address).
ciscoasa(config)# copy ftp://Frank:Frank@IP/ASA/anyconnect-win-2.2.0133-k9.pkg disk0:/
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# svc image disk0:/anyconnect-win-2.2.0133-k9.pkg
3. Enable SSL VPN access
If it is not enabled, the SSL VPN page cannot be opened in a browser.
ciscoasa(config-webvpn)# enable outside
ciscoasa(config-webvpn)# svc enable
ciscoasa(config-webvpn)# exit
4. Create an SSL VPN address pool
Remote-access clients must be assigned an IP address at logon, so create an address pool for them. If a DHCP server already exists, it can be used instead.
ciscoasa(config)# ip local pool SSLClientPool 10.80.1.245-10.80.1.250 mask 255.255.255.0
5. Create a group policy
The group policy specifies the parameters applied to connected clients.
ciscoasa(config)# group-policy SSLClientPolicy internal
ciscoasa(config)# group-policy SSLClientPolicy attributes
ciscoasa(config-group-policy)# vpn-tunnel-protocol svc
ciscoasa(config-group-policy)# default-domain value frank.org
ciscoasa(config-group-policy)# address-pools value SSLClientPool
ciscoasa(config-group-policy)# exit
6. Configure access-list bypass
With the sysopt connection permit-vpn command, the ASA lets traffic from SSL/IPsec VPN clients bypass the interface access lists.
ciscoasa(config)# sysopt connection permit-vpn
7. Create a connection profile (tunnel group)
When a client connects to the ASA, it lands in a connection profile, also known as a tunnel group, which defines the specific connection parameters used for that session.
First, create the tunnel group for the SSL client:
ciscoasa(config)# tunnel-group SSLClientProfile type remote-access
Next, assign the tunnel group its attributes:
ciscoasa(config)# tunnel-group SSLClientProfile general-attributes
ciscoasa(config-tunnel-general)# default-group-policy SSLClientPolicy
ciscoasa(config-tunnel-general)# tunnel-group SSLClientProfile webvpn-attributes
ciscoasa(config-tunnel-webvpn)# group-alias SSLVPNClient enable
ciscoasa(config-tunnel-webvpn)# exit
8. Enable the tunnel-group list in webvpn.
Once enabled, the login page shows a GROUP drop-down; otherwise no group list is shown.
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# tunnel-group-list enable
ciscoasa(config-webvpn)# exit
9. Configure NAT exemption
Tell the ASA not to translate addresses for traffic between remote-access clients and the internal network they access.
First, create an access list that defines that traffic, then reference it in the interface's NAT 0 statement.
ciscoasa(config)# access-list inside_nat0_outbound extended permit ip 10.80.1.0 255.255.255.0 192.168.1.0 255.255.255.0
ciscoasa(config)# nat (inside) 0 access-list inside_nat0_outbound
10. Configure users
Create a user and assign the user to the SSL VPN.
ciscoasa(config)# username Frank password Frank
ciscoasa(config)# username Frank attributes
ciscoasa(config-username)# exit
11. Save
ciscoasa(config)# write memory
12. Connect with a client
Browse to the ASA's outside address over HTTPS in the IE browser.
13. Configure split tunneling
ciscoasa(config)# access-list vpnclient_splitTunnelAcl standard permit 10.80.1.0 255.255.255.0
ciscoasa(config)# group-policy SSLClientPolicy attributes
ciscoasa(config-group-policy)# split-tunnel-policy tunnelspecified
ciscoasa(config-group-policy)# split-tunnel-network-list value vpnclient_splitTunnelAcl
ciscoasa(config-group-policy)# exit
ciscoasa(config)# write memory
With this configuration, only traffic destined for 10.80.1.0/24 goes through the SSL VPN; all other traffic uses the client's default network path.
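Several of the steps above (NAT exemption, split tunneling, the group policy and the trustpoint) reference objects by name, and a misspelled name such as an access list that differs by one letter between its definition and the nat statement silently leaves the feature unconfigured. The following checker is an added example, not part of the original page or of any Cisco tool; it parses a constructed running-config snippet built from this page's commands (the ACL-name typo deliberately left in) and reports every reference to an object that is never defined.

```python
import re

# Constructed sample (not captured from a real device): this page's SSL VPN
# configuration, with an access-list name typo left in for the checker to find.
SAMPLE_CONFIG = """\
crypto ca trustpoint localtrust
ssl trust-point localtrust outside
ip local pool SSLClientPool 10.80.1.245-10.80.1.250 mask 255.255.255.0
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
 address-pools value SSLClientPool
 split-tunnel-network-list value vpnclient_splitTunnelAcl
access-list inside_nat0_outboud extended permit ip 10.80.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-list vpnclient_splitTunnelAcl standard permit 10.80.1.0 255.255.255.0
tunnel-group SSLClientProfile general-attributes
 default-group-policy SSLClientPolicy
"""
# Commands that define a named object: (object kind, regex capturing the name).
DEFINES = [
    ("access-list", r"^access-list (\S+) "),
    ("ip local pool", r"^ip local pool (\S+) "),
    ("group-policy", r"^group-policy (\S+) internal$"),
    ("trustpoint", r"^crypto ca trustpoint (\S+)$"),
]
# Commands that refer to such an object by name: (object kind, regex capturing the name).
REFERENCES = [
    ("access-list", r"^nat \(\S+\) 0 access-list (\S+)$"),
    ("access-list", r"^ split-tunnel-network-list value (\S+)$"),
    ("ip local pool", r"^ address-pools value (\S+)$"),
    ("group-policy", r"^ default-group-policy (\S+)$"),
    ("trustpoint", r"^ssl trust-point (\S+) "),
]

def find_dangling_references(config_text):
    """Return a list of (kind, name, line_no) for references to objects never defined."""
    lines = config_text.splitlines()
    defined = {kind: set() for kind, _ in DEFINES}
    for line in lines:  # first pass: collect every defined name per object kind
        for kind, pattern in DEFINES:
            match = re.match(pattern, line)
            if match:
                defined[kind].add(match.group(1))
    dangling = []
    for line_no, line in enumerate(lines, start=1):  # second pass: check references
        for kind, pattern in REFERENCES:
            match = re.match(pattern, line)
            if match and match.group(1) not in defined[kind]:
                dangling.append((kind, match.group(1), line_no))
    return dangling
```

Run against the sample it reports the nat statement referencing inside_nat0_outbound, which the misspelled access-list line never defines; feed it the output of show running-config to check a real deployment.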
Author: "Gone with the wind"