Deploying webvpn on Cisco ASA

Source: Internet
Author: User
Tags: webvpn, trustpoint

Cisco ASA webvpn Configuration

I. Lab Environment

Network environment: a Cisco ASA firewall simulated in VMware.

External (outside) network: 192.168.1.0

Internal (inside) network: 10.80.1.0

II. Configure Cisco ASA

ciscoasa# configure terminal

ciscoasa(config)# interface ethernet 0/0

ciscoasa(config-if)# ip address 192.168.1.200 255.255.255.0

ciscoasa(config-if)# nameif outside

ciscoasa(config-if)# security-level 0

ciscoasa(config-if)# no shutdown

ciscoasa(config-if)# interface ethernet 0/1

ciscoasa(config-if)# ip address 10.80.1.254 255.255.255.0

ciscoasa(config-if)# nameif inside

ciscoasa(config-if)# security-level 100

ciscoasa(config-if)# no shutdown

ciscoasa(config-if)# exit

ciscoasa(config)# route outside 0 0 192.168.1.1

III. Configuration Steps

1. Configure the certificate

Generate an RSA key pair named sslvpnkeypair, issue a self-signed certificate from it and bind that certificate to the outside interface. By default the ASA regenerates its self-signed certificate after every restart; a certificate purchased from a vendor (CA) persists across device restarts.

(1) Generate the RSA key pair. The label must be unique.

ciscoasa(config)# crypto key generate rsa label sslvpnkeypair

(2) Create a trustpoint that issues a self-signed certificate. The subject-name CN should match the FQDN that clients connect to.

ciscoasa(config)# crypto ca trustpoint localtrust

ciscoasa(config-ca-trustpoint)# enrollment self

ciscoasa(config-ca-trustpoint)# fqdn sslvpn.frank.org

ciscoasa(config-ca-trustpoint)# subject-name CN=sslvpn.frank.org

ciscoasa(config-ca-trustpoint)# keypair sslvpnkeypair

ciscoasa(config-ca-trustpoint)# exit

ciscoasa(config)# crypto ca enroll localtrust noconfirm

ciscoasa(config)# ssl trust-point localtrust outside

2. Upload the SSL VPN client (AnyConnect) image to the ASA. If you do not have the image, download it from Cisco's website, place it on a local FTP server, log on to the ASA and copy it to flash (replace <ftp-server-ip> with the address of your FTP server).

ciscoasa(config)# copy ftp://Frank:Frank@<ftp-server-ip>/ASA/anyconnect-win-2.2.0133-k9.pkg disk0:/

ciscoasa(config)# webvpn

ciscoasa(config-webvpn)# svc image disk0:/anyconnect-win-2.2.0133-k9.pkg

3. Enable SSL VPN access

If this is not enabled, the SSL VPN portal page cannot be opened in a browser.

ciscoasa(config-webvpn)# enable outside

ciscoasa(config-webvpn)# svc enable

ciscoasa(config-webvpn)# exit

4. Create an SSL VPN address pool

Remote-access clients are assigned an IP address at logon, so create an address pool for them. If a DHCP server already exists, it can be used instead.

ciscoasa(config)# ip local pool SSLClientPool 10.80.1.245-10.80.1.250 mask 255.255.255.0

5. Create a group policy

The group policy specifies the parameters that apply to connected clients.

ciscoasa(config)# group-policy SSLClientPolicy internal

ciscoasa(config)# group-policy SSLClientPolicy attributes

ciscoasa(config-group-policy)# vpn-tunnel-protocol svc

ciscoasa(config-group-policy)# default-domain value frank.org

ciscoasa(config-group-policy)# address-pools value SSLClientPool

ciscoasa(config-group-policy)# exit

6. Configure access-list bypass

The sysopt connection permit-vpn command tells the ASA to let traffic from SSL/IPsec VPN clients bypass the interface access lists. Once set, VPN client traffic is restricted only by what the group policy allows, not by the interface ACLs.

ciscoasa(config)# sysopt connection permit-vpn

7. Create a connection profile (tunnel group)

When a client connects to the ASA, it lands in a connection profile, also known as a tunnel group, which defines the specific connection parameters that client uses.

First, create a remote-access tunnel group for the SSL client.

ciscoasa(config)# tunnel-group SSLClientProfile type remote-access

Next, assign the tunnel group its general and webvpn attributes.

ciscoasa(config)# tunnel-group SSLClientProfile general-attributes

ciscoasa(config-tunnel-general)# default-group-policy SSLClientPolicy

ciscoasa(config-tunnel-general)# tunnel-group SSLClientProfile webvpn-attributes

ciscoasa(config-tunnel-webvpn)# group-alias SSLVPNClient enable

ciscoasa(config-tunnel-webvpn)# exit

8. Enable the tunnel group list in webvpn

After this is enabled, a GROUP drop-down list appears on the login page; otherwise no group list is shown.

ciscoasa(config)# webvpn

ciscoasa(config-webvpn)# tunnel-group-list enable

ciscoasa(config-webvpn)# exit

9. Configure NAT exemption

Tell the ASA not to translate addresses for traffic between remote-access clients and the internal network they access.

First, create an access list that defines this traffic, then reference it in the NAT 0 statement for the inside interface.

ciscoasa(config)# access-list inside_nat0_outbound extended permit ip 10.80.1.0 255.255.255.0 192.168.1.0 255.255.255.0

ciscoasa(config)# nat (inside) 0 access-list inside_nat0_outbound

10. Configure users

Create a local user for the SSL VPN.

ciscoasa(config)# username Frank password Frank

ciscoasa(config)# username Frank attributes

ciscoasa(config-username)# exit

11. Save the configuration

ciscoasa(config)# write memory

12. Connect with a client

Open https://192.168.1.200 (the ASA outside address) in Internet Explorer and log in.

13. Configure split tunneling

ciscoasa(config)# access-list vpnclient_splitTunnelAcl standard permit 10.80.1.0 255.255.255.0

ciscoasa(config)# group-policy SSLClientPolicy attributes

ciscoasa(config-group-policy)# split-tunnel-policy tunnelspecified

ciscoasa(config-group-policy)# split-tunnel-network-list value vpnclient_splitTunnelAcl

ciscoasa(config-group-policy)# exit

ciscoasa(config)# write memory

With this configuration only traffic destined for 10.80.1.0/24 is sent through the SSL VPN tunnel; all other traffic leaves through the client's normal network connection.
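As an added example (not part of the original page or Cisco's tooling), a short Python audit of the running config the steps above produce. It checks the mistakes that most often break this setup: a certificate whose CN differs from its fqdn, a webvpn section missing enable/svc/tunnel-group-list, NAT-exemption or split-tunnel statements that name an access-list that does not exist, and permit-vpn with no vpn-filter in any group policy. The sample config is constructed here from the page's commands and deliberately seeded with two defects.

```python
import re

# Constructed sample (not from the page): the running config the steps above produce,
# seeded with a CN/fqdn domain mismatch and a misspelled nat0 access-list name.
SAMPLE_CONFIG = """\
crypto ca trustpoint localtrust
 fqdn sslvpn.frank.org
 subject-name CN=sslvpn.frank.com
ssl trust-point localtrust outside
webvpn
 enable outside
 svc enable
 tunnel-group-list enable
group-policy SSLClientPolicy attributes
 split-tunnel-network-list value vpnclient_splitTunnelAcl
sysopt connection permit-vpn
access-list vpnclient_splitTunnelAcl standard permit 10.80.1.0 255.255.255.0
access-list inside_nat0_outboud extended permit ip 10.80.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""

def block(config: str, header: str) -> str:
    """Return the indented body of the config block whose first line is `header`."""
    m = re.search(rf"^{re.escape(header)}\n((?: .*\n)*)", config, re.M)
    return m.group(1) if m else ""

def audit_asa_webvpn(config: str) -> list[str]:
    """Report the mistakes that stop this page's SSL VPN setup from working."""
    findings = []
    acls = set(re.findall(r"^access-list (\S+)", config, re.M))
    # Step 1: a trust-point must be bound to outside and its CN should equal its fqdn
    tp = re.search(r"^ssl trust-point (\S+) outside", config, re.M)
    body = block(config, f"crypto ca trustpoint {tp.group(1)}") if tp else ""
    fqdn, cn = re.search(r"fqdn (\S+)", body), re.search(r"subject-name CN=(\S+)", body)
    if not tp or (fqdn and cn and fqdn.group(1) != cn.group(1)):
        findings.append("outside certificate: no trust-point bound or its CN differs from its fqdn")
    # Steps 3 and 8: without these the portal does not load or shows no GROUP list
    for needed in ("enable outside", "svc enable", "tunnel-group-list enable"):
        if needed not in block(config, "webvpn"):
            findings.append(f"webvpn: missing '{needed}'")
    # Steps 9 and 13: the NAT-exemption and split-tunnel statements must name real ACLs
    refs = r"(?:nat \(\S+\) 0 access-list|split-tunnel-network-list value) (\S+)"
    for name in re.findall(refs, config):
        if name not in acls:
            findings.append(f"access-list {name} is referenced but not defined")
    # Step 6: permit-vpn bypasses interface ACLs, so only a vpn-filter limits VPN clients
    if "sysopt connection permit-vpn" in config and "vpn-filter value" not in config:
        findings.append("sysopt connection permit-vpn set but no vpn-filter restricts VPN clients")
    return findings
```

Run it against the output of `show running-config` saved to a file to catch the name mismatches before clients report that the portal or the group list is missing.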

Author: "Gone with the wind"
