I. Overview:
In real deployments you often see an SSL VPN appliance deployed in bypass (one-arm) mode that supports both a routed mode and a NAT mode. In routed mode, the intranet must have a route back to the addresses in the VPN address pool. In NAT mode, when a VPN client accesses an intranet host, the host sees the VPN device's interface address as the source, so the intranet does not need a route to the VPN address pool. To test how the same deployment works on Cisco devices, test L2L and EZVPN first, and then SSL VPN if time permits.
II. Basic ideas:
A. The L2L VPN and EZVPN at headquarters are both configured in dynamic VTI (DVTI) mode.
B. If NAT is needed, configure NAT on the virtual-template interface.
C. The experiment also shows that L2L and EZVPN configured through DVTI do not interfere with each other.
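As an added example (not configuration from the original post), the following IOS fragment shows idea B for the EZVPN side: clients terminate on a dynamic VTI, and NAT on the virtual-template translates pool addresses to the intranet-facing interface address, so the intranet needs no route to the pool. Interface names, addresses, the group name and the pool range are assumptions.

```cisco
! Added example, not the post's own configuration.
! Assumed: Ethernet0/0 faces the Internet, Ethernet0/1 faces the intranet,
! the EZVPN pool is 172.16.1.0/24, the intranet is 192.168.100.0/24.
aaa new-model
aaa authentication login ezvpn-auth local
aaa authorization network ezvpn-group local
username vpnuser password 0 CHANGE_ME_USER_PASSWORD
!
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
!
ip local pool EZVPN-POOL 172.16.1.1 172.16.1.100
crypto isakmp client configuration group EZVPN-GROUP
 key CHANGE_ME_GROUP_KEY
 pool EZVPN-POOL
!
crypto isakmp profile EZVPN-PROF
 match identity group EZVPN-GROUP
 client authentication list ezvpn-auth
 isakmp authorization list ezvpn-group
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto ipsec profile EZVPN-IPSEC
 set transform-set TS
 set isakmp-profile EZVPN-PROF
!
! Each connecting client is cloned from this template; "ip nat inside"
! here is what makes the client's pool address subject to translation.
interface Virtual-Template1 type tunnel
 ip unnumbered Ethernet0/0
 ip nat inside
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile EZVPN-IPSEC
!
interface Ethernet0/1
 description intranet side (assumed)
 ip address 192.168.100.254 255.255.255.0
 ip nat outside
!
! Pool sources heading for the intranet leave as 192.168.100.254,
! which is why the intranet hosts never need a route to 172.16.1.0/24.
access-list 100 permit ip 172.16.1.0 0.0.0.255 192.168.100.0 0.0.0.255
ip nat inside source list 100 interface Ethernet0/1 overload
```

Without the NAT lines, the same DVTI setup is the routed mode described in the overview, and the intranet must then route 172.16.1.0/24 back to the VPN router.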
III. Test topology:
IV. Basic configuration:
A. inside_router
interface ethernet0/0
 ip address 192.168.1.1 255.255.255.0
 no shut
ip route 0.0.0.0 0.0.0.0 192.168.1.254
B. asa842:
interface GigabitEthernet0
 nameif Inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
 no shut
interface GigabitEthernet1
 nameif DMZ
 security-level 50
 ip address 10.1.1.254 255.255.255.0
 no shut
interface GigabitEthernet2
 nameif Outside
 security-level 0
 ip address 202.100.1.1 255.255.255.0
 no shut
route Outside 0.0.0.0 0.0.0.0 202.100.1.10 1