ZDNet Network Channel: Complete VPN Technology Collection, Volume 3, Chapter 2 (SSL VPN)

SSL overview: Secure Socket Layer (SSL) is a protocol that provides a secure channel between two machines. It protects the data in transit and identifies the communicating machines. The secure channel is transparent, meaning it does not modify the data it carries. Between the client and the server ...

Author: compiled from forum posts. Source: ZDNet Network Security, 19 January 2008

Keywords: security protection, firewall, VPN


Choose the interface to terminate WebVPN users > Enable > Apply.

2 Choose Servers and URLs > Add

Enter a name for the list of servers accessible by WebVPN. Click the Add button. The Add Server or URL dialogue box displays. Enter the name of each server. This is the name that the client sees. Choose the URL drop-down menu for each server and choose the appropriate protocol. Add servers to your list from the Add Server or URL dialogue box and click OK.

Click Apply > Save.

3 Expand General in the left menu of ASDM. Choose Group Policy > Add.

Choose Add Internal Group Policy. Uncheck the Tunneling Protocols: Inherit check box. Check the WebVPN check box.

Choose the WebVPN tab. Uncheck the Inherit check box. Choose from the list of features. Click OK > Apply.

4 Choose the Tunnel Group in the left column. Click the Edit button.

Click the Group Policy drop-down menu. Choose the policy that was created in Step 3.

It is important to note that if new Group Policies and Tunnel Groups are not created, the defaults are GroupPolicy1 and DefaultWEBVPNGroup. Click the WebVPN tab.

Choose NetBIOS Servers. Click the Add button. Fill in the IP address of the WINS/NBNS server. Click OK > OK. Follow the prompts Apply > Save > Yes to write the configuration.

Command-line configuration

ciscoasa#show running-config
 Building configuration...

ASA Version 7.2(1)
hostname ciscoasa
domain-name cisco.com
enable password 9jNfZuG3TC5tCVH0 encrypted
names
dns-guard
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 172.22.1.160 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.2.2.1 255.255.255.0
interface Ethernet0/2
 nameif DMZ1
 security-level 50
 no ip address
interface Management0/0
 description For Mgt only
 shutdown
 nameif Mgt
 security-level 0
 ip address 10.10.10.1 255.255.255.0
 management-only
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name cisco.com
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ1 1500
mtu Mgt 1500
icmp permit any outside
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.2.2.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 172.22.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
!
!--- group policy configurations
!
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 webvpn
  functions url-entry file-access file-entry file-browsing mapi port-forward filter http-proxy auto-download citrix
username cisco password 53QNetqK.Kqqfshe encrypted
!
!--- asdm configurations
!
http server enable
http 10.2.2.0 255.255.255.0 inside
!
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
!--- tunnel group configurations
!
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy GroupPolicy1
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server 10.2.2.2 master timeout 2 retry 2
!
telnet timeout 5
ssh 172.22.1.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
!
!--- webvpn configurations
!
webvpn
 enable outside
 url-list ServerList "WSHAWLAP" cifs://10.2.2.2 1
 url-list ServerList "FOCUS_SRV_1" https://10.2.2.3 2
 url-list ServerList "FOCUS_SRV_2" http://10.2.2.4 3
!
prompt hostname context
!
end

Verification

Establish a connection to your ASA device from an outside client to test this:

https://ASA_outside_IP_Address

The client receives a Cisco WebVPN page that allows access to the corporate LAN in a secure fashion. The client is allowed only the access that is listed in the newly created group policy.

Authentication: a simple login and password were created on the ASA for this lab proof of concept.
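As an added check (example code written for this page, not Cisco's or the site's), the following Python script parses the WebVPN-relevant part of a running-config like the one listed above and confirms that the objects the ASDM steps tie together actually line up: the tunnel group's default-group-policy exists and lists webvpn in its vpn-tunnel-protocol, WebVPN is enabled on an interface, and url-list entries whose portal-to-server hop is cleartext http:// are reported. SAMPLE_CONFIG is a constructed excerpt of the listing above, and the block-parsing rule (indented lines belong to the preceding unindented header) is an assumption that holds for this listing.

```python
import re
# Constructed excerpt of the WebVPN-relevant lines from the running-config above (sample input).
SAMPLE_CONFIG = """\
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy GroupPolicy1
webvpn
 enable outside
 url-list ServerList "WSHAWLAP" cifs://10.2.2.2 1
 url-list ServerList "FOCUS_SRV_1" https://10.2.2.3 2
 url-list ServerList "FOCUS_SRV_2" http://10.2.2.4 3
"""

def parse_blocks(config):
    """Group an ASA config into (header, [indented child lines]); blank and '!' lines are skipped."""
    blocks = []
    for raw in (l for l in config.splitlines() if l.strip() and not l.startswith("!")):
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def audit_webvpn(config):
    """Cross-check the objects the ASDM steps tie together: group policy -> tunnel group -> portal."""
    defined, webvpn_ok, enabled, default_pol, findings = set(), set(), [], {}, []
    for header, body in parse_blocks(config):
        w = header.split()
        if w[0] == "group-policy" and w[-1] in ("internal", "external"):
            defined.add(w[1])
        elif w[0] == "group-policy" and w[-1] == "attributes":
            if any(b.startswith("vpn-tunnel-protocol") and "webvpn" in b.split() for b in body):
                webvpn_ok.add(w[1])
        elif w[0] == "tunnel-group" and w[-1] == "general-attributes":
            for b in body:
                if b.startswith("default-group-policy "):
                    default_pol[w[1]] = b.split()[1]
        elif header == "webvpn":
            enabled += [b.split()[1] for b in body if b.startswith("enable ")]
            for b in body:  # the portal-to-server hop is cleartext for http:// entries
                if m := re.match(r'url-list \S+ "([^"]+)" (http://\S+)', b):
                    findings.append(f"url-list entry {m.group(1)} uses cleartext {m.group(2)}")
    for tg, pol in default_pol.items():
        if pol not in defined:
            findings.append(f"{tg}: default-group-policy {pol} is not defined")
        elif pol not in webvpn_ok:
            findings.append(f"{tg}: {pol} does not list webvpn in vpn-tunnel-protocol")
    return {"enabled": enabled, "tunnel_groups": default_pol, "findings": findings}
```

Run it over the output of `show running-config` saved to a file; an empty findings list for the page's configuration means only the cleartext FOCUS_SRV_2 entry would remain to review.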
