1. Configure the SSL certificate

! Generate the RSA key pair that the trustpoint references (the original omits this step)
crypto key generate rsa label sslvpn_keypair modulus 2048
crypto ca trustpoint TP_SSL
 enrollment self
 subject-name CN=sslvpn.example.com
 keypair sslvpn_keypair
 crl configure
 exit
 exit
! A self-signed trustpoint is enrolled locally; "crypto ca authenticate" applies only to an external CA
crypto ca enroll TP_SSL noconfirm

2. Configure the SSL VPN group policy

group-policy SSLVPN_POLICY internal
group-policy SSLVPN_POLICY attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SSLVPN_SPLIT_TUNNEL
 address-pools value SSLVPN_POOL
 default-domain value example.com
 dns-server value 8.8.8.8
 webvpn
  svc keep-installer installed
  exit
 exit
! The split-tunnel networks (192.168.0.0/24, 10.0.0.0/24, 172.16.0.0/16, 192.168.1.0/24)
! come from the SSLVPN_SPLIT_TUNNEL access list below; "svc split include" is not an ASA command.
! The certificate is bound with the global "ssl trust-point" command, not inside the group policy.

3. Configure SSL VPN users

! Local accounts; note that the tunnel group below authenticates against LDAP, so these are only a fallback
username user1 password pass1
username user2 password pass2

4. Configure the split-tunnel access list

access-list SSLVPN_SPLIT_TUNNEL standard permit 192.168.0.0 255.255.255.0
access-list SSLVPN_SPLIT_TUNNEL standard permit 10.0.0.0 255.255.255.0
access-list SSLVPN_SPLIT_TUNNEL standard permit 172.16.0.0 255.255.0.0
access-list SSLVPN_SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0

5. Configure the address pool

ip local pool SSLVPN_POOL 192.168.255.1 192.168.255.10

6. Configure the interfaces

interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 nameif inside
 security-level 100
 exit

interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 nameif outside
 security-level 0
 exit

7. Configure NAT (exempt VPN client traffic)

! Twice NAT takes network objects, not a local pool name; SSLVPN_POOL_OBJ is an added object covering the pool range
object network SSLVPN_POOL_OBJ
 range 192.168.255.1 192.168.255.10
 exit
nat (inside,outside) source static any any destination static SSLVPN_POOL_OBJ SSLVPN_POOL_OBJ no-proxy-arp route-lookup

8. Configure global parameters

webvpn
 enable outside
 exit

! Cipher list as given on the page; 3des-sha1 is a legacy suite and should be dropped where clients allow it
ssl encryption aes256-sha1 aes128-sha1 3des-sha1
ssl trust-point TP_SSL outside

9. Configure the authentication server

aaa-server LDAP protocol ldap
aaa-server LDAP (outside) host 192.168.1.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password ******
 ldap-login-dn CN=Administrator,CN=Users,DC=example,DC=com
 exit
! Without "ldap-over-ssl enable" the bind DN and password travel to the server in cleartext

10. Configure the authentication method (tunnel group)

tunnel-group SSLVPN_TUNNEL type remote-access
tunnel-group SSLVPN_TUNNEL general-attributes
 default-group-policy SSLVPN_POLICY
 address-pool SSLVPN_POOL
 authentication-server-group LDAP
 exit
tunnel-group SSLVPN_TUNNEL webvpn-attributes
 group-alias SSLVPN_ALIAS enable
 exit

11. Configure the SSL VPN port (certificate binding per interface)

ssl trust-point TP_SSL outside
ssl trust-point TP_SSL inside

12. Configure the SSL VPN port ACL

access-list SSLVPN_ACL extended permit tcp any any eq 443
access-list SSLVPN_ACL extended permit udp any any eq 443
access-list SSLVPN_ACL extended permit tcp any any eq 4434
access-list SSLVPN_ACL extended permit tcp any any eq 4444
access-list SSLVPN_ACL extended permit tcp any any eq 8443
access-list SSLVPN_ACL extended permit tcp any any eq 12000

13. Enable SSL VPN

! The commands in this step configure IKEv1/IPsec; the AnyConnect SSL client does not need them
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
 exit

! The transform set is referenced by the crypto map but was not defined on the page
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map SSLVPN_MAP 10 match address SSLVPN_ACL
crypto map SSLVPN_MAP 10 set pfs group2
crypto map SSLVPN_MAP 10 set peer 192.168.1.1
crypto map SSLVPN_MAP 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map SSLVPN_MAP interface outside

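The configuration above leaves a few things for an auditor to confirm by hand: whether legacy cipher suites remain in the `ssl encryption` list, whether the LDAP bind credentials are protected by `ldap-over-ssl enable`, whether the split-tunnel ACL named in the group policy actually exists, and whether the client address pool collides with an interface subnet or a split-tunnel network. The following script is an added example, not part of the original page or of any Cisco tool; it parses a flat ASA configuration text with simple token matching, using only command names that appear in the page's configuration, and reports those four findings. `SAMPLE_CONFIG` is a constructed excerpt mirroring the page's values.

```python
"""Audit a Cisco ASA AnyConnect SSL VPN configuration text for common weaknesses.

Added example (not from the original page). The checks are heuristics over the
raw CLI text; they recognise only the commands used in the page's configuration.
"""
import ipaddress

# Legacy suites that an "ssl encryption" list should no longer offer
WEAK_SSL_SUITES = {"3des-sha1", "des-sha1", "rc4-sha1", "rc4-md5", "null-sha1"}

# Constructed excerpt of the page's configuration (values copied from the page)
SAMPLE_CONFIG = """\
ssl encryption aes256-sha1 aes128-sha1 3des-sha1
ip local pool SSLVPN_POOL 192.168.255.1 192.168.255.10
access-list SSLVPN_SPLIT_TUNNEL standard permit 192.168.0.0 255.255.255.0
access-list SSLVPN_SPLIT_TUNNEL standard permit 10.0.0.0 255.255.255.0
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 nameif inside
group-policy SSLVPN_POLICY attributes
 split-tunnel-network-list value SSLVPN_SPLIT_TUNNEL
aaa-server LDAP (outside) host 192.168.1.10
 ldap-login-dn CN=Administrator,CN=Users,DC=example,DC=com
 ldap-login-password ******
"""


def iter_lines(config):
    """Yield non-empty, non-comment config lines with indentation stripped."""
    for raw in config.splitlines():
        line = raw.strip()
        if line and not line.startswith("!"):
            yield line


def parse(config):
    """Collect the pieces the audit needs: ciphers, LDAP settings, pools, ACLs, subnets."""
    info = {"ssl_ciphers": [], "ldap_ssl": False, "ldap_bind": False,
            "pools": {}, "std_acls": {}, "ifaces": set(), "split_acl_refs": []}
    for line in iter_lines(config):
        tok = line.split()
        if tok[:2] == ["ssl", "encryption"]:
            info["ssl_ciphers"] = tok[2:]
        elif tok[0] == "ldap-over-ssl" and "enable" in tok:
            info["ldap_ssl"] = True
        elif tok[0] == "ldap-login-dn":
            info["ldap_bind"] = True
        elif tok[:3] == ["ip", "local", "pool"] and len(tok) >= 6:
            info["pools"][tok[3]] = (ipaddress.ip_address(tok[4]),
                                     ipaddress.ip_address(tok[5]))
        elif tok[0] == "access-list" and tok[2:4] == ["standard", "permit"]:
            net = ipaddress.ip_network(f"{tok[4]}/{tok[5]}", strict=False)
            info["std_acls"].setdefault(tok[1], []).append(net)
        elif tok[:2] == ["ip", "address"] and len(tok) >= 4:
            # Interface address plus mask, normalised to its subnet
            info["ifaces"].add(ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False))
        elif tok[:2] == ["split-tunnel-network-list", "value"] and len(tok) >= 3:
            info["split_acl_refs"].append(tok[2])
    return info


def audit(config):
    """Return a list of human-readable findings for the given config text."""
    info = parse(config)
    findings = []

    weak = [c for c in info["ssl_ciphers"] if c in WEAK_SSL_SUITES]
    if weak:
        findings.append("weak SSL cipher suites offered: " + ", ".join(weak))

    if info["ldap_bind"] and not info["ldap_ssl"]:
        findings.append("LDAP bind DN/password configured without ldap-over-ssl enable")

    for acl in info["split_acl_refs"]:
        if acl not in info["std_acls"]:
            findings.append(f"split-tunnel ACL {acl} is referenced but never defined")

    # A client pool that sits inside a local subnet or a split-tunnel network breaks routing
    candidate_nets = set(info["ifaces"])
    for nets in info["std_acls"].values():
        candidate_nets.update(nets)
    for name, (lo, hi) in info["pools"].items():
        for net in sorted(candidate_nets, key=str):
            if lo in net or hi in net:
                findings.append(f"address pool {name} overlaps {net}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the page's values, the script reports the 3des-sha1 suite and the cleartext LDAP bind; the pool 192.168.255.1-10 does not overlap any interface or split-tunnel subnet, so no routing finding is raised. Feeding it a `show running-config` capture works the same way because the parser ignores indentation and comment lines.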

ASA firewall AnyConnect SSL VPN configuration commands

Original source: https://www.cveoy.top/t/topic/fgjA. Copyright belongs to the author. Do not repost or scrape!
