取消
显示结果 
搜索替代 
您的意思是: 
cancel
15059
查看次数
668
有帮助
12
回复

ASA5505配置AnyconnectVPN问题

Adinm
Level 11
Level 11
我刚接触安全不久,学了几次Anyconnect的配置都没有成功,所以想在这里请教大家一下,麻烦各位大佬给我指点一下,为什么我的Anyconnect连接不成功。下面附录上我的ASA的配置及连接Anyconnect时的报错图片:
ASA# show run
: Saved
:
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.1(7)23
!
hostname ASA
domain-name ciscoccie.org
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
dns-guard
ip local pool TEST 10.0.255.1-10.0.255.25
!
interface Ethernet0/0
description conn_to_Router_2811_F0/1
switchport access vlan 10
!
interface Ethernet0/1
description conn_to_Modem_IPTV
switchport access vlan 12
!
interface Ethernet0/2
description conn_to_TV
switchport access vlan 12
!
interface Ethernet0/3
description conn_to_DELL_NIC_0
switchport trunk allowed vlan 10-17
switchport mode trunk
!
interface Ethernet0/4
description conn_to_DELL_NIC_1
switchport trunk allowed vlan 10-17
switchport mode trunk
!
interface Ethernet0/5
description conn_to_PC_and_AP_1252G
switchport trunk allowed vlan 10-17
switchport trunk native vlan 11
switchport mode trunk
!
interface Ethernet0/6
description conn_to_AP-1
switchport trunk allowed vlan 10-17
switchport trunk native vlan 11
switchport mode trunk
!
interface Ethernet0/7
description conn_to_AP-2
switchport trunk allowed vlan 10-17
switchport trunk native vlan 11
switchport mode trunk
!
interface Vlan10
nameif out
security-level 0
ip address 10.0.0.253 255.255.255.0
!
interface Vlan11
nameif in
security-level 100
ip address 10.0.1.254 255.255.255.0
!
interface Vlan12
nameif DMZ-TV
security-level 50
ip address 10.0.2.254 255.255.255.0
!
interface Vlan13
nameif Sev
security-level 70
ip address 10.0.3.254 255.255.255.0
!
interface Vlan14
nameif AP
security-level 90
ip address 10.0.4.254 255.255.255.0
!
interface Vlan15
nameif DELL
security-level 40
ip address 10.0.5.254 255.255.255.0
!
interface Vlan16
nameif VCSA
security-level 80
ip address 10.6.112.10 255.255.255.0
!
interface Vlan17
nameif Guest
security-level 5
ip address 10.0.7.254 255.255.255.0
!
boot system disk0:/asa917-23-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name ciscoccie.org
access-list Deny-DMZ extended permit ip 10.0.2.0 255.255.255.0 any log
access-list DELL extended permit tcp any host 10.0.7.253 eq 3389
access-list DELL extended permit tcp any host 10.0.1.22 eq 3389
access-list DELL extended permit tcp any host 10.0.5.253 eq 1024
access-list DELL extended permit tcp any host 10.0.5.253 eq 5901
access-list DELL extended permit tcp any host 10.0.5.253 eq 623
access-list DELL extended permit tcp any host 10.0.5.253 eq 1080
access-list DELL extended permit tcp any host 10.0.5.253 eq 5902
access-list DELL extended permit tcp any host 10.6.112.2 eq https
access-list DELL extended permit tcp any host 10.0.3.252 eq www
access-list DELL extended permit tcp any host 10.0.3.252 gt 32768
pager lines 24
logging enable
logging asdm informational
mtu out 1500
mtu in 1500
mtu DMZ-TV 1500
mtu Sev 1500
mtu AP 1500
mtu DELL 1500
mtu VCSA 1500
mtu Guest 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-791-151.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group DELL in interface out
access-group Deny-DMZ in interface DMZ-TV
!
router eigrp 10
no auto-summary
network 10.0.0.0 255.0.0.0
network 172.16.0.0 255.255.0.0
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 in
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 10.0.0.252 255.255.255.255 out
ssh 0.0.0.0 0.0.0.0 in
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 114.114.114.114 8.8.8.8
dhcpd domain cisco.home.org
!
dhcpd address 10.0.1.10-10.0.1.200 in
dhcpd enable in
!
dhcpd address 10.0.3.10-10.0.3.200 Sev
dhcpd enable Sev
!
dhcpd address 10.0.4.10-10.0.4.200 AP
dhcpd enable AP
!
dhcpd address 10.0.5.10-10.0.5.200 DELL
dhcpd enable DELL
!
dhcpd address 10.6.112.100-10.6.112.200 VCSA
dhcpd enable VCSA
!
dhcpd address 10.0.7.10-10.0.7.250 Guest
dhcpd enable Guest
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
port 4443
enable out
enable in
dtls port 4443
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-4.5.02033-webdeploy-k9.pkg 1
anyconnect enable
cache
disable
group-policy TEST internal
group-policy TEST attributes
vpn-tunnel-protocol l2tp-ipsec ssl-client ssl-clientless
address-pools value TEST
username TEST password test encrypted
username TEST attributes
vpn-group-policy TEST
webvpn
anyconnect keep-installer installed
username abc password admin privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
profile License
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination transport-method http
: end
1 个已接受解答

已接受的解答

Mansur
Spotlight
Spotlight
默认webVPN的general-attributes里的认证方式是LOCAL。
你需要再指定一下group-policy:
tunnel-group DefaultWEBVPNGroup general-attributes
default-group-policy TEST
SSLVPN配置案例参考思科官网:
https://www.cisco.com/c/en/us/support/docs/security-vpn/webvpn-ssl-vpn/119417-config-asa-00.html
建议你学习一下原理,便于排错

在原帖中查看解决方案

12 条回复12

Mansur
Spotlight
Spotlight
默认webVPN的general-attributes里的认证方式是LOCAL。
你需要再指定一下group-policy:
tunnel-group DefaultWEBVPNGroup general-attributes
default-group-policy TEST
SSLVPN配置案例参考思科官网:
https://www.cisco.com/c/en/us/support/docs/security-vpn/webvpn-ssl-vpn/119417-config-asa-00.html
建议你学习一下原理,便于排错

Mansur
Spotlight
Spotlight
嗯?tunnel-group呢tunnel-group要指定认证方式和default group-policy

Adinm
Level 11
Level 11
maguanghua2013 发表于 2018-5-31 10:39
嗯?tunnel-group呢tunnel-group要指定认证方式和default group-policy

我查看show run all tunnel-group 里面是有default group-policy的,麻烦您给我指点一下,谢谢!
ASA(config)# show run all tunnel-group
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
no accounting-server-group
default-group-policy DfltGrpPolicy
tunnel-group DefaultL2LGroup ipsec-attributes
no ikev1 pre-shared-key
peer-id-validate req
no chain
no ikev1 trust-point
isakmp keepalive threshold 10 retry 2
no ikev2 remote-authentication
no ikev2 local-authentication
tunnel-group DefaultRAGroup type remote-access
tunnel-group DefaultRAGroup general-attributes
no address-pool
no ipv6-address-pool
authentication-server-group LOCAL
secondary-authentication-server-group none
no accounting-server-group
default-group-policy DfltGrpPolicy
no dhcp-server
no strip-realm
no nat-assigned-to-public-ip
no scep-enrollment enable
no password-management
no override-account-disable
no strip-group
no authorization-required
username-from-certificate CN OU
secondary-username-from-certificate CN OU
authentication-attr-from-server primary
authenticated-session-username primary
tunnel-group DefaultRAGroup webvpn-attributes
customization DfltCustomization
authentication aaa
no override-svc-download
no radius-reject-message
no proxy-auth sdi
no pre-fill-username ssl-client
no pre-fill-username clientless
no secondary-pre-fill-username ssl-client
no secondary-pre-fill-username clientless
dns-group DefaultDNS
no without-csd
tunnel-group DefaultRAGroup ipsec-attributes
no ikev1 pre-shared-key
peer-id-validate req
no chain
no ikev1 trust-point
no ikev1 radius-sdi-xauth
isakmp keepalive threshold 300 retry 2
ikev1 user-authentication xauth
no ikev2 remote-authentication
no ikev2 local-authentication
tunnel-group DefaultRAGroup ppp-attributes
no authentication pap
authentication chap
authentication ms-chap-v1
no authentication ms-chap-v2
no authentication eap-proxy
tunnel-group DefaultWEBVPNGroup type remote-access
tunnel-group DefaultWEBVPNGroup general-attributes
no address-pool
no ipv6-address-pool
authentication-server-group LOCAL
secondary-authentication-server-group none
no accounting-server-group
default-group-policy DfltGrpPolicy
no dhcp-server
no strip-realm
no nat-assigned-to-public-ip
no scep-enrollment enable
no password-management
no override-account-disable
no strip-group
no authorization-required
username-from-certificate CN OU
secondary-username-from-certificate CN OU
authentication-attr-from-server primary
authenticated-session-username primary
tunnel-group DefaultWEBVPNGroup webvpn-attributes
customization DfltCustomization
authentication aaa
no override-svc-download
no radius-reject-message
no proxy-auth sdi
no pre-fill-username ssl-client
no pre-fill-username clientless
no secondary-pre-fill-username ssl-client
no secondary-pre-fill-username clientless
dns-group DefaultDNS
no without-csd
tunnel-group DefaultWEBVPNGroup ipsec-attributes
no ikev1 pre-shared-key
peer-id-validate req
no chain
no ikev1 trust-point
no ikev1 radius-sdi-xauth
isakmp keepalive threshold 300 retry 2
ikev1 user-authentication xauth
no ikev2 remote-authentication
no ikev2 local-authentication
tunnel-group DefaultWEBVPNGroup ppp-attributes
no authentication pap
authentication chap
authentication ms-chap-v1
no authentication ms-chap-v2
no authentication eap-proxy
ASA(config)#

Adinm
Level 11
Level 11
maguanghua2013 发表于 2018-5-31 17:21
默认webVPN的general-attributes里的认证方式是LOCAL。
你需要再指定一下group-policy:
tunnel-group De ...

感谢您,我现在正在学CCIE安全方向,刚开始,因为项目要用Anyconnect VPN但是我还没有学到,我一定好好学一下原理的,谢谢您!

Adinm
Level 11
Level 11
maguanghua2013 发表于 2018-5-31 17:21
默认webVPN的general-attributes里的认证方式是LOCAL。
你需要再指定一下group-policy:
tunnel-group De ...

您好,按照你的方法我添加了两个命令
tunnel-group DefaultWEBVPNGroup general-attributes
default-group-policy TEST
添加后,可以正常连接上Anyconnect客户端了,但是电脑在断开Anyconnect连接之后,怎么再也连接不上了,并报错如图所示:所有的改动如下:
tunnel-group DefaultWEBVPNGroup general-attributes
default-group-policy TEST
access-list Anyconnect_ACL standard permit 10.0.0.0 255.255.0.0
group-policy TEST attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Anyconnect_ACL
webvpn
no anyconnect-essentials
希望您能帮助一下我,谢谢您!

Mansur
Spotlight
Spotlight
asdm 发表于 2018-5-31 23:49
您好,按照你的方法我添加了两个命令
tunnel-group DefaultWEBVPNGroup general-attributes
default-gr ...

用扩展列表,目的是any

Adinm
Level 11
Level 11
maguanghua2013 发表于 2018-6-1 08:40
用扩展列表,目的是any

我改成扩展的列表了,但是还不行,还是一样的报错。我还是把所有的配置给你看一下吧。麻烦您了!
hostname ASA
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
dns-guard
ip local pool TEST 10.0.255.1-10.0.255.25
!
interface Ethernet0/0
description conn_to_Router_2811_F0/1
switchport access vlan 10
!
interface Ethernet0/1
description conn_to_Modem_IPTV
switchport access vlan 12
!
interface Ethernet0/2
description conn_to_TV
switchport access vlan 12
!
interface Ethernet0/3
description conn_to_DELL_NIC_0
switchport trunk allowed vlan 10-17
switchport mode trunk
!
interface Ethernet0/4
description conn_to_DELL_NIC_1
switchport trunk allowed vlan 10-17
switchport mode trunk
!
interface Ethernet0/5
description conn_to_PC_and_AP_1252G
switchport trunk allowed vlan 10-17
switchport trunk native vlan 11
switchport mode trunk
!
interface Ethernet0/6
description conn_to_AP-1
switchport trunk allowed vlan 10-17
switchport trunk native vlan 11
switchport mode trunk
!
interface Ethernet0/7
description conn_to_AP-2
switchport trunk allowed vlan 10-17
switchport trunk native vlan 11
switchport mode trunk
!
interface Vlan10
nameif out
security-level 0
ip address 10.0.0.253 255.255.255.0
!
interface Vlan11
nameif in
security-level 100
ip address 10.0.1.254 255.255.255.0
!
interface Vlan12
nameif DMZ-TV
security-level 50
ip address 10.0.2.254 255.255.255.0
!
interface Vlan13
nameif Sev
security-level 70
ip address 10.0.3.254 255.255.255.0
!
interface Vlan14
nameif AP
security-level 90
ip address 10.0.4.254 255.255.255.0
!
interface Vlan15
nameif DELL
security-level 40
ip address 10.0.5.254 255.255.255.0
!
interface Vlan16
nameif VCSA
security-level 80
ip address 10.6.112.10 255.255.255.0
!
interface Vlan17
nameif Guest
security-level 5
ip address 10.0.7.254 255.255.255.0
!
boot system disk0:/asa917-23-k8.bin
ftp mode passive
clock timezone D 8
dns domain-lookup out
dns server-group DefaultDNS
name-server 114.114.114.114
name-server 8.8.8.8
domain-name ciscoccie.org
access-list Anyconnect_ACL extended permit ip any 10.0.0.0 255.255.0.0
access-list Deny-DMZ extended permit ip 10.0.2.0 255.255.255.0 any log
access-list DELL extended permit tcp any host 10.0.7.253 eq 3389
access-list DELL extended permit tcp any host 10.0.1.22 eq 3389
access-list DELL extended permit tcp any host 10.0.5.253 eq 1024
access-list DELL extended permit tcp any host 10.0.5.253 eq 5901
access-list DELL extended permit tcp any host 10.0.5.253 eq 623
access-list DELL extended permit tcp any host 10.0.5.253 eq 1080
access-list DELL extended permit tcp any host 10.0.5.253 eq 5902
access-list DELL extended permit tcp any host 10.6.112.2 eq https
access-list DELL extended permit tcp any host 10.0.3.252 eq www
access-list DELL extended permit tcp any host 10.0.3.252 gt 32768
pager lines 24
logging enable
logging asdm informational
mtu out 1500
mtu in 1500
mtu DMZ-TV 1500
mtu Sev 1500
mtu AP 1500
mtu DELL 1500
mtu VCSA 1500
mtu Guest 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-791-151.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group DELL in interface out
access-group Deny-DMZ in interface DMZ-TV
!
router eigrp 10
no auto-summary
network 10.0.0.0 255.0.0.0
network 172.16.0.0 255.255.0.0
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable 4443
http 0.0.0.0 0.0.0.0 in
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 10.0.0.254 255.255.255.255 out
ssh 10.0.0.252 255.255.255.255 out
ssh 0.0.0.0 0.0.0.0 in
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 114.114.114.114 8.8.8.8
dhcpd domain cisco.home.org
!
dhcpd address 10.0.1.10-10.0.1.200 in
dhcpd enable in
!
dhcpd address 10.0.3.10-10.0.3.200 Sev
dhcpd enable Sev
!
dhcpd address 10.0.4.10-10.0.4.200 AP
dhcpd enable AP
!
dhcpd address 10.0.5.10-10.0.5.200 DELL
dhcpd enable DELL
!
dhcpd address 10.6.112.100-10.6.112.200 VCSA
dhcpd enable VCSA
!
dhcpd address 10.0.7.10-10.0.7.250 Guest
dhcpd enable Guest
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 118.122.35.10
ntp server 61.216.153.105
ntp server 61.216.153.106
ntp server 173.255.246.13
webvpn
port 4443
enable out
enable in
dtls port 4443
no anyconnect-essentials
anyconnect image disk0:/anyconnect-win-4.5.02033-webdeploy-k9.pkg 1
anyconnect enable
cache
disable
group-policy TEST internal
group-policy TEST attributes
vpn-tunnel-protocol l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Anyconnect_ACL
address-pools value TEST
username TEST password CpyvyVSC5OXS.Pq1 encrypted
username TEST attributes
vpn-group-policy TEST
webvpn
anyconnect keep-installer installed
tunnel-group DefaultWEBVPNGroup general-attributes
default-group-policy TEST
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 1
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
profile License
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination transport-method http
: end

Mansur
Spotlight
Spotlight
asdm 发表于 2018-6-1 10:39
我改成扩展的列表了,但是还不行,还是一样的报错。我还是把所有的配置给你看一下吧。麻烦您了!
hostna ...

似乎是acl的源目写反了?目的是any啊。
给你个生产的配置案例参考下:
https://nbma.info/cisco-asa-ssl-vpn-configure/

Adinm
Level 11
Level 11
maguanghua2013 发表于 2018-6-1 18:31
似乎是acl的源目写反了?目的是any啊。
给你个生产的配置案例参考下:
https://nbma.info/cisco-asa-ss ...

ACL应该不会影响Anyconnect的连接,只会影响连接上Anyconnect的路由条目,我认为不是ACL的原因导致Anyconnect连接失败的。但是我又不知道是什么原因

Adinm
Level 11
Level 11
maguanghua2013 发表于 2018-6-1 18:31
似乎是acl的源目写反了?目的是any啊。
给你个生产的配置案例参考下:
https://nbma.info/cisco-asa-ss ...

我按照这个案例改了一下,还是不行,和原来连接时的错误一样。还不是ACL的原因!求教

Mansur
Spotlight
Spotlight
asdm 发表于 2018-6-1 22:11
我按照这个案例改了一下,还是不行,和原来连接时的错误一样。还不是ACL的原因!求教

没道理啊,这个案例是我生产环境的配置。。在asa 9.32和9.71上都没问题,设备室5525和asav

Adinm
Level 11
Level 11
maguanghua2013 发表于 2018-6-2 00:20
没道理啊,这个案例是我生产环境的配置。。在asa 9.32和9.71上都没问题,设备室5525和asav

我配置的是ASA5505,要不然麻烦您帮我远程一下,我给你我的TeamViewer的ID,谢谢您!
入门指南

使用上面的搜索栏输入关键字、短语或问题,搜索问题的答案。

我们希望您在这里的旅程尽可能顺利,因此这里有一些链接可以帮助您快速熟悉思科社区:









快捷链接