I saw that a fellow forum member has already written up an AnyConnect configuration, but personally I feel it is not very detailed and still leaves beginners confused in places. So I decided to write this topic up in detail. All software versions currently shipping are 9.0 or later, so this covers the configuration from 9.0 onward.
1. Configure a self-signed certificate (optional; this step can be skipped)
ciscoasa(config)#crypto key generate rsa label anyconnect_keypair modulus 1024
ciscoasa(config)#crypto ca trustpoint self_certificate
ciscoasa(config-ca-trustpoint)#enrollment self
ciscoasa(config-ca-trustpoint)#keypair anyconnect_keypair
ciscoasa(config-ca-trustpoint)#fqdn anyconnect.cisco.com
ciscoasa(config-ca-trustpoint)#subject-name CN=anyconnect.cisco.com
ciscoasa(config-ca-trustpoint)#exit
ciscoasa(config)#crypto ca enroll self_certificate noconfirm
ciscoasa(config)#ssl trust-point self_certificate outside
2. Load the AnyConnect VPN image (in version 9.0 the svc command was renamed to anyconnect)
ciscoasa(config)#webvpn
ciscoasa(config-webvpn)#anyconnect image flash:/anyconnect-win-3.1.04072-k9.pkg 1
ciscoasa(config-webvpn)#anyconnect image disk0:/anyconnect-macosx-i386-3.1.04072-k9.pkg 2
ciscoasa(config-webvpn)#anyconnect enable
ciscoasa(config-webvpn)#enable outside
3. Configure the address pool
ciscoasa(config)#ip local pool anyconnect_clients 10.10.1.1-10.10.1.254 mask 255.255.255.0
4. Configure the split-tunnel list and the VPN bypass of the interface ACLs
ciscoasa(config)#access-list tunnel-split extended permit ip 192.168.1.0 255.255.255.0 any ## source is the internal network
ciscoasa(config)#sysopt connection permit-vpn
NAT configuration for version 9.0 (very important): when someone's VPN does not pass traffic, most of the time the problem is in the NAT configuration.
ciscoasa(config)#object network inside ## internal network segment
ciscoasa(config-network-object)#subnet 192.168.1.0 255.255.255.0
ciscoasa(config)#object network anyconnect ## VPN address pool segment
ciscoasa(config-network-object)#subnet 10.10.1.0 255.255.255.0
ciscoasa(config)#access-list tunnel-split extended permit ip object inside any
ciscoasa(config)#nat (inside,outside) source static inside inside destination static anyconnect anyconnect
5. Configure the group-policy that references the address pool and the split-tunnel list
ciscoasa(config)#group-policy anyconnect_policy internal
ciscoasa(config)#group-policy anyconnect_policy attributes
ciscoasa(config-group-policy)#address-pools value anyconnect_clients
ciscoasa(config-group-policy)#vpn-tunnel-protocol ssl-client
ciscoasa(config-group-policy)#split-tunnel-policy tunnelspecified
ciscoasa(config-group-policy)#split-tunnel-network-list value tunnel-split
6. Configure the tunnel-group
ciscoasa(config)#tunnel-group anyconnect-profile type remote-access
ciscoasa(config)#tunnel-group anyconnect-profile general-attributes
ciscoasa(config-tunnel-general)#default-group-policy anyconnect_policy
ciscoasa(config-tunnel-general)#exit
ciscoasa(config)#tunnel-group anyconnect-profile webvpn-attributes
ciscoasa(config-tunnel-webvpn)#group-alias anyconnect
ciscoasa(config-tunnel-webvpn)#exit
ciscoasa(config)#webvpn
ciscoasa(config-webvpn)#tunnel-group-list enable
7. Option 1: use local usernames and passwords and reference the group-policy
ciscoasa(config)#username cisco password cisco
ciscoasa(config)#username cisco attributes
ciscoasa(config-username)#vpn-group-policy anyconnect_policy
Allow the user to use the VPN only, not to log in to the device:
ciscoasa(config)#username cisco attributes
ciscoasa(config-username)#service-type remote-access
ciscoasa(config)#aaa authorization exec LOCAL ## without this authorization, the user can log in to both the VPN and the device
8. Option 2: use ACS to authenticate VPN users
ciscoasa(config)#aaa-server ACSforVPN protocol radius
ciscoasa(config)#aaa-server ACSforVPN (inside) host 19.87.9.21
ciscoasa(config-aaa-server-host)#key cisco
ciscoasa(config)#tunnel-group anyconnect-profile general-attributes
ciscoasa(config-tunnel-general)#authentication-server-group ACSforVPN
The following commands are for device management logins:
ciscoasa(config)#aaa-server ACS protocol tacacs+ ## protocol is assumed; the original listing did not define the ACS server group before adding a host to it
ciscoasa(config)#aaa-server ACS (inside) host 172.20.1.140
ciscoasa(config-aaa-server-host)#key cisco
ciscoasa(config)#aaa authentication http console LOCAL
ciscoasa(config)#aaa authentication ssh console ACS LOCAL
ciscoasa(config)#aaa authentication telnet console LOCAL
ciscoasa(config)#aaa authentication enable console ACS LOCAL
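As an added example (not from the original post), here is a small Python checker that cross-references the names defined and referenced in an ASA listing like the one above: a keypair, ACL, group-policy, tunnel-group or aaa-server name that differs between where it is defined and where it is used is a common reason an AnyConnect setup fails without an obvious error. The sample configuration embedded in it is constructed and deliberately reproduces several such slips.

```python
import re
# Definition patterns: the captured name becomes a defined object of that kind.
DEFS = {
    "keypair": r"^crypto key generate rsa label (\S+)",
    "acl": r"^access-list (\S+)",
    "group-policy": r"^group-policy (\S+) internal",
    "tunnel-group": r"^tunnel-group (\S+) type",
    "aaa-server": r"^aaa-server (\S+) protocol",
}
# Reference patterns: every captured name must already be defined as that kind.
REFS = {
    r"^keypair (\S+)": "keypair",
    r"^split-tunnel-network-list value (\S+)": "acl",
    r"^(?:default-group-policy|vpn-group-policy) (\S+)": "group-policy",
    r"^tunnel-group (\S+) \S+-attributes": "tunnel-group",
    r"^authentication-server-group (\S+)": "aaa-server",
    r"^aaa-server (\S+) \(": "aaa-server",
}
def normalize(line):
    # Drop a leading "ciscoasa(config...)#" prompt and any trailing ## comment.
    line = re.sub(r"^\S+\(config[^)]*\)#\s*", "", line.strip())
    return line.split("##")[0].strip()
def find_dangling_refs(config_text):
    """Return (kind, name, line) for every reference to a name that is never defined."""
    lines = [normalize(l) for l in config_text.splitlines()]
    defined = {k: {m.group(1) for l in lines for m in [re.match(p, l)] if m}
               for k, p in DEFS.items()}
    problems = []
    for line in lines:
        for pat, kind in REFS.items():
            if m := re.match(pat, line):
                problems += [(kind, n, line) for n in m.groups() if n not in defined[kind]]
    return problems

# Constructed sample that mirrors the listing above, including its name slips.
SAMPLE = """\
ciscoasa(config)#crypto key generate rsa label anyconnect_keypair modulus 1024
ciscoasa(config-ca-trustpoint)#keypair anyconnect_key
access-list tunnel-split extended permit ip 192.168.1.0 255.255.255.0 any
ciscoasa(config)#group-policy anyconnect_policy internal
ciscoasa(config-group-policy)#split-tunnel-network-list value tunnel_split
ciscoasa(config)#tunnel-group anyconnect-profile type remote-access
ciscoasa(config)#tunnel-group anyconnect_profile general-attributes
ciscoasa(config-tunnel-general)#default-group-policy anyconnect_policy
ciscoasa(config)#aaa-server ACSforVPN protocol radius
ciscoasa(config)#aaa-server aaa-radius (inside) host 19.87.9.21
"""
if __name__ == "__main__":
    for kind, name, line in find_dangling_refs(SAMPLE):
        print(f"undefined {kind} '{name}' referenced by: {line}")
```

Run it against a `show running-config` dump instead of SAMPLE to check a real box; it only reads text and changes nothing.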