你应该需要配置SSL VPN,如下是配置示例和截图:
2.1、开启
ASA(config)# same-security-traffic permit intra-interface
2.2、给VPN创建一个地址池
ASA(config)# ip local pool vpnpool 192.168.20.10-192.168.20.50 mask 255.255.255.0
2.3、开启WebVPN
ASA(config)# webvpn
ASA(config-webvpn)# enable outside //!--- Enable WebVPN on the outside interface
INFO: WebVPN and DTLS are enabled on 'outside'.
ASA(config-webvpn)# anyconnect image disk0:/anyconnect-win-4.0.00061-k9.pkg 1 //!--- Assign an order to the AnyConnect SSL VPN Client image
ASA(config-webvpn)# tunnel-group-list enable //!--- Enable the display of the tunnel-group list on the WebVPN Login page
ASA(config-webvpn)# anyconnect enable //!--- Enable the security appliance to download SVC images to remote computers
2.4、配置Group Policy
ASA(config)# group-policy clientgroup internal //!--- Create an internal group policy "clientgroup"
ASA(config)# group-policy clientgroup attributes //!--- Encrypt all the traffic coming from the SSL VPN Clients
ASA(config-group-policy)# vpn-tunnel-protocol ssl-client //!--- Specify SSL as a permitted VPN tunneling protocol
group-policy mode commands/options:
ikev1 IKE version 1
ikev2 IKE version 2
l2tp-ipsec L2TP using IPSec for security
ssl-client SSL VPN Client
ssl-clientless SSL Clientless VPN
ASA(config-group-policy)# split-tunnel-policy tunnelall
2.4、创建一个账户
ASA(config)# username ssluser password cisco
2.5、配置Tunnel Group
ASA(config)# tunnel-group sslgroup type remote-access //!--- Create a tunnel group "sslgroup" with type as remote access
ASA(config)# tunnel-group sslgroup general-attributes
ASA(config-tunnel-general)# address-pool vpnpool //!--- Associate the address pool vpnpool created
ASA(config-tunnel-general)# default-group-policy clientgroup //!--- Associate the group policy "clientgroup" created
ASA(config-tunnel-general)# exit
ASA(config)# tunnel-group sslgroup webvpn-attributes
ASA(config-tunnel-webvpn)# group-alias sslgroup_users enable //!--- Configure the group alias(别名) as sslgroup-users
2.6、配置NAT
ASA(config)# object network obj-inside
ASA(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA(config-network-object)# nat (inside,outside) dynamic interface
ASA(config-network-object)# exit
ASA(config)# object network obj-SSLVPNPool
ASA(config-network-object)# subnet 192.168.20.0 255.255.255.0
ASA(config-network-object)# nat (outside,outside) dynamic interface
2.1、开启
ASA(config)# same-security-traffic permit intra-interface
2.2、给VPN创建一个地址池
ASA(config)# ip local pool vpnpool 192.168.20.10-192.168.20.50 mask 255.255.255.0
2.3、开启WebVPN
ASA(config)# webvpn
ASA(config-webvpn)# enable outside //!--- Enable WebVPN on the outside interface
INFO: WebVPN and DTLS are enabled on 'outside'.
ASA(config-webvpn)# anyconnect image disk0:/anyconnect-win-4.0.00061-k9.pkg 1 //!--- Assign an order to the AnyConnect SSL VPN Client image
ASA(config-webvpn)# tunnel-group-list enable //!--- Enable the display of the tunnel-group list on the WebVPN Login page
ASA(config-webvpn)# anyconnect enable //!--- Enable the security appliance to download SVC images to remote computers
2.4、配置Group Policy
ASA(config)# group-policy clientgroup internal //!--- Create an internal group policy "clientgroup"
ASA(config)# group-policy clientgroup attributes //!--- Encrypt all the traffic coming from the SSL VPN Clients
ASA(config-group-policy)# vpn-tunnel-protocol ssl-client //!--- Specify SSL as a permitted VPN tunneling protocol
group-policy mode commands/options:
ikev1 IKE version 1
ikev2 IKE version 2
l2tp-ipsec L2TP using IPSec for security
ssl-client SSL VPN Client
ssl-clientless SSL Clientless VPN
ASA(config-group-policy)# split-tunnel-policy tunnelall
2.4、创建一个账户
ASA(config)# username ssluser password cisco
2.5、配置Tunnel Group
ASA(config)# tunnel-group sslgroup type remote-access //!--- Create a tunnel group "sslgroup" with type as remote access
ASA(config)# tunnel-group sslgroup general-attributes
ASA(config-tunnel-general)# address-pool vpnpool //!--- Associate the address pool vpnpool created
ASA(config-tunnel-general)# default-group-policy clientgroup //!--- Associate the group policy "clientgroup" created
ASA(config-tunnel-general)# exit
ASA(config)# tunnel-group sslgroup webvpn-attributes
ASA(config-tunnel-webvpn)# group-alias sslgroup_users enable //!--- Configure the group alias(别名) as sslgroup-users
2.6、配置NAT
ASA(config)# object network obj-inside
ASA(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA(config-network-object)# nat (inside,outside) dynamic interface
ASA(config-network-object)# exit
ASA(config)# object network obj-SSLVPNPool
ASA(config-network-object)# subnet 192.168.20.0 255.255.255.0
ASA(config-network-object)# nat (outside,outside) dynamic interface
