Lab topology:
Lab requirement: configure SSL VPN on the firewall so that the PC 192.168.1.10 can dial in with AnyConnect and reach the HTTP server on the internal router R1.
Main firewall configuration:
Basic configuration:
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
interface Ethernet0/3
nameif outside
security-level 0
ip address 200.1.1.1 255.255.255.0
Split-tunnel ACL (the source networks are the ones pushed to the client; the destination is the client address pool):
access-list webvpn extended permit ip 2.2.2.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list webvpn extended permit ip 172.16.1.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list webvpn extended permit ip 10.1.1.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list outside extended deny ip any any
access-list inside extended deny ip any any
Address pool handed out to clients:
ip local pool webvpn 172.20.1.1-172.20.1.100
Internal NAT:
global (outside) 1 interface
NAT 0 (NAT exemption) is there to let traffic from the inside networks to the addresses assigned to dialled-in clients bypass translation. Without it, packets from the inside to the pool addresses would match the nat (inside) 1 rule and be translated to the outside interface address; the translated packet no longer matches the client's VPN session, so it is not mapped onto the SVC tunnel. This is the key point. The same ACL doubles as the split-tunnel list, so the two stay in step.
nat (inside) 0 access-list webvpn
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside in interface outside
access-group inside in interface inside
Note: both interface ACLs deny everything, yet the VPN still works because sysopt connection permit-vpn is enabled by default on the ASA, so decrypted VPN traffic bypasses the outside interface ACL; only the group policy (and any vpn-filter) controls what the clients may reach.
Routes:
route outside 0.0.0.0 0.0.0.0 200.1.1.10 1
route inside 2.2.2.0 255.255.255.0 10.1.1.10 1
route inside 172.16.1.0 255.255.255.0 10.1.1.10 1
Enable the HTTPS (ASDM) server:
http server enable 4433
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
Note: ASDM is moved to port 4433 so it does not clash with WebVPN, which listens on 443 on the outside interface. Permitting ASDM from 0.0.0.0 0.0.0.0 on the outside interface exposes the management interface to the whole Internet; in anything other than a lab, restrict it to the management hosts' addresses.
WebVPN configuration:
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.2014-k9(1). 1
 svc enable
Group policy:
group-policy webvpn internal
group-policy webvpn attributes
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value webvpn
 address-pools value webvpn
 webvpn
  svc ask enable
User account:
username cisco password 3USUcOPFUiMCO4Jk encrypted
username cisco attributes
vpn-group-policy webvpn
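The split-tunnel list, the NAT-exempt ACL, the address pool and the inside routes above all have to agree with each other, and a mismatch in any one of them shows up only as "the client connects but cannot reach R1". The following script is an added example, not part of the original lab and not a Cisco tool: it parses the lab's configuration (embedded below as a constructed sample, with the merged lines separated) and checks, for every split-tunnel entry, that the pool lies inside the tunnelled destination, that an inside route or connected subnet covers the source network, and that the same pair is covered by the nat 0 exemption. The helper names (parse_config, check_split_tunnel) are this example's own.

```python
import ipaddress
import re

# Constructed sample: the lab's ASA configuration, with the lines that were run
# together in the write-up separated. Only the parts the checks need are kept.
ASA_CONFIG = """
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface Ethernet0/3
 nameif outside
 security-level 0
 ip address 200.1.1.1 255.255.255.0
access-list webvpn extended permit ip 2.2.2.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list webvpn extended permit ip 172.16.1.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list webvpn extended permit ip 10.1.1.0 255.255.255.0 172.20.1.0 255.255.255.0
ip local pool webvpn 172.20.1.1-172.20.1.100
nat (inside) 0 access-list webvpn
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 200.1.1.10 1
route inside 2.2.2.0 255.255.255.0 10.1.1.10 1
route inside 172.16.1.0 255.255.255.0 10.1.1.10 1
group-policy webvpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value webvpn
 address-pools value webvpn
"""


def net(addr, mask):
    """Build a network from ASA's 'address netmask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Pull ACLs, pools, routes, connected subnets and the VPN bindings out of an ASA config."""
    cfg = {"acls": {}, "pools": {}, "routes": [], "connected": [],
           "nat_exempt": None, "split_list": None, "address_pool": None}
    iface = None  # nameif of the interface block currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            cfg["acls"].setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line):
            cfg["pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)$", line):
            cfg["nat_exempt"] = m[2]
        elif m := re.match(r"route (\S+) (\S+) (\S+) \S+ \d+$", line):
            cfg["routes"].append((m[1], net(m[2], m[3])))
        elif m := re.match(r"nameif (\S+)$", line):
            iface = m[1]
        elif iface and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            cfg["connected"].append((iface, net(m[1], m[2])))
        elif m := re.match(r"split-tunnel-network-list value (\S+)$", line):
            cfg["split_list"] = m[1]
        elif m := re.match(r"address-pools value (\S+)$", line):
            cfg["address_pool"] = m[1]
    return cfg


def check_split_tunnel(cfg):
    """Return a list of findings; an empty list means the VPN pieces are consistent."""
    split = cfg["acls"].get(cfg["split_list"])
    if split is None:
        return [f"split-tunnel list '{cfg['split_list']}' has no access-list entries"]
    pool = cfg["pools"].get(cfg["address_pool"])
    if pool is None:
        return [f"address pool '{cfg['address_pool']}' is not defined"]
    exempt = cfg["acls"].get(cfg["nat_exempt"], [])
    # Networks the ASA can reach on the inside: static inside routes plus the
    # inside interface's own subnet. The default route via outside does not count.
    inside = [n for name, n in cfg["routes"] + cfg["connected"] if name == "inside"]
    findings = []
    for src, dst in split:
        label = f"{src} -> {dst}"
        if not (pool[0] in dst and pool[1] in dst):
            findings.append(f"{label}: pool {pool[0]}-{pool[1]} is not fully inside the tunnelled destination")
        if not any(src.subnet_of(r) for r in inside):
            findings.append(f"{label}: no inside route or connected subnet covers {src}")
        if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt):
            findings.append(f"{label}: not covered by the nat 0 (NAT-exempt) ACL, return traffic would be PATed")
    return findings


if __name__ == "__main__":
    for finding in check_split_tunnel(parse_config(ASA_CONFIG)) or ["OK: split tunnel, routes and NAT exemption agree"]:
        print(finding)
```

Run it against a saved `show running-config` to catch the classic mistake the write-up warns about: deleting the `nat (inside) 0 access-list webvpn` line from the sample makes every split-tunnel entry fail the NAT-exempt check, while the client would still connect normally.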
Lab results: