Simple network configuration overview:
1. A single public IP address is used for the ***.
2. The ASA outside interface, 10.10.1.30, is NATed directly to the public address XXX.XXX.XX.XX.
3. The ssl_***_pool is 10.25.10.0/24.
4. The ASA outside interface sits on VLAN 1, 10.10.0.0/23.
5. An AnyConnect client that obtains an address from 10.25.10.0/24 can reach 10.10.5.0/24 and 10.10.0.0/23.
6. After the SSL *** dials up, Internet traffic still leaves through the client's local Internet connection (split tunneling).
The configuration procedure:
- Configure the outside interface
interface Ethernet1/1
 nameif outside
 security-level 100
 ip address 10.10.1.30 255.255.254.0
- Configure the SSL *** address pool
ip local pool SSLCLIENT_POOL 10.25.10.1-10.25.10.200 mask 255.255.255.0
- Configure DNS for the SSL ***
dns server-group DefaultDNS
 name-server 10.10.5.51
 name-server 10.10.5.52
 domain-name chinavc.com.cn
- Allow traffic to enter and leave through the same interface (hairpinning on outside)
same-security-traffic permit intra-interface
- Configure the network objects
object network SSL_POOL
 subnet 10.25.10.0 255.255.255.0
object-group network inside_vlan
 network-object 10.10.0.0 255.255.254.0
 network-object 10.10.5.0 255.255.255.0
- Configure AAA LDAP authentication
ldap attribute-map Banner
aaa-server LDAP_SRV_GRP protocol ldap
aaa-server LDAP_SRV_GRP (outside) host 10.10.5.51
 ldap-base-dn DC=chinavc,DC=com,DC=cn
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=Administrator,CN=Users,DC=chinavc,DC=com,DC=cn
 server-type microsoft
- Configure ASDM access
http server enable
http 192.168.45.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
- Configure NAT: traffic between the *** pool and the internal networks is exempted from translation (identity NAT)
nat (outside,outside) source static ***_Vlan ***_Vlan destination static inside_vlan inside_vlan no-proxy-arp route-lookup
- Configure the ACL
access-list web-*** extended permit ip object ***_Vlan object-group inside_vlan
access-list web-*** extended permit ip object-group inside_vlan object ***_Vlan
access-list web-*** extended permit ip object ***_Vlan object inside_vlan_5
access-list web-*** extended permit ip object inside_vlan_5 object ***_Vlan
- Apply the ACL to the interface
access-group web-*** in interface outside
- Enable WEB ***
web***
 enable outside
 enable inside
 anyconnect image disk0:/anyconnect-win-4.7.00136-webdeploy-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
- Configure the group policy
group-policy GroupPolicy_GX_SSL***_PROFILE internal
group-policy GroupPolicy_GX_SSL***_PROFILE attributes
 wins-server none
 dns-server value 10.10.5.51 10.10.5.52
 ***-tunnel-protocol ssl-client
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value web-***
 default-domain value XXXXX.com.cn
- The split-tunnel-policy and split-tunnel-network-list lines above are the split-tunnel configuration: only destinations matched by the web-*** ACL are sent through the tunnel, so Internet traffic keeps using the client's local connection.
- Configure the tunnel group
tunnel-group GX_SSL***_PROFILE type remote-access
tunnel-group GX_SSL***_PROFILE general-attributes
 address-pool SSLCLIENT_POOL
 authentication-server-group LDAP_SRV_GRP
 default-group-policy GroupPolicy_GX_SSL***_PROFILE
tunnel-group GX_SSL***_PROFILE web***-attributes
 group-alias CRVC enable
 group-alias GX_SSL***_PROFILE disable
 group-alias XXX.com.cn disable
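As an added example, not part of the original post, the following Python script audits a configuration of the kind shown above for three things a reviewer would want to confirm before going live: that the *** address pool does not overlap the internal networks the clients must reach, that the ACL named in split-tunnel-network-list actually exists, and that HTTP/ASDM management is not opened to any source on the outside interface (as the "http 0.0.0.0 0.0.0.0 outside" line above does). The configuration excerpt and the names SSL_POOL and split-tunnel-acl are constructed for the example.

```python
import ipaddress
import re
# Constructed excerpt modelled on the configuration above; SSL_POOL and
# split-tunnel-acl are placeholder names, not the page's redacted ones.
ASA_CONFIG = """\
ip local pool SSLCLIENT_POOL 10.25.10.1-10.25.10.200 mask 255.255.255.0
object-group network inside_vlan
 network-object 10.10.0.0 255.255.254.0
 network-object 10.10.5.0 255.255.255.0
access-list split-tunnel-acl extended permit ip object SSL_POOL object-group inside_vlan
http 0.0.0.0 0.0.0.0 outside
split-tunnel-network-list value split-tunnel-acl
"""

def net(addr, mask):
    # ASA writes "address mask"; strict=False masks off any host bits
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    """Collect pools, internal networks, http rules and ACL names."""
    facts = {"pools": [], "inside": [], "http": [], "acls": set(), "split": []}
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"ip local pool \S+ (\S+)-\S+ mask (\S+)", line):
            facts["pools"].append(net(m[1], m[2]))
        elif m := re.match(r"network-object (\S+) (\S+)", line):
            facts["inside"].append(net(m[1], m[2]))
        elif m := re.match(r"http (\S+) (\S+) (\S+)", line):
            facts["http"].append((net(m[1], m[2]), m[3]))
        elif m := re.match(r"access-list (\S+) ", line):
            facts["acls"].add(m[1])
        elif m := re.match(r"split-tunnel-network-list value (\S+)", line):
            facts["split"].append(m[1])
    return facts

def audit(config):
    """Return a list of findings; an empty list means all checks passed."""
    f, findings = parse(config), []
    for pool in f["pools"]:
        for n in f["inside"]:
            if pool.overlaps(n):
                findings.append(f"address pool {pool} overlaps internal network {n}")
    for src, iface in f["http"]:
        if iface == "outside" and src.prefixlen == 0:
            findings.append("ASDM/HTTPS management reachable from any source on outside")
    for acl in f["split"]:
        if acl not in f["acls"]:
            findings.append(f"split-tunnel ACL {acl} is referenced but not defined")
    return findings
```

Run audit() over the output of "show running-config"; with the page's addressing only the management exposure is reported, while a pool moved into 10.10.5.0/24 or a mistyped ACL name produces an additional finding.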