SSL VPN configuration

332953358
Spotlight

ASA9.1

SSL VPN doesn't seem to work: I can't connect from the outside to the address 1.1.1.1, and I can't reach it over https either. Could the experts please take a look at where the problem is? The configuration is as follows:

ASA(config)# sh run
: Saved
: Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
:
ASA Version 9.1(7)32
!
hostname EFC-ASA
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session deny udp any4 any4 eq domain
names
dns-guard
ip local pool Anyconnect_pool 10.0.253.10-10.0.253.200 mask 255.255.255.0
!
interface GigabitEthernet0/0
nameif outside0
security-level 0
ip address 1.1.1.1 255.255.255.128   (public IP anonymized as 1.1.1.1)
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
nameif inside3
security-level 100
ip address 192.168.4.1 255.255.255.0
!
interface Management0/0
management-only
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa917-32-k8.bin
ftp mode passive
clock timezone CST 8
dns domain-lookup outside0
dns domain-lookup inside3
dns server-group DefaultDNS
name-server 202.101.172.35
name-server 202.101.172.47
same-security-traffic permit inter-interface
object network local
subnet 192.168.4.0 255.255.255.0

object network Shanghai
subnet 192.168.3.0 255.255.255.0

object network peer_anyconnect
subnet 10.0.253.0 255.255.255.0

object-group network peer_pool
network-object object Shanghai
network-object object peer_anyconnect

object-group network host_local
network-object host 192.168.4.191
network-object host 192.168.4.190
network-object host 192.168.4.203

access-list outside_cryptomap_1 extended permit ip object local object Shanghai
access-list outbound extended permit ip object local object-group peer_pool
access-list outbound extended permit ip object-group host_local any4
access-list anyconnect_cryptomap extended permit ip object local object peer_anyconnect
pager lines 24
logging enable
logging asdm informational
mtu outside0 1500
mtu inside3 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7122.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside3,any) source static local local destination static peer_pool peer_pool no-proxy-arp route-lookup
!
object host_local
nat (inside3,outside0) dynamic interface
object network peer_anyconnect
nat (outside0,outside0) dynamic interface
access-group inbound in interface outside0
access-group outbound out interface outside0
route outside0 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.4.0 255.255.255.0 inside3
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map outside_cryptomap 1 match address outside_cryptomap_1
crypto map outside_cryptomap 1 set peer 2.2.2.2           (peer's public IP anonymized as 2.2.2.2)
crypto map outside_cryptomap 1 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_cryptomap interface outside0
crypto ca trustpool policy
crypto ikev1 enable outside0
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 192.168.4.0 255.255.255.0 inside3
telnet timeout 300
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.4.90-192.168.4.220 inside3
dhcpd dns 202.101.172.35 interface inside3
dhcpd domain olandcorp.com interface inside3
dhcpd option 6 ip 202.101.172.35 interface inside3
dhcpd option 3 ip 192.168.4.1 interface inside3
dhcpd enable inside3
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 114.118.7.161 source outside0 prefer
webvpn
enable outside0
enable inside3
anyconnect image disk0:/anyconnect-win-4.10.06079-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-macos-4.10.06079-webdeploy-k9.pkg 2
anyconnect enable
tunnel-group-list enable
cache
disable
group-policy Anyconnect_policy internal
group-policy Anyconnect_policy attributes
vpn-tunnel-protocol ssl-client       (mainly using the thick client)
split-tunnel-policy tunnelspecified
split-tunnel-network-list value anyconnect_cryptomap
username TEST password t9kAFwnDDZfmD/HX encrypted
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
ikev1 pre-shared-key *******
tunnel-group Anyconnect_tunnel type remote-access
tunnel-group Anyconnect_tunnel general-attributes
address-pool Anyconnect_pool
default-group-policy Anyconnect_policy
tunnel-group Anyconnect_tunnel webvpn-attributes
group-alias TESTGROUP enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end

1 accepted solution

Accepted solution

YilinChen
Spotlight

It looks like there is more than one problem. Broadly, here are the main points to pay attention to:

1. The current device configuration is as follows:

http server enable

http 192.168.4.0 255.255.255.0 inside3

webvpn

enable inside3

The device has HTTP management enabled and WebVPN enabled at the same time, and under webvpn you have also enabled the inside interface. Since both share TCP port 443 by default, this causes a port conflict; I suggest changing webvpn to a different high port. After switching to a different high port, open it in a browser to see whether it loads; if the VPN login/authentication page is displayed normally, that part is working (also note the ACL on the corresponding interface; by default no extra ACL needs to be added to permit this).

2. Twice NAT needs to be configured to fix the problem of the VPN IP pool addresses being NATed;

3. The ACL applied on the Outside interface must permit the VPN IP pool addresses to reach addresses inside the LAN;

Reference configuration is as follows:

interface GigabitEthernet0/0
nameif Inside
security-level 100
ip address 192.168.255.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif Outside
security-level 0
ip address 1.1.1.1 255.255.255.0

route Inside 172.16.10.0 255.255.255.0 192.168.255.2
route Outside 0.0.0.0 0.0.0.0 1.1.1.2

ip local pool VPN_IP_Pool 192.168.255.100-192.168.255.200 mask 255.255.255.0

access-list SplitACL standard permit 172.16.10.0 255.255.255.0

group-policy SSLVPN-GP internal
group-policy SSLVPN-GP attributes
wins-server none
dns-server none
vpn-tunnel-protocol ikev1 ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SplitACL

tunnel-group SSLVPN-TG type remote-access
tunnel-group SSLVPN-TG general-attributes
address-pool VPN_IP_Pool
default-group-policy SSLVPN-GP
tunnel-group SSLVPN-TG webvpn-attributes
group-alias SSLVPN enable
tunnel-group SSLVPN-TG ipsec-attributes
ikev1 pre-shared-key *****

webvpn
port 9999
enable Outside
dtls port 9999
anyconnect image disk0:/anyconnect-win-4.7.01076-webdeploy-k9.pkg 1
anyconnect enable
tunnel-group-list enable

crypto ipsec ikev1 transform-set SSLVPN-TSet esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set SSLVPN-TSet mode transport
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400

crypto ikev1 enable Outside

object network LAN
subnet 172.16.10.0 255.255.255.0
nat (Inside,Outside) dynamic interface

object network VPN-Pool
range 192.168.255.100 192.168.255.200

nat (Inside,Outside) source static LAN LAN destination static VPN-Pool VPN-Pool no-proxy-arp route-lookup

access-list RAVPN extended permit ip object VPN-Pool object LAN log

access-group RAVPN in interface Outside

2 replies

Hello, thanks for your reply, but I still don't understand the reference you gave. My configuration may be too long and hard to read, so I have now simplified it and started a new thread: Anyconnect SSL VPN Configuration - Cisco Community

I'd like to ask you for pointers once more. Thanks!
