win10vpn编辑-()

实验需求,在防火墙上配置SSLVPN,使PC 192.168.1.10 能够使用anyconnect拨号连接上,并且能够访问到内部R1的HTTP Server.

防火墙主要配置:

基本配置部分:

interface 体育 Ethernet0/1

nameif inside

security-level 100

ip address 10.1.1.1 255.255.255.0

interface Ethernet0/3

nameif outside

security-level 0

ip address 200.1.1.1 255.255.255.0

隧道分离ACL:

access-list webvpn extended permit ip 2.2.2.0 255.255.255.0 172.20.1.0 255.255.255.0

access-list webvpn extended permit ip 172.16.1.0 255.255.255.0 172.20.1.0 255.255.255.0

access-list webvpn extended permit ip 10.1.1.0 255.255.255.0 172.20.1.0 255.255.255.0

access-list outside extended deny ip any any access-list inside extended deny ip any any

下发地址池:

ip local pool webvpn 172.20.1.1-172.20.1.100

内部NAT:

global (outside) 1 interface

NAT 0是为了放行内部到拨号后IP的流量,因为如果不放行则数据包被被NAT转换后,不能够被出口识别从而加载到SVC上,此为重点!

nat (inside) 0 access-list webvpnnat (inside) 1 0.0.0.0 0.0.0.体育0

access-group outside in interface outside

access-group inside in interface inside

路由配置:

route outside 0.0.0.0 0.0.0.0 200.1.1.10 1

route inside 2.2.2.0 255.255.255.0 10.1.1.10 1

route inside 172.16.1.0 255.255.255.0 10.1.1.10 1

开启HTTPS 服务:

http server enable 4433

http 0.0.0.0 0.0.0.0 inside

http 0.0.0.0 0.0.0.0 outside

Webvpn 配置:

webvpn enable outside

svc image disk0:/anyconnect-win-2.5.2014-k9(1).pkg.zip 1 svc enable

组策略部分:

group-policy webvpn internal

group-policy webvpn attributes

vpn-tunnel-protocol svc

webvpn split-tunnel-policy tunnelspecified

split-tunnel-network-list value webvpn

address-pools value webvpn webvpn

svc ask enable

用户策略部分:

username cisco password 3USUcOPFUiMCO4Jk encrypted

username cisco attributes

vpn-group-policy webvpn

实验结果: