Configuring an ASA as a one-armed VPN access point

Goal

Set up the ASA as a VPN access point hanging off the existing gateway router, so that AnyConnect clients can reach both the local LAN and the Internet. The firewall policy is left fully open.

The example uses the following:

  • Existing LAN: 10.0.0.0/24
  • Gateway: 10.0.0.1
  • ASA: 10.0.0.2
  • AnyConnect client address pools: 10.0.253.0/24, fd00::/64

Configuration

Hardware

  • To hold the AnyConnect packages for every desktop platform, upgrade the SD card (flash) to at least 1 GB
  • CSD or HostScan needs the RAM upgraded to 1 GB
  • AnyConnect, and the trunking used below, require the corresponding software licenses

Basic configuration

  • Hostname
  • VLAN
  • IP address and default route
  • DNS
  • NTP

hostname vpngw
domain-name local
clock timezone HKST 8
ntp server 10.0.0.1 source inside prefer
!
interface Ethernet0/0
 switchport mode trunk
 switchport trunk allowed vlan 1
 switchport trunk native vlan 1
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.2 255.255.255.0
 ipv6 nd suppress-ra
!
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.0.0.1
 domain-name local
route inside 0.0.0.0 0.0.0.0 10.0.0.1

Remote management

Enable ASDM and SSH. AnyConnect will also need the HTTP server, so it is enabled here as well. (The AnyConnect service is not affected by the HTTP IP whitelist; the whitelist only needs to cover the management network.) SSH on the ASA needs an RSA key pair; if the box does not have one yet, generate it with crypto key generate rsa before relying on SSH.

asdm image disk0:/asdm-7121.bin
http server enable
http 10.0.0.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.0 inside
ssh version 2

Basic security settings

  • Allow traffic between interfaces with the same security level
  • Set the enable password
  • Create a user
  • Configure authentication for each type of login
  • Turn off unnecessary services

To keep the configuration simple, no external authentication is added; the AnyConnect setup below also uses the local user database as its only authentication method. The passwords shown (114514) are placeholders, replace them with strong, unique secrets. Telnet is never enabled (there is no telnet access line), and it should stay that way; the aaa line for it is harmless but unused.

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

enable password 114514
username admin password 114514 privilege 15
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
telnet timeout 30
ssh timeout 30
console timeout 30

no call-home reporting anonymous

Adding a route for the AnyConnect client range

Static route

Add a route for the AnyConnect client range on the egress router, pointing at the ASA's IP address.

Dynamic routing

As I explained in the earlier post "Dynamic routing protocol and NAT rule settings when a Cisco ASA is an AnyConnect server", redistributing the per-client routes that the ASA adds on AnyConnect connection into a dynamic routing protocol is bug-prone. Here that bug is sidestepped by creating a new VLAN interface that owns the whole address pool as a connected route, which the routing protocol then advertises. The ospf priority 0 on Vlan1 keeps the ASA from being elected DR on the LAN.

Using OSPF as an example:

interface Ethernet0/0
 switchport trunk allowed vlan 1,999

interface Vlan1
 ospf priority 0

interface Vlan999
 nameif vpn-virtual
 security-level 100
 ip address 10.0.253.1 255.255.255.0 

router ospf 1
 router-id 10.0.0.2
 network 10.0.0.0 255.255.255.0 area 0
 network 10.0.253.0 255.255.255.0 area 0
 log-adj-changes

Importing a TLS certificate

Whichever trustpoint you end up with, bind it to the interface with ssl trust-point <trustpoint> inside, otherwise the ASA keeps presenting its default self-signed certificate to SSL VPN clients. A self-signed certificate will always produce a warning in the AnyConnect client; an externally issued one is preferable for anything beyond a lab.

Self-signed

crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=10.0.0.2,CN=vpngw
 keypair ASDM_LAUNCHER
 crl configure
crypto ca trustpool policy
crypto ca enroll ASDM_Launcher_Access_TrustPoint_0

Importing an externally issued certificate

See the earlier post "Importing a certificate into the ASA".

Creating the AnyConnect client address pools

IPv4 (the pool starts at .20 so that .1 stays free for the Vlan999 interface address used in the dynamic routing section)

ip local pool AnyConnectV4 10.0.253.20-10.0.253.254 mask 255.255.255.0

IPv6

ipv6 local pool AnyConnectV6 fd00::2/64 254

NAT exemption for the AnyConnect client range (optional)

This is the identity (twice) NAT rule that the ASDM AnyConnect wizard creates by default so that traffic to and from the client pool is never translated: no-proxy-arp stops the ASA from answering ARP for the pool addresses on inside, and route-lookup makes the egress interface come from the routing table rather than from the NAT rule. On a one-armed setup with no other NAT rules it does nothing useful, and after adding it the clients could no longer traceroute. I do not know why the wizard insists on it; it is recorded here only for reference.

object network AnyConnectV4
 subnet 10.0.253.0 255.255.255.0
object network AnyConnectV6
 subnet fd00::/64
object-group network AnyConnect_client_pool
 network-object object AnyConnectV4
 network-object object AnyConnectV6

nat (inside,inside) source static any any destination static AnyConnect_client_pool AnyConnect_client_pool no-proxy-arp route-lookup

Adding the AnyConnect packages

Every desktop platform needs its webdeploy package added to the ASA before clients on that platform can connect. Mobile platforms only need the app installed from the store.

webvpn
 anyconnect image disk0:/anyconnect-win-4.8.01090-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-macos-4.8.01090-webdeploy-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux64-4.8.01090-webdeploy-k9.pkg 3

Setting the AnyConnect port

Changing the port requires briefly disabling the AnyConnect server, so do it before the next step.

crypto ikev2 enable inside client-services port 5443
webvpn
 port 5443
 dtls port 5443

Once the port is fixed, add a destination NAT (port forward) on the gateway for it, pointing at the ASA's IP address: TCP 5443 for SSL, UDP 5443 for DTLS, and, if the IKEv2 option below is used, UDP 500 and 4500 as well.

Configuring the AnyConnect server

SSL VPN only, IPv4 only

webvpn
 enable inside
 no anyconnect-essentials
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_DfltAnyConnectProfile internal
group-policy GroupPolicy_DfltAnyConnectProfile attributes
 wins-server none
 dns-server value 10.0.0.1
 vpn-tunnel-protocol ssl-client
 default-domain value local
tunnel-group DfltAnyConnectProfile type remote-access
tunnel-group DfltAnyConnectProfile general-attributes
 address-pool AnyConnectV4
 default-group-policy GroupPolicy_DfltAnyConnectProfile
tunnel-group DfltAnyConnectProfile webvpn-attributes
 group-alias DfltAnyConnectProfile enable

Adding IPv6 (optional)

tunnel-group DfltAnyConnectProfile general-attributes
 ipv6-address-pool AnyConnectV6

Adding IPsec VPN (optional)

Note that the IPsec VPN requires a client profile; upload one or create it through ASDM before configuring this part. The proposals and policies below are what the ASDM wizard generates, and they include DES, 3DES, MD5 and Diffie-Hellman groups 2 and 5, all of which are deprecated. In production keep only the AES-256 entries with SHA-2 integrity and DH group 14 or higher (or AES-GCM where the software supports it) and drop the rest from the dynamic map. The crypto ikev2 enable line must also use the port chosen earlier (5443), not the default 443.

crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside

crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable inside client-services port 5443
crypto ikev2 remote-access trustpoint ASDM_Launcher_Access_TrustPoint_0

webvpn
 anyconnect profiles DfltAnyConnectProfile_client_profile disk0:/DfltAnyConnectProfile_client_profile.xml

group-policy GroupPolicy_DfltAnyConnectProfile attributes
 vpn-tunnel-protocol ikev2 ssl-client
 webvpn
 anyconnect profiles value DfltAnyConnectProfile_client_profile type user
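To catch wizard defaults like the ones above before they reach production, here is an added example (not Cisco tooling and not from the original post) that scans the crypto ikev2 policy and crypto ipsec ikev2 ipsec-proposal blocks of a saved running-config for DES, 3DES, MD5 and DH groups 1, 2 and 5. The sample config embedded in it is constructed from this page's weakest and strongest entries; the hardened block is an assumption for an ASA 9.x release that supports SHA-256 and DH groups 14/19/20, and should be checked against what crypto ikev2 policy ? offers on your own software version.

```python
"""Audit an ASA configuration for deprecated IKEv2 / IPsec algorithms.

Added example: not Cisco tooling and not from the original post. It reads a
saved running-config as text and reports DES, 3DES, MD5 and DH groups 1/2/5
inside 'crypto ikev2 policy' and 'crypto ipsec ikev2 ipsec-proposal' blocks.
"""
import re

# Constructed sample: the weakest and strongest wizard-generated entries from
# this page, abbreviated. Block bodies are indented by one space as in ASA output.
SAMPLE_CONFIG = """\
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
"""

# Assumed hardened replacement for an ASA 9.x release that supports SHA-256
# and DH groups 14/19/20 (verify with 'crypto ikev2 policy ?' on your box).
HARDENED_CONFIG = """\
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 19 20 14
 prf sha256
 lifetime seconds 86400
"""

# Values that have no place in a remote-access VPN today.
WEAK = {
    "encryption": {"des", "3des", "null"},
    "integrity": {"md5"},
    "prf": {"md5"},
    "group": {"1", "2", "5"},
}

POLICY_RE = re.compile(r"crypto ikev2 policy (\d+)$")
PROPOSAL_RE = re.compile(r"crypto ipsec ikev2 ipsec-proposal (\S+)$")


def audit(config: str) -> list:
    """Return (block, attribute, weak_value) for every deprecated setting found."""
    findings = []
    block = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            # Top-level line: either opens a block we care about or ends the current one.
            m = POLICY_RE.match(raw)
            if m:
                block = f"ikev2 policy {m.group(1)}"
                continue
            m = PROPOSAL_RE.match(raw)
            block = f"ipsec-proposal {m.group(1)}" if m else None
            continue
        if block is None:
            continue
        parts = raw.split()
        if parts[:2] == ["protocol", "esp"]:
            parts = parts[2:]  # "protocol esp integrity sha-1 md5" -> "integrity sha-1 md5"
        attr, values = parts[0], parts[1:]
        for value in values:
            if value in WEAK.get(attr, ()):
                findings.append((block, attr, value))
    return findings


if __name__ == "__main__":
    for block, attr, value in audit(SAMPLE_CONFIG):
        print(f"{block}: {attr} {value} is deprecated")
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

Run it against the output of show running-config saved to a file. SHA-1 integrity is deliberately not flagged (HMAC-SHA1 is not broken), but moving to sha256 while you are editing the policies costs nothing.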

Other settings

Access control

Because AnyConnect client traffic enters and leaves on the same interface, the firewall here is left at its default of permitting everything. If the device has other interfaces that AnyConnect clients should reach, permit rules are needed for those.

To firewall AnyConnect client traffic with an interface ACL, both of these must be set:

  • Interface: the public-facing interface the clients connect to (here the only possibility is inside)
  • IP address: the client address pool

Otherwise the rule will either not match the traffic or will cut off the public-facing connection. Note also that sysopt connection permit-vpn is enabled by default, so decrypted VPN traffic bypasses interface ACLs entirely; a vpn-filter ACL applied in the group policy is the supported way to restrict what clients may reach.

Group policy inheritance

All group policies inherit from DfltGrpPolicy, so commonly used settings can be placed there. The url-list, customization and profile names in the example refer to objects defined elsewhere. Note that password-storage enable lets clients cache the password and vpn-idle-timeout none disables the idle disconnect; both trade security for convenience. Example:

group-policy DfltGrpPolicy attributes
 dns-server value 1.1.1.1 1.0.0.1
 vpn-simultaneous-logins 10
 vpn-idle-timeout none
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
 password-storage enable
 ip-comp enable
 pfs enable
 ipsec-udp enable
 default-domain value local
 split-tunnel-all-dns enable
 client-bypass-protocol enable
 nem enable
 address-pools value AnyConnectV4
 ipv6-address-pools value AnyConnectV6
 smartcard-removal-disconnect disable
 webvpn
  url-list value Common
  http-proxy enable
  anyconnect ssl rekey time 5
  anyconnect ssl rekey method ssl
  anyconnect ssl compression deflate
  anyconnect dtls compression lzs
  anyconnect profiles value Default_v6 type user
  anyconnect ask enable default anyconnect
  customization value RouterOS
  anyconnect ssl df-bit-ignore enable

Disabling DTLS

SSL VPN enables DTLS (TLS over UDP) by default; if your ISP throttles UDP you may need to disable it:

webvpn
 enable inside tls-only

Split tunnel settings

Below are a whitelist (tunnel only the listed networks) and a blacklist (tunnel everything except the listed networks) configuration. The Local list covers the non-routable and special-purpose IPv4 ranges; link-local 169.254.0.0/16 is absent from it. The LAN list referenced by the first policy is not shown here; it is a standard ACL permitting the internal subnet. A standard ACL holds only IPv4 entries, so the ipv6-split-tunnel-policy in the second policy excludes nothing until an extended ACL with IPv6 entries is used.

access-list Local standard permit 0.0.0.0 255.0.0.0
access-list Local standard permit 10.0.0.0 255.0.0.0
access-list Local standard permit 100.64.0.0 255.192.0.0
access-list Local standard permit 127.0.0.0 255.0.0.0
access-list Local standard permit 172.16.0.0 255.240.0.0
access-list Local standard permit 192.0.0.0 255.255.255.0
access-list Local standard permit 192.0.2.0 255.255.255.0
access-list Local standard permit 192.88.99.0 255.255.255.0
access-list Local standard permit 192.168.0.0 255.255.0.0
access-list Local standard permit 198.18.0.0 255.254.0.0
access-list Local standard permit 198.51.100.0 255.255.255.0
access-list Local standard permit 203.0.113.0 255.255.255.0
access-list Local standard permit 224.0.0.0 240.0.0.0
access-list Local standard permit 240.0.0.0 240.0.0.0
access-list Local standard permit host 255.255.255.255

group-policy "AnyConnect Split Tunnel LAN only" attributes
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value LAN

group-policy "AnyConnect Split Tunnel excl. LAN" attributes
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy excludespecified
 ipv6-split-tunnel-policy excludespecified
 split-tunnel-network-list value Local
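To make the tunnelspecified and excludespecified semantics concrete, here is an added example (not from the original post) that parses ASA standard ACL lines, decides whether a given destination goes through the tunnel under each policy, and checks an exclude list against the IANA IPv4 special-purpose ranges. The Local list is copied from this page; the LAN list is an assumed definition, since the page does not show it.

```python
"""Split-tunnel semantics for AnyConnect group policies.

Added example, not from the original post: parses ASA standard ACLs, applies the
tunnelspecified / excludespecified decision to a destination address, and checks
an exclude list against the IPv4 special-purpose registry.
"""
import ipaddress

# Constructed input: the "Local" list exactly as on this page.
LOCAL_ACL = """\
access-list Local standard permit 0.0.0.0 255.0.0.0
access-list Local standard permit 10.0.0.0 255.0.0.0
access-list Local standard permit 100.64.0.0 255.192.0.0
access-list Local standard permit 127.0.0.0 255.0.0.0
access-list Local standard permit 172.16.0.0 255.240.0.0
access-list Local standard permit 192.0.0.0 255.255.255.0
access-list Local standard permit 192.0.2.0 255.255.255.0
access-list Local standard permit 192.88.99.0 255.255.255.0
access-list Local standard permit 192.168.0.0 255.255.0.0
access-list Local standard permit 198.18.0.0 255.254.0.0
access-list Local standard permit 198.51.100.0 255.255.255.0
access-list Local standard permit 203.0.113.0 255.255.255.0
access-list Local standard permit 224.0.0.0 240.0.0.0
access-list Local standard permit 240.0.0.0 240.0.0.0
access-list Local standard permit host 255.255.255.255
"""

# Assumed definition of the "LAN" list the page references but does not show.
LAN_ACL = "access-list LAN standard permit 10.0.0.0 255.255.255.0\n"

# IPv4 special-purpose ranges (RFC 6890 registry), constructed for the coverage check.
SPECIAL_PURPOSE_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.88.99.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "240.0.0.0/4", "255.255.255.255/32",
)]


def parse_standard_acl(text: str) -> dict:
    """Map ACL name -> [IPv4Network] from 'access-list NAME standard permit ...' lines."""
    acls = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "access-list" or parts[2] != "standard":
            continue
        name, action = parts[1], parts[3]
        if action != "permit":
            continue  # deny entries add nothing to a split-tunnel list
        if parts[4] == "host":
            net = ipaddress.ip_network(parts[5] + "/32")
        else:  # ASA standard ACLs use a subnet mask, not a wildcard mask
            net = ipaddress.ip_network(f"{parts[4]}/{parts[5]}", strict=False)
        acls.setdefault(name, []).append(net)
    return acls


def is_tunneled(policy: str, networks: list, dst: str) -> bool:
    """Does traffic to dst enter the VPN tunnel under this split-tunnel-policy?"""
    addr = ipaddress.ip_address(dst)
    listed = any(addr in n for n in networks if n.version == addr.version)
    if policy == "tunnelall":
        return True
    if policy == "tunnelspecified":   # only the listed networks go through the tunnel
        return listed
    if policy == "excludespecified":  # everything except the listed networks
        return not listed
    raise ValueError(f"unknown split-tunnel-policy {policy}")


def missing_special_purpose(networks: list) -> list:
    """Special-purpose IPv4 ranges that an exclude list does not fully cover."""
    v4 = [n for n in networks if n.version == 4]
    return [str(r) for r in SPECIAL_PURPOSE_V4 if not any(r.subnet_of(n) for n in v4)]


if __name__ == "__main__":
    local = parse_standard_acl(LOCAL_ACL)["Local"]
    lan = parse_standard_acl(LAN_ACL)["LAN"]
    print("excl. LAN, 10.0.0.5 tunneled:", is_tunneled("excludespecified", local, "10.0.0.5"))
    print("excl. LAN, 1.1.1.1 tunneled:", is_tunneled("excludespecified", local, "1.1.1.1"))
    print("LAN only, 10.0.1.5 tunneled:", is_tunneled("tunnelspecified", lan, "10.0.1.5"))
    print("not covered by Local:", missing_special_purpose(local))
```

The IPv6 case shows the caveat from the text: with an IPv4-only list, an excludespecified policy excludes nothing for IPv6, so every IPv6 destination is tunneled.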

Pushing the client profile

  • Under Group Policy -> Advanced -> AnyConnect Client, select the profile to be downloaded
  • The client profile must be assigned to the corresponding group policy
  • The connection profile must reference that group policy

Making the ASA appear in traceroute

By default the ASA does not decrement the TTL (it hides itself as a hop), which is inconvenient for debugging. To make it show up in traceroute results:

icmp unreachable rate-limit 10 burst-size 5
policy-map global_policy
 class class-default
  set connection decrement-ttl
