Goal
Set up the ASA as a VPN access point hanging off the existing gateway router, so that clients connecting with AnyConnect can reach both the local LAN and the Internet. The firewall is left fully open.
The example uses the following addressing:
- Existing LAN: 10.0.0.0/24
- Gateway: 10.0.0.1
- ASA: 10.0.0.2
- AnyConnect client address pools: 10.0.253.0/24, fd00::/64
Configuration
Hardware
- To load the AnyConnect packages for every desktop platform, upgrade the SD card to at least 1 GB
- For CSD or HostScan, upgrade the memory to 1 GB
- AnyConnect and the trunking feature used below each require a specific software licence
Basic configuration
- Hostname
- VLAN
- IP address and default route
- DNS
- NTP
```
hostname vpngw
domain-name local
clock timezone HKST 8
ntp server 10.0.0.1 source inside prefer
!
interface Ethernet0/0
 switchport mode trunk
 switchport trunk allowed vlan 1
 switchport trunk native vlan 1
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.2 255.255.255.0
 ipv6 nd suppress-ra
!
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.0.0.1
 domain-name local
route inside 0.0.0.0 0.0.0.0 10.0.0.1
```
Remote management
Enable ASDM and SSH. AnyConnect also needs the HTTP server, so it is switched on here as well. (The AnyConnect service is not restricted by the `http` access list; that list only needs to cover the management network.)
```
asdm image disk0:/asdm-7121.bin
http server enable
http 10.0.0.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.0 inside
ssh version 2
```
Basic security settings
- Allow traffic to be forwarded between interfaces with the same security level
- Set an enable password
- Create a user
- Configure authentication for every login method
- Turn off unnecessary services
To keep the configuration simple, no external authentication method is added here; the AnyConnect setup later also uses the local user database as its only authentication source. The passwords in the example are placeholders; use strong ones on a real deployment.
```
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
! placeholder passwords, replace with strong ones
enable password 114514
username admin password 114514 privilege 15
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
telnet timeout 30
ssh timeout 30
console timeout 30
no call-home reporting anonymous
```
Adding routes for the AnyConnect client range
Static routing
On the edge router, add a route for the AnyConnect client range pointing at the ASA's IP address.
Dynamic routing
As discussed in the earlier post "Dynamic routing protocol and NAT rule setup when a Cisco ASA acts as an AnyConnect server", redistributing the per-client routes that the ASA installs when an AnyConnect client connects into a dynamic routing protocol is prone to bugs. The workaround used here is to create an extra VLAN whose address covers the whole pool, so that the pool is advertised as a connected route. The per-client /32 host routes the ASA installs on connection are more specific than the /24 on the VLAN interface, so client traffic is still delivered into the tunnel rather than out of the VLAN.
OSPF as an example:
```
interface Ethernet0/0
 switchport trunk allowed vlan 1,999
interface Vlan1
! priority 0: never become DR/BDR on the LAN segment
 ospf priority 0
interface Vlan999
 nameif vpn-virtual
 security-level 100
! gives the ASA a connected route covering the whole client pool
 ip address 10.0.253.1 255.255.255.0
router ospf 1
 router-id 10.0.0.2
 network 10.0.0.0 255.255.255.0 area 0
 network 10.0.253.1 255.255.255.0 area 0
 log-adj-changes
```
Importing a TLS certificate
Self-signed
```
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=10.0.0.2,CN=vpngw
 keypair ASDM_LAUNCHER
 crl configure
crypto ca trustpool policy
crypto ca enroll ASDM_Launcher_Access_TrustPoint_0
```
ASDM generates this trustpoint itself. If you type it in by hand, the key pair named by `keypair ASDM_LAUNCHER` has to exist first (`crypto key generate rsa label ASDM_LAUNCHER modulus 2048`), and the trustpoint must be bound to the interface with `ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside`, otherwise the SSL VPN keeps presenting the ASA's default temporary certificate; `show run ssl` shows which trustpoint is in use. Note that the subject only names the internal address and hostname, so clients arriving from the Internet through the gateway's public name will get a name mismatch; for them the externally issued certificate below is the one that matters.
Importing an externally issued certificate
See the earlier post "Importing a certificate into the ASA".
Creating the AnyConnect client address pools
IPv4
```
ip local pool AnyConnectV4 10.0.253.20-10.0.253.254 mask 255.255.255.0
```
IPv6
```
! start address/prefix length, then the number of addresses in the pool
ipv6 local pool AnyConnectV6 fd00::2/64 254
```
Identity NAT with no-proxy-arp for the AnyConnect client range (optional)
This is the "exempt VPN traffic from NAT" rule the ASDM wizard adds: an identity (static any-to-any) NAT for traffic to and from the client pool, so that it bypasses any other NAT rules; `no-proxy-arp` stops the ASA answering ARP for the pool addresses and `route-lookup` makes it choose the egress interface from the routing table instead of the NAT rule.
With this in place the clients can no longer traceroute. I don't know why this is done either, but the ASDM AnyConnect wizard creates this rule by default, so it is recorded here for reference.
```
object network AnyConnectV4
 subnet 10.0.253.0 255.255.255.0
object network AnyConnectV6
 subnet fd00::/64
object-group network AnyConnect_client_pool
 network-object object AnyConnectV4
 network-object object AnyConnectV6
nat (inside,inside) source static any any destination static AnyConnect_client_pool AnyConnect_client_pool no-proxy-arp route-lookup
```
Adding the AnyConnect packages
Every desktop platform needs its webdeploy package loaded on the ASA before its clients can connect. Mobile clients only need the corresponding app installed.
```
webvpn
! the trailing number is the order in which the ASA tries the packages
! when detecting the client OS; put the most common platform first
 anyconnect image disk0:/anyconnect-win-4.8.01090-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-macos-4.8.01090-webdeploy-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux64-4.8.01090-webdeploy-k9.pkg 3
```
Setting the AnyConnect port
Changing the port requires the AnyConnect service to be temporarily disabled, so do it before the next step.
```
crypto ikev2 enable inside client-services port 5443
webvpn
 port 5443
 dtls port 5443
```
Once the port is fixed, add a destination NAT (port-forwarding) rule on the gateway that sends TCP 5443 (TLS) and UDP 5443 (DTLS) to the ASA's IP address. If the IPsec option below is used, UDP 500 and 4500 (IKEv2 and NAT-T) must be forwarded as well.
Configuring the AnyConnect server
SSL VPN only, IPv4 only
```
webvpn
 enable inside
 no anyconnect-essentials
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_DfltAnyConnectProfile internal
group-policy GroupPolicy_DfltAnyConnectProfile attributes
 wins-server none
 dns-server value 10.0.0.1
 vpn-tunnel-protocol ssl-client
 default-domain value local
tunnel-group DfltAnyConnectProfile type remote-access
tunnel-group DfltAnyConnectProfile general-attributes
 address-pool AnyConnectV4
 default-group-policy GroupPolicy_DfltAnyConnectProfile
tunnel-group DfltAnyConnectProfile webvpn-attributes
 group-alias DfltAnyConnectProfile enable
```
Adding IPv6 (optional)
The IPv6 pool is attached to the same tunnel group created above:
```
tunnel-group DfltAnyConnectProfile general-attributes
 ipv6-address-pool AnyConnectV6
```
Adding IPsec VPN (optional)
Note that an IPsec VPN must have a client profile. Upload the client profile XML, or create it through ASDM, before entering the configuration below.
```
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
! the client-services port must match the one chosen in the port section
crypto ikev2 enable inside client-services port 5443
crypto ikev2 remote-access trustpoint ASDM_Launcher_Access_TrustPoint_0
webvpn
 anyconnect profiles DfltAnyConnectProfile_client_profile disk0:/DfltAnyConnectProfile_client_profile.xml
group-policy GroupPolicy_DfltAnyConnectProfile attributes
 vpn-tunnel-protocol ikev2 ssl-client
 webvpn
  anyconnect profiles value DfltAnyConnectProfile_client_profile type user
```
The proposals and policies above are the ASDM wizard's defaults and still offer DES, 3DES, MD5, SHA-1 and DH groups 2 and 5. Keep only what clients actually need: for AnyConnect 4.x an AES-256 proposal with `integrity sha256`, `prf sha256` and `group 14` or higher is sufficient, so delete the DES and 3DES proposals and policies and drop the weak integrity and DH options from the rest.
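A quick way to see what a wizard-generated configuration actually offers is to audit the text of `show running-config`. The following script is an added example, not part of the original post: it parses the `crypto ikev2 policy` and `crypto ipsec ikev2 ipsec-proposal` stanzas from an ASA config dump and flags the weak algorithms. The sample configuration embedded in it is constructed from a subset of the lines above, and the thresholds (DES/3DES/null, MD5/SHA-1, DH groups 1/2/5) are this example's own choice of what to reject.

```python
"""Audit IKEv2 policies and IPsec proposals in a Cisco ASA config dump.

Added example (not from the original post): feed it the text of
`show running-config` and it reports every weak algorithm offered.
"""
import re

# Rejection thresholds are this example's assumption, not the ASA's defaults.
WEAK_ENCRYPTION = {"des", "3des", "null"}
WEAK_INTEGRITY = {"md5", "sha", "sha-1"}   # "sha" on the ASA means SHA-1
WEAK_DH_GROUPS = {"1", "2", "5"}           # MODP groups below 2048 bits

# Constructed sample: a subset of the ASDM wizard output shown above.
SAMPLE_CONFIG = """\
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 remote-access trustpoint ASDM_Launcher_Access_TrustPoint_0
"""

STANZA_RE = re.compile(r"crypto (ikev2 policy \d+|ipsec ikev2 ipsec-proposal \S+)$")


def parse_stanzas(config):
    """Return {stanza heading: [indented sub-lines]} for the two stanza types.

    Any other top-level line ends the current stanza and is ignored.
    """
    stanzas = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                stanzas[current].append(raw.strip())
            continue
        heading = raw.strip()
        current = heading if STANZA_RE.match(heading) else None
        if current is not None:
            stanzas[current] = []
    return stanzas


def audit_ikev2(config):
    """Return a sorted list of (stanza, 'keyword algorithm') findings."""
    findings = []
    for heading, lines in parse_stanzas(config).items():
        is_policy = heading.startswith("crypto ikev2 policy")
        for line in lines:
            words = line.split()
            if is_policy:
                key, values = words[0], words[1:]            # e.g. "group 5 2"
            elif len(words) >= 4 and words[:2] == ["protocol", "esp"]:
                key, values = words[2], words[3:]            # "protocol esp integrity sha-1 md5"
            else:
                continue
            if key == "encryption":
                bad = WEAK_ENCRYPTION.intersection(values)
            elif key in ("integrity", "prf"):
                bad = WEAK_INTEGRITY.intersection(values)
            elif key == "group":
                bad = WEAK_DH_GROUPS.intersection(values)
            else:
                bad = set()
            findings.extend((heading, f"{key} {algo}") for algo in sorted(bad))
    return sorted(findings)


if __name__ == "__main__":
    for stanza, finding in audit_ikev2(SAMPLE_CONFIG):
        print(f"{stanza}: weak {finding}")
```

Run it against a saved `show running-config` and every line it prints is a policy or proposal to prune; an empty result for the whole dump is the check to aim for before exposing IKEv2 on the gateway.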
Other settings
Access control
AnyConnect client traffic enters and leaves through the same interface here, and by default decrypted VPN traffic bypasses interface ACLs altogether (`sysopt connection permit-vpn`), so the firewall effectively permits everything. If the box has other interfaces that the AnyConnect clients should reach, add permit rules for them.
To firewall AnyConnect client traffic with an interface ACL, first turn off the bypass with `no sysopt connection permit-vpn`, then make sure both of the following hold:
- The interface is the public-facing one the clients connect through (here the only candidate is inside)
- The IP addresses are the client address pool
Otherwise the ACL either never matches the traffic or cuts off the public connection itself. The cleaner alternative is a `vpn-filter` ACL on the group policy, which applies only to decrypted client traffic regardless of the interface.
Group policy inheritance
All group policies inherit from DfltGrpPolicy, so commonly used settings can be placed there. Example:
```
group-policy DfltGrpPolicy attributes
 dns-server value 1.1.1.1 1.0.0.1
 vpn-simultaneous-logins 10
 vpn-idle-timeout none
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
 password-storage enable
 ip-comp enable
 pfs enable
 ipsec-udp enable
 default-domain value local
 split-tunnel-all-dns enable
 client-bypass-protocol enable
 nem enable
 address-pools value AnyConnectV4
 ipv6-address-pools value AnyConnectV6
 smartcard-removal-disconnect disable
 webvpn
  url-list value Common
  http-proxy enable
  anyconnect ssl rekey time 5
  anyconnect ssl rekey method ssl
  anyconnect ssl compression deflate
  anyconnect dtls compression lzs
  anyconnect profiles value Default_v6 type user
  anyconnect ask enable default
  anyconnect customization value RouterOS
  anyconnect ssl df-bit-ignore enable
```
Two of these deserve a second look before copying them: `password-storage enable` lets the client save the login password on the endpoint, and listing every protocol under `vpn-tunnel-protocol` means any group policy that does not override it accepts IKEv1, L2TP/IPsec and the clientless portal as well as AnyConnect. Restrict both to what is actually used, and consider a finite `vpn-idle-timeout` rather than `none`.
Disabling DTLS
SSL VPN enables DTLS (TLS over UDP) by default; if your ISP rate-limits UDP, you may need to disable it.
```
webvpn
 enable inside tls-only
```
Split-tunnel route configuration
This demonstrates both an allow-list (only the listed networks go through the VPN) and a deny-list (the listed networks bypass the VPN, everything else is tunnelled). The `Local` list below is the set of private and special-purpose IPv4 ranges; note that ASA standard ACLs take a subnet mask, not a wildcard mask.
```
access-list Local standard permit 0.0.0.0 255.0.0.0
access-list Local standard permit 10.0.0.0 255.0.0.0
access-list Local standard permit 100.64.0.0 255.192.0.0
access-list Local standard permit 127.0.0.0 255.0.0.0
access-list Local standard permit 172.16.0.0 255.240.0.0
access-list Local standard permit 192.0.0.0 255.255.255.0
access-list Local standard permit 192.0.2.0 255.255.255.0
access-list Local standard permit 192.88.99.0 255.255.255.0
access-list Local standard permit 192.168.0.0 255.255.0.0
access-list Local standard permit 198.18.0.0 255.254.0.0
access-list Local standard permit 198.51.100.0 255.255.255.0
access-list Local standard permit 203.0.113.0 255.255.255.0
access-list Local standard permit 224.0.0.0 240.0.0.0
access-list Local standard permit 240.0.0.0 240.0.0.0
access-list Local standard permit host 255.255.255.255
! the LAN list is not shown in the original; assumed here to be the internal subnet
access-list LAN standard permit 10.0.0.0 255.255.255.0
group-policy "AnyConnect Split Tunnel LAN only" attributes
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value LAN
group-policy "AnyConnect Split Tunnel excl. LAN" attributes
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy excludespecified
 ipv6-split-tunnel-policy excludespecified
 split-tunnel-network-list value Local
```
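The difference between the two policies is easy to get backwards, so here is an added example (not part of the original post) that parses standard ACL lines from the configuration and answers "does traffic to this destination enter the tunnel?" for `tunnelspecified` and `excludespecified`. The `Local` entries are a constructed subset of the list above; the `LAN` list is an assumption, since the post does not show it.

```python
"""Decide which destinations an AnyConnect client routes through the tunnel.

Added example, not from the original post.  Parses ASA standard ACL
`permit` lines (subnet mask, not wildcard) and applies the two
split-tunnel policies: tunnelspecified = allow-list, excludespecified =
deny-list.
"""
import ipaddress
import re

# Constructed sample: a subset of the post's "Local" list plus an assumed "LAN" list.
SAMPLE_ACLS = """\
access-list Local standard permit 10.0.0.0 255.0.0.0
access-list Local standard permit 100.64.0.0 255.192.0.0
access-list Local standard permit 172.16.0.0 255.240.0.0
access-list Local standard permit 192.168.0.0 255.255.0.0
access-list Local standard permit host 255.255.255.255
access-list LAN standard permit 10.0.0.0 255.255.255.0
"""

ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) standard permit "
    r"(?:host (?P<host>\S+)|(?P<net>\S+) (?P<mask>\S+))$"
)


def parse_standard_acls(text):
    """Return {acl_name: [IPv4Network, ...]} from standard ACL permit lines."""
    acls = {}
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        if m.group("host"):
            net = ipaddress.ip_network(m.group("host") + "/32")
        else:
            # strict=False tolerates host bits, as in "10.0.253.1 255.255.255.0"
            net = ipaddress.ip_network(f"{m.group('net')}/{m.group('mask')}", strict=False)
        acls.setdefault(m.group("name"), []).append(net)
    return acls


def is_tunnelled(destination, policy, networks):
    """True if traffic to `destination` goes through the VPN under `policy`."""
    addr = ipaddress.ip_address(destination)
    listed = any(addr in net for net in networks)
    if policy == "tunnelspecified":      # only the listed networks are tunnelled
        return listed
    if policy == "excludespecified":     # the listed networks bypass the tunnel
        return not listed
    raise ValueError(f"unknown split-tunnel policy: {policy}")


def tunnel_decisions(acl_text, policy, acl_name, destinations):
    """Map each destination to its tunnel decision for one group policy."""
    networks = parse_standard_acls(acl_text)[acl_name]
    return {d: is_tunnelled(d, policy, networks) for d in destinations}


if __name__ == "__main__":
    targets = ["10.0.0.5", "10.8.0.1", "192.168.1.1", "1.1.1.1", "100.100.0.1"]
    print("LAN only :", tunnel_decisions(SAMPLE_ACLS, "tunnelspecified", "LAN", targets))
    print("excl. LAN:", tunnel_decisions(SAMPLE_ACLS, "excludespecified", "Local", targets))
```

Note what the deny-list does to the LAN itself: because `Local` contains all of 10.0.0.0/8, the "excl. LAN" policy sends traffic for 10.0.0.0/24 out of the client's local interface, not through the VPN, which is exactly what that policy is for; anything outside the listed ranges, such as 1.1.1.1, is tunnelled.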
Pushing the client profile
- Under Group Policy -> Advanced -> AnyConnect Client, select the profile to be downloaded
- The client profile must be assigned to the corresponding group policy
- The connection profile must reference that group policy
Making the ASA appear in traceroute output
By default the ASA does not decrement the TTL (it hides itself as a hop), which is inconvenient for debugging. To make it show up in traceroute results:
```
icmp unreachable rate-limit 10 burst-size 5
policy-map global_policy
 class class-default
  set connection decrement-ttl
```