Published 2024-06-13 (author: )

I. Network topology

[Network topology diagram: firewall with an outside interface and an inside interface; interface names and addresses were shown in the original figure]

The firewall has three interfaces configured; the interface names and IP addresses are assigned as shown in the topology diagram above. The IP address pool for VPN clients is 100.100.100.0 255.255.255.0.

II. Configuration steps

1. Create the dynamic map

crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto dynamic-map dymap 1 set transform-set myset
crypto dynamic-map dymap 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dymap
crypto map mymap interface Internet
crypto isakmp enable Internet
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20

2. Create the tunnel group

tunnel-group manager type ipsec-ra
tunnel-group manager general-attributes
 address-pool vpn_pool_100
 authorization-required
tunnel-group manager ipsec-attributes
 pre-shared-key *

3. Add the access-list entries

access-list inside_nat0_outbound extended permit ip 100.100.100.0 255.255.255.
access-list split-ssl extended permit 0 100.100.100.0 255.255.255.224

4. Create the group policy; except where annotated, all settings are the ASDM defaults

group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 10
 vpn-session-timeout none
 vpn-filter value inside_nat0_outbound --added from the access-list above
 vpn-tunnel-protocol IPSec --the tunnel uses IPsec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified --whether split tunneling is used; if split tunneling is not specified, the client's default gateway is changed to the VPN-assigned address once the connection is established
 split-tunnel-network-list value split-ssl --the policy used for split tunneling, from the access-list above
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
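As an added example (not part of the original post, and not Cisco tooling), a small Python review script that parses the Phase 1 policy and group-policy lines above, embedded here as a constructed sample, and flags settings a reviewer would want to look at: the 3DES cipher and DH group 2 in the ISAKMP policy, PFS disabled, and a split-tunnel ACL that is referenced but not present in the parsed text. The `WEAK_ISAKMP` table, the function names and the wording of the findings are this example's own assumptions.

```python
# Added example (hypothetical helper, not Cisco tooling): lint the VPN settings from this page.
import re

# Constructed sample from the page's Phase 1 / group-policy lines; the split-ssl
# access-list is deliberately left out so that the last check fires.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
group-policy DfltGrpPolicy attributes
 pfs disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-ssl
"""

# ISAKMP values a reviewer should flag (assumption: DES/3DES, MD5 and the
# 1024-bit DH groups are deprecated by current guidance).
WEAK_ISAKMP = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}


def parse_isakmp_policy(config):
    """Return {attribute: value} for the first 'crypto isakmp policy' block."""
    policy, in_block = {}, False
    for line in config.splitlines():
        if line.startswith("crypto isakmp policy"):
            in_block = True
            continue
        if in_block:
            if not line.startswith(" "):  # indented lines belong to the policy
                break
            key, _, value = line.strip().partition(" ")
            policy[key] = value
    return policy


def review(config):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    policy = parse_isakmp_policy(config)
    for attr, weak in WEAK_ISAKMP.items():
        if policy.get(attr) in weak:
            findings.append(f"isakmp policy uses weak {attr} '{policy[attr]}'")
    if re.search(r"^\s*pfs disable$", config, re.M):
        findings.append("group-policy disables PFS for Phase 2")
    acl = re.search(r"^\s*split-tunnel-network-list value (\S+)", config, re.M)
    if acl and not re.search(rf"^access-list {acl.group(1)} ", config, re.M):
        findings.append(f"split-tunnel ACL '{acl.group(1)}' is not defined")
    return findings
```

Run `review()` over a `show running-config` capture to get the same findings for a live box; the Phase 2 transform-set already uses AES-256, so only the Phase 1 parameters and the group-policy are reported here.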