ve #669999;font-size:larger;vertical-align:middle;text-align:left;font-weight:bold
tunnel-group-list enable
注:也可通过ASDM图形界面进行配置
登录后,可访问内部资源,如下例:(客户端首先要安装Java插件jre-1_5_0-windows-i586.exe,并打开浏览器的ActiveX)
1) https://sslvpn.test.com.cn 输入用户名和密码
2) 出现工具条
3) 在Enter Web Address内输入192.168.40.8即可访问内部网站
4)在browse network输入192.168.40.8即可访问共享文件
5)点击application access,即可查看端口转发设置,如使用putty访问本机的2023端口,则即可通过ssh登录192.168.40.8
8. 远程拨入VPN
相关的ASA配置命令如下:
access-list inside_access_in extended permit ip object-group remotegroup any
access-list inside_access_in extended permit icmp object-group remotegroup any
access-list remotevpn_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list vpnclient_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
ip local pool dialuserIP 192.168.101.1-192.168.101.254 mask 255.255.255.0
group-policy remotevpn attributes
dns-server value 202.96.128.68 192.168.40.16
default-domain value test.com.cn
username jiang password Csmep3VzvPQPCbkx encrypted privilege 15
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
tunnel-group remotevpn type ipsec-ra
tunnel-group remotevpn general-attributes
address-pool dialuserIP
default-group-policy remotevpn
tunnel-group remotevpn ipsec-attributes
pre-shared-key *
客户端设置如下:
9. 日志服务器配置
logging enable
logging timestamp
logging emblem
logging trap informational
logging asdm warnings
logging host inside 192.168.40.115 format emblem
logging permit-hostdown
vpn-simultaneous-logins 3
10. Snmp网管配置
snmp-server host inside 192.168.40.47 community testsnmp
snmp-server location DG-GTEST
snmp-server contact jiangdaoyou:6162
snmp-server community testsnmp
snmp-server enable traps snmp authentication linkup linkdown coldstart
注:指定主机后,192.168.40.47才可能进行管理11. ACS配置
安装后管理:http://ip:2002 通过ACS可以进行授权、认证等等很多功能
因内容太多,暂省略
12. AAA配置
Aaa服务器配置:
aaa-server radius_dg host dc03.xxxx.com
key dfdfdfdf146**U
authentication-port 1812
accounting-port 1813
radius-common-pw dfdfdfdf146**U
对于拨入vpn的配置
tunnel-group vg_testerp general-attributes
address-pool ciscovpnuser
authentication-server-group radius_dg
default-group-policy vg_testerp
13. 升级IOS
copy tftp://192.168.40.180/asa/asa721-k8.bin disk0:/asa721-k8.bin
boot system disk0:/asa721-k8.bin (多个Image时使用)
14. 疑难杂症
1) 在远程子网不能ping通过对方的网关,如在无锡格兰不能ping 192.168.40.251
输入命令:management-access inside (通过ASDM不能设置这一项)
2) NAT有时不能快速启作用
使用命令:clear xlate即可
文章整理:西部数码--专业提供域名注册、虚拟主机服务
http://www.west263.com
以上信息与文章正文是不可分割的一部分,如果您要转载本文章,请保留以上信息,谢谢!
