image.png

SSL VPN 无客户端模式

  • 基于浏览器实现,所有内容都承载到浏览器上。
  • 访问ASA身后网络,采用与身后网络相连接口地址。

image.png

  1. webvpn
  2.  enable inside
  3. username ccie password ccie encrypted privilege 15

默认配置

  1. tunnel-group DefaultWEBVPNGroup type remote-access
  2. tunnel-group DefaultWEBVPNGroup general-attributes
  3.  no address-pool
  4.  no ipv6-address-pool
  5.  authentication-server-group LOCAL
  6.  secondary-authentication-server-group none
  7.  no accounting-server-group
  8.  default-group-policy DfltGrpPolicy
  9.  no dhcp-server
  10.  no strip-realm
  11.  no nat-assigned-to-public-ip
  12.  no scep-enrollment enable
  13.  no password-management
  14.  no strip-group
  15.  no authorization-required
  16.  username-from-certificate CN OU
  17.  secondary-username-from-certificate CN OU
  18.  authentication-attr-from-server primary
  19.  authenticated-session-username primary
  20. tunnel-group DefaultWEBVPNGroup webvpn-attributes
  21.  customization DfltCustomization
  22.  authentication aaa
  23.  no override-svc-download
  24.  no radius-reject-message
  25.  no proxy-auth sdi
  26.  no pre-fill-username ssl-client
  27.  no pre-fill-username clientless
  28.  no secondary-pre-fill-username ssl-client
  29.  no secondary-pre-fill-username clientless
  30.  dns-group DefaultDNS
  31.  no without-csd
  34.  ciscoasa/sec/act# show run all group-policy
  35. group-policy DfltGrpPolicy internal
  36. group-policy DfltGrpPolicy attributes
  37.  banner none
  38.  wins-server none
  39.  dns-server none
  40.  dhcp-network-scope none
  41.  vpn-access-hours none
  42.  vpn-simultaneous-logins 3
  43.  vpn-idle-timeout 30
  44.  vpn-idle-timeout alert-interval 1
  45.  vpn-session-timeout none
  46.  vpn-session-timeout alert-interval 1
  47.  vpn-filter none
  48.  ipv6-vpn-filter none
  49.  vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-clientless
  50.  password-storage disable
  51.  ip-comp disable
  52.  re-xauth disable
  53.  group-lock none
  54.  pfs disable
  55.  ipsec-udp disable
  56.  ipsec-udp-port 10000
  57.  split-tunnel-policy tunnelall
  58.  ipv6-split-tunnel-policy tunnelall
  59.  split-tunnel-network-list none
  60.  default-domain none
  61.  split-dns none
  62.  split-tunnel-all-dns disable
  63.  intercept-dhcp 255.255.255.255 disable
  64.  secure-unit-authentication disable
  65.  user-authentication disable
  66.  user-authentication-idle-timeout 30
  67.  ip-phone-bypass disable
  68.  client-bypass-protocol disable
  69.  gateway-fqdn none
  70.  leap-bypass disable
  71.  nem disable
  72.  backup-servers keep-client-config
  73.  msie-proxy server none
  74.  msie-proxy method no-modify
  75.  msie-proxy except-list none
  76.  msie-proxy local-bypass disable
  77.  msie-proxy pac-url none
  78.  msie-proxy lockdown enable
  79.  vlan none
  80.  address-pools none
  81.  ipv6-address-pools none
  82.  smartcard-removal-disconnect enable
  83.  scep-forwarding-url none
  84.  security-group-tag none
  85.  periodic-authentication certificate none
  86.  client-firewall none
  87.  client-access-rule none
  88.  webvpn
  89.   url-list none
  90.   filter none
  91.   homepage none
  92.   html-content-filter none
  93.   port-forward name Application Access
  94.   port-forward disable
  95.   http-proxy disable
  96.   anyconnect ssl dtls enable
  97.   anyconnect mtu 1406
  98.   anyconnect firewall-rule client-interface private none
  99.   anyconnect firewall-rule client-interface public none
  100.   anyconnect keep-installer installed
  101.   anyconnect ssl keepalive 20
  102.   anyconnect ssl rekey time none
  103.   anyconnect ssl rekey method none
  104.   anyconnect dpd-interval client 30
  105.   anyconnect dpd-interval gateway 30
  106.   anyconnect ssl compression none
  107.   anyconnect dtls compression none
  108.   anyconnect modules none
  109.   anyconnect profiles none
  110.   anyconnect ask none
  111.   customization none
  112.   keep-alive-ignore 4
  113.   http-comp gzip
  114.   download-max-size 2147483647
  115.   upload-max-size 2147483647
  116.   post-max-size 2147483647
  117.   user-storage none
  118.   storage-objects value cookies,credentials
  119.   storage-key none
  120.   hidden-shares none
  121.   smart-tunnel disable
  122.   activex-relay enable
  123.   unix-auth-uid 65534
  124.   unix-auth-gid 65534
  125.   file-entry enable
  126.   file-browsing enable
  127.   url-entry enable
  128.   deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  129.   smart-tunnel auto-signon disable
  130.   anyconnect ssl df-bit-ignore disable
  131.   anyconnect routing-filtering-ignore disable
  132.   smart-tunnel tunnel-policy tunnelall
  133.   always-on-vpn profile-setting

image.png

image.png
image.png
image.png

错误原因总结

image.png

  • ASA 没有对应路由,找不到对应设备,检查路由。
  • ASA 有对应路由,但是该设备不提供访问,检查对端设备是否开放对应服务。

image.png

  • 要求提供15等级账号,账号错误或者等级不够。
  • 需要配置认证方式,本地、aaa、域等方式。

SSL

  • SSL 位于传输层之上,应用层之下
  • 提供私密性,完整性,身份验证机制

image.png

SSL VPN 三种工作模式

Clientless Mode

  • 无客户端模式
  • 提供安全的web资源和基于WEB内容访问
  • 提供CIFS提供远程文件共享
  • 受限于Web平台可提供的能力

Thin Client Mode

  • 瘦客户端模式,也称为端口转发
  • 提供客户端TCP服务的远程访问
    • POP3
    • SMTP
    • IMAP
    • Telnet
    • SSH
  • 瘦客户端是在SSLVPN会话建立的通过java程序方式进行下载
  • 增强了网页浏览器的加密功能
  • PF支持所有单一信道,客户服务器模型的TCP运用

Thick Client Mode

  • 厚客户端模式,也叫做Tunnel Mode、Full Tunnel
  • 提供更广的应用程序支持,支持所有使用IP协议的应用
  • Cisco 提供Cisco anyconnect VPN 软件进行拨号,使用TCP 443端口号