forum.opennet.ru

Составление сообщения

Исходное сообщение

"ASA5506 + anyconnect VPN"
Отправлено cr1m2, 29-Янв-19 10:24

>> AnyConnect Premium Peers
>> : 2
>>     perpetual
>> не достаточно лицензий?
> Для личного пользования должно хватать.
> Покажите конфиг и sh webvpn anyconnect
ВОт кусок конфига
ip local pool anyconnect_pool 192.168.133.10-192.168.133.60 mask 255.255.255.0
interface GigabitEthernet1/8
nameif outside
security-level 90
ip address X.X.X.X 255.255.255.192

access-list outside_access_in extended permit icmp any4 any4 unreachable
access-list outside_access_in extended permit icmp any4 any4 time-exceeded
access-list outside_access_in extended permit icmp any4 any4 echo
access-list outside_access_in extended permit icmp any4 any4 echo-reply
access-list outside_access_in extended permit icmp any4 any4 traceroute
access-list outside_access_in extended permit tcp any4 any4 eq https
access-list SPLIT_Tunnel remark To the local network
access-list SPLIT_Tunnel standard permit 192.168.0.0 255.255.0.0
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
nat (inside,outside) source dynamic internet_access_via_asa interface
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.133.0_26 NETWORK_OBJ_192.168.133.0_26 no-proxy-arp route-lookup
access-group outside_access_in in interface outside
Настройки ааа опущу, т.к. авторизация через ssh работает нормально, далее
http server enable 8443
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map infolada_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ASA5506
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate 292c585b
    <...>
    20d92d3d 279f9610 05a84344 beb322ba 0a41
  quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outsiede client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
ssl cipher default custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"
ssl cipher tlsv1.1 low
ssl cipher tlsv1.2 low
ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"
ssl trust-point ASDM_TrustPoint0 outside
ssl certificate-authentication interface outside port 443
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.1.05187-k9.pkg 1
anyconnect profiles Anyconnect_VPN_client_profile disk0:/Anyconnect_VPN_client_profile.xml
anyconnect enable
tunnel-group-list enable
cache
  disable
error-recovery disable
group-policy GroupPolicy_Anyconnect_VPN internal
group-policy GroupPolicy_Anyconnect_VPN attributes
wins-server none
dns-server value 192.168.1.2 192.168.1.3
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_Tunnel
default-domain value corp.test.com
webvpn
  anyconnect keep-installer installed
  anyconnect dpd-interval client 20
  anyconnect profiles value Anyconnect_VPN_client_profile type user
  anyconnect ask none default anyconnect
dynamic-access-policy-record DfltAccessPolicy
tunnel-group Anyconnect_VPN type remote-access
tunnel-group Anyconnect_VPN general-attributes
address-pool anyconnect_pool
authentication-server-group actdir-srv1
default-group-policy GroupPolicy_Anyconnect_VPN
tunnel-group Anyconnect_VPN webvpn-attributes
group-alias Anyconnect_VPN enable

Исходное сообщение
"ASA5506 + anyconnect VPN" Отправлено cr1m2, 29-Янв-19 10:24
>> AnyConnect Premium Peers >> : 2 >> perpetual >> не достаточно лицензий? > Для личного пользования должно хватать. > Покажите конфиг и sh webvpn anyconnect ВОт кусок конфига ip local pool anyconnect_pool 192.168.133.10-192.168.133.60 mask 255.255.255.0 interface GigabitEthernet1/8 nameif outside security-level 90 ip address X.X.X.X 255.255.255.192 access-list outside_access_in extended permit icmp any4 any4 unreachable access-list outside_access_in extended permit icmp any4 any4 time-exceeded access-list outside_access_in extended permit icmp any4 any4 echo access-list outside_access_in extended permit icmp any4 any4 echo-reply access-list outside_access_in extended permit icmp any4 any4 traceroute access-list outside_access_in extended permit tcp any4 any4 eq https access-list SPLIT_Tunnel remark To the local network access-list SPLIT_Tunnel standard permit 192.168.0.0 255.255.0.0 access-list AnyConnect_Client_Local_Print extended deny ip any4 any4 access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631 access-list AnyConnect_Client_Local_Print remark Windows' printing port access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100 access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353 access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355 access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137 access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns nat (inside,outside) source dynamic internet_access_via_asa interface nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.133.0_26 NETWORK_OBJ_192.168.133.0_26 no-proxy-arp route-lookup access-group outside_access_in in interface outside Настройки ааа опущу, т.к. авторизация через ssh работает нормально, далее http server enable 8443 crypto ipsec ikev2 ipsec-proposal AES256 protocol esp encryption aes-256 protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES192 protocol esp encryption aes-192 protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES protocol esp encryption aes protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal 3DES protocol esp encryption 3des protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal DES protocol esp encryption des protocol esp integrity sha-1 md5 crypto ipsec security-association pmtu-aging infinite crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map outside_map interface outside crypto map infolada_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto ca trustpoint ASDM_TrustPoint0 enrollment self subject-name CN=ASA5506 crl configure crypto ca trustpool policy crypto ca certificate chain ASDM_TrustPoint0 certificate 292c585b <...> 20d92d3d 279f9610 05a84344 beb322ba 0a41 quit crypto ikev2 policy 1 encryption aes-256 integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 10 encryption aes-192 integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 20 encryption aes integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 30 encryption 3des integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 40 encryption des integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 enable outsiede client-services port 443 crypto ikev2 remote-access trustpoint ASDM_TrustPoint0 ssl cipher default custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA" ssl cipher tlsv1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA" ssl cipher tlsv1.1 low ssl cipher tlsv1.2 low ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA" ssl trust-point ASDM_TrustPoint0 outside ssl certificate-authentication interface outside port 443 webvpn enable outside anyconnect image disk0:/anyconnect-win-3.1.05187-k9.pkg 1 anyconnect profiles Anyconnect_VPN_client_profile disk0:/Anyconnect_VPN_client_profile.xml anyconnect enable tunnel-group-list enable cache disable error-recovery disable group-policy GroupPolicy_Anyconnect_VPN internal group-policy GroupPolicy_Anyconnect_VPN attributes wins-server none dns-server value 192.168.1.2 192.168.1.3 vpn-tunnel-protocol ikev2 ssl-client split-tunnel-policy tunnelspecified split-tunnel-network-list value SPLIT_Tunnel default-domain value corp.test.com webvpn anyconnect keep-installer installed anyconnect dpd-interval client 20 anyconnect profiles value Anyconnect_VPN_client_profile type user anyconnect ask none default anyconnect dynamic-access-policy-record DfltAccessPolicy tunnel-group Anyconnect_VPN type remote-access tunnel-group Anyconnect_VPN general-attributes address-pool anyconnect_pool authentication-server-group actdir-srv1 default-group-policy GroupPolicy_Anyconnect_VPN tunnel-group Anyconnect_VPN webvpn-attributes group-alias Anyconnect_VPN enable

Ваше сообщение
Имя*:
EMail:	Для отправки новых сообщений в текущей нити на email укажите знак ! перед адресом, например, !user@host.ru (!! - не показывать email). Более тонкая настройка отправки ответов производится в профиле зарегистрированного участника форума.
Заголовок*:
Сообщение*:	>>> AnyConnect Premium Peers >>> : 2 >>> perpetual >>> не достаточно лицензий? >> Для личного пользования должно хватать. >> Покажите конфиг и sh webvpn anyconnect > ВОт кусок конфига > ip local pool anyconnect_pool 192.168.133.10-192.168.133.60 mask 255.255.255.0 > interface GigabitEthernet1/8 > nameif outside > security-level 90 > ip address X.X.X.X 255.255.255.192 > access-list outside_access_in extended permit icmp any4 any4 unreachable > access-list outside_access_in extended permit icmp any4 any4 time-exceeded > access-list outside_access_in extended permit icmp any4 any4 echo > access-list outside_access_in extended permit icmp any4 any4 echo-reply > access-list outside_access_in extended permit icmp any4 any4 traceroute > access-list outside_access_in extended permit tcp any4 any4 eq https > access-list SPLIT_Tunnel remark To the local network > access-list SPLIT_Tunnel standard permit 192.168.0.0 255.255.0.0 > access-list AnyConnect_Client_Local_Print extended deny ip any4 any4 > access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd > access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol > access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631 > access-list AnyConnect_Client_Local_Print remark Windows' printing port > access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100 > access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol > access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 > eq 5353 > access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution > protocol > access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 > eq 5355 > access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol > access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137 > access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns > nat (inside,outside) source dynamic internet_access_via_asa interface > nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.133.0_26 > NETWORK_OBJ_192.168.133.0_26 no-proxy-arp route-lookup > access-group outside_access_in in interface outside > Настройки ааа опущу, т.к. авторизация через ssh работает нормально, далее > http server enable 8443 > crypto ipsec ikev2 ipsec-proposal AES256 > protocol esp encryption aes-256 > protocol esp integrity sha-1 md5 > crypto ipsec ikev2 ipsec-proposal AES192 > protocol esp encryption aes-192 > protocol esp integrity sha-1 md5 > crypto ipsec ikev2 ipsec-proposal AES > protocol esp encryption aes > protocol esp integrity sha-1 md5 > crypto ipsec ikev2 ipsec-proposal 3DES > protocol esp encryption 3des > protocol esp integrity sha-1 md5 > crypto ipsec ikev2 ipsec-proposal DES > protocol esp encryption des > protocol esp integrity sha-1 md5 > crypto ipsec security-association pmtu-aging infinite > crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 > AES 3DES DES > crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP > crypto map outside_map interface outside > crypto map infolada_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP > crypto ca trustpoint ASDM_TrustPoint0 > enrollment self > subject-name CN=ASA5506 > crl configure > crypto ca trustpool policy > crypto ca certificate chain ASDM_TrustPoint0 > certificate 292c585b > <...> > 20d92d3d 279f9610 05a84344 beb322ba 0a41 > quit > crypto ikev2 policy 1 > encryption aes-256 > integrity sha > group 5 2 > prf sha > lifetime seconds 86400 > crypto ikev2 policy 10 > encryption aes-192 > integrity sha > group 5 2 > prf sha > lifetime seconds 86400 > crypto ikev2 policy 20 > encryption aes > integrity sha > group 5 2 > prf sha > lifetime seconds 86400 > crypto ikev2 policy 30 > encryption 3des > integrity sha > group 5 2 > prf sha > lifetime seconds 86400 > crypto ikev2 policy 40 > encryption des > integrity sha > group 5 2 > prf sha > lifetime seconds 86400 > crypto ikev2 enable outsiede client-services port 443 > crypto ikev2 remote-access trustpoint ASDM_TrustPoint0 > ssl cipher default custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA" > ssl cipher tlsv1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA" > ssl cipher tlsv1.1 low > ssl cipher tlsv1.2 low > ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA" > ssl trust-point ASDM_TrustPoint0 outside > ssl certificate-authentication interface outside port 443 > webvpn > enable outside > anyconnect image disk0:/anyconnect-win-3.1.05187-k9.pkg 1 > anyconnect profiles Anyconnect_VPN_client_profile disk0:/Anyconnect_VPN_client_profile.xml > anyconnect enable > tunnel-group-list enable > cache > disable > error-recovery disable > group-policy GroupPolicy_Anyconnect_VPN internal > group-policy GroupPolicy_Anyconnect_VPN attributes > wins-server none > dns-server value 192.168.1.2 192.168.1.3 > vpn-tunnel-protocol ikev2 ssl-client > split-tunnel-policy tunnelspecified > split-tunnel-network-list value SPLIT_Tunnel > default-domain value corp.test.com > webvpn > anyconnect keep-installer installed > anyconnect dpd-interval client 20 > anyconnect profiles value Anyconnect_VPN_client_profile type user > anyconnect ask none default anyconnect > dynamic-access-policy-record DfltAccessPolicy > tunnel-group Anyconnect_VPN type remote-access > tunnel-group Anyconnect_VPN general-attributes > address-pool anyconnect_pool > authentication-server-group actdir-srv1 > default-group-policy GroupPolicy_Anyconnect_VPN > tunnel-group Anyconnect_VPN webvpn-attributes > group-alias Anyconnect_VPN enable
	Введите код, изображенный на картинке:

При общении не допускается: неуважительное отношение к собеседнику, хамство, унизительное обращение, ненормативная лексика, переход на личности, агрессивное поведение, обесценивание собеседника, провоцирование флейма голословными и заведомо ложными заявлениями. Не отвечайте на сообщения, явно нарушающие правила - удаляются не только сами нарушения, но и все ответы на них. Лог модерирования.

Партнёры:

Хостинг:

Закладки на сайте
Проследить за страницей

Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру