CISCO Anyconnect ACCESS

From Xinux Wiki

Providing AnyConnect images

Identify

  • ciscoasa# dir any*
Directory of disk0:/any*

109    -rwx  2672571      12:58:22 Feb 16 2016  anyconnect-win-2.3.2016-k9.pkg
112    -rwx  4293149      12:59:07 Feb 16 2016  anyconnect-linux-2.3.2016-k9.pkg
113    -rwx  4246430      13:05:44 Feb 16 2016  anyconnect-macosx-i386-2.3.2016-k9.pkg

127111168 bytes total (6127616 bytes free)

Assign

  • ciscoasa# configure terminal
  • ciscoasa(config)# webvpn
  • ciscoasa(config-webvpn)# anyconnect image anyconnect-win-2.3.2016-k9.pkg 1
  • ciscoasa(config-webvpn)# anyconnect image anyconnect-macosx-i386-2.3.2016-k9.pkg 2
  • ciscoasa(config-webvpn)# anyconnect image anyconnect-linux-2.3.2016-k9.pkg 3

Enable the interface

  • ciscoasa(config-webvpn)# enable if-outside
INFO: WebVPN and DTLS are enabled on 'if-outside'.

Enable AnyConnect

  • ciscoasa(config-webvpn)# anyconnect enable
  • ciscoasa(config-webvpn)# exit

Create the IP pool

  • ciscoasa(config)# ip local pool anyconnect-pool 172.29.29.11-172.29.29.20 mask 255.255.255.0

Define the tunnel group

  • ciscoasa(config)# tunnel-group anyconnect-tunnel-group type remote-access
  • ciscoasa(config)# tunnel-group anyconnect-tunnel-group general-attributes
  • ciscoasa(config-tunnel-general)# address-pool anyconnect-pool

No idea what this is for?

  • ciscoasa(config)# group-policy sales internal
  • hostname(config)# group-policy sales attributes
  • hostname(config-group-policy)# webvpn
  • hostname(config-group-policy)# anyconnect keep-installer installed

Assigns a default group policy to the tunnel group.

  • ciscoasa(config)# tunnel-group anyconnect-tunnel-group general-attributes
  • ciscoasa(config-tunnel-general)# default-group-policy sales

Creates a group alias, the name under which the tunnel group appears in the tunnel-group list

  • ciscoasa(config)# tunnel-group anyconnect-tunnel-group webvpn-attributes
  • ciscoasa(config-tunnel-webvpn)# group-alias sales_department enable

Enables the display of the tunnel-group list

  • ciscoasa(config)# webvpn
  • ciscoasa(config-webvpn)# tunnel-group-list enable

Specifies the AnyConnect client as a permitted VPN tunneling protocol for the group or user (vpn-tunnel-protocol)

  • ciscoasa(config)# group-policy sales attributes
  • ciscoasa(config-group-policy)# vpn-tunnel-protocol ssl-client

AnyConnect from ASDM

ip local pool xinux-address-pool 192.168.68.11-192.168.68.20 mask 255.255.255.0

object network NETWORK_OBJ_192.168.68.0_27
 subnet 192.168.68.0 255.255.255.224
nat (if-inside,if-outside) source static any any destination static NETWORK_OBJ_192.168.68.0_27 NETWORK_OBJ_192.168.68.0_27 no-proxy-arp route-lookup
webvpn        
 enable if-outside
 anyconnect image disk0:/anyconnect-win-2.3.2016-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-2.3.2016-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux-2.3.2016-k9.pkg 3
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_xinux-anyconnect-profile internal
group-policy GroupPolicy_xinux-anyconnect-profile attributes
 wins-server none
 dns-server value 192.168.240.200
 vpn-tunnel-protocol ssl-client 
 default-domain value xinux.org
username david password 0Br2FOp1w3TflBlH encrypted
username admin password 06booZwyTnK6xj53 encrypted privilege 15
username thomas password LVVNDGiRI9EzFf1b encrypted
tunnel-group xinux-anyconnect-profile type remote-access
tunnel-group xinux-anyconnect-profile general-attributes
 address-pool xinux-address-pool
 default-group-policy GroupPolicy_xinux-anyconnect-profile
tunnel-group xinux-anyconnect-profile webvpn-attributes
 group-alias xinux-anyconnect-profile enable
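
An added example, not part of the original wiki page: a small Python check that follows the references in an ASA running-config (tunnel-group to address-pool, and tunnel-group to default-group-policy to vpn-tunnel-protocol) and reports an undefined pool or a policy that does not permit ssl-client. The function names and the trimmed sample config are constructed here; inheritance from DfltGrpPolicy is not modelled.

```python
import re

# Constructed sample: trimmed copy of the ASDM-generated config shown above.
SAMPLE = """\
ip local pool xinux-address-pool 192.168.68.11-192.168.68.20 mask 255.255.255.0
webvpn
 enable if-outside
 anyconnect enable
group-policy GroupPolicy_xinux-anyconnect-profile internal
group-policy GroupPolicy_xinux-anyconnect-profile attributes
 vpn-tunnel-protocol ssl-client
tunnel-group xinux-anyconnect-profile type remote-access
tunnel-group xinux-anyconnect-profile general-attributes
 address-pool xinux-address-pool
 default-group-policy GroupPolicy_xinux-anyconnect-profile
"""

def sections(cfg):
    """Map each top-level config line to its indented sub-commands."""
    out, head = {}, None
    for line in cfg.splitlines():
        if not line.strip():
            continue
        if line[0] != " ":
            head = line.strip()
            out.setdefault(head, [])
        elif head is not None:
            out[head].append(line.strip())
    return out

def audit(cfg):
    """Return findings for broken tunnel-group -> pool / group-policy references."""
    sec, findings = sections(cfg), []
    pools = {h.split()[3] for h in sec if h.startswith("ip local pool ")}
    if "anyconnect enable" not in sec.get("webvpn", []):
        findings.append("webvpn: 'anyconnect enable' missing")
    for head, body in sec.items():
        m = re.fullmatch(r"tunnel-group (\S+) general-attributes", head)
        if not m:
            continue
        opts = dict(b.split(None, 1) for b in body if " " in b)
        if opts.get("address-pool") not in pools:
            findings.append(f"{m[1]}: address-pool not defined")
        policy = opts.get("default-group-policy")
        protos = [b.split()[1:] for b in sec.get(f"group-policy {policy} attributes", [])
                  if b.startswith("vpn-tunnel-protocol")]
        if not any("ssl-client" in p for p in protos):
            findings.append(f"{m[1]}: group-policy {policy} does not permit ssl-client")
    return findings
```

An empty list from `audit()` means every remote-access tunnel group resolves to a defined pool and a policy that allows the AnyConnect SSL client.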

