방화벽

asa 방화벽 remote access vpn 설정

sysman 2021. 1. 23. 04:36

 

 

 

<wg_switch>
hostname wg_switch
!
! Access switch on the internal LAN. The only L3 address is the VLAN 1 SVI,
! used for reaching the switch itself; no "ip default-gateway" is configured,
! so the switch is only manageable from 10.1.1.0/24 (acceptable for this lab).
interface Vlan1
 ip address 10.1.1.10 255.255.255.0
!





<middle_switch>
hostname middle_switch
!
! Second switch between the access switch and the ASA inside interface.
! Same pattern as wg_switch: a management SVI only, no default gateway, so it
! is reachable only from the 10.1.1.0/24 LAN.
interface Vlan1
 ip address 10.1.1.20 255.255.255.0
!





<vios> (router)
hostname Router
!
! "Internet" router for the lab. It joins the ASA outside segment (1.1.1.0/24
! on Gi0/0), the external client segment (2.2.2.0/24 on Gi0/2) and a
! DHCP-addressed uplink on Gi0/1. No ACLs are configured here, so any host on
! 2.2.2.0/24 can reach the ASA outside address 1.1.1.2 directly -- which is
! what the VPN client needs (the Windows client is presumably on 2.2.2.0/24;
! not shown explicitly in this write-up).
interface GigabitEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 ip address dhcp
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/2
 ip address 2.2.2.254 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
! Default route out of the DHCP uplink (next hop 192.168.100.254).
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 192.168.100.254
! Internal LAN behind the ASA is reached via the ASA outside address. Because
! the VPN pool (10.1.1.100-110) is carved from the same /24, this single route
! is also the return path for VPN clients; no extra route is needed for the pool.
ip route 10.1.1.0 255.255.255.0 GigabitEthernet0/0 1.1.1.2
!
!



<EXT_VPC>
ip 2.2.2.1 255.255.255.0 2.2.2.254



<INTERNAL_VPC>
ip 10.1.1.2 255.255.255.0 10.1.1.254



<INTERNAL_LINUX_SERVER>
# Internal Linux server: static address on eth0, default gateway = ASA inside
# interface (10.1.1.254). The canonical property name is ipv4.addresses;
# nmcli should accept the abbreviation used here -- use the full name if it
# complains. Note this host (10.1.1.1) is also handed to VPN clients as their
# DNS server in GP_VPN, so a resolver must actually be running on it for VPN
# name resolution to work.
# nmcli conn mod eth0 ipv4.address 10.1.1.1/24 ipv4.method manual ipv4.gateway 10.1.1.254
# nmcli conn up eth0





<CLIENT VPN>
Windows Server (VPN 클라이언트 PC)

 

 

asa 설정

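hostname ciscoasa
!
! Data interfaces: inside (trusted LAN, 10.1.1.0/24) and outside (untrusted,
! 1.1.1.0/24 toward the router). By default the ASA allows traffic from a
! higher security-level to a lower one and denies the reverse, so nothing from
! outside reaches the LAN except through the VPN tunnel.
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.1.1.254 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.0
!
! Out-of-band management interface (ASDM / HTTPS for the administrator).
! "management-only" stops the ASA from forwarding transit traffic over this
! interface. Author's note: without it the connected 192.168.100.0/24 route
! on this interface was preferred and pings to the 10.1.1.0 range failed.
! The comment is on its own line on purpose -- the ASA CLI rejects trailing
! "//" text after a command, so the original one-line form cannot be pasted.
interface Management0/0
 management-only
 nameif management
 security-level 0
 ip address 192.168.100.109 255.255.255.0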



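! Management web access (ASDM / HTTPS). Access is limited to the management
! subnet on the management interface only, which is the right scope for an
! admin UI -- do not widen it to the outside interface.
http server enable
http 192.168.100.0 255.255.255.0 management
! Listen on TCP/80 on outside purely to redirect browsers to HTTPS/443 for the
! AnyConnect portal. This exposes one extra listening port on the untrusted
! interface; drop it if users are told to use https:// directly.
http redirect outside 80
! "logging enable" alone configures no destination in this listing, so VPN
! logins and failures would not be retrievable. Keep an in-memory buffer so
! "show logging" works; send to a syslog server for anything beyond a lab.
logging enable
logging buffered informational
!
! Default route toward the router. This is also the path on which the router's
! static route for 10.1.1.0/24 (next hop 1.1.1.2) returns VPN-pool traffic.
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1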


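! ICMP inspection. Makes the ASA treat echo request/reply as a session, so
! pings from the inside (and from VPN clients) get their replies back through
! the firewall without opening ICMP on the outside interface with an ACL.
! "inspect icmp error" additionally lets ICMP error messages that belong to an
! existing session (unreachable, TTL exceeded) through.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error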


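! AnyConnect (SSL VPN) on the outside interface.
! Step 1 (exec mode): copy the client package to flash, e.g.
! anyconnect-win-4.3.05017-k9.pkg.
copy tftp: flash:
!
! Review: 4.3.x is an old AnyConnect release line. Use a currently supported
! AnyConnect / Secure Client build outside a throwaway lab, and match it to the
! ASA software version per the release notes.
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.3.05017-k9.pkg 1
 anyconnect enable
 ! Shows the connection-profile aliases in the client/portal drop-down. This
 ! reveals profile names to anyone who can reach the portal; acceptable here,
 ! but keep aliases non-descriptive in production.
 tunnel-group-list enable
!
! Nothing in this configuration sets "ssl trust-point", so the portal uses the
! ASA's self-signed certificate and clients get a certificate warning (the
! "Connect Anyway" step later). Install a certificate from a CA the clients
! trust before real use so users are not trained to click through warnings.
!
! (The duplicate "http redirect outside 80" that followed here is already set
! in the web-access section above and has been dropped.)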





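! VPN address pool and group policy.
! Review: the pool is carved out of the inside subnet (10.1.1.0/24). For this
! to work the ASA has to answer ARP for the pool addresses on the inside
! interface; a dedicated subnet routed to the ASA is the usual recommendation
! and avoids address clashes with LAN hosts.
ip local pool POOL_VPN 10.1.1.100-10.1.1.110 mask 255.255.255.0
!
! Split-tunnel list: only 10.1.1.0/24 is sent through the tunnel. Everything
! else leaves the client directly and is NOT inspected by the ASA.
access-list ACL_VPN standard permit 10.1.1.0 255.255.255.0
!
group-policy GP_VPN internal
group-policy GP_VPN attributes
 wins-server none
 ! 10.1.1.1 is the internal Linux host; useful only if a resolver runs there.
 dns-server value 10.1.1.1
 ! Both timeouts are in MINUTES. The original value 88400 (~61 days) effectively
 ! disabled idle logout and looks like it was meant as 86400 seconds (1 day).
 ! 30 min idle / 24 h session cap are sane defaults; adjust to policy.
 vpn-idle-timeout 30
 vpn-session-timeout 1440
 ! ssl-client = AnyConnect. ssl-clientless may be needed for the browser-based
 ! client download used in this walkthrough; remove it if the web portal is
 ! otherwise unused, to reduce the exposed surface.
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL_VPN
 default-domain value example.com
 webvpn
  anyconnect mtu 1300
  anyconnect ssl keepalive 20
  anyconnect ask enable default anyconnect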




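! Connection profile (tunnel-group). The alias is what users pick in the client.
tunnel-group TG_POOL type remote-access
tunnel-group TG_POOL general-attributes
 address-pool POOL_VPN
 default-group-policy GP_VPN
tunnel-group TG_POOL webvpn-attributes
 group-alias TG_POOL enable
!
! Local VPN users. Changes from the original:
!  - the original passwords were identical to the usernames (user1/user1,
!    cisco/cisco); these accounts are reachable from the outside interface,
!    so use strong, unique passwords (placeholders below).
!  - privilege 15 is not needed for VPN access and would grant full admin if
!    LOCAL authentication is ever enabled for SSH/ASDM. Use privilege 0 and
!    "service-type remote-access" (enforced once "aaa authorization exec"
!    is configured) to confine the accounts to VPN use.
! For anything beyond a lab, authenticate VPN users against RADIUS/LDAP with
! MFA (aaa-server + authentication-server-group) instead of local users.
username user1 password <strong-unique-password> privilege 0
username user1 attributes
 service-type remote-access
username cisco password <strong-unique-password> privilege 0
username cisco attributes
 service-type remote-access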


 

Client VPN 컴퓨터(Windows)에서 접속하기

https://1.1.1.2/

AnyConnect VPN 클릭하면 클라이언트 설치 파일이 다운로드됨

해당 파일 실행 후 설치


외부 IP 넣고 connect 눌러 접속하기


Connect Anyway 누르기 (ASA가 기본 자체 서명 인증서를 사용하므로 인증서 경고가 뜸. 실제 운영 환경에서는 클라이언트가 신뢰하는 CA의 인증서를 ASA에 설치(ssl trust-point)하고 경고 없이 접속되는지 확인할 것 — 경고를 습관적으로 넘기면 중간자 공격을 구분할 수 없음)

앞서 설정한 username 과 password 넣고 OK 누름

connected 접속 확인

ip 할당 확인 (POOL_VPN 범위인 10.1.1.100~10.1.1.110 중 하나가 할당되어야 함)

ping test 확인 (split tunnel ACL_VPN에 지정된 10.1.1.0/24 대역만 터널을 통해 전달됨)

 

 

참고

networklessons.com/cisco/asa-firewall/cisco-asa-asdm-configuration

dl.nextadmin.net/dl/Cisco%20AnyConnect%20Secure%20Mobility%20Client/4.3.x/

www.techspacekh.com/configuring-cisco-anyconnect-remote-access-vpn-on-asa-9-x/

peemangit.tistory.com/128?category=826549

 
