
天亮了说晚安's Blog

Welcome! http://www.tllswa.com

Archive

Category: Firewall

Reposted from: https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/webvpn-configure-policy-groups.html

Chapter: Policy Groups

Chapter Contents: Create and Apply Clientless SSL VPN Policies for Accessing Resources; Connection Profile Attributes for Clientless SSL VPN; Group Policy and User Attributes for Clientless SSL VPN; Smart Tunnel Access; Clientless SSL VPN Capture Tool; Configure Portal Access Rules; Optimize Clientless SSL VPN Performance

Create and Apply Clientless SSL VPN Policies for Accessing Resources

Creating and applying policies for Clientless SSL VPN that govern access to resources at an internal server requires you to assign group policies. Assigning users to group policies simplifies the configuration by letting you apply policies to many users. You can use an internal authentication server on the ASA or an external RADIUS or LDAP server to assign users to group policies. See Chapter 4, “Connection Profiles, Group Policies......

Reposted from: https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/webvpn-configure-resources.html

Chapter: Advanced Clientless SSL VPN Configuration

Chapter Contents: Microsoft Kerberos Constrained Delegation Solution; Configure Application Profile Customization Framework; Encoding; Use Email over Clientless SSL VPN

Microsoft Kerberos Constrained Delegation Solution

Many organizations want to authenticate their Clientless VPN users and extend their authentication credentials seamlessly to web-based resources using authentication methods beyond what the ASA SSO feature can offer today. With the growing demand to authenticate remote access users with smart cards and One-time Passwords (OTPs), the SSO feature falls short in meeting that demand, because it forwards only conventional user credentials, such as static username and password, to clientless web-based resources when authentication is required. For example, neither certificate- n......

Reposted from: https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/webvpn-configure-gateway.html

Chapter: Basic Clientless SSL VPN Configuration

Chapter Contents: Rewrite Each URL; Switch Off URL Entry on the Portal Page; Trusted Certificate Pools; Configure Browser Access to Plug-ins; Configure Port Forwarding; Configure File Access; Ensure Clock Accuracy for SharePoint Access; Virtual Desktop Infrastructure (VDI); Use SSL to Access Internal Servers; Configure Browser Access to Client-Server Plug-ins

Rewrite Each URL

By default, the ASA allows all portal traffic to all Web resources (for example HTTPS, CIFS, RDP, and plug-ins). Clientless SSL VPN rewrites each URL to one that is meaningful only to the ASA. The user cannot use this URL to confirm that they are connected to the website they requested. To avoid placing users at risk from phishing websites, assign a Web ACL to the policies configured for clientless access—group policies, dynamic access......

Reposted from: https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/webvpn-overview.html

Chapter: Clientless SSL VPN Overview

Chapter Contents: Introduction to Clientless SSL VPN; Prerequisites for Clientless SSL VPN; Guidelines and Limitations for Clientless SSL VPN; Licensing for Clientless SSL VPN

Introduction to Clientless SSL VPN

Clientless SSL VPN enables end users to securely access resources on the corporate network from anywhere using an SSL-enabled Web browser. The user first authenticates with a Clientless SSL VPN gateway, which then allows the user to access pre-configured network resources.

Note: Security contexts (also called firewall multimode) and Active/Active stateful failover are not supported when Clientless SSL VPN is enabled.

Clientless SSL VPN creates a secure, remote-access VPN tunnel to an ASA using a web browser without requiring a software or hardware client. It provides secure and easy access to a broad rang......

Reposted from: https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/vpn-extserver.html

Chapter: Configure an External AAA Server for VPN

Chapter Contents: About External AAA Servers; Guidelines For Using External AAA Servers; Configure Multiple Certificate Authentication; Configure LDAP Authorization for VPN; Active Directory/LDAP VPN Remote Access Authorization Examples

About External AAA Servers

This ASA can be configured to use an external LDAP, RADIUS, or TACACS+ server to support Authentication, Authorization, and Accounting (AAA) for the ASA. The external AAA server enforces configured permissions and attributes. Before you configure the ASA to use an external server, you must configure the external AAA server with the correct ASA authorization attributes and, from a subset of these attributes, assign specific permissions to individual users.

Understanding Policy Enforcement of Authorization Attributes

Understanding Policy Enforc......

Reposted from: https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/vpn-vti.html

Chapter: Virtual Tunnel Interface

This chapter describes how to configure a VTI tunnel.

Chapter Contents: About Virtual Tunnel Interfaces; Guidelines for Virtual Tunnel Interfaces; Create a VTI Tunnel

About Virtual Tunnel Interfaces

The ASA supports a logical interface called Virtual Tunnel Interface (VTI). As an alternative to policy based VPN, a VPN tunnel can be created between peers with Virtual Tunnel Interfaces configured. This supports route based VPN with IPsec profiles attached to the end of each tunnel. This allows dynamic or static routes to be used. Egressing traffic from the VTI is encrypted and sent to the peer, and the associated SA decrypts the ingress traffic to the VTI. Using VTI does away with the requirement of configuring static crypto map access lists and mapping them to interfaces. You no longer have to track all remote subnets a......

Reposted from: https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/vpn-easyvpn.html

Chapter: Easy VPN

This chapter describes how to configure any ASA as an Easy VPN Server, and the Cisco ASA with FirePOWER- 5506-X, 5506W-X, 5506H-X, and 5508-X models as an Easy VPN Remote hardware client.

Chapter Contents: About Easy VPN; Configure Easy VPN Remote; Configure Easy VPN Server; Feature History for Easy VPN

About Easy VPN

Cisco Ezvpn greatly simplifies configuration and deployment of VPN for remote offices and mobile workers. Cisco Easy VPN offers flexibility, scalability, and ease of use for site-to-site and remote-access VPNs. It implements the Cisco Unity Client protocol, allowing administrators to define most VPN parameters on the Easy VPN Server, simplifying the Easy VPN Remote configuration. The Cisco ASA with FirePOWER models 5506-X, 5506W-X, 5506H-X, and 5508-X support Easy VPN Remote as a hardware client that initiates the VPN ......

Reposted from: https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/vpn-hostscan.html

Chapter: AnyConnect HostScan

The AnyConnect Posture Module provides the AnyConnect Secure Mobility Client the ability to identify the operating system, anti-malware and firewall software installed on the host. The HostScan application gathers this information. Posture assessment requires HostScan to be installed on the host.

Chapter Contents: Prerequisites for HostScan; Licensing for HostScan; HostScan Packaging; Install or Upgrade HostScan; Enable or Disable HostScan; View the HostScan Version Enabled on the ASA; Uninstall HostScan; Assign AnyConnect Feature Modules to Group Policies; HostScan Related Documentation

Prerequisites for HostScan

The AnyConnect Secure Mobility Client with the posture module requires these minimum ASA components: ASA 8.4, ASDM 6.4

These AnyConnect features require that you install the posture module: SCEP authentication, AnyConn......

Reposted from: https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/vpn-anyconnect.html

Chapter: AnyConnect VPN Client Connections

This section describes how to configure AnyConnect VPN Client Connections.

Chapter Contents: About the AnyConnect VPN Client; Licensing Requirements for AnyConnect; Configure AnyConnect Connections; Monitor AnyConnect Connections; Log Off AnyConnect VPN Sessions; Feature History for AnyConnect Connections

About the AnyConnect VPN Client

The Cisco AnyConnect Secure Mobility Client provides secure SSL and IPsec/IKEv2 connections to the ASA for remote users. Without a previously-installed client, remote users enter the IP address in their browser of an interface configured to accept SSL or IPsec/IKEv2 VPN connections. Unless the ASA is configured to redirect http:// requests to https://, users must enter the URL in the form https://<address>. After entering the URL, the browser connects to that interface a......

Reposted from: https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/vpn-site2site.html

Chapter: LAN-to-LAN IPsec VPNs

A LAN-to-LAN VPN connects networks in different geographic locations. You can create LAN-to-LAN IPsec connections with Cisco peers and with third-party peers that comply with all relevant standards. These peers can have any mix of inside and outside addresses using IPv4 and IPv6 addressing. This chapter describes how to build a LAN-to-LAN VPN connection.

Chapter Contents: Summary of the Configuration; Configure Site-to-Site VPN in Multi-Context Mode; Configure Interfaces; Configure ISAKMP Policy and Enable ISAKMP on the Outside Interface; Create an IKEv1 Transform Set; Create an IKEv2 Proposal; Configure an ACL; Define a Tunnel Group; Create a Crypto Map and Applying It To an Interface

Summary of the Configuration

This section provides a summary of the example LAN-to-LAN configuration this chapter describes. Later sections p......
