天亮了说晚安's Blog

本文转自：https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/webvpn-overview.html Chapter: Clientless SSL VPN Overview Chapter Contents Introduction to Clientless SSL VPNPrerequisites for Clientless SSL VPNGuidelines and Limitations for Clientless SSL VPNLicensing for Clientless SSL VPN Introduction to Clientless SSL VPN Clientless SSL VPN enables end users to securely access resources on the corporate network from anywhere using an SSL-enabled Web browser. The user first authenticates with a Clientless SSL VPN gateway, which then allows the user to access pre-configured network resources. NoteSecurity contexts (also called firewall multimode) and Active/Active stateful failover are not supported when Clientless SSL VPN is enabled. Clientless SSL VPN creates a secure, remote-access VPN tunnel to an ASA using a web browser without requiring a software or hardware client. It provides secure and easy access to a broad rang......Read More

本文转自：https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/vpn-extserver.html Chapter: Configure an External AAA Server for VPN Chapter Contents About External AAA ServersGuidelines For Using External AAA ServersConfigure Multiple Certificate AuthenticationConfigure LDAP Authorization for VPNActive Directory/LDAP VPN Remote Access Authorization Examples About External AAA Servers This ASA can be configured to use an external LDAP, RADIUS, or TACACS+ server to support Authentication, Authorization, and Accounting (AAA) for the ASA. The external AAA server enforces configured permissions and attributes. Before you configure the ASA to use an external server, you must configure the external AAA server with the correct ASA authorization attributes and, from a subset of these attributes, assign specific permissions to individual users. Understanding Policy Enforcement of Authorization Attributes Understanding Policy Enforc......Read More

本文转自：https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/vpn-vti.html Chapter: Virtual Tunnel Interface Chapter Contents This chapter describes how to configure a VTI tunnel. About Virtual Tunnel InterfacesGuidelines for Virtual Tunnel InterfacesCreate a VTI Tunnel About Virtual Tunnel Interfaces The ASA supports a logical interface called Virtual Tunnel Interface (VTI). As an alternative to policy based VPN, a VPN tunnel can be created between peers with Virtual Tunnel Interfaces configured. This supports route based VPN with IPsec profiles attached to the end of each tunnel. This allows dynamic or static routes to be used. Egressing traffic from the VTI is encrypted and sent to the peer, and the associated SA decrypts the ingress traffic to the VTI. Using VTI does away with the requirement of configuring static crypto map access lists and mapping them to interfaces. You no longer have to track all remote subnets a......Read More

本文转自：https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/vpn-easyvpn.html Chapter: Easy VPN Chapter Contents This chapter describes how to configure any ASA as an Easy VPN Server, and the Cisco ASA with FirePOWER- 5506-X, 5506W-X, 5506H-X, and 5508-X models as an Easy VPN Remote hardware client. About Easy VPNConfigure Easy VPN RemoteConfigure Easy VPN ServerFeature History for Easy VPN About Easy VPN Cisco Ezvpn greatly simplifies configuration and deployment of VPN for remote offices and mobile workers. Cisco Easy VPN offers flexibility, scalability, and ease of use for site-to-site and remote-access VPNs. It implements the Cisco Unity Client protocol, allowing administrators to define most VPN parameters on the Easy VPN Server, simplifying the Easy VPN Remote configuration. The Cisco ASA with FirePOWER models 5506-X, 5506W-X, 5506H-X, and 5508-X support Easy VPN Remote as a hardware client that initiates the VPN ......Read More

本文转自：https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/vpn-hostscan.html Chapter: AnyConnect HostScan Chapter Contents The AnyConnect Posture Module provides the AnyConnect Secure Mobility Client the ability to identify the operating system, anti-malware and firewall software installed on the host. The HostScan application gathers this information. Posture assessment requires HostScan to be installed on the host. Prerequisites for HostScanLicensing for HostScanHostScan PackagingInstall or Upgrade HostScanEnable or Disable HostScanView the HostScan Version Enabled on the ASAUninstall HostScanAssign AnyConnect Feature Modules to Group PoliciesHostScan Related Documentation Prerequisites for HostScan The AnyConnect Secure Mobility Client with the posture module requires these minimum ASA components: ASA 8.4ASDM 6.4 These AnyConnect features require that you install the posture module. SCEP authenticationAnyConn......Read More

本文转自：https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/vpn-anyconnect.html Chapter: AnyConnect VPN Client Connections Chapter Contents This section describes how to configure AnyConnect VPN Client Connections. About the AnyConnect VPN ClientLicensing Requirements for AnyConnectConfigure AnyConnect ConnectionsMonitor AnyConnect ConnectionsLog Off AnyConnect VPN SessionsFeature History for AnyConnect Connections About the AnyConnect VPN Client The Cisco AnyConnect Secure Mobility Client provides secure SSL and IPsec/IKEv2 connections to the ASA for remote users. Without a previously-installed client, remote users enter the IP address in their browser of an interface configured to accept SSL or IPsec/IKEv2 VPN connections. Unless the ASA is configured to redirect http:// requests to https://, users must enter the URL in the form https://<address>. After entering the URL, the browser connects to that interface a......Read More

本文转自：https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/vpn-site2site.html Chapter: LAN-to-LAN IPsec VPNs Chapter Contents A LAN-to-LAN VPN connects networks in different geographic locations. You can create LAN-to-LAN IPsec connections with Cisco peers and with third-party peers that comply with all relevant standards. These peers can have any mix of inside and outside addresses using IPv4 and IPv6 addressing. This chapter describes how to build a LAN-to-LAN VPN connection. Summary of the ConfigurationConfigure Site-to-Site VPN in Multi-Context ModeConfigure InterfacesConfigure ISAKMP Policy and Enable ISAKMP on the Outside InterfaceCreate an IKEv1 Transform SetCreate an IKEv2 ProposalConfigure an ACLDefine a Tunnel GroupCreate a Crypto Map and Applying It To an Interface Summary of the Configuration This section provides a summary of the example LAN-to-LAN configuration this chapter describes. Later sections p......Read More

本文转自：https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/vpn-remote-access.html Chapter: Remote Access IPsec VPNs Chapter Contents About Remote Access IPsec VPNsLicensing Requirements for Remote Access IPsec VPNs for 3.1Restrictions for IPsec VPNConfigure Remote Access IPsec VPNsConfiguration Examples for Remote Access IPsec VPNsConfiguration Examples for Standards-Based IPSec IKEv2 Remote Access VPN in Multiple-Context ModeConfiguration Examples for AnyConnect IPSec IKEv2 Remote Access VPN in Multiple-Context ModeFeature History for Remote Access VPNs About Remote Access IPsec VPNs Remote access VPNs allow users to connect to a central site through a secure connection over a TCP/IP network. The Internet Security Association and Key Management Protocol, also called IKE, is the negotiation protocol that lets the IPsec client on the remote PC and the ASA agree on how to build an IPsec Security Association. Each ISAKMP negot......Read More

本文转自：https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/vpn-addresses.html Chapter: IP Addresses for VPNs Chapter Contents Configure an IP Address Assignment PolicyConfigure Local IP Address PoolsConfigure AAA AddressingConfigure DHCP Addressing Configure an IP Address Assignment Policy The ASA can use one or more of the following methods for assigning IP addresses to remote access clients. If you configure more than one address assignment method, the ASA searches each of the options until it finds an IP address. By default, all methods are enabled. aaa Retrieves addresses from an external authentication, authorization, and accounting server on a per-user basis. If you are using an authentication server that has IP addresses configured, we recommend using this method. This method is available for IPv4 and IPv6 assignment policies.dhcp Obtains IP addresses from a DHCP server. If you want to use DHCP, you must......Read More