This article describes configuring SSL VPN on an ASA 5510 in an enterprise production environment, with authentication against Microsoft's Lightweight Directory Access Protocol (LDAP). It requires an AD domain environment, with the user accounts already present in the AD database.
1. Enable SSL VPN and install the client package (AnyConnect)
asa(config)#webvpn
asa(config-webvpn)#enable outside
asa(config-webvpn)#svc image disk0:/anyconnect-win-3.0.5.075-k9.pkg
asa(config-webvpn)#svc enable
asa(config-webvpn)#tunnel-group-list enable
asa(config-webvpn)#exit

2. Configure the address pool that is assigned to users automatically:
asa(config)#ip local pool sslvpn_pool 10.200.197.1-10.200.197.127 mask 255.255.255.128

3. Configure the NAT exemption (nat 0) for the address pool on the inside interface and apply it
asa(config)#access-list nat-0 permit ip any 10.200.197.0 255.255.255.128
asa(config)#nat (inside) 0 access-list nat-0

4. Define the split-tunnel networks
asa(config)#access-list ssl_splist standard permit 10.0.0.0 255.0.0.0
asa(config)#access-list vpnsplit extended permit ip 10.0.0.0 255.0.0.0 any

5. Define the group-policy attributes
asa(config)#group-policy sslvpn internal
asa(config)#group-policy sslvpn attributes
asa(config-group-policy)#address-pools value sslvpn_pool
asa(config-group-policy)#default-domain value XXXX.net (the AD domain name, e.g. AA.net)
asa(config-group-policy)#dns-server value 10.200.193.1 10.200.193.11
asa(config-group-policy)#vpn-tunnel-protocol svc webvpn
asa(config-group-policy)#split-tunnel-policy tunnelspecified
asa(config-group-policy)#split-tunnel-network-list value vpnsplit

6. Tunnel group setup
asa(config)#tunnel-group sslvpn type remote-access
asa(config)#tunnel-group sslvpn general-attributes
asa(config-tunnel-general)#default-group-policy sslvpn
asa(config-tunnel-general)#address-pool sslvpn_pool
asa(config-tunnel-general)#authentication-server-group XXXX_AD (the AD domain name, e.g. AA_AD)
asa(config-tunnel-general)#tunnel-group sslvpn webvpn-attributes
asa(config-tunnel-webvpn)#group-alias XXXX enable

7. Configure AD authentication
asa(config)#aaa-server XXXX_AD protocol nt
asa(config)#aaa-server XXXX_AD (inside) host 10.200.193.11
asa(config-aaa-server)#timeout 5
asa(config-aaa-server)#nt-auth-domain-controller xincloud.net

8. Configure ASDM
asa(config)#asdm image disk0:/asdm-623.bin

9. Enable the HTTP server
asa(config)#http server enable
asa(config)#http 0.0.0.0 0.0.0.0 inside
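The steps above tie several address ranges together: the pool handed to clients, the nat-0 exemption that keeps return traffic un-NATed, the split-tunnel list that decides which destinations the client sends through the tunnel, and the DNS/AD servers the client must reach to log on. The following script is an added example (not part of the original post or of any Cisco tooling) that checks those relationships offline. The ASA_CONFIG dict is constructed from the values in this post; the checks are assumptions about what a practitioner would want verified before rolling the configuration out.

```python
"""Offline consistency checks for the address relationships in an ASA SSL VPN
configuration. Added example; the dict below is constructed from this post."""
import ipaddress

# Constructed sample: the addresses from the configuration above, collected
# into one dict so the checks can run without a device.
ASA_CONFIG = {
    "pool_start": "10.200.197.1",                         # ip local pool
    "pool_end": "10.200.197.127",
    "nat_exempt": ("10.200.197.0", "255.255.255.128"),    # access-list nat-0
    "split_networks": [("10.0.0.0", "255.0.0.0")],        # access-list vpnsplit
    "dns_servers": ["10.200.193.1", "10.200.193.11"],     # dns-server value
    "aaa_host": "10.200.193.11",                          # aaa-server ... host
    "http_access": ("0.0.0.0", "0.0.0.0"),                # http <addr> <mask> inside
}


def to_network(addr, mask):
    """Build a network from the ASA's 'address netmask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def pool_hosts(start, end):
    """Every address the ASA may hand out from an 'ip local pool' range."""
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    return [ipaddress.ip_address(i) for i in range(int(first), int(last) + 1)]


def pool_outside_nat_exempt(cfg):
    """Pool addresses not covered by the nat-0 ACL.

    Return traffic to these would be translated instead of exempted, so a
    client holding such an address loses inside connectivity."""
    exempt = to_network(*cfg["nat_exempt"])
    return [str(a) for a in pool_hosts(cfg["pool_start"], cfg["pool_end"])
            if a not in exempt]


def hosts_not_in_split_list(cfg):
    """DNS and AD hosts that the split-tunnel list does not send through the tunnel.

    With 'split-tunnel-policy tunnelspecified' only listed networks use the
    VPN; anything else here means name resolution or logon breaks."""
    nets = [to_network(a, m) for a, m in cfg["split_networks"]]
    hosts = list(dict.fromkeys(cfg["dns_servers"] + [cfg["aaa_host"]]))
    return [h for h in hosts
            if not any(ipaddress.ip_address(h) in n for n in nets)]


def management_access_too_broad(cfg):
    """True when 'http <addr> <mask> <if>' admits every address on that interface."""
    return to_network(*cfg["http_access"]).prefixlen == 0


def pool_capacity(cfg):
    """Number of concurrent clients the pool can serve."""
    return len(pool_hosts(cfg["pool_start"], cfg["pool_end"]))


def audit(cfg):
    """Run every check and return the findings keyed by check name."""
    return {
        "pool_outside_nat_exempt": pool_outside_nat_exempt(cfg),
        "hosts_not_in_split_list": hosts_not_in_split_list(cfg),
        "management_access_too_broad": management_access_too_broad(cfg),
        "pool_capacity": pool_capacity(cfg),
    }


if __name__ == "__main__":
    for name, finding in audit(ASA_CONFIG).items():
        print(f"{name}: {finding}")
```

Run against the post's values the pool sits entirely inside the nat-0 subnet, both DNS servers and the AD host fall within 10.0.0.0/8, and the pool serves 127 clients; the one finding is that `http 0.0.0.0 0.0.0.0 inside` opens ASDM to the whole inside network, which the script flags so that it can be narrowed to the management subnet.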