Vpn

Exposing the AnyConnect HTTPS service to the outside network

  • November 13, 2012

We have a Cisco ASA 5505 with firmware ASA 9.0(1) and ASDM 7.0(2). It is configured with a public IP address, and when trying to reach the AnyConnect VPN over HTTPS from outside we get the following log output:

6   Nov 12 2012 07:01:40        <client-ip> 51000   <asa-ip>    443 Built inbound TCP connection 2889 for outside:<client-ip>/51000 (<client-ip>/51000) to identity:<asa-ip>/443 (<asa-ip>/443)
6   Nov 12 2012 07:01:40        <client-ip> 50999   <asa-ip>    443 Built inbound TCP connection 2890 for outside:<client-ip>/50999 (<client-ip>/50999) to identity:<asa-ip>/443 (<asa-ip>/443)
6   Nov 12 2012 07:01:40        <client-ip> 51000   <asa-ip>    443 Teardown TCP connection 2889 for outside:<client-ip>/51000 to identity:<asa-ip>/443 duration 0:00:00 bytes 0 No valid adjacency
6   Nov 12 2012 07:01:40        <client-ip> 50999   <asa-ip>    443 Teardown TCP connection 2890 for outside:<client-ip>/50999 to identity:<asa-ip>/443 duration 0:00:00 bytes 0 No valid adjacency

We completed the startup wizard and the AnyConnect VPN wizard; this is the resulting configuration:

Cryptochecksum: 12262d68 23b0d136 bb55644a 9c08f86b 
: Saved
: Written by enable_15 at 07:08:30.519 UTC Mon Nov 12 2012
!
ASA Version 9.0(1) 
!
hostname vpn
domain-name office.<redacted>.com
enable password <redacted> encrypted
passwd <redacted> encrypted
names
ip local pool vpn-pool 192.168.67.2-192.168.67.253 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.68.250 255.255.255.0 
!
interface Vlan2
nameif outside
security-level 0
ip address <redacted> 255.255.255.248 
!
ftp mode passive
dns server-group DefaultDNS
domain-name office.<redacted>.com
object network obj_any
subnet 0.0.0.0 0.0.0.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.68.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=vpn
proxy-ldc-issuer
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
   <redacted>
 quit
crypto ca certificate chain ASDM_TrustPoint0
certificate f678a050
   <redacted>
 quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh 192.168.68.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpn-addr-assign local reuse-delay 60

dhcpd auto_config outside
!
dhcpd address 192.168.68.254-192.168.68.254 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
enable inside
anyconnect image disk0:/anyconnect-win-3.1.01065-k9.pkg 1
anyconnect image disk0:/anyconnect-linux-3.1.01065-k9.pkg 2
anyconnect image disk0:/anyconnect-macosx-i386-3.1.01065-k9.pkg 3
anyconnect profiles GM-AnyConnect_client_profile disk0:/GM-AnyConnect_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_GM-AnyConnect internal
group-policy GroupPolicy_GM-AnyConnect attributes
wins-server none
dns-server value 192.168.68.254
vpn-tunnel-protocol ikev2 ssl-client 
default-domain value office.<redacted>.com
webvpn
 anyconnect profiles value GM-AnyConnect_client_profile type user
username <redacted> password <redacted> encrypted
tunnel-group GM-AnyConnect type remote-access
tunnel-group GM-AnyConnect general-attributes
address-pool vpn-pool
default-group-policy GroupPolicy_GM-AnyConnect
tunnel-group GM-AnyConnect webvpn-attributes
group-alias GM-AnyConnect enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
 message-length maximum client auto
 message-length maximum 512
policy-map global_policy
class inspection_default
 inspect dns preset_dns_map 
 inspect ftp 
 inspect h323 h225 
 inspect h323 ras 
 inspect rsh 
 inspect rtsp 
 inspect esmtp 
 inspect sqlnet 
 inspect skinny  
 inspect sunrpc 
 inspect xdmcp 
 inspect sip  
 inspect netbios 
 inspect tftp 
 inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
call-home reporting anonymous
Cryptochecksum:12262d6823b0d136bb55644a9c08f86b
: end

Obviously we are missing something, but the question is: what?

It looks like you don't have a route back to the remote host that is accessing the VPN. You need to add a static route for all traffic back to the provider gateway address:

ip route 0.0.0.0 0.0.0.0 <your default internet gateway>

That would cause the "No valid adjacency" messages in the log. Hope this helps; let me know how you get on.

NAT? And don't forget to exclude the VPN pool from NAT, because IPSEC needs the full IP address; otherwise it gets confused about which traffic to encrypt and so does nothing.
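As an added example (not from the thread, and not Cisco's code), here is a Python script that checks for the two gaps the answers above point to: it flags `No valid adjacency` teardowns of port 443 in syslog lines of the shape posted in the question, and it inspects a running config for a default route and for a twice-NAT identity rule that keeps the VPN pool out of the dynamic PAT. The log lines, the addresses (198.51.100.x, 203.0.113.x), the object name `obj-vpn-pool` and the gateway 203.0.113.1 are constructed for the example. It assumes the route is entered in the ASA `route <interface> 0.0.0.0 0.0.0.0 <gateway>` form and the exemption in the ASA 8.3+ `nat (inside,outside) source static any any destination static <obj> <obj>` form.

```python
"""Sanity checks for the two gaps discussed in this thread: an ASA with no
default route (seen as 'No valid adjacency' teardowns) and a VPN address pool
that is not exempted from NAT.  Sample data below is constructed."""
import re
from ipaddress import ip_network

# Constructed syslog lines in the same shape as the ones in the question.
SAMPLE_LOG = """\
6   Nov 12 2012 07:01:40        198.51.100.7 51000   203.0.113.2    443 Built inbound TCP connection 2889 for outside:198.51.100.7/51000 (198.51.100.7/51000) to identity:203.0.113.2/443 (203.0.113.2/443)
6   Nov 12 2012 07:01:40        198.51.100.7 51000   203.0.113.2    443 Teardown TCP connection 2889 for outside:198.51.100.7/51000 to identity:203.0.113.2/443 duration 0:00:00 bytes 0 No valid adjacency
6   Nov 12 2012 07:02:10        198.51.100.9 51010   203.0.113.2    443 Teardown TCP connection 2891 for outside:198.51.100.9/51010 to identity:203.0.113.2/443 duration 0:00:12 bytes 8123 TCP FINs
"""

TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) duration \S+ bytes (?P<bytes>\d+) (?P<reason>.+)$"
)


def find_no_adjacency(log_text, port=443):
    """Return (source_ip, connection_id) for every TCP teardown to `port` whose
    reason is 'No valid adjacency': the box accepted the SYN but had no route
    (and therefore no ARP adjacency) on which to send the reply back."""
    hits = []
    for line in log_text.splitlines():
        m = TEARDOWN_RE.search(line)
        if m and int(m.group("dport")) == port and m.group("reason").strip() == "No valid adjacency":
            hits.append((m.group("src"), int(m.group("conn"))))
    return hits


# Constructed config fragments: 'before' mirrors the wizard output in the
# question (pool + blanket dynamic PAT, no route); 'after' adds the fixes.
SAMPLE_CONFIG_BEFORE = """\
ip local pool vpn-pool 192.168.67.2-192.168.67.253 mask 255.255.255.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj_any
 nat (inside,outside) dynamic interface
"""

SAMPLE_CONFIG_AFTER = SAMPLE_CONFIG_BEFORE + """\
object network obj-vpn-pool
 subnet 192.168.67.0 255.255.255.0
nat (inside,outside) source static any any destination static obj-vpn-pool obj-vpn-pool no-proxy-arp route-lookup
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
"""


def has_default_route(config):
    """True if a default route toward a gateway is configured
    (assumed ASA syntax: route <ifname> 0.0.0.0 0.0.0.0 <gateway> [metric])."""
    return re.search(r"^route \S+ 0\.0\.0\.0 0\.0\.0\.0 [\d.]+", config, re.M) is not None


def vpn_pool_network(config):
    """Derive the network covering the first 'ip local pool' in the config."""
    m = re.search(r"^ip local pool \S+ ([\d.]+)-([\d.]+) mask ([\d.]+)", config, re.M)
    if not m:
        return None
    return ip_network(f"{m.group(1)}/{m.group(3)}", strict=False)


def _network_objects(config):
    """Map 'object network' names to their subnet, if one is declared."""
    objects, name = {}, None
    for line in config.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"\s*subnet ([\d.]+) ([\d.]+)", line)
        if m and name:
            objects[name] = ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return objects


def has_nat_exemption(config, pool_net):
    """True if a twice-NAT rule uses an identity ('static X X') destination
    whose object covers the VPN pool, so pool-bound traffic is not PATed."""
    objects = _network_objects(config)
    for m in re.finditer(r"^nat \(\S+\) source static \S+ \S+ destination static (\S+) \1", config, re.M):
        net = objects.get(m.group(1))
        if net is not None and pool_net.subnet_of(net):
            return True
    return False


if __name__ == "__main__":
    print("no-adjacency teardowns:", find_no_adjacency(SAMPLE_LOG))
    for label, cfg in (("before", SAMPLE_CONFIG_BEFORE), ("after", SAMPLE_CONFIG_AFTER)):
        pool = vpn_pool_network(cfg)
        print(label, "default route:", has_default_route(cfg),
              "| pool", pool, "exempt from NAT:", has_nat_exemption(cfg, pool))
```

Run it on a real `show logging` capture and `show running-config` dump instead of the constructed samples; a non-empty list from `find_no_adjacency` together with `has_default_route` returning False is exactly the symptom in the question.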

Source: https://serverfault.com/questions/447896