The AAA configuration is analogous to the one used for the IPsec VPN.
AnyConnect itself is considerably simpler to set up than the classic IPsec-based client.
(Applies to ASA 8.2.x.)

Addressing used below:
10.20.30.0/24 - dmz
10.10.0.0/16 - inside
10.50.50.0/24 - VPN address pool

NAT exemption ACLs (traffic between the VPN pool and inside/dmz must not be translated) and the address pool itself:
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.50.50.0 255.255.255.0
access-list nonat_dmz extended permit ip 10.20.30.0 255.255.255.0 10.50.50.0 255.255.255.0
ip local pool anyconad_pool 10.50.50.1-10.50.50.254 mask 255.255.255.0
LDAP attribute map: the user's memberOf values are presented to the ASA as the IETF-Radius-Class attribute, and the DN of the RA_AnyConnect group is translated into the name of the group-policy to apply. A user whose memberOf does not contain that DN is not placed into anyconad_policy and ends up in the tunnel group's default policy.
ldap attribute-map AnyConnectAD2VPNMap
 map-name memberOf IETF-Radius-Class
 map-value memberOf CN=RA_AnyConnect,OU=ASA,OU=suborg,DC=domain,DC=ru anyconad_policy

AAA server group with two domain controllers; reactivation-mode timed returns a server marked as failed to service after a timer instead of waiting for the whole group to fail. SecurePassword stands for the bind account's real password: the ASA keeps it in the running configuration, so use a dedicated account with read-only rights. Without ldap-over-ssl enable the ASA speaks plain LDAP on port 389, so both the bind password and the users' passwords cross the inside network in cleartext.
aaa-server AD_AnyConMain protocol ldap
 reactivation-mode timed
aaa-server AD_AnyConMain (inside) host 10.10.1.42
 ldap-base-dn OU=suborg,DC=domain,DC=ru
 ldap-group-base-dn OU=suborg,DC=domain,DC=ru
 ldap-scope subtree
 ldap-login-password SecurePassword
 ldap-login-dn cn=User,OU=ASA,OU=suborg,DC=domain,DC=ru
 server-type microsoft
 ldap-attribute-map AnyConnectAD2VPNMap
aaa-server AD_AnyConMain (inside) host 10.10.1.58
 ldap-base-dn OU=suborg,DC=domain,DC=ru
 ldap-group-base-dn OU=suborg,DC=domain,DC=ru
 ldap-scope subtree
 ldap-login-password SecurePassword
 ldap-login-dn cn=User,OU=ASA,OU=suborg,DC=domain,DC=ru
 server-type microsoft
 ldap-attribute-map AnyConnectAD2VPNMap
Deny-by-default group policy: this is what every authenticated user receives unless the LDAP map assigns something better. Zero simultaneous logins and no address pool mean such a user cannot bring up a session even though the password was correct.
group-policy NoAccessAnyCon internal
group-policy NoAccessAnyCon attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol svc
 address-pools none

Working policy for members of RA_AnyConnect. password-storage enable lets the AnyConnect client cache the user's password on the endpoint; leave it disabled (the default) unless that convenience is a deliberate choice.
group-policy anyconad_policy internal
group-policy anyconad_policy attributes
 dns-server value 10.20.30.20 10.20.30.25
 vpn-simultaneous-logins 15
 vpn-tunnel-protocol svc
 password-storage enable
 default-domain value domain.ru

Tunnel group: authentication against the AD server group, with NoAccessAnyCon as the default policy so that only users the attribute map places into anyconad_policy actually get access.
tunnel-group anyconad_tgroup type remote-access
tunnel-group anyconad_tgroup general-attributes
 address-pool anyconad_pool
 authentication-server-group AD_AnyConMain
 default-group-policy NoAccessAnyCon
 authorization-required
tunnel-group anyconad_tgroup webvpn-attributes
 group-alias "MegaCorp Co. Ltd" enable
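Added example, not part of the original post: the pieces the configuration above leaves implicit (binding the NAT exemption ACLs, enabling the group drop-down) and the checks to run before handing the profile to users, together with the LDAPS hardening of the bind. Interface, ACL, pool, server-group and policy names are the ones used above; the LDAPS lines assume the domain controllers present certificates the ASA trusts via a configured trustpoint (not shown), and vpn.testuser is a placeholder account.

```cisco
! Added example (not from the original post). Names match the config above;
! the trustpoint for LDAPS and the account vpn.testuser are assumptions.

! 1. Bind the NAT-exemption ACLs (8.2 syntax). Defining nonat / nonat_dmz
!    alone does nothing; without these lines VPN traffic to inside and dmz
!    is subject to the regular NAT rules.
nat (inside) 0 access-list nonat
nat (dmz) 0 access-list nonat_dmz

! 2. Weak setting above: plain LDAP on tcp/389, bind and user passwords in
!    cleartext on the inside network. Corrected: LDAPS on tcp/636 per host.
aaa-server AD_AnyConMain (inside) host 10.10.1.42
 ldap-over-ssl enable
 server-port 636
aaa-server AD_AnyConMain (inside) host 10.10.1.58
 ldap-over-ssl enable
 server-port 636

! 3. The group-alias is only offered to clients if the drop-down is enabled.
webvpn
 tunnel-group-list enable

! 4. Verify the mapping against one DC. The test command performs a real
!    LDAP authentication (password is prompted for); with the debug on, the
!    output shows the memberOf value and, on a match, the IETF-Radius-Class
!    value it was mapped to (expected: anyconad_policy for a member of
!    RA_AnyConnect, no such mapping for anyone else).
debug ldap 255
test aaa-server authentication AD_AnyConMain host 10.10.1.42 username vpn.testuser
no debug ldap 255

! 5. After a real AnyConnect login, confirm which policy the session landed in
!    (8.2 keyword is svc; newer releases use anyconnect). A user outside
!    RA_AnyConnect authenticates but is refused a session, because
!    NoAccessAnyCon allows zero simultaneous logins.
show vpn-sessiondb svc
```

Run step 4 twice: once with a member of RA_AnyConnect and once with an account that is not, so that both the positive mapping and the fail-closed default are confirmed rather than assumed.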