After configuring SSL VPN, Cisco ASA 5520 can only access the same network segment as the internal network port, but cannot access other network segments of the internal network?
Split tunneling should be configured. Here is a configuration example for your reference; I hope it helps.

C7206(config)# int fa0/0

C7206(config-if)# ip address 198.1.1.1 255.255.0

C7206(config-if)# no shutdown

C7206(config-if)# exit

!

C7206(config)# int fa2/0

C7206(config-if)# ip address 10.10.1.1 255.255.0

C7206(config-if)# no shutdown

C7206(config-if)# exit

!

C7206(config)# aaa new-model

C7206(config)# aaa authentication login default local

! In order to prevent the console from entering Exec due to timeout, a default authentication method is set, which has nothing to do with WebVPN.

!

C7206(config)# aaa authentication login aaa-webvpn local

C7206(config)# username steve6307 password cisco

! Define WebVPN authentication method.

!

C7206(config)# webvpn gateway mygateway

C7206(config-webvpn-gateway)# ip address 198.1.1.1 port 443

C7206(config-webvpn-gateway)# inservice

! Define the interface that WebVPN listens to, and then IOS will automatically generate a self-signed certificate.

!

C7206(config)# webvpn context mywebvpn-context1

C7206(config-webvpn-context)# gateway mygateway domain group1

C7206(config-webvpn-context)# aaa authentication list aaa-webvpn

C7206(config-webvpn-context)# inservice

! In IOS, the context of WebVPN is equivalent to ASA's tunnel-group.

! In IOS, domain is equivalent to ASA's group name.

-

2. Configure SSL VPN.

Format disk0: on the 7206.

C7206# format disk0:

-

Copy the SVC to disk0: (flash) on the 7200.

Note: If you use the Dynamips emulator, it is best to copy the file through FTP!

C7206(config)# ip ftp username cisco

C7206(config)# ip ftp password cisco

!

C7206# copy ftp: disk0:

Address or name of remote host []? 202.195.30.66

Source filename []? sslclient-win-1.1.2.169.pkg

Destination filename [sslclient-win-1.1.2.169.pkg]?

Accessing ftp://202.195.30.66/sslclient-win-1.1.2.169.pkg...

Loading sslclient-win-1.1.2.169.pkg !!

[OK - 415090/4096 bytes]

415090 bytes copied in 22.900 secs (18126 bytes/sec)

-

Install the SVC.

C7206(config)# webvpn install svc disk0:/sslclient-win-1.1.2.169.pkg

SSLVPN Package SSL-VPN-Client : installed successfully

-

C7206(config)# int loopback0

C7206(config-if)# ip address 192.168.10.254 255.255.0.

C7206(config-if)# exit

! In IOS, if the address pool is not on the same network segment as the intranet, you need to create a loopback interface.

!

C7206(config)# ip local pool ssl-user 192.168.10.192.168.

!

C7206(config)# webvpn context mywebvpn-context1

C7206(config-webvpn-context)# policy group context1-policy

C7206(config-webvpn-group)# functions svc-enabled

C7206(config-webvpn-group)# svc address-pool ssl-user

C7206(config-webvpn-group)# exit

! Allow users to use SSL VPN.

!

C7206(config-webvpn-context)# default-group-policy context1-policy

-

3. Configure SSL VPN split tunneling (optional).

C7206(config)# webvpn context mywebvpn-context1

C7206(config-webvpn-context)# policy group context1-policy

C7206(config-webvpn-group)# svc split include 10.10 255.255.0.

trouble-free
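
The effect of the split include list from step 3, as an added example that is not part of the original answer: this Python sketch parses `svc split include` lines and reports which destinations the client would send through the tunnel, which shows why an internal segment missing from the list is not reached over the VPN. The context, policy and pool names and all networks in the sample are constructed for illustration, and full tunneling when no include line exists is assumed as the default.

```python
import ipaddress
import re

# Constructed sample config: names and networks are illustrative values,
# not the addresses from the original post.
SAMPLE_CONFIG = """\
webvpn context example-context
 policy group example-policy
  functions svc-enabled
  svc address-pool example-pool
  svc split include 10.10.1.0 255.255.255.0
  svc split include 10.10.2.0 255.255.255.0
"""

SPLIT_RE = re.compile(r"^\s*svc split include (\S+) (\S+)\s*$", re.MULTILINE)


def split_include_networks(config):
    """Return the networks named by 'svc split include' lines.

    A malformed address or mask raises ValueError, so a damaged line is
    reported instead of being silently dropped from the audit.
    """
    nets = []
    for addr, mask in SPLIT_RE.findall(config):
        nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=True))
    return nets


def classify(config, destinations):
    """Map each destination IP to 'tunnel' or 'local'.

    Assumption: with no split include lines the client tunnels all
    traffic, so every destination is classified as 'tunnel'.
    """
    nets = split_include_networks(config)
    result = {}
    for dest in destinations:
        ip = ipaddress.ip_address(dest)
        tunneled = not nets or any(ip in net for net in nets)
        result[dest] = "tunnel" if tunneled else "local"
    return result


if __name__ == "__main__":
    targets = ["10.10.1.20", "10.10.3.7", "8.8.8.8"]
    for dest, path in classify(SAMPLE_CONFIG, targets).items():
        print(f"{dest:12} -> {path}")
```

Every internal segment that VPN users must reach needs its own include line; anything not listed leaves the client through its local network instead of the tunnel.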