Cisco AnyConnect VPN - how to use port 443?

network-engineering cisco vpn
2022-02-03 22:36:32

We have Cisco AnyConnect VPN SSL configured on the outside interface on port 7443.

I want to change this port to 443 (which is already in use with the current public IP), but using a new public IP pool.

What is the best way to do this?

This is a Cisco ASA-5506.
Here is my config:

ASA Version 9.5(2)
!
hostname asa-5506-1
ip local pool Pool_VpnSSL 172.16.253.10-172.16.253.50 mask 255.255.255.0
!
interface GigabitEthernet1/1
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 channel-group 1 mode on
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 nameif outside1
 security-level 50
 ip address MY.PUBLIC.IP 255.255.255.224
!
interface Port-channel1
 lacp max-bundle 8
 no nameif
 no security-level
 no ip address
!
interface Port-channel1.100
 vlan 100
 nameif dmz
 security-level 50
 ip address 172.16.200.2 255.255.255.224
!
interface Port-channel1.210
 vlan 210
 nameif employees
 security-level 99
 ip address 172.16.11.254 255.255.252.0
!
interface Port-channel1.219
 vlan 219
 nameif servers
 security-level 50
 ip address 192.168.15.254 255.255.240.0
!
nve 1
 encapsulation vxlan
boot system disk0:/asa952-lfbff-k8.SPA
boot system disk0:/asa942-lfbff-k8.SPA
ftp mode passive
clock timezone CEST 2
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network network-dmz
 subnet 172.16.200.0 255.255.255.224
object network network-servers
 subnet 192.168.0.0 255.255.240.0
object network network-employees
 subnet 172.16.8.0 255.255.252.0
object service http
 service tcp source eq www
object service https
 service tcp source eq https
object network host-prod-web
 host 172.16.200.1
object network NETWORK_OBJ_172.16.253.0_26
 subnet 172.16.253.0 255.255.255.192
object network Pool-VpnSSL
 range 172.16.253.10 172.16.253.50
object network host-dhcp01
 host 172.16.11.252
 description DHCP
object network gateway-anyconnect
 host my.public.ip.X
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside-in extended permit udp any object network-servers eq 1194
access-list outside-in extended permit tcp any object network-dmz eq www
access-list outside-in extended permit tcp any object network-dmz eq https
access-list outside-in extended permit tcp any object network-servers eq www
access-list outside-in extended permit tcp any object network-servers eq 8080
access-list outside-in extended permit ip object Pool-VpnSSL 192.168.0.0 255.255.240.0
access-list outside-in extended deny ip any any
access-list outside-out extended permit ip object network-employees any
access-list outside-out extended permit ip object network-servers any
access-list outside-out extended permit ip object network-dmz any
access-list outside-out extended deny ip any any
access-list servers-in extended permit ip any any
access-list servers-out extended permit ip object network-employees any
access-list servers-out extended permit tcp any any eq www
access-list servers-out extended permit tcp any any eq https
access-list servers-out extended permit udp any any eq syslog
access-list servers-out extended permit udp any any eq 1194
access-list servers-out extended permit tcp any any eq 8080
access-list servers-out extended deny ip any any
access-list employees-in extended permit ip any any
access-list employees-in extended deny ip any any
access-list employees-out extended permit tcp object network-servers any eq 61043
access-list employees-out extended deny ip any any
access-list dmz-in extended permit tcp object network-dmz any eq smtp
access-list dmz-in extended permit udp object network-dmz any eq domain
access-list dmz-in extended permit tcp object network-dmz any eq www
access-list dmz-in extended permit tcp object network-dmz any eq https
access-list dmz-in extended deny ip any any
access-list dmz-out extended permit tcp any any eq ssh
access-list dmz-out extended permit tcp any any eq www
access-list dmz-out extended permit tcp any any eq https
access-list dmz-out extended deny ip any any
access-list my.lan extended permit ip 192.168.0.0 255.255.240.0 192.168.16.0 255.255.252.0
access-list my.lan extended permit ip 192.168.16.0 255.255.252.0 192.168.0.0 255.255.240.0
access-list my.lan extended permit ip 172.16.8.0 255.255.252.0 192.168.16.0 255.255.252.0
access-list my.lan extended permit ip 192.168.16.0 255.255.252.0 172.16.8.0 255.255.252.0
access-list my.lan extended permit ip 192.168.16.0 255.255.252.0 172.16.12.0 255.255.255.0
access-list my.lan extended permit ip 172.16.12.0 255.255.255.0 192.168.16.0 255.255.252.0
access-list VPNSSL extended permit ip object Pool-VpnSSL 192.168.0.0 255.255.240.0 log disable
access-list Split_network_Server standard permit 192.168.0.0 255.255.240.0
pager lines 24
logging enable
logging trap alerts
logging asdm informational
logging host servers 192.168.10.56
mtu outside1 1500
mtu dmz 1500
mtu employees 1500
mtu servers 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-751-90.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (dmz,outside1) source static host-prod-web interface service http http
nat (dmz,outside1) source static host-prod-web interface service https https
nat (any,outside1) source dynamic any interface
nat (any,outside1) source static any any destination static NETWORK_OBJ_172.16.253.0_26 NETWORK_OBJ_172.16.253.0_26 no-proxy-arp route-lookup
access-group outside-in in interface outside1
access-group outside-out out interface outside1
access-group dmz-in in interface dmz
access-group dmz-out out interface dmz
access-group employees-in in interface employees
access-group employees-out out interface employees
access-group serversin in interface servers
access-group serversout out interface servers
route outside1 0.0.0.0 0.0.0.0 MY.PUBLIC.IP.X 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
aaa-server MY.LAN protocol radius
aaa-server MY.LAN (servers-) host 192.168.9.14
 key *****
user-identity default-domain LOCAL
aaa authentication enable console my.LAN LOCAL
aaa authentication ssh console my.LAN LOCAL
aaa authentication http console my.LAN LOCAL
aaa authentication secure-http-client
http server enable 8443
http 172.16.8.0 255.255.252.0 employees
no snmp-server location
no snmp-server contact
snmp-server community *****
sysopt noproxyarp outside2
sysopt noproxyarp outside1
sla monitor 1
 type echo protocol ipIcmpEcho 192.168.15.254 interface outside1
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
service sw-reset-button
crypto ipsec ikev1 transform-set eurotunnel-set esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set my.lan-set esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set test esp-null esp-none
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map dynmap 1 match address my.lan
crypto dynamic-map dynmap 1 set ikev1 transform-set my.lan-set
crypto dynamic-map dynmap 1 set security-association lifetime seconds 86400
crypto map my.lan-map 1 ipsec-isakmp dynamic dynmap
crypto map my.lan-map interface outside1
crypto ca trustpoint ASDM_TrustPoint0
 keypair ASDM_TrustPoint0
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
 certificate 108aefd63320fad1986731f8
 ...
  quit
crypto isakmp identity address
crypto isakmp nat-traversal 10
crypto isakmp disconnect-notify
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside1
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
track 1 rtr 1 reachability
telnet timeout 5
no ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 employees
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 5
!
dhcprelay server 192.168.9.1 servers
dhcprelay setroute employees
dhcprelay timeout 90
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.9.1 prefer
ssl trust-point ASDM_TrustPoint0 outside1
webvpn
 port 7443
 enable outside1
 dtls port 7443
 anyconnect image disk0:/anyconnect-win-3.1.14018-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy DfltGrpPolicy attributes
group-policy GroupPolicy_VPNSSL internal
group-policy GroupPolicy_VPNSSL attributes
 wins-server none
 dns-server value 192.168.9.1
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_network_Server
 default-domain value my.lan
dynamic-access-policy-record DfltAccessPolicy
username netadmin password zz1GrwawHuLEvLaB encrypted privilege 15
tunnel-group VPNSSL type remote-access
tunnel-group VPNSSL general-attributes
 address-pool Pool_VpnSSL
 authentication-server-group my.LAN
 accounting-server-group my.LAN
 default-group-policy GroupPolicy_VPNSSL
tunnel-group VPNSSL webvpn-attributes
 group-alias VPNSSL enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
  inspect icmp
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end
1 answer

I want to change this port to 443 (which is already in use with the current public IP), but using a new public IP pool.

As far as I know, you will not be able to do that. WebVPN is enabled on your outside interface outside1, so it is bound to that interface's IP address.

In that case you have to change the current Web_Server service (https/443) in the DMZ network, which is attached to the current IP address of the outside1 interface:

  • Use (NAT) another (second) public IP for the Web_Server in the DMZ; you will also have to change the public DNS record for the Web_Server. This approach is better, since end users will not notice the change.
  • Or use another TCP port (e.g. 8080) instead of 443, so that TCP port 443 becomes available for AnyConnect.

There are discussions about this issue (links here and here).
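As an added example (not part of the original question or answer), here is what the two options from the answer look like as ASA CLI applied to the configuration posted above. The second public address 203.0.113.2, the object names public-web and tcp8080, and the client address 198.51.100.10 used in the packet-tracer check are assumptions for illustration only; the asker's real addresses are not on the page.

```cisco
! --- Before (taken from the posted config): the DMZ web server is statically
! --- PAT'd to the outside1 interface address on tcp/443, which is exactly the
! --- socket AnyConnect needs once webvpn moves from 7443 to 443.
!   nat (dmz,outside1) source static host-prod-web interface service http http
!   nat (dmz,outside1) source static host-prod-web interface service https https
!   webvpn
!    port 7443
!    dtls port 7443

! ===== Option 1: give the web server its own (second) public address =====
! 203.0.113.2 is an ASSUMED value. It must be reachable via outside1, either
! routed to the ASA by the ISP or taken from the outside1 /27. Note the posted
! config contains "sysopt noproxyarp outside1", so the ASA will NOT answer ARP
! for a second address in the connected subnet; the upstream router then needs
! a static route for it pointing at the outside1 interface address.
object network public-web
 host 203.0.113.2
!
! Remove the two interface-PAT rules and re-add them at the top of manual NAT
! section 1 (positions 1 and 2) so they still precede the "source dynamic any
! interface" rule that is also in section 1.
no nat (dmz,outside1) source static host-prod-web interface service http http
no nat (dmz,outside1) source static host-prod-web interface service https https
nat (dmz,outside1) 1 source static host-prod-web public-web service http http
nat (dmz,outside1) 2 source static host-prod-web public-web service https https
!
! The outside-in ACL already matches the real (post-NAT) address 172.16.200.1
! via network-dmz on eq https, so it does not need to change. Update the public
! DNS A record for the web server to 203.0.113.2 before cutting over.

! ===== Option 2 (alternative): keep the interface address, move the public port =====
! Only the mapped port changes; the real service stays https so outside-in
! ("permit tcp any object network-dmz eq https") still matches.
!   object service tcp8080
!    service tcp source eq 8080
!   nat (dmz,outside1) 2 source static host-prod-web interface service https tcp8080

! ===== Either way: tcp/443 and udp/443 on outside1 are now free for AnyConnect =====
! "http server enable 8443" in the posted config already keeps ASDM off 443.
webvpn
 port 443
 dtls port 443

! ===== Checks =====
show running-config webvpn
show nat detail
! Inbound HTTPS to the new public address should be translated to 172.16.200.1:443
! (198.51.100.10 is a constructed client address):
packet-tracer input outside1 tcp 198.51.100.10 40000 203.0.113.2 443
! And a client hitting the outside1 address on 443 should now terminate on the ASA
! itself (no NAT hit, phase result "ALLOW" to the box) rather than the web server.
```

The position numbers on the re-added NAT rules matter: removing and re-adding a manual NAT rule without a position appends it to the end of section 1, which in this config would place it after the dynamic PAT and the VPN-pool identity rule. With option 1, keep the old rules in place until the DNS TTL has expired and clients are resolving the new address, then swap the NAT and the webvpn port in one change window so the web server is never dark on 443.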