實驗?zāi)康模?/p>

新平ssl適用于網(wǎng)站、小程序/APP、API接口等需要進(jìn)行數(shù)據(jù)傳輸應(yīng)用場景，ssl證書未來市場廣闊！成為創(chuàng)新互聯(lián)公司的ssl證書銷售渠道，可以享受市場價格4-6折優(yōu)惠！如果有意向歡迎電話聯(lián)系或者加微信：028-86922220（備注：SSL證書合作）期待與您的合作！

1 使用Anyconnect3.0 撥號DTLS

2 使用Anyconnect3.0 撥號IPSec ×××

3 使用ACS 給用戶下放group-policy

拓?fù)洌?/p>

ASA配置：

interface GigabitEthernet0
 nameif inside
 security-level 100
 ip address 192.168.10.254 255.255.255.0
!
interface GigabitEthernet1
 nameif outside
 security-level 0
 ip address 192.168.20.254 255.255.255.0

----------------------ASDM------------------------

asdm p_w_picpath disk0:/asdm-645-206.bin

http server enable 444
http 0.0.0.0 0.0.0.0 outside

-----------------------自簽發(fā)證書--------------------

crypto ca trustpoint ssl***ca
 enrollment self
 fqdn asa.ssl***.net
 subject-name CN=asa.ssl***.net

crypto ca enroll ssl***ca noconfirm

----------------------SSL ×××----------------

web***
 enable outside
 anyconnect p_w_picpath disk0:/anyconnect-win-3.0.0629-k9.pkg 1
 anyconnect profiles ikev2group1 disk0:/ikev2group1.xml //此命令A(yù)SDM 自動產(chǎn)生，后面會給出ASDM 的配置。
 anyconnect enable
 tunnel-group-list enable

group-policy ssl***policy internal
group-policy ssl***policy attributes
 ***-tunnel-protocol ikev2 ssl-client
 web***
  anyconnect profiles value ikev2group1 type user//此命令同上
username root password N7HlIItY8AVJppkQ encrypted privilege 15
tunnel-group ssl***tunnel type remote-access
tunnel-group ssl***tunnel general-attributes
 authentication-server-group aaa
tunnel-group ssl***tunnel web***-attributes
 group-alias hr enable

------------------IPSEC ×××----------------------

crypto ikev2 policy 10
 encryption 3des
 integrity sha
 group 2
 prf sha

crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ssl***ca

crypto ipsec ikev2 ipsec-proposal ikev2ipsec
 protocol esp encryption 3des
 protocol esp integrity sha-1
crypto dynamic-map dymap 100 set ikev2 ipsec-proposal ikev2ipsec
crypto map ssl***map 1000 ipsec-isakmp dynamic dymap
crypto map ssl***map interface outside

---------------ACS 下放地址池-----------------------

詳細(xì)配置可以參考我的其他文章

--------------------配置USER GROUP-POLICY---------------------------------

--------------------------用戶和組的配置------------------------

此配置很簡單在就不給出配置了。

------------------------Anyconnect和證書的安裝--------------

此配置很簡單在就不給出配置了。

-----------------------anyconnect profiles 配置-----------------

驗證：