思科ASA配置SSLVPN

在ASA配置SSL VPN过程如下，

接口和默认路由 略

创建地址池SSL-POOL

ip local pool SSL-POOL 172.17.44.2-172.17.47.254 mask 255.255.252.0

配置区域策略

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

定义下发路由SSL-SPL

access-list SSL-SPL extended permit ip 172.17.0.0 255.255.0.0 any 
access-list SSL-SPL extended permit ip 10.0.0.0 255.255.0.0 any 
access-list SSL-SPL extended permit ip 10.201.0.0 255.255.0.0 any 
access-list SSL-SPL extended permit ip 192.168.96.0 255.255.224.0 any 
access-list SSL-SPL extended permit ip 10.101.0.0 255.255.0.0 any 
access-list SSL-SPL extended permit ip 10.12.0.0 255.255.0.0 any 

定义ACL策略SSL-ACL(可选)

access-list SSL-ACL extended permit ip any any 

定义radius认证服务器SSL(可选)

aaa-server SSL protocol radius
aaa-server SSL (inside) host 172.17.40.41
 key XXXXXXXX
 authentication-port 1812
 accounting-port 1813

允许inside管理(可选)

management-access inside

指定anyconnect客户端

webvpn
 enable inside
 anyconnect image disk0:/anyconnect-win-4.4.03034-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-macos-4.4.04030-webdeploy-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux64-4.4.04030-webdeploy-k9.pkg 3
 anyconnect enable
 cache
  disable
 error-recovery disable

配置group策略SSL-POLICY，关联需要下发的路由SSL-SPL、访问控制SSL-ACL、地址池SSL-POOL

group-policy SSL-POLICY internal
group-policy SSL-POLICY attributes
 dns-server value 192.168.115.11 192.168.115.12
 vpn-simultaneous-logins 30
 vpn-idle-timeout 120
 #VPN过滤可选……
 vpn-filter value SSL-ACL 
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SSL-SPL
 address-pools value SSL-POOL
 webvpn
  anyconnect ssl dtls enable
  anyconnect mtu 1200
  anyconnect keep-installer installed
  anyconnect dtls compression lzs
  anyconnect ask none default anyconnect

如果mtu太大，可能会出现“首次连接后断线，再次连接正常”的现象

默认tunnel-group关联策略，关联认证radius服务器SSL和group策略SSL-POLICY

tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group SSL
 accounting-server-group SSL
 default-group-policy SSL-POLICY