ASA WebVPN (Anyconnect VPN) _ www.bit.ly/taiho123


Lab purpose: help the system administrator configure the ASA so that remote users can access the company's internal network (the user only needs an Internet connection and a user account with permission to install software).

ASA Code:

ciscoasa# sh flash:
# length -date/time path
4096 Dec 17 2009 15:45:18 log
4096 Dec 17 2009 15:45:32 crypto_archive
66 14524416 Dec 17 2009 15:47:22 asa802-k8.bin
67 6889764 Dec 17 2009 15:47:52 asdm-602.bin
69 1858 Jan 05 2010 09:59:58 old_running.cfg
70 1220 Jan 05 2010 09:59:58 admin.cfg
71 1660 Dec 29 2009 09:51:50 CT01.cfg
72 2306 Dec 29 2009 11:19:00 CT02.cfg
73 1572 Jan 05 2010 10:39:48 B.cfg
74 1647 Jan 05 2010 13:01:50 A.cfg
75 2635714 Feb 02 2010 10:25:35 anyconnect-win-2.0.0343-k9.pkg

Building configuration
Cryptochecksum: 0962399f 6fe097fb df79686a c2777580
2859 bytes copied in 3.400 secs (953 bytes/sec)
[OK]

ciscoasa# SH RUN
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level
 ip address 101.0.0.2 255.0.0.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.10 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 no ip address
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list SPLIT-TUNNEL extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool MYPOOL 172.16.1.10-172.16.1.20 mask 255.255.255.0
no failover
icmp unreachable rate-limit burst-size
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout
ssh timeout
console timeout
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.0.0343-k9.pkg
 svc enable
 tunnel-group-list enable
group-policy WEBVPN internal
group-policy WEBVPN attributes
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 address-pools value MYPOOL
 webvpn
  svc keep-installer installed
username cisco password 3USUcOPFUiMCO4Jk encrypted
username cisco attributes
 vpn-group-policy WEBVPN
tunnel-group WEBVPN type remote-access
tunnel-group WEBVPN general-attributes
 default-group-policy WEBVPN
tunnel-group WEBVPN webvpn-attributes
 group-alias WEBVPN enable
prompt hostname context
Cryptochecksum:0962399f6fe097fbdf79686ac2777580
: end

ISP Code:

ISP#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type
       E1 - OSPF external type 1, E2 - OSPF external type
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C 102.0.0.0/8 is directly connected, FastEthernet0/1
C 101.0.0.0/8 is directly connected, FastEthernet0/0

ISP# show run
interface FastEthernet0/0
 ip address 101.0.0.1 255.0.0.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 102.0.0.1 255.0.0.0

Verification

Code: Link http://www.4shared.com/file/21342508 nect_VPN_.html
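The group-policy, username and tunnel-group lines of the ASA configuration refer to the split-tunnel ACL, the address pool and the group policy by name, so each name has to match its definition. The following Python check is an added example, not part of the original lab: the function names `audit_webvpn` and `split_tunnel_sources` are hypothetical, and the sample is constructed from the WebVPN-related lines of the running-config.

```python
import ipaddress
import re

# Constructed sample: WebVPN-related lines taken from the lab's running-config.
SAMPLE = """\
access-list SPLIT-TUNNEL extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
ip local pool MYPOOL 172.16.1.10-172.16.1.20 mask 255.255.255.0
group-policy WEBVPN internal
group-policy WEBVPN attributes
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 address-pools value MYPOOL
username cisco attributes
 vpn-group-policy WEBVPN
tunnel-group WEBVPN type remote-access
tunnel-group WEBVPN general-attributes
 default-group-policy WEBVPN
"""

# Referencing keyword -> regex that finds where objects of that kind are defined.
REFERENCES = {
    "split-tunnel-network-list value": r"^access-list (\S+) ",
    "address-pools value": r"^ip local pool (\S+) ",
    "vpn-group-policy": r"^group-policy (\S+) internal",
    "default-group-policy": r"^group-policy (\S+) internal",
}

def audit_webvpn(config):
    """Return findings for dangling references; an empty list means consistent."""
    findings = []
    for keyword, definition in REFERENCES.items():
        defined = set(re.findall(definition, config, re.M))
        for name in re.findall(rf"^ +{re.escape(keyword)} (\S+)", config, re.M):
            if name not in defined:
                findings.append(f"{keyword} {name}: not defined")
    if ("split-tunnel-policy tunnelspecified" in config
            and "split-tunnel-network-list value" not in config):
        findings.append("split-tunnel-policy tunnelspecified without a network list")
    return findings

def split_tunnel_sources(config, acl):
    """Source networks of the extended ACL referenced as the split-tunnel list."""
    rows = re.findall(rf"^access-list {re.escape(acl)} extended permit ip (\S+) (\S+)",
                      config, re.M)
    return [str(ipaddress.ip_network(f"{net}/{mask}")) for net, mask in rows]

if __name__ == "__main__":
    print(audit_webvpn(SAMPLE), split_tunnel_sources(SAMPLE, "SPLIT-TUNNEL"))
```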

Posted: 12/10/2016, 12:59