IPsec VPN Lab 6: ASA SSL VPN
Topology diagram
Lab goal: PC2 reaches PC1 over the SSL VPN.
The SSL VPN server side lives entirely on the ASA. The configuration steps are as follows:
Step 1: Generate the RSA key pair, named sslvpnkeypair.
crypto key generate rsa label sslvpnkeypair
Without a modulus keyword this release takes its default of 1024 bits, which is what the certificate in the full configuration at the end of the page shows; on anything other than a lab box, add "modulus 2048" to this command.
Step 2: Create a self-signed trustpoint named localtrust, bind the RSA key pair to it, then enroll. "crypto ca enroll" is a global configuration command, so leave trustpoint configuration mode before issuing it.
crypto ca trustpoint localtrust
 enrollment self
 fqdn sslvpn.luotao.com
 subject-name CN=sslvpn.luotao.com
 keypair sslvpnkeypair
 exit
crypto ca enroll localtrust noconfirm
Step 3: Apply the trustpoint localtrust to the outside interface, so its certificate is the one presented on TLS connections to that interface.
ssl trust-point localtrust outside
Step 4: Upload the client package to the ASA, register it, and enable WebVPN/SVC on the outside interface. The interface is enabled with "enable outside" (as the running config at the end of the page shows), and the package is registered with "svc image".
copy tftp disk0:
webvpn
 svc image disk0:/sslclient.pkg 1
 enable outside
 svc enable
 exit
Step 5: Create the address pool sslclientpool from which clients receive their tunnel IP address.
ip local pool sslclientpool 10.10.10.10-10.10.10.50 mask 255.255.255.0
Step 6: Create the group policy sslclientpolicy (type internal). Its attributes set the DNS server, restrict the tunnel protocol to SVC, set the default domain, and attach the client address pool.
group-policy sslclientpolicy internal
group-policy sslclientpolicy attributes
 dns-server value 202.96.134.133
 vpn-tunnel-protocol svc
 default-domain value luotao.com
 address-pools value sslclientpool
 exit
Step 7: Let decrypted VPN traffic bypass the interface access list, so VPN traffic is not subject to the ACL on the outside interface.
sysopt connection permit-vpn
This setting is on by default, which is why it does not appear in the running config below. With it on, the only thing that can restrict what VPN users reach inside is a vpn-filter in the group policy; this lab sets none, so an authenticated client can reach all of 192.168.1.0/24.
Step 8: Create the tunnel group (connection profile) sslclientprofile. Its general attributes attach the group policy sslclientpolicy; its WebVPN attributes set the alias sslvpnclient that users see in the group list at login.
tunnel-group sslclientprofile type remote-access
tunnel-group sslclientprofile general-attributes
 default-group-policy sslclientpolicy
tunnel-group sslclientprofile webvpn-attributes
 group-alias sslvpnclient enable
 exit
Step 9: Enable the tunnel-group list. When it is enabled the SSL client shows the group names (aliases) at login; otherwise they are hidden.
webvpn
 tunnel-group-list enable
 exit
Step 10: Configure NAT exemption so that traffic between the inside network and the SSL VPN client pool is not translated.
access-list nat0 extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list nat0
Step 11: Create a local user for SSL client logins. "service-type remote-access" limits the account to VPN authentication, so it cannot be used for management access to the ASA. The cisco/cisco credentials are lab values only.
username cisco password cisco
username cisco attributes
 service-type remote-access
 exit
Step 12: Configure split tunnelling: an ACL selects the traffic to be tunnelled, and the group policy references it. This lets a connected client reach the SSL VPN network and the Internet and other networks at the same time. With tunnelspecified, only traffic to 192.168.1.0/24 enters the tunnel; everything else, Internet traffic included, leaves the client's own interface unencrypted, which is the trade-off split tunnelling makes.
access-list splitssltunnel standard permit 192.168.1.0 255.255.255.0
group-policy sslclientpolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitssltunnel
 exit
Step 13: Save the configuration. The ASA has no "save" command; the command is "write memory".
write memory
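Steps 5, 10 and 12 have to agree with each other: the pool must not overlap the inside LAN, the NAT-exemption ACL must cover inside-to-pool traffic, and the split-tunnel list must include the inside network, otherwise clients connect fine and then reach nothing. The following Python script is an added example, not part of the original post, that pulls those objects out of running-config text with regular expressions and checks them with the standard ipaddress module. ASA_CONFIG is constructed from the lines shown on this page (with the censored word "vpn" restored, as the certificate's CN sslvpn.luotao.com confirms); BROKEN_POOL is a constructed variant with the pool carved out of the inside LAN, to show the checks firing.

```python
# Added example (not from the original post): cross-check the client pool, the
# NAT-exemption ACL and the split-tunnel ACL of an ASA SSL VPN config against each
# other. Standard library only; requires Python 3.8+ (assignment expressions).
import ipaddress
import re

# Constructed from the running-config lines shown on this page (only the lines the
# checks need are kept).
ASA_CONFIG = """
interface Ethernet0/0
 nameif inside
 ip address 192.168.1.1 255.255.255.0
access-list nat0 extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list splitssltunnel standard permit 192.168.1.0 255.255.255.0
ip local pool sslclientpool 10.10.10.10-10.10.10.50 mask 255.255.255.0
nat (inside) 0 access-list nat0
webvpn
 enable outside
 svc enable
group-policy sslclientpolicy attributes
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitssltunnel
 address-pools value sslclientpool
"""

# Constructed variant: the pool taken from inside the LAN instead of its own range.
BROKEN_POOL = ASA_CONFIG.replace("10.10.10.10-10.10.10.50", "192.168.1.100-192.168.1.150")


def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(config):
    """Pull the objects the checks need out of ASA CLI text (indentation-insensitive)."""
    cfg = {"pools": {}, "ext_acl": {}, "std_acl": {}, "lines": set()}
    iface = None
    for raw in config.splitlines():
        line = raw.strip()
        cfg["lines"].add(line)
        if line.startswith("interface "):
            iface = None
        elif (m := re.fullmatch(r"nameif (\S+)", line)):
            iface = m[1]
        elif (m := re.fullmatch(r"ip address (\S+) (\S+)", line)):
            if iface == "inside":
                cfg["inside"] = net(m[1], m[2])
        elif (m := re.fullmatch(r"ip local pool (\S+) (\S+)-(\S+) mask \S+", line)):
            cfg["pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif (m := re.fullmatch(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", line)):
            cfg["ext_acl"].setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif (m := re.fullmatch(r"access-list (\S+) standard permit (\S+) (\S+)", line)):
            cfg["std_acl"].setdefault(m[1], []).append(net(m[2], m[3]))
        elif (m := re.fullmatch(r"nat \(inside\) 0 access-list (\S+)", line)):
            cfg["nat0_acl"] = m[1]
        elif (m := re.fullmatch(r"split-tunnel-network-list value (\S+)", line)):
            cfg["split_acl"] = m[1]
        elif (m := re.fullmatch(r"address-pools value (\S+)", line)):
            cfg["pool"] = m[1]
    return cfg


def check(cfg):
    """Return findings; an empty list means pool, NAT exemption and split tunnel agree."""
    findings, inside = [], cfg["inside"]
    lo, hi = cfg["pools"][cfg["pool"]]
    # 1. A pool inside the LAN range collides with real hosts and breaks return routing.
    if lo in inside or hi in inside:
        findings.append(f"pool {lo}-{hi} overlaps the inside network {inside}")
    # 2. Some nat0 ACE must match inside -> whole pool, or replies get translated.
    nat_aces = cfg["ext_acl"].get(cfg.get("nat0_acl"), [])
    if not any(inside.subnet_of(src) and lo in dst and hi in dst for src, dst in nat_aces):
        findings.append("NAT exemption ACL does not cover inside -> pool traffic")
    # 3. With tunnelspecified, anything not in the split list never enters the tunnel.
    split_nets = cfg["std_acl"].get(cfg.get("split_acl"), [])
    if not any(inside.subnet_of(n) for n in split_nets):
        findings.append("split-tunnel ACL does not include the inside network")
    # 4. The lines without which no SVC session is ever accepted on outside.
    for required in ("enable outside", "svc enable", "vpn-tunnel-protocol svc"):
        if required not in cfg["lines"]:
            findings.append(f"missing '{required}'")
    return findings


def check_config(text):
    return check(parse(text))


if __name__ == "__main__":
    for name, text in (("page config", ASA_CONFIG), ("broken pool", BROKEN_POOL)):
        print(name, "->", check_config(text) or "OK")
```

Run as-is, the page's configuration passes and the broken variant reports both the overlap and the NAT-exemption mismatch, since the nat0 destination 10.10.10.0/24 no longer contains the pool.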
On PC2, browse to https://1.1.1.1 and follow the prompts to install and configure the client. Because the certificate is self-signed, the browser warns about it; a user who clicks through that warning has no way to tell the lab ASA from any other box presenting its own self-signed certificate for the same name, which is why a production deployment uses a certificate from a CA the clients already trust.
Client status (screenshot)
Split tunnel (screenshot)

Test:
ping 192.168.1.2      OK
FTP to PC1            OK
Finally, the full configuration:
ciscoasa(config)# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list nat0 extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list splitssltunnel standard permit 192.168.1.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool sslclientpool 10.10.10.10-10.10.10.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list nat0
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ca trustpoint localtrust
 enrollment self
 fqdn sslvpn.luotao.com
 subject-name CN=sslvpn.luotao.com
 keypair sslvpnkeypair
 crl configure
crypto ca certificate chain localtrust
 certificate 31
    308201f0 30820159 a0030201 02020131 300d0609 2a864886 f70d0101 04050030
    3e311a30 18060355 04031311 73736c76 706e2e6c 756f7461 6f2e636f 6d312030
    1e06092a 864886f7 0d010902 16117373 6c76706e 2e6c756f 74616f2e 636f6d30
    1e170d39 39313133 30303030 3630375a 170d3039 31313237 30303036 30375a30
    3e311a30 18060355 04031311 73736c76 706e2e6c 756f7461 6f2e636f 6d312030
    1e06092a 864886f7 0d010902 16117373 6c76706e 2e6c756f 74616f2e 636f6d30
    819f300d 06092a86 4886f70d 01010105 0003818d 00308189 02818100 89432e7b
    bde8efe4 c6bff55e 19dd1827 35004897 100afd21 dd0a975c 2c909111 1aca7622
    d384dca2 ee5634de 40809693 d62c0b91 c5992176 791dd02e 33bbd56f d09ccb4c
    b39f8d74 1edff436 51f9f759 2c01cb26 b2a70592 a7bbc4c2 793c2132 24d21e2d
    94c87c76 487b8c76 c4c02696 f63a2758 abece6ff 47e9c4a5 d194e9cf 02030100
    01300d06 092a8648 86f70d01 01040500 03818100 57296309 1982e43e 45185e2e
    33768095 a30c414c ae6ad9d6 45f16bbc 728b0fd0 60185281 15a3226e 654ca746
    d810ded1 5727fb17 808ef178 afa72a99 a1ed4863 99cf1356 a65574c7 3eecef34
    6c99d087 04233074 26517e3d 48b838c6 9f0cb782 06d740cd 794aaa32 124f910f
    095cdab1 66f1b848 f0285f1f 5a08b012 fb2f3815
  quit
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
ssl trust-point localtrust outside
webvpn
 enable outside
 svc image disk0:/sslclient.pkg 1
 svc enable
 tunnel-group-list enable
group-policy sslclientpolicy internal
group-policy sslclientpolicy attributes
 dns-server value 202.96.134.133
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitssltunnel
 default-domain value luotao.com
 address-pools value sslclientpool
username cisco password 3USUcOPFUiMCO4Jk encrypted
username cisco attributes
 service-type remote-access
tunnel-group sslclientprofile type remote-access
tunnel-group sslclientprofile general-attributes
 default-group-policy sslclientpolicy
tunnel-group sslclientprofile webvpn-attributes
 group-alias sslvpnclient enable
prompt hostname context
Cryptochecksum:3aee551f153ae30800bfb0ef4362cac8
: end
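The hex block under "crypto ca certificate chain localtrust" is the DER certificate that "crypto ca enroll localtrust noconfirm" actually produced, and it is worth reading before pointing clients at it. The following Python script is an added example, not from the original post, that decodes it with a minimal DER walker (standard library only) and reports what matters for a TLS server certificate: signature algorithm, key size, validity period, and whether it is self-signed. Decoded, this certificate is serial 0x31, CN and unstructuredName sslvpn.luotao.com, signed with md5WithRSAEncryption over a 1024-bit RSA key, valid from 1999-11-30 to 2009-11-27; the 1999 start date shows the ASA clock had evidently never been set, so a client with a correct clock rejects the certificate as expired on top of the self-signed warning. The walker is an assumption of scope, not a general X.509 parser: it handles only what this certificate uses (an RSA key, UTCTime/GeneralizedTime dates) and does not walk extensions.

```python
# Added example (not from the original post): decode the self-signed certificate the ASA
# printed under "crypto ca certificate chain localtrust" with a minimal stdlib DER walker.
# Assumption: it handles only what this certificate uses (RSA key, UTCTime/GeneralizedTime).
from datetime import datetime, timezone

# Hex dump copied from the running config shown on this page (two config rows per line).
ASA_CERT_HEX = """
308201f0 30820159 a0030201 02020131 300d0609 2a864886 f70d0101 04050030 3e311a30 18060355 04031311 73736c76 706e2e6c 756f7461 6f2e636f 6d312030
1e06092a 864886f7 0d010902 16117373 6c76706e 2e6c756f 74616f2e 636f6d30 1e170d39 39313133 30303030 3630375a 170d3039 31313237 30303036 30375a30
3e311a30 18060355 04031311 73736c76 706e2e6c 756f7461 6f2e636f 6d312030 1e06092a 864886f7 0d010902 16117373 6c76706e 2e6c756f 74616f2e 636f6d30
819f300d 06092a86 4886f70d 01010105 0003818d 00308189 02818100 89432e7b bde8efe4 c6bff55e 19dd1827 35004897 100afd21 dd0a975c 2c909111 1aca7622
d384dca2 ee5634de 40809693 d62c0b91 c5992176 791dd02e 33bbd56f d09ccb4c b39f8d74 1edff436 51f9f759 2c01cb26 b2a70592 a7bbc4c2 793c2132 24d21e2d
94c87c76 487b8c76 c4c02696 f63a2758 abece6ff 47e9c4a5 d194e9cf 02030100 01300d06 092a8648 86f70d01 01040500 03818100 57296309 1982e43e 45185e2e
33768095 a30c414c ae6ad9d6 45f16bbc 728b0fd0 60185281 15a3226e 654ca746 d810ded1 5727fb17 808ef178 afa72a99 a1ed4863 99cf1356 a65574c7 3eecef34
6c99d087 04233074 26517e3d 48b838c6 9f0cb782 06d740cd 794aaa32 124f910f 095cdab1 66f1b848 f0285f1f 5a08b012 fb2f3815
"""

OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption", "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
        "1.2.840.113549.1.1.11": "sha256WithRSAEncryption", "2.5.4.3": "CN",
        "1.2.840.113549.1.9.2": "unstructuredName"}
WEAK_SIG = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}


def read_tlv(buf, pos):
    """One DER tag-length-value at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def children(buf, start, end):
    """Yield the TLVs directly inside a constructed value."""
    pos = start
    while pos < end:
        tlv = read_tlv(buf, pos)
        yield tlv
        pos = tlv[2]


def decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                        # base-128 arcs, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def der_time(tag, raw):
    s = raw.decode("ascii")
    if tag == 0x17:                          # UTCTime YYMMDDHHMMSSZ; RFC 5280 pivots at 50
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_name(buf, start, end):
    """X.501 Name: SEQUENCE OF SET OF SEQUENCE { type OID, value }."""
    name = {}
    for _, ss, se in children(buf, start, end):
        for _, qs, qe in children(buf, ss, se):
            (_, os_, oe), (_, vs, ve) = children(buf, qs, qe)
            oid = decode_oid(buf[os_:oe])
            name[OIDS.get(oid, oid)] = buf[vs:ve].decode("utf-8", "replace")
    return name


def parse_asa_cert(hex_dump):
    der = bytes.fromhex("".join(hex_dump.split()))
    _, cs, ce = read_tlv(der, 0)                                 # Certificate
    (_, ts, te), (_, as_, ae), _sig = children(der, cs, ce)      # tbsCertificate, sigAlg, signature
    fields = list(children(der, ts, te))
    if fields[0][0] == 0xA0:                                     # optional [0] EXPLICIT version
        fields = fields[1:]
    serial, _alg, issuer, validity, subject, spki = fields[:6]
    _, os_, oe = next(children(der, as_, ae))                    # AlgorithmIdentifier.algorithm
    (nbt, nbs, nbe), (nat_, nas, nae) = children(der, validity[1], validity[2])
    _, (_, bs, be) = children(der, spki[1], spki[2])             # algorithm, subjectPublicKey
    _, ks, ke = read_tlv(der, bs + 1)                            # skip BIT STRING unused-bits byte
    (_, ms, me), _exp = children(der, ks, ke)                    # RSAPublicKey { modulus, exponent }
    sig_oid = decode_oid(der[os_:oe])
    info = {"serial": int.from_bytes(der[serial[1]:serial[2]], "big"),
            "signature_algorithm": OIDS.get(sig_oid, sig_oid),
            "issuer": parse_name(der, issuer[1], issuer[2]),
            "subject": parse_name(der, subject[1], subject[2]),
            "not_before": der_time(nbt, der[nbs:nbe]),
            "not_after": der_time(nat_, der[nas:nae]),
            "rsa_bits": int.from_bytes(der[ms:me], "big").bit_length()}
    info["self_signed"] = info["issuer"] == info["subject"]
    return info


def audit(info, now=None):
    """Findings to settle before exposing this certificate on the outside interface."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if info["signature_algorithm"] in WEAK_SIG:
        findings.append(f"signature algorithm {info['signature_algorithm']} is obsolete")
    if info["rsa_bits"] < 2048:
        findings.append(f"RSA key is only {info['rsa_bits']} bits; regenerate with 'modulus 2048'")
    if not info["not_before"] <= now <= info["not_after"]:
        findings.append(f"expired or not yet valid on {now:%Y-%m-%d} (valid {info['not_before']:%Y-%m-%d} to {info['not_after']:%Y-%m-%d})")
    if info["self_signed"]:
        findings.append("self-signed: clients must receive the certificate or its fingerprint out of band")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(parse_asa_cert(ASA_CERT_HEX))))
```

The same script works on any certificate pasted out of "show running-config"; only the hex changes. The 0x31 serial matches the "certificate 31" line, which the ASA prints in hex.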
Reposted from: https://blog.51cto.com/windows1009/698557