SSL VPN configuration on an ASA firewall

Lab topology diagram (image not included in this copy)

Goal of the lab: PC2 can reach PC1 through the SSL VPN.
The SSL VPN server side is configured entirely on the ASA; the configuration steps follow:
Step 1: Generate the RSA key pair, named sslvpnkeypair
crypto key generate rsa label sslvpnkeypair
Step 2: Create a self-signed trustpoint (CA) named localtrust and bind the RSA key pair to it
crypto ca trustpoint localtrust
enrollment self
fqdn sslvpn.luotao.com
subject-name CN=sslvpn.luotao.com
keypair sslvpnkeypair
crypto ca enroll localtrust noconfirm
exit
Step 3: Apply the localtrust trustpoint to the outside interface
ssl trust-point localtrust outside
Step 4: Upload the client package to the ASA and install it, then enable SVC on the outside interface.
copy tftp disk0:
webvpn
svc image disk0:/sslclient.pkg 1
enable outside
svc enable
exit
Step 5: Create the client address pool from which connecting clients get their IP addresses
ip local pool sslclientpool 10.10.10.10-10.10.10.50 mask 255.255.255.0
Step 6: Create a group policy named sslclientpolicy and set its type; the group-policy attributes set the DNS server, the tunnel protocol (SVC), the default domain and the client address pool
group-policy sslclientpolicy internal
group-policy sslclientpolicy attributes
dns-server value 202.96.134.133
vpn-tunnel-protocol svc
default-domain value luotao.com
address-pools value sslclientpool
exit
Step 7: Bypass the interface access lists so that VPN traffic is not subject to the outside interface ACL.
sysopt connection permit-vpn
Step 8: Create the tunnel group sslclientprofile; its attributes attach the group policy sslclientpolicy and set the group name shown at login, sslvpnclient
tunnel-group sslclientprofile type remote-access
tunnel-group sslclientprofile general-attributes
default-group-policy sslclientpolicy
tunnel-group sslclientprofile webvpn-attributes
group-alias sslvpnclient enable
exit
Step 9: Enable the tunnel-group list; when enabled the group name is shown in the SSL client, otherwise it is not.
webvpn
tunnel-group-list enable
exit
Step 10: Configure NAT exemption so that SSL VPN traffic is not translated
access-list nat0 extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list nat0
Step 11: Create a local user for SSL client logins.
username cisco password cisco
username cisco attributes
service-type remote-access
exit
Step 12: Configure split tunneling: match the interesting traffic with an ACL and apply it in the group policy. The effect is that the client can still reach the Internet and other networks while connected to the SSL VPN.
access-list splitssltunnel standard permit 192.168.1.0 255.255.255.0
group-policy sslclientpolicy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splitssltunnel
exit
Step 13: Save the configuration
write memory
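The thirteen steps above reference each other by name (tunnel group to group policy, group policy to address pool and split-tunnel ACL, NAT exemption to the pool's subnet), and a typo in any one of them produces a client that connects but cannot pass traffic. The following is an added example, not part of the original post and not a Cisco tool: a small standard-library Python checker that parses "show run"-style text for exactly these objects and reports broken references plus the security-relevant settings a reviewer would want flagged (split tunneling, ACL bypass, weak local credentials). The sample configuration is constructed from the commands in the steps above; the finding texts and severities are my own choices.

```python
import ipaddress

# Constructed sample: the commands from the steps above, written the way "show run"
# prints them (sub-mode lines indented one space). Not copied from a live device.
SAMPLE_CONFIG = """\
ip local pool sslclientpool 10.10.10.10-10.10.10.50 mask 255.255.255.0
access-list nat0 extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list splitssltunnel standard permit 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nat0
sysopt connection permit-vpn
webvpn
 enable outside
 svc image disk0:/sslclient.pkg 1
 svc enable
 tunnel-group-list enable
group-policy sslclientpolicy internal
group-policy sslclientpolicy attributes
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitssltunnel
 address-pools value sslclientpool
username cisco password cisco
username cisco attributes
 service-type remote-access
tunnel-group sslclientprofile type remote-access
tunnel-group sslclientprofile general-attributes
 default-group-policy sslclientpolicy
tunnel-group sslclientprofile webvpn-attributes
 group-alias sslvpnclient enable
"""


def parse_asa(text):
    """Pull the objects an SSL VPN depends on out of ASA 8.x "show run" text."""
    cfg = {"pools": {}, "acls": {}, "group_policies": {}, "tunnel_groups": {},
           "users": {}, "webvpn": set(), "nat0_acl": None, "permit_vpn": False}
    section = {"group-policy": "group_policies", "tunnel-group": "tunnel_groups", "username": "users"}
    ctx = None  # (cfg key, object name) that the following indented lines belong to
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        words = raw.split()
        if raw.startswith(" "):  # sub-mode line: attach it to the open section
            if ctx == ("webvpn", None):
                cfg["webvpn"].add(" ".join(words))
            elif ctx is not None:
                cfg[ctx[0]][ctx[1]][words[0]] = [w for w in words[1:] if w != "value"]
            continue
        ctx = None
        if words[:3] == ["ip", "local", "pool"]:
            first, last = words[4].split("-")
            cfg["pools"][words[3]] = (ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
        elif words[0] == "access-list":
            cfg["acls"].setdefault(words[1], []).append(words[2:])
        elif words[:4] == ["nat", "(inside)", "0", "access-list"]:
            cfg["nat0_acl"] = words[4]
        elif words == ["sysopt", "connection", "permit-vpn"]:
            cfg["permit_vpn"] = True
        elif words == ["webvpn"]:
            ctx = ("webvpn", None)
        elif words[0] in section:
            obj = cfg[section[words[0]]].setdefault(words[1], {})
            if words[2] == "password":
                obj["password"] = words[3]
            elif words[2].endswith("attributes"):
                ctx = (section[words[0]], words[1])
    return cfg


def audit(cfg):
    """Return (severity, message) findings; an 'error' means clients will not work as intended."""
    out = []
    for tg, a in cfg["tunnel_groups"].items():
        gp = a.get("default-group-policy", [None])[0]
        if gp not in cfg["group_policies"]:
            out.append(("error", f"tunnel-group {tg}: default-group-policy {gp!r} is not defined"))
    for gp, a in cfg["group_policies"].items():
        if "svc" not in a.get("vpn-tunnel-protocol", []):
            out.append(("error", f"group-policy {gp}: vpn-tunnel-protocol does not include svc"))
        pool = a.get("address-pools", [None])[0]
        if pool not in cfg["pools"]:
            out.append(("error", f"group-policy {gp}: address pool {pool!r} is not defined"))
            continue
        first, last = cfg["pools"][pool]
        # NAT exemption: some nat0 entry must name the whole client pool as its destination
        exempt = [ipaddress.IPv4Network(f"{e[5]}/{e[6]}", strict=False)
                  for e in cfg["acls"].get(cfg["nat0_acl"], []) if e[:3] == ["extended", "permit", "ip"]]
        if not any(first in n and last in n for n in exempt):
            out.append(("error", f"group-policy {gp}: NAT exemption does not cover pool {pool} "
                                 f"({first}-{last}); replies from the inside would be translated"))
        if a.get("split-tunnel-policy", [None])[0] == "tunnelspecified":
            acl = a.get("split-tunnel-network-list", [None])[0]
            if acl not in cfg["acls"]:
                out.append(("error", f"group-policy {gp}: split-tunnel ACL {acl!r} is not defined"))
            else:
                nets = ", ".join(f"{e[2]}/{e[3]}" for e in cfg["acls"][acl] if e[:2] == ["standard", "permit"])
                out.append(("info", f"group-policy {gp}: split tunneling, only {nets} is encrypted; "
                                    "everything else leaves the client directly"))
    for needed in ("enable outside", "svc enable"):
        if needed not in cfg["webvpn"]:
            out.append(("error", f"webvpn: '{needed}' is missing, clients cannot connect"))
    if cfg["permit_vpn"]:
        out.append(("info", "sysopt connection permit-vpn: decrypted VPN traffic bypasses the interface ACLs; "
                            "add a vpn-filter to the group policy if VPN users must be restricted"))
    for user, a in cfg["users"].items():
        if a.get("password") == user:
            out.append(("warning", f"username {user}: password equals the username; pick a strong one"))
    return out


if __name__ == "__main__":
    for severity, message in audit(parse_asa(SAMPLE_CONFIG)):
        print(f"[{severity}] {message}")
```

Run against the sample, the checker reports no errors, two informational findings (split tunneling limited to 192.168.1.0/255.255.255.0, and the ACL bypass from step 7) and one warning for the cisco/cisco local account. Deleting the `nat (inside) 0` line or misspelling the pool name in the group policy turns into an error, which is the failure mode that otherwise shows up only as "connected but cannot ping".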

On PC2, open https://1.1.1.1 and follow the prompts to set up the client
Client status (screenshot not included in this copy)
Split tunneling (screenshot not included in this copy)
Test:
ping 192.168.1.2  OK
Access the FTP service on PC1  OK
Finally, the complete configuration file:
ciscoasa(config)# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list nat0 extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list splitssltunnel standard permit 192.168.1.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool sslclientpool 10.10.10.10-10.10.10.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list nat0
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ca trustpoint localtrust
 enrollment self
 fqdn sslvpn.luotao.com
 subject-name CN=sslvpn.luotao.com
 keypair sslvpnkeypair
 crl configure
crypto ca certificate chain localtrust
 certificate 31
    308201f0 30820159 a0030201 02020131 300d0609 2a864886 f70d0101 04050030
    3e311a30 18060355 04031311 73736c76 706e2e6c 756f7461 6f2e636f 6d312030
    1e06092a 864886f7 0d010902 16117373 6c76706e 2e6c756f 74616f2e 636f6d30
    1e170d39 39313133 30303030 3630375a 170d3039 31313237 30303036 30375a30
    3e311a30 18060355 04031311 73736c76 706e2e6c 756f7461 6f2e636f 6d312030
    1e06092a 864886f7 0d010902 16117373 6c76706e 2e6c756f 74616f2e 636f6d30
    819f300d 06092a86 4886f70d 01010105 0003818d 00308189 02818100 89432e7b
    bde8efe4 c6bff55e 19dd1827 35004897 100afd21 dd0a975c 2c909111 1aca7622
    d384dca2 ee5634de 40809693 d62c0b91 c5992176 791dd02e 33bbd56f d09ccb4c
    b39f8d74 1edff436 51f9f759 2c01cb26 b2a70592 a7bbc4c2 793c2132 24d21e2d
    94c87c76 487b8c76 c4c02696 f63a2758 abece6ff 47e9c4a5 d194e9cf 02030100
    01300d06 092a8648 86f70d01 01040500 03818100 57296309 1982e43e 45185e2e
    33768095 a30c414c ae6ad9d6 45f16bbc 728b0fd0 60185281 15a3226e 654ca746
    d810ded1 5727fb17 808ef178 afa72a99 a1ed4863 99cf1356 a65574c7 3eecef34
    6c99d087 04233074 26517e3d 48b838c6 9f0cb782 06d740cd 794aaa32 124f910f
    095cdab1 66f1b848 f0285f1f 5a08b012 fb2f3815
  quit
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
ssl trust-point localtrust outside
webvpn
 enable outside
 svc image disk0:/sslclient.pkg 1
 svc enable
 tunnel-group-list enable
group-policy sslclientpolicy internal
group-policy sslclientpolicy attributes
 dns-server value 202.96.134.133
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitssltunnel
 default-domain value luotao.com
 address-pools value sslclientpool
username cisco password 3USUcOPFUiMCO4Jk encrypted
username cisco attributes
 service-type remote-access
tunnel-group sslclientprofile type remote-access
tunnel-group sslclientprofile general-attributes
 default-group-policy sslclientpolicy
tunnel-group sslclientprofile webvpn-attributes
 group-alias sslvpnclient enable
prompt hostname context
Cryptochecksum:3aee551f153ae30800bfb0ef4362cac8
: end
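The self-signed certificate that step 2 generated is printed in full under `crypto ca certificate chain localtrust`, so it can be inspected offline before clients are pointed at the outside interface. The following is an added example, not part of the original post and not Cisco tooling: a minimal DER walker in standard-library Python that decodes exactly those bytes and reports the things a defender checks on a VPN server certificate (signature hash, key size, issuer, validity window). The OID name table and the check thresholds are my own choices; the certificate bytes are copied from the running configuration above.

```python
import datetime

# The certificate exactly as printed in the "show run" output above (serial 0x31),
# with the extraction noise removed.
CERT_HEX = """
308201f0 30820159 a0030201 02020131 300d0609 2a864886 f70d0101 04050030
3e311a30 18060355 04031311 73736c76 706e2e6c 756f7461 6f2e636f 6d312030
1e06092a 864886f7 0d010902 16117373 6c76706e 2e6c756f 74616f2e 636f6d30
1e170d39 39313133 30303030 3630375a 170d3039 31313237 30303036 30375a30
3e311a30 18060355 04031311 73736c76 706e2e6c 756f7461 6f2e636f 6d312030
1e06092a 864886f7 0d010902 16117373 6c76706e 2e6c756f 74616f2e 636f6d30
819f300d 06092a86 4886f70d 01010105 0003818d 00308189 02818100 89432e7b
bde8efe4 c6bff55e 19dd1827 35004897 100afd21 dd0a975c 2c909111 1aca7622
d384dca2 ee5634de 40809693 d62c0b91 c5992176 791dd02e 33bbd56f d09ccb4c
b39f8d74 1edff436 51f9f759 2c01cb26 b2a70592 a7bbc4c2 793c2132 24d21e2d
94c87c76 487b8c76 c4c02696 f63a2758 abece6ff 47e9c4a5 d194e9cf 02030100
01300d06 092a8648 86f70d01 01040500 03818100 57296309 1982e43e 45185e2e
33768095 a30c414c ae6ad9d6 45f16bbc 728b0fd0 60185281 15a3226e 654ca746
d810ded1 5727fb17 808ef178 afa72a99 a1ed4863 99cf1356 a65574c7 3eecef34
6c99d087 04233074 26517e3d 48b838c6 9f0cb782 06d740cd 794aaa32 124f910f
095cdab1 66f1b848 f0285f1f 5a08b012 fb2f3815
"""

# Only the RSA signature OIDs this example needs to tell apart.
OID_NAMES = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
             "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
             "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}


def der_read(buf, pos):
    """Read one definite-length DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split a SEQUENCE/SET body into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128 arcs, high bit set on all but the last octet
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def common_name(name_value):
    """CN from an X.501 Name body: SET OF RDN, each RDN a SEQUENCE { OID, value }."""
    for _, rdn in der_children(name_value):
        for _, attr in der_children(rdn):
            (_, oid), (_, val) = der_children(attr)
            if decode_oid(oid) == "2.5.4.3":
                return val.decode("ascii")
    return None


def decode_cert(hex_text):
    der = bytes.fromhex("".join(hex_text.split()))
    _, cert, _ = der_read(der, 0)
    (_, tbs), (_, sig_alg), _ = der_children(cert)  # tbsCertificate, signatureAlgorithm, signature
    f = der_children(tbs)
    has_version = f[0][0] == 0xA0  # [0] EXPLICIT version is optional; absent means v1
    version = der_children(f[0][1])[0][1][0] + 1 if has_version else 1
    serial, _, issuer, validity, subject, spki = [v for _, v in (f[1:7] if has_version else f[:6])]
    # UTCTime is enough here; certificates dated 2050 or later would use GeneralizedTime instead
    not_before, not_after = [datetime.datetime.strptime(v.decode("ascii"), "%y%m%d%H%M%SZ")
                             for _, v in der_children(validity)]
    # SubjectPublicKeyInfo: SEQUENCE { AlgorithmIdentifier, BIT STRING { RSAPublicKey { n, e } } }
    _, bit_string = der_children(spki)[1]
    n, e = [int.from_bytes(v, "big") for _, v in der_children(der_children(bit_string[1:])[0][1])]
    return {"version": version, "serial": int.from_bytes(serial, "big"),
            "signature_algorithm": OID_NAMES.get(decode_oid(der_children(sig_alg)[0][1]), "unknown"),
            "issuer_cn": common_name(issuer), "subject_cn": common_name(subject),
            "self_signed": issuer == subject, "not_before": not_before, "not_after": not_after,
            "key_bits": n.bit_length(), "exponent": e}


def assess(info, now=None):
    """Defender-side checks on the decoded certificate; now may be a datetime or an ISO date string."""
    if now is None:
        now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    elif isinstance(now, str):
        now = datetime.datetime.fromisoformat(now)
    findings = []
    if info["signature_algorithm"].startswith("md5"):
        findings.append("signed with MD5; current browsers and VPN clients reject MD5 signatures")
    if info["key_bits"] < 2048:
        findings.append(f"RSA key is only {info['key_bits']} bits; 2048 is the accepted minimum")
    if info["self_signed"]:
        findings.append("self-signed; every client warns unless the certificate is installed as trusted")
    if not info["not_before"] <= now <= info["not_after"]:
        findings.append(f"not valid on {now:%Y-%m-%d}: validity is "
                        f"{info['not_before']:%Y-%m-%d} to {info['not_after']:%Y-%m-%d}")
    return findings


if __name__ == "__main__":
    details = decode_cert(CERT_HEX)
    for key, value in details.items():
        print(f"{key}: {value}")
    for finding in assess(details):
        print("-", finding)
```

Decoding the bytes above yields serial 49, `md5WithRSAEncryption`, a 1024-bit RSA key, and a self-signed CN of `sslvpn.luotao.com` valid from 1999-11-30 to 2009-11-27. A notBefore in 1999 is what self-enrollment produces on a device whose clock was never set, so `clock set` or an `ntp server` belongs before `crypto ca enroll`; otherwise clients see an invalid-date warning on top of the untrusted-issuer one, and the two habits (clicking through both) are exactly what makes a spoofed VPN portal hard for users to notice.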
Reposted from: https://blog.51cto.com/ljl2013/1346678