Cisco SSL VPN Configuration in Detail

This article walks through an SSL VPN configuration on the ASA; please read "Cisco WebVPN Configuration in Detail" in this column first.



1. Basic ASA configuration

ciscoasa(config)# int e0/0    
ciscoasa(config-if)# ip add 198.1.1.1 255.255.255.0
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# no shut
ciscoasa(config-if)# exit
!
ciscoasa(config)# int e0/1
ciscoasa(config-if)# ip add 10.10.1.1 255.255.255.0
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# no shut
ciscoasa(config-if)# exit
!
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# enable outside
ciscoasa(config-webvpn)# svc image disk0:/sslclient-win-1.1.2.169.pkg
ciscoasa(config-webvpn)# svc enable
!Enable WebVPN on the outside interface and turn on SVC (the SSL VPN Client);
!svc image points at the client package in flash that the ASA pushes to users
-----------------------------------------

2. SSL VPN preparation

ciscoasa(config)# ip local pool ssl-user 192.168.10.1-192.168.10.99
!Create the SSL VPN client address pool
!
ciscoasa(config)# access-list go-vpn permit ip 10.10.1.0 255.255.255.0 192.168.10.0 255.255.255.0
ciscoasa(config)# nat (inside) 0 access-list go-vpn
!Exempt traffic between the inside network and the client pool from NAT (nat 0, identity NAT);
!the pool must be covered by this ACL or return traffic to the clients gets translated
-----------------------------------------

3. WebVPN tunnel group and group policy

ciscoasa(config)# group-policy mysslvpn-group-policy internal
!Create an internal (locally stored) group policy named mysslvpn-group-policy
!
ciscoasa(config)# group-policy mysslvpn-group-policy attributes
ciscoasa(config-group-policy)# vpn-tunnel-protocol webvpn
ciscoasa(config-group-policy)# webvpn
ciscoasa(config-group-webvpn)# svc enable
ciscoasa(config-group-webvpn)# exit
ciscoasa(config-group-policy)# exit
ciscoasa(config)#
!Restrict the policy to the WebVPN (SSL) tunnel protocol and enable SVC in it
!
ciscoasa(config)# username steve6307 password cisco
!Create a local user (cisco is a lab password; the running config stores it encrypted)
!
ciscoasa(config)# username steve6307 attributes
ciscoasa(config-username)# vpn-group-policy mysslvpn-group-policy
ciscoasa(config-username)# exit
!Assign the group policy to the user
!
ciscoasa(config)# tunnel-group mysslvpn-group type webvpn
ciscoasa(config)# tunnel-group mysslvpn-group general-attributes
ciscoasa(config-tunnel-general)# address-pool ssl-user
ciscoasa(config-tunnel-general)# exit
!Attach the SSL VPN client address pool to the tunnel group
!
ciscoasa(config)# tunnel-group mysslvpn-group webvpn-attributes
ciscoasa(config-tunnel-webvpn)# group-alias group2 enable
ciscoasa(config-tunnel-webvpn)# exit
!group2 is the name under which this tunnel group is shown on the login page
!
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# tunnel-group-list enable
!Show the tunnel-group (alias) drop-down list on the WebVPN login page
-----------------------------------------

4. Configure SSL VPN split tunneling (optional)

ciscoasa(config)# access-list split-ssl extended permit ip 10.10.1.0 255.255.255.0 any
!Note: the source is the ASA's inside network and the destination is always any.
!In a split-tunnel ACL the source networks are the ones reached through the tunnel;
!traffic to any other destination leaves the client by its normal, untunneled path.
!
ciscoasa(config)# group-policy mysslvpn-group-policy attributes
ciscoasa(config-group-policy)# split-tunnel-policy tunnelspecified
ciscoasa(config-group-policy)# split-tunnel-network-list value split-ssl
!tunnelspecified: only the networks listed in split-ssl are tunneled;
!without this section the default (tunnelall) sends all client traffic through the ASA
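The preparation, group-policy and split-tunnel steps above depend on each other: the client pool has to sit inside the nat 0 exemption ACL, the split ACL's source networks decide what actually enters the tunnel, and the policy should allow only the SSL protocol. The Python script below is an added example (not from the original post and not Cisco code) that parses those running-config lines and checks the three points. The configuration text inside it is constructed from the commands on this page; the function names (parse_config, pool_is_nat_exempt, tunneled, ssl_only, audit) are this example's own.

```python
"""Consistency checks for the ASA SSL VPN configuration built up on this page.

Added example, not part of the original post and not Cisco code. It parses a
few ASA running-config lines and answers three questions a reviewer asks
before signing off an SSL VPN build:

  * is every address of the client pool covered by the destination of the
    `nat (inside) 0` exemption ACL,
  * which destinations go through the tunnel under the split-tunnel policy
    (on the ASA the ACL *source* names the protected networks),
  * is the group policy limited to SSL (`vpn-tunnel-protocol webvpn`).

SAMPLE_CONFIG is constructed from this page's commands.
"""
import ipaddress

SAMPLE_CONFIG = """\
ip local pool ssl-user 192.168.10.1-192.168.10.99
access-list go-vpn extended permit ip 10.10.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list split-ssl extended permit ip 10.10.1.0 255.255.255.0 any
nat (inside) 0 access-list go-vpn
group-policy mysslvpn-group-policy attributes
 vpn-tunnel-protocol webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-ssl
"""


def _take_net(tokens):
    """Consume one ACE address term: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def parse_config(text):
    """Collect pools, ACLs (as (src, dst) network pairs), nat-0 ACL names and
    the attributes of each group policy from ASA running-config text."""
    cfg = {"pools": {}, "acls": {}, "nat0": [], "group_policies": {}}
    gp = None  # group policy whose sub-mode we are currently inside
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:3] == ["ip", "local", "pool"]:
            first, last = tok[4].split("-")
            cfg["pools"][tok[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif tok[0] == "access-list" and "permit" in tok:
            i = tok.index("permit")
            if tok[i + 1:i + 2] == ["ip"]:          # only plain `permit ip` ACEs are modelled
                rest = tok[i + 2:]
                src = _take_net(rest)
                dst = _take_net(rest)
                cfg["acls"].setdefault(tok[1], []).append((src, dst))
        elif tok[0] == "nat" and tok[2:4] == ["0", "access-list"]:
            cfg["nat0"].append(tok[4])
        elif tok[0] == "group-policy" and tok[-1] == "attributes":
            gp = cfg["group_policies"].setdefault(tok[1], {})
        elif gp is not None and raw.startswith(" "):  # indented line of the current group policy
            if tok[0] == "vpn-tunnel-protocol":
                gp["protocols"] = set(tok[1:])
            elif tok[0] == "split-tunnel-policy":
                gp["split_policy"] = tok[1]
            elif tok[:2] == ["split-tunnel-network-list", "value"]:
                gp["split_acl"] = tok[2]
        else:
            gp = None                                # any other top-level line ends the sub-mode
    return cfg


def pool_is_nat_exempt(cfg, pool):
    """True if one ACE of a nat-0 ACL contains the whole pool in its destination."""
    first, last = cfg["pools"][pool]
    return any(first in dst and last in dst
               for name in cfg["nat0"] for _, dst in cfg["acls"].get(name, []))


def tunneled(cfg, policy_name, dst_ip):
    """Does traffic to dst_ip enter the tunnel under this group policy?
    The split ACL's *source* networks are the ones behind the ASA."""
    gp = cfg["group_policies"][policy_name]
    mode = gp.get("split_policy", "tunnelall")   # ASA default is tunnelall
    if mode == "tunnelall":
        return True
    ip = ipaddress.ip_address(dst_ip)
    listed = any(ip in src for src, _ in cfg["acls"].get(gp.get("split_acl"), []))
    return listed if mode == "tunnelspecified" else not listed   # excludespecified inverts


def ssl_only(cfg, policy_name):
    """True when the group policy allows nothing but the SSL (webvpn) tunnel."""
    return cfg["group_policies"][policy_name].get("protocols") == {"webvpn"}


def audit(text, pool="ssl-user", policy="mysslvpn-group-policy"):
    """Run the three checks against running-config text and return the results."""
    cfg = parse_config(text)
    return {
        "pool_nat_exempt": pool_is_nat_exempt(cfg, pool),
        "ssl_only": ssl_only(cfg, policy),
        "inside_tunneled": tunneled(cfg, policy, "10.10.1.50"),      # inside host
        "internet_tunneled": tunneled(cfg, policy, "203.0.113.10"),  # arbitrary Internet host
    }


if __name__ == "__main__":
    for check, result in audit(SAMPLE_CONFIG).items():
        print(f"{check:18} {result}")
```

To use it against a real box, paste the output of `show run` in place of SAMPLE_CONFIG; with the page's configuration the audit reports the pool as NAT-exempt, the policy as SSL-only, inside traffic as tunneled and Internet traffic as bypassing the tunnel, which is exactly the split-tunnel behaviour the optional step 4 introduces.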

Testing

Enter https://198.1.1.1 in a browser to reach the WebVPN portal.

After logging in, WebVPN launches the SSL Client installer directly.

SSL VPN established successfully!

The SVC status window.

The SVC copyright window (a page of Cisco boilerplate, heh).

Once the SSL connection is up, the ASA automatically installs a route toward the client.
------------------------------------------------
ciscoasa(config)# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
        D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
        E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
        i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
        * - candidate default, U - per-user static route, o - ODR
        P - periodic downloaded static route

Gateway of last resort is not set

S     192.168.10.1 255.255.255.255 [1/0] via 198.1.1.2, outside
C     10.10.1.0 255.255.255.0 is directly connected, inside
C     198.1.1.0 255.255.255.0 is directly connected, outside
------------------------------------------------
Note: in this example the remote user's public address is 198.1.1.2. The route is a /32 host route for the address the client drew from the pool (192.168.10.1), and the ASA points it directly at the user's public address on the outside interface.
Forgot to include show run, heh, so here it is as a follow-up.
------------------------------------------------
ciscoasa# show run
: Saved
:
ASA Version 7.2(1)24
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.1.1.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list go-vpn extended permit ip 10.10.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list split-ssl extended permit ip 10.10.1.0 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool ssl-user 192.168.10.1-192.168.10.99
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list go-vpn
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy mysslvpn-group-policy internal
group-policy mysslvpn-group-policy attributes
 vpn-tunnel-protocol webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-ssl
 webvpn
  svc enable
username steve6307 password Dt4qNrv3ojM/D.Cn encrypted
username steve6307 attributes
 vpn-group-policy mysslvpn-group-policy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
tunnel-group mysslvpn-group type webvpn
tunnel-group mysslvpn-group general-attributes
 address-pool ssl-user
tunnel-group mysslvpn-group webvpn-attributes
 group-alias group2 enable
telnet timeout 5
ssh timeout 5
console timeout 0
!
!
webvpn
 enable outside
 svc image disk0:/sslclient-win-1.1.2.169.pkg 1
 svc enable
 tunnel-group-list enable
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
------------------------------------------------