实验目的:
1 使用AAA 验证,允许用户hruser 访问内网的WEB
2 使用本地验证,拒绝用户gcuser 访问内网的WEB
3 自签发证书
拓扑:
配置:
ciscoasa# show run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif inside
security-level 100
ip address 192.168.10.254 255.255.255.0
!
interface GigabitEthernet1
nameif outside
security-level 0
ip address 192.168.20.254 255.255.255.0
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone GMT 8
access-list gcacl extended deny tcp any host 192.168.10.1
access-list gcacl extended deny tcp any host 192.168.10.1 eq www
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool gcpool 192.168.200.100-192.168.200.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-206.bin
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server aaa protocol radius
aaa-server aaa (inside) host 192.168.10.1
key *****
http server enable 444
http 192.168.20.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
crypto ca trustpoint ssl***ca
enrollment self
fqdn www.ssl***.com
subject-name CN=www.ssl***.com
keypair ssl***ca
crl configure
crypto ca certificate chain ssl***ca
certificate 9bfe6450
308201e7 30820150 a0030201 0202049b fe645030 0d06092a 864886f7 0d010105
05003038 31173015 06035504 03130e77 77772e73 736c7670 6e2e636f 6d311d30
1b06092a 864886f7 0d010902 160e7777 772e7373 6c76706e 2e636f6d 301e170d
31323039 32383032 31343435 5a170d32 32303932 36303231 3434355a 30383117
30150603 55040313 0e777777 2e73736c 76706e2e 636f6d31 1d301b06 092a8648
86f70d01 0902160e 7777772e 73736c76 706e2e63 6f6d3081 9f300d06 092a8648
86f70d01 01010500 03818d00 30818902 818100ed 54332c7b b92d6e1d 8536171a
94c81477 0dad7292 384a58d4 3ab4b208 ae0c14c7 a9025d46 06ec83c6 9156a6c4
1c4278f5 53a2d9ab b9daf8b3 8920f3a4 7e065fab a5492d71 2ed539b1 bce7b2e9
b993fb44 49ae69b1 e87dd130 befefcff ba9e6b72 cf4c2ba6 13c448e1 729e8bf2
bc2bcc47 e323ad4d 1a04e2fc ba1420bc 7654a302 03010001 300d0609 2a864886
f70d0101 05050003 8181003d be0e59f4 dd52e1b4 dc2e1790 60079073 c1ac4812
515019bd aacd56f3 1e359dc5 9757eeeb bb724666 0d7f4290 2871ac7a 2c952ebe
62f13304 b4ce6dc0 f98a1cc4 17ef0a38 b5620649 978f8009 b373c0c8 2f095de3
51b3cd7c adb3dd03 36bd71ad 6c2ee30a 4f74fa35 235276b3 11b2053a ff13df44
9f55f5dd 1a8d0d2a 542d32
quit
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ssl***ca outside
web***
enable outside
anyconnect image disk0:/anyconnect-win-3.0.0629-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy gc internal
group-policy gc attributes
***-filter value gcacl
***-tunnel-protocol ssl-client
group-lock value gcgroup
address-pools value gcpool
web***
anyconnect ask enable default web***
group-policy hr internal
group-policy hr attributes
***-tunnel-protocol ssl-client
group-lock value hrgroup
web***
anyconnect ask enable default web***
username gcuser password cOaM9IcVVY8ymrp8 encrypted
username gcuser attributes
***-group-policy gc
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group hrgroup type remote-access
tunnel-group hrgroup general-attributes
authentication-server-group aaa
default-group-policy hr
tunnel-group hrgroup web***-attributes
group-alias hrgroup enable
tunnel-group gcgroup type remote-access
tunnel-group gcgroup web***-attributes
group-alias gcgroup enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
crashinfo save disable
Cryptochecksum:e2ae825a97327f63fed4b90c92e0dfa0
: end
2 新建用户hruser
3 为了管理方便新建组织单位HR
配置AAA服务器(使用RADIUS协议授权):
1 配置外部数据库(AD数据库)
配置ACL
配置AAA客户端:
配置地址池:
配置客户端证书:
参见我另一篇问题"ASA ssl *** 自发证书不受信任的解决方法"
验证:
从上图可以看出hruser允许访问内部WEB
从上图可以看出gcuser拒绝访问内部WEB
下面以HR 用户登录GC
从上面可以看出
hruser是无法登录GC的
从上面看已经达到我们的实验目的
5887
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
