This example builds on the ASA5510 remote-access IPsec VPN configuration from the previous post and adds an SSL VPN on top of it; both VPN types can be used at the same time.

 

1. Basic configuration

asa(config)# webvpn
asa(config-webvpn)# enable outside
asa(config-webvpn)# svc image disk0:/sslclient-win-1.1.3.173.pkg

//sslclient-win-1.1.3.173.pkg: see the attachment. This is the SSL VPN client package that the ASA pushes to users when they log in
asa(config-webvpn)# svc enable
//The commands above enable WebVPN on the outside interface and at the same time turn on the SSL VPN client (SVC) service

2. Preparation for the SSL VPN configuration

//Create the SSL VPN user address pool (here it is the same pool the IPsec remote-access VPN uses)
asa(config)# ip local pool vpn-pool 172.16.100.1-172.16.100.100 mask 255.255.255.0

//Exempt SSL VPN traffic from NAT (identity NAT between the inside network and the pool)
asa(config)# access-list no-nat extended permit ip 192.168.222.0 255.255.255.0 172.16.100.0 255.255.255.0
asa(config)# nat (inside) 0 access-list no-nat

3. WebVPN tunnel-group and group-policy configuration
//Create a group policy named mysslvpn-group-policy
asa(config)# group-policy mysslvpn-group-policy internal
asa(config)# group-policy mysslvpn-group-policy attributes
asa(config-group-policy)# vpn-tunnel-protocol svc webvpn
asa(config-group-policy)# webvpn

//Enable the SSL VPN client in the group policy. "svc" must be listed in vpn-tunnel-protocol (as in the listing in section 5); with "webvpn" alone the policy permits only clientless access
asa(config-group-webvpn)# svc enable
asa(config-group-webvpn)# exit
asa(config-group-policy)# exit
 
//Create the SSL VPN user (the demo password equals the username; use a real one in production)
asa(config)# username webvpn password webvpn

//Assign the mysslvpn-group-policy policy to user webvpn
asa(config)# username webvpn attributes
asa(config-username)# vpn-group-policy mysslvpn-group-policy
asa(config-username)# exit
//Create the tunnel group ("type webvpn" is stored as "type remote-access", see the listing in section 5)
asa(config)# tunnel-group mysslvpn-group type webvpn
asa(config)# tunnel-group mysslvpn-group general-attributes

//Use the user address pool
asa(config-tunnel-general)# address-pool vpn-pool
asa(config-tunnel-general)# exit
asa(config)# tunnel-group mysslvpn-group webvpn-attributes
asa(config-tunnel-webvpn)# group-alias group3 enable
asa(config-tunnel-webvpn)# exit
asa(config)# webvpn
asa(config-webvpn)# tunnel-group-list enable
//"group3" is the name users pick from the group drop-down on the login page; tunnel-group-list enable is what makes that drop-down appear

4. Configuring SSL VPN split tunneling
//Split tunneling is optional; configure it according to actual needs.
//The split-tunnel list is a standard ACL naming the networks behind the ASA's inside interface that should go through the tunnel (here 192.168.222.0/24, matching the listing in section 5). With tunnelspecified, everything else, Internet traffic included, leaves the client's local interface directly and bypasses the firewall; use tunnelall if that is not acceptable
asa(config)# access-list vpnsplit standard permit 192.168.222.0 255.255.255.0
asa(config)# group-policy mysslvpn-group-policy attributes
asa(config-group-policy)# split-tunnel-policy tunnelspecified
asa(config-group-policy)# split-tunnel-network-list value vpnsplit

 

5. Full configuration listing

Note: the listing below still carries settings that should not survive into production (ssh version 1, telnet from the inside network, and DES/MD5 in both the IPsec transform set and the IKE policy); only the webvpn, group-policy, username and tunnel-group lines are what this post adds.

ASA Version 8.0(2)
!
hostname test
domain-name test.net
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.63.128.50 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.222.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name test.net
access-list 101 extended permit icmp any any
access-list no-nat extended permit ip 192.168.222.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list vpnsplit standard permit 192.168.222.0 255.255.255.0

pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool vpn-pool 172.16.100.1-172.16.100.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 10.63.128.51 netmask 255.255.255.0
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 10.65.156.27 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http 192.168.0.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto dynamic-map dymap 10 set transform-set vpnset
crypto dynamic-map dymap 10 set reverse-route
crypto map vpnmap 10 ipsec-isakmp dynamic dymap
crypto map vpnmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
telnet 192.168.222.0 255.255.255.0 inside
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
!
!
webvpn
 enable outside
 svc image disk0:/sslclient-win-1.1.3.173.pkg 1
 svc enable
 tunnel-group-list enable
group-policy mysslvpn-group-policy internal
group-policy mysslvpn-group-policy attributes
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnsplit
 webvpn
  svc ask enable

group-policy whjt internal
group-policy whjt attributes
 vpn-idle-timeout 3600000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnsplit
username test password P4ttSyrm33SV8TYp encrypted
username webvpn password yLRmYA5FRKBhsE1j encrypted
username webvpn attributes
 vpn-group-policy mysslvpn-group-policy
username sunrc password 7KrF6bCIHvpfFNSo encrypted
tunnel-group whjt type remote-access
tunnel-group whjt general-attributes
 address-pool vpn-pool
 default-group-policy whjt
tunnel-group whjt ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 20 retry 2
tunnel-group mysslvpn-group type remote-access
tunnel-group mysslvpn-group general-attributes
 address-pool vpn-pool
tunnel-group mysslvpn-group webvpn-attributes
 group-alias group3 enable
prompt hostname context
Cryptochecksum:6bb5b6e91c7b59e2fd00ab99d00b34f0
: end
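To check that a running config like the listing above actually has all the SSL VPN pieces wired together, and to surface the weak settings it still carries, here is an added Python linter. It is example code written for this page, not from the original post and not a Cisco tool; the function names (`parse_blocks`, `lint_asa_config`) and the check list are my own. It assumes ASA 8.0-style output (one space of indentation per nesting level, `!` separators) and verifies the global `webvpn` block, that the tunnel-group shown in the login menu has a defined address pool covered by a `nat (inside) 0` exemption, that the group policy lists `svc` in `vpn-tunnel-protocol` and points its split-tunnel list at a standard ACL, and that each user maps to an SVC-capable policy; it then warns on `ssh version 1` and DES/MD5 transform sets. The embedded sample is a constructed, trimmed copy of the listing's SSL VPN lines.

```python
import ipaddress
import re

# Constructed sample: the SSL VPN-relevant lines of the section 5 listing, trimmed.
SAMPLE_CONFIG = """\
access-list no-nat extended permit ip 192.168.222.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list vpnsplit standard permit 192.168.222.0 255.255.255.0
ip local pool vpn-pool 172.16.100.1-172.16.100.100 mask 255.255.255.0
nat (inside) 0 access-list no-nat
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
ssh version 1
webvpn
 enable outside
 svc image disk0:/sslclient-win-1.1.3.173.pkg 1
 svc enable
 tunnel-group-list enable
group-policy mysslvpn-group-policy attributes
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnsplit
username webvpn attributes
 vpn-group-policy mysslvpn-group-policy
tunnel-group mysslvpn-group general-attributes
 address-pool vpn-pool
tunnel-group mysslvpn-group webvpn-attributes
 group-alias group3 enable
"""


def parse_blocks(config):
    """Map each top-level command to its indented sub-commands; ASA indents one space per level."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith(("!", ":")):  # separators and ': end'
            continue
        if raw[0] != " ":
            current = raw.strip()
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(raw.strip())  # nested levels are flattened under the parent
    return blocks


def lint_asa_config(config):
    """Return {'errors': [...], 'warnings': [...]}: errors break the SSL VPN, warnings are hygiene."""
    blocks = parse_blocks(config)
    errors, warnings = [], []
    has = lambda prefix: [line for line in blocks if line.startswith(prefix)]
    value_of = lambda subs, prefix: next((s.split()[-1] for s in subs if s.startswith(prefix)), None)
    # 1. Global webvpn: listen on outside, client package loaded, SVC on, alias menu on.
    wv = blocks.get("webvpn", [])
    for needed in ("enable outside", "svc image ", "svc enable", "tunnel-group-list enable"):
        if not any(s.startswith(needed) for s in wv):
            errors.append(f"webvpn: missing '{needed.strip()}'")
    # 2. Address pools: name -> the network the pool lives in.
    pools = {m.group(1): ipaddress.ip_network(f"{m.group(2)}/{m.group(4)}", strict=False)
             for m in map(re.compile(r"ip local pool (\S+) (\S+)-(\S+) mask (\S+)").match,
                          has("ip local pool ")) if m}
    # 3. Group policies permitting the SVC client; a split-tunnel list must be a standard ACL.
    svc_policies = set()
    for line in has("group-policy "):
        m = re.match(r"group-policy (\S+) attributes", line)
        if not m:
            continue
        name, subs = m.group(1), blocks[line]
        if any("svc" in s.split() for s in subs if s.startswith("vpn-tunnel-protocol")):
            svc_policies.add(name)
        if "split-tunnel-policy tunnelspecified" in subs:
            acl = value_of(subs, "split-tunnel-network-list value")
            if acl is None or not has(f"access-list {acl} standard "):
                errors.append(f"group-policy {name}: split tunnel needs a standard ACL, got {acl!r}")
    # 4. Each user with an attributes block must map to an SVC-capable policy.
    for line in has("username "):
        m = re.match(r"username (\S+) attributes", line)
        if m and value_of(blocks[line], "vpn-group-policy") not in svc_policies:
            warnings.append(f"username {m.group(1)}: group-policy does not allow svc")
    # 5. A tunnel-group offered in the login menu needs a defined pool that is exempt from NAT.
    exempt = [line.split()[-1] for line in has("nat (inside) 0 access-list ")]
    for line in has("tunnel-group "):
        m = re.match(r"tunnel-group (\S+) webvpn-attributes", line)
        if not m or not any(s.startswith("group-alias") for s in blocks[line]):
            continue
        tg = m.group(1)
        pool = value_of(blocks.get(f"tunnel-group {tg} general-attributes", []), "address-pool")
        if pool not in pools:
            errors.append(f"tunnel-group {tg}: address-pool {pool!r} is not defined")
            continue
        dests = [ace.split()[-2:] for acl in exempt for ace in has(f"access-list {acl} extended permit ip ")]
        if not any(pools[pool].network_address in ipaddress.ip_network(f"{ip}/{mask}", strict=False)
                   for ip, mask in dests):
            errors.append(f"tunnel-group {tg}: pool {pool} has no 'nat (inside) 0' exemption")
    # 6. Hygiene the listing still carries: SSHv1 and DES/MD5 on the IPsec side.
    if "ssh version 1" in blocks:
        warnings.append("ssh version 1 is enabled; use 'ssh version 2'")
    for line in has("crypto ipsec transform-set "):
        if {"esp-des", "esp-md5-hmac"} & set(line.split()):
            warnings.append(f"{line}: DES/MD5 are obsolete")
    return {"errors": errors, "warnings": warnings}
```

Feed it the output of `show running-config` (saved to a file and read into a string) and act on the errors first: each one corresponds to a step in sections 1 to 4 that was skipped or mistyped, which is exactly the class of mistake (wrong ACL name or type, user mapped to the wrong policy, pool left behind NAT) that produces a client that connects but cannot reach the inside network.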