(ASA) Cisco SSL VPN Configuration Explained [Part 2 of 3]
 
This article walks through the SSL VPN configuration; please read "Cisco Web VPN Configuration Explained" in this forum section first.
[Image: sslweb.jpg (42.91 KB), 06-11-23 19:35]

1. Basic ASA configuration.

ciscoasa(config)# int e0/0
ciscoasa(config-if)# ip add 198.1.1.1 255.255.255.0
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# no shut
ciscoasa(config-if)# exit
!
ciscoasa(config)# int e0/1
ciscoasa(config-if)# ip add 10.10.1.1 255.255.255.0
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# no shut
ciscoasa(config-if)# exit
!
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# enable outside
ciscoasa(config-webvpn)# svc image disk0:/sslclient-win-1.1.2.169.pkg
ciscoasa(config-webvpn)# svc enable
! Enable WebVPN on the outside interface and turn on the SVC (SSL VPN Client) feature
-----------------------------------------

2. SSL VPN preparation.

ciscoasa(config)# ip local pool ssl-user 192.168.10.1-192.168.10.99
! Create the address pool for SSL VPN clients
!
ciscoasa(config)# access-list go-vpn permit ip 10.10.1.0 255.255.255.0 192.168.10.0 255.255.255.0
ciscoasa(config)# nat (inside) 0 access-list go-vpn
! Exempt SSL VPN traffic between the inside network and the client pool from NAT
-----------------------------------------

3. WebVPN tunnel group and group policy

ciscoasa(config)# group-policy mysslvpn-group-policy internal
! Create a group policy named mysslvpn-group-policy
!
ciscoasa(config)# group-policy mysslvpn-group-policy attributes
ciscoasa(config-group-policy)# vpn-tunnel-protocol webvpn
ciscoasa(config-group-policy)# webvpn
ciscoasa(config-group-webvpn)# svc enable
ciscoasa(config-group-webvpn)# exit
ciscoasa(config-group-policy)# exit
ciscoasa(config)#
! Enable SVC in the group policy
!
ciscoasa(config)# username steve6307 password cisco
! Create a user
!
ciscoasa(config)# username steve6307 attributes
ciscoasa(config-username)# vpn-group-policy mysslvpn-group-policy
ciscoasa(config-username)# exit
! Assign the group policy to the user
!
ciscoasa(config)# tunnel-group mysslvpn-group type webvpn
ciscoasa(config)# tunnel-group mysslvpn-group general-attributes
ciscoasa(config-tunnel-general)# address-pool ssl-user
ciscoasa(config-tunnel-general)# exit
! Set the address pool for SSL VPN users
!
ciscoasa(config)# tunnel-group mysslvpn-group webvpn-attributes
ciscoasa(config-tunnel-webvpn)# group-alias group2 enable
ciscoasa(config-tunnel-webvpn)# exit
!
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# tunnel-group-list enable
-----------------------------------------

4. Configure SSL VPN split tunneling (optional).

ciscoasa(config)# access-list split-ssl extended permit ip 10.10.1.0 255.255.255.0 any
! Note: the source address is the ASA inside network; the destination is always any
!
ciscoasa(config)# group-policy mysslvpn-group-policy attributes
ciscoasa(config-group-policy)# split-tunnel-policy tunnelspecified
ciscoasa(config-group-policy)# split-tunnel-network-list value split-ssl

Test

Enter https://198.1.1.1 in the browser to reach the WebVPN portal.
[Image: s1.gif (31.74 KB), 06-11-23 20:29]

After logging in, WebVPN launches the SSL Client installer directly.
[Image: s2.gif (43.6 KB), 06-11-23 20:29]
[Image: s3.gif (4.03 KB), 06-11-23 20:29]
[Image: s4.gif (3.69 KB), 06-11-23 20:29]

SSL VPN established successfully!
[Image: s5.gif (6.71 KB), 06-11-23 20:29]

Have a look at the SVC status information.
[Image: s7.gif (13.57 KB), 06-11-23 20:29]

Have a look at the SVC copyright information (a pile of Cisco boilerplate, heh).
[Image: s8.gif (17.59 KB), 06-11-23 20:29]

Once the SSL connection is established, the ASA automatically installs a route pointing at the client.
------------------------------------------------
ciscoasa(config)# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
        D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
        E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
        i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
        * - candidate default, U - per-user static route, o - ODR
        P - periodic downloaded static route

Gateway of last resort is not set

S     192.168.10.1 255.255.255.255 [1/0] via 198.1.1.2, outside
C     10.10.1.0 255.255.255.0 is directly connected, inside
C     198.1.1.0 255.255.255.0 is directly connected, outside
------------------------------------------------
Note: in this example the remote user's address is 198.1.1.2, and the ASA points this static route directly at the remote user's public address.
Forgot to include show run, heh, so here it is as a follow-up!
ciscoasa# show run
: Saved
:
ASA Version 7.2(1)24
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 198.1.1.1 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.1.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list go-vpn extended permit ip 10.10.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list split-ssl extended permit ip 10.10.1.0 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool ssl-user 192.168.10.1-192.168.10.99
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list go-vpn
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy mysslvpn-group-policy internal
group-policy mysslvpn-group-policy attributes
vpn-tunnel-protocol webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-ssl
webvpn
   svc enable
username steve6307 password Dt4qNrv3ojM/D.Cn encrypted
username steve6307 attributes
vpn-group-policy mysslvpn-group-policy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
tunnel-group mysslvpn-group type webvpn
tunnel-group mysslvpn-group general-attributes
address-pool ssl-user
tunnel-group mysslvpn-group webvpn-attributes
group-alias group2 enable
telnet timeout 5
ssh timeout 5
console timeout 0
!
!
webvpn
enable outside
svc image disk0:/sslclient-win-1.1.2.169.pkg 1
svc enable
tunnel-group-list enable
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
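The pieces configured in sections 2 to 4 have to agree with each other: the tunnel group hands out addresses from the pool, the nat 0 ACL must exempt exactly that pool, and the split-tunnel ACL must list only inside networks, while the per-client host route in show route should fall inside the pool. As an added example (it is not part of the original post and not a Cisco tool), the script below audits those relationships from a running-config capture and extracts the client host routes from show route. The sample config and route table are constructed from the lines shown above; the function names are my own.

```python
import ipaddress
import re

# Constructed sample: condensed from the running-config printed in this post.
SAMPLE_CONFIG = """\
interface Ethernet0/1
nameif inside
ip address 10.10.1.1 255.255.255.0
access-list go-vpn extended permit ip 10.10.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list split-ssl extended permit ip 10.10.1.0 255.255.255.0 any
ip local pool ssl-user 192.168.10.1-192.168.10.99
nat (inside) 0 access-list go-vpn
group-policy mysslvpn-group-policy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-ssl
tunnel-group mysslvpn-group general-attributes
address-pool ssl-user
"""
# Constructed: the routes from the post's "sh route" with one client connected.
SAMPLE_ROUTE = """\
S     192.168.10.1 255.255.255.255 [1/0] via 198.1.1.2, outside
C     10.10.1.0 255.255.255.0 is directly connected, inside
C     198.1.1.0 255.255.255.0 is directly connected, outside
"""
# Constructed misconfiguration: a split-tunnel ACL that matches everything.
BAD_SPLIT_CONFIG = SAMPLE_CONFIG.replace(
    "permit ip 10.10.1.0 255.255.255.0 any", "permit ip any any")


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _operand(toks):
    """Consume one ACL address operand: 'any' or 'ADDR MASK'."""
    tok = toks.pop(0)
    return ipaddress.ip_network("0.0.0.0/0") if tok == "any" else _net(tok, toks.pop(0))


def parse_pools(cfg):
    """'ip local pool NAME A-B' -> {NAME: (A, B)}"""
    return {m.group(1): (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
            for m in re.finditer(r"^\s*ip local pool (\S+) (\S+)-(\S+)", cfg, re.M)}


def parse_acls(cfg):
    """'access-list NAME [extended] permit ip SRC DST' -> {NAME: [(src_net, dst_net)]}"""
    acls = {}
    for m in re.finditer(r"^\s*access-list (\S+) (?:extended )?permit ip (.+)$", cfg, re.M):
        toks = m.group(2).split()
        acls.setdefault(m.group(1), []).append((_operand(toks), _operand(toks)))
    return acls


def parse_interface_net(cfg, nameif):
    """Connected network of the interface whose nameif is NAMEIF, or None."""
    for block in re.split(r"^(?=interface )", cfg, flags=re.M):
        if re.search(rf"^\s*nameif {re.escape(nameif)}\s*$", block, re.M):
            m = re.search(r"^\s*ip address (\S+) (\S+)", block, re.M)
            if m:
                return _net(m.group(1), m.group(2))
    return None


def audit(cfg):
    """Return a list of findings; an empty list means pool, nat 0 and split list agree."""
    findings, pools, acls = [], parse_pools(cfg), parse_acls(cfg)
    inside = parse_interface_net(cfg, "inside")
    # The tunnel-group must hand out addresses from a pool that exists.
    for m in re.finditer(r"^\s*address-pool (\S+)", cfg, re.M):
        if m.group(1) not in pools:
            findings.append(f"address-pool {m.group(1)} is not defined")
    # nat 0: every pool must sit inside the destination of the exemption ACL,
    # otherwise inside-to-client traffic is translated and replies break.
    for m in re.finditer(r"^\s*nat \(inside\) 0 access-list (\S+)", cfg, re.M):
        if m.group(1) not in acls:
            findings.append(f"nat 0 references undefined ACL {m.group(1)}")
        for name, (lo, hi) in pools.items():
            if not any(lo in dst and hi in dst for _, dst in acls.get(m.group(1), [])):
                findings.append(f"ACL {m.group(1)} does not exempt pool {name} from NAT")
    # Split list (tunnelspecified): sources are the inside networks the client may
    # reach; a source of 'any' would pull all client traffic into the tunnel.
    for m in re.finditer(r"^\s*split-tunnel-network-list value (\S+)", cfg, re.M):
        if m.group(1) not in acls:
            findings.append(f"split-tunnel list references undefined ACL {m.group(1)}")
        for src, _ in acls.get(m.group(1), []):
            if src.prefixlen == 0:
                findings.append(f"ACL {m.group(1)}: source any tunnels all client traffic")
            elif inside is not None and not src.subnet_of(inside):
                findings.append(f"ACL {m.group(1)}: {src} is not within inside {inside}")
    return findings


def client_routes(route_text, pools):
    """Host routes the ASA installs per connected client: (client, next hop, interface)."""
    pat = r"^S\s+(\S+) 255\.255\.255\.255 \[\d+/\d+\] via (\S+), (\S+)"
    out = []
    for m in re.finditer(pat, route_text, re.M):
        ip = ipaddress.ip_address(m.group(1))
        if any(lo <= ip <= hi for lo, hi in pools.values()):
            out.append((m.group(1), m.group(2), m.group(3)))
    return out


if __name__ == "__main__":
    for label, cfg in (("post config", SAMPLE_CONFIG), ("bad split list", BAD_SPLIT_CONFIG)):
        print(label, "->", audit(cfg) or "no findings")
    print("client routes:", client_routes(SAMPLE_ROUTE, parse_pools(SAMPLE_CONFIG)))
```

Feed it the text of show running-config and show route. The post's own configuration yields no findings, while the constructed "permit ip any any" split list is flagged because it tunnels everything, the opposite of what section 4 sets out to do; the route check confirms that the host route the ASA installed (192.168.10.1 via 198.1.1.2 on outside) belongs to the ssl-user pool.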