(ASA) Cisco SSL VPN Configuration Explained [Part 2 of 3]
This article covers SSL VPN configuration; please read "Cisco Web VPN Configuration Explained" in this forum first.
1. Basic ASA configuration.

```
ciscoasa(config)# int e0/0
ciscoasa(config-if)# ip add 198.1.1.1 255.255.255.0
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# no shut
ciscoasa(config-if)# exit
!
ciscoasa(config)# int e0/1
ciscoasa(config-if)# ip add 10.10.1.1 255.255.255.0
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# no shut
ciscoasa(config-if)# exit
!
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# enable outside
ciscoasa(config-webvpn)# svc image disk0:/sslclient-win-1.1.2.169.pkg
ciscoasa(config-webvpn)# svc enable
! Enable WebVPN on the outside interface and turn on the SVC (SSL VPN Client) feature
```

2. SSL VPN preparation.

```
ciscoasa(config)# ip local pool ssl-user 192.168.10.1-192.168.10.99
! Create the address pool for SSL VPN users
!
ciscoasa(config)# access-list go-vpn permit ip 10.10.1.0 255.255.255.0 192.168.10.0 255.255.255.0
ciscoasa(config)# nat (inside) 0 access-list go-vpn
! Exempt SSL VPN traffic from NAT translation
```

3. WebVPN tunnel group and group policy.

```
ciscoasa(config)# group-policy mysslvpn-group-policy internal
! Create a group policy named mysslvpn-group-policy
!
ciscoasa(config)# group-policy mysslvpn-group-policy attributes
ciscoasa(config-group-policy)# vpn-tunnel-protocol webvpn
ciscoasa(config-group-policy)# webvpn
ciscoasa(config-group-webvpn)# svc enable
ciscoasa(config-group-webvpn)# exit
ciscoasa(config-group-policy)# exit
ciscoasa(config)#
! Enable SVC in the group policy
!
ciscoasa(config-webvpn)# username steve6307 password cisco
! Create the user
!
ciscoasa(config)# username steve6307 attributes
ciscoasa(config-username)# vpn-group-policy mysslvpn-group-policy
ciscoasa(config-username)# exit
! Assign the group policy to the user
!
ciscoasa(config)# tunnel-group mysslvpn-group type webvpn
ciscoasa(config)# tunnel-group mysslvpn-group general-attributes
ciscoasa(config-tunnel-general)# address-pool ssl-user
ciscoasa(config-tunnel-general)# exit
! Set the address pool for SSL VPN users
!
ciscoasa(config)# tunnel-group mysslvpn-group webvpn-attributes
ciscoasa(config-tunnel-webvpn)# group-alias group2 enable
ciscoasa(config-tunnel-webvpn)# exit
!
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# tunnel-group-list enable
```

4. Configure SSL VPN split tunneling (optional).

```
ciscoasa(config)# access-list split-ssl extended permit ip 10.10.1.0 255.255.255.0 any
! Note: the source is the ASA's inside network address; the destination is always any
!
ciscoasa(config)# group-policy mysslvpn-group-policy attributes
ciscoasa(config-group-policy)# split-tunnel-policy tunnelspecified
ciscoasa(config-group-policy)# split-tunnel-network-list value split-ssl
```

Testing
Enter https://198.1.1.1 in a browser to reach the WebVPN portal.

After logging in, the WebVPN portal launches the SSL Client installer directly.

The SSL VPN is established successfully!

Take a look at the SVC status information.

Take a look at the SVC copyright information (a pile of Cisco boilerplate, heh).

Once the SSL connection is established, the ASA automatically creates a route pointing to the client.

```
ciscoasa(config)# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

S    192.168.10.1 255.255.255.255 [1/0] via 198.1.1.2, outside
C    10.10.1.0 255.255.255.0 is directly connected, inside
C    198.1.1.0 255.255.255.0 is directly connected, outside
```

Note: in this example the external user's address is 198.1.1.2; the ASA points this static route directly at the external user's public address.
I forgot to include the show run, heh, so here it is as a follow-up!
```
ciscoasa# show run
: Saved
:
ASA Version 7.2(1)24
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.1.1.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list go-vpn extended permit ip 10.10.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list split-ssl extended permit ip 10.10.1.0 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool ssl-user 192.168.10.1-192.168.10.99
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list go-vpn
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy mysslvpn-group-policy internal
group-policy mysslvpn-group-policy attributes
 vpn-tunnel-protocol webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-ssl
 webvpn
  svc enable
username steve6307 password Dt4qNrv3ojM/D.Cn encrypted
username steve6307 attributes
 vpn-group-policy mysslvpn-group-policy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
tunnel-group mysslvpn-group type webvpn
tunnel-group mysslvpn-group general-attributes
 address-pool ssl-user
tunnel-group mysslvpn-group webvpn-attributes
 group-alias group2 enable
telnet timeout 5
ssh timeout 5
console timeout 0
!
!
webvpn
 enable outside
 svc image disk0:/sslclient-win-1.1.2.169.pkg 1
 svc enable
 tunnel-group-list enable
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
```
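The SSL VPN pieces in the running config above only work when they reference each other consistently: the tunnel group must point at an existing address pool, the user at an existing group policy, the split-tunnel and nat 0 statements at existing ACLs, and the NAT-exempt ACL must cover the whole client pool. This added Python example (not part of the original post or any Cisco tool; `check_sslvpn_config` and the constructed config excerpt are my own) parses a `show run` text and reports any such inconsistency.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed excerpt of the running config shown in this post (sample input).
SAMPLE_CONFIG = """\
access-list go-vpn extended permit ip 10.10.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list split-ssl extended permit ip 10.10.1.0 255.255.255.0 any
ip local pool ssl-user 192.168.10.1-192.168.10.99
nat (inside) 0 access-list go-vpn
group-policy mysslvpn-group-policy internal
group-policy mysslvpn-group-policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-ssl
username steve6307 attributes
 vpn-group-policy mysslvpn-group-policy
tunnel-group mysslvpn-group general-attributes
 address-pool ssl-user
"""

def check_sslvpn_config(text):
    """Cross-check the SSL VPN objects in an ASA config; returns findings (empty = consistent)."""
    pools, acls, policies, refs, nat0_acl = {}, {}, set(), [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line):
            pools[m[1]] = (ip_address(m[2]), ip_address(m[3]))
        elif m := re.match(r"access-list (\S+) extended permit ip \S+ \S+ (\S+) ?(\S*)", line):
            # ASA ACLs use a dotted netmask (not a wildcard); 'any' means 0.0.0.0/0
            dst = "0.0.0.0/0" if m[2] == "any" else f"{m[2]}/{m[3]}"
            acls.setdefault(m[1], []).append(ip_network(dst))
        elif m := re.match(r"group-policy (\S+) internal$", line):
            policies.add(m[1])
        elif m := re.match(r"address-pool (\S+)", line):
            refs.append(("pool", pools, m[1], line))
        elif m := re.match(r"split-tunnel-network-list value (\S+)", line):
            refs.append(("acl", acls, m[1], line))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)", line):
            refs.append(("acl", acls, m[1], line))
            nat0_acl = m[1]
        elif m := re.match(r"vpn-group-policy (\S+)", line):
            refs.append(("policy", policies, m[1], line))
    findings = [f"'{ctx}' references undefined {kind} {name}"
                for kind, table, name, ctx in refs if name not in table]
    # The nat 0 ACL must cover every pool address, otherwise return traffic to the
    # uncovered clients is translated and the tunnel silently fails for them.
    for name, (lo, hi) in pools.items():
        if not any(lo in net and hi in net for net in acls.get(nat0_acl, [])):
            findings.append(f"NAT exemption ACL does not cover pool {name} ({lo}-{hi})")
    return findings
```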
Reposted from: https://blog.51cto.com/shijie/68077