This lab is run on a Cisco CSR1000V virtual router.
Lab topology
Lab configuration
hostname csr1kv
!
aaa new-model
!
aaa authentication suppress null-username
aaa authentication login sslvpn local
aaa authorization network sslvpn local
!
no ip domain lookup
!
crypto pki trustpoint csr1kv.local
 enrollment selfsigned
 subject-name cn=csr1kv.local
 revocation-check none
 rsakeypair csr1kv.local
!
!
crypto pki certificate chain csr1kv.local
 certificate self-signed 01
  B84230DF 77267A70 ADBEF775 3791C3CF EF45FF13 637343C9 9589D487 E0F4D050
  3E1A1CEE CEFCC9F8 168F91A2 D62EE440 A1674943 D20F8EDB DB465130 109147BE
  99C342C5 921D3DBD 910CBECB 5638
  quit
# This is the self-signed certificate; the steps that generate it are omitted here.
!
username admin privilege 15 secret 5 $1$bVLV$u0lFX9bJ3IFSF7M6R7UFe.
username cisco password 7 060506324F41
!
!
crypto ssl proposal sslvpn-proposal
 protection rsa-3des-ede-sha1 rsa-rc4128-md5 rsa-aes128-sha1 rsa-aes256-sha1
# SSL cipher proposal
!
crypto ssl authorization policy sslvpn-auth-policy
 pool sslvpn
 dns 10.1.1.100
 def-domain iteachs.com
 route set access-list sslvpn-tunnel
# SSL authorization policy
!
crypto ssl policy sslvpn-policy
 ssl proposal sslvpn-proposal
 pki trustpoint csr1kv.local sign
 ip address local 202.100.1.100 port 443
!
crypto ssl profile sslvpn-profile
 match policy sslvpn-policy
 aaa authentication user-pass list sslvpn
 aaa authorization group user-pass list sslvpn sslvpn-auth-policy
 authentication remote user-pass
 max-users 100
!
!
crypto vpn anyconnect bootflash:/anyconnect-win-4.6.03049-webdeploy-k9.pkg sequence 1
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet1
 ip address 202.100.1.100 255.255.255.0
 negotiation auto
!
ip local pool sslvpn 172.16.1.1 172.16.1.100
ip route 192.168.100.0 255.255.255.0 202.100.1.1
ip access-list standard sslvpn-tunnel
 permit 10.1.1.0 0.0.0.255
!
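The SSL VPN objects above form a chain of references (profile -> policy -> proposal and trustpoint; profile -> AAA lists and authorization policy -> pool and ACL), and a few of the settings are ones a reviewer would normally flag: the `password 7` on user cisco is a reversible obfuscation rather than a hash, the `secret 5` is MD5-crypt, the proposal still offers 3DES and RC4/MD5 suites, and the trustpoint is self-signed with `revocation-check none`. The following Python script is an added example, not part of the lab and not Cisco tooling: it splits an IOS-style config into blocks, reports those weak settings, and verifies that every name an SSL VPN object references is actually defined. `SAMPLE_CONFIG` is a constructed copy of the lab config with the indentation restored and the certificate body left out; the regexes and finding texts are mine.

```python
"""Audit an IOS-XE SSL VPN (AnyConnect) config for weak or dangling settings.
Added example for this write-up, not Cisco tooling. SAMPLE_CONFIG is constructed
from the lab config (IOS indentation restored, certificate body omitted)."""
import re

SAMPLE_CONFIG = """\
aaa authentication login sslvpn local
aaa authorization network sslvpn local
crypto pki trustpoint csr1kv.local
 enrollment selfsigned
 revocation-check none
username admin privilege 15 secret 5 $1$bVLV$u0lFX9bJ3IFSF7M6R7UFe.
username cisco password 7 060506324F41
crypto ssl proposal sslvpn-proposal
 protection rsa-3des-ede-sha1 rsa-rc4128-md5 rsa-aes128-sha1 rsa-aes256-sha1
crypto ssl authorization policy sslvpn-auth-policy
 pool sslvpn
 route set access-list sslvpn-tunnel
crypto ssl policy sslvpn-policy
 ssl proposal sslvpn-proposal
 pki trustpoint csr1kv.local sign
crypto ssl profile sslvpn-profile
 match policy sslvpn-policy
 aaa authentication user-pass list sslvpn
 aaa authorization group user-pass list sslvpn sslvpn-auth-policy
 max-users 100
ip local pool sslvpn 172.16.1.1 172.16.1.100
ip access-list standard sslvpn-tunnel
 permit 10.1.1.0 0.0.0.255
"""

WEAK_SUITE_MARKERS = ("rc4", "md5", "3des")  # deprecated primitives in suite names
# Object kind -> regex matched against the top-level line that defines it.
DEFINITIONS = {
    "proposal": r"crypto ssl proposal (\S+)",
    "trustpoint": r"crypto pki trustpoint (\S+)",
    "policy": r"crypto ssl policy (\S+)",
    "authz-policy": r"crypto ssl authorization policy (\S+)",
    "pool": r"ip local pool (\S+)",
    "acl": r"ip access-list (?:standard|extended) (\S+)",
    "login-list": r"aaa authentication login (\S+)",
    "network-list": r"aaa authorization network (\S+)",
}
# (block prefix, regex on a child line, kind of object that child references).
REFERENCES = [
    ("crypto ssl policy", r"ssl proposal (\S+)", "proposal"),
    ("crypto ssl policy", r"pki trustpoint (\S+) sign", "trustpoint"),
    ("crypto ssl profile", r"match policy (\S+)", "policy"),
    ("crypto ssl profile", r"aaa authentication user-pass list (\S+)", "login-list"),
    ("crypto ssl profile", r"aaa authorization group user-pass list (\S+) \S+", "network-list"),
    ("crypto ssl profile", r"aaa authorization group user-pass list \S+ (\S+)", "authz-policy"),
    ("crypto ssl authorization policy", r"pool (\S+)", "pool"),
    ("crypto ssl authorization policy", r"route set access-list (\S+)", "acl"),
]


def parse_blocks(config):
    """Split an IOS config into (top-level line, [indented child lines]) pairs."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and '!' separators carry no configuration
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_sslvpn(config):
    """Return one finding per weak setting or dangling reference (empty = clean)."""
    blocks = parse_blocks(config)
    defined = {kind: set() for kind in DEFINITIONS}
    for header, _ in blocks:
        for kind, rx in DEFINITIONS.items():
            if (m := re.match(rx, header)):
                defined[kind].add(m.group(1))
    findings = []
    for header, children in blocks:
        m = re.fullmatch(r"username (\S+) (?:privilege \d+ )?(?:password|secret) (\d) .*", header)
        if m and m.group(2) == "7":  # type 7 is an obfuscation, not a hash
            findings.append(f"user {m.group(1)}: type 7 password is reversible; use secret type 8/9")
        elif m and m.group(2) == "5":  # type 5 is MD5-crypt
            findings.append(f"user {m.group(1)}: type 5 secret is MD5-based; prefer type 8/9")
        if header.startswith("crypto ssl proposal"):
            for child in children:
                if child.startswith("protection "):
                    weak = [s for s in child.split()[1:] if any(w in s for w in WEAK_SUITE_MARKERS)]
                    if weak:
                        findings.append(f"{header}: weak cipher suites {weak}")
        if header.startswith("crypto pki trustpoint"):
            if "enrollment selfsigned" in children:
                findings.append(f"{header}: self-signed server certificate, clients will warn")
            if "revocation-check none" in children:
                findings.append(f"{header}: revocation checking disabled")
        for prefix, rx, kind in REFERENCES:
            for child in children if header.startswith(prefix) else []:
                m = re.fullmatch(rx, child)
                if m and m.group(1) not in defined[kind]:
                    findings.append(f"{header}: references undefined {kind} '{m.group(1)}'")
    return findings
```

Run against the sample it reports five findings: the two trustpoint issues, the type 5 secret for admin, the type 7 password for cisco, and the `rsa-3des-ede-sha1` / `rsa-rc4128-md5` suites in the proposal. The reference check stays silent because every name in the lab resolves; deleting the `ip local pool` line, for instance, makes it report that the authorization policy points at an undefined pool, which on a real box would leave connecting clients without a tunnel address.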
Verification output
csr1kv#show version
Cisco IOS XE Software, Version 03.16.06.S - Extended Support Release
Cisco IOS Software, CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(3)S6, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2017 by Cisco Systems, Inc.
Compiled Mon 24-Jul-17 20:01 by mcpre
Cisco IOS-XE software, Copyright (c) 2005-2017 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.
ROM: IOS-XE ROMMON
csr1kv uptime is 39 minutes
Uptime for this control processor is 40 minutes
System returned to ROM by reload
System image file is "bootflash:packages.conf"
Last reload reason: Unknown reason
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
License Level: ax
License Type: Default. No valid license found.
Next reload license Level: ax
cisco CSR1000V (VXE) processor (revision VXE) with 1090313K/6147K bytes of memory.
Processor board ID 9ZMT9E7R1HJ
4 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
3022272K bytes of physical memory.
7774207K bytes of virtual hard disk at bootflash:.
Configuration register is 0x2102
csr1kv#
csr1kv#show crypto ssl session
SSL profile name: sslvpn-profile
Client_Login_Name Client_IP_Address No_of_Connections Created Last_Used
cisco 192.168.100.100 1 00:00:49 00:00:29
csr1kv#show crypto ssl session user cisco
Interface : SSLVPN-VIF0
Session Type : Full Tunnel
Client User-Agent : AnyConnect Windows 4.6.03049
Username : cisco Num Connection : 1
Public IP : 192.168.100.100
Profile : sslvpn-profile
Policy : sslvpn-policy
Last-Used : 00:00:36 Created : *08:24:52.328 UTC Thu Dec 6 2018
Tunnel IP : 172.16.1.1 Netmask : 0.0.0.0
Rx IP Packets : 2 Tx IP Packets : 28
csr1kv#
csr1kv#show crypto ssl session user cisco detail
Interface : SSLVPN-VIF0
Session Type : Full Tunnel
Client User-Agent : AnyConnect Windows 4.6.03049
Username : cisco Num Connection : 1
Public IP : 192.168.100.100
Profile : sslvpn-profile
Policy : sslvpn-policy
Last-Used : 00:00:00 Created : *08:24:52.328 UTC Thu Dec 6 2018
Session Timeout : 43200 Idle Timeout : 1800
DNS primary : 10.1.1.100 WINS primary : None
DNS secondary : None WINS secondary : None
IP6 DNS primary : None
IP6 DNS secondary : None
DPD GW Timeout : 300 DPD CL Timeout : 300
Address Pool : sslvpn
MTU Size : 1406
Disconnect Time : 0
Rekey Time : 3600
Lease Duration : 43200 Keepalive : 30
Tunnel IP : 172.16.1.1 Netmask : 0.0.0.0
Rx IP Packets : 2 Tx IP Packets : 34
CSTP Started : 00:01:32 Last-Received : 00:00:00
CSTP DPD-Req sent : 0
Msie-ProxyServer : None
Msie-PxyOption : Disabled
Msie-Exception : None
Split DNS : None
ACL : sslvpn-tunnel
Default Domain : iteachs.com
Client Ports : 49190
Detail Session Statistics for User:: cisco
----------------------------------
CSTP Statistics::
Rx CSTP Frames : 36 Tx CSTP Frames : 0
Rx CSTP Bytes : 2537 Tx CSTP Bytes : 120
Rx CSTP Data Fr : 34 Tx CSTP Data Fr : 2
Rx CSTP CNTL Fr : 2 Tx CSTP CNTL Fr : 0
Rx CSTP DPD Req : 0 Tx CSTP DPD Req : 0
Rx CSTP DPD Res : 0 Tx CSTP DPD Res : 0
Rx Addr Renew Req : 0 Tx Address Renew : 0
Rx Dropped Frames : 0 Tx Dropped Frame : 0
Rx IP Packets : 2 Tx IP Packets : 34
Rx IP Bytes : 120 Tx IP Bytes : 2249
Rx IP6 Packets : 0 Tx IP6 Packets : 0
Rx IP6 Bytes : 0 Tx IP6 Bytes : 0
CEF Statistics::
Rx CSTP Data Fr : 0 Tx CSTP Data Fr : 0
Rx CSTP Bytes : 0 Tx CSTP Bytes : 0
csr1kv#
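The `show crypto ssl session user ... detail` output above is what an operator would poll to confirm that a live session matches the intended policy (tunnel address from the `sslvpn` pool, the `sslvpn-profile` profile, the `sslvpn-tunnel` split-tunnel ACL, no dropped frames). The output packs two fields per line, so it does not parse with a simple `key: value` split. The script below is an added example, not part of the lab and not Cisco tooling: it flattens the output into a dictionary and checks the session against the configured values. `SAMPLE_DETAIL` is a constructed, trimmed copy of the lab's output; the parser assumes, as this output does, that when two fields share a line the first value is a single token.

```python
"""Parse 'show crypto ssl session user <name> detail' output and check a session
against the configured policy. Added example for this write-up, not Cisco tooling;
SAMPLE_DETAIL is a constructed, trimmed copy of the lab's show output."""
import ipaddress

SAMPLE_DETAIL = """\
Interface : SSLVPN-VIF0
Session Type : Full Tunnel
Client User-Agent : AnyConnect Windows 4.6.03049
Username : cisco Num Connection : 1
Public IP : 192.168.100.100
Profile : sslvpn-profile
Policy : sslvpn-policy
Last-Used : 00:00:00 Created : *08:24:52.328 UTC Thu Dec 6 2018
Session Timeout : 43200 Idle Timeout : 1800
DNS primary : 10.1.1.100 WINS primary : None
Address Pool : sslvpn
Tunnel IP : 172.16.1.1 Netmask : 0.0.0.0
Rx IP Packets : 2 Tx IP Packets : 34
ACL : sslvpn-tunnel
Default Domain : iteachs.com
Detail Session Statistics for User:: cisco
----------------------------------
CSTP Statistics::
Rx Dropped Frames : 0 Tx Dropped Frame : 0
"""


def parse_session(text):
    """Flatten 'Key : Value [Key : Value]' lines into a dict.

    Assumption (holds for this output): when two fields share a line, the first
    value is a single token, so the text between two ' : ' separators splits as
    '<value> <next key>'; multi-word values only appear as the last field of a line.
    """
    fields = {}
    for line in text.splitlines():
        parts = line.split(" : ")
        if len(parts) < 2:
            continue  # section titles ('CSTP Statistics::'), rules, blank lines
        key = parts[0].strip()
        for middle in parts[1:-1]:
            value, _, next_key = middle.strip().partition(" ")
            fields[key] = value
            key = next_key.strip()
        fields[key] = parts[-1].strip()
    return fields


def check_session(fields, pool_start, pool_end, expected_profile, expected_acl):
    """Return alerts where the live session deviates from the intended policy."""
    alerts = []
    tunnel_ip = ipaddress.ip_address(fields.get("Tunnel IP", "0.0.0.0"))
    if not ipaddress.ip_address(pool_start) <= tunnel_ip <= ipaddress.ip_address(pool_end):
        alerts.append(f"tunnel IP {tunnel_ip} outside pool {pool_start}-{pool_end}")
    if fields.get("Profile") != expected_profile:
        alerts.append(f"profile {fields.get('Profile')!r}, expected {expected_profile!r}")
    if fields.get("ACL") != expected_acl:
        alerts.append(f"split-tunnel ACL {fields.get('ACL')!r}, expected {expected_acl!r}")
    if int(fields.get("Rx Dropped Frames", "0")) > 0:
        alerts.append(f"{fields['Rx Dropped Frames']} client frames dropped by the gateway")
    return alerts


if __name__ == "__main__":
    session = parse_session(SAMPLE_DETAIL)
    print(session["Username"], session["Tunnel IP"], session["Created"])
    print(check_session(session, "172.16.1.1", "172.16.1.100", "sslvpn-profile", "sslvpn-tunnel"))
```

On the lab output the checks return no alerts. Feeding the same function a session whose tunnel address lies outside 172.16.1.1-172.16.1.100 or whose ACL is not `sslvpn-tunnel` produces one alert per deviation, which is the kind of signal a monitoring job would forward when the gateway hands out addresses or routes it should not.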
End of lab. Reposting notice.