Cisco SSL VPN Configuration Explained

This article covers SSL VPN configuration; please read "Cisco Web VPN Configuration Explained" in this section first.



1. Basic ASA configuration.

ciscoasa(config)# int e0/0
ciscoasa(config-if)# ip add 198.1.1.1 255.255.255.0
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# no shut
ciscoasa(config-if)# exit
!
ciscoasa(config)# int e0/1
ciscoasa(config-if)# ip add 10.10.1.1 255.255.255.0
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# no shut
ciscoasa(config-if)# exit
!
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# enable outside
ciscoasa(config-webvpn)# svc image disk0:/sslclient-win-1.1.2.169.pkg
ciscoasa(config-webvpn)# svc enable
! Enable WebVPN on the outside interface and turn on the SVC (SSL VPN Client) feature
-----------------------------------------

2. SSL VPN preparation.

ciscoasa(config)# ip local pool ssl-user 192.168.10.1-192.168.10.99
! Create the address pool for SSL VPN users
!
ciscoasa(config)# access-list go-vpn permit ip 10.10.1.0 255.255.255.0 192.168.10.0 255.255.255.0
ciscoasa(config)# nat (inside) 0 access-list go-vpn
! Exempt SSL VPN traffic from NAT translation
-----------------------------------------

3. WebVPN tunnel group and group policy

ciscoasa(config)# group-policy mysslvpn-group-policy internal
! Create a group policy named mysslvpn-group-policy
!
ciscoasa(config)# group-policy mysslvpn-group-policy attributes
ciscoasa(config-group-policy)# vpn-tunnel-protocol webvpn
ciscoasa(config-group-policy)# webvpn
ciscoasa(config-group-webvpn)# svc enable
ciscoasa(config-group-webvpn)# exit
ciscoasa(config-group-policy)# exit
ciscoasa(config)#
! Enable SVC in the group policy
!
ciscoasa(config)# username steve6307 password cisco
! Create the user
!
ciscoasa(config)# username steve6307 attributes
ciscoasa(config-username)# vpn-group-policy mysslvpn-group-policy
ciscoasa(config-username)# exit
! Assign the group policy to the user
!
ciscoasa(config)# tunnel-group mysslvpn-group type webvpn
ciscoasa(config)# tunnel-group mysslvpn-group general-attributes
ciscoasa(config-tunnel-general)# address-pool ssl-user
ciscoasa(config-tunnel-general)# exit
! Set the address pool for SSL VPN users
!
ciscoasa(config)# tunnel-group mysslvpn-group webvpn-attributes
ciscoasa(config-tunnel-webvpn)# group-alias group2 enable
ciscoasa(config-tunnel-webvpn)# exit
!
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# tunnel-group-list enable
-----------------------------------------

4. Configure SSL VPN split tunneling (optional).

ciscoasa(config)# access-list split-ssl extended permit ip 10.10.1.0 255.255.255.0 any
! Note: the source is the ASA's inside network address; the destination is always any
!
ciscoasa(config)# group-policy mysslvpn-group-policy attributes
ciscoasa(config-group-policy)# split-tunnel-policy tunnelspecified
ciscoasa(config-group-policy)# split-tunnel-network-list value split-ssl
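As an added example (not part of the original article), the following Python script reads an ASA running-config and checks the two constraints steps 2 and 4 rely on: the nat 0 exemption ACL must cover every address in the SSL VPN pool, and each split-tunnel ACL entry must be "inside network to any". The config excerpt is constructed from this article's values; it assumes ACL destinations are written either as network/mask or as any.

```python
import ipaddress
import re
# Constructed running-config excerpt using this article's values (not a real capture).
SAMPLE_RUN = """\
interface Ethernet0/1
 nameif inside
 ip address 10.10.1.1 255.255.255.0
access-list go-vpn extended permit ip 10.10.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list split-ssl extended permit ip 10.10.1.0 255.255.255.0 any
ip local pool ssl-user 192.168.10.1-192.168.10.99
nat (inside) 0 access-list go-vpn
group-policy mysslvpn-group-policy attributes
 split-tunnel-network-list value split-ssl
"""
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+)(?: (\S+))?$")

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit_sslvpn(config):
    """Return findings for steps 2 and 4 of the article; an empty list means both rules hold."""
    st, acls, findings, section, cur_if = {}, {}, [], "", {}
    for line in config.splitlines():
        s = line.strip()
        if not line.startswith(" "):                    # a top-level command opens a new section
            section, cur_if = line, {}
            if m := ACL_RE.match(line):
                acls.setdefault(m[1], []).append(m.groups()[1:])
            elif line.startswith("ip local pool "):
                st["pool"] = [ipaddress.ip_address(a) for a in line.split()[4].split("-")]
            elif line.startswith("nat (inside) 0 access-list "):
                st["nat0"] = line.split()[-1]
        elif section.startswith("interface"):           # remember the inside interface's network
            if s.startswith("nameif "):
                cur_if["name"] = s.split()[1]
            elif s.startswith("ip address "):
                cur_if["net"] = net(*s.split()[2:4])
            if cur_if.get("name") == "inside" and "net" in cur_if:
                st["inside"] = cur_if["net"]
        elif section.startswith("group-policy") and s.startswith("split-tunnel-network-list value "):
            st["split"] = s.split()[-1]
    pool, nat0 = st.get("pool", []), acls.get(st.get("nat0"), [])  # step 2: nat 0 must cover the pool
    if not pool or not nat0 or not all(d == "any" or all(ip in net(d, dm) for ip in pool)
                                       for _, _, d, dm in nat0):
        findings.append("step 2: nat 0 exemption ACL does not cover the whole SSL VPN address pool")
    for src, smask, dst, _ in acls.get(st.get("split"), []):  # step 4: entries must be inside -> any
        if net(src, smask) != st.get("inside") or dst != "any":
            findings.append(f"step 4: split ACL entry '{src} {smask} {dst}' is not inside network -> any")
    return findings
```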

Test

Enter https://198.1.1.1 in the browser to access the WebVPN.



After logging in, WebVPN launches the SSL Client installer directly.





The SSL VPN is established successfully!



Look at the SVC status information.



Look at the SVC copyright information (a pile of Cisco boilerplate, heh).



Once the SSL connection is established, the ASA automatically creates a route pointing to the client.
------------------------------------------------
ciscoasa(config)# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
        D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
        E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
        i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
        * - candidate default, U - per-user static route, o - ODR
        P - periodic downloaded static route

Gateway of last resort is not set

S     192.168.10.1 255.255.255.255 [1/0] via 198.1.1.2, outside
C     10.10.1.0 255.255.255.0 is directly connected, inside
C     198.1.1.0 255.255.255.0 is directly connected, outside
------------------------------------------------
Note: in this example the external user's address is 198.1.1.2, and the ASA points this static route directly at the external user's public address.
Forgot to include the show run, heh, so here it is as a follow-up!

ciscoasa# show run
: Saved
:
ASA Version 7.2(1)24
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.1.1.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list go-vpn extended permit ip 10.10.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list split-ssl extended permit ip 10.10.1.0 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool ssl-user 192.168.10.1-192.168.10.99
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list go-vpn
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy mysslvpn-group-policy internal
group-policy mysslvpn-group-policy attributes
 vpn-tunnel-protocol webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-ssl
 webvpn
  svc enable
username steve6307 password Dt4qNrv3ojM/D.Cn encrypted
username steve6307 attributes
 vpn-group-policy mysslvpn-group-policy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
tunnel-group mysslvpn-group type webvpn
tunnel-group mysslvpn-group general-attributes
 address-pool ssl-user
tunnel-group mysslvpn-group webvpn-attributes
 group-alias group2 enable
telnet timeout 5
ssh timeout 5
console timeout 0
!
!
webvpn
 enable outside
 svc image disk0:/sslclient-win-1.1.2.169.pkg 1
 svc enable
 tunnel-group-list enable
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end