基于GNS3的ssl配置

闲来无事,利用gns3配置了基于cisco asa的ssl链接测试,cloud-1链接本地网络,测试通过

1、配置目标:便于移动办公用户接入公司内部网络,通过内部网络访问ecs服务器
2、材料:gns3、asa、anyconnect-win、c7200、pc
3、常规网络结构如下:

说明:
1、r1路由器为边界路由器:主要配置为接入互联网和配置防火墙outside的地址映射
2、asa负责ssl的请求终结,提供inside端的nat功能
3、fortGate不在本次实验范围之内
配置:
主要是asa的接入配置:

ASA Version 9.9(2)
!
hostname ciscoasa
enable password $sha512$5000$fXJ5sJ0tyZpekqU23FSJqw==$9adIvXwEh3hZgQjRaYxCwg== pbkdf2
names

ip local pool ssluser 172.17.1.10-172.17.1.20 mask 255.255.255.0
!-- 远程用户分配地址--!
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.10.10.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
nameif dmz
security-level 60
ip address 172.25.10.1 255.255.255.0
!
...
ftp mode passive
!--需要开启--!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network local
subnet 192.168.3.0 255.255.255.0
object network nat-addr
host 10.10.10.5
object network NETWORK_OBJ_192.168.3.0_24
subnet 192.168.3.0 255.255.255.0
object network ssl-addr
range 172.16.1.10 172.16.1.20
description ssl user address
object network NETWORK_OBJ_172.17.1.0_27
subnet 172.17.1.0 255.255.255.224
access-list outside_access_in extended permit icmp any any log debugging
access-list outside_access_in extended permit ip any any log debugging
access-list split-acl standard permit 192.168.3.0 255.255.255.0
access-list split-acl standard permit any4
pager lines 23
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (inside,outside) source static NETWORK_OBJ_192.168.3.0_24 NETWORK_OBJ_192.168.3.0_24 destination static NETWORK_OBJ_172.17.1.0_27 NETWORK_OBJ_172.17.1.0_27 no-proxy-arp route-lookup
!
object network local
nat (inside,outside) dynamic nat-addr
object network NETWORK_OBJ_172.17.1.0_27
nat (outside,outside) dynamic 10.10.10.6
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
!--本地数据库验证
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=192.168.200.55,CN=ciscoasa
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpool policy
auto-import

crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
certificate 2bd75b5c
......
44783f1c a8d4cb06 5222721c 2fee837e 31bf194e 15e1c0fd
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_Launcher_Access_TrustPoint_0
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 outside

web***
enable outside
anyconnect image disk0:/anyconnect-win-4.6.00362-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-dart-win-2.5.3046-k9.pkg 2
anyconnect profiles cccrop_client_profile disk0:/cccrop_client_profile.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
***-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_cccrop internal
!--在此可以split路由--
!--本测试没有配置list
group-policy GroupPolicy_cccrop attributes
wins-server none
dns-server value x.x.x.x
***-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list none
default-domain none
web***
anyconnect profiles value cccrop_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username user1 password $shGmZ5Er3G2XtZWUbjqf4g==$fJtspAnifM4BGWpl7xA== pbkdf2
tunnel-group cccrop type remote-access
tunnel-group cccrop general-attributes
address-pool ssluser
default-group-policy GroupPolicy_cccrop
tunnel-group cccrop web***-attributes
group-alias cccrop enable
!
......
!
service-policy global_policy global

Cryptochecksum:e8a82b90a84e0f3125f6ae12ffc3d1fc
: end

原文地址:http://blog.51cto.com/hzg2011/2350821

时间: 2024-09-30 21:11:19

基于GNS3的ssl配置的相关文章

小菜鸟学习SPRING BOOT -- ssl配置

菜鸟新来,大神勿喷,些许醍醐,感激涕零.因为 我总是装幽默,是因为我想让自己快乐. ssl协议位于tcp/ip协议与各种应用协议之间,为数据通信提供安全支持. ssl协议分为两层: ssl记录协议,它建立在可靠传输协议之上,为高层协议提供数据封装.压缩.加密等基本功能支持. ssl握手协议,它建立在ssl记录协议之上,用于实际数据传输开始前,通信双方进行身份认证.协商加密算法.交换加密密钥等 基于B/S的web应用,是通过https来实现ssl的.https是http的安全版,即在http下加入

gitlab haproxy ssl 配置

现在网上的gitlab都是基于nginx代理gitlabsocket的访问方式   配置基于nginx的https无需多说,配置只基于haproxy的https    后端选择代理   gitlab的Unicorn 需要修改的配置有  /home/git/gitlab/config/unicorn.rb /home/git/gitlab/config/gitlab.config 此处host修改为  FQDN  也就是你的ip或者address port修改为 443 https 修改为true

Tomcat SSL配置及Tomcat CA证书安装

Tomcat既可以作为独立的Servlet容器,也可以作为其他HTTP服务器附加的Servlet容器.如果Tomcat在非独立模式下工作, 通常不必配置SSL,由它从属的HTTP服务器来实现和客户的SSL通信.Tomcat和HTTP服务器之间的通信无须采用加密机制,HTTP服务器将解 密后的数据传给Tomcat,并把Tomcat发来的数据加密后传给客户. 如果Tomcat作为独立的Java Web服务器,则可以根据安全需要,为Tomcat配置SSL,它包含以下两个步骤: (1) 准备安全证书.

SSL 通信原理及Tomcat SSL 配置

SSL 通信原理及Tomcat SSL 双向配置 目录1 参考资料 .................................................................................................................................. 12 SSL(Server Socket Layer)简介 .......................................................

基于GNS3思科路由器实现的静态路由

实验拓扑: 实验说明:R1和R2之间的网段为24位的12.1.1.0直连网段,若没有配置路由协议,R1和R2之间的环回接口是不能相互ping通的,本实验是基于GNS3思科模拟路由器部署静态路由(两种配置方法)实现环回接口间的互通.实验步骤:1. 为各路由器配置IP地址,并保证其直连的连通性:在R1配置IP地址:在R2配置IP地址:在R1上验证两台路由器的连通性(保证前提两台路由器直连是连通的):2. 在R1和R2上分别部署静态路由(两种配置方法):在R1上配置的静态路由为下一跳的IP地址:在R2

基于GNS3的ASA 5520虚拟防火墙功能测试

目的:测试基于GNS3的ASA 8.4(2)的部分功能配置:1 内网客户端访问外网;2 外网访问内网服务器;3 Lan-to-Lan IPSEC ×××; ####################################################################################实验拓扑: ##################################################################################

基于VirtualBox 安装和配置Fuel OpenStack(V6.1)

1.环境准备 准备一台内存较大的主机,12G以上 下载安装VirtualBox及其匹配的扩展包 virtualbox: http://download.virtualbox.org/virtualbox/4.3.28/VirtualBox-4.3.28-100309-Win.exe 扩展包(extension):(扩展包的版本与virtualbox要一致) http://download.virtualbox.org/virtualbox/4.3.28/Oracle_VM_VirtualBox_

基于注解的bean配置

基于注解的bean配置,主要是进行applicationContext.xml配置.DAO层类注解.Service层类注解. 1.在applicationContext.xml文件中配置信息如下 <!--定义服务层代码存放的包扫描路径--> <context:component-scan base-package="org.mainstudio.com.service,org.mainstudio.com.dao" /> 其中base-package包括了要进行

Struts2基于注解的Action配置

使用注解来配置Action的最大优点就是能够实现零配置,可是事务都是有利有弊的.使用方便.维护起来就没那么方便了. 要使用注解方式,我们必须加入一个额外包:struts2-convention-plugin-2.x.x.jar. 虽说是零配置的,但struts.xml还是少不了的,配置例如以下: <? xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE struts PUBLIC "-//Apa