中文字幕av专区_日韩电影在线播放_精品国产精品久久一区免费式_av在线免费观看网站

溫馨提示×

溫馨提示×

您好,登錄后才能下訂單哦!

密碼登錄×
登錄注冊×
其他方式登錄
點擊 登錄注冊 即表示同意《億速云用戶服務條款》

基于GNS3的ssl配置

發布時間:2020-07-18 19:40:53 來源:網絡 閱讀:457 作者:Cisco712 欄目:安全技術

閑來無事,利用gns3配置了基于cisco asa的ssl鏈接測試,cloud-1鏈接本地網絡,測試通過

1、配置目標:便于移動辦公用戶接入公司內部網絡,通過內部網絡訪問ecs服務器
2、材料:gns3、asa、anyconnect-win、c7200、pc
3、常規網絡結構如下:
基于GNS3的ssl配置
說明:
1、r1路由器為邊界路由器:主要配置為接入互聯網和配置防火墻outside的地址映射
2、asa負責ssl的請求終結,提供inside端的nat功能
3、fortGate不在本次實驗范圍之內
配置:
主要是asa的接入配置:

ASA Version 9.9(2)
!
hostname ciscoasa
enable password $sha512$5000$fXJ5sJ0tyZpekqU23FSJqw==$9adIvXwEh4hZgQjRaYxCwg== pbkdf2
names

ip local pool ssluser 172.17.1.10-172.17.1.20 mask 255.255.255.0
!-- 遠程用戶分配地址--!
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.10.10.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
nameif dmz
security-level 60
ip address 172.25.10.1 255.255.255.0
!
...
ftp mode passive
!--需要開啟--!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network local
subnet 192.168.3.0 255.255.255.0
object network nat-addr
host 10.10.10.5
object network NETWORK_OBJ_192.168.3.0_24
subnet 192.168.3.0 255.255.255.0
object network ssl-addr
range 172.16.1.10 172.16.1.20
description ssl user address
object network NETWORK_OBJ_172.17.1.0_27
subnet 172.17.1.0 255.255.255.224
access-list outside_access_in extended permit icmp any any log debugging
access-list outside_access_in extended permit ip any any log debugging
access-list split-acl standard permit 192.168.3.0 255.255.255.0
access-list split-acl standard permit any4
pager lines 23
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (inside,outside) source static NETWORK_OBJ_192.168.3.0_24 NETWORK_OBJ_192.168.3.0_24 destination static NETWORK_OBJ_172.17.1.0_27 NETWORK_OBJ_172.17.1.0_27 no-proxy-arp route-lookup
!
object network local
nat (inside,outside) dynamic nat-addr
object network NETWORK_OBJ_172.17.1.0_27
nat (outside,outside) dynamic 10.10.10.6
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
!--本地數據庫驗證
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=192.168.200.55,CN=ciscoasa
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpool policy
auto-import

crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
certificate 2bd75b5c
......
44783f1c a8d4cb06 5222721c 2fee837e 31bf194e 15e1c0fd
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_Launcher_Access_TrustPoint_0
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 outside

web***
enable outside
anyconnect image disk0:/anyconnect-win-4.6.00362-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-dart-win-2.5.3046-k9.pkg 2
anyconnect profiles cccrop_client_profile disk0:/cccrop_client_profile.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
***-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_cccrop internal
!--在此可以split路由--
!--本測試沒有配置list
group-policy GroupPolicy_cccrop attributes
wins-server none
dns-server value x.x.x.x
***-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list none
default-domain none
web***
anyconnect profiles value cccrop_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username user1 password $shGmZ5Er3G2XtZWUbjqf4g==$fJtspAnifM4BGWpl7xA== pbkdf2
tunnel-group cccrop type remote-access
tunnel-group cccrop general-attributes
address-pool ssluser
default-group-policy GroupPolicy_cccrop
tunnel-group cccrop web***-attributes
group-alias cccrop enable
!
......
!
service-policy global_policy global

Cryptochecksum:e8a82b90a84e0f3125f6ae12ffc3d1fc
: end

向AI問一下細節

免責聲明:本站發布的內容(圖片、視頻和文字)以原創、轉載和分享為主,文章觀點不代表本網站立場,如果涉及侵權請聯系站長郵箱:is@yisu.com進行舉報,并提供相關證據,一經查實,將立刻刪除涉嫌侵權內容。

AI

皮山县| 千阳县| 临澧县| 沭阳县| 楚雄市| 凤城市| 邳州市| 平潭县| 哈巴河县| 桂林市| 樟树市| 达尔| 甘泉县| 尚义县| 桃源县| 张北县| 北碚区| 理塘县| 广安市| 克拉玛依市| 平谷区| 阿拉善左旗| 海丰县| 青州市| 长葛市| 雷州市| 六盘水市| 百色市| 原平市| 黄骅市| 六安市| 自治县| 嘉峪关市| 疏勒县| 阿勒泰市| 灵宝市| 大丰市| 西宁市| 扶绥县| 呼和浩特市| 铁岭市|