6.1 IKEv2 CLI: Configuring AnyConnect 3.0 to ASA
Source: Internet. Editor: 程序博客网. Time: 2024/06/15 16:42
---------------------------------------------------
    .1          .10 .10          .1 .1       .10
win7-------Internet-------Center-ASA-------Inside
  202.100.1.0/24 61.128.1.0/24     10.1.1.0/24
---------------------------------------------------
Win7
IP:   202.100.1.1
Mask: 255.255.255.0
GW:   202.100.1.10
c:/windows/system32/drivers/etc/hosts
Add an A record (host entry) to the hosts file so the client resolves the ASA's certificate FQDN:
61.128.1.1 Center-ASA.mingjiao.org
hostname Internet
interface FastEthernet 0/0
ip address 202.100.1.10 255.255.255.0
no shutdown
interface FastEthernet 1/0
ip address 61.128.1.10 255.255.255.0
no shutdown
hostname Center-ASA
interface GigabitEthernet 1
nameif Outside
security-level 0
ip address 61.128.1.1 255.255.255.0
no shutdown
interface GigabitEthernet 2
nameif Inside
security-level 100
ip address 10.1.1.1 255.255.255.0
no shutdown
route Outside 0.0.0.0 0.0.0.0 61.128.1.10
hostname Inside
interface FastEthernet 2/0
ip address 10.1.1.10 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 10.1.1.1
--------------------------------------------------
Configure NTP (time synchronization is very important: certificate validity periods are checked against the device clock)
On Internet:
clock timezone GMT +8
clock set 11:54:00 14 oct 2016
ntp master
On Center-ASA:
clock timezone GMT +8
ntp server 61.128.1.10
---------------------------------------------------
Configure the certificate server (CA) on Internet. Note that grant auto issues a certificate to every enrollment request without operator review; it is convenient for this lab but not appropriate for a production CA.
ip http server
ip domain name mingjiao.org
crypto pki server CA
database level complete
issuer-name cn=Internet.mingjiao.org,ou=mingjiao
grant auto
no shutdown
---------------------------------------------------
ASA:
Configure the trustpoint on Center-ASA
1. Configure the trustpoint
domain-name mingjiao.org
crypto key generate rsa label Center-ASA.mingjiao.org modulus 1024
crypto ca trustpoint CA
enrollment url http://61.128.1.10:80
fqdn Center-ASA.mingjiao.org
subject-name cn=Center-ASA.mingjiao.org,ou=mingjiao
keypair Center-ASA.mingjiao.org
2. Authenticate the certificate server and obtain its root certificate:
crypto ca authenticate CA
3. Request the identity certificate:
crypto ca enroll CA
Have SSL use the certificate issued by trustpoint CA:
ssl trust-point CA
View the AnyConnect profile
Center-ASA#more flash:/CCIE-Profile.xml
The profile can be generated with ASDM or the AnyConnect Profile Editor.
Configure WebVPN
webvpn
enable Outside
anyconnect image disk0:/anyconnect-win-3.0.0629-k9.pkg 1
anyconnect profiles CCIE-Profile disk0:/CCIE-Profile.xml
anyconnect enable
Configure the address pool
ip local pool CCIE-Pool 123.1.1.100-123.1.1.200
Configure the group policy
group-policy CCIE-Policy internal
group-policy CCIE-Policy attributes
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
address-pools value CCIE-Pool
webvpn
anyconnect profiles value CCIE-Profile type user
Create the user and bind it to the group policy
username CCIEuser password cisco
username CCIEuser attributes
vpn-group-policy CCIE-Policy
Configure IKEv2
crypto ikev2 enable Outside client-services port 443
crypto ikev2 remote-access trustpoint CA
crypto ikev2 policy 10
! IKE SA parameters for policy 10
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal CCIE-IKEv2-Proposal
! child SA (ESP) transforms for the proposal
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto dynamic-map CCIE-Dynamp 100 set ikev2 ipsec-proposal CCIE-IKEv2-Proposal
crypto map CCIE-Map 1000 ipsec-isakmp dynamic CCIE-Dynamp
crypto map CCIE-Map interface Outside
--------------------------------------------------
show webvpn
First download AnyConnect 3.0 from the ASA's SSL (clientless) portal in a browser, then use AnyConnect 3.0 to connect to the WebVPN service over IPsec (IKEv2).
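Before this configuration is pushed to the device, it can be checked for dangling cross-references, such as a crypto map that names a dynamic-map which was never defined (an easy slip when the two names are typed separately), and for the 1024-bit RSA key, which is below current key-size guidance. The following Python lint is an added example, not part of the original post or of any Cisco tool; it runs over a constructed, reduced copy of the page's ASA config.

```python
import re
# Constructed sample reduced from the page's ASA config; a dynamic-map name mismatch is kept on purpose.
SAMPLE_CONFIG = """\
crypto key generate rsa label Center-ASA.mingjiao.org modulus 1024
crypto ca trustpoint CA
ssl trust-point CA
webvpn
 anyconnect profiles CCIE-Profile disk0:/CCIE-Profile.xml
ip local pool CCIE-Pool 123.1.1.100-123.1.1.200
group-policy CCIE-Policy attributes
 address-pools value CCIE-Pool
 webvpn
  anyconnect profiles value CCIE-Profile type user
crypto ikev2 remote-access trustpoint CA
crypto ipsec ikev2 ipsec-proposal CCIE-IKEv2-Proposal
crypto dynamic-map CCIE-Dynamp 100 set ikev2 ipsec-proposal CCIE-IKEv2-Proposal
crypto map CCIE-Map 1000 ipsec-isakmp dynamic CCIE-Dymap
"""

# Object kind -> (regex that defines a name, regex that references a name).
KINDS = {
    "trustpoint":  (r"^crypto ca trustpoint (\S+)",
                    r"^(?:ssl trust-point|crypto ikev2 remote-access trustpoint) (\S+)"),
    "dynamic-map": (r"^crypto dynamic-map (\S+) \d+",
                    r"^crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)"),
    "proposal":    (r"^crypto ipsec ikev2 ipsec-proposal (\S+)",
                    r" set ikev2 ipsec-proposal (\S+)"),
    "pool":        (r"^ip local pool (\S+)",
                    r"^\s*address-pools value (\S+)"),
    "profile":     (r"^\s*anyconnect profiles (?!value )(\S+) \S+$",
                    r"^\s*anyconnect profiles value (\S+)"),
}
MIN_RSA_BITS = 2048  # 1024-bit RSA, as used on the page, is below current guidance

def lint_asa_config(text):
    """Return findings: dangling object references and weak RSA key sizes."""
    defined = {kind: set() for kind in KINDS}
    refs, findings = [], []
    for line in text.splitlines():
        for kind, (def_pat, ref_pat) in KINDS.items():
            if m := re.search(def_pat, line):
                defined[kind].add(m.group(1))
            if m := re.search(ref_pat, line):
                refs.append((kind, m.group(1)))
        if (m := re.match(r"crypto key generate rsa .*modulus (\d+)", line)) and int(m.group(1)) < MIN_RSA_BITS:
            findings.append(f"rsa modulus {m.group(1)} is below {MIN_RSA_BITS}")
    # A reference is acceptable only if a definition of that kind and name exists somewhere.
    for kind, name in refs:
        if name not in defined[kind]:
            findings.append(f"{kind} '{name}' is referenced but never defined")
    return findings
```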
--------------------------------------------