2022-10-09
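SSL configuration based on GNS3 (GNS3 configuration commands)
Having some free time, I used GNS3 to configure an SSL connection test based on Cisco ASA. cloud-1 connects to the local network, and the test passed.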
ASA Version 9.9(2)
!
hostname ciscoasa
enable password $sha512$5000$fXJ5sJ0tyZpekqU23FSJqw==$9adIvXwEh3hZgQjRaYxCwg== pbkdf2
names
ip local pool ssluser 172.17.1.10-172.17.1.20 mask 255.255.255.0
!-- address pool assigned to remote users --!
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.10.10.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 nameif dmz
 security-level 60
 ip address 172.25.10.1 255.255.255.0
!
...
ftp mode passive
!-- must be enabled --!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network local
 subnet 192.168.3.0 255.255.255.0
object network nat-addr
 host 10.10.10.5
object network NETWORK_OBJ_192.168.3.0_24
 subnet 192.168.3.0 255.255.255.0
object network ssl-addr
 range 172.16.1.10 172.16.1.20
 description ssl user address
object network NETWORK_OBJ_172.17.1.0_27
 subnet 172.17.1.0 255.255.255.224
access-list outside_access_in extended permit icmp any any log debugging
access-list outside_access_in extended permit ip any any log debugging
access-list split-acl standard permit 192.168.3.0 255.255.255.0
access-list split-acl standard permit any4
pager lines 23
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (inside,outside) source static NETWORK_OBJ_192.168.3.0_24 NETWORK_OBJ_192.168.3.0_24 destination static NETWORK_OBJ_172.17.1.0_27 NETWORK_OBJ_172.17.1.0_27 no-proxy-arp route-lookup
!
object network local
 nat (inside,outside) dynamic nat-addr
object network NETWORK_OBJ_172.17.1.0_27
 nat (outside,outside) dynamic 10.10.10.6
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
!-- authenticate against the local database
aaa authentication console LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=192.168.200.55,CN=ciscoasa
 keypair ASDM_LAUNCHER
 crl configure
crypto ca trustpool policy
 auto-import
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
 certificate 2bd75b5c
    ......
    44783f1c a8d4cb06 5222721c 2fee837e 31bf194e 15e1c0fd
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_Launcher_Access_TrustPoint_0
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.6.00362-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-dart-win-2.5.3046-k9.pkg 2
 anyconnect profiles cccrop_client_profile disk0:/cccrop_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_cccrop internal
!-- split-tunnel routes can be configured here
!-- no list was configured in this test
group-policy GroupPolicy_cccrop attributes
 wins-server none
 dns-server value x.x.x.x
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list none
 default-domain none
 webvpn
  anyconnect profiles value cccrop_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username user1 password $shGmZ5Er3G2XtZWUbjqf4g==$fJtspAnifM4BGWpl7xA== pbkdf2
tunnel-group cccrop type remote-access
tunnel-group cccrop general-attributes
 address-pool ssluser
 default-group-policy GroupPolicy_cccrop
tunnel-group cccrop webvpn-attributes
 group-alias cccrop enable
!
......
!
service-policy global_policy global
Cryptochecksum:e8a82b90a84e0f3125f6ae12ffc3d1fc
: end
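A lab config like this tends to get copied into production, so it helps to surface its legacy crypto and open-access lines automatically. The following is an added example, not part of the original post: a small Python auditor whose rule list is an assumption of this example (not a Cisco tool), run over a constructed excerpt of lines taken from the config above.

```python
import re

# Constructed excerpt: lines taken from the running-config above, sub-commands indented.
SAMPLE = """\
access-list outside_access_in extended permit ip any any log debugging
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
ssh 0.0.0.0 0.0.0.0 outside
ssh version 2
ssh key-exchange group dh-group1-sha1
"""

# (rule id, regex matched against "parent > child" context, why it matters)
RULES = [
    ("acl-any-any", r"^access-list \S+ extended permit ip any any", "ACL permits all IP traffic"),
    ("esp-md5", r"^crypto ipsec ikev2 ipsec-proposal \S+ > protocol esp integrity .*\bmd5\b", "MD5 offered for ESP integrity"),
    ("ike-weak-dh", r"^crypto ikev2 policy \d+ > group .*\b(1|2|5)\b", "IKEv2 offers DH group 1, 2 or 5"),
    ("ike-sha1", r"^crypto ikev2 policy \d+ > (integrity|prf) sha$", "IKEv2 integrity/PRF is SHA-1"),
    ("ssh-dh1", r"^ssh key-exchange group dh-group1-sha1", "SSH key exchange uses 1024-bit DH group 1"),
    ("mgmt-any", r"^(ssh|http|telnet) 0\.0\.0\.0 0\.0\.0\.0 outside", "management reachable from any address on outside"),
]

def audit(config: str):
    """Return (line_no, rule_id, text) for each weak setting found."""
    findings, parent = [], ""
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue  # skip blanks and '!' separator/comment lines
        if raw[0] != " ":   # top-level command starts a new context
            parent, ctx = line, line
        else:               # sub-mode command: qualify it with its parent
            ctx = f"{parent} > {line.strip()}"
        for rule_id, pattern, _why in RULES:
            if re.search(pattern, ctx):
                findings.append((no, rule_id, line.strip()))
    return findings

if __name__ == "__main__":
    why = {r[0]: r[2] for r in RULES}
    for no, rule_id, text in audit(SAMPLE):
        print(f"line {no}: [{rule_id}] {why[rule_id]}: {text}")
```

Sub-commands are matched together with their parent line, so `integrity sha` is only flagged inside a `crypto ikev2 policy` block.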