2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Recently I used EVE-NG to build an SSL VPN experiment. Before that I had had no contact with VPNs, so the experiment took three days to study. The topology diagram of the experiment follows.
The experiment setup:
1. Cisco ASA 9.4 is used as the SSL VPN server; its outside address is 192.168.83.254.
2. Host ISE_VPN is used for authentication and authorization of the dial-in accounts, IP address 172.16.100.20; it is connected to the EVE-NG experimental platform through bridging.
3. Router R2 creates two new network segments, L0: 10.133.32.0/24 and L1: 10.133.33.0/24, to simulate the intranet.
4. The two hosts on the outside, Win0210 and Win0310, simulate two Internet users, user01 and user02, respectively.
5. Internet user user01 may only access intranet segment 10.133.32.0/24.
6. Internet user user02 may only access intranet segment 10.133.33.0/24.
Basic settings of network equipment
1. Router R3 only configures IP addresses on its three interfaces; no routing is configured.
interface Ethernet0/0
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/1
 ip address 192.168.83.1 255.255.255.0
!
interface Ethernet0/2
 ip address 192.168.3.1 255.255.255.0
2. Win0210 and Win0310 are given IP addresses, with the gateway of each pointing to the IP of the R3 interface it is connected to.
3. Router R2 configures interface IPs and also a default route (towards the ASA inside interface).
interface Loopback0
 ip address 10.133.32.1 255.255.255.0
!
interface Loopback1
 ip address 10.133.33.1 255.255.255.0
!
interface Ethernet0/0
 ip address 172.16.100.254 255.255.255.0
!
interface Ethernet0/1
 ip address 172.16.2.254 255.255.255.0
!
interface Ethernet0/3
 ip address 10.133.83.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.133.83.254
4. Basic Cisco ASA settings
# set the IP address pool from which VPN users get their addresses
ip local pool ISE_POOL 10.133.83.32-10.133.83.64 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.133.83.254 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 192.168.83.254 255.255.255.0
!
# set routing
route outside 0.0.0.0 0.0.0.0 192.168.83.1 1
route inside 10.133.32.0 255.255.252.0 10.133.83.1 1
route inside 10.133.33.0 255.255.255.0 10.133.83.1 1
route inside 172.16.2.0 255.255.255.0 10.133.83.1 1
route inside 172.16.100.0 255.255.255.0 10.133.83.1 1
# set AAA server attributes (RADIUS to ISE, with change-of-authorization and dACL merging enabled)
aaa-server ISE protocol radius
 interim-accounting-update periodic 3
 merge-dacl before-avpair
 dynamic-authorization
# set AAA server IP address (the summary above lists the ISE host as 172.16.100.20; one of the two values is presumably a typo)
aaa-server ISE (inside) host 172.16.100.200
 key *
user-identity default-domain LOCAL
# enable HTTP (ASDM) access; note that "0.0.0.0 0.0.0.0 outside" permits management from any Internet address and is acceptable only in this isolated lab
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.133.32.0 255.255.252.0 inside
ssh stricthostkeycheck
ssh 172.16.100.0 255.255.255.0 inside
# enable WebVPN (AnyConnect SSL VPN)
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.2.05015-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
 error-recovery disable
group-policy ISE_VPN internal
group-policy ISE_VPN attributes
 dns-server value 172.16.200.1
 vpn-tunnel-protocol ssl-client
dynamic-access-policy-record DfltAccessPolicy
username admin password QCP00FvqVQRpzCZ/ encrypted privilege 15
# tunnel-group settings
tunnel-group ISE_AAA type remote-access
tunnel-group ISE_AAA general-attributes
 address-pool ISE_POOL
 authentication-server-group ISE
 accounting-server-group ISE
 default-group-policy ISE_VPN
# publish the tunnel group on the outside interface address
tunnel-group ISE_AAA webvpn-attributes
 group-alias ISE_AAA enable
 group-url https://192.168.83.254 enable
5. Cisco ISE settings
5.1 add the ASA as a network device (its IP address)
5.2 add two users and put them in different groups
5.3 add two downloadable ACLs (dACLs), one per group
5.4 add two authorization profiles, each calling one of the new dACLs
5.5 add an authentication policy
5.6 add two authorization policies, one per user group, each assigning its authorization profile
6. After the above, test with the user01 account
The user01 account logged in successfully
The ISE authentication record is as follows
The record on the ASA
The IP address acquired by host Win0210 after a successful login
Pinging the addresses of the two intranet segments: the 10.133.32.0/24 address answers, because user01 has permission to access 10.133.32.0/24, while the 10.133.33.0/24 address does not answer, because user01 has no permission to access 10.133.33.0/24.
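The ping results just described can be reproduced offline. The following Python script is an added example, not part of the original article or of the ASA/ISE configuration: it models the two per-group dACLs of step 5.3 (their contents are assumed, since the page does not show them; a permit for the allowed /24 followed by an explicit deny is the natural choice) in the ASA dACL syntax ISE pushes down, evaluates them the way the ASA does (first match wins, implicit deny), and checks a client address from ISE_POOL (assumed 10.133.83.33 for user01 and 10.133.83.34 for user02) against the two R2 loopbacks and the ISE host.

```python
import ipaddress

# Constructed dACL text for the two ISE authorization profiles. The article
# does not show the actual ACL contents; these are assumed, written in the
# ASA dACL syntax ISE pushes down (source "any" stands for the VPN client).
DACLS = {
    "user01": "permit ip any 10.133.32.0 255.255.255.0\ndeny ip any any\n",
    "user02": "permit ip any 10.133.33.0 255.255.255.0\ndeny ip any any\n",
}


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if not tokens:
        raise ValueError("missing address in dACL line")
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        if len(tokens) < 2:
            raise ValueError("missing host address in dACL line")
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if len(tokens) < 2:
        raise ValueError("missing netmask in dACL line")
    # ipaddress accepts dotted netmasks, e.g. 10.133.32.0/255.255.255.0
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_dacl(text):
    """Parse dACL lines of the form '<permit|deny> ip <src> <dst>'.

    Returns a list of (permit, src_net, dst_net) tuples in the original order,
    which matters because ACL evaluation is first-match."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            raise ValueError(f"unsupported dACL line: {line!r}")
        src, rest = _parse_addr(tokens[2:])
        dst, rest = _parse_addr(rest)
        if rest:
            raise ValueError(f"trailing tokens in dACL line: {line!r}")
        rules.append((tokens[0] == "permit", src, dst))
    return rules


def evaluate(rules, src_ip, dst_ip):
    """ASA ACL semantics: the first matching entry decides; no match means deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for permit, src_net, dst_net in rules:
        if src in src_net and dst in dst_net:
            return permit
    return False


def check_user(user, client_ip, dst_ip):
    """Would a packet from this VPN client to dst_ip pass the user's dACL?"""
    return evaluate(parse_dacl(DACLS[user]), client_ip, dst_ip)


if __name__ == "__main__":
    # Assumed client addresses taken from ISE_POOL (10.133.83.32-10.133.83.64)
    clients = {"user01": "10.133.83.33", "user02": "10.133.83.34"}
    targets = ["10.133.32.1", "10.133.33.1", "172.16.100.20"]
    for user, ip in clients.items():
        for dst in targets:
            verdict = "permit" if check_user(user, ip, dst) else "deny"
            print(f"{user} ({ip}) -> {dst}: {verdict}")
```

Because the deny is explicit and the dACL is evaluated before the group-policy filter (merge-dacl before-avpair in the ASA config above), neither user can reach the ISE host at 172.16.100.20 even though the ASA has an inside route to that subnet; anything a user should reach has to appear in that user's dACL.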