In addition to Weibo, there is also WeChat
Please pay attention
WeChat public account
Shulou
2025-03-29 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >
Share
Shulou(Shulou.com)06/01 Report--
Nothing to do, use gns3 configuration based on cisco asa ssl link test, cloud-1 link local network, test pass
1. Configuration goal: it is convenient for mobile office users to access the company's internal network and access the ecs server through the internal network.
2. Material: gns3, asa, anyconnect-win, c7200, pc
3. The conventional network structure is as follows:
Description:
1. R1 router is a border router: mainly configured to access the Internet and configure the address mapping outside the firewall.
2. ASA is responsible for terminating ssl requests and providing inside NAT functions.
FortGate is not within the scope of this experiment.
Configuration:
Mainly asa access configuration:
ASA Version 9.9(2)
!
hostname ciscoasa
enable password $sha512$5000$fXJ5sJ0tyZpekqU23FSJqw==$9adIvXwEh4hZgQjRaYxCwg== pbkdf2
names
ip local pool ssluser 172.17.1.10-172.17.1.20 mask 255.255.255.0
!-- Remote user assignment address--!
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.10.10.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
nameif dmz
security-level 60
ip address 172.25.10.1 255.255.255.0
!
...
ftp mode passive
!-- Need to open--!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network local
subnet 192.168.3.0 255.255.255.0
object network nat-addr
host 10.10.10.5
object network NETWORK_OBJ_192.168.3.0_24
subnet 192.168.3.0 255.255.255.0
object network ssl-addr
range 172.16.1.10 172.16.1.20
description ssl user address
object network NETWORK_OBJ_172.17.1.0_27
subnet 172.17.1.0 255.255.255.224
access-list outside_access_in extended permit icmp any any log debugging
access-list outside_access_in extended permit ip any any log debugging
access-list split-acl standard permit 192.168.3.0 255.255.255.0
access-list split-acl standard permit any4
pager lines 23
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (inside,outside) source static NETWORK_OBJ_192.168.3.0_24 NETWORK_OBJ_192.168.3.0_24 destination static NETWORK_OBJ_172.17.1.0_27 NETWORK_OBJ_172.17.1.0_27 no-proxy-arp route-lookup
!
object network local
nat (inside,outside) dynamic nat-addr
object network NETWORK_OBJ_172.17.1.0_27
nat (outside,outside) dynamic 10.10.10.6
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
!-- Local database validation
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=192.168.200.55,CN=ciscoasa
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpool policy
auto-import
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
certificate 2bd75b5c
......
44783f1c a8d4cb06 5222721c 2fee837e 31bf194e 15e1c0fd
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_Launcher_Access_TrustPoint_0
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 outside
web***
enable outside
anyconnect image disk0:/anyconnect-win-4.6.00362-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-dart-win-2.5.3046-k9.pkg 2
anyconnect profiles cccrop_client_profile disk0:/cccrop_client_profile.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
***-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_cccrop internal
!-- Here you can split the route--
!-- This test has no configuration list
group-policy GroupPolicy_cccrop attributes
wins-server none
dns-server value x.x.x.x
***-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list none
default-domain none
web***
anyconnect profiles value cccrop_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username user1 password $shGmZ5Er3G2XtZWUbjqf4g==$fJtspAnifM4BGWpl7xA== pbkdf2
tunnel-group cccrop type remote-access
tunnel-group cccrop general-attributes
address-pool ssluser
default-group-policy GroupPolicy_cccrop
tunnel-group cccrop web***-attributes
group-alias cccrop enable
!
......
!
service-policy global_policy global
Cryptochecksum:e8a82b90a84e0f3125f6ae12ffc3d1fc
: end
Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.
Views: 0
*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.
Continue with the installation of the previous hadoop.First, install zookooper1. Decompress zookoope
"Every 5-10 years, there's a rare product, a really special, very unusual product that's the most un
© 2024 shulou.com SLNews company. All rights reserved.