Shulou(Shulou.com)06/01 Report--

one。 Overview:

The initial http access port of ACS4.x is 2002, and the subsequent ports will change randomly from 1024 to 65535 by default. There is no problem in accessing the ACS4.x in the outside area from the inside area of the ASA. However, if you access the ACS4.x in the inside area from the outside area of the ASA, it will cause problems and it is impossible to release all the TCP1024~65535 ports.

two。 Basic ideas:

a. Limit the range of ACS4.x dynamic ports

-it is worth noting that the dynamic port of ASC4.x varies according to each session. If you set the change access to only one value, for example, 2003 / 2003, only one session connection ACS4.x can be managed at the same time.

b. Configure for https access (optional)

-at first, it was thought that the port would not be dynamic after the configuration of https. The actual test found that the initial port used by https is also 2002, but the later port will change randomly.

three。 Configuration method:

a. Limit the range of ACS4.x dynamic ports

-Administration Control- > Access Policy- > HTTP Port Allocation, set the changed port range, assuming that the setting range is 2003-2004.

b. Configure for https access (optional)

Reference link: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/sau.html#wp327487

There are many ways to configure a certificate for HTTPS. You can apply to CA or create a self-signed certificate. I tested a self-signed certificate:

① generates a self-signed certificate

-System Configuration-> ACS Certificate Setup-> Generate Self-Signed Certifcate

② restarts ACS according to the prompt

③ modifies the access policy and sets it to https access

-Administration Control- > Access Policy- > Secure Socket Layer Setup check: Use HTTPS Transport for Administration Access

c. Firewall release policy

-according to the previous dynamic port range setting, and the initial port 2002, you only need to release TCP 2002 2004, which allows two users to manage ACS4.x at the same time.

① Topology:

202.100.1.0/24 10.1.1.0/24

PC1 (.8)-Outside- (.1) ASA842 (.1)-Inside- (.100) ACS4.x

② Firewall ASA842 configuration:

1. Private network PAT is released from the public network:

Object network Inside_net

Subnet 10.1.1.0 255.255.255.0

Nat (inside,outside) dynamic interface

two。 Map port range:

Object network Inside_ACS_Host

Host 10.1.1.100

Object service ACS_Ports

Service tcp destination range 2002 2004

Nat (Outside,Inside) source static any any destination static interface Inside_ACS_Host service ACS_Ports ACS_Ports

3. Configure the policy:

Policy-map global_policy

Class inspection_default

Inspect icmp

Access-list Outside extended permit tcp host 202.100.1.8 object Inside_ACS_Host range 2002 2004

Access-group Outside in interface Outside

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.