Cisco SSL VPN 配置实例.docx
《Cisco SSL VPN 配置实例.docx》由会员分享,可在线阅读,更多相关《Cisco SSL VPN 配置实例.docx(19页珍藏版)》请在冰点文库上搜索。
CiscoSSLVPN配置实例
CiscoSSLVPN配置实例
注意:
这里的配置是SSLVPN的隧道模式
一、网络拓扑图
二、SSLVPNServer配置
软件版本:
CiscoIOSSoftware,7200Software(C7200-ADVSECURITYK9-M),Version12.4(9)T1,RELEASESOFTWARE(fc2)
VPN客户端软件:
sslclient-win-1.1.2.169.pkg
1、格式化disk0
R1#formatdisk0:
Formatoperationmaytakeawhile.Continue?
[confirm]
Formatoperationwilldestroyalldatain"disk0:
". Continue?
[confirm]
Format:
Drivecommunication&1stSectorWriteOK...
WritingMonlibsectors.
..............................................................................................................................................
Monlibwritecomplete
Format:
Allsystemsectorswritten.OK...
Format:
Totalsectorsinformattedpartition:
8009
Format:
Totalbytesinformattedpartition:
4100608
Format:
Operationcompletedsuccessfully.
Formatofdisk0complete
2、上传软件
R1#copytftpdisk0:
Addressornameofremotehost[]?
192.168.10.100
Sourcefilename[]?
sslclient-win-1.1.2.169.pkg
Destinationfilename[sslclient-win-1.1.2.169.pkg]?
Accessingtftp:
//192.168.10.100/sslclient-win-1.1.2.169.pkg...
Loadingsslclient-win-1.1.2.169.pkgfrom192.168.10.100(viaFastEthernet0/0):
!
!
[OK-415090bytes]
415090bytescopiedin12.892secs(32197bytes/sec)
3、安装client软件
R1(config)#webvpninstallsvcdisk0:
/sslclient-win-1.1.2.169.pkg
SSLVPNPackageSSL-VPN-Client:
installedsuccessfully
4、配置SSLVPN
R1(config)#aaanew-model
R1(config)#aaaauthenticationlogindefaultlocal //为防止控制台超时而造成无法进入Exec
R1(config))#aaaauthenticationloginwebvpnlocal
R1(config)#iplocalpoolssl-add11.1.1.1011.1.1.20
R1(config)#usernameuser1password123 //定义WebVPN本地认证用户名,密码
R1(config))#webvpngatewayvpngateway//定义WebVPN在哪个接口上进行监听,此时IOS会自动产生自签名证书。
R1(config-webvpn-gateway)#ipaddress192.168.10.10port443
R1(config-webvpn-gateway)#inservice //启用webvpngateway配置
R1(config)#webvpncontextwebcontext //定义webvpn的相关配置,相当于ASA的tunnel-group,在这里可以定义
R1(config-webvpn-context)#gatewayvpngateway//将context和gateway相关联
R1(config-webvpn-context)#aaaauthenticationlistwebvpn
R1(config-webvpn-context)#inservice//启用webvpncontext配置
R1(config-webvpn-context)#policygroupsslvpn-policy//进入sslvpn策略组
R1(config-webvpn-group)#functionssvc-enabled
R1(config-webvpn-group)#svcaddress-poolssl-add//分配svc使用的地址池
R1(config-webvpn-group)#svcsplitinclude192.168.20.0255.255.255.0//定义隧道分离的目标地址,如果不配置,则默认为0.0.0.0
R1(config-webvpn-group)#exit
R1(config-webvpn-context)#default-group-policysslvpn-policy //当配置了多个policygroup后,默认使用的策略组
注意:
在IOS中,如果地址池不和内网在一个段,则需创建一个和地址池在同一网段的loopback接口作为vpn客户端的网关。
还可以在context中指定virtual-host,类似于iis中的文件头,允许多个主机映射到同一个IP地址
同时context中还可以设置web登陆框的样式,比如logo,title等
5、完整配置
R1#showrunning-config
Buildingconfiguration...
Currentconfiguration:
3223bytes
!
version12.4
servicetimestampsdebugdatetimemsec
servicetimestampslogdatetimemsec
noservicepassword-encryption
!
hostnameR1
!
boot-start-marker
boot-end-marker
!
!
aaanew-model
!
!
aaaauthenticationlogindefaultlocal
aaaauthenticationloginwebvpnlocal
!
aaasession-idcommon
!
resourcepolicy
!
ipcef
!
!
!
cryptopkitrustpointTP-self-signed-4294967295
enrollmentselfsigned
subject-namecn=IOS-Self-Signed-Certificate-4294967295
revocation-checknone
rsakeypairTP-self-signed-4294967295
!
!
cryptopkicertificatechainTP-self-signed-4294967295
certificateself-signed01
3082023A308201A3A003020102020101300D06092A864886F70D010104050030
31312F302D06035504031326494F532D53656C662D5369676E65642D43657274
696669636174652D34323934393637323935301E170D30383132313531393039
30335A170D3230303130313030303030305A3031312F302D0603550403132649
4F532D53656C662D5369676E65642D43657274696669636174652D3432393439
363732393530819F300D06092A864886F70D010101050003818D003081890281
8100C6F2B499879D1CEB3638BA59B459A72167BBFDD2CD733E3E6FB6
D1347E43
8CC21C65BAC01E285001349771CF8062C54F254CA6DB2D5ACDDB864D
CFF71A50
F3C205661405E49B18CE2DAB469C58E85B4A1FD659DCBCA512A34543
4F6842B6
24B9A7BDCE36E98AA5463EB32D2C5BC0FAA247C1E44DB4554537465F
18895A14
66D10203010001A3623060300F0603551D130101FF040530030101FF300D0603
551D110406300482025231301F0603551D230418301680149F7F1B46F6903BC5
803F4AD72433EBD05813E29D301D0603551D0E041604149F7F1B46F6
903BC580
3F4AD72433EBD05813E29D300D06092A864886F70D01010405000381
81002516
3F75E2AA335441139A9179DBDFED2529DF5A972FC2BFDE0E0279D1F5
8D30CAC7
59BE79C685825281AB2D0B082CA84D0185A4DB198977BC829E59F764
ADE75E22
9A7FF37A9D83819A2287BE75773FAA32D38DD3C22C0DF23F7D45D7A3
E8006C1A
6B9E0540124832416EEAA0FFB31240F394044BCB75210037FEF5AD15F49B
quit
usernameuser1password0123
!
!
!
!
!
!
interfaceLoopback0
ipaddress11.1.1.1255.255.255.0
!
interfaceFastEthernet0/0
ipaddress192.168.10.10255.255.255.0
duplexhalf
!
interfaceSerial1/0
ipaddress10.1.1.1255.255.255.0
serialrestart-delay0
!
interfaceSerial1/1
noipaddress
shutdown
serialrestart-delay0
!
interfaceSerial1/2
noipaddress
shutdown
serialrestart-delay0
!
interfaceSerial1/3
noipaddress
shutdown
serialrestart-delay0
!
routerrip
version2
network10.0.0.0
network11.0.0.0
network192.168.10.0
noauto-summary
!
iplocalpoolssl-add11.1.1.1011.1.1.20
noiphttpserver
noiphttpsecure-server
!
!
!
loggingalarminformational
!
!
!
!
!
control-plane
!
!
linecon0
exec-timeout00
stopbits1
lineaux0
stopbits1
linevty04
!
!
webvpngatewayvpngateway
ipaddress192.168.10.10port443
ssltrustpointTP-self-signed-4294967295
inservice
!
webvpninstallsvcdisk0:
/webvpn/svc.pkg
!
webvpncontextwebcontext
sslauthenticateverifyall
!
!
policygroupsslvpn-policy
functionssvc-enabled
svcaddress-pool"ssl-add"
svcsplitinclude192.168.20.0255.255.255.0
default-group-policysslvpn-policy
aaaauthenticationlistwebvpn
gatewayvpngatewaydomainsshvpn
inservice
!
!
end
R2#showrunning-config
Buildingconfiguration...
Currentconfiguration:
973bytes
!
version12.4
servicetimestampsdebugdatetimemsec
servicetimestampslogdatetimemsec
noservicepassword-encryption
!
hostnameR2
!
boot-start-marker
boot-end-marker
!
!
noaaanew-model
!
resourcepolicy
!
ipcef
!
!
!
!
!
!
interfaceLoopback1
ipaddress22.1.1.1255.255.255.0
!
interfaceFastEthernet0/0
ipaddress192.168.20.10255.255.255.0
duplexhalf
!
interfaceSerial1/0
ipaddress10.1.1.2255.255.255.252
serialrestart-delay0
!
interfaceSerial1/1
noipaddress
shutdown
serialrestart-delay0
!
interfaceSerial1/2
noipaddress
shutdown
serialrestart-delay0
!
interfaceSerial1/3
noipaddress
shutdown
serialrestart-delay0
!
routerrip
version2
network10.0.0.0
network22.0.0.0
network192.168.20.0
noauto-summary
!
noiphttpserver
noiphttpsecure-server
!
!
!
loggingalarminformational
!
!
!
!
!
control-plane
!
!
linecon0
exec-timeout00
stopbits1
lineaux0
stopbits1
linevty04
!
!
end
三、客户端配置
在浏览器中输入https:
//192.168.10.10/访问WebVPN,这时会弹出提示信息,点击“确定”
需要安装证书,点击“是”,这里第一个感叹号是因为这个证书只路由器自签发的,没有经过验证,而第二个感叹号是因为配置WebVPN时应该注意证书颁发后的证书的有效期,往往颁发证书时的有有效期限时间会比当前时间晚一二天
这时会弹出网页,输入用户和密码,点击login
这时会自动安装SSLVPNClient软件
需要点击允许安装ACTIVE控件,会弹出安装界面,点击安装
正在进行SSLVPNClient
点击安装证书
安装证书之后,这样VPN连接就建立起来,在屏幕的右下部会显示出黄色的小钥匙的标志
四、验证配置
在客户端上可以查看VPN的状态。
可以查看VPN隧道的分离子网。
使用ipconfig命令可以查看到获得的地址。
查看路由表,可以看到一条指向192.168.20.0的路由条目
升级会员 