转到正文

天亮了说晚安's Blog

欢迎您的光临! http://www.tllswa.com

存档

分类: 防火墙

本文转自:https://blog.swineson.me/dynamic-routing-and-nat-rules-for-anyconnect-server-on-cisco-asa/ 从ASA的设计来看,AnyConnect隧道不像是一个传统的Point-to-Point或Site-to-Site VPN隧道,而更像是一个IPSec Transform规则。每个客户端建立起隧道以后,ASA会为其动态生成一条路由,该路由具有如下特征: 类型为静态(STATIC)CIDR为/32接口为用户连入流量的来源接口,例如用户从公网访问则为outsite网关地址为接口对应的网关 动态路由协议 ASA和另一台路由器之间有一个BGP会话,现在想让另一台路由器能访问ASA上的AnyConnect客户端。那么有两种实现方法: 为每一个客户端宣告一条路由 这样很简单,BGP重分发静态路由即可。但是经过实验,ASA对动态生成的静态路由的重分发并不是十分靠谱:延迟严重,有的时候甚至根本不向BGP邻居推送更新消息。所以不是很建议使用这种方法。 至于大量/32条目污染路由表的问题,可以用auto-summary来解决。 预先宣告整个AnyConnect IP池 创建一条metric为254的静态路由,然后加入BGP的宣告列表即可。(注意ASA的metric 255等效于blackhole) 1234route outside 192.168.1.1 255.255.255.0 8.8.8.8......Read More

本文转自:https://blog.51cto.com/hujizhou/1854608 ASA 8.3 以后,NAT 算是发生了很大的改变,之前也看过8.4 的ASA,改变的还有×××,加入了Ikev2 。MPF 方法加入了新的东西,QOS 和策略都加强了,这算是Cisco 把CCSP 的课程改为CCNP Security 的改革吧! 拓扑图就是上面的,基本配置都是一样,地址每个路由器上一条默认路由指向ASA。  基本通信没问题,关于8.3 以后推出了两个概念,一个是network object 它可以代表一个主机或者子网的访问。另外一个是service object,代表服务。 1、地址池的形式的NAT 配置 老版本代表一个12.1.1.0 的地址池转换成200.200.200.3-200.200.200.254 一对一的转换 nat (inside) 1 12.1.1.0 255.255.255.0global (outside) 1 200.200.200.3-200.200.200.254 新版本(Network object NAT) ciscoasa(config)# object network insideciscoasa(config-network-object)# subnet 12.1.1.0 255.255.255.0ciscoasa(config-network-object)# exitciscoasa(config)# object network outside-poolciscoasa(config-network-object)# range 200.200.200.3 200.200.200.254ciscoasa(config-network-object)......Read More

本文转自:http://blog.sina.com.cn/s/blog_a70750300101h5s0.html 拓扑 :这个拓扑比较的简单这里不需要解释: pix1的完整配置: interface Ethernet0 description LAN Failover Interface!interface Ethernet1 nameif inside security-level 100 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2!interface Ethernet2 nameif outside security-level 0 ip address 192.168.2.1 255.255.255.0 standby 192.168.2.2!interface Ethernet3 description STATE Failover Interface failover lan unit primaryfailover lan interface wangjie Ethernet0failover key 123 failover link state Ethernet3failover interface ip wangjie 192.168.100.1 255.255.255.0 standby 192.168.100.2failover interface ip state 192.168.200.1 255.255.255.0 standby 192.168.200.2 failover lan enablefailover pix2的配置: failover lan unit secondaryfailover lan interface wangjie Ethernet0failover key 123 failover link state Ethernet3failover interface ip wangjie 192.168.100.1 255.2......Read More

本文转自:https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/webvpn-troubleshooting.html Chapter: Clientless SSL VPN Troubleshooting Chapter Contents Recover from Hosts File Errors When Using Application AccessWebVPN Conditional DebuggingCapture DataProtect Clientless SSL VPN Session Cookies Recover from Hosts File Errors When Using Application Access To prevent hosts file errors that can interfere with Application Access, close the Application Access window properly when you finish using Application Access. To do so, click the close icon. When Application Access terminates abnormally, the hosts file remains in a Clientless SSL VPN-customized state. Clientless SSL VPN checks the state the next time you start Application Access by searching for a hosts.webvpn file. If it finds one, a Backup HOSTS File Found error message appears, and Application Access is temporarily switched off. If Application Acces......Read More

本文转自:https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/webvpn-customizing.html Chapter: Customizing Clientless SSL VPN Chapter Contents Clientless SSL VPN End User SetupCustomize Bookmark Help Clientless SSL VPN End User Setup This section is for the system administrator who sets up Clientless SSL VPN for end users. It describes how to customize the end-user interface and summarizes configuration requirements and tasks for a remote system. It specifies information to communicate to users to get them started using Clientless SSL VPN. Define the End User InterfaceCustomize Clientless SSL VPN PagesInformation About CustomizationExport a Customization TemplateEdit the Customization TemplateImport a Customization ObjectApply Customizations to Connection Profiles, Group Policies, and UsersLogin Screen Advanced CustomizationModify Your HTML File Define the End User Interface The Clientless SSL VPN end user interface c......Read More

本文转自:https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/webvpn-mobile-devices.html Chapter: Clientless SSL VPN with Mobile Devices Chapter Contents Use Clientless SSL VPN with Mobile Devices Use Clientless SSL VPN with Mobile Devices You can access Clientless SSL VPN from your Pocket PC or other certified mobile device. Neither the ASA administrator nor the Clientless SSL VPN user need do anything special to use Clientless SSL VPN with a certified mobile device. Cisco has certified the following mobile device platforms: HP iPaq H4150Pocket PC 2003Windows CE 4.20.0, build 14053Pocket Internet Explorer (PIE)ROM version 1.10.03ENGROM Date: 7/16/2004 Some differences in the mobile device version of Clientless SSL VPN exist: A banner Web page replaces the popup Clientless SSL VPN window.An icon bar replaces the standard Clientless SSL VPN floating toolbar. This bar displays the Go, Home and Logout buttons.The Show......Read More

本文转自:https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/webvpn-configure-users.html Chapter: Clientless SSL VPN Users Chapter Contents Manage PasswordsUse Single Sign-On with Clientless SSL VPNUsername and Password RequirementsCommunicate Security TipsConfigure Remote Systems to Use Clientless SSL VPN Features Manage Passwords Optionally, you can configure the ASA to warn end users when their passwords are about to expire. The ASA supports password management for the RADIUS and LDAP protocols. It supports the “password-expire-in-days” option for LDAP only. You can configure password management for IPsec remote access and SSL VPN tunnel-groups. When you configure password management, the ASA notifies the remote user at login that the user’s current password is about to expire or has expired. The ASA then offers the user the opportunity to change the password. If the current password has not yet expired, the us......Read More

本文转自:https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/webvpn-remote-user-guide.html Chapter: Clientless SSL VPN Remote Users Chapter Contents This chapter summarizes configuration requirements and tasks for the user remote system. It also helps users get started with Clientless SSL VPN. It includes the following sections: NoteMake sure that the ASA has been configured for Clientless SSL VPN. Clientless SSL VPN Remote UsersUsernames and PasswordsCommunicate Security TipsConfigure Remote Systems to Use Clientless SSL VPN FeaturesCapture Clientless SSL VPN Data Clientless SSL VPN Remote Users This chapter summarizes configuration requirements and tasks for the user remote system. It also helps users get started with Clientless SSL VPN. It includes the following sections: NoteMake sure that the ASA has been configured for Clientless SSL VPN. Usernames and Passwords Depending on your network, during a remote ......Read More

本文转自:https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/webvpn-configure-policy-groups.html Chapter: Policy Groups Chapter Contents Create and Apply Clientless SSL VPN Policies for Accessing ResourcesConnection Profile Attributes for Clientless SSL VPNGroup Policy and User Attributes for Clientless SSL VPNSmart Tunnel AccessClientless SSL VPN Capture ToolConfigure Portal Access RulesOptimize Clientless SSL VPN Performance Create and Apply Clientless SSL VPN Policies for Accessing Resources Creating and applying policies for Clientless SSL VPN that govern access to resources at an internal server requires you to assign group policies. Assigning users to group policies simplifies the configuration by letting you apply policies to many users. You can use an internal authentication server on the ASA or an external RADIUS or LDAP server to assign users to group policies. See Chapter 4, “Connection Profiles, Group Policies......Read More

本文转自:https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/webvpn-configure-resources.html Chapter: Advanced Clientless SSL VPN Configuration Chapter Contents Microsoft Kerberos Constrained Delegation SolutionConfigure Application Profile Customization FrameworkEncodingUse Email over Clientless SSL VPN Microsoft Kerberos Constrained Delegation Solution Many organizations want to authenticate their Clientless VPN users and extend their authentication credentials seamlessly to web-based resources using authentication methods beyond what the ASA SSO feature can offer today. With the growing demand to authenticate remote access users with smart cards and One-time Passwords (OTPs), the SSO feature falls short in meeting that demand, because it forwards only conventional user credentials, such as static username and password, to clientless web-based resources when authentication is required. For example, neither certificate- n......Read More

备案信息