转到正文

天亮了说晚安's Blog

欢迎您的光临! http://www.tllswa.com

存档

分类: 防火墙

本文转自:https://www.petenetlive.com/KB/Article/0000943 Problem Also See Cisco ASA5500 AnyConnect SSL VPN This procedure was done on Cisco ASA version 8.4, so it uses all the newer NAT commands. I’m also going to use self signed certificates so you will see this error when you attempt to connect. Solution 1. The first job is to go get the AnyConnect client package, (download it from Cisco with a current support agreement). Then copy it into the firewall via TFTP. If you are unsure how to do that see the following article. Install and Use a TFTP Server Petes-ASA(config)# copy tftp flash Address or name of remote host [10.254.254.183]? 192.168.80.1 Source filename []?anyconnect-win-3.1.05152-k9 Destination filename [anyconnect-win-3.1.05152-k9]? {Enter} Accessing tftp://192.168.80.1/anyconnect-win-3.1.05152-k9...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!......Read More

本文转自:https://www.petenetlive.com/KB/Article/0001152 Problem When I first started doing Cisco remote VPNs, we had Server 2000/2003 and I used to use RADIUS with IAS. Then Microsoft brought out 2008/2012 and RADIUS via NAP. Because I fear and loath change I swapped to using Kerberos VPN Authentication for a while. I had to put in an ASA5512-X this weekend and the client wanted to allow AnyConnect to a particular Domain Security Group “VPN-Users”, so I thought I would use LDAP for a change. The process is to setup AAA for LDAP, then create an ‘Attribute map’ for the domain group, and then map that group to a particular ASA Tunnel Group/ASA Group Policy. Though to be honest if you have multiple groups and want to assign different levels of access (i.e. different ACLs etc.) then using a blend of LDAP and Cisco Dynamic Access Policies (DAP) is a lot simpler. I’ll post both options, and you can take your pick Solution Firstly you need to cre......Read More

本文转自:https://www.petenetlive.com/KB/Article/0001175 Problem I always forget the syntax for this, and I’ve been meaning to publish this for a while so here you go. If you have AAA setup and people can’t log in, then the ability to test authentication against a user’s username and password is a good troubleshooting step! Usually I’m on a Cisco ASA but I’ll tag on the syntax for IOS as well. Solution Cisco ASA Test AAA Authentication From Command Line You will need to know the server group and the server you are going to query, below the ASA is using LDAP, but the process is the same for RADIUS, Kerberos, TACACS+, etc. Petes-ASA# show run | begin aaa aaa-server TEST-LDAP-SERVER protocol ldap aaa-server TEST-LDAP-SERVER (inside) host 192.168.110.10 ldap-base-dn dc=TEST,dc=net ldap-scope subtree ldap-naming-attribute sAMAccountName ldap-login-password ***** ldap-login-dn cn=asa,OU=Users,OU=Test-Corp,dc=TEST,dc=net server-type auto-detect To te......Read More

本文转自: https://blog.51cto.com/yiding/1680043 结合自己在实际配置中遇到的问题,或不清楚的地方做了补充和说明。 很多公司通过ASA防火墙实现VPN用户远程访问公司内网,但默认情况下需要为每个用户分配一个VPN账号。而企业内部人员都有自己的域账号,如果能使用域账号访问VPN,这样会大大改善用户体验。以下我们通过LDAP实现ASA与AD域的集中认证。LDAP(Lightweight Directory Access Protocol),轻量级目录访问协议。它是目录访问协议一个标准,基于X.500 标准且可以根据需要定制。LDAP 目录中可以存储各种类型的数据:电子邮件地址、邮件路由信息、人力资源数据、公用密匙、联系人列表等等。在企业范围内实现LDAP 可以让几乎所有应用程序从LDAP 目录中获取信息。下面结合一个网络拓扑来看下是如何实现的公司内部域sr.com,192.168.1.0/24ASA5520集防火墙、VPN网关为一体,外部用户需要远程访问需求:远程用户可以使用域用户访问VPN 实现过程:Step1:在ASA上添加LDAP认证类型的aaa-serveraaa-server sr.com protocol ldap //指定防火墙与AD中使用的协议max-failed-attempts 2aaa-server sr.com (inside) host 192.168.1.80 //指定AAA服务器地址ldap-b......Read More

本文转自: https://ccie.lol/knowledge-base/l2tpv3/ 1、L2TP 协议之前的版本: L2TPv1 是思科私有协议,当时叫做 L2F;L2TPv2 是为远程访问设计的,只支持 PPP。 2、什么是 L2TP: L2TP(Layer 2 Tunneling Protocol)是一种工业标准的 Internet 隧道协议,功能大致和 PPTP 协议类似,比如同样可以对网络数据流进行加密。不过也有不同之处,比如 PPTP 要求网络为 IP 网络,L2TP 要求面向数据包的点对点连接;PPTP 使用单一隧道,L2TP 使用多隧道;L2TP 提供包头压缩、隧道验证,而 PPTP 不支持。 简而言之,L2TPv3 是 L2VPN 基于 IP 网络的解决方案。L2TPv3的前身是 Cisco 的私有协议 —— 通用传输协议(UTI)。 其他相关文章: 如果您想通过 MPLS 来实现 L2VPN,请看:《L2VPN传统结构》和《【实验】MPLS L2VPN下,Point-to-Point的AToM实验》。 3、L2TP 的会话: L2TPv3 的会话 如上图所示,L2TP 为两个 CE 提供 L2VPN 服务,此时有一条 L2TP 控制会话和一条 L2TP 数据会话; 如下图所示,如果 PE 要向多个 CE 提供 L2VPN 服务,那么 L2TP 数据会话将会有多条,但这个时候 L2TP 控制会话还是只有一条。 L2TPv3 为多个用户......Read More

clientless mode,无客户端模式,不需要安装客户端。仅支持的协议是http/https/ftp/cifs(共享文件),可以扩展,扩展需要有Java plugin技术 在ASA上的配置: ciscoasa(config)# webvpn ciscoasa(config-webvpn)# enable outside ciscoasa(config-webvpn)# username webuser password cisco 在server上的配置: Server(config)#ip http server Server(config)#ip http authentication local Server(config)#username sslvpn privilege 15 password cisco Read More

备案信息