天亮了说晚安's Blog

原文作者: Mansur 原文链接: http://nbma.info/getvpn/ Group Encrypted Transport VPN，思科私有技术用于内网（全局可路由）加密的VPN，不是互联网VPN（peer无法直接路由）目前的场景是用于加密MPLS VPN，因为MPLS本身只是加标签，并没有加密 封装格式 copy原始IP头部，然后内部用ESP加密IP数据报文，不影响QoS 123+———-—+———-+————–+| 原始IP头部 | esp头部 | 加密原始IP报文 |+———–+——–+————–+ 原理 组成员Group Member向密钥服务器Key Server注册，KS上配置策略，产生一个ipsec sa，向同一组的GM推送sa和感兴趣流。组内成员可以实现any-to-any通讯，支持单播和组播 KS：验证组成员，管理安全策略，产生组密钥，分发策略和密钥，并不能加解密数据GM：加密设备，组播参与者，在安全和不安全区域执行路由。GETVPN最好有组播环境，这样KS只向一个组播地址分发即可。GDOI: Group Domain of Interpretation 公有协议，用于KS和GM之间通讯，和其他厂商兼容，UDP848 KSCP: Cooperative Protocol 协......Read More

原文作者: Mansur 原文链接: http://nbma.info/ipsec-pptp-l2tp/ 写的有点乱 动态map和静态map 使用场景：hub固定IP，另一端没有固定IP。适用于思科和其他厂商对接。两端都是思科可以使用EZVPNpeer端直接普通的静态map配置hub端使用动态map 123crypto dynamic-map DY-MAP 10set transform-set TRANScrypto map STATIC-MAP 10000 ipsec-isakmp dynamic DY-MAP ikev2的SVTI 待补充 NAT穿越问题 ike 1-2包同时判断对方是否支持NAT-T3-4包发送NAT-D 第三个包hash自己的源目IP将值发送给B，然后对端收到后用收到的源目IP进行hash，如果不一致则后续5-6等包全都启用udp4500封装。 远程拨号VPN 1，vpdn：pptp, l2tp over ipsec2，EzVPN3，SSL VPN pptp 协商过程：TCP 1723PPP封装内层，外层是GRE，本身并不加密IPSEC只能用来加密IP流量，而PPTP还支持非IP,如IPX等在ASA上需要inspect pptp解决穿越问题 l2tp over ipsec L2TP:UDP1701PPP封装内层，外层是UDP，本身并不加密配合ipsec之后在PPP之外加上esp，对esp内部加密 平常不需要使用以下技术，直接使用GRE over IPSec或者SVTI直接跑动态即可 RRI反向路由注入 多个......Read More

原文作者: Mansur 原文链接: http://nbma.info/cisco-nat-nvi-back/ 困扰已久的路由器映射的回流问题终于解决了。 回流，简单的说就是内网终端通过映射后的公网地址访问内网服务。通常配置的inside-outside模式的nat是无法实现回流的， Cisco的domainless NAT Domainless就是说不再区分inside和outside，只是单纯地做NAT，用一个叫做NAT Virtual Interface的虚拟接口来实现，这样有什么好处呢？说实话，从界面上看不出来，但是从其实现角度，就可以通过路由的方式将带有ip nat enable配置的接口进来的包全部导入这个虚拟接口NVI0中。然后用数据包的源地址和目标地址分别查询SNAT表和DNAT表，根据结果进行NAT操作，随后进入真正的路由查询。 不管方向，不管路由，只要数据包进入了一块带有ip nat enable配置的物理网卡，就会进行NAT匹配以及匹配成功后的操作，不管是SNAT和DNAT都在这里进行。这个实现虽然很豪放，但是却解决了所有问题。 数据包在进入真正的路由查询前，NAT就已经完成了，在路由器看来，NAT操作被藏起来了，就好像数据包本来就是那个样子一样。当然Domainless的NAT也不再和任何其它操作关联，ACL，VPN感兴趣流匹配，policy rou......Read More

本文转自：https://blog.51cto.com/cisco130/1228744 在2块HWIC-4ESW之间,一定要用一根网线连接起来，否则,VLAN无法使用，切记！ 这次在一台路由器上配备了两块HWIC-4ESW，开始时没有注意，根本没法用这两块以太网交换模块，搞得自己很紧张，以为碰到不良总代，出了O货，后来到官网上查了一下，原来还有这么一说，算是思科的一个小小硬伤吧，为什么不在机框总线里把这个问题处理好，却一定要在外面飞线呢？ 看来思科每次在嘲笑华为时，应该摸下自己的脸是否有点红了。 思科官方的文档：Configuring StackingStacking is the connection of two switch modules resident in the same chassis so that they behave as a single switch. When a chassis is populated with two switch modules, the user must configure both of them to operate in stacked mode. This is done by selecting one port from each switch module and configuring it to be a stacking partner. The user must then connect with a cable the stacking partners from each switch module to physically stack the switch modules. Any one port in a switch module can be d......Read More

本文转自：https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/webvpn-troubleshooting.html Chapter: Clientless SSL VPN Troubleshooting Chapter Contents Recover from Hosts File Errors When Using Application AccessWebVPN Conditional DebuggingCapture DataProtect Clientless SSL VPN Session Cookies Recover from Hosts File Errors When Using Application Access To prevent hosts file errors that can interfere with Application Access, close the Application Access window properly when you finish using Application Access. To do so, click the close icon. When Application Access terminates abnormally, the hosts file remains in a Clientless SSL VPN-customized state. Clientless SSL VPN checks the state the next time you start Application Access by searching for a hosts.webvpn file. If it finds one, a Backup HOSTS File Found error message appears, and Application Access is temporarily switched off. If Application Acces......Read More

本文转自：https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/webvpn-customizing.html Chapter: Customizing Clientless SSL VPN Chapter Contents Clientless SSL VPN End User SetupCustomize Bookmark Help Clientless SSL VPN End User Setup This section is for the system administrator who sets up Clientless SSL VPN for end users. It describes how to customize the end-user interface and summarizes configuration requirements and tasks for a remote system. It specifies information to communicate to users to get them started using Clientless SSL VPN. Define the End User InterfaceCustomize Clientless SSL VPN PagesInformation About CustomizationExport a Customization TemplateEdit the Customization TemplateImport a Customization ObjectApply Customizations to Connection Profiles, Group Policies, and UsersLogin Screen Advanced CustomizationModify Your HTML File Define the End User Interface The Clientless SSL VPN end user interface c......Read More

本文转自：https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/webvpn-mobile-devices.html Chapter: Clientless SSL VPN with Mobile Devices Chapter Contents Use Clientless SSL VPN with Mobile Devices Use Clientless SSL VPN with Mobile Devices You can access Clientless SSL VPN from your Pocket PC or other certified mobile device. Neither the ASA administrator nor the Clientless SSL VPN user need do anything special to use Clientless SSL VPN with a certified mobile device. Cisco has certified the following mobile device platforms: HP iPaq H4150Pocket PC 2003Windows CE 4.20.0, build 14053Pocket Internet Explorer (PIE)ROM version 1.10.03ENGROM Date: 7/16/2004 Some differences in the mobile device version of Clientless SSL VPN exist: A banner Web page replaces the popup Clientless SSL VPN window.An icon bar replaces the standard Clientless SSL VPN floating toolbar. This bar displays the Go, Home and Logout buttons.The Show......Read More

本文转自：https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/webvpn-configure-users.html Chapter: Clientless SSL VPN Users Chapter Contents Manage PasswordsUse Single Sign-On with Clientless SSL VPNUsername and Password RequirementsCommunicate Security TipsConfigure Remote Systems to Use Clientless SSL VPN Features Manage Passwords Optionally, you can configure the ASA to warn end users when their passwords are about to expire. The ASA supports password management for the RADIUS and LDAP protocols. It supports the “password-expire-in-days” option for LDAP only. You can configure password management for IPsec remote access and SSL VPN tunnel-groups. When you configure password management, the ASA notifies the remote user at login that the user’s current password is about to expire or has expired. The ASA then offers the user the opportunity to change the password. If the current password has not yet expired, the us......Read More

本文转自：https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/webvpn-remote-user-guide.html Chapter: Clientless SSL VPN Remote Users Chapter Contents This chapter summarizes configuration requirements and tasks for the user remote system. It also helps users get started with Clientless SSL VPN. It includes the following sections: NoteMake sure that the ASA has been configured for Clientless SSL VPN. Clientless SSL VPN Remote UsersUsernames and PasswordsCommunicate Security TipsConfigure Remote Systems to Use Clientless SSL VPN FeaturesCapture Clientless SSL VPN Data Clientless SSL VPN Remote Users This chapter summarizes configuration requirements and tasks for the user remote system. It also helps users get started with Clientless SSL VPN. It includes the following sections: NoteMake sure that the ASA has been configured for Clientless SSL VPN. Usernames and Passwords Depending on your network, during a remote ......Read More