天亮了说晚安's Blog

本文转自：https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/vpn-site2site.html Chapter: LAN-to-LAN IPsec VPNs Chapter Contents A LAN-to-LAN VPN connects networks in different geographic locations. You can create LAN-to-LAN IPsec connections with Cisco peers and with third-party peers that comply with all relevant standards. These peers can have any mix of inside and outside addresses using IPv4 and IPv6 addressing. This chapter describes how to build a LAN-to-LAN VPN connection. Summary of the ConfigurationConfigure Site-to-Site VPN in Multi-Context ModeConfigure InterfacesConfigure ISAKMP Policy and Enable ISAKMP on the Outside InterfaceCreate an IKEv1 Transform SetCreate an IKEv2 ProposalConfigure an ACLDefine a Tunnel GroupCreate a Crypto Map and Applying It To an Interface Summary of the Configuration This section provides a summary of the example LAN-to-LAN configuration this chapter describes. Later sections p......Read More

本文转自：https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/vpn-remote-access.html Chapter: Remote Access IPsec VPNs Chapter Contents About Remote Access IPsec VPNsLicensing Requirements for Remote Access IPsec VPNs for 3.1Restrictions for IPsec VPNConfigure Remote Access IPsec VPNsConfiguration Examples for Remote Access IPsec VPNsConfiguration Examples for Standards-Based IPSec IKEv2 Remote Access VPN in Multiple-Context ModeConfiguration Examples for AnyConnect IPSec IKEv2 Remote Access VPN in Multiple-Context ModeFeature History for Remote Access VPNs About Remote Access IPsec VPNs Remote access VPNs allow users to connect to a central site through a secure connection over a TCP/IP network. The Internet Security Association and Key Management Protocol, also called IKE, is the negotiation protocol that lets the IPsec client on the remote PC and the ASA agree on how to build an IPsec Security Association. Each ISAKMP negot......Read More

本文转自：https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/vpn-addresses.html Chapter: IP Addresses for VPNs Chapter Contents Configure an IP Address Assignment PolicyConfigure Local IP Address PoolsConfigure AAA AddressingConfigure DHCP Addressing Configure an IP Address Assignment Policy The ASA can use one or more of the following methods for assigning IP addresses to remote access clients. If you configure more than one address assignment method, the ASA searches each of the options until it finds an IP address. By default, all methods are enabled. aaa Retrieves addresses from an external authentication, authorization, and accounting server on a per-user basis. If you are using an authentication server that has IP addresses configured, we recommend using this method. This method is available for IPv4 and IPv6 assignment policies.dhcp Obtains IP addresses from a DHCP server. If you want to use DHCP, you must......Read More

本文转自：https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/vpn-groups.html Chapter: Connection Profiles, Group Policies, and Users Chapter Contents This chapter describes how to configure VPN connection profiles (formerly called “tunnel groups”), group policies, and users. This chapter includes the following sections. Overview of Connection Profiles, Group Policies, and UsersConnection ProfilesConfigure Connection ProfilesGroup PoliciesUse of a Zone Labs Integrity ServerConfigure User Attributes Overview of Connection Profiles, Group Policies, and Users Groups and users are core concepts in managing the security of virtual private networks (VPNs) and in configuring the ASA. They specify attributes that determine user access to and use of the VPN. A group is a collection of users treated as a single entity. Users get their attributes from group policies. A connection profile identifies......Read More

本文转自：https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/vpn-params.html Chapter: General VPN Parameters Chapter Contents The ASA implementation of virtual private networking includes useful features that do not fit neatly into categories. This chapter describes some of these features. Guidelines and LimitationsConfigure IPsec to Bypass ACLsPermitting Intra-Interface Traffic (Hairpinning)Setting Maximum Active IPsec or SSL VPN SessionsUse Client Update to Ensure Acceptable IPsec Client Revision LevelsImplement NAT-Assigned IP to Public IP ConnectionConfigure VPN Session LimitsUsing an Identify Certificate When NegotiatingConfigure the Pool of Cryptographic CoresConfigure Dynamic Split TunnelingViewing Active VPN SessionsAbout ISE Policy EnforcementConfigure Advanced SSL SettingsPersistent IPsec Tunneled Flows Guidelines and Limitations This section includes the guidelines and limitations for this feature. Context Mo......Read More

本文转自：https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/vpn-ha.html Chapter: High Availability Options Chapter Contents High Availability OptionsVPN Load Balancing High Availability Options Load balancing and Failover are high-availability features that function differently and have different requirements. In some circumstances you may use multiple capabilities in your deployment. The following sections describe these features. Refer to the appropriate release of the ASA General Operations CLI Configuration Guide for details on Failover. Load Balancing details are included here. VPN Load BalancingFailover VPN Load Balancing VPN load balancing is a mechanism for equitably distributing remote-access VPN traffic among the devices in a VPN load-balancing group. It is based on simple distribution of traffic without taking into account throughput or other factors. A VPN load-balancing group consists of ......Read More

本文转自：https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/vpn-l2tp-ipsec.html Chapter: L2TP over IPsec Chapter Contents This chapter describes how to configure L2TP over IPsec/IKEv1 on the ASA. About L2TP over IPsec/IKEv1 VPNLicensing Requirements for L2TP over IPsecPrerequisites for Configuring L2TP over IPsecGuidelines and LimitationsConfiguring L2TP over Eclipse with CLIFeature History for L2TP over IPsec About L2TP over IPsec/IKEv1 VPN Layer 2 Tunneling Protocol (L2TP) is a VPN tunneling protocol that allows remote clients to use the public IP network to securely communicate with private corporate network servers. L2TP uses PPP over UDP (port 1701) to tunnel the data. L2TP protocol is based on the client/server model. The function is divided between the L2TP Network Server (LNS), and the L2TP Access Concentrator (LAC). The LNS typically runs on a network gateway such as a router, while the LAC can be a dial-up Ne......Read More

本文转自：https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/vpn-ike.html Chapter: IPsec and ISAKMP Chapter Contents About Tunneling, IPsec, and ISAKMPLicensing for IPsec VPNsGuidelines for IPsec VPNsConfigure IPsec About Tunneling, IPsec, and ISAKMP This topic describes the Internet Protocol Security (IPsec) and the Internet Security Association and Key Management Protocol (ISAKMP) standards used to build Virtual Private Networks (VPNs). Tunneling makes it possible to use a public TCP/IP network, such as the Internet, to create secure connections between remote users and a private corporate network. Each secure connection is called a tunnel. The ASA uses the ISAKMP and IPsec tunneling standards to build and manage tunnels. ISAKMP and IPsec accomplish the following: Negotiate tunnel parametersEstablish tunnelsAuthenticate users and dataManage security keysEncrypt and decrypt dataManage data transfer across the tunnel......Read More

本文转自：https://blog.csdn.net/u010531676/article/details/79733901 能找到这里，都是用Cisco VPN ，然后出现442错误吧。     说下我的情况，我这里本来是解决了一次，能连回公司，但昨天升到Win 10 1709时，开机看到提示说Cisco VPN不安全还是怎样，然后VPN服务被移除了。然后在控制面板修复了Cisco VPN，连接时就出现442。     先贴下可能帮你解决问题的链接：     1.https://supportforums.cisco.com/t5/vpn/reason-442-failed-to-enable-virtual-adapter-windows-7-64-bit/td-p/1782751     2.https://blog.csdn.net/gotomic/article/details/8113536     第三个是解决我的问题的原始链接，注册表的问题：Solved     解决步骤：         1.打开注册表中心 （Win + R , 输入regeidt );         2.在注册表中定位到 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CVirtA，双击右边”DisplayName”,将”Cisco Systems VPN Adapter for 64-bit Windows&......Read More

本文转自：http://blog.sina.com.cn/s/blog_8acd55360101jm4q.html 一般的QoS配置不外乎四个步骤： 1，设置ACL匹配应用流量； 2，设置class-map匹配相应ACL或者相应端口等等，不过一般式匹配ACL； 3，设置policy-map匹配class-map，然后定一规则动作； 4，将policy-map绑定到相应的接口上。 下面使用一个比较典型的案例来说明QoS的配置步骤： 需求：路径带宽为622Mbps，四种应用流量，需要保证如下几点： 流量1，某一具体应用流量，永远优先传输，最小带宽保证为365Mbps； 流量2，某一具体应用流量，次优先传输，最小带宽保证为200Mbps； 流量3，此为业务流量，保证在1和2后的其余带宽下传输即可； 流量4，某一具体应用流量，保证在123流量外的带宽下传输即可。 具体配置如下： 第一步，定义ACL匹配应用流量： ip access-list extended tra1_acl permit tcp 1.1.1.0 0.0.0.255 1.1.2.0 0.0.0.255 eq 8818 ip access-list extended tra2_acl permit tcp 1.1.3.0 0.0.0.255 1.1.4.0 0.0.0.255 eq 901 ip access-list extended tra4_acl permit ip 1.1.5.0 0.0.0.255 1.1.6.0 0.0.0.255 第二步，定义class-map匹配相关ACL： class-map match-all tra1_cmap m......Read More