Cisco 2821 WebVPN CSD test, shared

Posted 2007-12-31 07:59:34


Building configuration...
Current configuration : 18090 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
!
hostname ROUTE01
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable password ROUTE
!
aaa new-model
!
!
aaa authentication login default local
##################################### generate a certificate ##
crypto pki trustpoint WEBVPN
enrollment selfsigned
subject-name CN=WEBVPN OU=cookbooks O=oreilly
revocation-check crl
rsakeypair WEBVPN 1024
!
!
crypto pki certificate chain WEBVPN
certificate self-signed 01
  quit
username test privilege 15 view root secret 5 $1$R5hB$/Ov8NvnjYYRC3YT9/33Xu/
username cnq privilege 15 secret 5 $1$ql/A$0JMuxQV8NoeApNNXaDEWN.

interface GigabitEthernet0/0
ip address 192.168.0.1 255.255.255.0
ip nat inside

interface GigabitEthernet0/1
ip address 11.11.11.86 255.255.255.0
ip nat outside
ip local pool ssl-user 192.168.0.160 192.168.0.170
ip route 0.0.0.0 0.0.0.0 11.11.11.1

control-plane
!
line con 0
line aux 0
line vty 0 4
line vty 5 15
!
##################################### create the gateways: specify the IP address and port WebVPN listens on and the cipher suite; I created two gateways here ##
webvpn gateway ROUTE
ip address 11.11.11.86 port 443
ssl encryption 3des-sha1
ssl trustpoint WEBVPN
inservice
!
webvpn gateway test
ip address 11.11.11.86 port 4433
ssl encryption 3des-sha1
ssl trustpoint WEBVPN
inservice
!
##################################### install the SSL VPN client (svc) and CSD packages ##
webvpn install svc flash:/webvpn/svc.pkg
!
webvpn install csd flash:/webvpn/sdesktop.pkg
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
!
##################################### create the contexts and associate them with the gateways, specifying the cipher suite; two contexts here, each tied to its own gateway ##
webvpn context ROUTE
title "ROUTE"
ssl encryption 3des-sha1
ssl trustpoint WEBVPN
ssl authenticate verify all
!
!
policy group ROUTE
   functions svc-enabled
   svc address-pool "ssl-user"
default-group-policy ROUTE
gateway ROUTE
csd enable
inservice
!
!
webvpn context test
title "test"
ssl encryption 3des-sha1
ssl trustpoint WEBVPN
ssl authenticate verify all
!
url-list "printer"
   url-text "printer" url-value "http://192.168.0.254"
!
nbns-list ROUTEftp
   nbns-server 192.168.0.254
!
port-forward "test"
   local-port 2323 remote-server "192.168.0.2" remote-port 23 description "teslnet"
!
policy group test
   url-list "printer"
   port-forward "test"
   nbns-list "ROUTEftp"
   functions file-access
   functions file-browse
   functions file-entry
default-group-policy test
gateway test
inservice
!
!
end

##################################### output of some show commands ##
ROUTE01#show webvpn context
Codes: AS - Admin Status, OS - Operation Status
       VHost - Virtual Host
Context Name        Gateway  Domain/VHost      VRF      AS    OS
------------        -------  ------------      -------  ----  --------
Default_context     n/a      n/a               n/a      down  down
ROUTE              ROUTE   -                 -        up    up  
test                test     -                 -        up    up  
ROUTE01#show webvpn context ROUTE
Admin Status: up
Operation Status: up
CSD Status: Enabled
Certificate authentication type: All attributes (like CRL) are verified
AAA Authentication List not configured
AAA Authentication Domain not configured
Default Group Policy: ROUTE
Associated WebVPN Gateway: ROUTE
Domain Name and Virtual Host not configured
Maximum Users Allowed: 10000 (default)
NAT Address not configured
VRF Name not configured
ROUTE01#show webvpn context test  
Admin Status: up
Operation Status: up
CSD Status: Disabled
Certificate authentication type: All attributes (like CRL) are verified
AAA Authentication List not configured
AAA Authentication Domain not configured
Default Group Policy: test
Associated WebVPN Gateway: test
Domain Name and Virtual Host not configured
Maximum Users Allowed: 10000 (default)
NAT Address not configured
VRF Name not configured
ROUTE01#show webvpn gateway ROUTE
Admin Status: up
Operation Status: up
IP: 11.11.11.86, port: 443
SSL Trustpoint: WEBVPN
ROUTE01#show webvpn gateway test  
Admin Status: up
Operation Status: up
IP: 11.11.11.86, port: 4433
SSL Trustpoint: WEBVPN
ROUTE01#show webvpn gateway
Gateway Name                       Admin  Operation
------------                       -----  ---------
ROUTE                             up     up  
test                               up     up  

ROUTE01#show webvpn install status svc
SSLVPN Package SSL-VPN-Client version installed:
CISCO STC win2k+ 1.0.0
1,1,2,169
Wed 09/13/2006 14:53:38.43 ^D
ROUTE01#show webvpn install status csd
SSLVPN Package Cisco-Secure-Desktop version installed:
CISCO CSD IOS
3,1,1,27
Wed 02/15/2006 12:51:25.57 T
ROUTE01#
ROUTE01#
ROUTE01#
ROUTE01# show ve
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(6)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Wed 22-Feb-06 22:54 by ccai
ROM: System Bootstrap, Version 12.3(8r)T7, RELEASE SOFTWARE (fc1)
ROUTE01 uptime is 3 days, 6 hours, 15 minutes
System returned to ROM by error - a Software forced crash, PC 0x4008D9FC at 09:37:54 GMT Thu May 10 2007
System image file is "flash:c2800nm-adventerprisek9-mz.124-6.T.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Cisco 2821 (revision 53.51) with 237568K/24576K bytes of memory.
Processor board ID FHK0928F0K2
2 Gigabit Ethernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62592K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102

Once the SSL VPN is set up, the original port 443 is taken, so if you still want to use SDM only port 80 is left, with no encryption. There is actually another way: translate port 443 with NAT.
First create a loopback interface, then add a static NAT that maps the loopback's port 443 to some other port on the public address. This is something I learned while using SDM.
interface loopback1
ip address 192.168.2.1 255.255.255.255
ip nat inside source static tcp 192.168.2.1 80 218.20.56.86 4443
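Added example, not part of the original post: a small Python audit that parses a constructed excerpt of the configuration shared above (child lines indented as IOS prints them) and flags the settings a reviewer would question: the self-signed 1024-bit trustpoint, 3des-sha1 on the gateway, `enable password` instead of `enable secret`, and the port-80 static NAT. The function names and severity labels are my own choices.

```python
import re

# Constructed excerpt of the running-config above; not pulled from a live device.
SAMPLE_CONFIG = """\
enable password ROUTE
crypto pki trustpoint WEBVPN
 enrollment selfsigned
 rsakeypair WEBVPN 1024
webvpn gateway ROUTE
 ip address 11.11.11.86 port 443
 ssl encryption 3des-sha1
 inservice
ip nat inside source static tcp 192.168.2.1 80 218.20.56.86 4443
"""

# Substrings that mark legacy cipher suites in 'ssl encryption' lines.
WEAK_CIPHERS = ("3des", "rc4", "des-")

def parse_blocks(config):
    # Group IOS config into (header, [child lines]) using leading-space nesting.
    blocks, current = [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] != " ":
            current = (raw.strip(), [])
            blocks.append(current)
        elif current:
            current[1].append(raw.strip())
    return blocks

def audit_webvpn_config(config):
    # Return (severity, message) findings for the WebVPN-related settings.
    findings = []
    for header, children in parse_blocks(config):
        if header.startswith("enable password "):
            findings.append(("high", "'enable password' used instead of 'enable secret'"))
        elif header.startswith("crypto pki trustpoint "):
            name = header.split()[-1]
            if "enrollment selfsigned" in children:
                findings.append(("medium", f"trustpoint {name}: self-signed cert, clients cannot validate it"))
            for c in children:
                m = re.match(r"rsakeypair \S+ (\d+)$", c)
                if m and int(m.group(1)) < 2048:
                    findings.append(("medium", f"trustpoint {name}: RSA key only {m.group(1)} bits"))
        elif header.startswith("webvpn gateway "):
            name = header.split()[-1]
            for c in children:
                if c.startswith("ssl encryption ") and any(w in c for w in WEAK_CIPHERS):
                    findings.append(("high", f"gateway {name}: weak cipher '{c.split(None, 2)[2]}'"))
        elif re.match(r"ip nat inside source static tcp \S+ 80 \S+ \d+", header):
            findings.append(("high", "plaintext HTTP (port 80) published through static NAT"))
    return findings
```

Run `audit_webvpn_config(SAMPLE_CONFIG)` to see the five findings; the same function can be pointed at a full `show running-config` capture.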