代码: ASA(config)# show startup-config
: Saved
: Written by enable_15 at 00:14:28.859 UTC Thu Dec 2 1999
!
! Startup configuration of a remote-access VPN head-end (IPsec plus SSL/webvpn)
! that authenticates users against RADIUS and uses split tunneling.
! Review remarks are marked "NOTE(review)".  The listing contains password
! hashes and cleartext shared secrets, so handle it as sensitive material.
!
ASA Version 8.0(2)
!
hostname ASA
! Enable-mode password, shown as the stored hash.
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
! Outside (untrusted, security-level 0) and inside (trusted, security-level 100).
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.67.6.251 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
!
! Ethernet0/2 - Ethernet0/5 are administratively down with no name or address.
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
! Login (telnet/ssh) password, shown as the stored hash.
passwd 2KFQnbNIdI.2KYOU encrypted
boot config disk0:/.private/startup-config
ftp mode passive
! NOTE(review): access-list "10" and access-list "ipsec" are not referenced by
! any other line in this listing; confirm whether they are still needed.
access-list 10 standard permit any
access-list split standard permit 192.168.1.0 255.255.255.0 ;traffic that is sent through the tunnel (split-tunnel list)
access-list ipsec extended permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool _pool 172.16.0.1-172.16.0.254 mask 255.255.255.0 ;address pool handed out to remote clients
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
! Default route via the outside gateway.
route outside 0.0.0.0 0.0.0.0 10.67.6.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
! RADIUS server group used by both tunnel-groups further down.
aaa-server radiusgp protocol radius ;authentication protocol: RADIUS
aaa-server radiusgp (outside) host 10.67.10.4 ;RADIUS server address
! NOTE(review): the RADIUS shared secret is stored in the clear and is the same
! string as the IPsec pre-shared-key under "tunnel-group gp ipsec-attributes";
! one leaked secret then compromises both.  Use distinct, random secrets.
key www.sierraatlantic.com ;RADIUS server key
! NOTE(review): ASDM/HTTPS management is allowed from any source address on the
! outside interface; narrow this to the management networks.
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! NOTE(review): 3DES and MD5 are legacy algorithms (used in both the IPsec
! transform set and the IKE policy); current guidance is AES with SHA-2 and a
! DH group stronger than group 2, where the clients support it.
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac ;encryption and integrity parameters
crypto dynamic-map dynmap 1 set transform-set ESP-3DES-MD5
crypto map map 10 ipsec-isakmp dynamic dynmap
crypto map map interface outside ;apply the crypto map to the outside interface
crypto isakmp enable outside
crypto isakmp policy 10 ;IKE policy
authentication pre-share
encryption 3des
hash md5
group 2
! NOTE(review): an IKE SA lifetime of 800 forces frequent rekeys; confirm this
! is intentional (the platform default is much longer).
lifetime 800
! NOTE(review): NAT traversal is disabled, so IPsec remote-access clients that
! sit behind a NAT device will not be able to bring up the tunnel.
no crypto isakmp nat-traversal
! NOTE(review): telnet and ssh are both open to any source on the outside
! interface.  Telnet carries credentials in cleartext; restrict both to known
! management addresses.
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
! NOTE(review): "console timeout 0" means an idle console session never times out.
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
! NOTE(review): the listing looks garbled from here on - the word "vpn" is
! missing from several commands (this line is presumably "webvpn", and the
! group-policy name is absent below).  Confirm against the device before reuse.
web ;enable webvpn
port 10443
enable outside
svc image disk0:/sslclient-Win-1.1.3.173.pkg 1
svc enable
tunnel-group-list enable ;show the tunnel-group list on the login page
group-policy internal ;define the group policy (name missing from the listing)
group-policy attributes
dns-server value 10.67.6.1
-tunnel-protocol IPSec l2tp-ipsec svc web ;allowed tunnel protocols (presumably "vpn-tunnel-protocol")
! NOTE(review): split tunneling lets the client reach other networks directly
! while connected; only 192.168.1.0/24 (ACL "split") goes through the tunnel.
split-tunnel-policy tunnelspecified ;split-tunnel policy: tunnel only the listed networks
split-tunnel-network-list value split ;split-tunnel list; "split" is the ACL defined above
address-pools value _pool ;address pool
! Local accounts, hashes shown as stored; "admin" holds privilege 15.
username admin password f3UhLvUj1QsXsuK7 encrypted privilege 15
username cisco password 3USUcOPFUiMCO4Jk encrypted
username cisco attributes
! NOTE(review): garbled line - presumably "vpn-group-policy <name>"; the policy name is missing.
-group-policy
tunnel-group DefaultWEBVPNGroup general-attributes ;webvpn tunnel-group attributes
address-pool _pool
authentication-server-group radiusgp ;webvpn authenticates via RADIUS
default-group-policy
tunnel-group DefaultWEBVPNGroup web-attributes
group-alias Default enable
tunnel-group gp type remote-access ;IPsec tunnel-group type: remote-access
tunnel-group gp general-attributes ;IPsec tunnel-group attributes
authentication-server-group (outside) radiusgp ;RADIUS authentication
default-group-policy
tunnel-group gp ipsec-attributes ;tunnel-group IPsec attributes
! NOTE(review): pre-shared key stored in the clear and identical to the RADIUS
! key above; use a separate random secret.
pre-shared-key www.sierraatlantic.com
prompt hostname context
Cryptochecksum:50520ca6ccbd4de9d55ebd6502fac6
ASA(config)#
ASA# show vpn-sessiondb summary
Active Session Summary
Sessions:
Active : Cumulative : Peak Concurrent
SSL VPN : 2 : 5 :
Clientless only : 1 : 3 :
With client : 1 : 2 :
Email Proxy : 0 : 0 :
IPsec LAN-to-LAN : 0 : 0 :
IPsec Remote Access : 0 : 0 :
VPN Load Balancing : 0 : 0 :
Totals : 2 : 5
License Information:
IPsec : 5000 Configured : 5000 Active : 2
0
0
0
0
0 Load : 2
2
0%
SSL VPN : 2500 Configured : 2500 Active : 2 Load : 0%
Total : 7500 Configured : 7500 Active : 2 Load : 0%
Active : Cumulative : Peak Concurrent
IPsec : 0 : 0 : 0
SSL VPN : 2 : 5 : 2
Totals : 2 : 5
Tunnels:
Active : Cumulative : Peak Concurrent
Clientless : 2 : 5 : 2
SSL-Tunnel : 1 : 2 : 2
Totals : 3 : 7
Active NAC Sessions:
No NAC sessions to display
Active VLAN Mapping Sessions:
No VLAN Mapping sessions to display
ASA#