ASA Configuration Notes (2)

2008-02-23 04:55:53  Source: Internet





tunnel-group-list enable

Note: this can also be configured through the ASDM graphical interface.

After logging in, internal resources can be reached, as in the following example (the client must first install the Java plug-in jre-1_5_0-windows-i586.exe and enable ActiveX in the browser):

1) Open https://sslvpn.test.com.cn and enter the username and password

2) The toolbar appears

3) Enter 192.168.40.8 in "Enter Web Address" to reach the internal web site

4) Enter 192.168.40.8 in "Browse Networks" to reach the shared files

5) Click "Application Access" to see the port-forwarding settings; for example, pointing PuTTY at port 2023 on the local machine gives an SSH login to 192.168.40.8 (the applet listens on the local port and relays it through the SSL session to the address and port defined in the port-forward list on the ASA)


8. Remote-access (dial-in) VPN
The relevant ASA configuration commands are as follows:

access-list inside_access_in extended permit ip object-group remotegroup any
access-list inside_access_in extended permit icmp object-group remotegroup any
access-list remotevpn_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list vpnclient_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
ip local pool dialuserIP 192.168.101.1-192.168.101.254 mask 255.255.255.0
group-policy remotevpn attributes
 dns-server value 202.96.128.68 192.168.40.16
 default-domain value test.com.cn
username jiang password Csmep3VzvPQPCbkx encrypted privilege 15
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
tunnel-group remotevpn type ipsec-ra
tunnel-group remotevpn general-attributes
 address-pool dialuserIP
 default-group-policy remotevpn
tunnel-group remotevpn ipsec-attributes
 pre-shared-key *

Notes on this configuration:
- Only ESP-3DES-SHA is used by the dynamic map; ESP-DES-MD5 and ESP-DES-SHA are defined but unused. DES and MD5 are obsolete, and where the clients support it an AES/SHA transform set (esp-aes-256 with esp-sha-hmac) is preferable to 3DES.
- The two split-tunnel ACLs are defined but not applied: they take effect only once the group-policy references one of them with split-tunnel-policy tunnelspecified and split-tunnel-network-list value <acl>. Without that, the default is tunnelall and every client packet goes through the tunnel.
- The object-group remotegroup used in inside_access_in, and the isakmp policy / isakmp enable outside lines, are defined elsewhere and not shown in these notes.
- pre-shared-key is the group password shared by every client of this tunnel-group; per-user authentication (XAUTH) is done against the local username entry above. That account carries privilege 15, so if local AAA is enabled for management access its password is also a device administrator credential.
- set reverse-route injects a route for each connected client's pool address; set pfs requires a fresh Diffie-Hellman exchange for each IPsec SA.

Client settings are as follows:

9. Log server configuration
logging enable
logging timestamp
logging emblem
logging trap informational
logging asdm warnings
logging host inside 192.168.40.115 format emblem
logging permit-hostdown

vpn-simultaneous-logins 3

Notes:
- logging trap informational forwards messages of severity 0 through 6 to the syslog host; debugging-level (7) messages are never sent, so anything needed at that level has to be kept on the box (logging buffered) or the trap level raised temporarily.
- logging host ... without a tcp/ or udp/ prefix uses UDP 514, which carries the messages unencrypted and unauthenticated, so the syslog host belongs on the trusted inside network, as it is here. logging permit-hostdown only matters for a TCP syslog host: without it the ASA stops permitting new connections when a TCP syslog server becomes unreachable.
- vpn-simultaneous-logins 3 is not a logging command; it is a group-policy attribute (a user may hold at most three concurrent VPN sessions) and belongs under group-policy ... attributes in section 8.
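The messages that logging trap informational sends to 192.168.40.115 are only useful if something reads them. Below is an added example, not part of the original notes and not a Cisco tool: a small Python parser over constructed ASA-style syslog lines. It keys on the %ASA-<severity>-<message-id>: token, so it does not depend on the EMBLEM or timestamp prefix, shows which severities the trap level lets through, and flags repeated AAA rejections (113005) and operator commands (111010). The message IDs are standard ASA IDs; the surrounding text, hostname and addresses are constructed.

```python
"""Parse ASA syslog output as sent to the syslog host by the logging
configuration above and pull out the events an operator watches for.
Added example, not from the original notes or any Cisco tool; the
sample lines are constructed, and only the %ASA-<sev>-<id>: token is
relied on, so the parser works regardless of the EMBLEM/timestamp prefix."""
import re
from collections import Counter, defaultdict

# Constructed sample lines (facility local4 PRI values, ASA-style message text).
SAMPLE_LOG = """\
<166>Feb 23 2008 04:55:01 ASA5510 : %ASA-6-302013: Built inbound TCP connection 1234 for outside:203.0.113.7/51234 (203.0.113.7/51234) to inside:192.168.40.8/22 (192.168.40.8/22)
<166>Feb 23 2008 04:55:03 ASA5510 : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 192.168.40.16 : user = jiang
<166>Feb 23 2008 04:55:04 ASA5510 : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 192.168.40.16 : user = jiang
<166>Feb 23 2008 04:55:05 ASA5510 : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 192.168.40.16 : user = jiang
<166>Feb 23 2008 04:55:06 ASA5510 : %ASA-6-113004: AAA user authentication Successful : server = 192.168.40.16 : user = jiang
<164>Feb 23 2008 04:55:10 ASA5510 : %ASA-4-106023: Deny tcp src outside:203.0.113.9/4444 dst inside:192.168.40.8/445 by access-group "outside_access_in"
<165>Feb 23 2008 04:55:20 ASA5510 : %ASA-5-111010: User 'jiang', running 'CLI' from IP 192.168.40.115, executed 'clear xlate'
<167>Feb 23 2008 04:55:30 ASA5510 : %ASA-7-710005: UDP request discarded from 192.168.40.47/161 to inside:192.168.40.251/162
"""

MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msg_id>\d{6}): (?P<text>.*)$")
USER_RE = re.compile(r"user = (\S+)")
CMD_RE = re.compile(r"User '([^']+)', running '[^']+' from IP (\S+), executed '([^']+)'")

TRAP_INFORMATIONAL = 6  # what "logging trap informational" forwards: severity 0..6


def parse_line(line):
    """Return {"sev", "msg_id", "text"} for an ASA message, or None for other input."""
    m = MSG_RE.search(line)
    if not m:
        return None
    return {"sev": int(m.group("sev")), "msg_id": m.group("msg_id"), "text": m.group("text")}


def forwarded(sev, trap_level=TRAP_INFORMATIONAL):
    """Whether a message of this severity reaches the syslog host (lower number = more severe)."""
    return sev <= trap_level


def parse_log(lines):
    return [p for p in (parse_line(l) for l in lines) if p]


def severity_counts(lines):
    return Counter(p["sev"] for p in parse_log(lines))


def dropped_by_trap_level(lines, trap_level=TRAP_INFORMATIONAL):
    """Message IDs generated on the box that the trap level keeps off the syslog host."""
    return [p["msg_id"] for p in parse_log(lines) if not forwarded(p["sev"], trap_level)]


def failed_auth_bursts(lines, threshold=3):
    """Users with >= threshold AAA rejections (113005): password guessing against the VPN."""
    rejects = defaultdict(int)
    for p in parse_log(lines):
        if p["msg_id"] == "113005":
            m = USER_RE.search(p["text"])
            if m:
                rejects[m.group(1)] += 1
    return {u: n for u, n in rejects.items() if n >= threshold}


def config_commands(lines):
    """(user, source IP, command) for every 111010 'command executed' audit message."""
    out = []
    for p in parse_log(lines):
        if p["msg_id"] == "111010":
            m = CMD_RE.search(p["text"])
            if m:
                out.append(m.groups())
    return out


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("per-severity:", dict(severity_counts(lines)))
    print("not forwarded at trap informational:", dropped_by_trap_level(lines))
    print("auth bursts:", failed_auth_bursts(lines))
    print("admin commands:", config_commands(lines))
```

The 710005 line in the sample is severity 7 and therefore never leaves the box under this configuration; if the syslog host is expected to show it, the trap level, not the collector, is what has to change.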

10. SNMP management configuration
snmp-server host inside 192.168.40.47 community testsnmp
snmp-server location DG-GTEST
snmp-server contact jiangdaoyou:6162
snmp-server community testsnmp
snmp-server enable traps snmp authentication linkup linkdown coldstart

Note: once the host is specified, only 192.168.40.47 can manage the device over SNMP. The community string is the sole credential for SNMPv1/v2c and travels in clear text in every packet, so the host restriction, a non-default community and keeping SNMP off untrusted interfaces are the only protections this configuration has. The authentication trap fires when a request arrives with a wrong community string, which is a useful signal that someone is probing SNMP.

11. ACS configuration
Management after installation: http://ip:2002. ACS provides authorization, authentication and many other functions.

Omitted for now because there is too much material.


12. AAA configuration
AAA server configuration:

aaa-server radius_dg host dc03.xxxx.com
 key dfdfdfdf146**U
 authentication-port 1812
 accounting-port 1813
 radius-common-pw dfdfdfdf146**U

Configuration for the dial-in VPN:

tunnel-group vg_testerp general-attributes
 address-pool ciscovpnuser
 authentication-server-group radius_dg
 default-group-policy vg_testerp

Notes: the server group must exist before the host line is accepted (aaa-server radius_dg protocol radius, not shown above). The key is the RADIUS shared secret: it never goes on the wire, but it is what hides User-Password in the request and authenticates the server's reply, so it should be long and random, and since show running-config prints it in clear text, configuration backups need the same protection as the key itself. With authentication-server-group radius_dg alone, users of this tunnel-group are authenticated only by RADIUS; append LOCAL (authentication-server-group radius_dg LOCAL) if the local username database should be used as a fallback when the server is unreachable.
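What the key on the aaa-server line actually does is easier to see with the exchange written out. The following is an added example, not code from the notes or from any RADIUS implementation: a minimal RFC 2865 Access-Request / Access-Accept round trip in Python, in which the NAS (the ASA's role) obfuscates User-Password with the shared secret and checks the Response Authenticator on the reply, and the server recovers the password and looks it up. The secret, user database and password are constructed for the demonstration; attribute types 1 and 2, codes 1/2/3 and the MD5 constructions are from the RFC.

```python
"""RFC 2865 Access-Request / Access-Accept exchange between a NAS (the ASA
here) and a RADIUS server, showing what the shared `key` on the aaa-server
line does: it hides User-Password and signs the server's reply.
Added example, not code from the notes or from any RADIUS implementation;
the secret, user database and password used below are constructed."""
import hashlib
import hmac
import os

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _md5(*parts):
    return hashlib.md5(b"".join(parts)).digest()


def encrypt_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks; each block is XORed with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], _md5(secret, prev)))
        out += block
        prev = block
    return out


def decrypt_password(cipher, secret, authenticator):
    """Inverse of encrypt_password; the trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, _md5(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")


def _attr(atype, value):
    return bytes([atype, len(value) + 2]) + value  # Type, Length (incl. header), Value


def _parse_attrs(blob):
    attrs, i = {}, 0
    while i + 2 <= len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2:
            break
        attrs[atype] = blob[i + 2:i + alen]
        i += alen
    return attrs


def _packet(code, ident, authenticator, attrs):
    # Code(1) Identifier(1) Length(2) Authenticator(16) Attributes
    return bytes([code, ident]) + (20 + len(attrs)).to_bytes(2, "big") + authenticator + attrs


def build_access_request(user, password, secret, ident=0, authenticator=None):
    """NAS side: fresh random Request Authenticator, obfuscated User-Password."""
    ra = authenticator if authenticator is not None else os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, user) + _attr(ATTR_USER_PASSWORD, encrypt_password(password, secret, ra))
    return _packet(ACCESS_REQUEST, ident, ra, attrs)


def server_handle(request, secret, users):
    """Server side: recover the password with the shared secret, check it against
    the user database, and sign the reply with the Response Authenticator
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    ident, ra = request[1], request[4:20]
    attrs = _parse_attrs(request[20:])
    user = attrs.get(ATTR_USER_NAME, b"")
    password = decrypt_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, ra)
    ok = user in users and hmac.compare_digest(users[user], password)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    header = bytes([code, ident]) + (20).to_bytes(2, "big")  # no reply attributes
    return _packet(code, ident, _md5(header, ra, secret), b"")


def verify_response(request, response, secret):
    """NAS side: accept a reply only if its Response Authenticator was computed
    with our Request Authenticator and the shared secret; otherwise anyone able
    to spoof the server's address could inject an Access-Accept."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = _md5(response[:4], request[4:20], response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    SECRET, USERS = b"example-shared-secret", {b"jiang": b"correct horse battery"}
    req = build_access_request(b"jiang", b"correct horse battery", SECRET, ident=7)
    resp = server_handle(req, SECRET, USERS)
    print("accept" if resp[0] == ACCESS_ACCEPT else "reject", "verified:", verify_response(req, resp, SECRET))
```

The base exchange has no integrity protection on the request itself (the Message-Authenticator attribute of RFC 2869 is not shown), and the User-Password hiding is a keystream derived from MD5 of the secret, so a short or guessable key can be recovered offline from a single captured request by anyone who can read the segment between the ASA and dc03. That is the practical reason for a long random key and for keeping port 1812/1813 traffic on a trusted network.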


13. Upgrading the IOS (the ASA software image)
copy tftp://192.168.40.180/asa/asa721-k8.bin disk0:/asa721-k8.bin
boot system disk0:/asa721-k8.bin (used when more than one image is on the flash)

Note: TFTP has no authentication or integrity protection, so check the copied file against the published checksum before pointing boot system at it (verify /md5 disk0:/asa721-k8.bin <expected-md5>), and save the configuration (write memory) so the boot system setting survives the reload.


14. Miscellaneous problems
1) From a remote subnet the far-side gateway cannot be pinged, e.g. from Wuxi Gelan 192.168.40.251 cannot be pinged

Enter the command: management-access inside (this item cannot be set through ASDM). It allows the inside interface address to be reached for management (ping, SSH, ASDM) over a VPN tunnel that terminates on another interface.

2) NAT sometimes does not take effect quickly

Use the command: clear xlate

Note: clear xlate removes all existing translation entries, and the connections that depend on them are dropped, so run it in a maintenance window or narrow it with its interface / address arguments.
