实验目的:外部电脑PC2能通过SSL×××的方式访问PC1服务器
配置:一、首先安装sslclient到总部的边界路由器R1上
二、再配置R1的SSL×××
三、PC2访问https://1.1.1.1 安装SSL××× client ,建立连接。
一、安装sslclient到R1
1、格式化 disk0 //因为我是用虚拟机做的,因此是disk0,用真实机做应该是flash:,应该省略第1步。
R1#format disk0:
2、上传sslclient软件
R1#copy tftp disk0:
Address or name of remote host []? 192.168.1.2
Source filename []? sslclient.pkg
Destination filename [sslclient.pkg]?
Accessing tftp://192.168.10.100/sslclient.pkg...
Loading sslclient.pkg from 192.168.10.100 (via FastEthernet0/0): !!
[OK - 415090 bytes]
415090 bytes copied in 12.892 secs (32197 bytes/sec)
3、安装 client 软件
R1(config)#webvpn install svc disk0:/sslclient.pkg
二、配置R1的SSL×××
R1(config)# aaa new-model
R1(config)# aaa authentication login default local //为防止控制台超时而造成无法进入Exec
R1(config))# aaa authentication login webvpn local //设置登陆为local的方式应用到webvpn上
R1(config)# ip local pool client-add 10.10.10.10 10.10.10.50 //这是分配给客户电脑的IP地址
R1(config)# username cisco password cisco //定义Web×××本地认证用户名,密码
R1(config))# webvpn gateway vpngateway //定义Web×××在哪个接口上进行监听,此时IOS会自动产生自签名证书。
R1 (config-webvpn-gateway)# ip address 1.1.1.1 port 443 //设置SSL×××服务端的地址
R1 (config-webvpn-gateway)# inservice //启用webvpn gateway配置
R1 (config)# webvpn context webcontext //定义webvpn的相关配置,相当于ASA的tunnel-group,在这里可以定义
R1 (config-webvpn-context)# gateway vpngateway // 关联服务监听地址
R1 (config-webvpn-context)# aaa authentication list webvpn //关联认证方式
R1 (config-webvpn-context)# inservice //启用webvpn context配置
R1(config-webvpn-context)# policy group sslvpn-policy //进入sslvpn策略组
R1(config-webvpn-group)# functions svc-enabled
R1(config-webvpn-group)# svc address-pool client-add //分配svc使用的地址池
R1(config-webvpn-group)# svc split include 192.168.1.0 255.255.255.0 //路由分离,如果不配置,则默认为0.0.0.0,这条命令的作用是客户端在通过SSL访问服务器的同时,也可以访问其它网络,如internet
R1(config-webvpn-group)#exit
R1(config-webvpn-context)# default-group-policy sslvpn-policy //关联策略组
最后还有一个很重要的命令哈。。
int loopback 0
ip address 10.10.10.1
no sh
如果不配置这条的话,客户端将是连不上SSL×××的,因为服务器端上面没有这个网络,因为要配置上。如果服务器端上还配置了动态路由协议的话,还应该把这个网段宣告出来。
三、在PC2上连接
输入 https://1.1.1.1
输入用户名和密码 cisco cisco
安装activex控件,即sslclient
连接建立
测试
pc2可以ping通pc1
pc2可以访问pc1的WEB
pc2可以访问pc1的FTP
配置文件:
R1#sh run
Building configuration...
Current configuration : 3280 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login webvpn local
!
!
aaa session-id common
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-4294967295
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4294967295
revocation-check none
rsakeypair TP-self-signed-4294967295
!
!
crypto pki certificate chain TP-self-signed-4294967295
certificate self-signed 01
3082023E 308201A7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34323934 39363732 3935301E 170D3131 30363231 31343337
32315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 32393439
36373239 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C1DE EDDBF23B A0A17392 FE692E79 E7A90317 31295313 75C836DE 46BFA9DB
19F5B406 11221C14 A58A636F BB4E1C03 B1F89003 7A5952A7 EC364B48 C5254FDD
58CED953 31E4F700 59FE30C0 75FFD561 E615C65B F625B7A2 3438E3A7 443FE826
5D82A49A 2EE11CD6 B9EE22D8 95190CD3 8DB2E2D8 0705C63E AC21FFE4 A527FD84
99DD0203 010001A3 66306430 0F060355 1D130101 FF040530 030101FF 30110603
551D1104 0A300882 06526F75 74657230 1F060355 1D230418 30168014 F350CDD4
69BB4AAE F0A1D593 5F1DB31D 724F283A 301D0603 551D0E04 160414F3 50CDD469
BB4AAEF0 A1D5935F 1DB31D72 4F283A30 0D06092A 864886F7 0D010104 05000381
81000F86 E96FB83F BED31473 AD57F474 69C61694 5BEC9A40 EDE0820B E90621BE
0B88CD5F 61EB1FEF CCB3043B F2230E01 D66EB583 C8740D21 B4124DB9 28B0349C
432C0850 8D27E788 383BA3F6 01917591 8159302A BA11E8B9 DA1FAE7F 16A62A51
E9F42355 37A5A87B 7DC85696 1BE0EA35 83B633E1 03A6076F DAF65143 BE9069A3 88A4
quit
username cisco password 0 cisco
!
!
!
!
!
!
!
interface Loopback0
ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex half
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
ip address 1.1.1.1 255.255.255.0
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface FastEthernet2/0
no ip address
shutdown
duplex half
!
ip local pool ssl-add 10.10.10.10 10.10.10.100
ip route 0.0.0.0 0.0.0.0 Serial1/1
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
stopbits 1
line aux 0
line vty 0 4
!
!
webvpn gateway vpngateway
ip address 1.1.1.1 port 443
ssl trustpoint TP-self-signed-4294967295
inservice
!
webvpn install svc disk0:/webvpn/svc.pkg
!
webvpn context vpncontex
ssl authenticate verify all
!
!
policy group sslvpn-policy
functions svc-enabled
svc address-pool "ssl-add"
svc split include 192.168.1.0 255.255.255.0
default-group-policy sslvpn-policy
aaa authentication list webvpn
gateway vpngateway
inservice
!
!
end
