Kagamigawa
This post was last edited by zylccna2015 on 2020-2-19 10:42
1. Prepare the files
Download the AnyConnect packages for the three platforms (https://software.cisco.com/download/home/286281283/type/282364313/release/4.8.01090?i=!pp) and copy them to the router's bootflash:/webvpn directory
Directory of bootflash:/webvpn/
2204034 -rw- 74680647 Jan 27 2020 21:40:48 +08:00 anyconnect-win-4.8.01090-webdeploy-k9.pkg
2204035 -rw- 47900927 Jan 27 2020 21:41:04 +08:00 anyconnect-macos-4.8.01090-webdeploy-k9.pkg
2204036 -rw- 40935499 Feb 3 2020 11:14:54 +08:00 anyconnect-linux64-4.8.01090-webdeploy-k9.pkg
2. Check the RSA key pair and PKI trustpoint
In theory, IOS-XE generates a self-signed key pair at first boot, used for encryption and for SSH connections.
Gateway#show crypto key mypubkey rsa
% Key pair was generated at: 22:55:59 CST Jan 23 2020
Key name: TP-self-signed-3031926611
Key type: RSA KEYS
Storage Device: private-config
Usage: General Purpose Key
Key is not exportable. Redundancy enabled.
Key Data:
。。。
% Key pair was generated at: 12:25:09 CST Feb 10 2020
Key name: TP-self-signed-3031926611.server
Key type: RSA KEYS
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
。。。
!
Gateway#sh run | sec crypto pki
crypto pki trustpoint TP-self-signed-3031926611
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3031926611
revocation-check none
rsakeypair TP-self-signed-3031926611
crypto pki certificate chain TP-self-signed-3031926611
certificate self-signed 01
。。。
quit
crypto pki certificate pool
cabundle nvram:ios_core.p7b
3. Set up SSH certificate-based login
Because the SSL-VPN accounts have to be created locally on the router, but we do not want those accounts to be able to manage the router, management authentication on the router is switched to certificate (public-key) login
Gateway#sh run | sec aaa|ssh|line vty 0 4
aaa new-model
aaa authentication login default local
aaa authentication enable default none
!
ip ssh version 2
ip ssh pubkey-chain
username root
key-hash ssh-rsa E4DE90405411EEEDEB6E273E61114806
ip ssh server algorithm authentication publickey ! certificate authentication only
!
line vty 0 4
logging synchronous
transport input ssh
4. Configure SSL-VPN
Step 1: enable AAA, set the login authentication method to local and the network authorization method to local, and create the accounts

aaa new-model
aaa authentication login sslvpn local
aaa authorization network sslvpn local
!
username tql password 7 XXXX41A
username jiamingrui password 7 1XXXXF507F7D
username sdb password 7 091XXXX5041
username zyl password 7 122XXXX3787079
username sq password 7 XXXXXX81B5F
Step 2: set the host name used for inbound connections from outside, and move the local HTTP/HTTPS service off the ports it would otherwise occupy
clock timezone CST 8 0
!
ntp master 1
ntp server cn.pool.ntp.org
!
ip ddns update method 3322
HTTP
add http://xxx:xxx@/nic/update?system=dyndns&hostname=&myip=
interval maximum 0 0 1 0
interval minimum 0 0 1 0
!
interface Dialer1
ip ddns update hostname kagamigawa.f3322.net
ip ddns update 3322 host members.3322.net
!
ip http server
ip http authentication local
ip http secure-server
ip http secure-port 4430
Step 3: configure SS...

http://192.168.0.250/file
pool sslvpn
dns 192.168.0.1
banner This is my personal server and the web traffic you requested is cached on the proxy server. Click to accept or disconnect ! write the banner
def-domain home.lab
route set access-list 1 ! just reference the ACL your PAT already uses here
!
crypto ssl policy sslvpn-policy
ssl proposal sslvpn-proposal
pki trustpoint TP-self-signed-3031926611 sign
ip interface Dialer1 port 4443 ! use port 4443 on the WAN side
!
crypto ssl profile sslvpn-profile
match policy sslvpn-policy
aaa authentication user-pass list sslvpn
aaa authorization group user-pass list sslvpn sslvpn-auth-policy
authentication remote user-pass
max-users 100
!
crypto vpn anyconnect bootflash:/webvpn/anyconnect-win-4.8.01090-webdeploy-k9.pkg sequence 1
crypto vpn anyconnect bootflash:/webvpn/anyconnect-macos-4.8.01090-webdeploy-k9.pkg sequence 2
crypto vpn anyconnect bootflash:/webvpn/anyconnect-linux64-4.8.01090-webdeploy-k9.pkg sequence 3
Step 4: test it
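Before exposing a gateway built this way to the Internet it is worth linting the management and account lines of the config. The following is an added example, not code from the post or from Cisco: a small Python audit that groups IOS config lines into sections and flags the type 7 user passwords, a missing public-key-only SSH setting, vty lines that are not SSH-only, and the plaintext ip http server; the sample config is constructed from the post's lines with the passwords masked as in the original, and parse_sections and audit_config are names of my own.

```python
import re

# Constructed sample: the management and SSL-VPN account lines from the
# post's running-config, with the password strings masked as in the post.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
ip ssh server algorithm authentication publickey
line vty 0 4
 logging synchronous
 transport input ssh
username tql password 7 XXXX41A
username zyl password 7 122XXXX3787079
ip http server
ip http secure-server
"""

def parse_sections(config):
    """Group indented child lines under their top-level parent, IOS style."""
    sections, parent = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and parent is not None:
            sections[parent].append(raw.strip())
        else:
            parent = raw.strip()
            sections.setdefault(parent, [])
    return sections

def audit_config(config):
    """Return the findings a reviewer would raise before exposing this gateway."""
    sections = parse_sections(config)
    findings = []
    for line in sections:
        m = re.match(r"username (\S+) password 7 ", line)
        if m:  # type 7 is reversible obfuscation, not a password hash
            findings.append(f"user {m.group(1)}: type 7 password; use 'username ... secret'")
    if "ip ssh server algorithm authentication publickey" not in sections:
        findings.append("SSH still accepts password logins on the management plane")
    for header, children in sections.items():
        if header.startswith("line vty") and "transport input ssh" not in children:
            findings.append(f"{header}: transport input not restricted to ssh")
    if "ip http server" in sections:
        findings.append("plaintext 'ip http server' enabled alongside the secure server")
    return findings
```

Run audit_config on the output of show running-config to get the same findings for a live box.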
5. Configure the SSL-VPN landing page
Enter the router's guestshell, upload the three files deply.zip, guetshell.tar and install.sh to /bootflash, then run install.sh as the root account
Configure static NAT
ip nat inside source static tcp 192.168.0.250 80 interface Dialer1 8000
ip nat inside source static tcp 192.168.0.250 5000 interface Dialer1 5000
6. Result
http://kagamigawa.f3322.net:8000
Comments
wuhao0015
Support! This makes things easier for people who run their own SSL VPN and a private cloud...
Kagamigawa
wuhao0015 posted on 2020-2-12 14:44
Support! This makes things easier for people who run their own SSL VPN and a private cloud...

So awkward, it's a one-man forum
wuhao0015
zylccna2015 posted on 2020-2-12 14:58
So awkward, it's a one-man forum

Building it for your own use is nice. Pay attention to network security.
likuo
I need to study this properly.