取消
显示结果 
搜索替代 
您的意思是: 
cancel
10852
查看次数
28
有帮助
14
评论
Kagamigawa
Spotlight
Spotlight
本帖最后由 zylccna2015 于 2020-12-28 21:49 编辑
CISCO URL-BASED ROUTING

1、 终端需求:
能够为LAN区域的终端及anyconnect拨号客户端下发策略,使终端设备的HTTP(包括TLS)流量能够走正确的路径
2、 中间系统需求:
采用IOS-XE设备及AX许可
3、 基础配置:
WAN口:
interfaceGigabitEthernet1
description WAN
no ip address
negotiation auto
pppoe enable group global
cdp enable
pppoe-client dial-pool-number 1
!
interfaceDialer1
description WAN
ip ddns update hostname xxx.f3322.net
ip ddns update 3322 host members.3322.net
ip address negotiated
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
ppp pap sent-username xxx password 7 xxx
ppp ipcp dns request
ppp ipcp route default
!
LAN口配置:
interface range GigabitEthernet2-6
no ip address
negotiation auto
cdp enable
service instance 1 ethernet
encapsulation untagged
!
bridge-domain 1
member GigabitEthernet1 service-instance 1
member GigabitEthernet2 service-instance 1
member GigabitEthernet3 service-instance 1
member GigabitEthernet4 service-instance 1
member GigabitEthernet5 service-instance 1
member GigabitEthernet6 service-instance 1
bridge irb
!
interface BDI1
ipaddress 192.168.0.1 255.255.255.0
ipnbar protocol-discovery
ipnat inside
!
DHCP配置:
ip dhcp excluded-address 192.168.0.1 192.168.0.50
ip dhcp pool NAT
network 192.168.0.0255.255.255.0
dns-server 192.168.0.1
default-router 192.168.0.1
NAT配置:
ip nat inside source list 1 interfaceDialer1 overload
access-list 1 permit 192.168.0.00.0.255.255
!
VPN配置
aaa new-module
aaa authentication login sslvpn local
aaa authorization network sslvpn local
!
crypto ssl proposal sslvpn-proposal
protection rsa-3des-ede-sha1 rsa-rc4128-md5rsa-aes128-sha1 rsa-aes256-sha1
!
crypto ssl authorization policysslvpn-auth-policy
pool sslvpn
dns192.168.0.1
def-domain uq
!
crypto ssl policy sslvpn-policy
sslproposal sslvpn-proposal
pkitrustpoint SIG sign
ipinterface Dialer1 port 4443
!
crypto ssl profile sslvpn-profile
match policy sslvpn-policy
aaaauthentication user-pass list sslvpn
aaaauthorization group user-pass list sslvpn sslvpn-auth-policy
authentication remote user-pass
max-users 100
!
ip local pool sslvpn 192.168.32.100192.168.32.254
===============================================================================
4、 搭建web流量代理服务
iox
!
app-hostingappid guestshell
app-vnic gateway0 virtualportgroup 0guest-interface 0
guest-ipaddress 192.168.1.100 netmask255.255.255.0
app-default-gateway 192.168.1.1guest-interface 0

name-server0192.168.1.1

!
interface VirtualPortGroup0
ipaddress 192.168.1.1 255.255.255.0
ip nat inside
!
安装privoxy与v2ray服务和nginx
Echo “actionsfilegfwlist.action” >> /etc/privoxy/config
listen-address 0.0.0.0:8118 #监听LAN的数据
下载gfwlist.action文件到/etc/privoxy目录
启动v2ray服务
[root@guestshellguestshell]# systemctl status v2ray.service
● v2ray.service -V2Ray Service
Loaded: loaded(/etc/systemd/system/v2ray.service; enabled; vendor preset: disabled)
Active: active (running) since Fri2020-12-25 12:48:30 UTC; 3 days ago
Main PID: 34 (v2ray)
CGroup:/system.slice/libvirtd.service/system.slice/v2ray.service
└─34/usr/bin/v2ray/v2ray -config /etc/v2ray/config.json
启动nginx服务
[root@guestshellguestshell]# systemctl status v2ray.service
● v2ray.service -V2Ray Service
Loaded: loaded(/etc/systemd/system/v2ray.service; enabled; vendor preset: disabled)
Active: active (running) since Fri2020-12-25 12:48:30 UTC; 3 days ago
Main PID: 34 (v2ray)
CGroup:/system.slice/libvirtd.service/system.slice/v2ray.service
└─34/usr/bin/v2ray/v2ray -config /etc/v2ray/config.json
在nginx的根目录下创建个proxy.pac文件
[root@guestshellguestshell]# more /usr/share/nginx/html/proxy.pac
functionFindProxyForURL(url, host) {

if (isPlainHostName(host) ||
shExpMatch(host,"*.local") ||
isInNet(dnsResolve(host),"10.0.0.0", "255.0.0.0") ||
isInNet(dnsResolve(host),"172.16.0.0", "255.240.0.0") ||
isInNet(dnsResolve(host),"192.168.0.0", "255.255.0.0") ||
isInNet(dnsResolve(host),"173.37.0.0", "255.255.0.0") ||
isInNet(dnsResolve(host),"127.0.0.0", "255.255.255.0"))
return "DIRECT";

else
return "PROXY 192.168.1.100:8118";
}
5、 为LAN和anyconnect客户端下发策略
ip dhcp pool NAT
option 252 asciihttp://192.168.1.100/proxy.pac
crypto ssl authorization policy sslvpn-auth-policy
msie-proxy server192.168.1.100:8118

评论
huajiang
Level 1
Level 1
此方法有效吗
Kagamigawa
Spotlight
Spotlight
ciscohua0815 发表于 2020-12-31 11:45
此方法有效吗

我家就这么用着呢
Tiandao
Level 1
Level 1
给力啊!学习了
述沭
Level 1
Level 1
力啊!学习了
wuhao0015
Spotlight
Spotlight
好家伙,我懂的。。。
mxmtec3617967
Level 1
Level 1
privoxy,v2ray,都是部署在路由器上的?
Kagamigawa
Spotlight
Spotlight
mxmtec3617967 发表于 2021-1-9 21:41
privoxy,v2ray,都是部署在路由器上的?

是的 guestshell
mxmtec3617967
Level 1
Level 1
学习了!。。。致敬
huajiang
Level 1
Level 1
PAC配置脚本上只把内网网段剥离出来了,其他访问国内外网
Kagamigawa
Spotlight
Spotlight
ciscohua0815 发表于 2021-1-13 14:02
PAC配置脚本上只把内网网段剥离出来了,其他访问国内外网

国内外靠的是 privoxy下的 gfwlist.action文件
fortune
VIP Alumni
VIP Alumni
谢谢分享哦
tony huang
Community Member
还能再详细一点吗
niyaodong
Level 1
Level 1
高手。这就去试试看。
zeroarynas
Level 1
Level 1
这就是<翻><墙>吧,ax的license可以rtu
入门指南

使用上面的搜索栏输入关键字、短语或问题,搜索问题的答案。

我们希望您在这里的旅程尽可能顺利,因此这里有一些链接可以帮助您快速熟悉思科社区:









快捷链接