【原创】CISCO URL-BASED ROUTING

发表于 2020-12-28 21:47:43 | 显示全部楼层 |阅读模式
本帖最后由 zylccna2015 于 2020-12-28 21:49 编辑

CISCO URL-BASED ROUTING

1、  终端需求:
能够为LAN区域的终端及anyconnect拨号客户端下发策略,使终端设备的HTTP(包括TLS)流量能够走正确的路径
2、  中间系统需求:
采用IOS-XE设备及AX许可
3、  基础配置:
WAN口:
interface GigabitEthernet1
description WAN
no ip address
negotiation auto
pppoe enable group global
cdp enable
pppoe-client dial-pool-number 1
!
interface Dialer1
description WAN
ip ddns update hostname xxx.f3322.net
ip ddns update 3322 host members.3322.net
ip address negotiated
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
ppp pap sent-username xxx password 7 xxx
ppp ipcp dns request
ppp ipcp route default
!
LAN口配置:
interface range GigabitEthernet2-6
no ip address
negotiation auto
cdp enable
service instance 1 ethernet
  encapsulation untagged
!
bridge-domain 1
member GigabitEthernet1 service-instance 1
member GigabitEthernet2 service-instance 1
member GigabitEthernet3 service-instance 1
member GigabitEthernet4 service-instance 1
member GigabitEthernet5 service-instance 1
member GigabitEthernet6 service-instance 1
bridge irb
!
interface BDI1
ip address 192.168.0.1 255.255.255.0
ip nbar protocol-discovery
ip nat inside
!
DHCP配置:
ip dhcp excluded-address 192.168.0.1 192.168.0.50
ip dhcp pool NAT
network 192.168.0.0 255.255.255.0
dns-server 192.168.0.1
default-router 192.168.0.1
NAT配置:
ip nat inside source list 1 interface Dialer1 overload
access-list 1 permit 192.168.0.0 0.0.255.255
!
VPN配置
aaa new-model
aaa authentication login sslvpn local
aaa authorization network sslvpn local
!
crypto ssl proposal sslvpn-proposal
protection rsa-3des-ede-sha1 rsa-rc4128-md5 rsa-aes128-sha1 rsa-aes256-sha1
!
crypto ssl authorization policy sslvpn-auth-policy
pool sslvpn
dns 192.168.0.1
def-domain uq
!
crypto ssl policy sslvpn-policy
ssl proposal sslvpn-proposal
pki trustpoint SIG sign
ip interface Dialer1 port 4443
!
crypto ssl profile sslvpn-profile
match policy sslvpn-policy
aaa authentication user-pass list sslvpn
aaa authorization group user-pass list sslvpn sslvpn-auth-policy
authentication remote user-pass
max-users 100
!
ip local pool sslvpn 192.168.32.100 192.168.32.254
===============================================================================
4、  搭建web流量代理服务
iox
!
app-hosting appid guestshell
app-vnic gateway0 virtualportgroup 0 guest-interface 0
  guest-ipaddress 192.168.1.100 netmask 255.255.255.0
app-default-gateway 192.168.1.1 guest-interface 0

name-server0 192.168.1.1

!
interface VirtualPortGroup0
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
安装privoxy与v2ray服务和nginx
echo "actionsfile gfwlist.action" >> /etc/privoxy/config
listen-address  0.0.0.0:8118  #监听LAN的数据
下载gfwlist.action文件到/etc/privoxy目录
启动v2ray服务
[root@guestshell guestshell]# systemctl status v2ray.service
● v2ray.service - V2Ray Service
   Loaded: loaded (/etc/systemd/system/v2ray.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2020-12-25 12:48:30 UTC; 3 days ago
 Main PID: 34 (v2ray)
   CGroup: /system.slice/libvirtd.service/system.slice/v2ray.service
           └─34 /usr/bin/v2ray/v2ray -config /etc/v2ray/config.json
启动nginx服务
[root@guestshell guestshell]# systemctl status v2ray.service
● v2ray.service - V2Ray Service
   Loaded: loaded (/etc/systemd/system/v2ray.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2020-12-25 12:48:30 UTC; 3 days ago
 Main PID: 34 (v2ray)
   CGroup: /system.slice/libvirtd.service/system.slice/v2ray.service
           └─34 /usr/bin/v2ray/v2ray -config /etc/v2ray/config.json
在nginx的根目录下创建个proxy.pac文件
[root@guestshell guestshell]# more /usr/share/nginx/html/proxy.pac
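// Proxy auto-config (PAC) entry point. The browser calls this once per
// request and routes according to the returned string.
//   url  - the full URL being requested (unused here; the decision is
//          made on the hostname only)
//   host - the hostname part of that URL
// Returns "DIRECT" for unqualified names, *.local names and hosts that
// resolve into one of the listed private/loopback ranges; every other
// host is sent to the privoxy listener at 192.168.1.100:8118.
function FindProxyForURL(url, host) {
    // Unqualified and *.local names bypass the proxy without any DNS lookup.
    if (isPlainHostName(host) || shExpMatch(host, "*.local")) {
        return "DIRECT";
    }

    // Resolve once and reuse. The original called dnsResolve() inside every
    // isInNet() test, costing one lookup per range on each request. Note
    // that every name reaching this point is still resolved by the client's
    // local resolver before the proxy decision is made.
    var addr = dnsResolve(host);

    // Ranges that stay off the proxy. 127.0.0.0 is matched as /8 so the
    // whole loopback block is treated as local; the original mask of
    // 255.255.255.0 covered only 127.0.0.0/24.
    var directRanges = [
        ["10.0.0.0",    "255.0.0.0"],
        ["172.16.0.0",  "255.240.0.0"],
        ["192.168.0.0", "255.255.0.0"],
        ["173.37.0.0",  "255.255.0.0"],
        ["127.0.0.0",   "255.0.0.0"]
    ];
    for (var i = 0; i < directRanges.length; i++) {
        if (isInNet(addr, directRanges[i][0], directRanges[i][1])) {
            return "DIRECT";
        }
    }

    return "PROXY 192.168.1.100:8118";
}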
5、  为LAN和anyconnect客户端下发策略
ip dhcp pool NAT
option 252 ascii http://192.168.1.100/proxy.pac
crypto ssl authorization policy sslvpn-auth-policy
msie-proxy server 192.168.1.100:8118

发表于 2020-12-31 11:45:48 | 显示全部楼层
此方法有效吗
 楼主| 发表于 2020-12-31 22:00:50 | 显示全部楼层

我家就这么用着呢
发表于 2021-1-2 14:18:08 | 显示全部楼层
给力啊!学习了
发表于 2021-1-4 14:45:20 | 显示全部楼层
力啊!学习了
发表于 2021-1-4 14:58:54 | 显示全部楼层
好家伙,我懂的。。。
发表于 2021-1-9 21:41:42 | 显示全部楼层
privoxy,v2ray,都是部署在路由器上的?
 楼主| 发表于 2021-1-11 09:36:39 | 显示全部楼层
mxmtec3617967 发表于 2021-1-9 21:41
privoxy,v2ray,都是部署在路由器上的?

是的 guestshell
发表于 2021-1-11 15:20:01 | 显示全部楼层
学习了!。。。致敬
发表于 6 天前 | 显示全部楼层
PAC配置脚本上只把内网网段剥离出来了,其他访问国内外网