ASA-3: Remote VPN on the ASA and Cisco VPN client configuration on Linux
Remote-access VPN on a Cisco ASA 5510, with a Cisco VPN client on Linux

I. ASA 5510 configuration

1. Create an address pool
Remote-access clients need an IP address assigned during login, so we create an address pool for them (if you already have a DHCP server, the ASA can hand out addresses from it instead).

    bjicc-eda# ip local pool vpnpool 10.160.88.1-10.160.88.100 mask 255.255.255.0

2. Create the IKE phase 1 policy

    bjicc-eda# isakmp policy 1
    bjicc-eda# authentication pre-share
    bjicc-eda# encryption 3des
    bjicc-eda# hash sha
    bjicc-eda# group 2
    bjicc-eda# lifetime 43200
    bjicc-eda# exit

3. Enable IKE phase 1 on the outside interface

    bjicc-eda# crypto isakmp enable outside

4. Define the transform set

    bjicc-eda# crypto ipsec transform-set vpnset esp-3des esp-sha-hmac

The transform set created here is named vpnset.

5. Configure the dynamic crypto map

    bjicc-eda# crypto dynamic-map outside-dyn-map 10 set transform-set vpnset
    bjicc-eda# crypto dynamic-map outside-dyn-map 10 set reverse-route
    bjicc-eda# crypto dynamic-map outside-dyn-map 10 set security-association lifetime seconds 288000

6. Reference the dynamic map from a static crypto map and apply it to the interface

    bjicc-eda# crypto map outside-map 10 ipsec-isakmp dynamic outside-dyn-map
    bjicc-eda# crypto map outside-map interface outside

7. NAT traversal

    bjicc-eda# crypto isakmp nat-traversal 10

With NAT-T both peers end up communicating over UDP port 4500; it works for both remote-access client and L2L (LAN-to-LAN) tunnels. NAT-T is disabled by default, and the default keepalive interval is 20 seconds.

8. Let VPN traffic bypass the interface access lists

    bjicc-eda# sysopt connection permit-ipsec

The sysopt connection command tells the ASA to let SSL/IPsec client traffic bypass the interface access lists.

9. Create and configure the group policy

    bjicc-eda# group-policy vpnclient internal
    bjicc-eda# group-policy vpnclient attributes
    bjicc-eda# dns-server value 202.102.0.20
    bjicc-eda# vpn-tunnel-protocol ipsec
    bjicc-eda# default-domain value bjicc.com
    bjicc-eda# exit

A group policy holds the parameters pushed to connecting clients. Here we create one named vpnclient.

10. Create the tunnel group and set its attributes

    bjicc-eda# tunnel-group vpnclient type ipsec-ra
    bjicc-eda# tunnel-group vpnclient ipsec-attributes
    bjicc-eda# pre-shared-key cisco123
    bjicc-eda# exit
    bjicc-eda# tunnel-group vpnclient general-attributes
    bjicc-eda# authentication-server-group LOCAL
    bjicc-eda# default-group-policy vpnclient
    bjicc-eda# address-pool vpnpool
    bjicc-eda# exit

Here vpnclient is the group name the client is configured with (the "username" of the group), and the pre-shared key is the group's password.

11. Configure a user account

    bjicc-eda# username bjicc password bjicc
    bjicc-eda# username bjicc attributes
    bjicc-eda# vpn-group-policy vpnclient
    bjicc-eda# exit

This creates a user and assigns it to our remote-access VPN.

12. Configure NAT exemption

    bjicc-eda# access-list nonat extended permit ip 192.168.3.0 255.255.255.0 10.160.88.0 255.255.255.0
    bjicc-eda# nat (inside) 0 access-list nonat

This tells the ASA not to apply network address translation (NAT) to traffic between the remote-access clients and the internal network they access.

13. Split tunneling

    bjicc-eda# access-list vpnclient_splitTunnelAcl standard permit 192.168.3.0 255.255.255.0
    bjicc-eda# group-policy vpnclient attributes
    bjicc-eda# split-tunnel-policy tunnelspecified
    bjicc-eda# split-tunnel-network-list value vpnclient_splitTunnelAcl
    bjicc-eda# end

II. vpnc as the VPN client on Linux

1. Install (vpnc is chosen here as the Cisco VPN client on Linux)

    # tar -zxvf vpnc-0.5.3.tar.gz
    # cd vpnc-0.5.3
    # make && make install
    LC_ALL=C perl -w ./enum2debug.pl isakmp.h >vpnc-debug.c 2>vpnc-debug.h
    gcc -MM sysdep.c vpnc-debug.c isakmp-pkt.c tunip.c config.c dh.c math_group.c supp.c decrypt-utils.c vpnc.c cisco-decrypt.c -O3 -g -W -Wall -Wmissing-declarations -Wwrite-strings -DVERSION=\"0.5.3\" > .depend
    gcc -O3 -g -W -Wall -Wmissing-declarations -Wwrite-strings -DVERSION=\"0.5.3\" -c -o sysdep.o sysdep.c
    gcc -O3 -g -W -Wall -Wmissing-declarations -Wwrite-strings -DVERSION=\"0.5.3\" -c -o vpnc-debug.o vpnc-debug.c
    gcc -O3 -g -W -Wall -Wmissing-declarations -Wwrite-strings -DVERSION=\"0.5.3\" -c -o isakmp-pkt.o isakmp-pkt.c
    gcc -O3 -g -W -Wall -Wmissing-declarations -Wwrite-strings -DVERSION=\"0.5.3\" -c -o tunip.o tunip.c
    gcc -O3 -g -W -Wall -Wmissing-declarations -Wwrite-strings -DVERSION=\"0.5.3\" -c -o config.o config.c
    gcc -O3 -g -W -Wall -Wmissing-declarations -Wwrite-strings -DVERSION=\"0.5.3\" -c -o dh.o dh.c
    gcc -O3 -g -W -Wall -Wmissing-declarations -Wwrite-strings -DVERSION=\"0.5.3\" -c -o math_group.o math_group.c
    gcc -O3 -g -W -Wall -Wmissing-declarations -Wwrite-strings -DVERSION=\"0.5.3\" -c -o supp.o supp.c
    gcc -O3 -g -W -Wall -Wmissing-declarations -Wwrite-strings -DVERSION=\"0.5.3\" -c -o decrypt-utils.o decrypt-utils.c
    gcc -O3 -g -W -Wall -Wmissing-declarations -Wwrite-strings -DVERSION=\"0.5.3\" -c -o vpnc.o vpnc.c
    gcc -o vpnc sysdep.o vpnc-debug.o isakmp-pkt.o tunip.o config.o dh.o math_group.o supp.o decrypt-utils.o vpnc.o -g -lgcrypt -ldl -lgpg-error
    gcc -O3 -g -W -Wall -Wmissing-declarations -Wwrite-strings -DVERSION=\"0.5.3\" -c -o cisco-decrypt.o cisco-decrypt.c
    gcc -o cisco-decrypt cisco-decrypt.o decrypt-utils.o -g -lgcrypt -ldl -lgpg-error
    ./makeman.pl
    sed -e 's,@''PREFIX''@,/usr/local,g' vpnc-script.in > vpnc-script && chmod 755 vpnc-script
    install -d /etc/vpnc /usr/local/bin /usr/local/sbin /usr/local/share/man/man1 /usr/local/share/man/man8 /usr/local/share/doc/vpnc
    if [ "`uname -s | cut -c-6`" = "CYGWIN" ]; then \
        install vpnc-script-win /etc/vpnc/vpnc-script; \
        install vpnc-script-win.js /etc/vpnc; \
    else \
        install vpnc-script /etc/vpnc; \
    fi
    install -m600 vpnc.conf /etc/vpnc/default.conf
    install -m755 vpnc-disconnect /usr/local/sbin
    install -m755 pcf2vpnc /usr/local/bin
    install -m644 vpnc.8 /usr/local/share/man/man8
    install -m644 pcf2vpnc.1 /usr/local/share/man/man1
    install -m644 cisco-decrypt.1 /usr/local/share/man/man1
    install -m644 COPYING /usr/local/share/doc/vpnc
    install -m755 vpnc /usr/local/sbin
    install -m755 cisco-decrypt /usr/local/bin

2. Configure

    # cd /etc/vpnc
    # cp default.conf asa5510.conf
    # vim asa5510.conf
    #Ipsec to asa5510
    #IPSec gateway <gateway>
    IPSec gateway 210.82.111.108
    #IPSec ID <group-id>
    IPSec ID vpnclient
    #IPSec secret <group-psk>
    IPSec secret cisco123
    #IKE Authmode hybrid
    IKE Authmode psk
    #Xauth username <username>
    Xauth username bjicc
    #Xauth password <password>
    Xauth password bjicc

These values correspond to the configuration on the ASA 5510.

3. Connection test

    # vpnc asa5510

If you run vpnc without the profile name, it uses the configuration in /etc/vpnc/default.conf.

    # ifconfig | grep -i tun -A 1
    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:10.160.88.2  P-t-P:10.160.88.2  Mask:255.255.255.255

The VPN connection is established and the client was assigned IP 10.160.88.2.

    # ping 192.168.3.1
    PING 192.168.3.1 (192.168.3.1) 56(84) bytes of data.
    64 bytes from 192.168.3.1: icmp_seq=1 ttl=63 time=2.06 ms
    64 bytes from 192.168.3.1: icmp_seq=2 ttl=63 time=2.46 ms

Traffic flows through the VPN.

    # /usr/local/sbin/vpnc-disconnect
    Terminating vpnc daemon (pid: 9138)

The VPN connection is torn down.
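The vpnc profile is only useful if it really does correspond to the ASA configuration, and the ASA side above uses algorithm choices (3DES, SHA-1, DH group 2) that are legacy today. The script below is an added example, not code from the original post: it parses the ASA CLI lines and the vpnc profile, cross-checks the tunnel-group name, pre-shared key, Xauth user and NAT-exempt ACL, and flags legacy algorithms. ASA_CONFIG and VPNC_CONF are constructed from the values shown above (so they agree by design); the vpnc IPSec ID is assumed to be the tunnel-group name, which is how vpnc selects the group.

```python
"""Cross-check a vpnc profile against the ASA remote-access configuration.
Added example, not code from the original post: ASA_CONFIG and VPNC_CONF are
constructed from the values in the post (so they agree by design); feed the
functions real `show running-config` output and /etc/vpnc/<name>.conf instead.
"""
import ipaddress
import re

ASA_CONFIG = """\
ip local pool vpnpool 10.160.88.1-10.160.88.100 mask 255.255.255.0
isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
tunnel-group vpnclient ipsec-attributes
 pre-shared-key cisco123
username bjicc password bjicc
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 10.160.88.0 255.255.255.0
"""

VPNC_CONF = """\
IPSec gateway 210.82.111.108
IPSec ID vpnclient
IPSec secret cisco123
IKE Authmode psk
Xauth username bjicc
Xauth password bjicc
"""

# vpnc keys are multi-word; the rest of the line is the value.
VPNC_KEYS = ("IPSec gateway", "IPSec ID", "IPSec secret", "IKE Authmode",
             "Xauth username", "Xauth password")
# Algorithm names the ASA accepts that are legacy choices today.
LEGACY = {"des": "single DES", "3des": "3DES (64-bit block cipher)",
          "md5": "MD5 HMAC", "sha": "SHA-1 HMAC",
          "1": "DH group 1 (768-bit)", "2": "DH group 2 (1024-bit)"}


def parse_vpnc(text):
    """Parse vpnc's 'Key words value' lines; '#' lines are comments."""
    conf = {}
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith("#"):
            for key in VPNC_KEYS:
                if line.startswith(key + " "):
                    conf[key] = line[len(key):].strip()
    return conf


def parse_asa(text):
    """Extract only the fields the cross-check needs from ASA CLI text."""
    asa = {"users": set(), "groups": set(), "psk": {}, "policy": {},
           "transform": [], "nonat_dst": []}
    group = None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"ip local pool \S+ (\S+)-(\S+) mask", line):
            asa["pool"] = (ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]))
        elif m := re.match(r"(authentication|encryption|hash|group) (\S+)$", line):
            asa["policy"][m[1]] = m[2]
        elif m := re.match(r"crypto ipsec transform-set \S+ (.+)$", line):
            asa["transform"] = m[1].split()
        elif m := re.match(r"tunnel-group (\S+) ", line):
            group = m[1]
            asa["groups"].add(group)
        elif m := re.match(r"pre-shared-key (\S+)$", line):
            asa["psk"][group] = m[1]   # belongs to the last tunnel-group seen
        elif m := re.match(r"username (\S+) password", line):
            asa["users"].add(m[1])
        elif m := re.match(r"access-list nonat .*permit ip \S+ \S+ (\S+) (\S+)$", line):
            asa["nonat_dst"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
    return asa


def audit(asa, vpnc):
    """Return (severity, message) findings; an empty list means all clear."""
    out = []
    group = vpnc.get("IPSec ID")
    if group not in asa["groups"]:
        out.append(("MISMATCH", f"tunnel-group {group!r} is not defined on the ASA"))
    elif vpnc.get("IPSec secret") != asa["psk"].get(group):
        out.append(("MISMATCH", f"group pre-shared key differs for {group}"))
    if vpnc.get("Xauth username") not in asa["users"]:
        out.append(("MISMATCH", "Xauth username has no local ASA account"))
    if "pool" in asa and not all(any(ip in net for net in asa["nonat_dst"])
                                 for ip in asa["pool"]):
        out.append(("MISMATCH", "address pool is not fully covered by the NAT-exempt ACL"))
    for field in ("encryption", "hash", "group"):
        val = asa["policy"].get(field)
        if val in LEGACY:
            out.append(("LEGACY", f"isakmp {field} {val}: {LEGACY[val]}"))
    for tok in asa["transform"]:           # esp-3des -> 3des, esp-sha-hmac -> sha
        alg = tok.replace("esp-", "").replace("-hmac", "")
        if alg in LEGACY:
            out.append(("LEGACY", f"transform-set {tok}: {LEGACY[alg]}"))
    return out


if __name__ == "__main__":
    for sev, msg in audit(parse_asa(ASA_CONFIG), parse_vpnc(VPNC_CONF)):
        print(f"[{sev}] {msg}")
```

Run against the values from the post it reports no MISMATCH entries and five LEGACY entries (the isakmp encryption, hash and group, plus both halves of the transform set). Change the IPSec secret in the profile and the pre-shared-key mismatch shows up before any tunnel is attempted.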
III. vpnclient (the Cisco VPN Client) as the VPN client on Linux

1. Install (vpnclient is chosen here as the Cisco VPN client on Linux)

    # tar -zxf vpnclient-linux-4.8.00.0490-k9.tar.gz
    # cd vpnclient
    # ./vpn_install
    Cisco Systems VPN Client Version 4.8.00 (0490) Linux Installer
    Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.

    By installing this product you agree that you have read the
    license.txt file (The VPN Client license) and will comply with
    its terms.

    Directory where binaries will be installed

(the installation directory)

    Automatically start the VPN service at boot time

    In order to build the VPN kernel module, you must have the
    kernel headers for the version of the kernel you are running.
    Directory containing linux kernel source code

(the kernel source must match the running kernel version)

    * Binaries will be installed in "/usr/local/bin".
    * Modules will be installed in "/lib/modules/2.6.18-53.el5/CiscoVPN".
    * The VPN service will be started AUTOMATICALLY at boot time.
    * Kernel source from "/lib/modules/2.6.18-53.el5/build" will be used to build the module.

    Is the above correct y

    Making module
    make -C /lib/modules/2.6.18-53.el5/build SUBDIRS=/root/vpnclient modules
    make: Entering directory `/usr/src/kernels/2.6.18-53.el5-i686'
    CC /root/vpnclient/linuxcniapi.o
    In file included from /root/vpnclient/linuxcniapi.c:12:
    include/linux/config.h:6:2: warning: #warning Including config.h is deprecated.
    CC /root/vpnclient/frag.o
    In file included from /root/vpnclient/frag.c:1:
    include/linux/config.h:6:2: warning: #warning Including config.h is deprecated.
    CC /root/vpnclient/IPSecDrvOS_linux.o
    In file included from /root/vpnclient/IPSecDrvOS_linux.c:14:
    include/linux/config.h:6:2: warning: #warning Including config.h is deprecated.
    CC /root/vpnclient/interceptor.o
    In file included from /root/vpnclient/interceptor.c:11:
    include/linux/config.h:6:2: warning: #warning Including config.h is deprecated.
    /root/vpnclient/interceptor.c: In function 'handle_vpnup':
    /root/vpnclient/interceptor.c:310: warning: assignment from incompatible pointer type
    /root/vpnclient/interceptor.c:334: warning: assignment from incompatible pointer type
    /root/vpnclient/interceptor.c:335: warning: assignment from incompatible pointer type
    /root/vpnclient/interceptor.c: In function 'do_cleanup':
    /root/vpnclient/interceptor.c:378: warning: assignment from incompatible pointer type
    CC /root/vpnclient/linuxkernelapi.o
    LD /root/vpnclient/cisco_ipsec.o
    Building modules, stage 2.
    MODPOST
    WARNING: /root/vpnclient/cisco_ipsec.o - Section mismatch: reference to .init.text: from .data between 'interceptor_dev' (at offset 0xb4) and 'interceptor_notifier'
    WARNING: could not find /root/vpnclient/.libdriver.so.cmd for /root/vpnclient/libdriver.so
    CC /root/vpnclient/cisco_ipsec.mod.o
    LD /root/vpnclient/cisco_ipsec.ko
    make: Leaving directory `/usr/src/kernels/2.6.18-53.el5-i686'
    Copying module to directory "/lib/modules/2.6.18-53.el5/CiscoVPN".
    Already have group 'bin'

    Creating start/stop script "/etc/init.d/vpnclient_init".
      /etc/init.d/vpnclient_init
    Enabling start/stop script for run level 3,4 and 5.
    Creating global config /etc/opt/cisco-vpnclient

    Installing license.txt (VPN Client license) in "/opt/cisco-vpnclient/":

    Installing bundled user profiles in "/etc/opt/cisco-vpnclient/Profiles/":
    * New Profiles : sample

    Copying binaries to directory "/opt/cisco-vpnclient/bin".
    Adding symlinks to "/usr/local/bin".
      /opt/cisco-vpnclient/bin/vpnclient
      /opt/cisco-vpnclient/bin/cisco_cert_mgr
      /opt/cisco-vpnclient/bin/ipseclog
    Copying setuid binaries to directory "/opt/cisco-vpnclient/bin".
      /opt/cisco-vpnclient/bin/cvpnd
    Copying libraries to directory "/opt/cisco-vpnclient/lib".
      /opt/cisco-vpnclient/lib/libvpnapi.so
    Copying header files to directory "/opt/cisco-vpnclient/include".
      /opt/cisco-vpnclient/include/vpnapi.h

    Setting permissions.
      /opt/cisco-vpnclient/bin/cvpnd (setuid root)
      /opt/cisco-vpnclient (group bin readable)
      /etc/opt/cisco-vpnclient (group bin readable)
      /etc/opt/cisco-vpnclient/Profiles (group bin readable)
      /etc/opt/cisco-vpnclient/Certificates (group bin readable)
    * You may wish to change these permissions to restrict access to root.
    * You must run "/etc/init.d/vpnclient_init start" before using the client.
    * This script will be run AUTOMATICALLY every time you reboot your computer.

2. Start the init service

    # /etc/init.d/vpnclient_init start
    Starting /opt/cisco-vpnclient/bin/vpnclient: Done

3. Configure

    # cd /etc/opt/cisco-vpnclient/Profiles/
    # cp sample.pcf asa5510.pcf
    # vim asa5510.pcf
    Description=ASA5510
    Host=210.82.111.108
    AuthType=1
    GroupName=vpnclient
    EnableISPConnect=0
    ISPConnectType=0
    ISPConnect=
    ISPCommand=
    Username=bjicc
    SaveUserPassword=1
    EnableBackup=0
    BackupServer=
    EnableNat=1
    CertStore=0
    CertName=
    CertPath=
    CertSubjectName=
    CertSerialHash=00000000000000000000000000000000
    DHGroup=2

4. Connection test

    # vpnclient connect asa5510
    Cisco Systems VPN Client Version 4.8.00 (0490)
    Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Linux
    Running on: Linux 2.6.18-53.el5 #1 SMP Wed Oct 10 16:34:02 EDT 2007 i686
    Config file directory: /etc/opt/cisco-vpnclient

    Enter a group password:
    Initializing the VPN connection.
    Contacting the gateway at 210.82.111.108
    User Authentication for asa5510...

    The server has requested the following information to complete the user
    authentication:

    Username :
    Password []:
    Authenticating user.
    Negotiating security policies.
    Securing communication channel.

    Your VPN connection is secure.

    VPN tunnel information.
    Client address: 10.160.88.2
    Server address: 210.82.111.108
    Encryption: 168-bit 3-DES
    Authentication: HMAC-SHA
    IP Compression: None
    NAT passthrough is inactive
    Local LAN Access is disabled

The client prompts for the group password and then for the username and password; the connection succeeds.

    # ifconfig | grep -A 5 -i ipsec
    cipsec0   Link encap:Ethernet  HWaddr 00:0B:FC:F8:01:8F
              inet addr:10.160.88.2  Mask:255.255.255.0
              inet6 addr: fe80::20b:fcff:fef8:18f/64 Scope:Link
              UP RUNNING NOARP  MTU:1356  Metric:1
              RX packets:0 errors:0 dropped:1 overruns:0 frame:0
              TX packets:0 errors:0 dropped:1 overruns:0 carrier:0

The connection is established and an IP address was obtained.

    # vpnclient disconnect
    Cisco Systems VPN Client Version 4.8.00 (0490)
    Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Linux
    Running on: Linux 2.6.18-53.el5 #1 SMP Wed Oct 10 16:34:02 EDT 2007 i686
    Config file directory: /etc/opt/cisco-vpnclient

    Disconnecting the VPN connection.
    Your VPN connection has been terminated.

The VPN connection is torn down.
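Both client profiles hold credentials: the vpnc profile carries the group PSK and (as written above) the Xauth password, and the Cisco .pcf profile is set to SaveUserPassword=1 while the installer leaves the Profiles directory group-readable and itself suggests restricting access to root. The following added script, not part of the original post or of either client, audits a profile of either type for secrets at rest: it lists which secret-bearing keys are present, checks that the file is not readable by group or other, and reports when the user's own password is kept on disk. The .pcf keys GroupPwd, enc_GroupPwd, UserPassword and enc_UserPassword are standard profile keys that the post does not show; the demo files are constructed from the post's values.

```python
"""Audit a VPN client profile for credentials stored on disk.
Added example, not code from the original post or from either client. Works on
a vpnc .conf (installed with mode 600 above) and on a Cisco .pcf profile (left
group-readable by the installer). The .pcf secret key names are standard
profile keys that are not shown in the post.
"""
import configparser
import os
import stat
import tempfile

VPNC_SECRET_KEYS = ("IPSec secret", "Xauth password")
PCF_SECRET_KEYS = ("GroupPwd", "enc_GroupPwd", "UserPassword", "enc_UserPassword")
# Any of these means the user's own password is kept on disk.
USER_PW_MARKERS = {"Xauth password", "UserPassword", "enc_UserPassword", "SaveUserPassword=1"}


def stored_secrets(path):
    """Names of secret-bearing keys in a vpnc .conf or a Cisco .pcf profile."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    found = []
    if path.endswith(".pcf"):
        if not text.lstrip().startswith("["):
            text = "[main]\n" + text          # tolerate a profile without the section header
        cp = configparser.ConfigParser(interpolation=None)
        cp.optionxform = str                  # keep key case (enc_GroupPwd vs GroupPwd)
        cp.read_string(text)
        main = cp["main"] if cp.has_section("main") else {}
        found += [k for k in PCF_SECRET_KEYS if main.get(k)]   # empty values do not count
        if main.get("SaveUserPassword", "0") == "1":
            found.append("SaveUserPassword=1")
    else:
        for line in (l.strip() for l in text.splitlines()):
            if not line.startswith("#"):
                found += [k for k in VPNC_SECRET_KEYS if line.startswith(k + " ")]
    return found


def audit_profile(path):
    """Return findings; an empty list means the profile is acceptable."""
    findings = []
    secrets = stored_secrets(path)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if secrets and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: mode {mode:04o} lets group/other read {', '.join(secrets)}")
    if USER_PW_MARKERS & set(secrets):
        findings.append(f"{path}: user password is stored on disk; let the client prompt instead")
    return findings


def demo():
    """Write two constructed profiles to a temp dir and audit both."""
    tmp = tempfile.mkdtemp()
    pcf = os.path.join(tmp, "asa5510.pcf")            # values taken from the post's profile
    with open(pcf, "w") as fh:
        fh.write("[main]\nDescription=ASA5510\nHost=210.82.111.108\nAuthType=1\n"
                 "GroupName=vpnclient\nUsername=bjicc\nSaveUserPassword=1\nEnableNat=1\n")
    os.chmod(pcf, 0o644)                               # group/other readable, as installed
    conf = os.path.join(tmp, "asa5510.conf")           # vpnc profile without a saved Xauth password
    with open(conf, "w") as fh:
        fh.write("IPSec gateway 210.82.111.108\nIPSec ID vpnclient\n"
                 "IPSec secret cisco123\nIKE Authmode psk\nXauth username bjicc\n")
    os.chmod(conf, 0o600)
    return {os.path.basename(p): audit_profile(p) for p in (pcf, conf)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "OK")
```

The demo .pcf produces two findings (world-readable file with a saved-password setting, and a user password configured to be stored), while the vpnc profile with mode 600 and no Xauth password line produces none; vpnc then prompts for the password at connect time. The same check applied to the profiles as written in the post would flag the Xauth password kept in /etc/vpnc/asa5510.conf.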