IT staff frequently manage a Cisco ASA (ASDM, SSL ***) from a Windows 7 machine.
Problem description
We can turn on logging to see the cause:
szhskj(config)#logging buffered debugging    (record log messages at the debugging level)
szhskj(config)#logging buffer-size 1048576    (enlarge the log buffer, otherwise older entries get flushed out of it)
szhskj(config)#logging on
Now open the ASA home page again with IE on Win7, then run show logging on the ASA:
%ASA-7-609002: Teardown local-host outside:10.1.1.1 duration 0:01:05
%ASA-7-609002: Teardown local-host identity:10.1.1.10 duration 0:01:05
%ASA-6-725007: SSL session with client outside:10.1.1.1/1084 terminated.
%ASA-7-609001: Built local-host outside:10.1.1.2
%ASA-7-609001: Built local-host identity:10.1.1.10
%ASA-6-302013: Built inbound TCP connection 14 for outside:10.1.1.2/49177 (10.1.1.2/49177) to identity:10.1.1.10/443 (10.1.1.10/443)
%ASA-6-725001: Starting SSL handshake with client outside:10.1.1.2/49177 for TLSv1 session.
%ASA-7-725010: Device supports the following 1 cipher(s).
%ASA-7-725011: Cipher[1] : DES-CBC-SHA
%ASA-7-725008: SSL client outside:10.1.1.2/49177 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : AES256-SHA
%ASA-7-725011: Cipher[3] : RC4-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[6] : DHE-DSS-AES256-SHA
%ASA-7-725011: Cipher[7] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher
%ASA-6-302014: Teardown TCP connection 14 for outside:10.1.1.2/49177 to identity:10.1.1.10/443 duration 0:00:00 bytes 7 TCP Reset by appliance
%ASA-7-609002: Teardown local-host outside:10.1.1.2 duration 0:00:00
%ASA-7-609002: Teardown local-host identity:10.1.1.10 duration 0:00:00
The lines marked in red show that the SSL ciphers on the two sides do not match: the ASA offers only DES-CBC-SHA, the client proposes eight ciphers that do not include it, and the handshake fails with "no shared cipher".
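Instead of reading the buffer by eye, the 7250xx messages can be grouped per handshake and the cipher overlap computed automatically. The Python script below is an added example, not code from the original article; it parses a constructed log excerpt built from the lines above and reports the ASA's offered ciphers, the client's proposed ciphers, their intersection, and the 725014 error text, so a failure like this one shows up as an empty shared list.

```python
import re
# Constructed sample: the SSL-related lines from the `show logging` excerpt above
# (a real buffer also carries the 302013/609001 connection messages in between).
SAMPLE_LOG = """\
%ASA-6-725001: Starting SSL handshake with client outside:10.1.1.2/49177 for TLSv1 session.
%ASA-7-725010: Device supports the following 1 cipher(s).
%ASA-7-725011: Cipher[1] : DES-CBC-SHA
%ASA-7-725008: SSL client outside:10.1.1.2/49177 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : AES256-SHA
%ASA-7-725011: Cipher[3] : RC4-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[6] : DHE-DSS-AES256-SHA
%ASA-7-725011: Cipher[7] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher
"""

RE_START = re.compile(r"%ASA-\d-725001: Starting SSL handshake with client (\S+)")
RE_SERVER = re.compile(r"%ASA-\d-725010: Device supports the following \d+ cipher")
RE_CLIENT = re.compile(r"%ASA-\d-725008: SSL client \S+ proposes the following \d+ cipher")
RE_CIPHER = re.compile(r"%ASA-\d-725011: Cipher\[\d+\] : (\S+)")
RE_ERROR = re.compile(r"%ASA-\d-725014: SSL lib error\. Function: \S+ Reason: (.+)$")

def analyze_ssl_handshakes(log_text):
    """Return one dict per 725001 handshake: offered/proposed ciphers, overlap, error."""
    handshakes, current, target = [], None, None
    for line in log_text.splitlines():
        line = line.strip()
        if m := RE_START.search(line):
            current = {"client": m.group(1), "server_ciphers": [],
                       "client_ciphers": [], "shared": [], "error": None}
            handshakes.append(current)
            target = None
        elif current is None:
            continue  # 7250xx lines before any 725001 have no handshake to attach to
        elif RE_SERVER.search(line):
            target = current["server_ciphers"]  # following Cipher[n] lines are the ASA's
        elif RE_CLIENT.search(line):
            target = current["client_ciphers"]  # following Cipher[n] lines are the client's
        elif (m := RE_CIPHER.search(line)) and target is not None:
            target.append(m.group(1))
        elif m := RE_ERROR.search(line):
            current["error"] = m.group(1).strip()
    for h in handshakes:
        # Keep the client's preference order; an empty list is the "no shared cipher" case.
        h["shared"] = [c for c in h["client_ciphers"] if c in h["server_ciphers"]]
    return handshakes
```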
You can check which ciphers the ASA currently supports:
szhskj(config)#show ssl
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: des-sha1
Disabled ciphers: 3des-sha1 rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 null-sha1
No SSL trust-points configured
Certificate authentication is not enabled
See? The ASA has only the des-sha1 cipher enabled. Without further ado, enable the other ciphers:
szhskj(config)# ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-md5 rc4-sha1
If, after you have entered the command above,
cisco(config)#show version
Licensed features for this platform:
Maximum Physical Interfaces
Maximum VLANs
Inside Hosts
Failover
***-DES
***-3DES-AES
Security Contexts
GTP/GPRS
AnyConnect Premium Peers
AnyConnect Essentials
Other *** Peers
Total *** Peers
Shared License
AnyConnect for Mobile
AnyConnect for Cisco *** Phone
Advanced Endpoint Assessment
UC Phone Proxy Sessions
Total UC Proxy Sessions
Botnet Traffic Filter
Intercompany Media Engine
there is no 3DES license. What now? Click the link below to request a 3DES license; it is free:
https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=139
Use show version to find the ASA's serial number (SN).
Enter the serial number and Cisco will send an email to your mailbox, with the contents shown in the picture below:
Activate the key from the email on the ASA:
ciscoasa(config)# activation-key 0f37f47e 44f47d72 94726194 b3e0308c 4835338f
Once it is activated, configure the ASA's ciphers again:
szhskj(config)# ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-md5 rc4-sha1
Done. Now go and try again.