SSL VPN is the simplest and most secure technology for giving remote users access to sensitive company data. Compared with the more complex IPsec VPN, SSL VPN provides remote connectivity in a simple, easy-to-use way. Any machine with a browser can use SSL VPN, because SSL is built into the browser; unlike a traditional IPsec VPN, it does not require client software to be installed on every client machine.

The lab software is as follows:

Router IOS: c7200-advipservicesk9_li-mz.124-11.t.bin

SSL VPN client software: sslclient-win-1.1.3.173.pkg (supports only XP; for systems newer than XP, download it from Cisco or extract it from the latest SDM)

Client: XP

The topology is as follows:

Step 1: Basic router connectivity configuration

```
R1#show ip int br
Interface              IP-Address   OK? Method Status                Protocol
FastEthernet0/0        unassigned   YES unset  administratively down down
FastEthernet1/0        2.2.2.1      YES manual up                    up
FastEthernet1/1        unassigned   YES unset  administratively down down
Loopback0              1.1.1.1      YES manual up                    up
Loopback1              9.9.9.9      YES manual up                    up
```
Step 2: Install the client

```
R1#format disk0:
Format operation may take a while. Continue? [confirm]
Format operation will destroy all data in "disk0:". Continue? [confirm]
Format: Drive communication & 1st Sector Write OK...
Writing Monlib sectors.
.....................................................................................................................................................
Monlib write complete
Format: All system sectors written. OK...
Format: Total sectors in formatted partition: 130883
Format: Total bytes in formatted partition: 67012096
Format: Operation completed successfully.
Format of disk0 complete
SSL#copy tftp disk0:
Address or name of remote host []? 2.2.2.3
Source filename []? sslclient-win-1.1.3.173.pkg
Destination filename [sslclient-win-1.1.3.173.pkg]?
Accessing tftp://2.2.2.3/sslclient-win-1.1.3.173.pkg...
Loading sslclient-win-1.1.3.173.pkg from 2.2.2.3 (via FastEthernet0/0): !!
[OK - 416354 bytes]

416354 bytes copied in 16.064 secs (25918 bytes/sec)
SSL#dir disk0:
Directory of disk0:/

    1  -rw-      416354  Mar 24 2010 18:45:20 +08:00  sslclient-win-1.1.3.173.pkg

66846720 bytes total (66428928 bytes free)
R1(config)#webvpn install svc disk0:/sslclient-win-1.1.3.173.pkg   // install the client
SSLVPN Package SSL-VPN-Client : installed successfully
```
Step 3: Basic login configuration

```
interface Loopback0                              // used as the SSL VPN gateway address
 ip address 1.1.1.1 255.255.255.0
!
aaa new-model
!
aaa authentication login sslvpn local            // authentication method
!
ip local pool sslvpn-pool 1.1.1.2 1.1.1.7        // address pool handed out to clients
username sslvpn password 0 sslvpn                // login username and password
```
Step 4: Main SSL VPN configuration

```
webvpn gateway sslvpngateway                     // configure the SSL VPN gateway
 ip interface FastEthernet1/0 port 443           // listening interface and port
 ssl trustpoint TP-self-signed-4294967295
 inservice                                       // enable the gateway
!
webvpn install svc disk0:/webvpn/svc.pkg
!
webvpn context sslvpntext                        // configure the context
 ssl authenticate verify all
 !
 !
 policy group sslvpn-policy                      // create the policy
   functions svc-enabled                         // enable the SSL VPN tunnel client (SVC)
   svc address-pool "sslvpn-pool"                // bind the address pool
 default-group-policy sslvpn-policy              // policy used by default
 aaa authentication list sslvpn                  // bind the authentication method
 gateway sslvpngateway                           // bind the gateway
 inservice                                       // enable the context
```
Step 5: Verification

On the client machine, browse to https://2.2.2.1

Click View certificate, then Install certificate, then OK

Enter the username and password

After a successful login you are redirected to the following page, which downloads and installs the client

After the installation succeeds, a key icon appears at the bottom right of the desktop. Opening it shows that an address has been assigned:

Try pinging the router; the SSL VPN connection is up

Check the SSL VPN information on the router:

```
R1#show ip local pool
 Pool          Begin      End        Free  In use
 sslvpn-pool   1.1.1.2    1.1.1.7       5       1
R1#show webvpn session user sslvpn context all
WebVPN user name = sslvpn ; IP address = 2.2.2.3 ; context = sslvpntext
    No of connections: 1
    Created 00:24:26, Last-used 00:10:38
    STC IP address 1.1.1.4 netmask 255.255.255.0
    CSTP Started 00:23:22, Last-recieved 00:00:37
    CSTP DPD-Request sent 0
    Client Port: 59191
    User Policy Parameters
      Group name = sslvpn-policy
    Group Policy Parameters
      idle timeout = 2100 sec
      session timeout = 43200 sec
      functions =
                svc-enabled
      citrix disabled
      address pool name = "sslvpn-pool"
      dpd client timeout = 300 sec
      dpd gateway timeout = 300 sec
      keep sslvpn client installed = disabled
      rekey interval = 3600 sec
      rekey method =
      lease duration = 43200 sec
```
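As an added check that is not part of the original walkthrough: a small Python audit that reads the configuration from steps 3 and 4 and flags the settings a reviewer would want changed before this goes beyond a lab (the `password 0` line, whose cleartext password also equals the username, and the self-signed trustpoint that forces the manual certificate install in step 5), and reports the pool capacity so it can be compared with the `show ip local pool` output above. The sample config string is constructed from the page; the finding names are my own.

```python
import ipaddress
import re

# Constructed sample input: the SSL VPN configuration from steps 3 and 4
# above, joined into one running-config fragment.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login sslvpn local
ip local pool sslvpn-pool 1.1.1.2 1.1.1.7
username sslvpn password 0 sslvpn
webvpn gateway sslvpngateway
 ip interface FastEthernet1/0 port 443
 ssl trustpoint TP-self-signed-4294967295
 inservice
webvpn context sslvpntext
 ssl authenticate verify all
 policy group sslvpn-policy
   functions svc-enabled
   svc address-pool "sslvpn-pool"
 default-group-policy sslvpn-policy
 aaa authentication list sslvpn
 gateway sslvpngateway
 inservice
"""

def audit_sslvpn_config(config: str) -> list[tuple[str, str]]:
    """Return (finding, detail) pairs for the weak settings the walkthrough leaves in place."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        # Type-0 passwords are stored in cleartext and type-7 ones are trivially
        # reversible; 'username ... secret' stores a one-way hash instead.
        m = re.match(r"username (\S+) password [07] (\S+)$", line)
        if m:
            user, password = m.groups()
            findings.append(("REVERSIBLE_PASSWORD", f"user {user}: use 'username {user} secret ...'"))
            if password == user:
                findings.append(("PASSWORD_EQUALS_USERNAME", f"user {user}"))
        # A self-signed trustpoint means clients cannot validate the gateway
        # certificate, which is why step 5 has the user install it by hand.
        if line.startswith("ssl trustpoint TP-self-signed-"):
            findings.append(("SELF_SIGNED_CERT", line))
        # Report pool capacity so it can be compared with 'show ip local pool'
        # (Free + In use should equal this number).
        m = re.match(r"ip local pool (\S+) (\S+) (\S+)$", line)
        if m:
            name, first, last = m.groups()
            size = int(ipaddress.IPv4Address(last)) - int(ipaddress.IPv4Address(first)) + 1
            findings.append(("POOL_SIZE", f"{name}: {size} addresses"))
    return findings

if __name__ == "__main__":
    for code, detail in audit_sslvpn_config(SAMPLE_CONFIG):
        print(f"{code}: {detail}")
```

The pool size reported for the page's configuration is 6, which matches the 5 free plus 1 in-use addresses shown by `show ip local pool`.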