CCNA_SEC Day 4 Homework

Published: 2024-12-07 ⋅ Reads: 148 ⋅ Likes: 0

1. L2LVPN

Requirements:

Site1_GW and Site2_GW build an SVTI tunnel VPN; the two sites run OSPF across the tunnel.

Site1 learns only Site2's 172.16.1.0/24 route via OSPF.

Site2 learns Site1's 10.1.10/24 and 192.168.10.0/24 routes via OSPF.

Site2's 172.16.1.0/24 network reaches the Site1_DMZ_DNS server and the Site1_DMZ_HTTP server via OSPF; the FMC at Site1 permits the DNS and HTTP traffic.

Configuration:

Site1_GW configuration (key configuration only; do not paste show run)

crypto isakmp policy 10
 encryption 3des
 authentication pre-share
 group 2
crypto isakmp key qytang-key address 61.128.1.1
crypto ipsec transform-set qytang-trans esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec profile qytang-ipsecprof
 set transform-set qytang-trans
interface Tunnel0
 ip address 172.16.100.254 255.255.255.0
 ip mtu 1400
 tunnel source 202.100.1.1
 tunnel mode ipsec ipv4
 tunnel destination 61.128.1.1
 tunnel protection ipsec profile qytang-ipsecprof
route-map s2o permit 10
 match tag 10
ip route 192.168.10.200 255.255.255.255 192.168.1.10 tag 10
ip route 192.168.10.202 255.255.255.255 192.168.1.10 tag 10
router ospf 1
 redistribute static route-map s2o
 network 172.16.100.0 0.0.0.255 area 0

Site2_GW configuration

crypto isakmp policy 10
 encryption 3des
 authentication pre-share
 group 2
crypto isakmp key qytang-key address 202.100.1.1
crypto ipsec transform-set qytang-trans esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec profile qytang-ipsecprof
 set transform-set qytang-trans
interface Tunnel0
 ip address 172.16.100.253 255.255.255.0
 ip mtu 1400
 tunnel source 61.128.1.1
 tunnel mode ipsec ipv4
 tunnel destination 202.100.1.1
 tunnel protection ipsec profile qytang-ipsecprof
router ospf 1
 network 172.16.1.0 0.0.0.255 area 0
 network 172.16.100.0 0.0.0.255 area 0
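As an added check that is not part of the homework, the following Python script parses the two SVTI peer excerpts above, confirms that the pre-shared key, key address and tunnel endpoints mirror each other, and flags the 3DES and DH group 2 choices that should be upgraded before such a design leaves the lab. The weak-algorithm sets and the assumed IKEv1 policy defaults are this example's own choices, not taken from the page.

```python
# Constructed excerpts of the Site1_GW / Site2_GW SVTI configs from this page.
SITE1_GW = """\
crypto isakmp policy 10
 encryption 3des
 authentication pre-share
 group 2
crypto isakmp key qytang-key address 61.128.1.1
crypto ipsec transform-set qytang-trans esp-3des esp-sha-hmac
interface Tunnel0
 tunnel source 202.100.1.1
 tunnel destination 61.128.1.1
"""
# Site2_GW is the mirror image: swap the two public addresses.
SITE2_GW = (SITE1_GW.replace("61.128.1.1", "X").replace("202.100.1.1", "61.128.1.1")
            .replace("X", "202.100.1.1"))

# Algorithms Cisco's Next Generation Encryption guidance classes as legacy/avoid.
WEAK_IKE = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

def parse_peer(text):
    """Pull the IKE policy, PSK, transform set and tunnel endpoints out of an IOS excerpt."""
    cfg = {"encryption": "des", "hash": "sha", "group": "1"}  # assumed IKEv1 policy defaults
    for words in (line.split() for line in text.splitlines()):
        if len(words) == 2 and words[0] in cfg:              # encryption / hash / group
            cfg[words[0]] = words[1]
        elif words[:3] == ["crypto", "isakmp", "key"]:
            cfg["psk"], cfg["psk_peer"] = words[3], words[5]
        elif words[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["esp"] = set(words[4:])
        elif words[:2] == ["tunnel", "source"]:
            cfg["src"] = words[2]
        elif words[:2] == ["tunnel", "destination"]:
            cfg["dst"] = words[2]
    return cfg

def audit_crypto(cfg):
    """Findings for IKE policy and ESP transform-set choices that should be upgraded."""
    found = [f"IKE {k} {cfg[k]} is weak" for k in WEAK_IKE if cfg[k] in WEAK_IKE[k]]
    found += [f"ESP transform {t} is weak" for t in sorted(cfg.get("esp", ())) if t in WEAK_ESP]
    return found

def check_mirroring(a, b):
    """Each side must key on, and tunnel to, the other side's tunnel source with the same PSK."""
    problems = [] if a["psk"] == b["psk"] else ["pre-shared keys differ"]
    for x, y in ((a, b), (b, a)):
        if x["psk_peer"] != y["src"] or x["dst"] != y["src"]:
            problems.append(f"{x['src']} does not point at peer {y['src']}")
    return problems
```

Run `check_mirroring(parse_peer(SITE1_GW), parse_peer(SITE2_GW))` before bringing the tunnel up; an empty list means the peers agree, and `audit_crypto` lists what to change when moving to AES and a larger DH group.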

Test:

 

2. SSLVPN

Requirements:

SSLVPN_PC dials in to Site1_ASA with the AnyConnect client using the domain name asa.qytangsec.com.

VPN account: ssluser  Password: Cisc0123

AnyConnect client address pool: 10.1.2.1-10.1.2.100

The FTD firewall permits SSLVPN access to the DMZ HTTP server.

After the AnyConnect client connects, it reaches the DMZ HTTP server via the domain name site1.qytangsec.com.

Configuration: (key configuration only)

Site1_GW configuration

Site1_GW(config)# ip nat inside source static 192.168.1.11 202.100.1.100
OR
Site1_GW(config)# ip nat inside source static tcp 192.168.1.11 443 202.100.1.1 8443

ASA configuration

dns domain-lookup VPN
dns server-group DefaultDNS
 name-server 192.168.10.200
 domain-name qytangsec.com

FTD configuration

Add the return route.

Add a hosts entry on the client.

Clientless

webvpn
 enable Outside
username ssluser password Cisc0123

Thin client

webvpn
 port-forward qytang-pf 2222 192.168.10.202 ssh
group-policy qytangGroupPolicy internal
group-policy qytangGroupPolicy attributes
 webvpn
  port-forward enable qytang-pf
username ssluser attributes
 vpn-group-policy qytangGroupPolicy

Thick client (AnyConnect)

ip local pool sslpool 10.1.2.1-10.1.2.100
webvpn
 anyconnect image disk0:/anyconnect-win-4.5.05030-webdeploy-k9.pkg 1
 anyconnect enable
group-policy qytangGroupPolicy attributes
 dns-server value 192.168.10.200
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-dns value qytangsec.com
 address-pools value sslpool

Results: (screenshots with the key steps marked)

Clientless

Thin client

Thick client (AnyConnect)

