Configuration Guide for Interworking Our Firewall with Cisco ASA 5510

Only the first 5 pages of this 8-page document are reproduced; the remaining 3 pages are not included.
1 Our firewall configuration

acl number 3003
 rule 5 permit ip source 0 destination 0
#
ike proposal 1
 authentication-method rsa-sig
 dh group2
#
ike peer peer1
 exchange-mode aggressive
 certificate local-filename usg2100_local.cer
 ike-proposal 1
 undo version 2
 local-id-type ip/name/user-fqdn   - DN authentication is not supported when interworking with Cisco
 remote-name ciscoasa   - the peer's CN
 remote-address
 nat traversal
#
ipsec proposal prop1
#
ipsec policy aaa 1 isakmp
 security acl 3003
 ike-peer peer1
 proposal prop1
#
interface Ethernet2/0/0
 ip address
 ipsec policy aaa
#
#
pki entity usg2100
 common-name usg2100
 fqdn
 ip-address
 email
#
pki domain usg2100
 ca identifier ca
 certificate request url 05/certsrv/mscep/mscep.dll
 certificate request entity usg2100
 crl scep
 certificate request polling interval 2
 crl update-period 1
 crl auto-update enable
 crl url 05/certsrv/mscep/mscep.dll
#

2 Cisco configuration

2.1 Device model

Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Cisco Adaptive Security Appliance Software Version 8.4(1)
Other software versions will need slightly different configuration.

2.2 Configuring digital certificates (offline method)

2.2.1 Create the key pair

The system has a default RSA key pair named Default-RSA-Key; generating a key pair again overwrites the default one.

ciscoasa(config)# crypto key generate rsa
WARNING: You have a RSA keypair already defined named .
Do you really want to replace them? [yes/no]: y
Keypair generation process begin. Please wait.

2.2.2 Request the CA certificate

Create the trustpoint:

ciscoasa(config)# crypto ca trustpoint ASDM_TrustPoint1   - enter the trustpoint view
ciscoasa(config-ca-trustpoint)# subject-name CN=ciscoasa   - configure the subject name
ciscoasa(config-ca-trustpoint)# enrollment terminal   - offline method: the certificate is entered at the command line

Request the CA certificate offline:

ciscoasa(config)# crypto ca authenticate ASDM_TrustPoint1
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
   - paste the base64-encoded CA certificate into the command line
-----BEGIN CERTIFICATE-----
MIIDajCCAlKgAwIBAgIQC1AATG77kIpMGLCMyhkkjDANBgkqhkiG9w0BAQUFADAR
MQ8wDQYDVQQDEwZjYS1kdHQwHhcNMTIwMzA2MTkxNDM0WhcNMTcwMzA2MTkyNDA1
WjARMQ8wDQYDVQQDEwZjYS1kdHQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQCHOE1I0bgaF4WfHZErjaf8Et96xHaZuQxA3DPwO6jIDbXiBdSM4z+OYY+f
zz/M1zN/3M1O3az24hEiGnr1hOch4q0Ie466hjV9rB8znbcIN5NAUhBClcAbe+en
Fz1uWjy7e6lRQo+h8E8Z3kyciOX7qQ9km4YI1bOfVnTzff87AGAOunLMkPnj3QHH
852XGz87195OF6n+lc5wK2QLW6hVWoocBwlAZ0J16brXON7CXfBH+wBUn+C+gTMq
zQQyDvZIe3IfHkbGm4Cbtn669BJrXg1f+y19QPeiEjOMi+8UHYPctPJE93stWvVv
lhJ2CuSVvTcaXb/iycBk4EJX5HzXAgMBAAGjgb0wgbowCwYDVR0PBAQDAgGGMA8G
A1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFFLzw1X1qS/+ZN/fjwGnX9bHwzCFMGkG
A1UdHwRiMGAwXqBcoFqGKmh0dHA6Ly9odWF3ZWktY2Fyb290L0NlcnRFbnJvbGwv
Y2EtZHR0LmNybIYsZmlsZTovL1xcaHVhd2VpLWNhcm9vdFxDZXJ0RW5yb2xsXGNh
LWR0dC5jcmwwEAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQEFBQADggEBAIb2
J/pmMW63167PznbHxqwhcNKh/9JljeYfED3o9uqkALd1U02A/Bx6gl3DxAHhatqr
5Tc4sI7BJPOhKRs0cUDnveT4Oq+riED/OZ+pT4q1BUQHVTkqtdshOagvVwPXw9nI
QcoduaJ7gSDX3tEpxMhGXi4vBvR8h4PL9ZqVCqJlQoiB/aj0ZIkqAGolIlfFW+iP
Ees61qj4sRv19Wt0RHFwQmX1l3ECfM4j3c2g7VZYU7CudIQkoUUtZf2tEWvrzJ6k
eFcl2zbXL833RrD6aBdQttfB989juvsorSO9tjf066s6ljzyZB/HEFeczC/tyKzU
IzcNfkOqXIId5+jc7K8=
-----END CERTIFICATE-----
quit
INFO: Certificate has the following attributes:
Fingerprint: 2ba54dac 447a907b 933e1208 d00e1415
Do you accept this certificate? [yes/no]: y
Trustpoint CA certificate accepted.
% Certificate successfully imported

Note: with the offline method, if a certificate chain is used, create a new trustpoint for each level and import the CA certificates level by level. Each trustpoint holds exactly one CA certificate.

2.2.3 Request the local certificate

ciscoasa(config)# crypto ca enroll ASDM_TrustPoint1
% Start certificate enrollment .
% The subject name in the certificate will be: CN=ciscoasa
% The fully-qualified domain name in the certificate will be: ciscoasa
% Include the device serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: JMX1350L0F5
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
-----BEGIN CERTIFICATE REQUEST-----
MIIBtjCCAR8CAQAwQDERMA8GA1UEAxMIY2lzY29hc2ExKzASBgNVBAUTC0pNWDEz
NTBMMEY1MBUGCSqGSIb3DQEJAhYIY2lzY29hc2EwgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBAKhPgtFx1JRLaBxniWbmNH0iyiKyop+qSIIreAzIeDeDYjmaHxzv
fXEa4nJ/ph1xSzdOUpIdoKvMmKrOim1bUOEMLrZKQv4zrnX1xDHpUgSqNoZ0lpxi
g9vI+Pt/HY2LXPYoMQwPiRqKvVhAajbRuJ1PN3mPMHlLyPMgL3jXS0fBAgMBAAGg
NjA0BgkqhkiG9w0BCQ4xJzAlMA4GA1UdDwEB/wQEAwIFoDATBgNVHREEDDAKgghj
aXNjb2FzYTANBgkqhkiG9w0BAQUFAAOBgQBMXsz51KzQpI8AERyRBfeU3o7QOip+
Fe7+s/h4y0KcC/6q6HYBNgZ0/1K6v/CdDVLH+Ukjv6jwz/+1cNx76eAurRMWcm1
JC0mCMQm+dWz4DAgmN1MffVsOuySv89xYalmu9DZoWEx4CKG/MaN2dx4s/J7zuSQ
Ht8UWbd1EFCV2A=
-----END CERTIFICATE REQUEST-----
Redisplay enrollment request? [yes/no]: n

2.2.4 Import the local certificate

ciscoasa(config)# crypto ca import ASDM_TrustPoint1 certificate
% The fully-qualified domain name in the certificate will be: ciscoasa
Enter the base 64 encoded certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MIIDyjCCArKgAwIBAgIKYSkadgAAAAAADzANBgkqhkiG9w0BAQUFADARMQ8wDQYD
VQQDEwZjYS1kdHQwHhcNMTIwMzI5MTgzMzI3WhcNMTMwMzI5MTg0MzI3WjBCMRQw
EgYDVQQFEwtKTVgxMzUwTDBGNTEXMBUGCSqGSIb3DQEJAhMIY2lzY29hc2ExETAP
BgNVBAMTCGNpc2NvYXNhMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCoT4LR
cdSUS2gcZ4lm5jR9IsoisqKfqkiCK3gMyHg3g2I5mh8c731xGuJyf6YdcUs3TlKS
HaCrzJiqzoptW1DhDC62SkL+M6519cQx6VIEqjaGdJacYoPbyPj7fx2Ni1z2KDEM
D4kair1YQGo20bidTzd5jzB5S8jzIC9410tHwQIDAQABo4IBdTCCAXEwDgYDVR0P
AQH/BAQDAgWgMBMGA1UdEQQMMAqCCGNpc2NvYXNhMB0GA1UdDgQWBBQj50rOJtog
z/oY4KCGMfLHjgM1LzAfBgNVHSMEGDAWgBRS88NV9akv/mTf348Bp1/Wx8MwhTBp
BgNVHR8EYjBgMF6gXKBahipodHRwOi8vaHVhd2VpLWNhcm9vdC9DZXJ0RW5yb2xs
L2NhLWR0dC5jcmyGLGZpbGU6Ly9cXGh1YXdlaS1jYXJvb3RcQ2VydEVucm9sbFxj
YS1kdHQuY3JsMIGeBggrBgEFBQcBAQSBkTCBjjBEBggrBgEFBQcwAoY4aHR0cDov
L2h1YXdlaS1jYXJvb3QvQ2VydEVucm9sbC9odWF3ZWktY2Fyb290X2NhLWR0dC5j
cnQwRgYIKwYBBQUHMAKGOmZpbGU6Ly9cXGh1YXdlaS1jYXJvb3RcQ2VydEVucm9s
bFxodWF3ZWktY2Fyb290X2NhLWR0dC5jcnQwDQYJKoZIhvcNAQEFBQADggEBAHuX
xz3X7fcwx1dNHnONNt+GvO6ccjgJGNP7sMMRiOqTxqaVlqKNluxyzmZVHKJwuaxM
KNB3fgLgguOLug0f7YxsLlzGePIIpJf/GqqQKYYAPDY7Vg0xvUWRp/SD1ikekXAf
5BB99d8MUibLTzcmlQ2xzbJ/Zth63lo52VE0xPQDGzirszNVZfgBh8pTwz4ax+0I
taClOXX99/TcLM/Ek3Ig7W5LQ12RSPuttp/R9T6cRixQCAkzxUBqH10HzFWCzK6A
QkxouEHX7AEbNC+zRnS5+qVPWysiSk/z05goamUmd1HFdwXA9P0kpmYBn+FjhNyI
uM5kNiA6o/uJjIF2ey0=
-----END CERTIFICATE-----
quit
ERROR: Certificate already exists in the trustpoint ASDM_TrustPoint1
ERROR: Failed to parse or verify imported certificate
ciscoasa(config)# CRYPTO_PKI: status = 1795: failed to verify or insert the cert into storage
   - the import reports an error, but IKE negotiation still succeeds (the cause of the error is not understood)
ciscoasa(config)# write memory   - save the configuration
ciscoasa(config)# show crypto ca certificates   - shows the two successfully imported certificates (the CA certificate and the local certificate)

2.3 IPsec/IKE configuration (certificate-based authentication)

The configuration in this section uses certificate authentication. To use pre-shared keys instead, only the IKE authentication method and the tunnel group need to change; see section 2.5.

Configure the IKE proposal

IKEv1:

crypto ikev1 policy 111   - configure the IKE proposal
 authentication rsa-sig   - certificate authentication (use pre-share for a pre-shared key)
 encryption des
 hash sha
 group 2
 lifetime 86400

IKEv2:

crypto ikev2 policy 111
 encryption des
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400

Configure the identity method

crypto isakmp identity auto   - peer identity type auto: adapts to certificate or pre-shared key authentication

Enable IKEv1 on the interface

crypto ikev1 enable if_e0/0

Configure the ACL

access-list if_e0/0_cryptomap_1 extended permit ip host host

Configure the IPsec proposal

crypto ipsec ikev1 transform-set 111 esp-des esp-md5-hmac

Configure the IPsec policy (crypto map)

crypto map if_e0/0_map 1 match address if_e0/0_cryptomap_1   - bind the ACL to the policy
crypto map if_e0/0_map 1 set peer   - set the peer IP address
crypto map if_e0/0_map 1 set ikev1 phase1-mode aggressive   - aggressive mode
crypto map if_e0/0_map 1 set ikev1 transform-set 111   - reference the IPsec proposal
crypto map if_e0/0_map 1 set trustpoint ASDM_TrustPoint1   - reference
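At the "Do you accept this certificate?" prompt in section 2.2.2 the ASA prints a fingerprint of the CA certificate. Before answering yes, that value should be compared with a fingerprint obtained from the CA operator out of band, because whatever is accepted at this prompt becomes the trust anchor for every IKE peer that later authenticates with a certificate from that CA. The following Python script is an added example, not part of the original document or of Cisco's tooling: it decodes a PEM certificate, computes MD5, SHA-1 and SHA-256 fingerprints of the DER encoding, and checks the ASA-printed value against them after normalising spacing and case. It assumes that the 16-byte fingerprint the ASA prints is MD5 over the DER bytes (the length matches MD5). The PEM body embedded in the script is a constructed three-byte placeholder so that the script runs offline; the real base64 CA certificate text is pasted in its place in practice.

```python
"""Check the CA certificate fingerprint printed by the ASA (section 2.2.2).

Added example, not from the original document. Assumes the 16-byte
fingerprint the ASA prints is MD5 over the certificate's DER encoding;
SHA-1 and SHA-256 are computed too so the value can be checked against
whatever digest the CA operator publishes.
"""
import base64
import hashlib
import re

# Fingerprint as printed by the ASA in section 2.2.2 of the document.
ASA_PRINTED_FINGERPRINT = "2ba54dac 447a907b 933e1208 d00e1415"

# Constructed placeholder (three bytes, not a real certificate) so the script
# runs offline; paste the real base64 CA certificate between the markers.
PLACEHOLDER_PEM = """\
-----BEGIN CERTIFICATE-----
AAEC
-----END CERTIFICATE-----
"""


def pem_to_der(pem):
    """Extract the base64 body between the BEGIN/END markers and decode it."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(m.group(1).split())  # drop line breaks and stray spaces
    return base64.b64decode(body, validate=True)


def fingerprints(der):
    """Hex digests of the DER bytes, keyed by algorithm name."""
    return {
        "md5": hashlib.md5(der).hexdigest(),
        "sha1": hashlib.sha1(der).hexdigest(),
        "sha256": hashlib.sha256(der).hexdigest(),
    }


def normalize(printed):
    """'2ba54dac 447a907b ...' -> '2ba54dac447a907b...': lower-case, hex only."""
    return re.sub(r"[^0-9a-f]", "", printed.lower())


def matches_printed(der, printed):
    """True if the ASA-printed value equals one of the computed fingerprints."""
    want = normalize(printed)
    return any(want == got for got in fingerprints(der).values())


if __name__ == "__main__":
    der = pem_to_der(PLACEHOLDER_PEM)
    for algo, digest in fingerprints(der).items():
        print(f"{algo}: {digest}")
    print("matches ASA output:", matches_printed(der, ASA_PRINTED_FINGERPRINT))
```

Run it with the real CA certificate pasted into PLACEHOLDER_PEM; only if `matches ASA output: True` is printed, and the same digest is confirmed by the CA operator through a channel other than the SCEP URL itself, should the prompt be answered with yes.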
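Section 2.3 pairs `encryption des` and `hash sha` in the IKEv1 policy with `esp-des esp-md5-hmac` in the transform set. The two firewalls will negotiate these, but DES, MD5 and DH group 2 are all regarded as weak today, and an engineer reviewing this configuration would want them replaced before the tunnel carries production traffic. The Python script below is an added example, not part of the original document or of either vendor's tooling: it parses a constructed copy of the ASA lines from this section and lists the weak choices. The sets of algorithms treated as weak are this example's own policy and can be adjusted; only the ASA side of the configuration is parsed.

```python
"""Audit the ASA IKEv1/IPsec parameters from section 2.3 for weak algorithms.

Added example, not from the original document. Parses a constructed copy of
the ASA 8.4 lines shown in the text (crypto ikev1 policy and
crypto ipsec ikev1 transform-set) and reports algorithm choices a defender
would want replaced. The "weak" sets are this example's own policy.
"""
import re

# Constructed input: the ASA lines from section 2.3, as the document gives them.
ASA_CONFIG = """\
crypto ikev1 policy 111
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set 111 esp-des esp-md5-hmac
"""

WEAK_ENCRYPTION = {"des", "3des", "esp-des", "esp-3des"}
WEAK_HASH = {"md5", "esp-md5-hmac"}
WEAK_DH_GROUPS = {"1", "2", "5"}


def parse_ikev1_policies(config):
    """Return {policy_number: {keyword: value}} for each 'crypto ikev1 policy'."""
    policies = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^crypto ikev1 policy (\d+)\s*$", line)
        if m:
            current = policies.setdefault(m.group(1), {})
            continue
        if current is not None and line.startswith(" "):
            # Indented line inside the policy: "keyword value"
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None  # any other top-level line ends the policy block
    return policies


def parse_transform_sets(config):
    """Return {name: [transforms]} for each 'crypto ipsec ikev1 transform-set'."""
    sets = {}
    for line in config.splitlines():
        m = re.match(r"^crypto ipsec ikev1 transform-set (\S+) (.+)$", line)
        if m:
            sets[m.group(1)] = m.group(2).split()
    return sets


def audit(config):
    """Return a sorted list of findings, each formatted as 'where: detail'."""
    findings = []
    for number, policy in parse_ikev1_policies(config).items():
        where = f"ikev1 policy {number}"
        if policy.get("encryption") in WEAK_ENCRYPTION:
            findings.append(f"{where}: weak encryption {policy['encryption']}")
        if policy.get("hash") in WEAK_HASH:
            findings.append(f"{where}: weak hash {policy['hash']}")
        if policy.get("group") in WEAK_DH_GROUPS:
            findings.append(f"{where}: weak DH group {policy['group']}")
    for name, transforms in parse_transform_sets(config).items():
        where = f"transform-set {name}"
        for t in transforms:
            if t in WEAK_ENCRYPTION:
                findings.append(f"{where}: weak ESP cipher {t}")
            if t in WEAK_HASH:
                findings.append(f"{where}: weak ESP integrity {t}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(ASA_CONFIG):
        print(finding)
```

Whatever replaces the flagged algorithms on the ASA has to be mirrored in the Huawei `ike proposal 1` and `ipsec proposal prop1` in section 1, since IKE only succeeds when both peers offer a matching proposal.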
