




Step 1: Build the Windows CA, and synchronize the clocks of the ASA and the Windows CA.
Step 2: Install the Windows CA root certificate on the ASA, then request and install the ASA's own identity certificate.
Step 3: Configure the ASA as the SSL VPN server.
Step 4: Client configuration: install the Windows CA root certificate on the client, then request and install a client certificate.

Step 1: Build the Windows CA

Step 2: Install the Windows CA root certificate on the ASA, then request and install the ASA's own identity certificate

1. Generate the RSA key pair

sslvpngw(config)# domain-name 
sslvpngw(config)# crypto key generate rsa label my.ca.key modulus 1024
INFO: The name for the keys will be: my.ca.key
Keypair generation process begin. Please wait.

2. Define the X.500 distinguished name

crypto ca trustpoint CA1                      (define the trustpoint)
 enrollment terminal                          (enrollment method: terminal = manual enrollment, url = SCEP enrollment)
 fqdn 
 subject-name CN=,OU=network,O=link-infor,C=CH,St=ShangHai
 keypair my.ca.key
 crl configure
  enrollment url http:/x.x.x.x                (CRL configuration: where CRL updates are fetched from)

3. Enroll with the CA (obtain the identity certificate from the CA server)

sslvpngw(config)# crypto ca enroll CA1
% Start certificate enrollment .
% The subject name in the certificate will be: CN=,OU=network,O=link-infor,C=CH,St=ShangHai
% The fully-qualified domain name in the certificate will be: 
% Include the device serial number in the subject name? yes/no: n
Display Certificate Request to terminal? yes/no: y
Certificate Request follows:
-----BEGIN CERTIFICATE REQUEST-----
[base-64 certificate request omitted]
-----END CERTIFICATE REQUEST-----
Redisplay enrollment request? yes/no:

4. Request the ASA's certificate on the CA web enrollment page, pasting the base-64 request that crypto ca enroll CA1 produced.

5. The CA server administrator approves the ASA's request above and issues the certificate; then download it. Firefox cannot download the certificate for the ASA (use another browser). Choose Base 64 encoding when downloading.

Before you install the identity certificate, the CA certificate must be downloaded from the CA server and installed in the ASA, as shown.

6. Download the CA server's root certificate and install it on the ASA. Open the downloaded root CA file in Notepad and paste its contents at the prompt:

vpngw(config)# crypto ca authenticate CA1
Enter the base 64 encoded CA certificate.
End with the word quit on a line by itself
[base-64 CA certificate omitted]
quit
INFO: Certificate has the following attributes:
Fingerprint: 6b92dfc8 4c0a5707 52584f4e af5166cd
Do you accept this certificate? yes/no: y
Trustpoint CA certificate accepted.
% Certificate successfully imported

7. Install the certificate issued to the ASA, pasting the base-64 encoding of the downloaded ASA certificate:

vpngw(config)# crypto ca import CA1 certificate
% The fully-qualified domain name in the certificate will be: 
Enter the base 64 encoded certificate.
End with the word quit on a line by itself
[base-64 identity certificate omitted]
quit
INFO: Certificate successfully imported

Step 3: Configure the ASA as the SSL VPN server

webvpn
 enable outside
 svc image disk0:/anyconnect-dart-win-2.5.3054-k9.pkg 1
 svc enable
 tunnel-group-list enable
username cisco password cisco
tunnel-group DefaultWEBVPNGroup general-attributes
 authorization-server-group LOCAL
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 authentication aaa certificate

Step 4: Client certificate request and download of the issued certificate. The VPN client imports the root certificate and the requested certificate; without the certificate, the connection is refused.

1. The client downloads and installs the CA's root certificate.
2. Client certificate: download the root certificate, then request and download the client certificate.
3. Login succeeds.

Full configuration

sslvpngw(config)# show run
: Saved
:
ASA Version 8.2(2)
!
hostname sslvpngw
domain-name 
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 ip add
 security-level 100
 no ip address
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 00
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST 8
dns server-group DefaultDNS
 domain-name 
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 4433
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint CA1
 enrollment terminal
 fqdn 
 subject-name CN=,OU=network,O=link-infor,C=CH,St=ShangHai
 keypair my.ca.key
 crl configure
crypto ca certificate chain CA1
 certificate 610d26f1000000000010
    30820417 308202ff a0030201 02020a61 0d26f100 00000000 10300d06 092a8648
    86f70d01 01050500 30123110 300e0603 55040313 0743412d 524f4f54 301e170d
    31323031 30333132 32363435 5a170d31 33303130 33313233 3634355a 306c310b
    30090603 55040613 02434831 11300f06 03550408 13085368 616e6748 61693113
    30110603 55040a13 0a6c696e 6b2d696e 666f7231 10300e06 0355040b 13076e65
    74776f72 6b312330 21060355 0403131a 73736c76 706e6777 2e6c696e 6b2d696e
    666f722e 636f6d2e 636e3081 9f300d06 092a8648 86f70d01 01010500 03818d00
    30818902 818100bd 86939953 8b5ccb25 eda750dd 6f49603c b1b04aed ce976439
    42584bd1 1742268b 754e2116 b90be84f bd18e2c2 7995c5e0 6be7fa70 0df228cc
    b1f659e5 a1268eea 98a8d9f6 3ffedf23 790bd3b1 026ee85b 81f38be9 3337053d
    90046409 8581fc6f b38e73c5 c0e35672 ba194df7 1f050f55 1febded6 03014d6d
    ab0bc4d5 f6ce7302 03010001 a3820197 30820193 300e0603 551d0f01 01ff0404
    030205a0 30250603 551d1104 1e301c82 1a73736c 76706e67 772e6c69 6e6b2d69
    6e666f72 2e636f6d 2e636e30 1d060355 1d0e0416 0414acbb d4d274f9 66ba8cca
    57a269c6 2f775ee4 c81f301f 0603551d 23041830 16801443 d81ae28c 37f38dfa
    76cfa3c6 4b8397cf e6c26630 6f060355 1d1f0468 30663064 a062a060 862d6874
    74703a2f 2f323030 332d3234 62373362 35653863 2f436572 74456e72 6f6c6c2f
    43412d52 4f4f542e 63726c86 2f66696c 653a2f2f 5c5c3230 30332d32 34623733
    62356538 635c4365 7274456e 726f6c6c 5c43412d 524f4f54 2e63726c 3081a806
    082b0601 05050701 0104819b 30819830 4906082b 06010505 07300286 3d687474
    703a2f2f 32303033 2d323462 37336235 6538632f
43657274 456e726f 6c6c2f32 3030332d 32346237 33623565 38635f43 412d524f 4f542e63 7274304b 06082b06 01050507 3002863f 66696c65 3a2f2f5c 5c323030 332d3234 62373362 35653863 5c436572 74456e72 6f6c6c5c 32303033 2d323462 37336235 6538635f 43412d52 4f4f542e 63727430 0d06092a 864886f7 0d010105 05000382 01010024 7c133e47 3223d794 1e76a551 2bf0ea42 88e6c238 ae0b7fd6 a5e44ad9 0e0794da ba462df2 79eee3b5 ca733200 aab8585c f8a69e6c 1be9862a 24512c77 ae44cf99 299ad300 50491795 411f2f7b 3300f737 a7183157 8ce9f1c4 a5bd6066 3848d20e 2c3a06a2 4a8caf05 1f5503db dcce34da eb341438 fa665adb 0997d0f3 3a66b469 19fa04a6 3288af9b fec54c67 201365c9 dcd94446 05d7f1d0 2ffb786d 01ce3d24 3c414130 e9cd0867 8e53fd45 30d41cc7 3f034373 5d870685 bb4f5839 5b09e1ee 461f1cbc 5fc5200d 330c90cb a650bb37 77279075 01b440c5 a56ff3d6 731ee8ce ede984c9 832ba492 d65cedc3 f49bb989 ce170b26 99196f4f a6264624 964f22 quit certificate ca 1f5377331e663584477d55e474a8e35e 30820372 3082025a a0030201 0202101f 5377331e 66358447 7d55e474 a8e35e30 0d06092a 864886f7 0d010105 05003012 3110300e 06035504 03130743 412d524f 4f54301e 170d3131 31303330 30323435 31345a17 0d313631 30333030 32353434 305a3012 3110300e 06035504 03130743 412d524f 4f543082 0122300d 06092a86 4886f70d 01010105 00038201 0f003082 010a0282 010100e4 74131715 3cb290d2 62ed6597 54762bd5 33b822d4 049cae56 e1ab0707 57afe3c5 2d052c63 d107dbab b44fac19 52956878 05961d25 4e690ccf dd388eed 1add322d f0156c16 3d15d35b 44e077c7 c5e70afa 1227e508 69c90cf9 676e5ba7 531102cf 4b91c33e 2beb8a5e 3fcdc029 054f1b11 55e166e2 e18ace22 1b8c6dd2 7bf77122 1b9cb2b4 a03a0a03 390096d8 d67df61b 22177f5a a387b4cc 1333055e 20bbade2 7f33c42a 518f64c8 5a6a4dda f242afc2 2b4c87ba f94b5ecc 7c80b79f 5c63b9f6 ea6e55c4 257e4130 a4c614e7 0b49765e e5d03f4c 581071ad ac079c61 a84b764a c44ec945 acff0310 45acc2a9 fadbc15e b42cb993 3c23e620 1ea14e2c 6a9edd02 03010001 a381c330 81c0300b 0603551d 0f040403 02018630 0f060355 1d130101 ff040530 030101ff 301d0603 551d0e04 16041443 d81ae28c 37f38dfa 76cfa3c6 
4b8397cf e6c26630 6f060355 1d1f0468 30663064 a062a060 862d6874 74703a2f 2f323030 332d3234 62373362 35653863 2f436572 74456e72 6f6c6c2f 43412d52 4f4f542e 63726c86 2f66696c 653a2f2f 5c5c3230 30332d32 34623733 62356538 635c4365 7274456e 726f6c6c 5c43412d 524f4f54 2e63726c 30100609 2b060104 01823715 01040302 0100300d 06092a86 4886f70d 01010505 00038201 01007986 d91031e4 17085f03 6d78d00e 39631bb3 c3f9b3c6 143b927b 42cde264 0b68844b 97e782fb 8196305b 0f939991 73bc99d0 776d151c f9dd764c 85865de0 557e1df6 c2d08047 f1dae188 66c99031 911007c5 6249f3ae 122cebf3 759a6422 73b63fcf eb059cc
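The following Python script is an added example; it is not part of this document and not a Cisco tool. It serves two points in the procedure above. First, when crypto ca authenticate CA1 asks "Do you accept this certificate?", the only protection against importing the wrong root is comparing the printed fingerprint (a 128-bit value on this release, i.e. MD5) with the value the CA itself reports; the script computes MD5, SHA-1 and SHA-256 fingerprints from the Base-64 file that certsrv downloads, in the ASA's spacing and in the Windows colon form, and compares them in constant time. Second, the hex under crypto ca certificate chain CA1 in the full configuration is simply the DER certificate written as 4-byte hex groups, so the same fingerprint can be recovered from a saved show run for auditing. SAMPLE_DER and the constructed Windows export are placeholders, not real certificates; the helper names are this example's own.

```python
"""Out-of-band checks on CA and identity certificates before and after pasting
them into an ASA trustpoint. Added example, standard library only.
Assumptions (constructed, not from the document): SAMPLE_DER is placeholder
bytes rather than a real certificate, and the 128-bit "Fingerprint:" the ASA
prints during crypto ca authenticate is MD5."""
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
HEX_TOKEN = re.compile(r"[0-9a-fA-F]{2,8}")


def pem_to_der(text):
    """Return the DER bytes of every certificate in a Base-64 export.
    Tolerates the CRLF line endings of a Windows CA download and also accepts
    bare Base-64 without PEM armor (what the ASA terminal prompt asks for)."""
    blobs = [base64.b64decode("".join(m.group(1).split()), validate=True)
             for m in PEM_RE.finditer(text)]
    if not blobs:
        blobs.append(base64.b64decode("".join(text.split()), validate=True))
    return blobs


def asa_fingerprint(der, algo="md5"):
    """Digest of the DER, formatted the way the ASA prints it: 8-hex-char groups."""
    digest = hashlib.new(algo, der).hexdigest()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def fingerprint_matches(der, expected, algo="md5"):
    """Compare a computed fingerprint with one read off the CA console or the
    certsrv page. Accepts ASA spacing ("6b92dfc8 4c0a5707 ...") or the Windows
    colon form ("6B:92:DF:C8:..."); the comparison is constant-time."""
    def norm(s):
        return "".join(c for c in s.lower() if c in "0123456789abcdef")
    return hmac.compare_digest(norm(asa_fingerprint(der, algo)), norm(expected))


def der_to_asa_hex(der):
    """Render DER as the dump that show run prints under 'crypto ca certificate
    chain': 8 groups of 4 bytes per line, terminated by quit."""
    h = der.hex()
    groups = [h[i:i + 8] for i in range(0, len(h), 8)]
    lines = ["    " + " ".join(groups[i:i + 8]) for i in range(0, len(groups), 8)]
    return "\n".join(lines) + "\n  quit"


def certificates_from_show_run(config_text):
    """Pull every 'certificate <label> ... quit' block out of a running config
    and return [(label, der_bytes)], so stored certificates can be fingerprinted
    offline without touching the device's trustpoint commands."""
    found, label, groups = [], None, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if label is None:
            if line.startswith("certificate "):
                label, groups = line[len("certificate "):], []
        elif line == "quit":
            found.append((label, bytes.fromhex("".join(groups))))
            label = None
        elif line and all(HEX_TOKEN.fullmatch(tok) for tok in line.split()):
            groups.extend(line.split())
    return found


# Constructed placeholder, NOT a real certificate: bytes to exercise the helpers.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def sample_windows_export(der):
    """Build what a Base 64 download from certsrv looks like (CRLF, 64-char lines)."""
    b64 = base64.b64encode(der).decode()
    body = "\r\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\r\n" + body + "\r\n-----END CERTIFICATE-----\r\n"


if __name__ == "__main__":
    der = pem_to_der(sample_windows_export(SAMPLE_DER))[0]
    print("MD5    :", asa_fingerprint(der, "md5"))     # value to compare at the ASA accept prompt
    print("SHA1   :", asa_fingerprint(der, "sha1"))    # value the Windows certificate viewer calls Thumbprint
    print("SHA256 :", asa_fingerprint(der, "sha256"))
    print(der_to_asa_hex(der))
    for label, blob in certificates_from_show_run(" certificate 0123\n" + der_to_asa_hex(der)):
        print("stored", label, "->", asa_fingerprint(blob))
```

Run it with the real root certificate file in place of the constructed export: the MD5 line is what to compare with the ASA's "Fingerprint:" prompt before answering yes, and the SHA1 line is what the Windows certificate viewer shows as the thumbprint, so both ends of the transfer can be matched from one file. The 1024-bit modulus and MD5 fingerprint used in this procedure are below current minimums; on current software generate at least a 2048-bit key and compare the SHA-1 or SHA-256 fingerprint where the platform displays one.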