Configuration guide for interworking our firewall with the Cisco ASA 5510

1 Our firewall configuration

The source document blanks out IP addresses, host names and e-mail values; those values are shown below as `<...>` placeholders or left empty exactly where the source left them.

```
acl number 3003
 rule 5 permit ip source 0 destination 0
#
ike proposal 1
 authentication-method rsa-sig
 dh group2
#
ike peer peer1
 exchange-mode aggressive
 certificate local-filename usg2100_local.cer
 ike-proposal 1
 undo version 2
 remote-name ciscoasa
 remote-address <peer IP>
 nat traversal
#
ipsec proposal prop1
#
ipsec policy aaa 1 isakmp
 security acl 3003
 ike-peer peer1
 proposal prop1
#
interface Ethernet2/0/0
 ip address <local IP>
 ipsec policy aaa
#
pki entity usg2100
 common-name usg2100
 fqdn
 ip-address
 email usg2100
#
pki domain usg2100
 ca identifier ca
 certificate request url 05/certsrv/mscep/mscep.dll
 certificate request entity usg2100
 crl scep
 certificate request polling interval 2
 crl update-period 1
 crl auto-update enable
 crl url 05/certsrv/mscep/mscep.dll
#
```

Notes on the IKE peer: authentication is by DN (certificate); the local ID types ip, name and user-fqdn are not supported when interworking with Cisco. `remote-name` is the CN of the peer's certificate, and `remote-address` is the peer's IP address.

2 Cisco configuration

2.1 Device model

Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Cisco Adaptive Security Appliance Software Version 8.4(1)

A different software version makes the configuration differ slightly.

2.2 Configuring digital certificates (offline method)

2.2.1 Create the key pair

The system has a default RSA key pair named Default-RSA-Key; generating a key pair again overwrites the default one.

```
ciscoasa(config)# crypto key generate rsa
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.
Do you really want to replace them? yes/no: y
Keypair generation process begin. Please wait...
```

2.2.2 Request the CA certificate

Create the trustpoint, enter its view, configure the subject name, and select offline (terminal) enrollment, in which certificates are pasted at the command line:

```
ciscoasa(config)# crypto ca trustpoint ASDM_TrustPoint1
ciscoasa(config-ca-trustpoint)# subject-name CN=ciscoasa
ciscoasa(config-ca-trustpoint)# enrollment terminal
```

Request the CA certificate offline by pasting the base64-format CA certificate into the command line. Before answering yes, compare the fingerprint the ASA prints with the fingerprint obtained from the CA administrator out of band:

```
ciscoasa(config)# crypto ca authenticate ASDM_TrustPoint1
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
(base64 CA certificate pasted here; omitted)
-----END CERTIFICATE-----
quit
INFO: Certificate has the following attributes:
Fingerprint:     2ba54dac 447a907b 933e1208 d00e1415
Do you accept this certificate? yes/no: y
Trustpoint CA certificate accepted.
% Certificate successfully imported
```

Note: In offline mode with a certificate chain, create a new trustpoint for each level and import the CA certificates level by level; each trustpoint corresponds to one CA certificate.

2.2.3 Request the local certificate

```
ciscoasa(config)# crypto ca enroll ASDM_TrustPoint1
% Start certificate enrollment ..
% The subject name in the certificate will be: CN=ciscoasa
% The fully-qualified domain name in the certificate will be: ciscoasa
% Include the device serial number in the subject name? yes/no: yes
% The serial number in the certificate will be: JMX1350L0F5
Display Certificate Request to terminal? yes/no: yes
Certificate Request follows:
-----BEGIN CERTIFICATE REQUEST-----
(base64 certificate request displayed here; omitted)
-----END CERTIFICATE REQUEST-----
Redisplay enrollment request? yes/no: n
```

The displayed request is submitted to the CA; the certificate the CA issues is imported in the next step.

2.2.4 Import the local certificate

```
ciscoasa(config)# crypto ca import ASDM_TrustPoint1 certificate
% The fully-qualified domain name in the certificate will be: ciscoasa
Enter the base 64 encoded certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
(base64 local certificate pasted here; omitted)
-----END CERTIFICATE-----
quit
ERROR: Certificate already exists in the trustpoint ASDM_TrustPoint1
ERROR: Failed to parse or verify imported certificate
ciscoasa(config)# CRYPTO_PKI: status = 1795: failed to verify or insert the cert into storage
```

The import reports an error, but negotiation still succeeds (the cause of the error was not understood). The first error line says the certificate is already present in the trustpoint, which is consistent with both certificates being listed afterwards.

```
ciscoasa(config)# write memory                   ! save the configuration
ciscoasa(config)# show crypto ca certificates    ! shows the two imported certificates (CA certificate and local certificate)
```

2.3 IPsec/IKE configuration (certificate-based authentication)

The configuration in this section is based on certificate authentication. If pre-shared keys are used, only the IKE authentication method and the tunnel group need to change; see section 2.5. DES and MD5 are the algorithms the two devices were tested with here; both are obsolete, and a stronger set should be chosen where both sides support it.

Configure the IKE proposal.

IKEv1:

```
crypto ikev1 policy 111
 authentication rsa-sig      ! certificate authentication (pre-share for pre-shared key)
 encryption des
 hash sha
 group 2
 lifetime 86400
```

IKEv2:

```
crypto ikev2 policy 111
 encryption des
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
```

Configure the identity method. With auto, the peer identification adapts to both certificate and pre-shared-key authentication:

```
crypto isakmp identity auto
```

Enable IKEv1 on the interface:

```
crypto ikev1 enable if_e0/0
```

Configure the ACL:

```
access-list if_e0/0_cryptomap_1 extended permit ip host <local IP> host <peer IP>
```

Configure the IPsec proposal:

```
crypto ipsec ikev1 transform-set 111 esp-des esp-md5-hmac
```

Configure the IPsec policy group (crypto map):

```
crypto map if_e0/0_map 1 match address if_e0/0_cryptomap_1    ! bind the ACL
crypto map if_e0/0_map 1 set peer <peer IP>                    ! set the peer IP
crypto map if_e0/0_map 1 set ikev1 phase1-mode aggressive      ! aggressive mode
crypto map if_e0/0_map 1 set ikev1 transform-set 111           ! reference the IPsec proposal
crypto map if_e0/0_map 1 set trustpoint ASDM_TrustPoint1       ! reference the certificate
crypto map if_e0/0_map interface if_e0/0                       ! bind to the interface
```

Configure the tunnel group, named after the peer's IP address:

```
tunnel-group <peer IP> type ipsec-l2l
tunnel-group <peer IP> ipsec-attributes
 ikev1 trust-point ASDM_TrustPoint1    ! reference the local certificate
```

Note: A tunnel group whose name is an IP address can accept peers authenticating with an ID of type ip, name or user-fqdn. A tunnel group whose name is not an IP address accepts only peers with a non-IP ID, and its name must be the peer's ID.

2.4 Using IKEv2

To support IKEv2 at the same time, add the following configuration on top of the configuration above (V1 and V2 are then both supported). To support only IKEv2, replace the corresponding configuration above with the following.

Create the IKE proposal:

```
crypto ikev2 policy 1
 encryption des
 int
```
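Step 2.2.2 asks the operator to accept the CA certificate on the strength of the fingerprint the ASA prints. The following added example (not from the guide) computes that fingerprint from a PEM file so it can be compared with the value the CA administrator supplies out of band; it assumes the ASA 8.4 prompt shows MD5 over the DER encoding as four groups of eight hex digits, and uses a constructed stand-in certificate body rather than the page's certificate.

```python
import base64
import hashlib
import re

# Constructed sample: these bytes only stand in for a DER certificate so the
# block runs offline; the guide's real CA certificate is not reproduced here.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(FAKE_DER).decode()
              + "-----END CERTIFICATE-----\n")


def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block and base64-decode it to DER."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def asa_fingerprint(der: bytes) -> str:
    """Assumed ASA rendering: MD5 of the DER bytes, four groups of eight hex digits."""
    digest = hashlib.md5(der).hexdigest()
    return " ".join(digest[i:i + 8] for i in range(0, 32, 8))


def fingerprint_matches(pem: str, expected: str) -> bool:
    """Compare ignoring spacing, colons and case, so a value copied from the CA
    console (e.g. 'AB:CD:...') compares equal to the ASA's spaced lowercase form."""
    def norm(s: str) -> str:
        return re.sub(r"[\s:]", "", s).lower()
    return norm(asa_fingerprint(pem_to_der(pem))) == norm(expected)


if __name__ == "__main__":
    fp = asa_fingerprint(pem_to_der(SAMPLE_PEM))
    print("Fingerprint:", fp)
    print("accept?", fingerprint_matches(SAMPLE_PEM, fp.upper().replace(" ", ":")))
```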
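Section 2.3 only works if the two vendors' IKEv1 proposals agree attribute by attribute, and on the Huawei side most attributes come from defaults rather than from the page's `ike proposal 1`. The following added example (not from the guide) parses both syntaxes into a common form and reports mismatches; the USG2100 defaults it fills in for unset attributes (pre-share, des-cbc, sha1, dh group1) are an assumption not stated on the page, and the fragments are constructed after the guide's configuration.

```python
# Constructed fragments following the guide's configuration (not copied from it).
HUAWEI_IKE = """ike proposal 1
 authentication-method rsa-sig
 dh group2
"""
ASA_IKEV1 = """crypto ikev1 policy 111
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
"""
# Assumed USG2100 'ike proposal' defaults for attributes the page leaves unset.
HUAWEI_DEFAULTS = {"auth": "pre-share", "enc": "des", "hash": "sha", "dh": "1"}


def parse_huawei_ike(text: str) -> dict:
    """Map Huawei keywords (des-cbc, sha1, group2) to a vendor-neutral form,
    starting from the assumed defaults."""
    prop = dict(HUAWEI_DEFAULTS)
    for line in text.splitlines():
        w = line.split()
        if len(w) < 2:
            continue
        if w[0] == "authentication-method":
            prop["auth"] = w[1]
        elif w[0] == "encryption-algorithm":
            prop["enc"] = w[1].replace("-cbc", "")
        elif w[0] == "authentication-algorithm":
            prop["hash"] = {"sha1": "sha"}.get(w[1], w[1])
        elif w[0] == "dh":
            prop["dh"] = w[1].replace("group", "")
    return prop


def parse_asa_ikev1(text: str) -> dict:
    """ASA 'crypto ikev1 policy' lines already use the neutral keywords."""
    keys = {"authentication": "auth", "encryption": "enc", "hash": "hash", "group": "dh"}
    prop = {}
    for line in text.splitlines():
        w = line.split()
        if len(w) >= 2 and w[0] in keys:
            prop[keys[w[0]]] = w[1]
    return prop


def ike_mismatches(huawei: str, asa: str) -> dict:
    """Attributes on which the proposals differ, as {attr: (huawei, asa)}."""
    h, a = parse_huawei_ike(huawei), parse_asa_ikev1(asa)
    return {k: (h.get(k), a.get(k)) for k in ("auth", "enc", "hash", "dh")
            if h.get(k) != a.get(k)}


if __name__ == "__main__":
    print(ike_mismatches(HUAWEI_IKE, ASA_IKEV1) or "IKEv1 proposals match")
```

Dropping `dh group2` from the Huawei side makes the check report a DH group mismatch against the ASA's `group 2`, which is why the page sets it explicitly.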
