1 Our firewall configuration (USG2100)
acl number 3003
rule 5 permit ip source 1.1.1.1 0 destination 2.2.2.2 0
#
ike proposal 1
authentication-method rsa-sig
dh group2
#
ike peer peer1
exchange-mode aggressive
certificate local-filename usg2100_local.cer
ike-proposal 1
undo version 2
local-id-type ip/name/user-fqdn ---------- DN-based identity is not supported when interoperating with Cisco
remote-name ciscoasa ----------- the CN of the peer's certificate
remote-address 10.0.0.2
nat traversal
#
ipsec proposal prop1
#
ipsec policy aaa 1 isakmp
security acl 3003
ike-peer peer1
proposal prop1
#
interface Ethernet2/0/0
ip address 10.0.0.1 255.255.255.0
ipsec policy aaa
#
#
pki entity usg2100
common-name usg2100
fqdn
ip-address 10.0.0.1
email usg2100@
#
pki domain usg2100
ca identifier ca
certificate request url http://2.2.10.105/certsrv/mscep/mscep.dll
certificate request entity usg2100
crl scep
certificate request polling interval 2
crl update-period 1
crl auto-update enable
crl url http://2.2.10.105/certsrv/mscep/mscep.dll
#
2 Cisco configuration
2.1 Device model
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Cisco Adaptive Security Appliance Software Version 8.4(1)
A different software version will make the configuration differ slightly.
2.2 Configuring digital certificates (offline method)
2.2.1 Create a key pair
The system ships with a default RSA key pair named <Default-RSA-Key>; generating again overwrites it, so any certificate already issued for the old key no longer matches and would have to be re-enrolled.
ciscoasa(config)# crypto key generate rsa
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.
Do you really want to replace them? [yes/no]: y
Keypair generation process begin. Please wait...
2.2.2 Obtain the CA certificate
Create the trustpoint
ciscoasa(config)# crypto ca trustpoint ASDM_TrustPoint1 -- enter trustpoint configuration mode
ciscoasa(config-ca-trustpoint)# subject-name CN=ciscoasa -- configure the subject name
ciscoasa(config-ca-trustpoint)# enrollment terminal -- offline method: the certificate is pasted in at the terminal
Import the CA certificate offline
ciscoasa(config)# crypto ca authenticate ASDM_TrustPoint1
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself --- paste the base64-encoded CA certificate into the terminal
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
quit
INFO: Certificate has the following attributes:
Fingerprint: 2ba54dac 447a907b 933e1208 d00e1415
Do you accept this certificate? [yes/no]: y
Trustpoint CA certificate accepted.
% Certificate successfully imported
Note: with the offline method, if a certificate chain is involved, create an additional trustpoint for each level and import the CA certificates level by level; each trustpoint holds exactly one CA certificate. Before answering yes at the fingerprint prompt, compare the displayed fingerprint with the value obtained from the CA administrator out of band; the ASA has no other way to tell a genuine CA certificate from a substituted one, and everything the tunnel trusts afterwards rests on this step.
2.2.3 Request the local (identity) certificate
ciscoasa(config)# crypto ca enroll ASDM_TrustPoint1
% Start certificate enrollment ..
% The subject name in the certificate will be: CN=ciscoasa
% The fully-qualified domain name in the certificate will be: ciscoasa
% Include the device serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: JMX1350L0F5
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
-----BEGIN CERTIFICATE REQUEST-----
MIIBtjCCAR8CAQAwQDERMA8GA1UEAxMIY2lzY29hc2ExKzASBgNVBAUTC0pNWDEz
NTBMMEY1MBUGCSqGSIb3DQEJAhYIY2lzY29hc2EwgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBAKhPgtFx1JRLaBxniWbmNH0iyiKyop+qSIIreAzIeDeDYjmaHxzv
fXEa4nJ/ph1xSzdOUpIdoKvMmKrOim1bUOEMLrZKQv4zrnX1xDHpUgSqNoZ0lpxi
g9vI+Pt/HY2LXPYoMQwPiRqKvVhAajbRuJ1PN3mPMHlLyPMgL3jXS0fBAgMBAAGg
NjA0BgkqhkiG9w0BCQ4xJzAlMA4GA1UdDwEB/wQEAwIFoDATBgNVHREEDDAKgghj
aXNjb2FzYTANBgkqhkiG9w0BAQUFAAOBgQBMXsz51KzQpI8AERyRBfeU3o7QOip+
Fe7+s/h4y0KcC//6q6HYBNgZ0/1K6v/CdDVLH+Ukjv6jwz/+1cNx76eAurRMWcm1
JC0mCMQm+dWz4DAgmN1MffVsOuySv89xYalmu9DZoWEx4CKG/MaN2dx4s/J7zuSQ
Ht8UWbd1EFCV2A==
-----END CERTIFICATE REQUEST-----
Redisplay enrollment request? [yes/no]: n
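Before the request above is handed to the CA it is worth confirming what it actually contains: the names in it determine which identity the ASA can present and which name the remote-name on the USG2100 side has to match, and the key size cannot be changed after issuance. The following is an added example, not part of the original page and not Cisco or Huawei tooling: a small pure-Python DER walker that decodes the PKCS#10 request printed by crypto ca enroll and reports subject, SAN, RSA key size and key usage, then compares them with the peer name expected on the Huawei side. The request text is the one on this page; the check_against_peer function and its 2048-bit minimum are this example's own choice.

```python
# Added example: inspect the ASA PKCS#10 request from section 2.2.3 before it goes to the CA.
import base64
import re

# Request exactly as printed by `crypto ca enroll ASDM_TrustPoint1` on this page.
ASA_CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIIBtjCCAR8CAQAwQDERMA8GA1UEAxMIY2lzY29hc2ExKzASBgNVBAUTC0pNWDEz
NTBMMEY1MBUGCSqGSIb3DQEJAhYIY2lzY29hc2EwgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBAKhPgtFx1JRLaBxniWbmNH0iyiKyop+qSIIreAzIeDeDYjmaHxzv
fXEa4nJ/ph1xSzdOUpIdoKvMmKrOim1bUOEMLrZKQv4zrnX1xDHpUgSqNoZ0lpxi
g9vI+Pt/HY2LXPYoMQwPiRqKvVhAajbRuJ1PN3mPMHlLyPMgL3jXS0fBAgMBAAGg
NjA0BgkqhkiG9w0BCQ4xJzAlMA4GA1UdDwEB/wQEAwIFoDATBgNVHREEDDAKgghj
aXNjb2FzYTANBgkqhkiG9w0BAQUFAAOBgQBMXsz51KzQpI8AERyRBfeU3o7QOip+
Fe7+s/h4y0KcC//6q6HYBNgZ0/1K6v/CdDVLH+Ukjv6jwz/+1cNx76eAurRMWcm1
JC0mCMQm+dWz4DAgmN1MffVsOuySv89xYalmu9DZoWEx4CKG/MaN2dx4s/J7zuSQ
Ht8UWbd1EFCV2A==
-----END CERTIFICATE REQUEST-----"""

# Only the OIDs a request like this one carries; anything else is reported numerically.
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.5": "serialNumber",
             "1.2.840.113549.1.9.2": "unstructuredName",
             "1.2.840.113549.1.9.14": "extensionRequest",
             "2.5.29.15": "keyUsage", "2.5.29.17": "subjectAltName"}
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
                  "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]

def pem_to_der(pem):
    # Strip the PEM armour lines and base64-decode what is left.
    return base64.b64decode("".join(re.sub(r"-----[^-]+-----", "", pem).split()))

def read_tlv(buf, pos):
    """One DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    # Yield (tag, value) for each TLV packed inside a constructed value.
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value

def oid_name(raw):
    """Decode an OBJECT IDENTIFIER body; map it to a name where known."""
    parts, acc = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, acc = parts + [str(acc)], 0
    return OID_NAMES.get(".".join(parts), ".".join(parts))

def parse_name(name):
    """RDNSequence -> {attribute: value}; multi-valued RDNs (the ASA emits one) are flattened."""
    out = {}
    for _, rdn_set in children(name):
        for _, atv in children(rdn_set):
            (_, oid), (_, value) = list(children(atv))
            out[oid_name(oid)] = value.decode("ascii")
    return out

def rsa_key_bits(spki):
    """SubjectPublicKeyInfo -> RSA modulus length in bits."""
    (_, _algo), (_, bit_string) = list(children(spki))
    _, rsa_key, _ = read_tlv(bit_string[1:], 0)  # skip the unused-bits octet of the BIT STRING
    (_, modulus), _ = list(children(rsa_key))
    return int.from_bytes(modulus, "big").bit_length()

def parse_extensions(attrs):
    """[0] attributes -> keyUsage names and SAN dNSNames carried in the extensionRequest."""
    exts = {}
    for _, attribute in children(attrs):
        (_, oid), (_, value_set) = list(children(attribute))
        if oid_name(oid) != "extensionRequest":
            continue
        for _, ext_list in children(value_set):
            for _, ext in children(ext_list):
                items = list(children(ext))  # OID, optional BOOLEAN critical, OCTET STRING
                name, (_, inner, _) = oid_name(items[0][1]), read_tlv(items[-1][1], 0)
                if name == "keyUsage":  # BIT STRING; first octet counts unused trailing bits
                    bits = "".join(f"{b:08b}" for b in inner[1:])[:8 * (len(inner) - 1) - inner[0]]
                    exts[name] = [KEY_USAGE_BITS[i] for i, c in enumerate(bits) if c == "1"]
                elif name == "subjectAltName":  # GeneralNames; context tag [2] is dNSName
                    exts[name] = [v.decode("ascii") for t, v in children(inner) if t == 0x82]
    return exts

def parse_csr(pem):
    """Return the request fields that matter for the IKE peer configuration."""
    _, csr, _ = read_tlv(pem_to_der(pem), 0)
    (_, info), _sig_alg, _signature = list(children(csr))
    _version, (_, subject), (_, spki), (_, attrs) = list(children(info))
    return {"subject": parse_name(subject), "rsa_bits": rsa_key_bits(spki),
            "extensions": parse_extensions(attrs)}

def check_against_peer(csr, remote_name, min_bits=2048):
    """Hypothetical pre-submission check against the Huawei `ike peer` settings (assumption)."""
    findings = []
    names = {csr["subject"].get("CN", "")} | set(csr["extensions"].get("subjectAltName", []))
    if remote_name not in names:
        findings.append(f"remote-name {remote_name!r} matches neither CN nor SAN {sorted(names)}")
    if csr["rsa_bits"] < min_bits:
        findings.append(f"RSA key is {csr['rsa_bits']} bits, below {min_bits}")
    if "digitalSignature" not in csr["extensions"].get("keyUsage", []):
        findings.append("keyUsage lacks digitalSignature, which rsa-sig authentication needs")
    return findings
```

Run on the page's request, parse_csr reports a subject of CN=ciscoasa with serialNumber JMX1350L0F5 and unstructuredName ciscoasa, a SAN dNSName of ciscoasa, keyUsage digitalSignature plus keyEncipherment, and a 1024-bit RSA key. The names line up with remote-name ciscoasa on the USG2100, so the identity side is fine; the 1024-bit key is the one thing check_against_peer flags, and it is also the one thing that cannot be corrected after the CA has signed, so this is the point at which to regenerate the key pair with a larger modulus rather than submit the request.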
2.2.4 Import the local certificate
ciscoasa(config)# crypto ca import ASDM_TrustPoint1 certificate
% The fully-qualified domain name in the certificate will be: ciscoasa
Enter the base 64 encoded certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
...