SSL & GET ××× Combined Lab Exercise

1. Network topology

[Figure 1: network topology diagram]

2. Network requirements

The KS establishes GET ××× with Inside1, Inside2 and DMZ2; the ASA provides SSL ××× to the outside.

3. Configuration

KS:

ip domain name yeslab.net

crypto key generate rsa modulus 1024 label get***key

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 10.1.2.1
crypto isakmp key cisco address 10.1.3.1
crypto isakmp key cisco address 10.1.4.1
crypto isakmp key cisco address 10.1.4.10

crypto ipsec transform-set cisco esp-des esp-md5-hmac

crypto ipsec profile ipsecprof
 set transform-set cisco

crypto gdoi group yeslabgroup
 identity number 666888
 server local
  rekey algorithm aes 192
  rekey retransmit 20 number 5
  rekey authentication mypubkey rsa get***key
  rekey transport unicast
  sa ipsec 1
   profile ipsecprof
   match address ipv4 get***traffic
   replay time window-size 20
  address ipv4 10.1.1.1

router ospf 1
 area 0 authentication message-digest
 network 10.1.1.0 0.0.0.255 area 0

interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip ospf message-digest-key 1 md5 yeslab123

ip access-list extended get***traffic
 deny   udp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 eq 848
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

ASA:

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 202.100.1.10 255.255.255.0
 ospf message-digest-key 1 md5
!
interface Ethernet0/1
 nameif DMZ1
 security-level 60
 ip address 10.1.1.10 255.255.255.0
 ospf message-digest-key 1 md5
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 10.1.3.10 255.255.255.0
 ospf message-digest-key 1 md5
!
interface Ethernet0/3
 nameif DMZ2
 security-level 50
 ip address 10.1.2.10 255.255.255.0
 ospf message-digest-key 1 md5

object-group network dmz2
 network-object 10.1.3.0 255.255.255.0
 network-object 10.1.4.0 255.255.255.0
 network-object 10.10.4.0 255.255.255.0
 network-object 10.10.3.0 255.255.255.0
access-list dmz2 extended permit udp host 10.1.2.1 eq 848 host 10.1.1.1 eq 848
access-list dmz2 extended permit esp host 10.10.2.1 object-group dmz2

access-group dmz2 in interface DMZ2

router ospf 1
 network 10.1.1.0 255.255.255.0 area 0
 network 10.1.2.0 255.255.255.0 area 0
 network 10.1.3.0 255.255.255.0 area 0
 network 202.100.1.0 255.255.255.0 area 0
 area 0 authentication message-digest

web***
 enable outside
 port-forward PF 55555 10.10.2.1 telnet
group-policy for-localuser internal
group-policy for-localuser attributes
 banner value welcome yeslab
 web***
  port-forward enable PF
  hidden-shares visible
  file-entry disable
  url-entry disable
username localuser password VPMnI7Ryh0/c7eki encrypted


DMZ.2:

username chen password 0 cisco

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 10.1.1.1

crypto gdoi group yeslabgroup
 identity number 666888
 server address ipv4 10.1.1.1

crypto map mymap 10 gdoi
 set group yeslabgroup
 match address telnet

interface Loopback0
 ip address 10.10.2.1 255.255.255.0
 ip ospf message-digest-key 1 md5 yeslab123
        
interface FastEthernet0/0
 ip address 10.1.2.1 255.255.255.0
 ip ospf message-digest-key 1 md5 yeslab123
 crypto map mymap

router ospf 1
 area 0 authentication message-digest
 network 10.1.2.0 0.0.0.255 area 0
 network 10.10.2.0 0.0.0.255 area 0

ip access-list extended telnet
 deny   tcp host 10.10.2.1 eq telnet host 10.1.2.10
 deny   ospf any any

line vty 0 15
 login local


Inside.1:

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 10.1.1.1

crypto gdoi group yeslabgroup
 identity number 666888
 server address ipv4 10.1.1.1

crypto map mymap 10 gdoi
 set group yeslabgroup

interface Loopback0
 ip address 10.10.3.1 255.255.255.0
 ip ospf message-digest-key 1 md5 yeslab123

interface FastEthernet0/0
 ip address 10.1.3.1 255.255.255.0
 ip ospf message-digest-key 1 md5 yeslab123
 crypto map mymap

interface FastEthernet0/1
 ip address 10.1.4.1 255.255.255.0
 ip ospf message-digest-key 1 md5 yeslab123
 crypto map mymap

router ospf 1
 area 0 authentication message-digest
 network 10.1.3.0 0.0.0.255 area 0
 network 10.1.4.0 0.0.0.255 area 0
 network 10.10.3.0 0.0.0.255 area 0

Inside.2:

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 10.1.1.1

crypto gdoi group yeslabgroup
 identity number 666888
 server address ipv4 10.1.1.1

crypto map mymap 10 gdoi
 set group yeslabgroup

interface Loopback0
 ip address 10.10.4.1 255.255.255.0
 ip ospf message-digest-key 1 md5 yeslab123

interface FastEthernet0/0
 ip address 10.1.4.10 255.255.255.0
 ip ospf message-digest-key 1 md5 yeslab123
 crypto map mymap

router ospf 1
 area 0 authentication message-digest
 network 10.1.4.0 0.0.0.255 area 0
 network 10.10.4.0 0.0.0.255 area 0
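As an added check (my own Python, not from the original post): a small model of how a GM evaluates its deny-only local ACL ahead of the ACL downloaded from the KS. The entries are transcribed from the DMZ.2 access list `telnet` and the KS access list `get***traffic` above, so you can see which flows leave in the clear and which are encrypted, in both directions. It models ACL evaluation only, not what the receiving router does with a packet.

```python
import ipaddress


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard-mask match: bits set to 1 in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


# Entry layout: (action, proto, src, src_wc, dst, dst_wc, sport, dport); None = any.
# Transcribed from the page's configs (constructed table, not device output).
# DMZ.2 local ACL "telnet": deny entries only, consulted before the KS policy.
GM_LOCAL_ACL = [
    ("deny", "tcp", "10.10.2.1", "0.0.0.0", "10.1.2.10", "0.0.0.0", 23, None),
    ("deny", "ospf", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255", None, None),
]
# KS ACL "get***traffic" as downloaded to every GM.
KS_ACL = [
    ("deny", "udp", "10.0.0.0", "0.255.255.255", "10.0.0.0", "0.255.255.255", None, 848),
    ("permit", "ip", "10.0.0.0", "0.255.255.255", "10.0.0.0", "0.255.255.255", None, None),
]


def classify(proto, src, dst, sport=None, dport=None):
    """First matching entry wins; 'permit' means encrypt, 'deny' or no match means clear."""
    for action, p, s, swc, d, dwc, sp, dp in GM_LOCAL_ACL + KS_ACL:
        if p != "ip" and p != proto:
            continue
        if not (wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc)):
            continue
        if sp is not None and sp != sport:
            continue
        if dp is not None and dp != dport:
            continue
        return "encrypt" if action == "permit" else "clear"
    return "clear"


def both_directions(proto, a, b, aport=None, bport=None):
    """Policy is applied per packet, so check a->b and the return b->a separately."""
    return classify(proto, a, b, aport, bport), classify(proto, b, a, bport, aport)


if __name__ == "__main__":
    # The ASA port-forward telnet session to 10.10.2.1, as seen by DMZ.2's crypto map.
    print(both_directions("tcp", "10.1.2.10", "10.10.2.1", 55001, 23))
```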


4. Verification

KS#show crypto gdoi
GROUP INFORMATION

    Group Name               : yeslabgroup (Unicast)
    Group Identity           : 666888
    Group Members            : 3
    IPSec SA Direction       : Both
    Active Group Server      : Local
    Group Rekey Lifetime     : 86400 secs
    Group Rekey
        Remaining Lifetime   : 85691 secs
    Rekey Retransmit Period  : 20 secs
    Rekey Retransmit Attempts: 5
    Group Retransmit
        Remaining Lifetime   : 0 secs

      IPSec SA Number        : 1
      IPSec SA Rekey Lifetime: 3600 secs
      Profile Name           : ipsecprof
      Replay method          : Time Based
      Replay Window Size     : 20
      SA Rekey
         Remaining Lifetime  : 2892 secs
      ACL Configured         : access-list get***traffic

    Group Server list        : Local


KS# show crypto gdoi group yeslabgroup
    Group Name               : yeslabgroup (Unicast)
    Group Identity           : 666888
    Group Members            : 3
    IPSec SA Direction       : Both
    Active Group Server      : Local
    Group Rekey Lifetime     : 86400 secs
    Group Rekey
        Remaining Lifetime   : 85319 secs
    Rekey Retransmit Period  : 20 secs
    Rekey Retransmit Attempts: 5
    Group Retransmit
        Remaining Lifetime   : 0 secs

      IPSec SA Number        : 1
      IPSec SA Rekey Lifetime: 3600 secs
      Profile Name           : ipsecprof
      Replay method          : Time Based
      Replay Window Size     : 20
      SA Rekey
         Remaining Lifetime  : 2520 secs
      ACL Configured         : access-list get***traffic

    Group Server list        : Local

DMZ.2#sh crypto gdoi
GROUP INFORMATION

    Group Name               : yeslabgroup
    Group Identity           : 666888
    Rekeys received          : 1
    IPSec SA Direction       : Both
    Active Group Server      : 10.1.1.1
    Group Server list        : 10.1.1.1
                              
    GM Reregisters in        : 2425 secs
    Rekey Received(hh:mm:ss) : 00:18:36


    Rekeys received         
         Cumulative          : 1
         After registration  : 1
    Rekey Acks sent          : 1

 ACL Downloaded From KS 10.1.1.1:
   access-list  deny udp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 port = 848
   access-list  permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

KEK POLICY:
    Rekey Transport Type     : Unicast
    Lifetime (secs)          : 86399
    Encrypt Algorithm        : AES
    Key Size                 : 192    
    Sig Hash Algorithm       : HMAC_AUTH_SHA
    Sig Key Length (bits)    : 1024   

TEK POLICY:
  FastEthernet0/0:
    IPsec SA:
        sa direction:inbound
        spi: 0x6A08A4C6(1778951366)
        transform: esp-des esp-md5-hmac
        sa timing:remaining key lifetime (sec): (2441)
        Anti-Replay(Time Based) : 20 sec interval

    IPsec SA:
        sa direction:outbound
        spi: 0x6A08A4C6(1778951366)
        transform: esp-des esp-md5-hmac
        sa timing:remaining key lifetime (sec): (2441)
        Anti-Replay(Time Based) : 20 sec interval

    IPsec SA:
        sa direction:inbound
        spi: 0xE34224AE(3812762798)
        transform: esp-des esp-md5-hmac
        sa timing:remaining key lifetime (sec): (2481)
        Anti-Replay(Time Based) : 20 sec interval

    IPsec SA:
        sa direction:outbound
        spi: 0xE34224AE(3812762798)
        transform: esp-des esp-md5-hmac
        sa timing:remaining key lifetime (sec): (2481)
        Anti-Replay(Time Based) : 20 sec interval


[Figure 2: image from the original post]


Note: this is roughly the idea, and it is not free of errors, so take care when entering the commands and do not trust it blindly!