Lab environment:
GNS3 0.6
Emulated Cisco 7200; IOS image: c7200-advipservicesk9_li-mz.124-11.t.bin
VPN client software: sslclient-win-1.1.3.173.pkg
R0: F0/0 connects to Cloud0, F1/0 connects to Cloud1
Cloud0 is bridged to the physical NIC, Cloud1 to the loopback adapter
Two VPC virtual clients, Client1 and Client2, are bridged to the physical NIC and the loopback adapter respectively
R0: F0/0 10.10.10.10/24, F1/0 172.16.1.1/24
Client1: 10.10.10.100/24, default gateway 10.10.10.10
Client2: 172.16.1.100/24, default gateway 172.16.1.1
Configuration on R0:
Connected to Dynamips VM "R0" (ID 0, type c7200) - Console port
 
 
% Please answer 'yes' or 'no'.
Would you like to enter the initial configuration dialog? [yes/no]: n
 
 
 
Press RETURN to get started!
 
 
Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#int f0/0
Router(config-if)#ip add 10.10.10.10 255.255.255.0
Router(config-if)#no shut
Router(config-if)#
*May 14 19:52:22.575: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*May 14 19:52:22.579: %ENTITY_ALARM-6-INFO: CLEAR INFO Fa0/0 Physical Port Administrative State Down
*May 14 19:52:23.575: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Router(config-if)#int f1/0
Router(config-if)#ip add 172.16.1.1 255.255.255.0
Router(config-if)#no shut
Router(config-if)#
*May 14 19:52:49.939: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to up
*May 14 19:52:49.943: %ENTITY_ALARM-6-INFO: CLEAR INFO Fa1/0 Physical Port Administrative State Down
*May 14 19:52:50.939: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to up
Router(config-if)#exit
Router(config)#no ip domain-lookup
Router(config)#do ping 10.10.10.100
Translating "10.10.10.100"

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/74/124 ms
Router(config)#clock timezone beijing 8
Router(config)#
*May 14 19:55:57.727: %SYS-6-CLOCKUPDATE: System clock has been updated from 19:55:57 UTC Thu May 14 2009 to 03:55:57 beijing Fri May 15 2009, configured from console by console.
Router(config)#exit
Router#
*May 14 19:56:07.787: %SYS-5-CONFIG_I: Configured from console by console
Router#clock set 19:59:00 14 may 2009
Router#
*May 14 11:59:00.003: %SYS-6-CLOCKUPDATE: System clock has been updated from 03:59:01 beijing Fri May 15 2009 to 19:59:00 beijing Thu May 14 2009, configured from console by console.
Router#format disk0:
Format operation may take a while. Continue? [confirm]
Format operation will destroy all data in "disk0:".  Continue? [confirm]
Format: Drive communication & 1st Sector Write OK...
Writing Monlib sectors.
.....................................................................................................................................................
Monlib write complete
 
Format: All system sectors written. OK...
 
Format: Total sectors in formatted partition: 130883
Format: Total bytes in formatted partition: 67012096
Format: Operation completed successfully.
 
Format of disk0 complete
Router#copy tftp disk0:
Address or name of remote host []? 10.10.10.100
Source filename []? sslclient-win-1.1.3.173.pkg
Destination filename [sslclient-win-1.1.3.173.pkg]?
Accessing tftp://10.10.10.100/sslclient-win-1.1.3.173.pkg...
Loading sslclient-win-1.1.3.173.pkg from 10.10.10.100 (via FastEthernet0/0): !!
[OK - 416354 bytes]
 
416354 bytes copied in 57.896 secs (7191 bytes/sec)
Router#dir disk0:
Directory of disk0:/
 
    1  -rw-      416354  May 14 2009 20:04:42 +08:00  sslclient-win-1.1.3.173.pkg
 
66846720 bytes total (66428928 bytes free)
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#webvpn install svc disk0:/sslclient-win-1.1.3.173.pkg
SSLVPN Package SSL-VPN-Client : installed successfully
 
Router(config)#do dir disk0:
Directory of disk0:/
 
    1  drw-           0  May 14 2009 20:06:48 +08:00  webvpn
 
66846720 bytes total (66424832 bytes free)
Router(config)#aaa new-model
Router(config)#aaa authentication login webvpn local
Router(config)#int loopback0
Router(config-if)#
May 14 12:24:38.399: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
Router(config-if)#ip add 192.168.1.254 255.255.255.0
Router(config-if)#exit
Router(config)#ip local pool ssl-add 192.168.1.100 192.168.1.200
Router(config)#username cisco password cisco
Router(config)#webvpn gateway vpngateway
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
 
Router(config-webvpn-gateway)#
May 14 12:26:47.963: %SSH-5-ENABLED: SSH 1.99 has been enabled
May 14 12:26:48.419: %PKI-4-NOAUTOSAVE: Configuration was modified.  Issue "write memory" to save new certificate
Router(config-webvpn-gateway)#ip add 10.10.10.10 port 443
Router(config-webvpn-gateway)#inservice
Router(config-webvpn-gateway)#exit
Router(config)#webvpn context webcontext
Router(config-webvpn-context)#gateway vpngateway
Router(config-webvpn-context)#aaa authentication list webvpn
Router(config-webvpn-context)#inservice
Router(config-webvpn-context)#
May 14 12:28:31.235: %SSLVPN-5-UPDOWN: sslvpn context : webcontext changed state to UP
Router(config-webvpn-context)#policy group sslvpn-policy
Router(config-webvpn-group)#functions svc-enable
Router(config-webvpn-group)#svc address-pool ssl-add
Router(config-webvpn-group)#svc split include 172.16.1.0 255.255.255.0
Router(config-webvpn-group)#exit
Router(config-webvpn-context)#default-group-policy sslvpn-policy
Router(config-webvpn-context)#exit
Router(config)#exit
Router#
May 14 12:30:16.363: %SYS-5-CONFIG_I: Configured from console by console
Router#write memory
Building configuration...
[OK]
Router#
 
Configuration on Client1:
[Screenshots 2-17: the Client1 configuration steps; images not reproduced]
 
Testing the VPN connection:

[Screenshots 18-19: the VPN connection test; images not reproduced]
 
Connection successful.
A few points to note from this lab:
1. If the VPN address pool is not in the same subnet as the internal network, a loopback interface in the address pool's subnet must be created to act as the VPN clients' gateway; otherwise the VPN connection will not succeed.
2. Pay attention to time synchronization. The NTP server does not seem to work in the emulator, so I set the time and time zone manually.
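As an added example that is not part of the original lab, the following Python check runs over a constructed running-config assembled from the commands entered on R0: it flags the `username cisco password cisco` line (stored reversibly rather than as a `secret`) and verifies note 1 above, that the SSL VPN address pool falls inside the subnet of some router interface, here Loopback0. The `parse_blocks` and `audit_webvpn` functions are hypothetical helpers written for this example; only the names and addresses come from the session.

```python
import ipaddress
import re

# Constructed sample of R0's running-config after the session above (assembled
# from the commands typed, not captured output); names match the lab.
SAMPLE_CONFIG = """\
aaa authentication login webvpn local
username cisco password 0 cisco
interface Loopback0
 ip address 192.168.1.254 255.255.255.0
ip local pool ssl-add 192.168.1.100 192.168.1.200
webvpn gateway vpngateway
 ip address 10.10.10.10 port 443
webvpn context webcontext
 gateway vpngateway
 aaa authentication list webvpn
 policy group sslvpn-policy
  svc address-pool ssl-add
  svc split include 172.16.1.0 255.255.255.0
"""

def parse_blocks(config):
    # Group IOS config into (top-level line, [stripped indented child lines])
    blocks = []
    for line in filter(str.strip, config.splitlines()):
        if not line.startswith(" "):
            blocks.append((line, []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks

def audit_webvpn(config):
    """Hypothetical lint (not an IOS feature) for the webvpn constructs used in this lab."""
    findings, iface_nets, pools, pool_refs = [], [], {}, set()
    for head, body in parse_blocks(config):
        if head.startswith("username ") and " password " in head:
            findings.append(f"{head.split()[1]}: 'password' is stored reversibly (type 0/7); use 'secret'")
        elif head.startswith("interface "):
            for m in filter(None, (re.match(r"ip address (\S+) (\S+)$", l) for l in body)):
                iface_nets.append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif head.startswith("ip local pool "):
            name, first, last = head.split()[3:6]
            pools[name] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif head.startswith("webvpn context "):
            pool_refs.update(l.split()[-1] for l in body if l.startswith("svc address-pool "))
    # Lab note 1: a pool needs a router interface in its subnet to serve as the clients' gateway
    for name in pool_refs:
        first, last = pools[name]
        if not any(first in net and last in net for net in iface_nets):
            findings.append(f"pool {name}: no interface in its subnet; VPN clients have no gateway")
    return findings
```

Removing the Loopback0 block from the sample reproduces the failure described in note 1 as a second finding.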