
Cisco CSD Configuration Example

Source: personal technical collection

I. Network topology

II. SSL VPN server configuration

Software versions:

Cisco IOS Software, 7200 Software (C7200-ADVSECURITYK9-M), Version 12.4(9)T1, RELEASE SOFTWARE (fc2)

VPN client software: sslclient-win-1.1.2.169.pkg

Cisco CSD software: securedesktop-ios-3.1.1.45-k9.pkg

1. Format disk0

R1#format disk0:
Format operation may take a while. Continue? [confirm]
Format operation will destroy all data in "disk0:". Continue? [confirm]
Format: Drive communication & 1st Sector Write OK...
Writing Monlib sectors.
.............................................................................................................................................. Monlib write complete
Format: All system sectors written. OK...
Format: Total sectors in formatted partition: 8009
Format: Total bytes in formatted partition: 4100608
Format: Operation completed successfully.
Format of disk0 complete

2. Upload the SSL VPN client software

R1#copy tftp disk0:
Address or name of remote host []? 192.168.10.100
Source filename []? sslclient-win-1.1.2.169.pkg
Destination filename [sslclient-win-1.1.2.169.pkg]?
Accessing tftp://192.168.10.100/sslclient-win-1.1.2.169.pkg...
Loading sslclient-win-1.1.2.169.pkg from 192.168.10.100 (via FastEthernet0/0): !! [OK - 415090 bytes]
415090 bytes copied in 12.892 secs (32197 bytes/sec)

3. Upload the Cisco CSD software

R1#copy tftp disk0:
Address or name of remote host []? 192.168.10.100
Source filename []? securedesktop-ios-3.1.1.45-k9.pkg
Destination filename [securedesktop-ios-3.1.1.45-k9.pkg]?
Accessing tftp://192.168.10.100/securedesktop-ios-3.1.1.45-k9.pkg...
Loading securedesktop-ios-3.1.1.45-k9.pkg from 192.168.10.100 (via FastEthernet0/0): !!!!!!O! [OK - 1697952 bytes]
1697952 bytes copied in 65.868 secs (25778 bytes/sec)

4. Install the client software

R1(config)#webvpn install svc disk0:/sslclient-win-1.1.2.169.pkg
SSLVPN Package SSL-VPN-Client : installed successfully

5. Install the Cisco CSD software

R1(config)#webvpn install csd disk0:/securedesktop-ios-3.1.1.45-k9.pkg
SSLVPN Package Cisco-Secure-Desktop : installed successfully

Note: if the upload over TFTP fails, the packages can instead be installed with Cisco Router and Security Device Manager (SDM) or fetched from an FTP server.

6. Configure the SSL VPN

R1(config)#enable password 123
R1(config)# aaa new-model
R1(config)# aaa authentication login default local
R1(config)# aaa authentication login webvpn local
R1(config)# username user1 password 123
R1(config)# webvpn gateway vpngateway
R1(config-webvpn-gateway)# ip address 192.168.10.10 port 443
R1(config-webvpn-gateway)# inservice
R1(config)# webvpn context webcontext
R1(config-webvpn-context)# gateway vpngateway domain sshvpn
R1(config-webvpn-context)# aaa authentication list webvpn
R1(config-webvpn-context)# inservice
R1(config)# ip local pool ssl-add 11.1.1.10 11.1.1.20
R1(config)# webvpn context webcontext
R1(config-webvpn-context)# policy group sslvpn-policy
R1(config-webvpn-group)# functions svc-enabled
R1(config-webvpn-group)# svc address-pool ssl-add
R1(config-webvpn-group)# svc split include 192.168.20.0 255.255.255.0
R1(config-webvpn-group)#exit
R1(config-webvpn-context)# default-group-policy sslvpn-policy
R1(config-webvpn-context)# inservice

7. Complete configuration

R1#sh running-config
Building configuration...

Current configuration : 3310 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable password 123
!
aaa new-model
!
aaa authentication login default local
aaa authentication login webvpn local
!
aaa session-id common
!
resource policy
!
ip cef
!
crypto pki trustpoint TP-self-signed-4294967295
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4294967295
 revocation-check none
 rsakeypair TP-self-signed-4294967295
!

crypto pki certificate chain TP-self-signed-4294967295
 certificate self-signed 01
  quit

username user1 password 0 123
!
interface Loopback0
 ip address 11.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.10.10 255.255.255.0
 duplex half
!
interface Serial1/0
 ip address 10.1.1.1 255.255.255.0
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router rip
 version 2
 network 10.0.0.0
 network 11.0.0.0
 network 192.168.10.0
 no auto-summary
!
ip local pool ssl-add 11.1.1.10 11.1.1.20
no ip http server
no ip http secure-server
!
logging alarm informational
!
control-plane
!
line con 0
 exec-timeout 0 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
webvpn gateway vpngateway
 ip address 192.168.10.10 port 443
 ssl trustpoint TP-self-signed-4294967295
 inservice
!
webvpn install svc disk0:/webvpn/svc.pkg
!
webvpn install csd disk0:/webvpn/sdesktop.pkg
!
webvpn context webcontext
 ssl authenticate verify all
 !
 policy group sslvpn-policy
  functions svc-enabled
  svc address-pool "ssl-add"
  svc split include 192.168.20.0 255.255.255.0
 default-group-policy sslvpn-policy
 aaa authentication list webvpn
 gateway vpngateway domain sshvpn
 inservice
!
end
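The step-6 commands and the R1 running-config above are a lab setup, and several of their settings are ones a defender would harden before exposing the gateway. The following audit script is an added example (not part of the original page); it runs over an excerpt of the R1 configuration shown above and reports those settings, with the check list and finding names chosen by the editor.

```python
import re

# Constructed sample input: an excerpt of the R1 running-config from this page
# (certificate body and interface sections omitted).
R1_CONFIG = """\
no service password-encryption
enable password 123
username user1 password 0 123
ip local pool ssl-add 11.1.1.10 11.1.1.20
line vty 0 4
webvpn gateway vpngateway
 ip address 192.168.10.10 port 443
 ssl trustpoint TP-self-signed-4294967295
webvpn context webcontext
 policy group sslvpn-policy
  svc split include 192.168.20.0 255.255.255.0
 default-group-policy sslvpn-policy
"""

# (finding id, line pattern, advice). Patterns run with MULTILINE over the whole
# config, so indented webvpn sub-commands are matched as well.
CHECKS = [
    ("plaintext-enable", r"^enable password ", "enable password in clear text; use 'enable secret'"),
    ("plaintext-user", r"^username \S+ password (0 )?\S+$", "user password in clear text; use 'username ... secret'"),
    ("no-pw-encryption", r"^no service password-encryption$", "type-7 password obfuscation is disabled"),
    ("self-signed-tp", r"^\s*ssl trustpoint TP-self-signed-", "gateway presents a self-signed certificate that clients cannot verify"),
    ("split-tunnel", r"^\s*svc split include ", "split tunneling: client traffic to other networks bypasses the VPN"),
]

def audit_ios_config(config: str) -> list:
    """Return [(finding id, advice)] for each weak setting present in config."""
    findings = [(fid, advice) for fid, pat, advice in CHECKS
                if re.search(pat, config, re.MULTILINE)]
    # vty lines: the block is every indented line directly under 'line vty ...'
    vty = re.search(r"^line vty .*\n((?: .*\n)*)", config, re.MULTILINE)
    if vty and not re.search(r"^\s*(transport input ssh|access-class )",
                             vty.group(1), re.MULTILINE):
        findings.append(("open-vty", "vty lines have no 'transport input ssh' or 'access-class'"))
    return findings

if __name__ == "__main__":
    for fid, advice in audit_ios_config(R1_CONFIG):
        print(f"{fid}: {advice}")
```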

R2#show running-config
Building configuration...

Current configuration : 980 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
ip cef
!
interface Loopback1
 ip address 22.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.20.10 255.255.255.0
 duplex half
!
interface Serial1/0
 ip address 10.1.1.2 255.255.255.252
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router rip
 version 2
 network 10.0.0.0
 network 22.0.0.0
 network 192.168.20.0
 no auto-summary
!
no ip http server
no ip http secure-server
!
logging alarm informational
!
control-plane
!
line con 0
 exec-timeout 0 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
!
end

III. Cisco CSD policy configuration

1. Log in

Open https://192.168.10.10/csd_admin.html in Internet Explorer to manage the CSD policies. The login username is admin and the password is the enable password. The interface is shown below:

2. Configure the policies

Note: the detailed CSD configuration will be covered in a later document.

3. CSD can then be used to configure the specific WebVPN functions.
