Document overview: configuration guide for interconnecting our firewall with a Cisco ASA 5510
1 Our firewall configuration
acl number 3003
rule 5 permit ip source 0 destination 0
#
ike proposal 1
authentication-method rsa-sig
dh group2
#
ike peer peer1
exchange-mode aggressive
certificate local-filename
ike-proposal 1
undo version 2
local-id-type ip/name/user-fqdn    -- DN authentication is not supported when interconnecting with Cisco
remote-name ciscoasa
remote-address
nat traversal
#
ipsec proposal prop1
ipsec policy aaa 1 isakmp
security acl 3003
ike-peer peer1
proposal prop1
#
interface 2/0/0
ip address
ipsec policy aaa
#
#
pki entity usg2100
common-name usg2100
fqdn usg2100.
ip-address
email usg2100@
#
pki domain usg2100
ca identifier ca
certificate request url
certificate request entity usg2100
crl scep
certificate request polling interval 2
crl update-period 1
crl auto-update enable
crl url
#
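The following Python linter is an added example, not part of the guide: it parses ike proposal and ike peer blocks in the format shown above and reports settings that deviate from the interop constraints this guide states (the referenced proposal exists and uses rsa-sig, IKEv2 is disabled with undo version 2, and local-id-type is not dn). The sample configuration is constructed from the guide, with local-id-type dn deliberately set so that the check fires.

```python
"""Lint a Huawei USG 'ike peer' block against the Cisco ASA interop rules in
this guide: referenced proposal exists and uses rsa-sig, IKEv2 is disabled
(undo version 2) and local-id-type is not dn.  SAMPLE_CONFIG is constructed."""
import re

SAMPLE_CONFIG = """\
ike proposal 1
 authentication-method rsa-sig
 dh group2
#
ike peer peer1
 exchange-mode aggressive
 ike-proposal 1
 undo version 2
 local-id-type dn
 remote-name ciscoasa
#
"""

def parse_blocks(text):
    """Map ('ike proposal'|'ike peer', name) -> {keyword: rest of line}."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None  # '#' ends a block in Huawei VRP output
            continue
        head = re.match(r"^(ike proposal|ike peer)\s+(\S+)$", line)
        if head:
            current = blocks.setdefault((head.group(1), head.group(2)), {})
        elif current is not None:
            key, _, value = line.partition(" ")
            current[key] = value  # e.g. 'undo' -> 'version 2'
    return blocks

def lint_peer(text, peer_name):
    """Return interop findings for one ike peer (empty list = matches guide)."""
    blocks = parse_blocks(text)
    peer = blocks[("ike peer", peer_name)]  # KeyError if the peer is absent
    findings = []
    proposal = blocks.get(("ike proposal", peer.get("ike-proposal", "")))
    if proposal is None:
        findings.append("referenced ike-proposal does not exist")
    elif proposal.get("authentication-method") != "rsa-sig":
        findings.append("proposal does not use authentication-method rsa-sig")
    if peer.get("undo") != "version 2":
        findings.append("IKEv2 still enabled: add 'undo version 2'")
    if peer.get("local-id-type") == "dn":
        findings.append("local-id-type dn unsupported by ASA; use ip, name or user-fqdn")
    return findings
```

Run it against the output of `display current-configuration` on the USG side before bringing the tunnel up; an empty list means the peer block matches the settings in this guide.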
2 Cisco configuration
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Cisco Adaptive Security Appliance Software Version (1)
Different software versions lead to slight differences in the configuration.
(Offline mode)
The system has a default RSA key pair named Default-RSA-Key; generating a new one overwrites the default key pair.
ciscoasa(config)# crypto key generate rsa
WARNING: You have a RSA keypair already defined named
<Default-RSA-Key>.
Do you really want to replace them? [yes/no]: y
Keypair generation process begin. Please wait...
Create the trustpoint:
ciscoasa(config)# crypto ca trustpoint ASDM_TrustPoint1
Trustpoint view:
ciscoasa(config-ca-trustpoint)# subject-name CN=ciscoasa    -- configure the certificate subject
ciscoasa(config-ca-trustpoint)# enrollment terminal    -- offline mode: the certificate is entered at the command line
Obtain the CA certificate offline:
ciscoasa(config)# crypto ca authenticate ASDM_TrustPoint1
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself    -- paste the base64-encoded CA certificate into the command line
-----BEGIN CERTIFICATE-----