How Cisco remote access (SSL) VPN works

Contents
I. How SSL VPN works
 1. SSL VPN client modes
 2. SSL VPN authentication, encryption and content control
 3. In what environments is SSL VPN used?
II. Differences between SSL VPN and IPSec VPN
 1. Advantages and disadvantages of SSL VPN
 2. Comparison of IPSec VPN and SSL VPN
III. Configuring Clientless SSL VPN

Note: "VPN" stands for Virtual Private Network. Because the term is treated as a sensitive word on the original platform, the original article writes "virtual private network" in its place throughout.

I. How SSL VPN works

SSL VPN is an emerging technology that uses SSL encryption through the local web browser to provide a flexible, low-cost, Internet-based remote access solution. An SSL VPN does not require client software to be pre-installed on a dedicated computer: any computer that can reach the Internet can establish an SSL VPN session, giving access to the network anytime, anywhere.

1. SSL VPN client modes

As shown below, taking the Cisco ASA security appliance as the VPN gateway, an SSL VPN consists of two components: the SSL VPN server and the SSL VPN client.
[Figure: SSL VPN server (ASA) and SSL VPN client topology; image not reproduced]

An SSL VPN can be deployed in the following three access modes:

1) Clientless mode:
Clientless mode is not literally "no client": it uses the web browser already on the user's computer for remote access, so no additional software is needed. Clientless mode provides secure access to web resources and web-based content. It can also provide remote file sharing through the Common Internet File System (CIFS): CIFS file servers appear as entries in the connection list, so remote users can browse the domains, servers, directories, folders and files listed on the portal page. The drawback of clientless mode is that it can only protect web traffic.

2) Thin-client mode (also known as port forwarding mode):
Thin-client mode provides remote access to TCP-based services such as POP, POP3, SMTP and SSH. After the thin client establishes an SSL VPN session, a Java or ActiveX program is dynamically downloaded from the SSL VPN appliance to the user's desktop; this lets some non-web applications be carried over the SSL VPN. Thin-client mode thus extends the web browser's encryption to those applications.

3) Fat client mode (also called tunnel mode or full tunnel client mode):
Fat client mode provides remote access to a large number of applications through downloadable SSL VPN client software (the SSL VPN Client, SVC), giving full access to all network layer (layer 3) applications. In fat client mode the client software is normally downloaded dynamically and installed on the user's computer when the client establishes the SSL VPN to the central site. Because the client has to be installed on the user's computer, the user must have administrator privileges on that computer. Without administrator privileges the client cannot be installed, and only clientless or thin-client mode can be used.

2. SSL VPN authentication, encryption and content control

SSL VPNs usually support two methods of authentication: digital certificates, and user name with password. The user accesses the gateway over HTTPS; after the certificate is obtained, the user enters a user name and password on the web login page and then begins accessing the content resources.

SSL VPNs use SSL to encrypt the data traffic. SSL was developed by Netscape; the latest draft standard version is SSLv3, which supports RC4, DES and 3DES. The IETF subsequently established Transport Layer Security (TLS) on the basis of SSL, and RFC 2246 defines TLS 1.0. (SSLv3 has since been formally deprecated by RFC 7568; current deployments should negotiate TLS only.)

In clientless or thin-client mode, the SSL VPN can expose different applications to different users, which gives per-user access control. A user first connects to a web page and logs in with a user name and password; the portal page then lists the connections that user is permitted, and from that list the user reaches the appropriate servers.

3. In what environments is SSL VPN used?

  • Whether the user accesses applications through a web browser;
  • Whether users may connect from computers that are not company-owned, that is, without administrator privileges on the machine used for access;
  • Whether the administrator has little administrative control over the user's computer and cannot manage software installation;
  • In addition, consider support for non-web applications: check the vendor's list of supported non-web programs. The main reason a full client cannot be installed is usually the lack of administrator privileges on a computer that is not company-owned.

II. Differences between SSL VPN and IPSec VPN

1. Advantages and disadvantages of SSL VPN

SSL VPN is undoubtedly very good for users who access the company's servers through a web browser. Its advantages are mainly the following:

  • In clientless and thin-client mode, SSL VPN works without installing any client software (other than a web browser and the software that comes with the operating system);

  • The company's internal servers can be reached securely from anywhere;

  • Multiple types of browser are supported;

  • Users need no special training;

  • SSL VPN can be used behind address translation (NAT) devices;

  • A variety of applications can be controlled at a finer granularity;

Because SSL VPN runs on top of TCP, what it encrypts is application-layer content, and it is more exposed to denial of service (DoS) and other interference by third parties. Also, SSL VPN relies only on the TCP sequence number for data validation, whereas IPSec VPN uses HMAC for authentication, so in this respect IPSec VPN is better than SSL VPN.

2. Comparison of SSL VPN and IPSec VPN

SSL VPN and IPSec VPN each have their own advantages and disadvantages; the following is a simple comparison of the two technologies:
[Table: SSL VPN versus IPSec VPN comparison; image not reproduced]

III. Configuring Clientless SSL VPN

The network environment is as follows:

[Figure: lab topology (R1, ASA, ISP, R2, VM2); image not reproduced]

Environment analysis:
The loopback 0 interface of router R1 simulates an internal network server;
The loopback 0 interface of the ISP router simulates a server on the Internet;
R2 is configured as a DHCP server so that the traveling employee (VM2) automatically obtains an IP address, gateway and DNS.

Start the configuration:

R1 is configured as follows:

R1(config)#int f0/0    # enter the interface
R1(config-if)#ip add 192.168.10.1 255.255.255.0   # assign an IP address to the interface
R1(config-if)#no shutdown    # bring the interface up
R1(config-if)#exit
R1(config)#int loo0   # enter the loopback 0 interface
R1(config-if)#ip add 1.1.1.1 255.255.255.255   # assign an IP address
R1(config-if)#no shutdown   # bring the interface up
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.10.254   # default route toward the router that simulates the public network

ASA configuration is as follows:

ASA(config)# int eth 0/0   # enter the interface
ASA(config-if)# nameif inside   # name the interface "inside"
ASA(config-if)# ip add 192.168.10.254 255.255.255.0   # assign an IP address
ASA(config-if)# no shu
ASA(config-if)# exit
ASA(config)# int eth0/1    # enter the interface
ASA(config-if)# nameif outside   # name the interface "outside"
ASA(config-if)# ip add 192.168.20.254 255.255.255.0  # assign an IP address
ASA(config-if)# no shu
ASA(config-if)# exit
ASA(config)# route outside 0 0 192.168.20.1   # default route toward the router that simulates the public network
ASA(config)# route inside 1.1.1.1 255.255.255.255 192.168.10.1  # static route to the internal network
ASA(config)# access-list out_to_in permit ip any any   # allow the outside network to reach the inside (lab only: this permits all inbound traffic, not just the VPN portal)
ASA(config)# access-group out_to_in in interface outside  # apply the ACL inbound on the outside interface
ASA(config)# fixup protocol icmp  # allow ICMP through inspection

ISP configuration is as follows:

ISP(config)#int f0/0   # enter the interface
ISP(config-if)#ip add 192.168.30.1 255.255.255.0   # assign an IP address to the interface
ISP(config-if)#no shutdown    # bring the interface up
ISP(config-if)#exit
ISP(config)#int f1/0  # enter the interface
ISP(config-if)#ip add 192.168.20.1 255.255.255.0   # assign an IP address to the interface
ISP(config-if)#no shutdown   # bring the interface up
ISP(config-if)#exit
ISP(config)#int loo0  # enter the loopback 0 interface
ISP(config-if)#ip add 2.2.2.2 255.255.255.255   # assign an IP address to the interface
ISP(config-if)#no shutdown   # bring the interface up
ISP(config-if)#exit

R2 configured as follows:

R2(config)#int f0/0    # enter the interface
R2(config-if)#ip add 192.168.30.254 255.255.255.0  # assign an IP address to the interface
R2(config-if)#no shutdown   # bring the interface up
R2(config-if)#exit
R2(config)#int f1/0   # enter the interface
R2(config-if)#ip add 192.168.40.254 255.255.255.0   # assign an IP address to the interface
R2(config-if)#no shutdown    # bring the interface up
R2(config-if)#exit
R2(config)#ip route 0.0.0.0 0.0.0.0 192.168.30.1   # default route toward the router that simulates the public network
R2(config)#ip dhcp pool lan  # enable the DHCP service with a pool named lan
R2(dhcp-config)#network 192.168.40.0 255.255.255.0  # network range handed out to clients
R2(dhcp-config)#default-router 192.168.40.254  # gateway handed out to clients
R2(dhcp-config)#dns-server 8.8.8.8 114.114.114.114  # primary and backup DNS handed out to clients
R2(dhcp-config)#exit
R2(config)#access-list 10 permit any  # ACL matching all traffic to be translated
R2(config)#ip nat inside source list 10 interface fastEthernet 0/0 overload  # PAT: translate ACL 10 traffic to the f0/0 address
R2(config)#int f0/0  # enter the interface
R2(config-if)#ip nat outside   # enable NAT, outside direction
R2(config-if)#int f1/0  # enter the interface
R2(config-if)#ip nat inside  # enable NAT, inside direction
R2(config-if)#exit

The bridged PC can now obtain an IP address. Open a CMD window and run ipconfig /release to release the current address, then ipconfig /renew to obtain a new one; the adapter details will show the IP address, gateway and DNS obtained automatically, as shown below:
[Screenshots: ipconfig /release, ipconfig /renew and adapter details on the PC; images not reproduced]

Now to today's focus, configuring the Clientless SSL VPN:

ASA(config)# username benet password pwd@123 # create the SSL VPN user account and password
ASA(config)# webvpn  # enable the SSL VPN on the outside interface
ASA(config-webvpn)# enable outside 
INFO: WebVPN and DTLS are enabled on 'outside'.
ASA(config-webvpn)# svc image disk0:/sslclient-win-1.1.3.173.pkg # location of the SSL VPN client package
ASA(config-webvpn)# svc enable  
ASA(config-webvpn)# exit
ASA(config)# ip local pool dzc 192.168.100.10-192.168.100.100 # SSL VPN address pool, named dzc
ASA(config)# access-list 100 permit ip 1.1.1.1 255.255.255.255 any # match traffic to be sent through the split tunnel
ASA(config)# access-list 100 permit ip 192.168.10.0 255.255.255.0 any # match traffic to be sent through the split tunnel
ASA(config)# group-policy local-policy internal  # create a local group policy named local-policy
ASA(config)# group-policy local-policy attributes   # configure the attributes of the group policy
ASA(config-group-policy)# vpn-tunnel-protocol webvpn svc  # allow clientless and SSL VPN client (SVC) access
ASA(config-group-policy)# split-tunnel-policy tunnelspecified   # split tunneling: only traffic matching the ACL goes through the tunnel
ASA(config-group-policy)# split-tunnel-network-list value 100 # reference the split-tunnel ACL
ASA(config-group-policy)# webvpn  # prompt the user to install the SSL VPN client
ASA(config-group-webvpn)# svc ask enable   
ASA(config-group-webvpn)# exit 
ASA(config-group-policy)# exit
ASA(config)# tunnel-group ssl type webvpn  # create a tunnel group named ssl, of type SSL VPN
ASA(config)# tunnel-group ssl general-attributes  # configure the attributes of the tunnel group
ASA(config-tunnel-general)# address-pool dzc  # the tunnel group uses the address pool
ASA(config-tunnel-general)# default-group-policy local-policy  # the tunnel group uses the group policy
ASA(config-tunnel-general)# exit
ASA(config)# tunnel-group ssl webvpn-attributes   # configure the drop-down list entries under the tunnel group attributes
ASA(config-tunnel-webvpn)# group-alias benet.com enable # drop-down menu entry named benet.com
ASA(config-tunnel-webvpn)# group-alias accp.com enable  # drop-down menu entry named accp.com
ASA(config-tunnel-webvpn)# exit
ASA(config)# webvpn  # enable the drop-down menu
ASA(config-webvpn)# tunnel-group-list enable  
ASA(config-webvpn)# exit
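The configuration above contains three settings a defender should review before it leaves the lab: the permit-any inbound ACL on the outside interface, the networks placed in the split-tunnel ACL, and the user password typed in cleartext. The following audit script is an added example, not part of the original article or Cisco's tooling; it parses a constructed excerpt of this page's ASA configuration (the `ASA_CONFIG` string is assumed, pasted from a `show running-config`) and reports those findings.

```python
import ipaddress
import re

# Constructed excerpt of the ASA configuration shown on this page (lab values, not a live device).
ASA_CONFIG = """
username benet password pwd@123
access-list out_to_in permit ip any any
access-group out_to_in in interface outside
access-list 100 permit ip 1.1.1.1 255.255.255.255 any
access-list 100 permit ip 192.168.10.0 255.255.255.0 any
group-policy local-policy attributes
 vpn-tunnel-protocol webvpn svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 100
"""


def audit_asa_sslvpn(config: str) -> list[str]:
    """Return findings for the SSL VPN-relevant parts of an ASA running config."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []

    # 1. An ACL bound inbound on 'outside' that permits ip any any exposes the
    #    whole inside network, not just the VPN portal (acceptable only in a lab).
    for l in lines:
        m = re.match(r"access-group (\S+) in interface outside$", l)
        if m and f"access-list {m.group(1)} permit ip any any" in lines:
            findings.append(f"ACL {m.group(1)} on outside permits ip any any")

    # 2. With split-tunnel-policy tunnelspecified only the networks in the referenced
    #    ACL are tunnelled; anything outside private (RFC 1918) space deserves review.
    acl = next((m.group(1) for l in lines
                if (m := re.match(r"split-tunnel-network-list value (\S+)$", l))), None)
    if acl and "split-tunnel-policy tunnelspecified" in lines:
        for l in lines:
            m = re.match(rf"access-list {re.escape(acl)} permit ip (\S+) (\S+) any$", l)
            if m:
                net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
                if not net.is_private:
                    findings.append(f"split-tunnel ACL {acl} includes non-private network {net}")

    # 3. 'username X password Y' with no trailing 'encrypted' keyword means the secret
    #    was typed in cleartext; confirm the saved config stores it hashed.
    for l in lines:
        m = re.match(r"username (\S+) password \S+$", l)
        if m:
            findings.append(f"user {m.group(1)} password entered in cleartext")
    return findings


if __name__ == "__main__":
    for finding in audit_asa_sslvpn(ASA_CONFIG):
        print("FINDING:", finding)
```

On this page's configuration the script flags the permit-any ACL, the 1.1.1.1/32 entry in ACL 100 (a public address that only stands in for an internal server in this lab), and the cleartext password.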

The Clientless SSL VPN configuration is complete; now verify it:

[Screenshot: SSL VPN portal login page; image not reproduced]
Enter the account and password created above to log in:
[Screenshot: credentials entered on the portal; image not reproduced]
The screen after login:
[Screenshot: portal page after login; image not reproduced]

-------- End of this article, thanks for reading --------


Source: blog.51cto.com/14156658/2438480