VXLAN

ASA1 configuration
interface GigabitEthernet0/0
 nve-only
 nameif outside
 security-level 0
 ip address 202.100.12.1 255.255.255.0
!
multicast-routing
!
nve 1
 ! VTEP
 encapsulation vxlan
 ! the VTEP source must be the nve-only interface (the notes had "inside" here)
 source-interface outside
 default-mcast-group 224.0.0.1
!
interface vni1
 segment-id 6000
 nameif vxlan
 security-level 50
 ip address 202.100.1.10 255.255.255.0
 vtep-nve 1
!
access-list out extended permit ip any any
access-group out in interface outside
ASA2 configuration
interface GigabitEthernet0/0
 nve-only
 nameif outside
 security-level 0
 ip address 202.100.12.2 255.255.255.0
!
nve 1
 ! VTEP
 encapsulation vxlan
 source-interface outside
!
interface GigabitEthernet0/1
 nameif inside
 bridge-group 1
 security-level 100
!
interface vni1
 segment-id 6000
 nameif vxlan
 bridge-group 1
 security-level 50
 vtep-nve 1
 mcast-group 224.0.0.1
!
interface BVI1
 ip address 202.100.1.100 255.255.255.0
!
access-list vxlan extended permit ip any any
access-group vxlan in interface vxlan
Verification

TrustSec

Terms:
 SGT: Security Group Tag; ISE acts as the tag authority
 SGA: Security Group Access, tag-based access control
 SXP: Security Group Exchange Protocol
aaa-server ISE protocol radius
aaa-server ISE (inside) host 192.168.1.241
 key cisco
cts server-group ISE
ISE personas:
 PAN: policy administration node
 PSN: policy service node
 MNT: monitoring node
Deployment modes: standalone deployment, distributed deployment
! SXP: ISE is the speaker, the ASA listens for IP-to-SGT mappings (first ASA)
cts sxp enable
cts sxp default password Cisco0123
cts sxp default source-ip 202.100.12.1
cts sxp connection peer 192.168.1.241 password default mode peer speaker
! second ASA, same settings with its own source IP
cts sxp enable
cts sxp default password Cisco0123
cts sxp default source-ip 192.168.1.10
cts sxp connection peer 192.168.1.241 password default mode peer speaker
Verification:
 sh cts sxp connections
 sh cts sgt-map detail
 sh cts sxp sgt-map
Inbound traffic control by source SGT:
object-group security qytang-sg
 security-group tag 16
access-list out extended deny icmp object-group-security qytang-sg any any
Interconnect interface (inline SGT propagation):
cts manual
 policy static sgt 600 trusted

Two ways to propagate the SGT: inline tagging on the interface (cts manual, above) or over SXP.
SSL VPN

ip local pool SSLPOOL 172.16.1.100-172.16.1.200
group-policy sslpolicy internal
group-policy sslpolicy attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 address-pools value SSLPOOL
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group ISE
 ! sslpolicy still has to be assigned: default-group-policy sslpolicy here, or pushed by ISE
webvpn
 enable Outside
 anyconnect image disk0:/anyconnect-win-4.3.04027-k9.pkg 1
 anyconnect enable
API

Install the API, then use the wrapper functions:
 asa_acl(ip, username, password, action, pro, src, dst, dstp=0, port=443)
 asa_acl('10.1.1.1', 'admin', 'Cisc0123', 1, 'tcp', 'any', 'Inside-Server', 80, port=443)
 asa_nat_add(ip, username, password, srcobj, dstobj, port=443)
 asa_nat_add('10.1.1.1', 'admin', 'Cisc0123', 'Inside-Server', 'outside_server')
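An added implementation of the notes' asa_acl() over the ASA REST API, as example code rather than the course's own wrapper. Assumptions: action 1 means permit and 0 means deny, the ACL name defaults to "out" (the ACL from the VXLAN section), and the ACE field names follow the ASA REST API ExtendedACE schema as documented on the ASA's own /doc page.

```python
import base64
import json
import ssl
import urllib.request

# Assumed semantics of the notes' parameters: action 1 = permit, 0 = deny;
# src/dst are "any", a literal IPv4 host/network, or the name of an existing
# network object on the ASA; dstp=0 means "no destination port".

def addr_spec(base_url, value):
    """Translate an address argument into an ASA REST API address object."""
    if value == "any":
        return {"kind": "AnyIPAddress", "value": "any4"}
    if value[0].isdigit():
        kind = "IPv4Network" if "/" in value else "IPv4Address"
        return {"kind": kind, "value": value}
    # otherwise: reference to a network object already configured on the ASA
    return {"kind": "objectRef#NetworkObj", "objectId": value,
            "refLink": f"{base_url}/api/objects/networkobjects/{value}"}

def build_ace(base_url, action, pro, src, dst, dstp=0):
    """Build the JSON body for one extended ACE (ASA REST API ExtendedACE schema)."""
    svc = ({"kind": "TcpUdpService", "value": f"{pro}/{dstp}"} if dstp
           else {"kind": "NetworkProtocol", "value": pro})
    return {
        "sourceAddress": addr_spec(base_url, src),
        "destinationAddress": addr_spec(base_url, dst),
        "sourceService": {"kind": "NetworkProtocol", "value": pro},
        "destinationService": svc,
        "permit": bool(action),
        "active": True,
        "remarks": [],
    }

def asa_acl(ip, username, password, action, pro, src, dst, dstp=0, port=443,
            acl="out", cafile=None):
    """POST one ACE to access-list <acl> over the ASA REST API.
    TLS verification stays on: pass the CA that signed the ASA's certificate as cafile."""
    base_url = f"https://{ip}:{port}"
    body = json.dumps(build_ace(base_url, action, pro, src, dst, dstp)).encode()
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/api/objects/extendedacls/{acl}/aces", data=body, method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}",
                 # the ASA REST API requires this User-Agent with basic auth
                 "User-Agent": "REST API Agent"})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return resp.status  # 201 Created on success
```

The call from the notes, asa_acl('10.1.1.1', 'admin', 'Cisc0123', 1, 'tcp', 'any', 'Inside-Server', 80, port=443), maps onto this signature unchanged.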