
Interoperation configuration guide: our firewall with a Cisco ASA 5510

2025/5/7 14:06:20

1 Our firewall configuration

acl number 3003
 rule 5 permit ip source 1.1.1.1 0 destination 2.2.2.2 0
#
ike proposal 1
 authentication-method rsa-sig
 dh group2
#
ike peer peer1
 exchange-mode aggressive
 certificate local-filename usg2100_local.cer
 ike-proposal 1
 undo version 2
 local-id-type ip/name/user-fqdn    ---------- choose ip, name or user-fqdn; DN identity is not supported when interoperating with Cisco
 remote-name ciscoasa               ----------- the peer's CN
 remote-address 10.0.0.2
 nat traversal
#
ipsec proposal prop1
#
ipsec policy aaa 1 isakmp
 security acl 3003
 ike-peer peer1
 proposal prop1
#
interface Ethernet2/0/0
 ip address 10.0.0.1 255.255.255.0
 ipsec policy aaa
#
pki entity usg2100
 common-name usg2100
 fqdn usg2100.huawei.com
 ip-address 10.0.0.1
 email usg2100@huawei.com
#
pki domain usg2100
 ca identifier ca
 certificate request url http://2.2.10.105/certsrv/mscep/mscep.dll
 certificate request entity usg2100
 crl scep
 certificate request polling interval 2
 crl update-period 1
 crl auto-update enable
 crl url http://2.2.10.105/certsrv/mscep/mscep.dll
#

Note: ike proposal 1 and ipsec proposal prop1 above set only the authentication method and DH group. The encryption and integrity algorithms that are not shown take the device defaults, and they must match what is configured on the ASA side or phase 1 / phase 2 negotiation fails. remote-name ciscoasa must equal the CN in the certificate the ASA presents, which is CN=ciscoasa in section 2.2 below.

2 Cisco configuration

2.1 Device model

Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Cisco Adaptive Security Appliance Software Version 8.4(1)
Other software versions differ slightly in configuration.

2.2 Configuring the digital certificate (offline method)

2.2.1 Create the key pair

The system has a default RSA key pair named Default-RSA-Key; generating a key pair again overwrites it.

ciscoasa(config)# crypto key generate rsa
WARNING: You have a RSA keypair already defined named .
Do you really want to replace them? [yes/no]: y
Keypair generation process begin. Please wait...

Note: with no modulus argument the command uses the default key size of this release; the request printed in 2.2.3 carries a 1024-bit RSA key. Prefer crypto key generate rsa modulus 2048. If the default pair must be left intact, generate a named pair instead (crypto key generate rsa label <name> modulus 2048) and bind it to the trustpoint with keypair <name> in trustpoint configuration mode.

2.2.2 Request the CA certificate

Create the trustpoint:

ciscoasa(config)# crypto ca trustpoint ASDM_TrustPoint1           -- enter trustpoint view
ciscoasa(config-ca-trustpoint)# subject-name CN=ciscoasa         -- set the subject name
ciscoasa(config-ca-trustpoint)# enrollment terminal              -- offline mode: certificates are pasted into the CLI

Request the CA certificate offline:

ciscoasa(config)# crypto ca authenticate ASDM_TrustPoint1
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself          --- paste the base64 CA certificate into the CLI
-----BEGIN CERTIFICATE-----

MIIDajCCAlKgAwIBAgIQC1AATG77kIpMGLCMyhkkjDANBgkqhkiG9w0BAQUFADAR
MQ8wDQYDVQQDEwZjYS1kdHQwHhcNMTIwMzA2MTkxNDM0WhcNMTcwMzA2MTkyNDA1
WjARMQ8wDQYDVQQDEwZjYS1kdHQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQCHOE1I0bgaF4WfHZErjaf8Et96xHaZuQxA3DPwO6jIDbXiBdSM4z+OYY+f
zz/M1zN/3M1O3az24hEiGnr1hOch4q0Ie466hjV9rB8znbcIN5NAUhBClcAbe+en
Fz1uWjy7e6lRQo+h8E8Z3kyciOX7qQ9km4YI1bOfVnTzff87AGAOunLMkPnj3QHH
852XGz87195OF6n+lc5wK2QLW6hVWoocBwlAZ0J16brXON7CXfBH+wBUn+C+gTMq
zQQyDvZIe3IfHkbGm4Cbtn669BJrXg1f+y19QPeiEjOMi+8UHYPctPJE93stWvVv
lhJ2CuSVvTcaXb/iycBk4EJX5HzXAgMBAAGjgb0wgbowCwYDVR0PBAQDAgGGMA8G
A1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFFLzw1X1qS/+ZN/fjwGnX9bHwzCFMGkG
A1UdHwRiMGAwXqBcoFqGKmh0dHA6Ly9odWF3ZWktY2Fyb290L0NlcnRFbnJvbGwv
Y2EtZHR0LmNybIYsZmlsZTovL1xcaHVhd2VpLWNhcm9vdFxDZXJ0RW5yb2xsXGNh
LWR0dC5jcmwwEAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQEFBQADggEBAIb2
J/pmMW63167PznbHxqwhcNKh/9JljeYfED3o9uqkALd1U02A/Bx6gl3DxAHhatqr
5Tc4sI7BJPOhKRs0cUDnveT4Oq+riED/OZ+pT4q1BUQHVTkqtdshOagvVwPXw9nI
QcoduaJ7gSDX3tEpxMhGXi4vBvR8h4PL9ZqVCqJlQoiB/aj0ZIkqAGolIlfFW+iP
Ees61qj4sRv19Wt0RHFwQmX1l3ECfM4j3c2g7VZYU7CudIQkoUUtZf2tEWvrzJ6k
eFcl2zbXL833RrD6aBdQttfB989juvsorSO9tjf066s6ljzyZB/HEFeczC/tyKzU
IzcNfkOqXIId5+jc7K8=
-----END CERTIFICATE-----
quit

INFO: Certificate has the following attributes:
Fingerprint: 2ba54dac 447a907b 933e1208 d00e1415
Do you accept this certificate? [yes/no]: y
Trustpoint CA certificate accepted.
% Certificate successfully imported

Before answering yes, compare the fingerprint the ASA prints with the value obtained from the CA operator out of band (or computed yourself from the CA certificate file). This prompt is the only point at which a substituted CA certificate would be caught; everything the tunnel later trusts chains to it.

Note: in offline mode with a certificate chain, create a new trustpoint for each level and import the CA certificates one level at a time; each trustpoint holds exactly one CA certificate.

2.2.3 Request the local certificate

ciscoasa(config)# crypto ca enroll ASDM_TrustPoint1
% Start certificate enrollment ..
% The subject name in the certificate will be: CN=ciscoasa
% The fully-qualified domain name in the certificate will be: ciscoasa
% Include the device serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: JMX1350L0F5
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:

-----BEGIN CERTIFICATE REQUEST-----
MIIBtjCCAR8CAQAwQDERMA8GA1UEAxMIY2lzY29hc2ExKzASBgNVBAUTC0pNWDEz
NTBMMEY1MBUGCSqGSIb3DQEJAhYIY2lzY29hc2EwgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBAKhPgtFx1JRLaBxniWbmNH0iyiKyop+qSIIreAzIeDeDYjmaHxzv
fXEa4nJ/ph1xSzdOUpIdoKvMmKrOim1bUOEMLrZKQv4zrnX1xDHpUgSqNoZ0lpxi
g9vI+Pt/HY2LXPYoMQwPiRqKvVhAajbRuJ1PN3mPMHlLyPMgL3jXS0fBAgMBAAGg
NjA0BgkqhkiG9w0BCQ4xJzAlMA4GA1UdDwEB/wQEAwIFoDATBgNVHREEDDAKgghj
aXNjb2FzYTANBgkqhkiG9w0BAQUFAAOBgQBMXsz51KzQpI8AERyRBfeU3o7QOip+
Fe7+s/h4y0KcC//6q6HYBNgZ0/1K6v/CdDVLH+Ukjv6jwz/+1cNx76eAurRMWcm1
JC0mCMQm+dWz4DAgmN1MffVsOuySv89xYalmu9DZoWEx4CKG/MaN2dx4s/J7zuSQ
Ht8UWbd1EFCV2A==
-----END CERTIFICATE REQUEST-----
Redisplay enrollment request? [yes/no]: n

Copy the request to the CA, have it signed, and import the issued certificate as described in 2.2.4. Answering yes to the serial-number question puts JMX1350L0F5 into a separate serialNumber attribute of the subject; the CN stays ciscoasa, so the Huawei remote-name ciscoasa in section 1 still matches.
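The CA certificate pasted in 2.2.2 and the request printed in 2.2.3 are ordinary DER objects, so the checks this walkthrough leaves to the operator (what CN and validity period the pasted CA certificate really carries, which fingerprint to expect at the "Do you accept this certificate?" prompt, and whether the CN the ASA will be issued matches the Huawei remote-name) can be done offline before touching either box. The Python below is an added example written for this page, not code from the original document or from any Cisco or Huawei tool. It embeds the two base64 blobs exactly as transcribed above (constructed input for the example), uses only the standard library, and assumes the transcription is byte-exact and that the ASA fingerprint is an MD5 over the DER, which is the 128-bit value the prompt shows; the fingerprint is returned for comparison rather than hard-coded.

```python
import base64, hashlib
from datetime import datetime, timezone

# CA certificate as pasted into "crypto ca authenticate" in 2.2.2 (transcribed from the page).
CA_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIDajCCAlKgAwIBAgIQC1AATG77kIpMGLCMyhkkjDANBgkqhkiG9w0BAQUFADAR
MQ8wDQYDVQQDEwZjYS1kdHQwHhcNMTIwMzA2MTkxNDM0WhcNMTcwMzA2MTkyNDA1
WjARMQ8wDQYDVQQDEwZjYS1kdHQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQCHOE1I0bgaF4WfHZErjaf8Et96xHaZuQxA3DPwO6jIDbXiBdSM4z+OYY+f
zz/M1zN/3M1O3az24hEiGnr1hOch4q0Ie466hjV9rB8znbcIN5NAUhBClcAbe+en
Fz1uWjy7e6lRQo+h8E8Z3kyciOX7qQ9km4YI1bOfVnTzff87AGAOunLMkPnj3QHH
852XGz87195OF6n+lc5wK2QLW6hVWoocBwlAZ0J16brXON7CXfBH+wBUn+C+gTMq
zQQyDvZIe3IfHkbGm4Cbtn669BJrXg1f+y19QPeiEjOMi+8UHYPctPJE93stWvVv
lhJ2CuSVvTcaXb/iycBk4EJX5HzXAgMBAAGjgb0wgbowCwYDVR0PBAQDAgGGMA8G
A1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFFLzw1X1qS/+ZN/fjwGnX9bHwzCFMGkG
A1UdHwRiMGAwXqBcoFqGKmh0dHA6Ly9odWF3ZWktY2Fyb290L0NlcnRFbnJvbGwv
Y2EtZHR0LmNybIYsZmlsZTovL1xcaHVhd2VpLWNhcm9vdFxDZXJ0RW5yb2xsXGNh
LWR0dC5jcmwwEAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQEFBQADggEBAIb2
J/pmMW63167PznbHxqwhcNKh/9JljeYfED3o9uqkALd1U02A/Bx6gl3DxAHhatqr
5Tc4sI7BJPOhKRs0cUDnveT4Oq+riED/OZ+pT4q1BUQHVTkqtdshOagvVwPXw9nI
QcoduaJ7gSDX3tEpxMhGXi4vBvR8h4PL9ZqVCqJlQoiB/aj0ZIkqAGolIlfFW+iP
Ees61qj4sRv19Wt0RHFwQmX1l3ECfM4j3c2g7VZYU7CudIQkoUUtZf2tEWvrzJ6k
eFcl2zbXL833RrD6aBdQttfB989juvsorSO9tjf066s6ljzyZB/HEFeczC/tyKzU
IzcNfkOqXIId5+jc7K8=
-----END CERTIFICATE-----"""

# Request printed by "crypto ca enroll" in 2.2.3 (transcribed from the page).
CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIIBtjCCAR8CAQAwQDERMA8GA1UEAxMIY2lzY29hc2ExKzASBgNVBAUTC0pNWDEz
NTBMMEY1MBUGCSqGSIb3DQEJAhYIY2lzY29hc2EwgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBAKhPgtFx1JRLaBxniWbmNH0iyiKyop+qSIIreAzIeDeDYjmaHxzv
fXEa4nJ/ph1xSzdOUpIdoKvMmKrOim1bUOEMLrZKQv4zrnX1xDHpUgSqNoZ0lpxi
g9vI+Pt/HY2LXPYoMQwPiRqKvVhAajbRuJ1PN3mPMHlLyPMgL3jXS0fBAgMBAAGg
NjA0BgkqhkiG9w0BCQ4xJzAlMA4GA1UdDwEB/wQEAwIFoDATBgNVHREEDDAKgghj
aXNjb2FzYTANBgkqhkiG9w0BAQUFAAOBgQBMXsz51KzQpI8AERyRBfeU3o7QOip+
Fe7+s/h4y0KcC//6q6HYBNgZ0/1K6v/CdDVLH+Ukjv6jwz/+1cNx76eAurRMWcm1
JC0mCMQm+dWz4DAgmN1MffVsOuySv89xYalmu9DZoWEx4CKG/MaN2dx4s/J7zuSQ
Ht8UWbd1EFCV2A==
-----END CERTIFICATE REQUEST-----"""

OID_NAMES = {bytes.fromhex("550403"): "CN", bytes.fromhex("550405"): "serialNumber",
             bytes.fromhex("2a864886f70d010902"): "unstructuredName"}

def der_read(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def parse_name(name):
    """X.501 Name -> {attribute: value}; handles the multi-valued RDN SET the ASA emits."""
    attrs = {}
    for _, rdn in der_children(name):                 # each RDN is a SET of AVAs
        for _, ava in der_children(rdn):              # each AVA is SEQUENCE {OID, value}
            (_, oid), (_, val) = der_children(ava)
            attrs[OID_NAMES.get(oid, oid.hex())] = val.decode("utf-8", "replace")
    return attrs

def pem_to_der(pem):
    lines = (l.strip() for l in pem.splitlines())
    return base64.b64decode("".join(l for l in lines if l and not l.startswith("-----")))

def parse_certificate(pem):
    """Issuer, subject, validity and the MD5 fingerprint the ASA shows before 'accept?'."""
    der = pem_to_der(pem)
    f = der_children(der_children(der_read(der)[1])[0][1])   # tbsCertificate fields
    i = 1 if f[0][0] == 0xA0 else 0                          # skip explicit [0] version (v3)
    fmts = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}    # UTCTime / GeneralizedTime
    not_before, not_after = [datetime.strptime(t.decode(), fmts[tag]) for tag, t in der_children(f[i + 3][1])]
    md5 = hashlib.md5(der).hexdigest()
    return {"serial": f[i][1].hex(), "issuer": parse_name(f[i + 2][1]), "subject": parse_name(f[i + 4][1]),
            "not_before": not_before, "not_after": not_after,
            "fingerprint": " ".join(md5[k:k + 8] for k in range(0, 32, 8))}   # ASA's 4x8 hex layout

def parse_csr_subject(pem):
    """Subject of a PKCS#10 request: CertificationRequestInfo = {version, subject, spki, attrs}."""
    info = der_children(der_children(der_read(pem_to_der(pem))[1])[0][1])
    return parse_name(info[1][1])

def check_peer_identity(remote_name, csr_pem=CSR_PEM):
    """The Huawei 'remote-name' must equal the CN the ASA is being issued, or IKE auth fails."""
    return parse_csr_subject(csr_pem).get("CN") == remote_name

def ca_still_valid(cert_pem=CA_CERT_PEM, now=None):
    """False outside the CA certificate's validity window."""
    c = parse_certificate(cert_pem)
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    return c["not_before"] <= now <= c["not_after"]
```

Run against the page's own blobs, parse_certificate reports issuer and subject CN ca-dtt and a validity window of 2012-03-06 to 2017-03-06, so this particular CA certificate is long expired and cannot be reused as-is; parse_csr_subject reports CN=ciscoasa with serialNumber JMX1350L0F5 and unstructuredName ciscoasa, which is why check_peer_identity("ciscoasa") succeeds for the section 1 remote-name. The fingerprint the function returns is the value to hold against the ASA's prompt; if it disagrees, either the transcription or the pasted certificate is not the one you think it is.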

2.2.4 Import the local certificate

ciscoasa(config)# crypto ca import ASDM_TrustPoint1 certificate
