
ASA1 configuration
interface GigabitEthernet0/0
nve-only
nameif outside
security-level 0
ip address 202.100.12.1 255.255.255.0
multicast-routing
! vtep
nve 1
encapsulation vxlan
! VTEP source must be the nve-only interface (nameif outside on ASA1)
source-interface outside
default-mcast-group 224.0.0.1
interface vni1
segment-id 6000
nameif vxlan
security-level 50
ip address 202.100.1.10 255.255.255.0
vtep-nve 1
access-list out extended permit ip any any
access-group out in interface outside

ASA2 configuration
interface GigabitEthernet0/0
nve-only
nameif outside
security-level 0
ip address 202.100.12.2 255.255.255.0
interface BVI1
ip address 202.100.1.100 255.255.255.0
! vtep
nve 1
encapsulation vxlan
source-interface outside
interface GigabitEthernet0/1
nameif inside
bridge-group 1
security-level 100
interface vni1
segment-id 6000
nameif vxlan
bridge-group 1
security-level 50
vtep-nve 1
mcast-group 224.0.0.1
access-list vxlan extended permit ip any any
access-group vxlan in interface vxlan
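As an added example that is not part of the original notes, a small Python encoder/decoder for the VXLAN header the two VTEPs above exchange: segment-id 6000 becomes the 24-bit VNI, and the receiving side accepts only VNIs that map to a configured vni interface (the VNI-to-nameif table is constructed from the configs above; UDP 4789 is the IANA VXLAN port and the ASA default). The inner frame is a constructed stub.

```python
import struct

VXLAN_UDP_PORT = 4789        # IANA-assigned VXLAN port (RFC 7348); ASA default
VXLAN_FLAG_VNI_VALID = 0x08  # the "I" flag: the VNI field is valid
VXLAN_HEADER_LEN = 8

# Constructed from the two ASA configs above: VNI (segment-id) -> vni interface nameif.
VNI_TABLE = {6000: "vxlan"}


def build_vxlan_header(vni: int) -> bytes:
    """Encode the 8-byte VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    # The VNI occupies the top 24 bits of the final 32-bit word; the low byte is reserved (0).
    return struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, vni << 8)


def parse_vxlan_header(data: bytes) -> int:
    """Decode a VXLAN header and return its VNI; reject malformed headers."""
    if len(data) < VXLAN_HEADER_LEN:
        raise ValueError("truncated VXLAN header")
    flags, last_word = struct.unpack("!B3xI", data[:VXLAN_HEADER_LEN])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VNI-valid flag not set")
    if last_word & 0xFF:
        raise ValueError("reserved byte after VNI must be zero")
    return last_word >> 8


def encapsulate(vni: int, inner_frame: bytes) -> bytes:
    """VXLAN payload as the sending VTEP builds it (outer IP/UDP headers omitted)."""
    return build_vxlan_header(vni) + inner_frame


def decapsulate(payload: bytes, vni_table=VNI_TABLE):
    """Receiving VTEP: map the VNI to a vni interface, or drop (return None)."""
    vni = parse_vxlan_header(payload)
    nameif = vni_table.get(vni)
    if nameif is None:
        return None  # no 'interface vniN / segment-id <vni>' for this VNI: drop
    return nameif, payload[VXLAN_HEADER_LEN:]


if __name__ == "__main__":
    # constructed inner Ethernet frame stub: broadcast dst, made-up src, ARP ethertype
    inner = bytes.fromhex("ffffffffffff" "0011223344aa" "0806")
    wire = encapsulate(6000, inner)
    print(wire.hex())
    print(decapsulate(wire))
    print(decapsulate(encapsulate(7000, inner)))
```

A frame carrying a VNI with no matching segment-id on the receiving ASA is dropped rather than bridged, which is the behaviour the `segment-id` line on `interface vni1` gives you.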


SGT: Security Group Tag
SGT: ISE acts as the tag server
SGA: Security Group Access, tag-based
SXP: Security Group eXchange Protocol
aaa-server ISE protocol radius
aaa-server ISE (inside) host 192.168.1.241
key cisco
cts server-group ISE


ISE node types: PAN, PSN, MNT
PAN: policy admin node
PSN: policy server node
Standalone deployment
Distributed deployment

cts sxp enable
cts sxp default password Cisco0123
cts sxp default source-ip 202.100.12.1
cts sxp connection peer 192.168.1.241 password default mode peer speaker

cts sxp enable
cts sxp default password Cisco0123
cts sxp default source-ip 192.168.1.10
cts sxp connection peer 192.168.1.241 password default mode peer speaker
sh cts sxp connections

sh cts sgt-map detail

sh cts sxp sgt-map

object-group security qytang-sg
security-group tag 16
access-list out extended deny icmp object-group-security qytang-sg any any

Inbound traffic control

Interconnect interface
cts manual
policy static sgt 600 trusted

SGT propagation on the interface (inline tagging)
cts manual
policy static sgt 600 trusted
SGT propagation via SXP
ip local pool SSLPOOL 172.16.1.100-172.16.1.200
group-policy sslpolicy internal
group-policy sslpolicy attributes
vpn-tunnel-protocol ssl-client ssl-clientless
address-pools value SSLPOOL
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group ISE
webvpn
enable Outside
anyconnect image disk0:/anyconnect-win-4.3.04027-k9.pkg 1
anyconnect enable

Install the API
asa_acl(ip,username,password,action,pro,src,dst,dstp=0,port=443)
asa_acl('10.1.1.1','admin','Cisc0123',1,'tcp','any','Inside-Server',80,port=443)

asa_nat_add(ip,username,password,srcobj,dstobj,port=443)
asa_nat_add('10.1.1.1','admin','Cisc0123','Inside-Server','outside_server')
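As an added example that is not the course's own code, a Python implementation with the same call shape as the two wrappers above. It builds the CLI lines (assumed: the ACL is named `out` as in the ASA1 config above, `action` 1 means permit and 0 means deny, and the NAT rule is object NAT from `inside` to `outside`) and sends them through the ASA REST API `/api/cli` endpoint with HTTP basic authentication; the ASA must be running the REST API plug-in and its TLS certificate must be trusted by the client host.

```python
import base64
import ipaddress
import json
import urllib.request

ACTIONS = {1: "permit", 0: "deny"}   # assumed mapping for the 'action' argument
PROTOCOLS = ("ip", "tcp", "udp", "icmp")
ACL_NAME = "out"                     # assumed: the ACL used in the ASA1 config above


def _addr(token: str) -> str:
    """Render an address argument: 'any', a host, a CIDR prefix, or a network object name."""
    if token == "any":
        return "any"
    try:
        net = ipaddress.ip_network(token, strict=False)
    except ValueError:
        return f"object {token}"     # assumed to be an existing network object on the ASA
    if net.num_addresses == 1:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def build_acl_command(action, pro, src, dst, dstp=0, acl=ACL_NAME) -> str:
    """Build one 'access-list ... extended' line, validating each argument first."""
    if action not in ACTIONS:
        raise ValueError("action must be 1 (permit) or 0 (deny)")
    if pro not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {pro!r}")
    cmd = f"access-list {acl} extended {ACTIONS[action]} {pro} {_addr(src)} {_addr(dst)}"
    if dstp:
        if pro not in ("tcp", "udp"):
            raise ValueError("a destination port needs tcp or udp")
        if not 1 <= int(dstp) <= 65535:
            raise ValueError("port out of range")
        cmd += f" eq {int(dstp)}"
    return cmd


def build_nat_commands(srcobj: str, dstobj: str) -> list:
    """Object NAT: statically map the real object to the mapped object, inside -> outside."""
    return [f"object network {srcobj}", f"nat (inside,outside) static {dstobj}"]


def send_cli(ip, username, password, commands, port=443, timeout=10):
    """POST the command list to /api/cli and return the parsed JSON reply."""
    url = f"https://{ip}:{port}/api/cli"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        url,
        data=json.dumps({"commands": commands}).encode(),
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Accept": "application/json",
            "User-Agent": "REST API Agent",   # the ASA REST API expects this agent string
            "Authorization": f"Basic {token}",
        },
    )
    # TLS verification is left on: the ASA certificate must be trusted by this host.
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def asa_acl(ip, username, password, action, pro, src, dst, dstp=0, port=443):
    return send_cli(ip, username, password,
                    [build_acl_command(action, pro, src, dst, dstp)], port)


def asa_nat_add(ip, username, password, srcobj, dstobj, port=443):
    return send_cli(ip, username, password, build_nat_commands(srcobj, dstobj), port)


if __name__ == "__main__":
    # Offline: show the exact CLI that the two example calls above would push.
    print(build_acl_command(1, "tcp", "any", "Inside-Server", 80))
    print(build_nat_commands("Inside-Server", "outside_server"))
```

Keeping the command builders separate from the sender lets you review the generated CLI (or unit-test it) before anything reaches the firewall, and the argument checks stop a malformed value from being pushed as a broken rule.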