背景介绍
ladies andgentlement,有没有碰到这样的情况,起实验,架拓扑,想在ASA上配个SSL VPN或者起个ASDM管理界面,吭吭唧唧,费了半天劲,IE流浪器里出来的是无法访问,汗死,一遍遍查配置,没问题啊,再试试,哼哼唧唧,嘿嘿呦呦,还是无法访问,汗!!!怎么办,往下看。
拓扑
问题描述 配置没有问题,winxp访问一切正常,win7访问就这样
什么猫病!!!,你妹,往下看
排错
碰到这种情况,我当时也是丈二和尚了,肿么办?开LOGGING,看看IE和ASA哥俩都聊什么了。
ciscoasa(config)#logging buffereddebugging 开启debug级别的log记录
ciscoasa(config)#logging buffer-size1048576 把log的buffer调大,要不寄存器会被冲刷
ciscoasa(config)#loggingon
这个时候我们重新用win7的ie访问ASA首页,然后在ASA敲show logging
%ASA-7-609002: Teardownlocal-host outside:10.1.1.1 duration 0:01:05
%ASA-7-609002: Teardown local-host identity:10.1.1.10 duration0:01:05
%ASA-6-725007: SSL session with client outside:10.1.1.1/1084terminated.
%ASA-7-609001: Built local-host outside:10.1.1.2
%ASA-7-609001: Built local-host identity:10.1.1.10
%ASA-6-302013: Built inbound TCP connection 14 foroutside:10.1.1.2/49177 (10.1.1.2/49177) to identity:10.1.1.10/443(10.1.1.10/443)
%ASA-6-725001: Starting SSL handshake with clientoutside:10.1.1.2/49177 for TLSv1 session.
%ASA-7-725010: Device supports the following 1 cipher(s).
%ASA-7-725011: Cipher[1] : DES-CBC-SHA
%ASA-7-725008: SSL client outside:10.1.1.2/49177 proposes thefollowing 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : AES256-SHA
%ASA-7-725011: Cipher[3] : RC4-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[6] : DHE-DSS-AES256-SHA
%ASA-7-725011: Cipher[7] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725014: SSL liberror. Function: SSL3_GET_CLIENT_HELLO Reason: no sharedcipher
%ASA-6-302014: Teardown TCP connection 14 foroutside:10.1.1.2/49177 to identity:10.1.1.10/443 duration 0:00:00bytes 7 TCP Reset by appliance
%ASA-7-609002: Teardown local-host outside:10.1.1.2 duration0:00:00
%ASA-7-609002: Teardown local-host identity:10.1.1.10 duration0:00:00
看到用红色字体标出来的那行了吗,是双方的sll加密方法不匹配,你妹,原来哥俩互相喷外文那,谁也听不懂谁说话。咋办,往下看
既然IE看不懂ASA的加密方式,那咱们就让ASA多几种加密方式,先看看ASA会说什么鸟文。
cisco(config)#show ssl
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate toSSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order:des-sha1
Disabled ciphers:3des-sha1 rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 null-sha1
No SSL trust-points configured
Certificate authentication is not enabled
看到了吧,ASA只会说des-sha1这种鸟文,不多说,让ASA学外语
ciscoasa(config)# ssl encryption 3des-sha1 aes128-sha1 aes256-sha1rc4-md5 rc4-sha1
如果当你敲完上面的命令 ^这个破玩意儿出来了,恭喜你,看看ASA的license吧
cisco(config)#show version
Licensed features for thisplatform:
Maximum PhysicalInterfaces :Unlimited perpetual
MaximumVLANs :100 perpetual
InsideHosts :Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES :Enabled perpetual
VPN-3DES-AES :Disabled perpetual
SecurityContexts :5 perpetual
GTP/GPRS :Disabled perpetual
AnyConnect PremiumPeers :25 perpetual
AnyConnectEssentials :Disabled perpetual
Other VPNPeers :5000 perpetual
Total VPNPeers :0 perpetual
SharedLicense :Enabled perpetual
AnyConnect forMobile :Enabled perpetual
AnyConnect for Cisco VPNPhone :Enabled perpetual
Advanced EndpointAssessment :Enabled perpetual
UC Phone ProxySessions :10 perpetual
Total UC ProxySessions :10 perpetual
Botnet TrafficFilter :Enabled perpetual
Intercompany MediaEngine :Enabled perpetual
我靠,没有3des的license,咋办?找“死磕”去,点下面的连接申请个3des的license,免费的,“死磕”还挺仁义
https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=139
把序列号填进去,一会“死磕”就给你邮箱发邮件了,把邮件里的key在ASA上激活
ciscoasa(config)# activation-key ******** **** ****
激活之后那?再让ASA学外语,命令如下
ciscoasa(config)#ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-md5rc4-sha1
好了,现在再去试试吧,八成如下界面就会蹦出来。
总结
以上的总结是我做case的时候碰到的情况,问题的关键就是死路,浏览器打不开了,你也不知道为什么,怎么办,ASA上开log或者debug,你得搞明白IE和ASA哥俩都聊什么。
献丑了各位
libo zhao
QQ:99658078
2012.7.8
<跟“死磕”磕>