CISCO URL-BASED ROUTING
1、 终端需求:
能够为LAN区域的终端及anyconnect拨号客户端下发策略,使终端设备的HTTP(包括TLS)流量能够走正确的路径
2、 中间系统需求:
采用IOS-XE设备及AX许可
3、 基础配置:
WAN口:
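! WAN physical port. It carries the PPPoE session only; the negotiated address lives on Dialer1.
interface GigabitEthernet1
 description WAN
 no ip address
 negotiation auto
 ! CDP advertises platform, software version and addressing to whatever is on the far end of
 ! the link. This port faces the ISP access network, so the original "cdp enable" is turned off.
 no cdp enable
 pppoe enable group global
 pppoe-client dial-pool-number 1
!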
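! Logical WAN interface: address negotiated over PPP from the ISP, NAT outside side, default route.
! NOTE(review): no inbound ACL or zone-based firewall is applied here in the visible config; confirm
! one exists elsewhere, because this interface also terminates the Internet-facing SSL VPN listener.
interface Dialer1
 description WAN
 ! Dynamic DNS: publishes the negotiated address under the 3322.net hostname (method "3322" is
 ! defined outside this listing).
 ip ddns update hostname xxx.f3322.net
 ip ddns update 3322 host members.3322.net
 ip address negotiated
 ip nat outside
 encapsulation ppp
 ! 1452 = 1492 (PPPoE MTU) - 40 bytes of IP/TCP header; clamping MSS avoids relying on PMTUD.
 ip tcp adjust-mss 1452
 dialer pool 1
 ! NOTE(review): "password 7" is reversible obfuscation, not encryption, so the running-config
 ! effectively contains the PPPoE password in the clear. PAP also sends it unencrypted to the ISP;
 ! use CHAP if the ISP supports it.
 ppp pap sent-username xxx password 7 xxx
 ppp ipcp dns request
 ppp ipcp route default
!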
LAN口配置:
! LAN access ports: untagged Ethernet, attached to bridge-domain 1 through service instance 1.
interface range GigabitEthernet2-6
no ip address
negotiation auto
! CDP is left on here; these ports face the LAN only.
cdp enable
service instance 1 ethernet
encapsulation untagged
!
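! Layer-2 domain joining the LAN access ports; BDI1 is its routed interface.
! The original also listed "member GigabitEthernet1 service-instance 1". GigabitEthernet1 is the
! PPPoE WAN uplink and has no service instance 1 configured, so the line is either a paste error
! or would bridge the ISP-facing port straight into the LAN broadcast domain; it is dropped here.
bridge-domain 1
 member GigabitEthernet2 service-instance 1
 member GigabitEthernet3 service-instance 1
 member GigabitEthernet4 service-instance 1
 member GigabitEthernet5 service-instance 1
 member GigabitEthernet6 service-instance 1
bridge irb
!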
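! Routed interface of bridge-domain 1: LAN default gateway, the resolver handed out by DHCP, and
! the NAT inside side.
interface BDI1
 ip address 192.168.0.1 255.255.255.0
 ! Protocol discovery only gathers per-application statistics on this interface.
 ip nbar protocol-discovery
 ip nat inside
!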
DHCP配置:
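! LAN DHCP: .1-.50 are kept free for infrastructure; the router is both gateway and resolver.
! (Section 5 adds option 252, the PAC URL, to this same pool.)
ip dhcp excluded-address 192.168.0.1 192.168.0.50
ip dhcp pool NAT
 network 192.168.0.0 255.255.255.0
 dns-server 192.168.0.1
 default-router 192.168.0.1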
NAT配置:
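! PAT every source matching ACL 1 behind the Dialer1 address.
ip nat inside source list 1 interface Dialer1 overload
! 192.168.0.0/16 wildcard: one line covers the LAN (192.168.0.0/24), the guestshell network
! (192.168.1.0/24) and the SSL VPN pool (192.168.32.0/24). Least privilege would be three explicit
! /24 entries; the /16 is kept so any other 192.168.x segment in parts of the config not shown here
! keeps working - confirm none is unintended.
access-list 1 permit 192.168.0.0 0.0.255.255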
!
VPN配置
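! Local AAA for the SSL VPN. The original read "aaa new-module", which is not a command; the method
! lists below need "aaa new-model". Users come from the local username database (not shown).
! NOTE(review): the listener is Internet-facing and nothing visible limits failed logins; consider
! "aaa local authentication attempts max-fail <n>" so password guessing locks the account.
aaa new-model
aaa authentication login sslvpn local
aaa authorization network sslvpn local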
!
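! TLS cipher suites offered by the SSL VPN listener. The original also offered rsa-rc4128-md5 and
! rsa-3des-ede-sha1; RC4 is prohibited in TLS (RFC 7465) and 3DES is a 64-bit block cipher, and
! current AnyConnect clients negotiate AES, so only the AES suites are kept.
crypto ssl proposal sslvpn-proposal
 protection rsa-aes128-sha1 rsa-aes256-sha1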
!
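! Attributes pushed to an authenticated VPN user: address pool, resolver and default domain.
crypto ssl authorization policy sslvpn-auth-policy
 pool sslvpn
 dns 192.168.0.1
 def-domain uq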
!
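! Listener definition: binds the SSL VPN to the Dialer1 (Internet) address on tcp/4443.
crypto ssl policy sslvpn-policy
 ssl proposal sslvpn-proposal
 ! NOTE(review): trustpoint SIG is not defined in the visible config. If it is self-signed, every
 ! client sees a certificate warning and users learn to click through, which defeats the TLS
 ! server authentication a VPN depends on; a certificate chaining to a public CA avoids that.
 pki trustpoint SIG sign
 ip interface Dialer1 port 4443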
!
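! Ties the listener to AAA: username/password authentication against list "sslvpn", then the
! authorization policy above. max-users caps concurrent sessions only; it is not a brute-force limit.
crypto ssl profile sslvpn-profile
 match policy sslvpn-policy
 aaa authentication user-pass list sslvpn
 aaa authorization group user-pass list sslvpn sslvpn-auth-policy
 authentication remote user-pass
 max-users 100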
!
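! Address pool for SSL VPN clients (.100-.254); it must stay inside the range matched by NAT ACL 1.
ip local pool sslvpn 192.168.32.100 192.168.32.254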
===============================================================================
4、 搭建web流量代理服务
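! Enable IOx and define the guestshell container that hosts privoxy, v2ray and nginx.
iox
!
app-hosting appid guestshell
 ! The container's interface sits on VirtualPortGroup0 (192.168.1.0/24) with the router as gateway
 ! and resolver, so its egress is NATed through Dialer1 like any LAN host.
 app-vnic gateway0 virtualportgroup 0 guest-interface 0
  guest-ipaddress 192.168.1.100 netmask 255.255.255.0
 app-default-gateway 192.168.1.1 guest-interface 0
 name-server0 192.168.1.1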
!
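! Router-side end of the container link; NAT inside so the container can reach the Internet.
interface VirtualPortGroup0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside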
!
安装privoxy与v2ray服务和nginx
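#######################################
# Append the site-specific privoxy settings to its main config.
#   actionsfile gfwlist.action   - load the downloaded rule set from /etc/privoxy
#   listen-address 0.0.0.0:8118  - accept proxy requests on every guestshell interface
#   permit-access ...            - only the LAN and the SSL VPN pool may use the proxy.
#                                  With no ACL privoxy accepts connections from any source
#                                  that can reach 192.168.1.100; an allow-list costs nothing.
# Arguments: $1 - path of the privoxy config (default /etc/privoxy/config)
# Returns:   non-zero if the file cannot be appended to
#######################################
privoxy_append_config() {
  local conf=${1:-/etc/privoxy/config}
  printf '%s\n' \
    'actionsfile gfwlist.action' \
    'listen-address 0.0.0.0:8118' \
    'permit-access 192.168.0.0/24' \
    'permit-access 192.168.32.0/24' \
    >> "$conf"
}

privoxy_append_config "${PRIVOXY_CONF:-/etc/privoxy/config}"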
下载gfwlist.action文件到/etc/privoxy目录（该文件决定哪些域名会被转发到代理，请从可信来源获取并核对内容后再启用）
启动v2ray服务
[root@guestshell guestshell]# systemctl status v2ray.service
● v2ray.service -V2Ray Service
Loaded: loaded(/etc/systemd/system/v2ray.service; enabled; vendor preset: disabled)
Active: active (running) since Fri2020-12-25 12:48:30 UTC; 3 days ago
Main PID: 34 (v2ray)
CGroup:/system.slice/libvirtd.service/system.slice/v2ray.service
└─34/usr/bin/v2ray/v2ray -config /etc/v2ray/config.json
启动nginx服务（注：原文此处粘贴的仍是 v2ray 的状态输出，并非 nginx；应执行 systemctl status nginx.service 并确认其为 active (running)）
[root@guestshell guestshell]# systemctl status v2ray.service
● v2ray.service -V2Ray Service
Loaded: loaded(/etc/systemd/system/v2ray.service; enabled; vendor preset: disabled)
Active: active (running) since Fri2020-12-25 12:48:30 UTC; 3 days ago
Main PID: 34 (v2ray)
CGroup:/system.slice/libvirtd.service/system.slice/v2ray.service
└─34/usr/bin/v2ray/v2ray -config /etc/v2ray/config.json
在nginx的根目录下创建个proxy.pac文件
[root@guestshell guestshell]# more /usr/share/nginx/html/proxy.pac
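// PAC (proxy auto-config) entry point: decides how the browser reaches `url` on `host`.
// Returns "DIRECT" for dot-less names, *.local, and hosts that resolve into an RFC1918
// range, loopback or 173.37.0.0/16; everything else goes to privoxy on the guestshell.
//
// NOTE(review): dnsResolve() asks the client's local resolver for every other host
// *before* the proxy decision, so the names of sites meant to go through the proxy still
// reach that resolver, and a spoofed answer inside one of the DIRECT ranges would turn
// the request into DIRECT. Match on hostname patterns instead if that matters.
function FindProxyForURL(url, host) {
  var PROXY = "PROXY 192.168.1.100:8118";

  // Dot-less names and *.local never leave the LAN; no lookup needed.
  if (isPlainHostName(host) || shExpMatch(host, "*.local")) {
    return "DIRECT";
  }

  // Resolve exactly once (the original resolved up to five times per URL). dnsResolve()
  // yields null for names it cannot resolve; such hosts fall through to the proxy.
  var addr = dnsResolve(host);
  if (addr) {
    var directNets = [
      ["10.0.0.0",    "255.0.0.0"],    // RFC1918
      ["172.16.0.0",  "255.240.0.0"],  // RFC1918
      ["192.168.0.0", "255.255.0.0"],  // RFC1918: LAN, guestshell and VPN pool live here
      ["173.37.0.0",  "255.255.0.0"],  // kept from the original rule set
      ["127.0.0.0",   "255.0.0.0"]     // loopback is 127/8, not the /24 the original used
    ];
    for (var i = 0; i < directNets.length; i++) {
      if (isInNet(addr, directNets[i][0], directNets[i][1])) {
        return "DIRECT";
      }
    }
  }

  return PROXY;
}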
5、 为LAN和anyconnect客户端下发策略
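! Push the PAC URL to LAN clients via DHCP option 252 (WPAD-style auto-configuration).
! NOTE(review): the PAC is fetched over plain HTTP and clients accept option 252 from whichever
! DHCP server answers first, so anyone on the LAN who can run a rogue DHCP server can hand out a
! different PAC and pull every browser's traffic through a proxy of their choosing; DHCP snooping
! on the access ports is the usual mitigation where the platform supports it. Not every client
! honours option 252 (Firefox, for one, does not), so some clients need the URL set by hand.
ip dhcp pool NAT
 option 252 ascii http://192.168.1.100/proxy.pac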
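! Same proxy for AnyConnect users, pushed as the client's system (IE/WinINET) proxy setting; this
! re-enters the policy defined in section 3. 192.168.1.100 is reached through the tunnel, and the
! PAC's 192.168.0.0/16 DIRECT rule keeps the proxy itself from being proxied.
crypto ssl authorization policy sslvpn-auth-policy
 msie-proxy server 192.168.1.100:8118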