CENT-FW
conf t
access-list OUT-TO-IN extended permit tcp 110.240.50.0 255.255.255.0 host 172.16.0.1 eq 80
access-list OUT-TO-IN extended permit tcp 110.240.50.0 255.255.255.0 host 172.16.0.1 eq 443
access-group OUT-TO-IN in interface OUTSIDE
CENT-SRV
#cd /etc/ssl/
#openssl req -new -out www.req -newkey rsa:2048 -nodes -keyout www.key
※CN=www.skills2021.kr
WORK-R
end
crypto pki server SKILLS-CA request pkcs10 terminal
※Paste the contents of the www.req file; save the certificate that is printed to CENT-SRV as /etc/ssl/www.crt
CENT-SRV
vim /etc/apache2/sites-available/default-ssl.conf
a2enmod authnz_ldap
a2enmod ssl
a2ensite default-ssl.conf
systemctl restart apache2
1) Cut Through Proxy
EX-FW
access-list OUT-TO-IN extended permit tcp 9.9.9.0 255.255.255.0 host 110.240.50.1 eq 80
access-list OUT-TO-IN extended permit tcp 9.9.9.0 255.255.255.0 host 110.240.50.1 eq 443
access-group OUT-TO-IN in interface OUTSIDE
ISP
apt -y install apache2
echo "This is Internet Service Provider" > /var/www/html/index.html
cd /etc/ssl
openssl req -new -out isp.req -newkey rsa:2048 -nodes -keyout isp.key
CN=www.isp.net
WORK-R
crypto pki server SKILLS-CA request pkcs10 terminal
※Paste the contents of the isp.req file; save the certificate that is printed to ISP as /etc/ssl/isp.crt
ISP
a2enmod ssl
a2ensite default-ssl.conf
vim /etc/apache2/sites-available/default-ssl.conf
systemctl restart apache2
※Copy the SKILLS-CA certificate to /etc/ssl/cacert.pem before proceeding
#cd /etc/ssl
#openssl pkcs12 -export -out isp.pfx -in isp.crt -inkey isp.key -certfile /etc/ssl/cacert.pem
※Password: korea2021##
#openssl base64 -in isp.pfx > isp.txt
※Copy isp.txt to the desktop of REMOTE
EX-FW
crypto key generate rsa modulus 1024
username admin password korea2021##
ssh 0.0.0.0 0.0.0.0 inside
aaa authentication ssh console LOCAL
REMOTE
※From REMOTE, open cmd and connect to EX-FW over SSH
ssh admin@110.240.50.254
[yes/no]: yes
※PW = korea2021##
en
conf t
crypto ca import HTTPS pkcs12 korea2021##
※Paste the contents of ISP.txt from the desktop here, then enter "quit"
EX-FW
ssl trust-point HTTPS
access-list AUTH extended permit tcp 9.9.9.0 255.255.255.0 host 110.240.50.1 eq 443
aaa authentication match AUTH outside LOCAL
aaa authentication secure-http-client
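As an added check (not part of the original lab notes or Cisco code), the script below models the EX-FW cut-through proxy configuration above: it parses the OUT-TO-IN and AUTH ACEs as written on this page and reports, for a flow arriving on OUTSIDE, whether the interface ACL permits it and whether the `aaa authentication match AUTH` rule will demand credentials first. The ACL semantics (subnet masks, first match, implicit deny) are a simplified model assumed for the example.

```python
import ipaddress
import re

# ACEs copied from the EX-FW section of this page (example input only).
OUT_TO_IN = [
    "access-list OUT-TO-IN extended permit tcp 9.9.9.0 255.255.255.0 host 110.240.50.1 eq 80",
    "access-list OUT-TO-IN extended permit tcp 9.9.9.0 255.255.255.0 host 110.240.50.1 eq 443",
]
AUTH = [
    "access-list AUTH extended permit tcp 9.9.9.0 255.255.255.0 host 110.240.50.1 eq 443",
]

# Only the "extended permit|deny tcp <src> <dst> eq <port>" shape used on this page.
ACE = re.compile(
    r"access-list \S+ extended (permit|deny) tcp "
    r"(?:host (\S+)|(\S+) (\S+)) (?:host (\S+)|(\S+) (\S+)) eq (\d+)$"
)

def _net(host, addr, mask):
    # ASA ACLs take a subnet mask (255.255.255.0), not a wildcard mask.
    return ipaddress.ip_network(f"{host}/32" if host else f"{addr}/{mask}", strict=False)

def parse(lines):
    """Turn ACE strings into (permit, src_net, dst_net, dport) tuples."""
    aces = []
    for line in lines:
        m = ACE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE: {line}")
        action, sh, sa, sm, dh, da, dm, port = m.groups()
        aces.append((action == "permit", _net(sh, sa, sm), _net(dh, da, dm), int(port)))
    return aces

def matches(aces, src, dst, dport):
    """First-match evaluation; None means no ACE matched (implicit deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for permit, snet, dnet, port in aces:
        if s in snet and d in dnet and port == dport:
            return permit
    return None

def evaluate(src, dst, dport):
    """Return (permitted_by_interface_acl, authentication_required) for a flow."""
    permitted = matches(parse(OUT_TO_IN), src, dst, dport) is True
    auth = permitted and matches(parse(AUTH), src, dst, dport) is True
    return permitted, auth
```

Running `evaluate("9.9.9.10", "110.240.50.1", 80)` shows that plain HTTP is allowed through without a credential prompt, because AUTH only covers port 443.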