I. Overview:
The initial HTTP access port of acs4.x is 2002; after that, each session is moved to a port chosen at random from 1024~65535 by default. This is no problem when accessing from the inside area of the ASA to the outside area, but when accessing from the outside area of the ASA to the inside area it is a problem, because all of the ports acs4.x might use cannot be opened.
II. Basic ideas:
A. Define the range of the acs4.x dynamic ports
---Note that the acs4.x dynamic port differs for each session: if you narrow the range to a single value, such as 2003~2003, only one session can manage acs4.x at a time.
B. Configure HTTPS access (optional)
---I initially thought that after configuring HTTPS there would be no dynamic port, but testing showed that HTTPS also uses 2002 as the initial port and the subsequent port still changes randomly.
III. Configuration method:
A. Define the range of the acs4.x dynamic ports
---Administration Control->Access Policy->HTTP Port Allocation: set the range; here the range is assumed to be 2003~2004.
B. Configure HTTPS access (optional)
Reference link: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/sau.html#wp327487
HTTPS certificates can be configured in several ways, either by requesting one from a CA or by creating a self-signed certificate; I tested with a self-signed certificate:
① Generate a self-signed certificate
---System Configuration->ACS Certificate Setup->Generate Self-Signed Certificate
② Restart ACS as prompted
③ Modify the access policy to use HTTPS
---Administration Control->Access Policy->Secure Socket Layer Setup, tick: Use HTTPS Transport for Administration Access
C. Firewall permit strategy
---Given the dynamic port range set above plus the initial port 2002, only TCP 2002~2004 needs to be permitted through the firewall, which allows two users to manage acs4.x at the same time.
① Topology:
202.100.1.0/24                         10.1.1.0/24
PC1 (.8)-----Outside--------------(.1) ASA842 (.1)------Inside-----------(.) acs4.x
② Firewall ASA842 configuration:
1. PAT the intranet out to the public network:
object network Inside_net
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
2. Map the port range:
object network Inside_acs_host
 host 10.1.1.100
object service Acs_ports
 service tcp destination range 2002 2004
nat (outside,inside) source static any any destination static interface Inside_acs_host service Acs_ports Acs_ports
3. Configure the policy:
policy-map global_policy
 class inspection_default
  inspect icmp
access-list Outside extended permit tcp host 202.100.1.8 object Inside_acs_host range 2002 2004
access-group Outside in interface outside
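The following is an added example, not code from the original post or from Cisco. It turns the rule above into a check a firewall administrator can run before applying the change: given the ACS "HTTP port allocation" range, it computes every TCP port an admin session can land on (the fixed 2002 plus the dynamic range), how many concurrent admin sessions that range allows, and compares each ASA `service`/`access-list` line against that set, reporting ports the session would need but the firewall blocks (the hang described in the overview) and ports opened beyond what the admin UI needs. It assumes the ACS behaviour exactly as the article describes it and only understands the ASA `range A B` and `eq N` port clauses; the sample lines, including the naive `eq 2002` ACL, are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# ACS 4.x admin web listener: the first request always goes to TCP 2002 (as the
# article states); each session is then moved to a port from the HTTP port
# allocation range configured on ACS.
ACS_INITIAL_PORT = 2002


@dataclass(frozen=True)
class PortRange:
    low: int
    high: int

    def ports(self) -> set:
        return set(range(self.low, self.high + 1))


def acs_admin_ports(dynamic: PortRange) -> set:
    """Every TCP port an admin session can use: initial port plus the dynamic range."""
    return {ACS_INITIAL_PORT} | dynamic.ports()


def max_concurrent_sessions(dynamic: PortRange) -> int:
    """ACS assigns one dynamic port per session, so the range size caps concurrent admins."""
    return dynamic.high - dynamic.low + 1


_RANGE = re.compile(r"\brange\s+(\d+)\s+(\d+)\b")
_EQ = re.compile(r"\beq\s+(\d+)\b")


def ports_from_asa_line(line: str) -> Optional[set]:
    """Port set named by an ASA 'service tcp destination ...' or 'access-list ...' line.

    Understands 'range A B' and 'eq N'; returns None when the line carries no port clause
    (e.g. the nat statement, which refers to the service object by name).
    """
    m = _RANGE.search(line)
    if m:
        return PortRange(int(m.group(1)), int(m.group(2))).ports()
    m = _EQ.search(line)
    if m:
        return {int(m.group(1))}
    return None


def check_asa_lines(dynamic: PortRange, asa_lines: list) -> list:
    """Compare each port-carrying ASA line with what ACS admin access needs.

    'missing' ports break any session ACS moves there; 'excess' ports are exposure
    beyond what the admin UI needs and should be trimmed from the rule.
    """
    needed = acs_admin_ports(dynamic)
    findings = []
    for line in asa_lines:
        opened = ports_from_asa_line(line)
        if opened is None:
            continue
        findings.append({
            "line": line.strip(),
            "missing": sorted(needed - opened),
            "excess": sorted(opened - needed),
        })
    return findings


# Constructed sample: the article's ASA lines (range 2002-2004) plus a naive ACL that
# opens only the initial port, which is the failure mode the overview describes.
ARTICLE_LINES = [
    "service tcp destination range 2002 2004",
    "access-list Outside extended permit tcp host 202.100.1.8 object Inside_acs_host range 2002 2004",
]
NAIVE_LINES = [
    "access-list Outside extended permit tcp host 202.100.1.8 object Inside_acs_host eq 2002",
]

if __name__ == "__main__":
    acs_range = PortRange(2003, 2004)  # value set under HTTP Port Allocation in the article
    print("concurrent admin sessions:", max_concurrent_sessions(acs_range))
    for finding in check_asa_lines(acs_range, ARTICLE_LINES + NAIVE_LINES):
        print(finding)
```

Running it against the article's lines reports no missing and no excess ports and two concurrent sessions; the naive `eq 2002` ACL is flagged with 2003 and 2004 missing, which is exactly the case where the first page loads and the session then stalls.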
This article comes from the "Httpyuntianjxxll.spac" blog; please keep this source: http://333234.blog.51cto.com/323234/1220918