Cloud Web Security (CWS) Internet Security Service

How it works

The new-generation CWS Internet security service builds an IPsec-protected GRE tunnel between the router and a Cisco node (tower); all traffic passes through the Cisco node, where security filtering and custom blocking are applied.
The Asia-Pacific nodes are currently located in Tokyo, Hong Kong and Singapore.

Requirements

  • IOS XE version 16.3.1 or later.
  • A SEC license and a CWS license.

Web portal configuration

Router configuration

1. Configure the certificate trustpoint for the Cisco tower

ISR4321(config)#crypto pki trustpoint cws-trustpoint
ISR4321(ca-trustpoint)#revocation-check none
ISR4321(ca-trustpoint)#enrollment terminal 
ISR4321(ca-trustpoint)#exit
ISR4321(config)#crypto pki authenticate cws-trustpoint

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself

MIIGxDCCBKygAwIBAgIUdRcWd4PQQ361VsNXlG5FY7jr06wwDQYJKoZIhvcNAQEL
BQAwRTELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxGzAZ

[omitted: the certificate has not been published; request it from the CWS service team]

kmhVGonSXy5aP+hDC+Ht+bxmc4wN5x+vB02hak8Hh8jIUStRxOsRfJozU0R9ysyP
EZAHFZ3Zivg2BaD4tOISO8/T2FDjG7PNUv0tgPAOKw2t94B+1evrSUhqJDU0Wf9c
9vkaKoPvX4w=

Trustpoint 'cws-trustpoint' is a subordinate CA and holds a non self signed cert
Certificate has the following attributes:
       Fingerprint MD5: 1135E326 56E5AADF 53A4DD32 C8D5590F 
      Fingerprint SHA1: AC4A728B 4DFC3560 1FA34B92 2422A42C 253F756C 

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported

ISR4321(config)#
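Before answering yes at the prompt above, the fingerprints the router prints should be compared with the certificate file received from the CWS service team, so that a wrong or substituted CA is not accepted. The following Python script is an added example, not part of this page or of Cisco's tooling: it decodes a PEM file to DER bytes, computes the MD5 and SHA1 fingerprints, formats them in the same 8-character groups IOS prints, and compares them against the prompt text. SAMPLE_PEM and ROUTER_PROMPT are constructed stand-ins (the PEM body decodes to the bytes "abc", not to a real certificate); substitute the real PEM and the text from your own router.

```python
import base64
import hashlib
import re

# Constructed stand-in for a PEM file: the base64 body decodes to b"abc", not to a
# real certificate. Replace it with the PEM received from the CWS service team.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

# Constructed prompt text in the shape of `crypto pki authenticate` output; the
# fingerprints are those of b"abc" so that the check below succeeds on the sample.
ROUTER_PROMPT = """Certificate has the following attributes:
       Fingerprint MD5: 90015098 3CD24FB0 D6963F7D 28E17F72
      Fingerprint SHA1: A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D
"""


def pem_to_der(pem_text: str) -> bytes:
    """Drop the PEM armor lines and base64-decode the body to DER bytes."""
    body = "".join(
        line.strip()
        for line in pem_text.splitlines()
        if line.strip() and not line.startswith("-----")
    )
    return base64.b64decode(body)


def ios_style(digest: bytes) -> str:
    """Format a digest the way IOS prints fingerprints: upper-case hex, 8 hex chars per group."""
    hexstr = digest.hex().upper()
    return " ".join(hexstr[i:i + 8] for i in range(0, len(hexstr), 8))


def fingerprints(pem_text: str) -> dict:
    """MD5 and SHA1 fingerprints of the certificate's DER encoding, IOS-formatted."""
    der = pem_to_der(pem_text)
    return {
        "MD5": ios_style(hashlib.md5(der).digest()),
        "SHA1": ios_style(hashlib.sha1(der).digest()),
    }


def parse_router_fingerprints(output: str) -> dict:
    """Pull the 'Fingerprint MD5:' / 'Fingerprint SHA1:' lines out of the router prompt."""
    found = {}
    for m in re.finditer(r"Fingerprint (MD5|SHA1):\s*([0-9A-Fa-f ]+)", output):
        found[m.group(1)] = "".join(m.group(2).split()).upper()
    return found


def matches(pem_text: str, router_output: str) -> bool:
    """True only if every fingerprint the router printed equals the one computed from the PEM."""
    computed = {k: v.replace(" ", "") for k, v in fingerprints(pem_text).items()}
    shown = parse_router_fingerprints(router_output)
    return bool(shown) and all(computed.get(k) == v for k, v in shown.items())


if __name__ == "__main__":
    for algo, fp in fingerprints(SAMPLE_PEM).items():
        print(f"{algo}: {fp}")
    print("fingerprints match router prompt:", matches(SAMPLE_PEM, ROUTER_PROMPT))
```

The comparison is done on the whole digest, not a prefix, and fails closed when the prompt contains no fingerprint lines at all; MD5 is included only because the router prints it, the SHA1 value is the one worth relying on.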

2. Configure the client IP addresses that should use CWS
access-list 80 permit 192.168.0.0 0.0.255.255

3. Configure the CWS connection parameters
parameter-map type cws-tunnel global
 primary
  tower name access1603.cws.sco.cisco.com
 secondary
  tower name access619.cws.sco.cisco.com
 license 0 A018DCD06D5DDD73BF8A8EA435388Cxx
 redirect-list 80

4. Enable CWS on the LAN and WAN interfaces; the tunnel configuration is generated automatically

In the example below, tunnel-number 100 is configured, which creates Tunnel 100 and Tunnel 101. If the router already has a Tunnel 100 or Tunnel 101, the existing configuration is overwritten, so take care not to clobber an existing GRE tunnel on the router.

interface GigabitEthernet0/0/0
 cws-tunnel in
!
interface GigabitEthernet0/0/1
 cws-tunnel out tunnel-number 100

show run will now show:
interface Tunnel100
 description CWS connector internal primary tunnel
 backup interface Tunnel101
 ip unnumbered GigabitEthernet0/0/1
 tunnel source GigabitEthernet0/0/1
 tunnel destination 108.171.142.194
 tunnel protection ipsec profile cws_ipsec_profile_100
 service-insertion waas
!         
interface Tunnel101
 description CWS connector internal secondary tunnel
 ip unnumbered GigabitEthernet0/0/1
 tunnel source GigabitEthernet0/0/1
 tunnel destination 108.171.133.210
 tunnel protection ipsec profile cws_ipsec_profile_100
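Two things are worth checking in the running configuration before issuing `cws-tunnel out tunnel-number N`: whether Tunnel N or Tunnel N+1 already exists (the overwrite warned about in step 4), and which client addresses the redirect-list ACL from steps 2 and 3 actually sends through the tunnel. The following Python script is an added example and not part of this page or of Cisco's tooling; it parses a saved `show run` text with the IOS first-match / implicit-deny semantics of a standard numbered ACL. SAMPLE_RUN is a constructed excerpt (the pre-existing Tunnel101 and the second ACL line are invented to exercise both checks); the function names are the example's own.

```python
import ipaddress
import re

# Constructed running-config excerpt, not captured from a real router. It contains an
# existing Tunnel101 that `cws-tunnel out tunnel-number 100` would silently overwrite.
SAMPLE_RUN = """\
access-list 80 permit 192.168.0.0 0.0.255.255
access-list 80 permit 10.5.0.0 0.0.255.255
!
interface Tunnel101
 description existing GRE tunnel to a branch
 tunnel source GigabitEthernet0/0/1
 tunnel destination 203.0.113.10
!
interface GigabitEthernet0/0/1
 ip address 192.168.1.6 255.255.255.0
"""


def existing_tunnels(run_cfg: str) -> set:
    """Numbers of all 'interface TunnelN' stanzas in the running config."""
    return {int(m.group(1)) for m in re.finditer(r"^interface Tunnel(\d+)\s*$", run_cfg, re.M)}


def cws_tunnel_conflicts(run_cfg: str, tunnel_number: int) -> list:
    """cws-tunnel out tunnel-number N generates Tunnel N (primary) and Tunnel N+1
    (secondary); return whichever of the two already exists and would be overwritten."""
    wanted = {tunnel_number, tunnel_number + 1}
    return sorted(wanted & existing_tunnels(run_cfg))


def redirect_list_entries(run_cfg: str, acl_number: int) -> list:
    """Entries of a standard numbered ACL as (action, address, wildcard) tuples.
    Handles 'A.B.C.D W.W.W.W', 'host A.B.C.D' and 'any'."""
    pat = re.compile(rf"^access-list {acl_number} (permit|deny) (\S+)(?: (\S+))?\s*$", re.M)
    entries = []
    for m in pat.finditer(run_cfg):
        action, addr, wild = m.group(1), m.group(2), m.group(3) or "0.0.0.0"
        if addr == "any":
            addr, wild = "0.0.0.0", "255.255.255.255"
        elif addr == "host":
            addr, wild = wild, "0.0.0.0"
        entries.append((action, ipaddress.IPv4Address(addr), ipaddress.IPv4Address(wild)))
    return entries


def redirected(run_cfg: str, acl_number: int, client_ip: str) -> bool:
    """Evaluate the redirect-list like IOS: first matching entry wins, implicit deny at
    the end. A wildcard bit of 1 means 'don't care', so only the 0 bits are compared."""
    ip = int(ipaddress.IPv4Address(client_ip))
    for action, addr, wild in redirect_list_entries(run_cfg, acl_number):
        care = ~int(wild) & 0xFFFFFFFF
        if ip & care == int(addr) & care:
            return action == "permit"
    return False


if __name__ == "__main__":
    print("tunnels overwritten by tunnel-number 100:", cws_tunnel_conflicts(SAMPLE_RUN, 100))
    for host in ("192.168.77.5", "10.5.125.43", "172.16.0.1"):
        print(host, "-> CWS" if redirected(SAMPLE_RUN, 80, host) else "-> direct, not inspected")
```

Running it against a real `show run` capture lists the tunnel numbers that a given `tunnel-number` value would overwrite and lets you spot-check that the hosts you expect to be inspected really fall inside the redirect-list, and that hosts you expect to bypass it do not.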

Verify the configuration

ISR4321No2#show cws-tunnel status

GigabitEthernet0/0/1-Tunnel100: Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection     
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation     
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect

Interface: Tunnel100
Profile: cws_ikev2_profile_100
Uptime: 00:02:49
Session status: UP-ACTIVE     
Peer: 108.171.142.194 port 4500 fvrf: (none) ivrf: (none)
      Phase1_id: 10.5.125.43
      Desc: (none)
  Session ID: 20  
  IKEv2 SA: local 192.168.1.6/4500 remote 108.171.142.194/4500 Active 
          Capabilities:DNX connid:1 lifetime:23:57:11
  IPSEC FLOW: permit 47 host 192.168.1.6 host 108.171.142.194 
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 464 drop 0 life (KB/Sec) 4607701/3431
        Outbound: #pkts enc'ed 1163 drop 0 life (KB/Sec) 4607783/3431

*********************************************************
GigabitEthernet0/0/1-Tunnel101: 
*********************************************************
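The output above is the manual check; for recurring monitoring it helps to parse it, since a router keeps forwarding uninspected when the primary tunnel is down and the idle secondary prints only its header. The following Python script is an added example, not part of this page or of Cisco's tooling: it splits `show cws-tunnel status` into one block per tunnel, extracts the session status, peer, uptime and drop counters, and reports findings a defender would act on. SAMPLE_STATUS is a constructed excerpt in the shape of the output above (peer address and drop count invented), and the function names are the example's own.

```python
import re

# Constructed excerpt in the shape of `show cws-tunnel status`; the peer address and
# the outbound drop count are invented, not captured from a real router.
SAMPLE_STATUS = """\
GigabitEthernet0/0/1-Tunnel100: Crypto session current status

Interface: Tunnel100
Profile: cws_ikev2_profile_100
Uptime: 00:02:49
Session status: UP-ACTIVE
Peer: 198.51.100.20 port 4500 fvrf: (none) ivrf: (none)
  IKEv2 SA: local 192.168.1.6/4500 remote 198.51.100.20/4500 Active
        Inbound:  #pkts dec'ed 464 drop 0 life (KB/Sec) 4607701/3431
        Outbound: #pkts enc'ed 1163 drop 7 life (KB/Sec) 4607783/3431

*********************************************************
GigabitEthernet0/0/1-Tunnel101:
*********************************************************
"""


def parse_cws_status(output: str) -> dict:
    """One dict per tunnel, keyed by tunnel number. Blocks start at a '<wan>-TunnelN:'
    header; a block with no 'Session status' line (the idle secondary) gets status None."""
    parts = re.split(r"^\S+-Tunnel(\d+):.*$", output, flags=re.M)
    # re.split with a capture group yields [preamble, num1, body1, num2, body2, ...]
    result = {}
    for i in range(1, len(parts), 2):
        num, body = int(parts[i]), parts[i + 1]

        def grab(pattern, cast=str):
            m = re.search(pattern, body, re.M)
            return cast(m.group(1)) if m else None

        result[num] = {
            "status": grab(r"^Session status:\s*(\S+)"),
            "peer": grab(r"^Peer:\s*(\S+)"),
            "uptime": grab(r"^Uptime:\s*(\S+)"),
            "in_drop": grab(r"Inbound:.*?drop (\d+)", int),
            "out_drop": grab(r"Outbound:.*?drop (\d+)", int),
        }
    return result


def health_findings(status: dict, primary: int) -> list:
    """Findings worth alerting on: the primary tunnel must be UP-ACTIVE, and any
    nonzero IPsec drop counter on either tunnel deserves a look."""
    findings = []
    p = status.get(primary)
    if p is None or p["status"] != "UP-ACTIVE":
        findings.append(f"Tunnel{primary}: primary CWS tunnel not UP-ACTIVE")
    for num, s in status.items():
        for key in ("in_drop", "out_drop"):
            if s[key]:
                findings.append(f"Tunnel{num}: {key} = {s[key]}")
    return findings


if __name__ == "__main__":
    parsed = parse_cws_status(SAMPLE_STATUS)
    for num, s in parsed.items():
        print(f"Tunnel{num}: {s}")
    print("findings:", health_findings(parsed, 100) or "none")
```

Feed it the captured command output on a schedule and raise an alert on any non-empty findings list; the primary tunnel number is the one given to `cws-tunnel out tunnel-number`.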
Unless otherwise stated, the content of this page is licensed under the Creative Commons Attribution-ShareAlike 3.0 License