在PIX OS上打开webvpn
看到这个话题,一般懂CISCO FW的人会觉得奇怪,PIX 不支持WEBVPN,只有ASA才支持,没错.从硬件上来说 pix 任何一个型号都是不支持WEBVPN的,但是从软件上来看 pix与asa 在8.x之前(具体哪个小版本不详)是完全一样的,你可以认为PIXOS 与ASA OS 仅仅只是文件名不同.那么也就是说pix os 本质上是支持webvpn的.
注意:本文一下将介绍如何修改pixos,来打开webvpn.并用pemu加载.
我想说的是, 以下内容仅供学习交流之用,请不要做任何超出该范围之外的事.否则任何法律问题,后果自负.
1.验证pix722.bin MD5
#md5sum pix722.bin
d2641f1441347b0204449da1d4a06758 pix722.bin
之后解压pix722.bin
#unzip pix722.bin
2.去除image 校验认证
原 : 000122a4: e8 57 fc f3 00 85 c0 0f 84 86 01 00 00
修改后: 000122a4: 90 90 90 90 90 90 90 90 90 90 90 90 90
注意我使用的是linux 下的16进制编辑器hexedit
#hexedit pix722.bin
然后 Ctrl+G 输入0×122a4
光标将定位到
000122A0 00 00 10 00 E8 57 FC F3 00 85 C0 0F 84 86 01 00 …..W……….
000122B0 00 8B 45 EC 89 44 24 04 8B 45 F0 89 04 24 E8 DD ..E..D$..E…$..
将上面红色字段修改为以下蓝色字段
000122A0 00 00 10 00 90 90 90 90 90 90 90 90 90 90 90 90 …..W……….
000122B0 90 8B 45 EC 89 44 24 04 8B 45 F0 89 04 24 E8 DD ..E..D$..E…$..
继续下一步操作
3.修改webvpn是否开启的函数
原 : 00d31c18: 55 89 e5 57
修改后: 00d31c18: 31 C0 40 C3
光标定位到:
00D31C10 00 8D BC 27 00 00 00 00 55 89 E5 57 56 83 EC 20 …’….U..WV..
将上面红色字段修改为以下蓝色字段
00D31C10 00 8D BC 27 00 00 00 00 31 C0 40 C3 56 83 EC 20 …’….U..WV..
继续下一步操作
4.修改返回得到许可的ssl peers数量的函数
原 : 00f5c990: 55 a1 70 4c 3a 01
修改后: 00f5c990: b8 00 01 00 00 c3
光标将定位到
00F5C990 55 A1 70 4C 3A 01 89 E5 5D C3 8D B6 00 00 00 00 U.pL:…]…….
将上面红色字段修改为以下蓝色字段
00F5C990 b8 00 01 00 00 c3 89 E5 5D C3 8D B6 00 00 00 00 U.pL:…]…….
完成上面三个步骤 按F2保存,Ctrl+C,退出
之后就可以使用PEMU来加载这个修改过的PIX OS 了
5.使用pemu加载
引用:
pixfirewall# show version
Cisco PIX Security Appliance Software Version 7.2(2)
Compiled on Wed 22-Nov-06 14:16 by builders
System image file is “Unknown, monitor mode tftp booted image”
Config file at boot was “startup-config”pixfirewall up 51 secs
Hardware: PIX-525, 128 MB RAM, CPU Pentium II 1 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB0: Ext: Ethernet0 : address is 00aa.0000.0202, irq 9
The Running Activation Key is not valid, using default settings:pixfirewall# conf t
pixfirewall(config)# web
pixfirewall(config)# webvpn
pixfirewall(config-webvpn)# ?WebVPN commands:
apcf Load Application Profile Customization Framework
(APCF) profile
authorization-dn-attributes The DN of the peer certificate used as username
for authorization
authorization-required Require users to authorize successfully in order
to connect
auto-signon Auto signon
cache Configure WebVPN cache
character-encoding Configures the character encoding for WebVPN
portal pages
csd This specifies whether Cisco Secure Desktop is
enabled and the package file name to be used.
customization Configure WebVPN GUI Customization object
default-idle-timeout This is the default idle timeout in seconds
enable Enable WebVPN on the specified interface
exit Exit from WebVPN configuration mode
file-encoding Configures the file encoding for a file sharing
server
help Help for WebVPN commands
http-proxy This is the proxy server to use for HTTP
requests
https-proxy This is the proxy server to use for HTTPS
requests
java-trustpoint Configure WebVPN java trustpoint
memory-size Configure WebVPN memory size
no Remove a WebVPN command or set to its default
port WebVPN should listen for connections on the
specified port
port-forward Configure the port-forward list for WebVPN
proxy-bypass Configure proxy bypass
rewrite Configure content rewriting rule
sso-server Configure an SSO Server
svc This specifies whether the SSL VPN Client is
enabled and the package file name to be used.
tunnel-group-list Configure WebVPN group list dropdown in login
page
url-list Configure a list of URLs for use with WebVPN
pixfirewall(config-webvpn)#
刚刚试过,成功在PIX722文件上获得WebVPN功能。前提是,必须使用Linux来解压缩BIN文件,在Windows下WINRAR/ULTTMATEZIP无法打开文件。 在Linux下,虽然也有错误信息,但是可以解压缩出来。