ASA Firewall VPN Configuration Tutorial (Tested and Working)

Published: 2019-05-16

ASA1 ----------- IPsec VPN site-to-site ----------- ASA2

Verified working!
The tricky points are annotated below; anything unannotated is trivial, so please look it up yourself (Baidu). If you still have questions, contact QQ: 44317016 or 18160686404.

ASA1 configuration:

asa1# show run

ASA Version 8.0(2)
!
hostname asa1

interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 202.1.1.1 255.255.255.252
!

access-list 100 extended permit icmp any any
access-list 100 extended permit ip any any
access-list ipsec_vpn extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0    //define the interesting traffic

nat-control
global (outside) 1 interface
nat (inside) 0 access-list ipsec_vpn       //traffic matching the VPN ACL is exempt from NAT
nat (inside) 1 0.0.0.0 0.0.0.0             //NAT for ordinary internal traffic
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 202.1.1.2

crypto ipsec transform-set my_trans esp-3des esp-md5-hmac    //define transform set my_trans
crypto map vpn_to_test 10 match address ipsec_vpn            //bind the interesting-traffic ACL
crypto map vpn_to_test 10 set peer 202.1.1.2                 //define the peer address
crypto map vpn_to_test 10 set transform-set my_trans         //bind my_trans
crypto map vpn_to_test interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

tunnel-group 202.1.1.2 type ipsec-l2l              //create the tunnel group pointing at the peer IP
tunnel-group 202.1.1.2 ipsec-attributes
 pre-shared-key cisco  //this is the pre-shared key; it must be identical on both ends

 

 

------------------------------

ASA2 configuration:

asa2# show run

ASA Version 8.0(2)
!
hostname asa2

interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 202.1.1.2 255.255.255.252
!

access-list 100 extended permit icmp any any
access-list 100 extended permit ip any any
access-list ipsec_vpn extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0    //define the interesting traffic (mirror of ASA1's)

nat-control
global (outside) 1 interface
nat (inside) 0 access-list ipsec_vpn       //traffic matching the VPN ACL is exempt from NAT
nat (inside) 1 0.0.0.0 0.0.0.0             //NAT for ordinary internal traffic
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 202.1.1.1

crypto ipsec transform-set my_trans esp-3des esp-md5-hmac    //define transform set my_trans
crypto map vpn_to_test 10 match address ipsec_vpn            //bind the interesting-traffic ACL
crypto map vpn_to_test 10 set peer 202.1.1.1                 //define the peer address
crypto map vpn_to_test 10 set transform-set my_trans         //bind my_trans
crypto map vpn_to_test interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

tunnel-group 202.1.1.1 type ipsec-l2l              //create the tunnel group pointing at the peer IP
tunnel-group 202.1.1.1 ipsec-attributes
 pre-shared-key cisco  //this is the pre-shared key; it must be identical on both ends
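The whole point of the two configurations above is that they mirror each other: the interesting-traffic ACLs are reversed, `nat (inside) 0` exempts exactly the crypto map's ACL, each `set peer` names the other side's outside address, and the pre-shared key, transform set and ISAKMP policy are identical. The following checker, an added example that is not part of the original post, parses two `show run` outputs and reports any of those mismatches before you go looking at debug output. The sample input is ASA1's config from the page trimmed to the tunnel-relevant lines; ASA2's is derived from it by swapping the two /30 addresses and the ACL direction, which is exactly how the page's second config differs from the first. `parse_asa`, `check_pair` and `legacy_algorithms` are names chosen here, and the parser only understands the command forms that appear on this page.

```python
from dataclasses import dataclass, field

# Constructed sample: ASA1's running config from the page, cut to the tunnel-relevant lines.
ASA1_RUN = """\
interface Ethernet0/1
 nameif outside
 ip address 202.1.1.1 255.255.255.252
access-list ipsec_vpn extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list ipsec_vpn
crypto ipsec transform-set my_trans esp-3des esp-md5-hmac
crypto map vpn_to_test 10 match address ipsec_vpn
crypto map vpn_to_test 10 set peer 202.1.1.2
crypto map vpn_to_test 10 set transform-set my_trans
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
tunnel-group 202.1.1.2 ipsec-attributes
 pre-shared-key cisco
"""
# The page's ASA2 config is the same with the two /30 addresses and the ACL direction
# swapped, so it is derived here by swapping them ("\0" is a temporary placeholder).
ASA2_RUN = (ASA1_RUN.replace("202.1.1.1", "\0").replace("202.1.1.2", "202.1.1.1").replace("\0", "202.1.1.2")
            .replace("192.168.10.0 255.255.255.0 192.168.20.0", "192.168.20.0 255.255.255.0 192.168.10.0"))

@dataclass
class Side:
    outside_ip: str = ""
    nat0_acl: str = ""                              # ACL named in "nat (inside) 0 access-list"
    map_acl: str = ""                               # crypto map: match address
    map_peer: str = ""                              # crypto map: set peer
    map_ts: str = ""                                # crypto map: set transform-set
    acls: dict = field(default_factory=dict)        # acl name -> {(src/mask, dst/mask)}
    transforms: dict = field(default_factory=dict)  # transform-set name -> algorithms
    isakmp: dict = field(default_factory=dict)      # isakmp policy attribute -> value
    psk: dict = field(default_factory=dict)         # tunnel-group peer -> pre-shared key

def parse_asa(run_text):
    """Extract the site-to-site relevant pieces from `show run` output."""
    s, ctx = Side(), None                     # ctx = the indented block we are inside
    for raw in run_text.splitlines():
        w = raw.split("//")[0].split()        # tolerate the page's trailing // comments
        if not w or w[0] == "!":
            continue
        if raw.startswith(" "):               # attribute line of the current block
            if w[0] == "nameif":              # "nameif outside" marks the outside interface
                ctx = w[1]
            elif ctx == "outside" and w[:2] == ["ip", "address"]:
                s.outside_ip = w[2]
            elif ctx == "isakmp":
                s.isakmp[w[0]] = w[1]
            elif ctx and ctx.startswith("tg-") and w[0] == "pre-shared-key":
                s.psk[ctx[3:]] = w[1]
            continue
        ctx = None
        if w[0] == "access-list" and len(w) == 9 and w[3:5] == ["permit", "ip"]:
            s.acls.setdefault(w[1], set()).add((f"{w[5]}/{w[6]}", f"{w[7]}/{w[8]}"))
        elif w[:3] == ["nat", "(inside)", "0"]:
            s.nat0_acl = w[4]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            s.transforms[w[3]] = tuple(w[4:])
        elif w[:2] == ["crypto", "map"] and w[3].isdigit():
            attr = {"match address": "map_acl", "set peer": "map_peer",
                    "set transform-set": "map_ts"}.get(" ".join(w[4:6]))
            if attr:
                setattr(s, attr, w[6])
        elif w[:3] == ["crypto", "isakmp", "policy"]:
            ctx = "isakmp"
        elif w[0] == "tunnel-group" and w[2] == "ipsec-attributes":
            ctx = "tg-" + w[1]
    return s

def check_pair(a, b):
    """Mismatches that keep the tunnel down; an empty list means the two sides mirror."""
    f = []
    for me, peer in ((a, b), (b, a)):
        if me.map_peer != peer.outside_ip:
            f.append(f"{me.outside_ip}: set peer {me.map_peer} is not the other side's address {peer.outside_ip}")
        if me.nat0_acl != me.map_acl:
            f.append(f"{me.outside_ip}: nat 0 ACL {me.nat0_acl!r} is not the crypto ACL {me.map_acl!r}")
    keys = (a.psk.get(b.outside_ip), b.psk.get(a.outside_ip))
    if None in keys or keys[0] != keys[1]:
        f.append("pre-shared keys differ (or one side has no tunnel-group for its peer)")
    if a.isakmp != b.isakmp:
        f.append("ISAKMP policies differ")
    if a.transforms.get(a.map_ts) != b.transforms.get(b.map_ts):
        f.append("transform sets differ")
    if a.acls.get(a.map_acl, set()) != {(d, s) for s, d in b.acls.get(b.map_acl, ())}:
        f.append("crypto ACLs are not mirror images of each other")
    return f

def legacy_algorithms(side):
    """Algorithms in the negotiated policy that current guidance no longer recommends."""
    legacy = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}
    used = set(side.transforms.get(side.map_ts, ())) | {side.isakmp.get("encryption"), side.isakmp.get("hash")}
    return sorted(used & legacy)
```

Run `check_pair(parse_asa(a), parse_asa(b))` on the two real `show run` outputs; an empty list means the configs agree, and the on-box confirmation after sending traffic between the two LANs is `show crypto isakmp sa` and `show crypto ipsec sa`. `legacy_algorithms` also reports that the page's policy negotiates 3DES and MD5 (with DH group 2), which current ASA guidance treats as legacy; on recent software use AES and SHA-2 with a larger DH group, and replace the placeholder key `cisco` with a long random pre-shared key.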
