Views: 150 Published: 2019-05-16
ASA1-----------IPSEC VPN Site---site-------ASA2
Verified working!
The tricky points are annotated below; anything without a note is a very simple matter, please look it up on Baidu yourself. If you still have questions, contact QQ: 44317016 or 18160686404.
ASA1 configuration:
asa1# show run
ASA Version 8.0(2)
!
hostname asa1
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 202.1.1.1 255.255.255.252
!
access-list 100 extended permit icmp any any
access-list 100 extended permit ip any any
access-list ipsec_vpn extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat-control
global (outside) 1 interface
nat (inside) 0 access-list ipsec_vpn //traffic matching the VPN ACL is exempt from NAT
nat (inside) 1 0.0.0.0 0.0.0.0 //NAT for ordinary internal traffic
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 202.1.1.2
crypto ipsec transform-set my_trans esp-3des esp-md5-hmac //define transform set my_trans
crypto map vpn_to_test 10 match address ipsec_vpn //bind the interesting-traffic ACL
crypto map vpn_to_test 10 set peer 202.1.1.2 //define the peer address
crypto map vpn_to_test 10 set transform-set my_trans //bind transform set my_trans
crypto map vpn_to_test interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group 202.1.1.2 type ipsec-l2l //create the tunnel group pointing at the peer IP
tunnel-group 202.1.1.2 ipsec-attributes
pre-shared-key cisco //this is the pre-shared key; it must match on both ends
------------------------------
ASA2 configuration:
asa2# show run
ASA Version 8.0(2)
!
hostname asa2
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 202.1.1.2 255.255.255.252
!
access-list 100 extended permit icmp any any
access-list 100 extended permit ip any any
access-list ipsec_vpn extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0 //define the interesting traffic
nat-control
global (outside) 1 interface
nat (inside) 0 access-list ipsec_vpn //traffic matching the VPN ACL is exempt from NAT
nat (inside) 1 0.0.0.0 0.0.0.0 //NAT for ordinary internal traffic
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 202.1.1.1
crypto ipsec transform-set my_trans esp-3des esp-md5-hmac //define transform set my_trans
crypto map vpn_to_test 10 match address ipsec_vpn //bind the interesting-traffic ACL
crypto map vpn_to_test 10 set peer 202.1.1.1 //define the peer address
crypto map vpn_to_test 10 set transform-set my_trans //bind transform set my_trans
crypto map vpn_to_test interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group 202.1.1.1 type ipsec-l2l //create the tunnel group pointing at the peer IP
tunnel-group 202.1.1.1 ipsec-attributes
pre-shared-key cisco //this is the pre-shared key; it must match on both ends
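The two configurations only bring the tunnel up if they mirror each other: each peer address must be the other side's outside interface, the crypto ACLs must be reversed copies, and the transform set, ISAKMP policy and pre-shared key must match. The checker below is an added example written for this post (not Cisco tooling and not part of the original); it assumes the two configs reduced to their VPN-relevant lines, and it also flags the deprecated 3DES/MD5/group 2 algorithms this lab uses.

```python
import re

# Constructed excerpts of the ASA1 and ASA2 configurations above, reduced to the lines the tunnel depends on.
ASA1 = """ip address 202.1.1.1 255.255.255.252
access-list ipsec_vpn extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto ipsec transform-set my_trans esp-3des esp-md5-hmac
crypto map vpn_to_test 10 set peer 202.1.1.2
 encryption 3des
 hash md5
 group 2
 pre-shared-key cisco"""
ASA2 = """ip address 202.1.1.2 255.255.255.252
access-list ipsec_vpn extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto ipsec transform-set my_trans esp-3des esp-md5-hmac
crypto map vpn_to_test 10 set peer 202.1.1.1
 encryption 3des
 hash md5
 group 2
 pre-shared-key cisco"""

def parse(cfg):
    """Extract the fields that must agree between two site-to-site peers."""
    g = lambda pat: re.search(pat, cfg, re.M).group(1)
    acl = re.search(r"^access-list \S+ extended permit ip (\S+ \S+) (\S+ \S+)", cfg, re.M)
    return {
        "outside": g(r"^ip address (\S+)"),
        "peer": g(r"set peer (\S+)"),
        "local": acl.group(1), "remote": acl.group(2),
        "transform": g(r"^crypto ipsec transform-set \S+ (.+)$"),
        "ike": (g(r"^ encryption (\S+)"), g(r"^ hash (\S+)"), g(r"^ group (\S+)")),
        "psk": g(r"^ pre-shared-key (\S+)"),
    }

def audit(cfg_a, cfg_b):
    """Return findings: mismatches that would stop the tunnel, plus weak algorithms."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = []
    if a["peer"] != b["outside"] or b["peer"] != a["outside"]:
        findings.append("peer address does not match the other side's outside interface")
    if (a["local"], a["remote"]) != (b["remote"], b["local"]):
        findings.append("crypto ACLs are not mirror images of each other")
    for key in ("transform", "ike", "psk"):
        if a[key] != b[key]:
            findings.append(f"{key} differs between the two ASAs")
    for name, side in (("ASA1", a), ("ASA2", b)):
        enc, hsh, grp = side["ike"]
        if enc in ("des", "3des") or hsh == "md5" or grp in ("1", "2", "5"):
            findings.append(f"{name}: IKE policy {enc}/{hsh}/group {grp} uses deprecated algorithms")
    return findings
```

Run `audit(ASA1, ASA2)` on the configs as posted and the only findings are the deprecated-algorithm warnings; change the key, peer or ACL on one side and the corresponding mismatch is reported.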