
ASA firewall VPN configuration tutorial (tested and working)

Posted: 2017-05-23
Diagram first:

ASA1 ----------- IPsec VPN, site-to-site ----------- ASA2

Verified working.
The tricky points are annotated below; anything not annotated is basic, please look it up yourself. If you still have questions, contact QQ: 44317016 or 18160686404.
ASA1 configuration:
asa1# show run
 
ASA Version 8.0(2)
!
hostname asa1
 
 
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 202.1.1.1 255.255.255.252
!
 
access-list 100 extended permit icmp any any
access-list 100 extended permit ip any any
access-list ipsec_vpn extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
 
 
nat-control
global (outside) 1 interface
nat (inside) 0 access-list ipsec_vpn       // traffic matching the VPN ACL is exempt from NAT
nat (inside) 1 0.0.0.0 0.0.0.0             // all other inside traffic is NATed
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 202.1.1.2 
 
 
crypto ipsec transform-set my_trans esp-3des esp-md5-hmac    // define transform set my_trans
crypto map vpn_to_test 10 match address ipsec_vpn            // bind the interesting-traffic ACL
crypto map vpn_to_test 10 set peer 202.1.1.2                 // peer address
crypto map vpn_to_test 10 set transform-set my_trans         // bind my_trans
crypto map vpn_to_test interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
 
 
tunnel-group 202.1.1.2 type ipsec-l2l              // create the tunnel group pointing at the peer IP
tunnel-group 202.1.1.2 ipsec-attributes
 pre-shared-key cisco  // this is the password; it must be identical on both ends
 
 
------------------------------
ASA2 configuration:
asa2# show run
 
ASA Version 8.0(2)
!
hostname asa2
 
 
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 202.1.1.2 255.255.255.252
!
 
access-list 100 extended permit icmp any any
access-list 100 extended permit ip any any
access-list ipsec_vpn extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0           // define interesting traffic (mirror of ASA1's)
 
 
nat-control
global (outside) 1 interface
nat (inside) 0 access-list ipsec_vpn       // traffic matching the VPN ACL is exempt from NAT
nat (inside) 1 0.0.0.0 0.0.0.0             // all other inside traffic is NATed
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 202.1.1.1 
 
 
crypto ipsec transform-set my_trans esp-3des esp-md5-hmac    // define transform set my_trans
crypto map vpn_to_test 10 match address ipsec_vpn            // bind the interesting-traffic ACL
crypto map vpn_to_test 10 set peer 202.1.1.1                 // peer address
crypto map vpn_to_test 10 set transform-set my_trans         // bind my_trans
crypto map vpn_to_test interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
 
 
tunnel-group 202.1.1.1 type ipsec-l2l         // create the tunnel group pointing at the peer IP
tunnel-group 202.1.1.1 ipsec-attributes
 pre-shared-key cisco  // this is the password; it must be identical on both ends
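A site-to-site tunnel only comes up when the two ends are exact mirrors of each other: each peer address is the other side's outside interface, the interesting-traffic ACL is reversed, the same ACL is used for NAT exemption, and the transform set, ISAKMP policy and pre-shared key are identical. The following Python script is an added example, not code from the original post: it embeds the VPN-relevant lines of the ASA1 config above (the ASA2 copy is derived by swapping hostname, subnets and WAN addresses, which is exactly the difference between the two configs in the post), checks the mirror properties, and flags the settings this lab accepts but a production deployment should not. The weak-algorithm lists and the 20-character PSK threshold are the example's own choices.

```python
"""Cross-check the two ends of an ASA site-to-site IPsec config (pre-8.3
syntax, as in the post) for mirror consistency and for weak crypto.
Added example; not code from the original post."""
import re

# Condensed from the ASA1 'show run' in the post: only VPN-relevant lines.
ASA1 = """\
hostname asa1
interface Ethernet0/1
 nameif outside
 ip address 202.1.1.1 255.255.255.252
access-list ipsec_vpn extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list ipsec_vpn
crypto ipsec transform-set my_trans esp-3des esp-md5-hmac
crypto map vpn_to_test 10 match address ipsec_vpn
crypto map vpn_to_test 10 set peer 202.1.1.2
crypto map vpn_to_test 10 set transform-set my_trans
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
tunnel-group 202.1.1.2 ipsec-attributes
 pre-shared-key cisco
"""

def mirror(text, swaps):
    """Derive the far end's config by swapping each pair of strings (NUL as scratch)."""
    for a, b in swaps:
        text = text.replace(a, "\0").replace(b, a).replace("\0", b)
    return text

# ASA2 in the post is ASA1 with hostname, LAN subnets and WAN addresses swapped.
ASA2 = mirror(ASA1, [("asa1", "asa2"), ("192.168.10.", "192.168.20."),
                     ("202.1.1.1", "202.1.1.2")])

# Example's own policy: settings a current deployment should no longer accept.
WEAK_ISAKMP = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
WEAK_ESP = {"esp-null", "esp-des", "esp-3des", "esp-md5-hmac"}
MIN_PSK_LEN = 20

def parse_asa(text):
    """Pull the VPN-relevant settings out of a 'show run' dump."""
    cfg = {"hostname": None, "ip": {}, "acl": {}, "nat0_acl": None,
           "crypto_acl": None, "peer": None, "transform": None, "policy": {}, "psk": None}
    nameif = None
    for raw in text.splitlines():
        line = raw.split("//")[0].strip()          # drop the post's // annotations
        if (m := re.match(r"hostname (\S+)$", line)):
            cfg["hostname"] = m[1]
        elif (m := re.match(r"nameif (\S+)$", line)):
            nameif = m[1]                          # ASA prints nameif before ip address
        elif (m := re.match(r"ip address (\S+) \S+$", line)):
            cfg["ip"][nameif] = m[1]
        elif (m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", line)):
            cfg["acl"].setdefault(m[1], []).append(m.group(2, 3, 4, 5))  # src, mask, dst, mask
        elif (m := re.match(r"nat \(\S+\) 0 access-list (\S+)$", line)):
            cfg["nat0_acl"] = m[1]
        elif (m := re.match(r"crypto map \S+ \d+ match address (\S+)$", line)):
            cfg["crypto_acl"] = m[1]
        elif (m := re.match(r"crypto map \S+ \d+ set peer (\S+)$", line)):
            cfg["peer"] = m[1]
        elif (m := re.match(r"crypto ipsec transform-set \S+ (.+)$", line)):
            cfg["transform"] = tuple(m[1].split())
        elif (m := re.match(r"(authentication|encryption|hash|group|lifetime) (\S+)$", line)):
            cfg["policy"][m[1]] = m[2]             # lines under 'crypto isakmp policy'
        elif (m := re.match(r"pre-shared-key (\S+)$", line)):
            cfg["psk"] = m[1]
    return cfg

def check_pair(a, b):
    """Findings where the two ends do not mirror each other; [] means they match."""
    out = []
    if a["hostname"] == b["hostname"]:
        out.append(f"both ends claim hostname {a['hostname']}: was one config pasted twice?")
    for key in ("psk", "transform", "policy"):          # must be identical on both ends
        if a[key] != b[key]:
            out.append(f"{key} differs: {a[key]!r} vs {b[key]!r}")
    for x, y in ((a, b), (b, a)):
        if x["peer"] != y["ip"].get("outside"):
            out.append(f"{x['hostname']}: peer {x['peer']} is not {y['hostname']}'s "
                       f"outside address {y['ip'].get('outside')}")
        if x["crypto_acl"] != x["nat0_acl"]:
            out.append(f"{x['hostname']}: crypto map ACL {x['crypto_acl']} != nat 0 ACL "
                       f"{x['nat0_acl']}; VPN traffic would be NATed before encryption")
        mine = sorted(x["acl"].get(x["crypto_acl"], []))
        theirs = sorted((d, dm, s, sm) for s, sm, d, dm in y["acl"].get(y["crypto_acl"], []))
        if mine != theirs:
            out.append(f"{x['hostname']}: interesting-traffic ACL is not the mirror of {y['hostname']}'s")
    return out

def weak_crypto(cfg):
    """Findings about phase 1 / phase 2 settings and PSK strength on one end."""
    out = []
    for k, bad in WEAK_ISAKMP.items():
        if cfg["policy"].get(k) in bad:
            out.append(f"{cfg['hostname']}: isakmp {k} {cfg['policy'][k]} is weak")
    for alg in cfg["transform"] or ():
        if alg in WEAK_ESP:
            out.append(f"{cfg['hostname']}: transform {alg} is weak")
    if cfg["psk"] is not None and len(cfg["psk"]) < MIN_PSK_LEN:
        out.append(f"{cfg['hostname']}: pre-shared key is only {len(cfg['psk'])} characters")
    return out

if __name__ == "__main__":
    a, b = parse_asa(ASA1), parse_asa(ASA2)
    for f in check_pair(a, b) + weak_crypto(a) + weak_crypto(b):
        print(f)
```

Run against the two configs above the mirror checks come back clean, while the weak-crypto pass flags 3DES, MD5, DH group 2, the ESP algorithms and the PSK `cisco` on each side; pasting the post's ASA2 block as printed, with `hostname asa1` on both ends, also trips the duplicate-hostname check. On the ASA itself, `show crypto isakmp sa` (phase 1) and `show crypto ipsec sa` (phase 2 encaps/decaps counters, which should climb after a ping from 192.168.10.x to 192.168.20.x) confirm the tunnel. One further caveat for anything beyond a lab: `access-list 100 extended permit ip any any` applied inbound on outside exposes the whole inside network to the Internet, and the VPN does not need it, because the ASA lets decrypted IPsec traffic bypass the interface ACL by default (`sysopt connection permit-vpn`).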