Contact email: zxg6668@163.com  Phone: 13565936697

ASA firewall VPN configuration tutorial (tested and working)

Topology first:

ASA1 ---------- IPsec VPN, site-to-site ---------- ASA2
Verified working.
The tricky points are annotated below; anything left unannotated is basic and can be looked up on Baidu. If you still have questions, contact QQ:44317016 or 18160686404.
ASA1 configuration:
asa1# show run
 
ASA Version 8.0(2)
!
hostname asa1
 
 
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 202.1.1.1 255.255.255.252
!
 
access-list 100 extended permit icmp any any
access-list 100 extended permit ip any any     //lab only: applied inbound on outside this admits everything. The ASA default sysopt connection permit-vpn already exempts decrypted VPN traffic from the interface ACL, so a production outside ACL can stay tight
access-list ipsec_vpn extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0     //define the interesting traffic; must be the exact mirror image of ASA2's ACL
 
 
nat-control
global (outside) 1 interface
nat (inside) 0 access-list ipsec_vpn       //traffic matching the VPN ACL is exempt from NAT (identity NAT); without it the source would be translated to the outside address and never match the crypto ACL
nat (inside) 1 0.0.0.0 0.0.0.0             //everything else from inside is PAT'd to the outside interface
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 202.1.1.2 
 
 
crypto ipsec transform-set my_trans esp-3des esp-md5-hmac    //define transform set my_trans (3DES/MD5 are legacy choices; prefer esp-aes / esp-sha-hmac where both peers support them)
crypto map vpn_to_test 10 match address ipsec_vpn            //bind the interesting-traffic ACL
crypto map vpn_to_test 10 set peer 202.1.1.2                 //peer address (ASA2's outside interface)
crypto map vpn_to_test 10 set transform-set my_trans        //bind my_trans
crypto map vpn_to_test interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
 
 
tunnel-group 202.1.1.2 type ipsec-l2l              //LAN-to-LAN tunnel-group named after the peer IP; the name must equal the set peer address above
tunnel-group 202.1.1.2 ipsec-attributes
 pre-shared-key cisco  //the pre-shared key; must be identical on both ends (use a long random key outside the lab)
 
 
 ------------------------------
ASA2 configuration:
asa2# show run
 
ASA Version 8.0(2)
!
hostname asa2
 
 
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 202.1.1.2 255.255.255.252
!
 
access-list 100 extended permit icmp any any
access-list 100 extended permit ip any any
access-list ipsec_vpn extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0           //define the interesting traffic; the mirror image of ASA1's ACL
 
 
nat-control
global (outside) 1 interface
nat (inside) 0 access-list ipsec_vpn       //traffic matching the VPN ACL is exempt from NAT
nat (inside) 1 0.0.0.0 0.0.0.0             //everything else from inside is PAT'd to the outside interface
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 202.1.1.1 
 
 
crypto ipsec transform-set my_trans esp-3des esp-md5-hmac    //define transform set my_trans; must match ASA1's algorithms
crypto map vpn_to_test 10 match address ipsec_vpn            //bind the interesting-traffic ACL
crypto map vpn_to_test 10 set peer 202.1.1.1                //peer address (ASA1's outside interface)
crypto map vpn_to_test 10 set transform-set my_trans         //bind my_trans
crypto map vpn_to_test interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
 
 
tunnel-group 202.1.1.1 type ipsec-l2l         //LAN-to-LAN tunnel-group named after the peer IP
tunnel-group 202.1.1.1 ipsec-attributes
 pre-shared-key cisco  //the pre-shared key; must be identical on both ends
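Most failures of a tunnel like this come from the two sides not agreeing: a peer address that is not the other box's outside IP, a pre-shared key typed differently, transform sets or ISAKMP policies that do not match, a crypto ACL that is not the mirror image of the remote one, or a missing nat 0 exemption so VPN traffic gets translated before it reaches the crypto map. The Python script below is an added example, not code from the tutorial: it parses both running configs and cross-checks exactly those points, then flags the lab's legacy choices (3DES, MD5, DH group 2, a short key). The two sample configs are constructed from the tutorial's values (with the second hostname set to asa2); the regexes, the check list and the set of algorithms treated as legacy are this example's own assumptions.

```python
"""Cross-check two Cisco ASA 8.0 (pre-8.3 syntax) site-to-site IPsec configs.
Added example, not code from the tutorial: the regexes, the checks and the
list of legacy algorithms are assumptions; only the config shape is the page's."""
import re
from types import SimpleNamespace

LEGACY_ALGS = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}
WEAK_DH_GROUPS = {"1", "2", "5"}


def site_config(hostname, outside_ip, peer, local_net, remote_net, psk="cisco"):
    """Constructed sample input shaped like the tutorial's 'show run' output."""
    return f"""hostname {hostname}
interface Ethernet0/1
 nameif outside
 ip address {outside_ip} 255.255.255.252
access-list ipsec_vpn extended permit ip {local_net} 255.255.255.0 {remote_net} 255.255.255.0
nat (inside) 0 access-list ipsec_vpn
crypto ipsec transform-set my_trans esp-3des esp-md5-hmac
crypto map vpn_to_test 10 match address ipsec_vpn
crypto map vpn_to_test 10 set peer {peer}
crypto map vpn_to_test 10 set transform-set my_trans
crypto isakmp policy 10
 encryption 3des
 hash md5
 group 2
tunnel-group {peer} type ipsec-l2l
tunnel-group {peer} ipsec-attributes
 pre-shared-key {psk}
"""


ASA1 = site_config("asa1", "202.1.1.1", "202.1.1.2", "192.168.10.0", "192.168.20.0")
ASA2 = site_config("asa2", "202.1.1.2", "202.1.1.1", "192.168.20.0", "192.168.10.0")


def parse_asa(text):
    """Pull the VPN-relevant facts out of one side's running config."""
    def first(pattern, default=""):
        m = re.search(pattern, text, re.M)
        return m.group(1) if m else default
    sub = r"(?: .*\n)*?"                                   # any run of indented sub-commands
    side = SimpleNamespace(
        hostname=first(r"^hostname (\S+)"),
        outside_ip=first(rf"^interface .*\n{sub} nameif outside\n{sub} ip address (\S+)"),
        peer=first(r"^crypto map \S+ \d+ set peer (\S+)"),
        crypto_acl=first(r"^crypto map \S+ \d+ match address (\S+)"),
        nat0_acl=first(r"^nat \(inside\) 0 access-list (\S+)"),
    )
    tset = first(r"^crypto map \S+ \d+ set transform-set (\S+)")
    side.transforms = tuple(sorted(first(rf"^crypto ipsec transform-set {re.escape(tset)} (.+)").split()))
    side.acl_pairs = set(re.findall(                       # {(src, dst)} entries of the crypto ACL
        rf"^access-list {re.escape(side.crypto_acl)} extended permit ip (\S+ \S+) (\S+ \S+)", text, re.M))
    policy = first(r"^crypto isakmp policy \d+\n((?: .*\n)*)")
    side.policy = dict(l.strip().partition(" ")[::2] for l in policy.splitlines() if l.strip())
    side.psk = first(rf"^tunnel-group {re.escape(side.peer)} ipsec-attributes\n{sub} pre-shared-key (.+)")
    return side


def check_pair(a, b):
    """Return (errors, warnings): errors keep the tunnel down, warnings are weak settings."""
    errors, warnings = [], []
    for x, y in ((a, b), (b, a)):
        if x.peer != y.outside_ip:
            errors.append(f"{x.hostname}: set peer {x.peer} is not {y.hostname}'s outside address {y.outside_ip}")
        if not x.psk:
            errors.append(f"{x.hostname}: no 'tunnel-group {x.peer} ipsec-attributes' with a pre-shared-key")
        if x.nat0_acl != x.crypto_acl:
            errors.append(f"{x.hostname}: nat (inside) 0 exempts {x.nat0_acl!r} but the crypto map matches "
                          f"{x.crypto_acl!r}; VPN traffic would be NATed and miss the tunnel")
    if a.psk != b.psk:
        errors.append("pre-shared keys differ between the two sides")
    if a.transforms != b.transforms:
        errors.append(f"transform sets differ: {a.transforms} vs {b.transforms}")
    for k in ("encryption", "hash", "group"):
        if a.policy.get(k) != b.policy.get(k):
            errors.append(f"isakmp policy {k} differs: {a.policy.get(k)} vs {b.policy.get(k)}")
    if a.acl_pairs != {(dst, src) for src, dst in b.acl_pairs}:
        errors.append("crypto ACLs are not mirror images of each other")
    in_use = set(a.transforms) | {a.policy.get("encryption", ""), a.policy.get("hash", "")}
    warnings += [f"legacy algorithm in use: {alg}" for alg in sorted(in_use & LEGACY_ALGS)]
    if a.policy.get("group") in WEAK_DH_GROUPS:
        warnings.append(f"weak Diffie-Hellman group {a.policy['group']}")
    if len(a.psk) < 16:
        warnings.append("pre-shared key is shorter than 16 characters")
    return errors, warnings


def audit(cfg_a, cfg_b):
    return check_pair(parse_asa(cfg_a), parse_asa(cfg_b))


if __name__ == "__main__":
    errs, warns = audit(ASA1, ASA2)
    print("errors:", errs or "none")
    print("warnings:", *warns, sep="\n  ")
```

Run against the tutorial's two configs it reports no errors and six warnings (the four legacy algorithms, DH group 2, the five-character key); flip one character of the key on either side and the pre-shared-key error appears. On the boxes themselves the same agreement shows up as `show crypto isakmp sa` reaching MM_ACTIVE for the peer and `show crypto ipsec sa` with the encaps/decaps counters climbing while you ping across the tunnel.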
 
Site copyright: BYCMS博远flash动画工作室  Copyright (c) 2015-2018 All Rights Reserved
Website: www.flash58.com  Address: No. 599 Liyushan Road, Urumqi, Xinjiang