VPN mini-lab (IOS-ASA pre-share IPSec VPN configuration)

Posted on 2008-1-9 08:00:11


The ASA's inside interface is e0/1 with IP 10.2.2.1/24; its outside interface is e0/0 with IP 218.1.1.1/24.
The Router's loopback 0 has IP 10.1.1.1/24; s0/0 has IP 173.16.1.5/30.

The ASA's e0/0 is connected to the Router's s0/0 across the Internet.
Only the relevant configuration is listed.


ASA configuration:
interface Ethernet0/0
nameif outside
security-level 0
ip address 218.1.1.1 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.2.2.1 255.255.255.0
!
access-list per-icmp extended permit icmp any any
access-group per-icmp in interface outside
!
access-list go-vpn extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
!
nat-control
global (outside) 1 interface
nat (inside) 0 access-list go-vpn
! IPSec traffic is not translated

nat (inside) 1 10.2.2.0 255.255.255.0
! Because the PIX/ASA evaluates NAT rules in order of nat id, i.e. nat 0 is processed before nat 1, there is no need to explicitly exclude the IPSec traffic here.

route outside 0.0.0.0 0.0.0.0 218.1.1.2 1
!
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
tunnel-group 173.16.1.5 type ipsec-l2l
tunnel-group 173.16.1.5 ipsec-attributes
pre-shared-key *
!
! A new command in PIX/ASA 7.x: the pre-shared key and the VPN type are configured here. Note that for a LAN-to-LAN (site-to-site) VPN the tunnel-group name must be the peer's IP address.
!
crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
crypto map cisco 10 match address go-vpn
crypto map cisco 10 set peer 173.16.1.5
crypto map cisco 10 set transform-set ccsp
crypto map cisco interface outside


Router configuration:
crypto isakmp policy 10
encr 3des
authentication pre-share
hash sha
group 2
crypto isakmp key cisco1234 address 218.1.1.1
!
crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
mode tunnel
!
crypto map cisco 10 ipsec-isakmp
set peer 218.1.1.1
set transform-set ccsp
match address 102
!
interface Loopback0
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Serial0/0
ip address 173.16.1.5 255.255.255.252
ip nat outside
ip virtual-reassembly
crypto map cisco
!
ip route 0.0.0.0 0.0.0.0 173.16.1.6
!
ip nat inside source list 101 interface Serial0/0 overload
!         
access-list 101 deny   ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
! Define the NAT interesting traffic; the IPSec traffic must be excluded from NAT

access-list 102 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
! Define the IPSec interesting traffic
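A consistency check for the two configurations, added here as an example and not part of the original post: it parses the ASA and IOS snippets (copied from the post into constructed strings, trimmed to the lines the checks read) and reports the mismatches that most often leave an IKEv1 site-to-site tunnel down: IKE policy attributes, transform set, crypto ACLs that are not mirror images, peer addresses, and NAT rules that still translate the VPN flow. The mutated configs at the bottom are constructed to show what a failure report looks like.

```python
"""Added example (not from the post): cross-check the ASA and IOS peer configs
above for the mismatches that most often leave an IKEv1 LAN-to-LAN tunnel down:
IKE policy, transform set, non-mirrored crypto ACLs, peer addresses, and VPN
traffic still being NATed. The configs are constructed strings copied from the post."""
import ipaddress
import re

ASA_CFG = """\
interface Ethernet0/0
 ip address 218.1.1.1 255.255.255.0
access-list go-vpn extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list go-vpn
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
tunnel-group 173.16.1.5 type ipsec-l2l
crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
crypto map cisco 10 match address go-vpn
crypto map cisco 10 set peer 173.16.1.5
"""
NAT_DENY = "access-list 101 deny   ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255\n"
IOS_CFG = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 hash sha
 group 2
crypto isakmp key cisco1234 address 218.1.1.1
crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
crypto map cisco 10 ipsec-isakmp
 set peer 218.1.1.1
 match address 102
interface Serial0/0
 ip address 173.16.1.5 255.255.255.252
""" + NAT_DENY + """\
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
access-list 102 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
"""

def isakmp_policy(cfg):
    """First ISAKMP policy; IOS 'encr' is normalised to the ASA keyword 'encryption'."""
    pol, inside = {}, False
    for line in cfg.splitlines():
        if line.startswith("crypto isakmp policy"):
            inside = True
        elif inside and line.startswith(" "):
            key, val = line.split()[:2]
            pol["encryption" if key == "encr" else key] = val
        else:
            inside = False
    return pol

def transform_set(cfg):
    return frozenset(re.search(r"^crypto ipsec transform-set \S+ (.+)$", cfg, re.M).group(1).split())

def acl(cfg, prefix):
    """ACL entries as (src, dst) networks; ip_network accepts a subnet mask (ASA) or a wildcard mask (IOS)."""
    pat = prefix + r"\s+ip (\S+) (\S+) (\S+) (\S+)$"
    return [(ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}"))
            for s, sm, d, dm in re.findall(pat, cfg, re.M)]

def interface_ip(cfg, name):
    return re.search(rf"^interface {name}\n(?: .*\n)*? ip address (\S+) ", cfg, re.M).group(1)

def check(asa, ios):
    """List of mismatches; empty means both sides agree (cipher strength is not judged)."""
    findings = []
    pa, pi = isakmp_policy(asa), isakmp_policy(ios)
    for attr in ("authentication", "encryption", "hash", "group"):
        if pa.get(attr) != pi.get(attr):
            findings.append(f"IKE {attr}: ASA={pa.get(attr)} IOS={pi.get(attr)}")
    if transform_set(asa) != transform_set(ios):
        findings.append("IPSec transform-set differs")
    crypto_asa = acl(asa, r"^access-list go-vpn extended permit")
    crypto_ios = acl(ios, r"^access-list 102 permit")
    # Crypto ACLs must be exact mirror images (src and dst swapped)
    if sorted(crypto_asa) != sorted((d, s) for s, d in crypto_ios):
        findings.append("crypto ACLs are not mirror images")
    # ASA nat 0 must exempt exactly the crypto flow; IOS NAT ACL must deny it before translation
    nat0 = re.search(r"nat \(inside\) 0 access-list (\S+)", asa).group(1)
    if acl(asa, rf"^access-list {nat0} extended permit") != crypto_asa:
        findings.append("ASA nat 0 ACL does not match the crypto ACL")
    if acl(ios, r"^access-list 101 deny") != crypto_ios:
        findings.append("IOS NAT ACL 101 does not deny the crypto ACL flow")
    # Each peer must point at the other's WAN address; the ASA tunnel-group name must be that address
    asa_peer = re.search(r"crypto map \S+ \d+ set peer (\S+)", asa).group(1)
    tg = re.search(r"tunnel-group (\S+) type ipsec-l2l", asa).group(1)
    if not asa_peer == tg == interface_ip(ios, "Serial0/0"):
        findings.append("ASA peer / tunnel-group name / router WAN IP disagree")
    ios_peer = re.search(r"^ set peer (\S+)$", ios, re.M).group(1)
    key_addr = re.search(r"crypto isakmp key \S+ address (\S+)", ios).group(1)
    if not ios_peer == key_addr == interface_ip(asa, "Ethernet0/0"):
        findings.append("IOS peer / isakmp key address / ASA outside IP disagree")
    return findings

if __name__ == "__main__":
    for label, ios in (("as posted", IOS_CFG),
                       ("IOS encr changed to aes", IOS_CFG.replace("encr 3des", "encr aes")),
                       ("NAT deny line removed", IOS_CFG.replace(NAT_DENY, ""))):
        print(f"{label}: {check(ASA_CFG, ios) or 'consistent'}")
```

The script only checks that the two sides agree; it says nothing about whether the agreed parameters are acceptable. 3DES, SHA-1 and DH group 2 are what this 2008 post used, and a pre-shared key like `cisco1234` is a lab value; a current deployment would use IKEv2 with AES (preferably AES-GCM), SHA-256 and DH group 14 or higher, and a long random pre-shared key or certificates. On the live boxes, `show crypto isakmp sa` and `show crypto ipsec sa` on either side confirm that Phase 1 and Phase 2 actually came up after interesting traffic is sent.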