ASA 8.0 EzVPN: testing public-network access from headquarters without split tunneling

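This article walks through an EzVPN configuration case in detail, including the specific configuration steps for routers R1, R2 and R3 and the ASA firewall, to provide a secure connection between the internal network and remote clients. It also shows the client configuration and the debug output for packets sent through the tunnel.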

1. Task:

2. Test

① Test topology:

 

② Basic configuration:

R1:
interface FastEthernet1/0
 ip address 10.1.1.1 255.255.255.0
 no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.10
R2:
interface FastEthernet1/0
 ip address 202.100.1.2 255.255.255.0
 no shut
interface FastEthernet0/0
 ip address 209.165.201.2 255.255.255.0
 no shut
interface FastEthernet0/1
 ip address 202.100.2.2 255.255.255.0
 no shut
R3:
interface FastEthernet0/0
 ip address 209.165.201.10 255.255.255.0
 no shut
ip route 0.0.0.0 0.0.0.0 209.165.201.2
ASA:
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 10.1.1.10 255.255.255.0
 no shut
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 202.100.1.10 255.255.255.0
 no shut
route outside 0 0 202.100.1.2
policy-map global_policy
  class inspection_default
   inspect icmp
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
③ ASA EzVPN configuration:
A. Phase 1:
 crypto isakmp policy 10
   authentication pre-share
   encryption 3des
   hash md5
   group 2
   exit
 crypto isakmp enable outside
B. Phase 1.5:
 ip local pool ez***-pool 192.168.1.1-192.168.1.254
 tunnel-group ezgroup type remote-access
 tunnel-group ezgroup general-attributes
 address-pool ez***-pool
 exit
 tunnel-group ezgroup ipsec-attributes
 pre-shared-key cisco
 username ccsp password ccsp
C. Phase 2:
crypto ipsec transform-set transet esp-des esp-md5-hmac
D. Crypto map:
 crypto dynamic-map dymap 10 set transform-set transet
 crypto map crymap 10 ipsec-isakmp dynamic dymap
E. Apply the crypto map:
crypto map crymap interface outside
F. Configure NAT exemption:
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
G. Following the task's answer, allow traffic between hosts on the same interface and configure PAT:
same-security-traffic permit intra-interface
global (outside) 1 202.100.1.11
nat (outside) 1 192.168.1.0 255.255.255.0
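
An added example, not part of the original post: a small Python check that a saved ASA 8.0 configuration contains the pieces from steps F and G that let VPN clients without split tunneling reach both the inside network and the Internet through the ASA. The function names are hypothetical, the sample lines are copied from the configuration above, and only address/mask style nat rules are understood.

```python
import ipaddress
import re

# Sample input: the hairpin-related lines of the ASA 8.0 configuration on this page.
PAGE_CONFIG = """\
ip local pool ez***-pool 192.168.1.1-192.168.1.254
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
same-security-traffic permit intra-interface
global (outside) 1 202.100.1.11
nat (outside) 1 192.168.1.0 255.255.255.0
"""

def covers(addr, mask, first, last):
    """True if network addr/mask contains both ends of the client pool."""
    try:
        network = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    except ValueError:  # not an address/mask pair, e.g. "access-list NAME"
        return False
    return first in network and last in network

def hairpin_findings(config, outside="outside"):
    """List the pieces missing for VPN clients to reach inside and the Internet."""
    text = config.lower()  # accept "Global"/"global" and "Nat"/"nat" alike
    pool = re.search(r"^\s*ip local pool \S+ (\S+)-(\S+)", text, re.M)
    if not pool:
        return ["no 'ip local pool' line found"]
    first, last = (ipaddress.ip_address(a) for a in pool.groups())
    findings = []
    # Step G: traffic must be allowed to enter and leave the same interface.
    if not re.search(r"^\s*same-security-traffic permit intra-interface", text, re.M):
        findings.append("same-security-traffic permit intra-interface is missing")
    # Step G: an outside nat rule must cover the pool and have a global with the same id.
    nat_rules = re.findall(rf"^\s*nat \({outside}\) (\d+) (\S+) (\S+)", text, re.M)
    ids = {i for i, a, m in nat_rules if i != "0" and covers(a, m, first, last)}
    if not ids:
        findings.append(f"no nat ({outside}) rule covers the client pool")
    elif not ids & set(re.findall(rf"^\s*global \({outside}\) (\d+) \S+", text, re.M)):
        findings.append(f"no global ({outside}) for nat id {', '.join(sorted(ids))}")
    # Step F: a nat 0 ACL must exempt inside-to-pool traffic from translation.
    exempt_acls = set(re.findall(r"^\s*nat \(\S+\) 0 access-list (\S+)", text, re.M))
    aces = re.findall(
        r"^\s*access-list (\S+) extended permit ip \S+ \S+ (\S+) (\S+)", text, re.M)
    if not any(n in exempt_acls and covers(d, m, first, last) for n, d, m in aces):
        findings.append("no NAT exemption towards the client pool")
    return findings

if __name__ == "__main__":
    print(hairpin_findings(PAGE_CONFIG) or "all hairpin prerequisites present")
```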

④ PC EzVPN client configuration:

A. Dial in; after entering the username and password, the connection succeeds:


B. R1 on the internal network can be pinged:
 
C. The Internet host can be pinged as well:
 
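D. R3's debug output shows that address translation has taken place (the echo replies go to 202.100.1.11, the PAT address from step G):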
R3#
*Mar  1 00:02:14.559: ICMP: echo reply sent, src 209.165.201.10, dst 202.100.1.11
*Mar  1 00:02:15.559: ICMP: echo reply sent, src 209.165.201.10, dst 202.100.1.11
R3#
*Mar  1 00:02:16.567: ICMP: echo reply sent, src 209.165.201.10, dst 202.100.1.11
*Mar  1 00:02:17.563: ICMP: echo reply sent, src 209.165.201.10, dst 202.100.1.11
R3#
