本文提供了两个Cisco ASA防火墙之间的IPSec隧道配置示例。通过详细配置步骤,展示了如何设置内外网接口、路由、NAT策略、ISAKMP策略及IKE密钥等,最终实现基于预共享密钥的IPSec连接。
转http://2294439.blog.51cto.com/2284439/733246
ASA1:
ciscoasa(config)# interface ethernet 0/0
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# ip add 1.1.1.254 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config)# interface ethernet 0/2
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# ip add 202.103.1.254 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config)# route outside 0 0 202.103.1.1
ciscoasa(config)# nat-control
ciscoasa(config)# nat (inside) 1 0 0
ciscoasa(config)# global (outside) 1 interface
ciscoasa(config)# access-list unat permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
ciscoasa(config)# nat (inside) 0 access-list unat
ciscoasa(config)# crypto isakmp enable outside
ciscoasa(config)# crypto isakmp policy 1
ciscoasa(config-isakmp-policy)# authentication pre-share
ciscoasa(config-isakmp-policy)# encryption des
ciscoasa(config-isakmp-policy)# hash sha
ciscoasa(config-isakmp-policy)# group 2
ciscoasa(config)# isakmp key 123456 address 202.103.2.254
ciscoasa(config)# crypto ipsec transform-set set esp-des esp-sha-hmac
ciscoasa(config)# crypto map map 1 match address unat
ciscoasa(config)# crypto map map 1 set peer 202.103.2.254
ciscoasa(config)# crypto map map 1 set transform-set set
ciscoasa(config)# crypto map map interface outside
ASA2:
ciscoasa(config)# interface ethernet 0/2
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# ip add 202.103.2.254 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface ethernet 0/0
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# ip add 2.2.2.254 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config)# route outside 0 0 202.103.2.1
ciscoasa(config)# nat-control
ciscoasa(config)# nat (inside) 1 0 0
ciscoasa(config)# global (outside) 1 interface
ciscoasa(config)# access-list unat permit ip 2.2.2.0 255.255.255.0 1.1.1.0 255.255.255.0
ciscoasa(config)# nat (inside) 0 access-list unat
ciscoasa(config)# crypto isakmp enable outside
ciscoasa(config)# crypto isakmp policy 1
ciscoasa(config-isakmp-policy)# encryption des
ciscoasa(config-isakmp-policy)# hash sha
ciscoasa(config-isakmp-policy)# authentication pre-share
ciscoasa(config-isakmp-policy)# group 2
ciscoasa(config)# isakmp key 123456 address 202.103.1.254
ciscoasa(config)# crypto ipsec transform-set zero esp-des esp-sha-hmac
ciscoasa(config)# crypto map ftm 1 match address unat
ciscoasa(config)# crypto map ftm 1 set peer 202.103.1.254
ciscoasa(config)# crypto map ftm 1 set transform-set zero
ciscoasa(config)# crypto map ftm interface outside
用PC0检验
转载于:https://blog.51cto.com/spaceand/1104724
扫一扫
458
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
