Date: 2018-12-02
Document: "Implementing IPsec VPN with the ASA5500 (by jasonzhang).doc", uploaded and shared by a member of 天天文库.
Implementing IPsec VPN with the ASA5500 (by jasonzhang)

I. Site-to-Site IPsec VPN

1. Objective

Enable communication between R1 and R3. R2 has no routes to the internal networks behind the firewalls. From R1 it should be possible to ping and telnet to 192.168.2.2 and 3.3.3.3 on R3.

2. Topology diagram

3. Main ASA configuration

ASA1:

interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 10.0.1.1 255.255.255.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 3.3.3.0 255.255.255.0
nat (inside) 0 access-list 100
route outside 0.0.0.0 0.0.0.0 10.0.1.2 1
route inside 1.1.1.0 255.255.255.0 192.168.1.2 1
crypto ipsec transform-set tra-set-zjx esp-3des esp-sha-hmac
crypto map ousidemap 1 match address 100
crypto map ousidemap 1 set peer 10.0.2.1
crypto map ousidemap 1 set transform-set tra-set-zjx
crypto map ousidemap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group 10.0.2.1 type ipsec-l2l
tunnel-group 10.0.2.1 ipsec-attributes
 pre-shared-key cisco123

ASA2:

interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 10.0.2.1 255.255.255.0
!
access-list 100 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 100 extended permit ip 3.3.3.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 100
route outside 0.0.0.0 0.0.0.0 10.0.2.2 1
route inside 3.3.3.0 255.255.255.0 192.168.2.2 1
crypto ipsec transform-set tra-set-zjx esp-3des esp-sha-hmac
crypto map ousidemap 1 match address 100
crypto map ousidemap 1 set peer 10.0.1.1
crypto map ousidemap 1 set transform-set tra-set-zjx
crypto map ousidemap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group 10.0.1.1 type ipsec-l2l
tunnel-group 10.0.1.1 ipsec-attributes
 pre-shared-key cisco123

Note: In the ASA configuration there is no need to configure an ACL that permits IPsec traffic arriving from outside. This is because the following sysopt command tells the ASA to let SSL/IPsec clients bypass the interface access control lists:

corpasa(config)# sysopt connection permit-vpn

This setting is the default.

II. Remote Access IPsec VPN

1. Basic ASA configuration

interface Ethernet0/0
 nameif inside
 secu
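An added example, not part of the original document: a Python check over the two site-to-site peer configurations from section I. It confirms that each crypto map peer points at the other ASA's outside address and that the two crypto ACLs (access-list 100) are mirror images, and it lists the legacy algorithms in use (3DES, MD5, DH group 2). The function names parse and audit are hypothetical, and the embedded config text is constructed from the lines shown on this page.

```python
import re

# Added example; constructed input: VPN-relevant lines of the page's two peer configs.
ASA1 = """interface Ethernet0/1
 nameif outside
 ip address 10.0.1.1 255.255.255.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 3.3.3.0 255.255.255.0
crypto ipsec transform-set tra-set-zjx esp-3des esp-sha-hmac
crypto map ousidemap 1 match address 100
crypto map ousidemap 1 set peer 10.0.2.1
crypto isakmp policy 10
 encryption 3des
 hash md5
 group 2
"""
ASA2 = """interface Ethernet0/1
 nameif outside
 ip address 10.0.2.1 255.255.255.0
access-list 100 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 100 extended permit ip 3.3.3.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set tra-set-zjx esp-3des esp-sha-hmac
crypto map ousidemap 1 match address 100
crypto map ousidemap 1 set peer 10.0.1.1
crypto isakmp policy 10
 encryption 3des
 hash md5
 group 2
"""

LEGACY = re.compile(r"esp-3des|esp-des|encryption 3?des|hash md5|group [125]$", re.M)

def parse(cfg):
    """Return (outside IP, peer IP, crypto-ACL (src, dst) pairs, legacy settings)."""
    outside = re.search(r"nameif outside\n(?:.*\n)*?\s*ip address (\S+)", cfg).group(1)
    acl = re.search(r"crypto map \S+ \d+ match address (\S+)", cfg).group(1)
    peer = re.search(r"crypto map \S+ \d+ set peer (\S+)", cfg).group(1)
    nets = re.findall(rf"^access-list {re.escape(acl)} extended permit ip (\S+ \S+) (\S+ \S+)$", cfg, re.M)
    return outside, peer, set(nets), sorted(set(LEGACY.findall(cfg)))

def audit(a, b):
    """List the mismatches between two site-to-site peers, plus legacy crypto."""
    (out_a, peer_a, acl_a, weak_a), (out_b, peer_b, acl_b, weak_b) = parse(a), parse(b)
    issues = [f"legacy algorithm: {w}" for w in sorted(set(weak_a + weak_b))]
    if peer_a != out_b or peer_b != out_a:
        issues.append("peer addresses do not point at each other's outside interface")
    if acl_a != {(dst, src) for src, dst in acl_b}:
        issues.append("crypto ACLs are not mirror images")
    return issues
```

Calling audit(ASA1, ASA2) on the configs as written reports only the legacy algorithms; changing a subnet or peer address on one side adds the corresponding mismatch.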