实验拓扑图（若图片未显示，可按配置还原：172.16.10.0/24 — ASA1 [e0/0 inside 172.16.10.254 ｜ e0/1 outside 100.0.0.1] — 100.0.0.0/30 — ISP [fa0/0 100.0.0.2 ｜ fa0/1 200.0.0.2] — 200.0.0.0/30 — ASA2 [e0/0 outside 200.0.0.1 ｜ e0/1 inside 10.10.33.254] — 10.10.33.0/24；两台 ASA 之间建立 IPsec 站点到站点 VPN，ISP 路由器仅模拟公网）

 

 

 

配置文档:

 

 

ISP

! ISP: a plain IOS router standing in for the Internet between the two ASA outside
! interfaces. No routing is configured here: both /30 links are directly connected, and
! the sites' private LANs never reach the ISP un-translated (they are PAT'd to the ASA
! outside address or carried inside ESP).
enable
configure terminal
hostname ISP
interface FastEthernet0/0
 ip address 100.0.0.2 255.255.255.252
 no shutdown
 exit
interface FastEthernet0/1
 ip address 200.0.0.2 255.255.255.252
 no shutdown
 exit

 

 

ASA1

! ASA1: site-to-site IPsec peer for 172.16.10.0/24 (local inside) <-> 10.10.33.0/24 (ASA2 inside).
! Commands are written in full form rather than the abbreviated forms of the original paste.
! NOTE(review): the NAT section uses the pre-8.3 ASA syntax (nat-control / nat (inside) 1 /
! global); on 8.3+ images it must be rewritten as object NAT plus a manual (twice) NAT rule
! for the exemption.
enable
configure terminal
hostname ASA1

! --- Interfaces ---
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 172.16.10.254 255.255.255.0
 no shutdown
 exit
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 100.0.0.1 255.255.255.252
 no shutdown
 exit

! --- Routing: everything not directly connected goes to the ISP ---
route outside 0.0.0.0 0.0.0.0 100.0.0.2

! --- NAT: inside hosts are PAT'd to the outside interface address for Internet access ---
nat-control
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! --- NAT exemption: traffic for the remote site must keep its real source address,
! otherwise it never matches the crypto ACL below. The identity rule (id 0) is evaluated
! before the dynamic PAT rule above.
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 10.10.33.0 255.255.255.0
nat (inside) 0 access-list nonat

! --- IKE phase 1 (ISAKMP) ---
! NOTE(review): every value in this policy must be identical on ASA2 or phase 1 fails, so
! change both peers together. As published the proposal is AES-128 / SHA-1 / DH group 2
! (1024-bit MODP), which is below current recommendations; prefer the strongest group and
! hash the running image supports (group 5 on this syntax generation, group 14 / SHA-256
! on newer images) and keep the 10800 s lifetime or shorter.
crypto isakmp enable outside
crypto isakmp policy 1
 encryption aes
 hash sha
 authentication pre-share
 group 2
 lifetime 10800
 exit

! Peer definition keyed on ASA2's outside address.
! NOTE(review): "benet" is a lab-only pre-shared key. It is stored in the configuration in
! recoverable form; in production use a long random key (or certificate authentication)
! and make sure the same key is configured on ASA2.
tunnel-group 200.0.0.1 type ipsec-l2l
tunnel-group 200.0.0.1 ipsec-attributes
 pre-shared-key benet
 exit

! --- IKE phase 2 (IPsec) ---
! Crypto ACL ("interesting traffic"): must be the exact mirror image of ASA2's crypto ACL.
! NOTE(review): "***" is the ACL name exactly as published and is probably a placeholder;
! any name works as long as the same one is used in the "match address" line below.
access-list *** extended permit ip 172.16.10.0 255.255.255.0 10.10.33.0 255.255.255.0
! ESP with AES-128 encryption and SHA-1 HMAC integrity (same strength caveat as phase 1;
! the transform set must also match ASA2).
crypto ipsec transform-set benet-set esp-sha-hmac esp-aes
crypto map benet-map 1 match address ***
crypto map benet-map 1 set peer 200.0.0.1
crypto map benet-map 1 set transform-set benet-set
! Activate the map on the Internet-facing interface.
crypto map benet-map interface outside
! NOTE(review): "sysopt connection permit-vpn" is enabled by default on ASA (not shown
! here), so decrypted tunnel traffic bypasses the outside interface ACL. If the remote site
! should only reach specific hosts or ports, disable it and add an explicit access-group.

 

 

 

ASA2

! ASA2: site-to-site IPsec peer for 10.10.33.0/24 (local inside) <-> 172.16.10.0/24 (ASA1 inside).
! Mirror image of ASA1: the crypto policy, transform set and pre-shared key are the same,
! the crypto ACL and NAT exemption have source and destination swapped. Commands are
! written in full form rather than the abbreviated forms of the original paste.
! NOTE(review): pre-8.3 NAT syntax, as on ASA1; rewrite as object/manual NAT on 8.3+.
enable
configure terminal
hostname ASA2

! --- Interfaces (note e0/0 is outside on this box, the reverse of ASA1) ---
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 200.0.0.1 255.255.255.252
 no shutdown
 exit
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.33.254 255.255.255.0
 no shutdown
 exit

! --- Routing: everything not directly connected goes to the ISP ---
route outside 0.0.0.0 0.0.0.0 200.0.0.2

! --- NAT: inside hosts are PAT'd to the outside interface address for Internet access ---
nat-control
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! --- NAT exemption: traffic for the remote site keeps its real source address so it
! matches the crypto ACL; the identity rule (id 0) is evaluated before the PAT rule.
access-list nonat extended permit ip 10.10.33.0 255.255.255.0 172.16.10.0 255.255.255.0
nat (inside) 0 access-list nonat

! --- IKE phase 1 (ISAKMP) ---
! NOTE(review): must match ASA1 exactly. AES-128 / SHA-1 / DH group 2 is below current
! recommendations; upgrade both peers together (group 5 on this syntax generation,
! group 14 / SHA-256 on newer images).
crypto isakmp enable outside
crypto isakmp policy 1
 encryption aes
 hash sha
 authentication pre-share
 group 2
 lifetime 10800
 exit

! Peer definition keyed on ASA1's outside address.
! NOTE(review): "benet" is a lab-only pre-shared key stored in recoverable form in the
! configuration; use a long random key or certificate authentication in production, and
! keep it identical to ASA1's.
tunnel-group 100.0.0.1 type ipsec-l2l
tunnel-group 100.0.0.1 ipsec-attributes
 pre-shared-key benet
 exit

! --- IKE phase 2 (IPsec) ---
! Crypto ACL: exact mirror of ASA1's crypto ACL (source/destination swapped).
! NOTE(review): "***" is the ACL name exactly as published, probably a placeholder; use any
! name as long as the "match address" line below refers to the same one.
access-list *** extended permit ip 10.10.33.0 255.255.255.0 172.16.10.0 255.255.255.0
! ESP with AES-128 encryption and SHA-1 HMAC integrity; must match ASA1's transform set.
crypto ipsec transform-set benet-set esp-sha-hmac esp-aes
crypto map benet-map 1 match address ***
crypto map benet-map 1 set peer 100.0.0.1
crypto map benet-map 1 set transform-set benet-set
! Activate the map on the Internet-facing interface.
crypto map benet-map interface outside
! NOTE(review): with the default "sysopt connection permit-vpn" (not shown here) decrypted
! tunnel traffic bypasses the outside interface ACL; disable it and add an explicit
! access-group if the remote site should only reach specific hosts or ports.

 

 

 

本文原创由曼尼发布