ASA IPsec *** simulation
ASA1:
ASA1# show running-config
: Saved
:
ASA Version 8.0(2)
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot config disk0:/.private/startup-config
ftp mode passive
access-list per_ip extended permit ip any any
access-list ping extended permit icmp any any
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group ping in interface outside
route outside 0.0.0.0 0.0.0.0 10.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 10 match address nonat
crypto map mymap 10 set peer 10.1.1.2
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
!
!
tunnel-group 10.1.1.2 type ipsec-l2l
tunnel-group 10.1.1.2 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:eb72325b4a2d7567cce71e46bec34638
: end
ASA1#
***********************************************************
R3#show run
Building configuration...
Current configuration : 1585 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
!
!
ip cef
no ip domain lookup
!
ip tcp synwait-time 5
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 10.1.1.1
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 10.1.1.1
set transform-set myset
match address ***
!
!
!
!
interface Ethernet0/0
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
full-duplex
!
interface Ethernet0/1
ip address 10.1.1.2 255.255.255.0
ip access-group 110 in
ip nat outside
ip virtual-reassembly
full-duplex
crypto map mymap
!
interface Ethernet0/2
no ip address
shutdown
half-duplex
!
interface Ethernet0/3
no ip address
shutdown
half-duplex
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
!
ip nat inside source list nat interface Ethernet0/1 overload
!
!
ip access-list extended nat
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
permit ip any any
ip access-list extended ***
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
control-plane
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
1) Router ××× show and troubleshooting commands:
show crypto isakmp policy: displays all the policies that will be tried, plus the final default policy settings
clear crypto session: clears the ××× connection
show crypto ipsec transform-set: displays the IPsec transform-set settings
show crypto map: displays the crypto map configuration
show crypto isakmp sa: displays the ISAKMP/IKE phase 1 security associations (SAs), i.e. the ××× connections
show crypto ipsec sa: displays the ISAKMP/IKE phase 2 security associations (SAs)
show crypto engine connections active: displays the number of packets encrypted/decrypted per ××× connection
2) ASA firewall ××× show and troubleshooting commands:
show ***-sessiondb l2l: displays the connection status of the l2l (LAN-to-LAN) *** sessions
Reposted from: https://blog.51cto.com/libinqi456/1786106