ASA 8.02上一对多L2L ×××
ASA 8.02上一对多L2L ×××
一、背景:
XX公司的总部在上海,在北京和武汉都有分公司,要求用×××把北京和武汉这两个分公司与总公司连接起来,以便保护数据的安全性。公司出外网的设置都是cisco的设备。
二、逻辑的网络拓扑及IP地址规划如下(如下图):
三、下面给出R4和ASA上面的配置,其实R2和R4的配置基本上是一致的。
ASA上面的配置:
interface e 0/3
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
no sh
exit
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
no sh
exit
interface e 0/4
nameif outside
security-level 0
ip address 100.1.1.1 255.255.255.0
no sh
exit
nameif outside
security-level 0
ip address 100.1.1.1 255.255.255.0
no sh
exit
----配置使内网用户能够上网---
route outside 0.0.0.0 0.0.0.0 100.1.1.2
nat (inside) 1 192.168.0.0 255.255.255.0
global (outside) 1 interface
global (outside) 1 interface
--------------------***---------------------
crypto isakmp enable outside
---上面这个命令要注意。
crypto isakmp policy 10
authencation pre-share
encryption 3des
hash md5
group 2
exit
crypto isakmp policy 10
authencation pre-share
encryption 3des
hash md5
group 2
exit
tunnel-group 101.1.1.2 type ipsec-l2l
tunnel-group 101.1.1.2 ipsec-attributes
pre-shared-key whcisco
exit
tunnel-group 101.1.1.2 ipsec-attributes
pre-shared-key whcisco
exit
tunnel-group 200.1.1.2 type ipsec-l2l
tunnel-group 200.1.1.2 ipsec-attributes
pre-shared-key bjcisco
exit
tunnel-group 200.1.1.2 ipsec-attributes
pre-shared-key bjcisco
exit
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto ipsec transform-set shtran esp-3des esp-md5-hmac
crypto map shmap 10 ipsec-isakmp
crypto map shmap 10 set peer 101.1.1.2
crypto map shmap 10 set peer 200.1.1.2
crypto map shmap 10 set transform-set shtran
crypto map shmap 10 match address nonat
crypto map shmap 10 set peer 101.1.1.2
crypto map shmap 10 set peer 200.1.1.2
crypto map shmap 10 set transform-set shtran
crypto map shmap 10 match address nonat
crypto map shmap interface outside
R4的配置:
enable
configure terminal
no ip domain lookup
line console 0
exec-timeout 0 0
logging synchronous
exit
configure terminal
no ip domain lookup
line console 0
exec-timeout 0 0
logging synchronous
exit
interface f 2/0
ip address 200.1.1.2 255.255.255.0
no sh
exit
ip address 200.1.1.2 255.255.255.0
no sh
exit
interface f 1/0
ip address 192.168.3.1 255.2552.55.0
no sh
exit
ip address 192.168.3.1 255.2552.55.0
no sh
exit
-----配置pat上网---
access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 any
interface f 1/0
ip nat inside
exit
interface f 2/0
ip nat outside
exit
ip nat inside
exit
interface f 2/0
ip nat outside
exit
ip nat inside source list 100 inteface f 2/0 overload
ip route 0.0.0.0 0.0.0.0 200.1.1.1
-----------------***----------------------
crypto isakmp policy 10
encryption 3des
authentication pre-share
hash md5
group 2
exit
crypto isakmp key 0 bjcisco address 100.1.1.1
access-list 101 pemrit ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255
crypto ipsec transform-set bjtran esp-3des esp-md5-hmac
mode tunnel
exit
mode tunnel
exit
crypto map bjmap 10 ipsec-isakmp
match address 101
set peer 100.1.1.1
set transform-set bjtran
exit
match address 101
set peer 100.1.1.1
set transform-set bjtran
exit
interface f 2/0
crypto map bjmap
exit
crypto map bjmap
exit
四、验证×××:
1、在R5上ping R1:
并且在R4上用show crypto isakmp sa 和show ip nat translation查看如下:
2、在R2上验证的结果如下:
3、在ASA上的查看结果如下:
4、在R1上ping 北京和武汉的网关发现都能通:
五、总结:
1、在ASA上配置ACL的时候与路由器上的很不一样,它使用的是名称,而不是编号,还有就是在ASA上配置的时候全部是正掩码,不是反掩码。路由器上的ACL必须是反掩码。
2、在配置共享的**的时候,路由器上的是crypto isakmp key,虽然ASA上也支持这个命令,但是,你配置后发现是没有这条配置的,它是以tunnel-group存在的。所以说在配置的时候最好用tunnel-group来配置。
3、在配置ASA ×××的时候,要注意手工开启outside接口的 isakmp
crypto isakmp enable outside,因为在ASA上默认是没有开启的。但是,这在路由器上默认是开启的。
4、在配置路由器和路由器之间的L2L ×××的时候,还要配置到达对方网络的一条路由,但是,在这里是不用配置的,不过你配置了也行。不影响。
5、在配置一对多的×××的时候,要注意有多少个对端就配置多少个**,在这里也就是要配置多个tunnel-group ,还要配置多个 set peer
好了,就说这么多,还希望高手们多多指教!!在下不胜感激!
转载于:https://blog.51cto.com/xfzhou89/974829