ASA1 configuration (lan1_lan2):
(1) Enable IKE negotiation on the outside interface:
crypto isakmp enable outside
(2) Configure the management connection (the IKE phase 1 policy)
crypto isakmp policy 1
authentication pre-share
encryption aes
hash md5
group 2
lifetime 10000
(3) Set the pre-shared key:
crypto isakmp key 2008.cn address 202.0.0.1
Alternatively, the same key can be configured through a tunnel group:
tunnel-group 202.0.0.1 type ipsec-l2l
tunnel-group 202.0.0.1 ipsec-attributes
pre-shared-key 2008.cn
(4) Configure the data connection (the IPsec phase 2 SA: crypto ACL, transform set and crypto map)
access-list lan1_lan2 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto ipsec transform-set test-set esp-aes esp-md5-hmac
crypto map test-map 1 match address lan1_lan2
crypto map test-map 1 set peer 202.0.0.1
crypto map test-map 1 set transform-set test-set
(5) Apply the crypto map to the outside (logical) interface
crypto map test-map interface outside
--------------------------------------
ASA1 configuration (lan1_lan3)
Add the following lines on top of the configuration above (the management connection reuses the ISAKMP policy already defined for lan1_lan2):
(1) Set the pre-shared key for lan1_lan3:
tunnel-group 203.0.0.1 type ipsec-l2l
tunnel-group 203.0.0.1 ipsec-attributes
pre-shared-key 2008.cn
(2) Configure the crypto ACL
access-list lan1_lan3 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
(3) Data connection (a second entry in the same crypto map, reusing the transform set)
crypto map test-map 2 match address lan1_lan3
crypto map test-map 2 set peer 203.0.0.1
crypto map test-map 2 set transform-set test-set
-----------------------------------------------------------
To allow lan2 and lan3 to communicate over the VPN with lan1 relaying the traffic (hub-and-spoke through ASA1):
Configuration to add on ASA1:
(1) Allow traffic to enter and leave the same interface (the spoke-to-spoke flow arrives on outside and is sent back out through outside)
same-security-traffic permit intra-interface
(2) Add the spoke-to-spoke flows to the crypto ACLs
access-list lan1_lan2 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list lan1_lan3 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
Configuration on ASA2:
(1) Add an ACL entry
access-list lan2_lan1 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
Configuration on ASA3:
(1) Add an ACL entry
access-list lan3_lan1 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
-----------------------------------------------------------------------
If the other company subnets also need Internet access, configure PAT on the ASAs, enable NAT control, and exempt the VPN traffic from NAT (otherwise the VPN flows are translated to the outside address and no longer match the crypto ACL).
Enable NAT control:
nat-control
1. Configuration on ASA1:
nat (inside) 1 0 0
global (outside) 1 interface
Do not reuse the existing ACL entries: ASA1 has two crypto ACLs, lan1_lan2 and lan1_lan3, and a single nat 0 statement cannot reference both, so define a new ACL that lists both VPN flows.
access-list vpn permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list vpn permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list vpn
2. Configuration on ASA2:
nat (inside) 1 0 0
global (outside) 1 interface
nat (inside) 0 access-list lan2_lan1
3. Configuration on ASA3:
nat (inside) 1 0 0
global (outside) 1 interface
nat (inside) 0 access-list lan3_lan1
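The two mistakes this page warns about (a NAT exemption that covers only one of the tunnels, and hub-side crypto ACLs that lack the spoke-to-spoke entries or the intra-interface permit) are easy to check offline. The following Python script is an added example, not part of the original post and not a Cisco tool: it parses the `access-list ... permit ip`, `crypto map ... match address` and `nat (...) 0 access-list` lines of an ASA 8.2-style configuration and reports the gaps. The sample configurations are constructed from the ASA1 commands on this page; the helper names (`parse_config`, `unexempted_vpn_flows`, `spoke_to_spoke_gaps`) and the `spokes` mapping are assumptions of this example.

```python
"""Consistency checks for a Cisco ASA (8.2-style) site-to-site IPsec config.

Added example (not the original post's code). It checks:
 (1) crypto-ACL flows sourced from the inside LAN that no nat 0 exemption
     ACL covers (they would be PATed and never enter the tunnel);
 (2) hub-side crypto-ACL entries and the intra-interface permit needed to
     relay spoke-to-spoke traffic.
"""
import ipaddress
import re
from collections import defaultdict

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
INTRA = "same-security-traffic permit intra-interface"


def parse_config(text):
    """Return (acls, crypto_acls, nat_exempt, intra_interface)."""
    acls = defaultdict(list)        # ACL name -> [(src_net, dst_net)]
    crypto_acls = {}                # crypto map sequence -> crypto ACL name
    nat_exempt = defaultdict(list)  # interface -> [ACL names used with nat 0]
    intra = False
    for raw in text.splitlines():
        line = " ".join(raw.split())  # collapse whitespace
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            # ipaddress accepts a dotted netmask after the slash
            acls[name].append((ipaddress.ip_network(f"{s}/{sm}"),
                               ipaddress.ip_network(f"{d}/{dm}")))
        elif m := MATCH_RE.match(line):
            crypto_acls[int(m.group(2))] = m.group(3)
        elif m := NAT0_RE.match(line):
            nat_exempt[m.group(1)].append(m.group(2))
        elif line == INTRA:
            intra = True
    return acls, crypto_acls, nat_exempt, intra


def unexempted_vpn_flows(cfg, interface, inside_nets):
    """Crypto-ACL flows from inside_nets that no `nat (interface) 0` ACL covers."""
    acls, crypto_acls, nat_exempt, _ = cfg
    exempt = [p for name in nat_exempt.get(interface, []) for p in acls.get(name, [])]
    missing = []
    for _seq, name in sorted(crypto_acls.items()):
        for src, dst in acls.get(name, []):
            if not any(src.subnet_of(n) for n in inside_nets):
                continue  # not an inside->outside flow; nat (inside) does not apply
            if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt):
                missing.append((name, str(src), str(dst)))
    return missing


def spoke_to_spoke_gaps(cfg, spokes):
    """Missing hub-side lines for relaying traffic between the given spokes.

    spokes maps crypto ACL name -> that spoke's LAN. For each ordered pair
    (a, b) the ACL of tunnel b must permit spoke_a -> spoke_b, because the
    relayed flow leaves the hub through tunnel b; hairpinning must be enabled.
    """
    acls, _, _, intra = cfg
    gaps = [] if intra else [INTRA]
    for acl_a, net_a in spokes.items():
        for acl_b, net_b in spokes.items():
            if acl_a == acl_b:
                continue
            if not any(net_a.subnet_of(s) and net_b.subnet_of(d)
                       for s, d in acls.get(acl_b, [])):
                gaps.append(f"access-list {acl_b} permit ip {net_a.network_address} "
                            f"{net_a.netmask} {net_b.network_address} {net_b.netmask}")
    return gaps


# Constructed from the ASA1 commands on this page.
ASA1_BASE = """
access-list lan1_lan2 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list lan1_lan3 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
crypto map test-map 1 match address lan1_lan2
crypto map test-map 2 match address lan1_lan3
nat (inside) 1 0 0
global (outside) 1 interface
"""
# Reusing one crypto ACL for the exemption leaves the other tunnel uncovered.
ASA1_WRONG = ASA1_BASE + "nat (inside) 0 access-list lan1_lan2\n"
# The page's fix: a dedicated ACL listing both VPN flows.
ASA1_FIXED = ASA1_BASE + """
access-list vpn permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list vpn permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list vpn
"""
# Hub-side additions for lan2 <-> lan3 relayed through lan1.
ASA1_HUB = ASA1_FIXED + """
same-security-traffic permit intra-interface
access-list lan1_lan2 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list lan1_lan3 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
"""
INSIDE = [ipaddress.ip_network("192.168.1.0/24")]
SPOKES = {"lan1_lan2": ipaddress.ip_network("192.168.2.0/24"),
          "lan1_lan3": ipaddress.ip_network("192.168.3.0/24")}

if __name__ == "__main__":
    for label, text in [("wrong", ASA1_WRONG), ("fixed", ASA1_FIXED)]:
        print(label, unexempted_vpn_flows(parse_config(text), "inside", INSIDE))
    print("hub gaps before:", spoke_to_spoke_gaps(parse_config(ASA1_FIXED), SPOKES))
    print("hub gaps after:", spoke_to_spoke_gaps(parse_config(ASA1_HUB), SPOKES))
```

The NAT check deliberately ignores crypto-ACL entries whose source is not an inside network: the spoke-to-spoke entries added on the hub are outside-to-outside flows, so `nat (inside) 0` is not what governs them. Run the script against a saved `show running-config` to get the same two reports for a real configuration.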
ASA_ipsecVPC configuration notes