1. IPsec VPN basic configuration
access-list no-nat extended permit ip 192.168.222.0 255.255.255.0 172.16.100.0 255.255.255.0
// define the VPN traffic: inside network to the client address pool
nat (inside) 0 access-list no-nat
// identity NAT: traffic matching no-nat is exempted from translation, so inside hosts answer VPN clients without being NATed

ip local pool vpn-pool 172.16.100.1-172.16.100.100 mask 255.255.255.0
// address pool from which VPN users get an address after dialing in (choose a range that does not overlap the inside network)

crypto ipsec transform-set vpnset esp-des esp-md5-hmac
// define the transform set vpnset: esp-des is the ESP cipher, esp-md5-hmac is the ESP integrity (HMAC) algorithm; MD5 does not encrypt anything. Most examples on the net use esp-3des esp-sha-hmac or esp-des esp-sha-hmac. 3DES was not enabled on my firewall, so I could only use esp-des (3DES/AES is a license feature on the ASA; the VPN-3DES-AES line in "show version" shows whether it is active). With esp-sha-hmac the tunnel group would never connect, so I switched to esp-md5-hmac; I do not know the cause. DES and MD5 are both weak and should be a last resort; with the 3DES-AES license, use esp-aes-256 esp-sha-hmac.
crypto dynamic-map dymap 10 set transform-set vpnset
// attach vpnset to dynamic crypto map dymap (dynamic, because remote-access peers connect from unknown addresses)
crypto dynamic-map dymap 10 set reverse-route
// reverse route injection: add a route for each connected client's pool address
crypto map vpnmap 10 ipsec-isakmp dynamic dymap
// reference the dynamic map dymap from entry 10 of crypto map vpnmap
crypto map vpnmap interface outside
// bind crypto map vpnmap to the outside interface
crypto isakmp identity address
// use the interface IP address as the ISAKMP identity
crypto isakmp enable outside
// enable ISAKMP (IKE) on the outside interface
 

crypto isakmp policy 10
// enter ISAKMP (IKE phase 1) policy 10
 authentication pre-share
 // authenticate peers with a pre-shared key
 encryption des
// phase 1 cipher is DES (this is the command actually used here; 3des or aes-256 need the 3DES-AES license)
 hash md5
// phase 1 hash is MD5. This does not have to match the transform set: the ISAKMP hash and the ESP HMAC are negotiated independently, so "hash sha" works fine together with esp-md5-hmac in phase 2. Most examples use sha; MD5 is the weaker choice.
 group 2
// Diffie-Hellman group 2 (1024-bit MODP) for the phase 1 key exchange. The group selects the size of the DH modulus, not block sizes or lifetimes; group 5 (1536-bit) is stronger if both ends support it.
 lifetime 86400
// phase 1 SA lifetime in seconds (24 hours)

 
group-policy whjt internal
// create group policy whjt, stored locally on the ASA ("internal"). The name is arbitrary; the policy takes effect once a tunnel group references it with default-group-policy.
group-policy whjt attributes
// enter the group policy's attributes
 vpn-idle-timeout 1800
// VPN session idle timeout. The unit is minutes, not seconds (1800 = 30 hours; the default is 30 minutes).
  
tunnel-group whjt type ipsec-ra
// create the IPsec remote-access tunnel group whjt (ipsec-ra = remote access; 8.0 stores it as "type remote-access", which is what "show run" displays). The tunnel group name is what the client enters as its group name. This has nothing to do with split tunneling, which is configured in section 2.
tunnel-group whjt general-attributes
// define the general attributes of tunnel group whjt
 address-pool vpn-pool
// assign the client address pool vpn-pool to tunnel group whjt
 authentication-server-group (outside) LOCAL
// authenticate users against the local database. LOCAL is already the default, so this line is redundant and is not displayed in "show run".
 default-group-policy whjt
// default group policy is whjt
username test password test
// create the local user. This is a global command, not a tunnel-group sub-command (it appears at the top level in the full configuration below), and the password is stored hashed.
tunnel-group whjt ipsec-attributes
// define the IPsec attributes of tunnel group whjt
 pre-shared-key 730211
// group pre-shared key 730211 (what the client enters as the group password). A short all-digit key like this is easily guessed; use a long random value in production.
isakmp nat-traversal 20
// NAT traversal (UDP 4500): when a NAT/PAT device sits between client and ASA, send a NAT-T keepalive every 20 seconds so the PAT entry does not time out (8.0 syntax: crypto isakmp nat-traversal 20, as in note 2 below); it corresponds to the router's
 isakmp keepalive threshold 20 retry 2
// dead peer detection: the peer may be idle for 20 seconds before keepalives are sent; when one gets no reply, retry every 2 seconds. On 8.0 this is a tunnel-group ipsec-attributes sub-command, as the full configuration below shows.
sysopt connection permit-vpn
// let decrypted IPsec/SSL VPN traffic bypass the interface access lists. Without it, clients can ping inside hosts (ICMP is permitted by access-list 101 on outside) but cannot reach services such as ports 23 or 80. The line is absent from the full configuration below; "show running-config all sysopt" displays the sysopt settings including defaults.
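The commands above form a reference chain (transform set, dynamic map, crypto map, interface, tunnel group, pool and group policy) in which a single mistyped name silently breaks the VPN, and the algorithm comments on this page show how easy it is to misread what each keyword does. The following script is an added example, not code from the article or from Cisco: it parses an ASA-style configuration excerpt, verifies that every reference resolves, and flags DES, MD5, DH group 1/2 and a weak pre-shared key. `CONFIG` is a constructed excerpt of the section 1 commands; the function and message names are my own.

```python
"""Cross-check an ASA 8.0 IPsec remote-access configuration.

Added example; not code from the original article or from Cisco. It follows
the reference chain transform-set -> dynamic-map -> crypto map -> interface
and tunnel-group -> address pool / group policy, and flags weak algorithms.
CONFIG is a constructed excerpt of the section 1 commands.
"""

CONFIG = """
ip local pool vpn-pool 172.16.100.1-172.16.100.100 mask 255.255.255.0
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto dynamic-map dymap 10 set transform-set vpnset
crypto map vpnmap 10 ipsec-isakmp dynamic dymap
crypto map vpnmap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
group-policy whjt internal
tunnel-group whjt type ipsec-ra
tunnel-group whjt general-attributes
 address-pool vpn-pool
 default-group-policy whjt
tunnel-group whjt ipsec-attributes
 pre-shared-key 730211
sysopt connection permit-vpn
"""


def parse(text):
    """Return (parent, command) pairs; an indented line belongs to the preceding top-level command."""
    items, parent = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip()[0] in "!:":   # blanks, "!" separators, ": Saved" banners
            continue
        if raw[0].isspace():
            items.append((parent, raw.strip()))
        else:
            parent = raw.strip()
            items.append((None, parent))
    return items


def audit(text):
    """Return findings; an empty list means the chain is intact and nothing weak was seen."""
    tsets, dymaps, cmaps, policies, tgroups = {}, {}, {}, {}, {}
    pools, gpolicies, ike_ifaces, permit_vpn = set(), set(), set(), False
    for parent, line in parse(text):
        w = line.split()
        if parent is None:
            if w[:3] == ["crypto", "ipsec", "transform-set"]:
                tsets[w[3]] = w[4:]
            elif w[:2] == ["crypto", "dynamic-map"] and w[4:6] == ["set", "transform-set"]:
                dymaps[w[2]] = w[6]
            elif w[:2] == ["crypto", "map"] and w[3] == "interface":
                cmaps.setdefault(w[2], {})["interface"] = w[4]
            elif w[:2] == ["crypto", "map"] and "dynamic" in w:
                cmaps.setdefault(w[2], {})["dynamic"] = w[w.index("dynamic") + 1]
            elif w[:3] == ["crypto", "isakmp", "enable"]:
                ike_ifaces.add(w[3])
            elif w[:3] == ["ip", "local", "pool"]:
                pools.add(w[3])
            elif w[0] == "group-policy":
                gpolicies.add(w[1])
            elif line == "sysopt connection permit-vpn":
                permit_vpn = True
        elif parent.startswith("crypto isakmp policy "):
            policies.setdefault(parent.split()[3], {})[w[0]] = w[1]
        elif parent.startswith("tunnel-group "):
            tgroups.setdefault(parent.split()[1], {})[w[0]] = w[-1]

    out = []
    for name, cm in cmaps.items():          # crypto map -> interface with IKE -> dynamic map -> transform set
        iface = cm.get("interface")
        if iface not in ike_ifaces:
            out.append(f"crypto map {name}: not bound to an interface with isakmp enabled (interface={iface})")
        dm = cm.get("dynamic")
        if dm not in dymaps:
            out.append(f"crypto map {name}: unknown dynamic-map {dm}")
        elif dymaps[dm] not in tsets:
            out.append(f"dynamic-map {dm}: unknown transform-set {dymaps[dm]}")
    for name, tg in tgroups.items():        # tunnel group -> pool, group policy, PSK quality
        if tg.get("address-pool") not in pools:
            out.append(f"tunnel-group {name}: unknown address-pool {tg.get('address-pool')}")
        if tg.get("default-group-policy") not in gpolicies:
            out.append(f"tunnel-group {name}: unknown default-group-policy {tg.get('default-group-policy')}")
        psk = tg.get("pre-shared-key", "")
        if psk != "*" and (psk.isdigit() or len(psk) < 16):   # "*" is how "show run" masks the key
            out.append(f"tunnel-group {name}: pre-shared-key missing, short or all digits; use a long random key")
    for name, algs in tsets.items():        # phase 2 algorithms
        for a in algs:
            if a in ("esp-des", "esp-3des"):
                out.append(f"transform-set {name}: {a} is obsolete; prefer esp-aes-256")
            elif a == "esp-md5-hmac":
                out.append(f"transform-set {name}: esp-md5-hmac is MD5; prefer esp-sha-hmac")
    for seq, p in policies.items():         # phase 1 algorithms
        if p.get("encryption") in ("des", "3des"):
            out.append(f"isakmp policy {seq}: {p['encryption']} is obsolete; prefer aes-256")
        if p.get("hash") == "md5":
            out.append(f"isakmp policy {seq}: hash md5; prefer sha")
        if p.get("group") in ("1", "2"):
            out.append(f"isakmp policy {seq}: DH group {p['group']} is 1024-bit or smaller; prefer group 5 or higher")
    if not permit_vpn:
        out.append("sysopt connection permit-vpn not present; confirm with 'show running-config all sysopt'")
    return out


if __name__ == "__main__":
    for finding in audit(CONFIG):
        print("-", finding)
```

Run against the page's own commands it reports no broken references but six weak-crypto findings (DES and MD5 in both phases, DH group 2, the numeric pre-shared key); change `set transform-set vpnset` to a name that does not exist and the broken-chain check fires instead. Feed it the output of `show running-config` to check a live box.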
 
 
2. Enabling split tunneling
access-list vpnsplit standard permit 192.168.222.0 255.255.255.0
// a standard ACL listing the networks that go through the tunnel; here the ASA's inside network
group-policy whjt attributes
// enter the group policy's attributes
 split-tunnel-policy tunnelspecified
// split-tunnel policy tunnelspecified: only the listed networks are tunneled; everything else (the client's Internet traffic) leaves the client directly
 split-tunnel-network-list value vpnsplit
// the networks matched by vpnsplit are the ones sent through the tunnel. The trade-off: a split-tunneled client is on the inside network and the Internet at the same time; "split-tunnel-policy tunnelall" forces all client traffic through the ASA instead.
 
Note 1: to let VPN users ping the ASA's inside interface (192.168.222.1), add the following command on the firewall: management-access inside
Note 2: if the remote users reach the Internet through NAT (all the site's broadband users share one public IP), the following command lets IKE/ESP traverse the NAT (NAT-T, UDP 4500):
crypto isakmp nat-traversal 20
// NAT-T keepalive interval; 20 seconds is the default
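Whether a given destination is tunneled depends only on the split-tunnel policy and the network list, and the rest of the addressing (pool, inside network, no-nat ACL) has to agree with it. The script below is an added example, not code from the article or from Cisco: it answers "does this packet go through the tunnel?" for the three split-tunnel policies the ASA offers and checks the address plan on this page for the mistakes that break remote-access VPNs (a pool that overlaps the inside network, a no-nat ACL that does not cover inside to pool, an inside network missing from the split list). The networks are the page's; the destination addresses are constructed and the function names are mine.

```python
"""Split-tunnel and address-plan checks for the section 2 setup.

Added example; not code from the original article or from Cisco. The
networks are the ones used on this page; the destinations are constructed.
"""
import ipaddress as ipa

INSIDE = "192.168.222.0/24"           # ASA inside network
POOL = "172.16.100.0/24"              # the /24 that ip local pool vpn-pool is carved from
SPLIT_LIST = ["192.168.222.0/24"]     # access-list vpnsplit standard permit 192.168.222.0 255.255.255.0
NO_NAT = [("192.168.222.0/24", "172.16.100.0/24")]   # access-list no-nat (source, destination)


def via_tunnel(dest, policy="tunnelspecified", split=SPLIT_LIST):
    """True if a client packet to `dest` enters the IPsec tunnel under the given split-tunnel-policy."""
    addr = ipa.ip_address(dest)
    listed = any(addr in ipa.ip_network(n) for n in split)
    if policy == "tunnelall":          # everything goes to the ASA, including Internet traffic
        return True
    if policy == "excludespecified":   # listed networks bypass the tunnel, all else is tunneled
        return not listed
    return listed                      # tunnelspecified: only the listed networks are tunneled


def route_table(dests, policy="tunnelspecified"):
    """Map each destination to 'tunnel' or 'direct' for a quick what-if."""
    return {d: ("tunnel" if via_tunnel(d, policy) else "direct") for d in dests}


def check_plan(inside=INSIDE, pool=POOL, split=SPLIT_LIST, no_nat=NO_NAT):
    """Return address-plan problems; an empty list means the page's layout is consistent."""
    inside, pool = ipa.ip_network(inside), ipa.ip_network(pool)
    problems = []
    if inside.overlaps(pool):
        problems.append("address pool overlaps the inside network: clients and inside hosts would collide")
    if not any(inside.subnet_of(ipa.ip_network(s)) and pool.subnet_of(ipa.ip_network(d)) for s, d in no_nat):
        problems.append("no-nat ACL does not cover inside -> pool: replies to clients would be PATed to the global address")
    if not any(inside.subnet_of(ipa.ip_network(n)) for n in split):
        problems.append("inside network is missing from the split-tunnel list: clients could not reach it")
    return problems


if __name__ == "__main__":
    print(route_table(["192.168.222.10", "192.168.222.1", "8.8.8.8", "172.16.100.5"]))
    print(check_plan() or "address plan OK")
    print(check_plan(pool="192.168.222.128/25"))   # a pool carved out of the inside network
```

With the page's values the plan checks out and 8.8.8.8 is reported as "direct", which is exactly the exposure split tunneling accepts; passing `pool="192.168.222.128/25"` shows both the overlap and the no-nat mismatch that such a pool would cause.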
 
 
3. Client configuration
The client I used is Cisco VPN Client 5.0, configured as in the figure below:
Host: the ASA outside interface IP; group name: whjt; group password: 730211

After saving, connect the VPN; the dialog below appears asking for the remote user's username and password, both "test" in this example.
 
4. Complete ASA5510 configuration
The running configuration as captured (user passwords hashed, the pre-shared key masked as *). Before copying it, note what it also contains: telnet on inside (cleartext) and "ssh version 1" (a protocol with known weaknesses; use "ssh version 2"), "crypto isakmp enable inside", which is not needed for a VPN terminating on outside, access-list 101 permitting all ICMP inbound on outside, enable and login passwords that both carry 2KFQnbNIdI.2KYOU, the well-known hash of "cisco", and the DES/MD5/group 2 choices discussed in section 1.
test# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname test
domain-name test.net
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.65.222.1 255.255.128.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.222.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name test.net
access-list 101 extended permit icmp any any
access-list no-nat extended permit ip 192.168.222.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list vpnsplit standard permit 192.168.222.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool vpn-pool 172.16.100.1-172.16.100.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 10.65.222.100 netmask 255.255.128.0
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 10.65.156.27 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http 192.168.0.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto dynamic-map dymap 10 set transform-set vpnset
crypto dynamic-map dymap 10 set reverse-route
crypto map vpnmap 10 ipsec-isakmp dynamic dymap
crypto map vpnmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
telnet 192.168.222.0 255.255.255.0 inside
telnet timeout 5
ssh 10.65.128.0 255.255.128.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
!
!
group-policy whjt internal
group-policy whjt attributes
 vpn-idle-timeout 1800
                               // in practice I usually set 3600000 (the unit is minutes); a longer value makes sessions less likely to drop
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnsplit
username test password P4ttSyrm33SV8TYp encrypted
tunnel-group whjt type remote-access
tunnel-group whjt general-attributes
 address-pool ***-pool
 default-group-policy whjt
tunnel-group whjt ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 20 retry 2
prompt hostname context
Cryptochecksum:6f13b4f4e5c0d5f0a08f0f86be414b16
: end