
GW1:

route outside 0.0.0.0 0.0.0.0 202.1.1.10 1
route inside 0.0.0.0 0.0.0.0 10.1.1.10 tunneled //tunneled default route: used only for traffic decrypted from the VPN

crypto ikev1 enable outside //enable IKEv1 on the outside interface
crypto ikev1 policy 10 //define the phase 1 (IKEv1) policy
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

tunnel-group 64.1.1.1 type ipsec-l2l //define the peer and its authentication key
tunnel-group 64.1.1.1 ipsec-attributes
ikev1 pre-shared-key cisco

access-list *** extended permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0 //interesting traffic (what gets encrypted)

crypto ipsec ikev1 transform-set SET esp-aes esp-sha-hmac //phase 2 (IPsec) transform set

Tie the policies together with a crypto map:

crypto map cisco 10 match address ***
crypto map cisco 10 set pfs group5
crypto map cisco 10 set peer 64.1.1.1
crypto map cisco 10 set ikev1 transform-set SET
crypto map cisco interface outside //apply the crypto map to the outside interface

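As an added example (not part of the original post), the following Python script parses the phase 1 policy, the transform set and the PFS setting from the GW1 configuration above and flags algorithms that are now considered weak. The config text is copied from the page; the weakness thresholds (DES/3DES, MD5, DH groups below 2048 bits) are this example's own assumptions.

```python
import re

# Constructed sample: GW1's IKEv1 policy, IPsec transform set and PFS
# setting, copied from the configuration above.
SAMPLE_CONFIG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set SET esp-aes esp-sha-hmac
crypto map cisco 10 set pfs group5
"""

# Assumed thresholds for this example: DES/3DES, MD5 and DH groups
# smaller than 2048 bits (groups 1, 2 and 5) are reported as weak.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

POLICY_RE = re.compile(r"^crypto ikev1 policy (\d+)$")
TRANSFORM_RE = re.compile(r"^crypto ipsec ikev1 transform-set (\S+) (.+)$")
PFS_RE = re.compile(r"^crypto map (\S+) (\d+) set pfs (\S+)$")


def parse_config(text):
    """Return (policies, transform_sets, pfs) parsed from ASA-style config lines."""
    policies, transform_sets, pfs = {}, {}, {}
    current = None  # the ikev1 policy block whose sub-commands we are reading
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = POLICY_RE.match(line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
            continue
        m = TRANSFORM_RE.match(line)
        if m:
            current = None
            transform_sets[m.group(1)] = m.group(2).split()
            continue
        m = PFS_RE.match(line)
        if m:
            current = None
            pfs[(m.group(1), int(m.group(2)))] = m.group(3)
            continue
        if line.startswith("crypto "):
            current = None  # any other crypto command ends the policy block
        elif current is not None:
            key, _, value = line.partition(" ")
            current[key] = value  # policy sub-command, e.g. "hash md5"
    return policies, transform_sets, pfs


def audit(text):
    """Return a list of human-readable findings for weak IKEv1/IPsec settings."""
    policies, transform_sets, pfs = parse_config(text)
    findings = []
    for seq, attrs in sorted(policies.items()):
        if attrs.get("encryption") in WEAK_ENCRYPTION:
            findings.append(f"ikev1 policy {seq}: weak encryption {attrs['encryption']}")
        if attrs.get("hash") in WEAK_HASH:
            findings.append(f"ikev1 policy {seq}: weak hash {attrs['hash']}")
        if attrs.get("group") in WEAK_DH_GROUPS:
            findings.append(f"ikev1 policy {seq}: weak DH group {attrs['group']}")
    for name, transforms in transform_sets.items():
        for t in transforms:
            if t in WEAK_ESP:
                findings.append(f"transform-set {name}: weak transform {t}")
    for (map_name, seq), group in pfs.items():
        if group.replace("group", "", 1) in WEAK_DH_GROUPS:
            findings.append(f"crypto map {map_name} {seq}: weak PFS {group}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the page's configuration, the checker reports the 3DES encryption, the MD5 hash and DH group 2 of policy 10, plus the group5 PFS setting on the crypto map; the transform set (esp-aes, esp-sha-hmac) passes.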
By default, all traffic carried over the VPN is allowed through after decryption.

If you only want to allow specific traffic:

no sysopt connection permit-vpn //stop decrypted VPN traffic from bypassing the interface ACL

Only permit telnet traffic:

access-list out extended permit tcp 2.2.2.0 255.255.255.0 1.1.1.0 255.255.255.0
access-group out in interface outside


Ping does not go through, but telnet does.
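As an added example (not part of the original post), this Python script models what the ASA does with a decrypted flow arriving on the outside interface: with sysopt connection permit-vpn enabled the interface ACL is bypassed; with it disabled the ACL is evaluated top-down with an implicit deny at the end, which is why ping fails and telnet works. The ACE is copied from the page; the small port-keyword table and the ACL grammar subset (any, host, network/mask, optional eq PORT) are this example's own assumptions.

```python
import ipaddress
import re

# Constructed sample, copied from the page: the outside ACL permitting TCP
# from 2.2.2.0/24 (remote site) to 1.1.1.0/24 (local site).
SAMPLE_ACL = [
    "access-list out extended permit tcp 2.2.2.0 255.255.255.0 1.1.1.0 255.255.255.0",
]

# Subset of ASA port keywords, assumed for this example.
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}
ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")


def _take_address(tokens):
    """Consume one address spec (any | host A | A MASK) and return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def _take_port(tokens):
    """Consume an optional 'eq PORT' and return (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        p = tokens[1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), tokens[2:]
    return None, tokens


def parse_acl(lines):
    """Parse extended ACEs of the form: proto SRC [eq P] DST [eq P]."""
    aces = []
    for line in lines:
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        name, action, proto, rest = m.groups()
        tokens = rest.split()
        src, tokens = _take_address(tokens)
        _sport, tokens = _take_port(tokens)  # source port is not evaluated here
        dst, tokens = _take_address(tokens)
        dport, tokens = _take_port(tokens)
        aces.append({"name": name, "action": action, "proto": proto,
                     "src": src, "dst": dst, "dport": dport})
    return aces


def evaluate(aces, permit_vpn, proto, src_ip, dst_ip, dport=None):
    """Return (action, reason) for one decrypted flow hitting the outside interface.

    permit_vpn=True models the default 'sysopt connection permit-vpn':
    decrypted VPN traffic bypasses the interface ACL entirely.
    """
    if permit_vpn:
        return "permit", "sysopt connection permit-vpn bypasses the interface ACL"
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for ace in aces:  # first matching ACE wins
        if ace["proto"] not in ("ip", proto):
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], f"matched: {ace['action']} {ace['proto']} {ace['src']} -> {ace['dst']}"
    return "deny", "implicit deny at end of ACL"


if __name__ == "__main__":
    aces = parse_acl(SAMPLE_ACL)
    for label, flow in (("ping", ("icmp", "2.2.2.1", "1.1.1.1")),
                        ("telnet", ("tcp", "2.2.2.1", "1.1.1.1", 23))):
        print(label, evaluate(aces, False, *flow))
```

Note that the page's ACE has no eq telnet clause, so it permits every TCP flow from 2.2.2.0/24 to 1.1.1.0/24, not only telnet; adding eq telnet (also handled by the parser) narrows it to port 23.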