Requirement: a company uses a fully meshed topology, so that each site has an IPsec tunnel to every other IPsec peer. Reverse Route Injection (RRI) is also used, so that the remote networks are advertised into the local Chicago network through OSPF.
Chicago ASA:
Chicago# show running
!
hostname Chicago
!
! outside interface GigabitEthernet0/0
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.165.200.225 255.255.255.224
!
! inside interface GigabitEthernet0/1
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! management interface mgmt
interface Management0/0
 nameif mgmt
 security-level 100
 ip address 172.18.82.64 255.255.255.0
!
! NAT exempt access-list to bypass traffic from 192.168.1.0/24 to 10.10.1.0/24
access-list inside_nat0_outbound remark to bypass 192.168.1.0/24 to 10.10.1.0/24
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0
! NAT exempt access-list to bypass traffic from 192.168.1.0/24 to 172.16.1.0/24
access-list inside_nat0_outbound remark to bypass 192.168.1.0/24 to 172.16.1.0/24
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
! bind the exemption list to the inside interface (pre-8.3 NAT syntax; without this line the
! access-list above has no effect and the VPN traffic would be translated)
nat (inside) 0 access-list inside_nat0_outbound
! encryption access-list to encrypt the traffic from 192.168.1.0/24 to 10.10.1.0/24
access-list outside_cryptomap_1 remark to encrypt traffic from 192.168.1.0/24 to 10.10.1.0/24
access-list outside_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0
! encryption access-list to encrypt the traffic from 192.168.1.0/24 to 172.16.1.0/24
access-list outside_cryptomap_2 remark to encrypt traffic from 192.168.1.0/24 to 172.16.1.0/24
access-list outside_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 209.165.200.227 1
!
! OSPF process: the static routes injected by RRI (10.10.1.0/24 and 172.16.1.0/24) are
! redistributed so the inside routers learn the remote sites; the subnets keyword is needed
! because those routes are not classful networks
router ospf 100
 network 192.168.0.0 255.255.0.0 area 0
 redistribute static subnets
!
http server enable
http 172.18.82.0 255.255.255.0 mgmt
!
! Transform set to specify encryption and hashing algorithm
crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac
!
! Crypto map configuration for New York ASA; set reverse-route installs a static route to the
! remote proxy network (10.10.1.0/24) via the outside interface once the SA is negotiated
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 209.165.201.1
crypto map outside_map 1 set transform-set AES-SHA
crypto map outside_map 1 set reverse-route
! Crypto map configuration for London ASA
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer 209.165.202.129
crypto map outside_map 2 set transform-set AES-SHA
crypto map outside_map 2 set reverse-route
crypto map outside_map interface outside
!
! ISAKMP configuration (ISAKMP is enabled per interface on the ASA)
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 ! encryption algorithm assumed to be aes-256 to match the transform set; the original line
 ! ("encryption pre-share") is not a valid algorithm
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
! L2L tunnel-group configuration for New York ASA (the tunnel-group name must equal the peer address)
tunnel-group 209.165.201.1 type ipsec-l2l
tunnel-group 209.165.201.1 ipsec-attributes
 pre-shared-key cisco123
! L2L tunnel-group configuration for London ASA
tunnel-group 209.165.202.129 type ipsec-l2l
tunnel-group 209.165.202.129 ipsec-attributes
 pre-shared-key cisco123
New York ASA:
NewYork# show running
!
hostname NewYork
!
! outside interface GigabitEthernet0/0
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.165.201.1 255.255.255.224
!
! inside interface GigabitEthernet0/1
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.255.0
!
! management interface mgmt
interface Management0/0
 nameif mgmt
 security-level 100
 ip address 172.18.101.164 255.255.255.0
!
! NAT exempt access-list to bypass traffic from 10.10.1.0/24 to 192.168.1.0/24
access-list inside_nat0_outbound remark to bypass 10.10.1.0/24 to 192.168.1.0/24
access-list inside_nat0_outbound extended permit ip 10.10.1.0 255.255.255.0 192.168.1.0 255.255.255.0
! NAT exempt access-list to bypass traffic from 10.10.1.0/24 to 172.16.1.0/24
access-list inside_nat0_outbound remark to bypass 10.10.1.0/24 to 172.16.1.0/24
access-list inside_nat0_outbound extended permit ip 10.10.1.0 255.255.255.0 172.16.1.0 255.255.255.0
! bind the exemption list to the inside interface (pre-8.3 NAT syntax; missing from the original)
nat (inside) 0 access-list inside_nat0_outbound
! encryption access-list to encrypt the traffic from 10.10.1.0/24 to 192.168.1.0/24
access-list outside_cryptomap_1 remark to encrypt traffic from 10.10.1.0/24 to 192.168.1.0/24
access-list outside_cryptomap_1 extended permit ip 10.10.1.0 255.255.255.0 192.168.1.0 255.255.255.0
! encryption access-list to encrypt the traffic from 10.10.1.0/24 to 172.16.1.0/24
access-list outside_cryptomap_2 remark to encrypt traffic from 10.10.1.0/24 to 172.16.1.0/24
access-list outside_cryptomap_2 extended permit ip 10.10.1.0 255.255.255.0 172.16.1.0 255.255.255.0
!
! default route toward the ISP gateway (placeholder: the original listed the ASA's own outside
! address 209.165.201.1 here, which cannot be a next hop)
route outside 0.0.0.0 0.0.0.0 <isp-gateway> 1
!
http server enable
http 172.18.101.0 255.255.255.0 mgmt
!
! Transform set to specify encryption and hashing algorithm
crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac
!
! Crypto map configuration for Chicago ASA (no reverse-route here: RRI is only used at Chicago)
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 209.165.200.225
crypto map outside_map 1 set transform-set AES-SHA
! Crypto map configuration for London ASA
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer 209.165.202.129
crypto map outside_map 2 set transform-set AES-SHA
crypto map outside_map interface outside
!
! ISAKMP configuration (ISAKMP is enabled per interface on the ASA)
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 ! encryption algorithm assumed to be aes-256 to match the transform set; the original line
 ! ("encryption pre-share") is not a valid algorithm
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
! L2L tunnel-group configuration for Chicago ASA
tunnel-group 209.165.200.225 type ipsec-l2l
tunnel-group 209.165.200.225 ipsec-attributes
 pre-shared-key cisco123
! L2L tunnel-group configuration for London ASA
tunnel-group 209.165.202.129 type ipsec-l2l
tunnel-group 209.165.202.129 ipsec-attributes
 pre-shared-key cisco123
London ASA:
London# show running
!
hostname London
!
! outside interface GigabitEthernet0/0
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.165.202.129 255.255.255.224
!
! inside interface GigabitEthernet0/1
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
! management interface mgmt
interface Management0/0
 nameif mgmt
 security-level 100
 ip address 172.18.200.164 255.255.255.0
!
! NAT exempt access-list to bypass traffic from 172.16.1.0/24 to 192.168.1.0/24
access-list inside_nat0_outbound remark to bypass 172.16.1.0/24 to 192.168.1.0/24
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
! NAT exempt access-list to bypass traffic from 172.16.1.0/24 to 10.10.1.0/24
access-list inside_nat0_outbound remark to bypass 172.16.1.0/24 to 10.10.1.0/24
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 10.10.1.0 255.255.255.0
! bind the exemption list to the inside interface (pre-8.3 NAT syntax; missing from the original)
nat (inside) 0 access-list inside_nat0_outbound
! encryption access-list to encrypt the traffic from 172.16.1.0/24 to 192.168.1.0/24
access-list outside_cryptomap_1 remark to encrypt traffic from 172.16.1.0/24 to 192.168.1.0/24
access-list outside_cryptomap_1 extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
! encryption access-list to encrypt the traffic from 172.16.1.0/24 to 10.10.1.0/24
access-list outside_cryptomap_2 remark to encrypt traffic from 172.16.1.0/24 to 10.10.1.0/24
access-list outside_cryptomap_2 extended permit ip 172.16.1.0 255.255.255.0 10.10.1.0 255.255.255.0
!
! default route toward the ISP gateway (placeholder: the original listed the ASA's own outside
! address 209.165.202.129 here, which cannot be a next hop)
route outside 0.0.0.0 0.0.0.0 <isp-gateway> 1
!
http server enable
http 172.18.200.0 255.255.255.0 mgmt
!
! Transform set to specify encryption and hashing algorithm
crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac
!
! Crypto map configuration for Chicago ASA (no reverse-route here: RRI is only used at Chicago)
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 209.165.200.225
crypto map outside_map 1 set transform-set AES-SHA
! Crypto map configuration for New York ASA
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer 209.165.201.1
crypto map outside_map 2 set transform-set AES-SHA
crypto map outside_map interface outside
!
! ISAKMP configuration (ISAKMP is enabled per interface on the ASA)
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 ! encryption algorithm assumed to be aes-256 to match the transform set; the original line
 ! ("encryption pre-share") is not a valid algorithm
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
! L2L tunnel-group configuration for Chicago ASA
tunnel-group 209.165.200.225 type ipsec-l2l
tunnel-group 209.165.200.225 ipsec-attributes
 pre-shared-key cisco123
! L2L tunnel-group configuration for New York ASA
tunnel-group 209.165.201.1 type ipsec-l2l
tunnel-group 209.165.201.1 ipsec-attributes
 pre-shared-key cisco123
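A full mesh only comes up when every crypto-map peer has a matching L2L tunnel-group and every crypto ACL is mirrored on the remote ASA. The following consistency check is an added example by the editor, not code from the original post or from Cisco: it parses constructed excerpts of the three configurations above (crypto ACLs, crypto-map entries and tunnel-groups only) and reports peers without a tunnel-group and proxy IDs that the remote side does not mirror. The Chicago excerpt deliberately keeps the mistyped tunnel-group address 209.168.201.1 that appears in the original post, so the check has a real defect to find.

```python
import re
# Constructed excerpts of the three configs on this page (the Chicago tunnel-group typo is kept on purpose).
SITES = {  # site -> (outside address, excerpt)
    "Chicago": ("209.165.200.225", """access-list outside_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 209.165.201.1
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer 209.165.202.129
tunnel-group 209.168.201.1 type ipsec-l2l
tunnel-group 209.165.202.129 type ipsec-l2l"""),
    "NewYork": ("209.165.201.1", """access-list outside_cryptomap_1 extended permit ip 10.10.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 10.10.1.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 209.165.200.225
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer 209.165.202.129
tunnel-group 209.165.200.225 type ipsec-l2l
tunnel-group 209.165.202.129 type ipsec-l2l"""),
    "London": ("209.165.202.129", """access-list outside_cryptomap_1 extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 172.16.1.0 255.255.255.0 10.10.1.0 255.255.255.0
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 209.165.200.225
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer 209.165.201.1
tunnel-group 209.165.200.225 type ipsec-l2l
tunnel-group 209.165.201.1 type ipsec-l2l"""),
}
ACL = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")
MAP = re.compile(r"crypto map \S+ (\d+) (?:match|set) (address|peer) (\S+)")
TG = re.compile(r"tunnel-group (\S+) type ipsec-l2l")
def parse(text):
    """Return ([(peer, ((src, mask), (dst, mask))), ...], {tunnel-group peer addresses}) for one ASA."""
    acls = {m[1]: ((m[2], m[3]), (m[4], m[5])) for m in ACL.finditer(text)}
    maps = {}
    for m in MAP.finditer(text):          # m[2] is "address" or "peer", keyed by crypto-map sequence
        maps.setdefault(m[1], {})[m[2]] = m[3]
    tgs = {m[1] for m in TG.finditer(text)}
    return [(e["peer"], acls[e["address"]]) for e in maps.values()], tgs
def audit(sites):
    """Findings: peers lacking an L2L tunnel-group, and proxy IDs the remote ASA does not mirror."""
    parsed = {n: parse(t) for n, (_, t) in sites.items()}
    by_ip = {ip: n for n, (ip, _) in sites.items()}
    out = []
    for name, (entries, tgs) in parsed.items():
        for peer, (src, dst) in entries:
            remote = by_ip.get(peer, "?")
            if peer not in tgs:               # IKE phase 1 needs a tunnel-group named after the peer
                out.append(f"{name}: no tunnel-group for peer {peer} ({remote})")
            if (sites[name][0], (dst, src)) not in parsed.get(remote, ([], ()))[0]:
                out.append(f"{name}->{remote}: {src[0]}->{dst[0]} has no mirrored proxy ID")
    return out
```

Calling audit(SITES) on these excerpts returns exactly one finding, the Chicago tunnel-group whose address does not match the New York peer; correcting that address to 209.165.201.1 makes the mesh audit clean.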
Reposted from: https://blog.51cto.com/qinlouke/1037790