我想了很久这篇博文的名字,在IKEv2 L2L ×××前面加上“诡异的”三个字比较贴切,因为IKEv2的认证方式与IKEv1相比确实显得非常的诡异!因为两个ASA分别可以使用不同的预共享密钥进行认证,还能一方使用预共享密钥,另一方使用证书认证。传统的双方使用证书认证也是可以实现的。在后面的实验中我都会给出相应的配置!ASA8.4 ×××实验这个系列博文就到此结束了,我还会继续深入的研究IKEv2 ×××技术,会在后续的CCNP Security ×××v1.0课程中继续进行介绍,希望大家继续关注。顺便说一个事,我花了几个月的时间对我的书做了第二次修改,现在已经交稿给编辑了,编辑对我这次上交的稿件很满意,可能不久就能进入出版流程了。
实验拓扑:
=======================================预共享密钥认证================================
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 202.100.1.10 255.255.255.0
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 10.1.1.10 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
ftp mode passive
access-list yeslab-*** extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
mtu Outside 1500
mtu Inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route Outside 0.0.0.0 0.0.0.0 202.100.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal yeslab-proposal
protocol esp encryption 3des
protocol esp integrity sha-1
crypto map yeslab-map 10 match address yeslab-***
crypto map yeslab-map 10 set peer 202.100.2.10
crypto map yeslab-map 10 set ikev2 ipsec-proposal yeslab-proposal
crypto map yeslab-map interface Outside
crypto ikev2 policy 10
encryption 3des
integrity sha
group 2
prf sha
lifetime seconds 86400
crypto ikev2 enable Outside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 202.100.2.10 type ipsec-l2l
tunnel-group 202.100.2.10 ipsec-attributes
ikev2 remote-authentication pre-shared-key 0 asa1-remote
ikev2 local-authentication pre-shared-key 0 asa1-local
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2f71706149011ae8036c4bb3edd8d6f6
: end
----------------------------------------------------------------
hostname ASA2
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 202.100.2.10 255.255.255.0
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.1.10 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
ftp mode passive
access-list yeslab-*** extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging enable
mtu Outside 1500
mtu Inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route Outside 0.0.0.0 0.0.0.0 202.100.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal yeslab-proposal
protocol esp encryption 3des
protocol esp integrity sha-1
crypto map yeslab-map 10 match address yeslab-***
crypto map yeslab-map 10 set peer 202.100.1.10
crypto map yeslab-map 10 set ikev2 ipsec-proposal yeslab-proposal
crypto map yeslab-map interface Outside
crypto ikev2 policy 10
encryption 3des
integrity sha
group 2
prf sha
lifetime seconds 86400
crypto ikev2 enable Outside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
web***
anyconnect-essentials
tunnel-group 202.100.1.10 type ipsec-l2l
tunnel-group 202.100.1.10 ipsec-attributes
ikev2 remote-authentication pre-shared-key 0 asa1-local
ikev2 local-authentication pre-shared-key 0 asa1-remote
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:f25f81615f8341e85e95b9a8eb459e74
: end
======================================预共享密钥加证书认证============================
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 202.100.1.10 255.255.255.0
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 10.1.1.10 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
ftp mode passive
clock timezone GMT 8
access-list yeslab-*** extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
mtu Outside 1500
mtu Inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route Outside 0.0.0.0 0.0.0.0 202.100.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal yeslab-proposal
protocol esp encryption 3des
protocol esp integrity sha-1
crypto map yeslab-map 10 match address yeslab-***
crypto map yeslab-map 10 set peer 202.100.2.10
crypto map yeslab-map 10 set ikev2 ipsec-proposal yeslab-proposal
crypto map yeslab-map 10 set trustpoint CA------注意此配置
crypto map yeslab-map interface Outside
crypto ca trustpoint CA
enrollment url http://202.100.1.1:80
subject-name cn=ASA1.yeslab.net
serial-number
crl configure
crypto ca certificate chain CA
certificate 02
3082023a 308201a3 a0030201 02020102 300d0609 2a864886 f70d0101 04050030
1e311c30 1a060355 04031313 496e7465 726e6574 2e796573 6c61622e 6e657430
1e170d31 31303631 35303833 3532345a 170d3132 30363134 30383335 32345a30
43311830 16060355 0403130f 41534131 2e796573 6c61622e 6e657431 27301106
092a8648 86f70d01 09021604 41534131 30120603 55040513 0b4a4d58 31343338
4c313445 30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181
00a8e60c 5f2a1476 da7b421d 48416ca1 dcb4af20 076c83d7 de64fa11 4839e0d1
dee006b1 a9de2a64 d969bf51 528098d1 e449e8b5 f4267122 e4980566 c6d84a85
3f0c66ae fc3e7b93 165f2e9a 3b851d82 e7a63ceb 1859a3a4 9149a0cb 35f38e47
7bc4161e 3080720d 91ef3587 a8f6020a b17fda3b a2cce793 53415c29 9172ea3d
35020301 0001a363 3061300f 0603551d 11040830 06820441 53413130 0e060355
1d0f0101 ff040403 0205a030 1f060355 1d230418 30168014 d0819152 f47c8c60
6249149d 5818bd13 81fed687 301d0603 551d0e04 16041495 fe643b27 e6a36f3b
63e2043f 24db5e2b a4579530 0d06092a 864886f7 0d010104 05000381 81007774
18d8057b ab15a02a 84348fcd aed985d0 1e6058a1 340a50c8 c3393150 a3810149
dc301417 95af943c 9cfe8484 08d3719a ba6d5a79 89659f0d 5337c9a3 541b5fe8
60a2beb0 8d40ab0f 5dff2f88 2ab5bb89 2953b8f2 200e342b da12a162 db962bed
f9f738fd c463acfb 1a871249 649cd2ac 1636d675 985cc54a 7918fa96 cb60
quit
certificate ca 01
30820215 3082017e a0030201 02020101 300d0609 2a864886 f70d0101 04050030
1e311c30 1a060355 04031313 496e7465 726e6574 2e796573 6c61622e 6e657430
1e170d31 31303631 35303833 3333315a 170d3134 30363134 30383333 33315a30
1e311c30 1a060355 04031313 496e7465 726e6574 2e796573 6c61622e 6e657430
819f300d 06092a86 4886f70d 01010105 0003818d 00308189 02818100 cc95efdd
797a14c4 fca64b97 55c20a79 4916c1f4 f39925ad 2fc36a77 5b692ae6 11305887
742ee3ed 7d91aef4 fb1343ef 9cae092a ce26e4a7 22d70012 6cede76b bbdc6774
ced862be 6741a968 8588d865 c77d94f2 02374fdf 208d46f3 5c02a682 05b70f06
2444bd19 33324b1f 12c87aaf 1fb05b06 372850db d6da9dac 9eed5859 02030100
01a36330 61300f06 03551d13 0101ff04 05300301 01ff300e 0603551d 0f0101ff
04040302 0186301f 0603551d 23041830 168014d0 819152f4 7c8c6062 49149d58
18bd1381 fed68730 1d060355 1d0e0416 0414d081 9152f47c 8c606249 149d5818
bd1381fe d687300d 06092a86 4886f70d 01010405 00038181 00327f4e 7f8c16a0
249a53a0 f4b90e15 296eeac2 25035b5c 86588fcc 57e49e12 66665ca3 88c25b35
0f68903f 30eeb03c 35b11092 94ecf9ab e7deef80 c0cba2a8 356a9363 90579285
740e3199 d7949713 3f7acd85 a6efbe30 1a54c460 a573dfd9 b2bc5728 7e2e3083
6e391a6d c6871758 77bac491 cdc00ca5 093cc959 07bbfda9 0e
quit
crypto ikev2 policy 10
encryption 3des
integrity sha
group 2
prf sha
lifetime seconds 86400
crypto ikev2 enable Outside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 202.100.1.1
tunnel-group 202.100.2.10 type ipsec-l2l
tunnel-group 202.100.2.10 ipsec-attributes
ikev2 remote-authentication pre-shared-key yeslabccies
ikev2 local-authentication certificate CA
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:01c54b0fd42e2a519f5d52fe62c62abc
: end
-----------------------------------------------------------
hostname ASA2
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 202.100.2.10 255.255.255.0
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.1.10 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
ftp mode passive
clock timezone GMT 8
access-list yeslab-*** extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging enable
mtu Outside 1500
mtu Inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route Outside 0.0.0.0 0.0.0.0 202.100.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal yeslab-proposal
protocol esp encryption 3des
protocol esp integrity sha-1
crypto map yeslab-map 10 match address yeslab-***
crypto map yeslab-map 10 set peer 202.100.1.10
crypto map yeslab-map 10 set ikev2 ipsec-proposal yeslab-proposal
----本端没有必要配置此命令----crypto map yeslab-map 10 set trustpoint CA------注意此配置
crypto map yeslab-map interface Outside
crypto ca trustpoint CA
enrollment url http://202.100.2.1:80
subject-name cn=ASA2.yeslab.net
serial-number
crl configure
crypto ca certificate chain CA
certificate 03
3082023a 308201a3 a0030201 02020103 300d0609 2a864886 f70d0101 04050030
1e311c30 1a060355 04031313 496e7465 726e6574 2e796573 6c61622e 6e657430
1e170d31 31303631 35303834 3330345a 170d3132 30363134 30383433 30345a30
43311830 16060355 0403130f 41534132 2e796573 6c61622e 6e657431 27301106
092a8648 86f70d01 09021604 41534132 30120603 55040513 0b4a4d58 31343139
4c344b32 30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181
00b8d6e8 1e4d9065 49836f7b 03f9e22a 217abded a48c7584 917304a2 ac1fb986
f93dadf3 ea303cba d4f41885 0fdec719 5ad5c2e5 1a5d51a2 ec6616c0 46105bd2
08a748b9 8472957a 61a737d5 8e11d7b1 785e4795 0627b12e 07d82ae9 872eb411
ac927faa 6887622f 6bfd4770 5e45abf8 d138130d 074cb4ef 7a317528 d2a9b7f9
75020301 0001a363 3061300f 0603551d 11040830 06820441 53413230 0e060355
1d0f0101 ff040403 0205a030 1f060355 1d230418 30168014 d0819152 f47c8c60
6249149d 5818bd13 81fed687 301d0603 551d0e04 1604146f 68374d3c 362b0544
660af52f 54d39ca7 11045430 0d06092a 864886f7 0d010104 05000381 810040a3
2ee69860 a119deec cb15c6b6 59fd77b1 a0831368 66c66ded 9b5221e9 cd7c044a
95de539d d45d2fb3 de8a11ed 6ff5aa09 1cc50dd9 251379c6 32e7598c 0126f9bf
1249c9b9 6474838a 233d9145 d44440bb 5646d4f6 f256c6ad 4c8b8cb8 9f5c7992
0dc963d3 a3f00d3d f5e6bc6e c62d69d7 4ba1731a 51b55b09 f8035f31 1a34
quit
certificate ca 01
30820215 3082017e a0030201 02020101 300d0609 2a864886 f70d0101 04050030
1e311c30 1a060355 04031313 496e7465 726e6574 2e796573 6c61622e 6e657430
1e170d31 31303631 35303833 3333315a 170d3134 30363134 30383333 33315a30
1e311c30 1a060355 04031313 496e7465 726e6574 2e796573 6c61622e 6e657430
819f300d 06092a86 4886f70d 01010105 0003818d 00308189 02818100 cc95efdd
797a14c4 fca64b97 55c20a79 4916c1f4 f39925ad 2fc36a77 5b692ae6 11305887
742ee3ed 7d91aef4 fb1343ef 9cae092a ce26e4a7 22d70012 6cede76b bbdc6774
ced862be 6741a968 8588d865 c77d94f2 02374fdf 208d46f3 5c02a682 05b70f06
2444bd19 33324b1f 12c87aaf 1fb05b06 372850db d6da9dac 9eed5859 02030100
01a36330 61300f06 03551d13 0101ff04 05300301 01ff300e 0603551d 0f0101ff
04040302 0186301f 0603551d 23041830 168014d0 819152f4 7c8c6062 49149d58
18bd1381 fed68730 1d060355 1d0e0416 0414d081 9152f47c 8c606249 149d5818
bd1381fe d687300d 06092a86 4886f70d 01010405 00038181 00327f4e 7f8c16a0
249a53a0 f4b90e15 296eeac2 25035b5c 86588fcc 57e49e12 66665ca3 88c25b35
0f68903f 30eeb03c 35b11092 94ecf9ab e7deef80 c0cba2a8 356a9363 90579285
740e3199 d7949713 3f7acd85 a6efbe30 1a54c460 a573dfd9 b2bc5728 7e2e3083
6e391a6d c6871758 77bac491 cdc00ca5 093cc959 07bbfda9 0e
quit
crypto ikev2 policy 10
encryption 3des
integrity sha
group 2
prf sha
lifetime seconds 86400
crypto ikev2 enable Outside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 202.100.2.1
web***
anyconnect-essentials
tunnel-group 202.100.1.10 type ipsec-l2l
tunnel-group 202.100.1.10 ipsec-attributes
ikev2 remote-authentication certificate
ikev2 local-authentication pre-shared-key yeslabccies
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:287a0c1e17b36b92f7d04d1a9157cc38
: end
====================================双方都用证书认证===================================
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 202.100.1.10 255.255.255.0
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 10.1.1.10 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
ftp mode passive
clock timezone GMT 8
access-list yeslab-*** extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
mtu Outside 1500
mtu Inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route Outside 0.0.0.0 0.0.0.0 202.100.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal yeslab-proposal
protocol esp encryption 3des
protocol esp integrity sha-1
crypto map yeslab-map 10 match address yeslab-***
crypto map yeslab-map 10 set peer 202.100.2.10
crypto map yeslab-map 10 set ikev2 ipsec-proposal yeslab-proposal
crypto map yeslab-map 10 set trustpoint CA
crypto map yeslab-map interface Outside
crypto ca trustpoint CA
enrollment url http://202.100.1.1:80
subject-name cn=ASA1.yeslab.net
serial-number
crl configure
crypto ca certificate chain CA
certificate 02
3082023a 308201a3 a0030201 02020102 300d0609 2a864886 f70d0101 04050030
1e311c30 1a060355 04031313 496e7465 726e6574 2e796573 6c61622e 6e657430
1e170d31 31303631 35303833 3532345a 170d3132 30363134 30383335 32345a30
43311830 16060355 0403130f 41534131 2e796573 6c61622e 6e657431 27301106
092a8648 86f70d01 09021604 41534131 30120603 55040513 0b4a4d58 31343338
4c313445 30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181
00a8e60c 5f2a1476 da7b421d 48416ca1 dcb4af20 076c83d7 de64fa11 4839e0d1
dee006b1 a9de2a64 d969bf51 528098d1 e449e8b5 f4267122 e4980566 c6d84a85
3f0c66ae fc3e7b93 165f2e9a 3b851d82 e7a63ceb 1859a3a4 9149a0cb 35f38e47
7bc4161e 3080720d 91ef3587 a8f6020a b17fda3b a2cce793 53415c29 9172ea3d
35020301 0001a363 3061300f 0603551d 11040830 06820441 53413130 0e060355
1d0f0101 ff040403 0205a030 1f060355 1d230418 30168014 d0819152 f47c8c60
6249149d 5818bd13 81fed687 301d0603 551d0e04 16041495 fe643b27 e6a36f3b
63e2043f 24db5e2b a4579530 0d06092a 864886f7 0d010104 05000381 81007774
18d8057b ab15a02a 84348fcd aed985d0 1e6058a1 340a50c8 c3393150 a3810149
dc301417 95af943c 9cfe8484 08d3719a ba6d5a79 89659f0d 5337c9a3 541b5fe8
60a2beb0 8d40ab0f 5dff2f88 2ab5bb89 2953b8f2 200e342b da12a162 db962bed
f9f738fd c463acfb 1a871249 649cd2ac 1636d675 985cc54a 7918fa96 cb60
quit
certificate ca 01
30820215 3082017e a0030201 02020101 300d0609 2a864886 f70d0101 04050030
1e311c30 1a060355 04031313 496e7465 726e6574 2e796573 6c61622e 6e657430
1e170d31 31303631 35303833 3333315a 170d3134 30363134 30383333 33315a30
1e311c30 1a060355 04031313 496e7465 726e6574 2e796573 6c61622e 6e657430
819f300d 06092a86 4886f70d 01010105 0003818d 00308189 02818100 cc95efdd
797a14c4 fca64b97 55c20a79 4916c1f4 f39925ad 2fc36a77 5b692ae6 11305887
742ee3ed 7d91aef4 fb1343ef 9cae092a ce26e4a7 22d70012 6cede76b bbdc6774
ced862be 6741a968 8588d865 c77d94f2 02374fdf 208d46f3 5c02a682 05b70f06
2444bd19 33324b1f 12c87aaf 1fb05b06 372850db d6da9dac 9eed5859 02030100
01a36330 61300f06 03551d13 0101ff04 05300301 01ff300e 0603551d 0f0101ff
04040302 0186301f 0603551d 23041830 168014d0 819152f4 7c8c6062 49149d58
18bd1381 fed68730 1d060355 1d0e0416 0414d081 9152f47c 8c606249 149d5818
bd1381fe d687300d 06092a86 4886f70d 01010405 00038181 00327f4e 7f8c16a0
249a53a0 f4b90e15 296eeac2 25035b5c 86588fcc 57e49e12 66665ca3 88c25b35
0f68903f 30eeb03c 35b11092 94ecf9ab e7deef80 c0cba2a8 356a9363 90579285
740e3199 d7949713 3f7acd85 a6efbe30 1a54c460 a573dfd9 b2bc5728 7e2e3083
6e391a6d c6871758 77bac491 cdc00ca5 093cc959 07bbfda9 0e
quit
crypto ikev2 policy 10
encryption 3des
integrity sha
group 2
prf sha
lifetime seconds 86400
crypto ikev2 enable Outside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 202.100.1.1
tunnel-group 202.100.2.10 type ipsec-l2l
tunnel-group 202.100.2.10 ipsec-attributes
ikev2 remote-authentication certificate
ikev2 local-authentication certificate CA
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:deb8d6aeef7e269a78c07972a5c1f3b3
: end
----------------------------------------------------------------------
hostname ASA2
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 202.100.2.10 255.255.255.0
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.1.10 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
ftp mode passive
clock timezone GMT 8
access-list yeslab-*** extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging enable
mtu Outside 1500
mtu Inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route Outside 0.0.0.0 0.0.0.0 202.100.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal yeslab-proposal
protocol esp encryption 3des
protocol esp integrity sha-1
crypto map yeslab-map 10 match address yeslab-***
crypto map yeslab-map 10 set peer 202.100.1.10
crypto map yeslab-map 10 set ikev2 ipsec-proposal yeslab-proposal
crypto map yeslab-map 10 set trustpoint CA
crypto map yeslab-map interface Outside
crypto ca trustpoint CA
enrollment url http://202.100.2.1:80
subject-name cn=ASA2.yeslab.net
serial-number
crl configure
crypto ca certificate chain CA
certificate 03
3082023a 308201a3 a0030201 02020103 300d0609 2a864886 f70d0101 04050030
1e311c30 1a060355 04031313 496e7465 726e6574 2e796573 6c61622e 6e657430
1e170d31 31303631 35303834 3330345a 170d3132 30363134 30383433 30345a30
43311830 16060355 0403130f 41534132 2e796573 6c61622e 6e657431 27301106
092a8648 86f70d01 09021604 41534132 30120603 55040513 0b4a4d58 31343139
4c344b32 30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181
00b8d6e8 1e4d9065 49836f7b 03f9e22a 217abded a48c7584 917304a2 ac1fb986
f93dadf3 ea303cba d4f41885 0fdec719 5ad5c2e5 1a5d51a2 ec6616c0 46105bd2
08a748b9 8472957a 61a737d5 8e11d7b1 785e4795 0627b12e 07d82ae9 872eb411
ac927faa 6887622f 6bfd4770 5e45abf8 d138130d 074cb4ef 7a317528 d2a9b7f9
75020301 0001a363 3061300f 0603551d 11040830 06820441 53413230 0e060355
1d0f0101 ff040403 0205a030 1f060355 1d230418 30168014 d0819152 f47c8c60
6249149d 5818bd13 81fed687 301d0603 551d0e04 1604146f 68374d3c 362b0544
660af52f 54d39ca7 11045430 0d06092a 864886f7 0d010104 05000381 810040a3
2ee69860 a119deec cb15c6b6 59fd77b1 a0831368 66c66ded 9b5221e9 cd7c044a
95de539d d45d2fb3 de8a11ed 6ff5aa09 1cc50dd9 251379c6 32e7598c 0126f9bf
1249c9b9 6474838a 233d9145 d44440bb 5646d4f6 f256c6ad 4c8b8cb8 9f5c7992
0dc963d3 a3f00d3d f5e6bc6e c62d69d7 4ba1731a 51b55b09 f8035f31 1a34
quit
certificate ca 01
30820215 3082017e a0030201 02020101 300d0609 2a864886 f70d0101 04050030
1e311c30 1a060355 04031313 496e7465 726e6574 2e796573 6c61622e 6e657430
1e170d31 31303631 35303833 3333315a 170d3134 30363134 30383333 33315a30
1e311c30 1a060355 04031313 496e7465 726e6574 2e796573 6c61622e 6e657430
819f300d 06092a86 4886f70d 01010105 0003818d 00308189 02818100 cc95efdd
797a14c4 fca64b97 55c20a79 4916c1f4 f39925ad 2fc36a77 5b692ae6 11305887
742ee3ed 7d91aef4 fb1343ef 9cae092a ce26e4a7 22d70012 6cede76b bbdc6774
ced862be 6741a968 8588d865 c77d94f2 02374fdf 208d46f3 5c02a682 05b70f06
2444bd19 33324b1f 12c87aaf 1fb05b06 372850db d6da9dac 9eed5859 02030100
01a36330 61300f06 03551d13 0101ff04 05300301 01ff300e 0603551d 0f0101ff
04040302 0186301f 0603551d 23041830 168014d0 819152f4 7c8c6062 49149d58
18bd1381 fed68730 1d060355 1d0e0416 0414d081 9152f47c 8c606249 149d5818
bd1381fe d687300d 06092a86 4886f70d 01010405 00038181 00327f4e 7f8c16a0
249a53a0 f4b90e15 296eeac2 25035b5c 86588fcc 57e49e12 66665ca3 88c25b35
0f68903f 30eeb03c 35b11092 94ecf9ab e7deef80 c0cba2a8 356a9363 90579285
740e3199 d7949713 3f7acd85 a6efbe30 1a54c460 a573dfd9 b2bc5728 7e2e3083
6e391a6d c6871758 77bac491 cdc00ca5 093cc959 07bbfda9 0e
quit
crypto ikev2 policy 10
encryption 3des
integrity sha
group 2
prf sha
lifetime seconds 86400
crypto ikev2 enable Outside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 202.100.2.1
web***
anyconnect-essentials
tunnel-group 202.100.1.10 type ipsec-l2l
tunnel-group 202.100.1.10 ipsec-attributes
ikev2 remote-authentication certificate
ikev2 local-authentication certificate CA
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a2d8e9774ef16bfd32ae25849d006b28
: end
转载于:https://blog.51cto.com/xrmjjz/686385
扫一扫
265
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
