VPN and static translation (static NAT)
This post was last edited by 泰克实验室塑造 on 2014-5-9 17:28. Attachment (image): http://bbs.tech-lab.cn/data/attachment/forum/0909252137d0857c5dac4ac574.bmp
Company A and Company B are closely related. Company C only allows Company A to establish a VPN to it and does not want Company B's people to dial in over VPN: site C only accepts encrypted traffic whose private-side addresses belong to site A's private network. Company A wants to use its own tunnel to let Company B reach Company C over VPN.
On Company A's ASA, R3's internal network 10.86.3.0 must be translated into addresses from 10.86.1.0/25, so that when the traffic goes towards C, the private address inside the packets is a 10.86.1.0 address:
static (outside,outside) 10.86.1.0 10.86.3.0 netmask 255.255.255.128
Company B's crypto ACL: 10.86.3.0 -- 10.86.1.0
                        10.86.3.0 -- 10.3.3.0
Company A's crypto ACL: 10.86.1.0 -- 10.86.3.0
                        10.86.1.0 -- 10.3.3.0
Company C's crypto ACL: 10.3.3.0 -- 10.86.1.0
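To see what the static (outside,outside) translation does to the hairpinned traffic, here is an added Python model (constructed for this page, not code from the original post): it applies the three crypto ACLs and the /25 static in the order the ASA uses (decrypt from B, translate, then match the crypto map towards C) and traces both directions. It assumes C only accepts a security association whose proxy identities mirror its own ACL, and the host addresses are constructed; note that the /25 netmask leaves 10.86.3.128-255 untranslated and that the mapped block 10.86.1.0/25 lies inside A's own inside subnet 10.86.1.0/24.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the hairpin on Company A's ASA (added example, not the post's code).
# static (outside,outside) 10.86.1.0 10.86.3.0 netmask 255.255.255.128
STATIC_MAPPED = ip_network("10.86.1.0/25")  # addresses Company C sees
STATIC_REAL = ip_network("10.86.3.0/25")    # Company B hosts the static covers
# Crypto ACLs from the post as (source, destination) pairs.
ACL_B = [("10.86.3.0/24", "10.86.1.0/24"), ("10.86.3.0/24", "10.3.3.0/24")]
ACL_A_TO_C = [("10.86.1.0/24", "10.3.3.0/24"), ("10.86.3.0/24", "10.3.3.0/24")]
ACL_C = [("10.3.3.0/24", "10.86.1.0/24")]

def matches(acl, src, dst):
    """True if some ACL line covers the src/dst pair."""
    return any(ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d)
               for s, d in acl)

def translate(addr, real, mapped):
    """Static NAT: shift addr from the real block into the mapped block, if covered."""
    a = ip_address(addr)
    if a not in real:
        return addr  # beyond the /25: the static does not apply
    return str(ip_address(int(mapped.network_address) + int(a) - int(real.network_address)))

def b_to_c(src, dst):
    """B -> A (decrypt) -> static NAT -> A -> C (encrypt); returns (status, source C sees)."""
    if not matches(ACL_B, src, dst):
        return ("dropped: not in B's crypto ACL", None)
    nat_src = translate(src, STATIC_REAL, STATIC_MAPPED)  # ASA translates before encrypting
    if not matches(ACL_A_TO_C, nat_src, dst):
        return ("dropped: not in A's crypto ACL towards C", nat_src)
    # Simplification: C only accepts an SA whose proxy identities mirror its own ACL.
    if not matches(ACL_C, dst, nat_src):
        return ("rejected by C: proxy identity mismatch", nat_src)
    return ("delivered", nat_src)

def c_to_b(src, dst):
    """Return path: A untranslates the mapped /25 back to B's real hosts."""
    if not matches(ACL_C, src, dst):
        return ("dropped: not in C's crypto ACL", None)
    real_dst = translate(dst, STATIC_MAPPED, STATIC_REAL)
    if real_dst == dst:
        return ("delivered to A's own inside LAN", dst)
    return ("delivered to B", real_dst)

if __name__ == "__main__":
    print(b_to_c("10.86.3.3", "10.3.3.4"))    # ('delivered', '10.86.1.3')
    print(b_to_c("10.86.3.200", "10.3.3.4"))  # rejected by C: the /25 static skipped it
    print(c_to_b("10.3.3.4", "10.86.1.50"))   # ('delivered to B', '10.86.3.50')
```

The second trace shows why the extra line `10.86.3.0 -> 10.3.3.0` in A's ACL 110 does not help: an untranslated source still fails C's ACL.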
A's configuration (the ASA):
interface Ethernet0
nameif inside
security-level 100
ip address 10.86.1.254 255.255.255.0
interface Ethernet1
nameif outside
security-level 0
ip address 8.8.5.254 255.255.255.0
same-security-traffic permit intra-interface
access-list out extended permit ip any any
access-list 100 extended permit ip 10.86.1.0 255.255.255.0 10.86.3.0 255.255.255.0
access-list 100 extended permit ip 10.3.3.0 255.255.255.0 10.86.3.0 255.255.255.0
access-list 110 extended permit ip 10.86.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list 110 extended permit ip 10.86.3.0 255.255.255.0 10.3.3.0 255.255.255.0
static (outside,outside) 10.86.1.0 10.86.3.0 netmask 255.255.255.128 // traffic that enters on the outside interface and leaves through the outside interface again gets NATed
access-group out in interface outside
route outside 0.0.0.0 0.0.0.0 8.8.5.2 1
crypto ipsec transform-set cisco esp-des esp-md5-hmac
crypto map cisco 10 match address 100
crypto map cisco 10 set peer 8.8.23.3
crypto map cisco 10 set transform-set cisco
crypto map cisco 20 match address 110
crypto map cisco 20 set peer 8.8.24.4
crypto map cisco 20 set transform-set cisco
crypto map cisco interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
tunnel-group 8.8.23.3 type ipsec-l2l
tunnel-group 8.8.23.3 ipsec-attributes
pre-shared-key cisco
tunnel-group 8.8.24.4 type ipsec-l2l
tunnel-group 8.8.24.4 ipsec-attributes
pre-shared-key cisco
R3 (Company B):
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 8.8.5.254
crypto ipsec transform-set cisco esp-des esp-md5-hmac
crypto map cisco 10 ipsec-isakmp
set peer 8.8.5.254
set transform-set cisco
match address 100
interface Loopback0
ip address 10.86.3.3 255.255.255.0
interface Serial1/0
ip address 8.8.23.3 255.255.255.0
encapsulation frame-relay
ip ospf network point-to-point
no arp frame-relay
frame-relay map ip 8.8.23.2 302 broadcast
no frame-relay inverse-arp
crypto map cisco
router ospf 100
network 8.8.23.0 0.0.0.255 area 0
ip route 0.0.0.0 0.0.0.0 8.8.23.2
access-list 100 permit ip 10.86.3.0 0.0.0.255 10.86.1.0 0.0.0.255
access-list 100 permit ip 10.86.3.0 0.0.0.255 10.3.3.0 0.0.0.255
R4 (Company C):
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 8.8.5.254
crypto ipsec transform-set cisco esp-des esp-md5-hmac
crypto map cisco 10 ipsec-isakmp
set peer 8.8.5.254
set transform-set cisco
match address 100
interface Loopback0
ip address 10.3.3.4 255.255.255.0
interface Serial1/0
ip address 8.8.24.4 255.255.255.0
encapsulation frame-relay
ip ospf network point-to-point
serial restart-delay 0
no arp frame-relay
frame-relay map ip 8.8.24.4 402
frame-relay map ip 8.8.24.2 402 broadcast
no frame-relay inverse-arp
crypto map cisco
router ospf 1
network 8.8.24.0 0.0.0.255 area 0
ip route 0.0.0.0 0.0.0.0 8.8.24.2
access-list 100 permit ip 10.3.3.0 0.0.0.255 10.86.1.0 0.0.0.255
Thanks for your information.