万里星空/db posted on 2014-8-29 03:35:01

Problem mixing an ASA with routers, asking for help

I am building an IPsec VPN on the topology shown in the diagram. C1 ping C3 returns "destination host unreachable"; C3 ping C1 times out. The configuration commands are below. Please point out where the configuration is wrong!

ISP       
--------------------------------
en
conf t
access-list 1 deny 192.168.0.0 0.0.255.255
access-list 1 permit any
int f0/0
ip add 202.100.10.2 255.255.255.0
ip access-group 1 in
no shut
int f0/1
ip add 202.100.20.2 255.255.255.0
ip access-group 1 in
no shut
int f1/0
ip add 202.100.30.2 255.255.255.0
ip access-group 1 in
no shut
end
wr

-----------------------
R3
-----------
en
conf t
ip access-list ex nat
deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip any any
exit
ip access-list ex vpn
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip any any
exit
int f0/0
ip add 202.100.20.1 255.255.255.0
no shut
ip nat outside
int f0/1
ip add 192.168.2.254 255.255.255.0
no shut
ip nat inside
exit
ip nat inside s list nat inter f0/0 overload
ip route 0.0.0.0 0.0.0.0 202.100.20.2
end
conf t
crypto isakmp policy 1
encryption des
authentication pre-share
group 2
hash sha
exit
crypto isakmp key 0 benet-key address 202.100.10.1 255.255.255.0
crypto ipsec transform-set benet-set esp-sha-hmac esp-des
exit
crypto map benet-map 1 ipsec-isakmp
set transform-set benet-set
set pfs group2
set peer 202.100.10.1
match address vpn
exit
int f0/0
crypto map benet-map
do wr

----------------
R1
-----------
en
conf t
int f0/0
ip add 192.168.10.2 255.255.255.0
no shut
int f0/1
ip add 192.168.1.254 255.255.255.0
no shut
exit
ip route 0.0.0.0 0.0.0.0 192.168.10.1
end
wr

--------------------
ASA
------------
en
conf t
int e0/0
ip add 202.100.10.1 255.255.255.0
nameif outside
no shut
int e0/1
ip add 192.168.10.1 255.255.255.0
nameif inside
exit
route outside 0 0 202.100.10.2
route inside 192.168.1.0 255.255.255.0 192.168.10.2
access-list ping ex permit icmp any any
access-list nonat ex permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat ex permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat ex deny ip any any
access-list vpn ex permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list vpn ex permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn ex deny ip any any
access-group ping in inte outside
nat-control
nat (inside) 1 0 0
global (outside) 1 interface
nat (outside) 0 access-list nonat
crypto isakmp enable outside
crypto isakmp key benet-key address 202.100.20.1 netmask 255.255.255.0
crypto ipsec transform-set benet-set esp-sha-hmac esp-des
crypto isakmp policy 1
encryption des
authentication pre-share
group 2
hash sha
exit
crypto map benet-map 1 ipsec-isakmp
crypto map benet-map 1 set transform-set benet-set
crypto map benet-map 1 set peer 202.100.20.1
crypto map benet-map 1 set pfs group2
crypto map benet-map 1 match address vpn
crypto map benet-map interface outside
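Editor's added example, not part of the original post or any reply: a corrected ASA and R3 configuration derived from the commands posted above. It assumes the same addresses, interface names, ACL names and key as posted, a pre-8.3 ASA image (the post uses nat-control and global, which is pre-8.3 NAT syntax), and, only for the packet-tracer check, host addresses 192.168.1.1 for C1 and 192.168.2.1 for C3, which the post does not give.

```cisco
! ===== ASA: corrections to the posted configuration =====
! Pre-8.3 NAT syntax, matching the post (nat-control / global).
conf t
!
! Fix 1: e0/1 was addressed and named but never enabled. ASA physical
! interfaces stay administratively down until "no shutdown", so R1 could
! not ARP for 192.168.10.1 (C1 gets "destination host unreachable") and
! packets decrypted from C3 had no live inside interface to exit (timeout).
interface e0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
 no shutdown
exit
!
! Fix 2: NAT exemption must be bound to the interface the traffic enters.
! "nat (outside) 0" never sees inside-originated packets, so C1 -> C3 fell
! through to "nat (inside) 1", was PAT'd to 202.100.10.1, stopped matching
! the crypto ACL and left in clear text to a destination the ISP drops.
! Pre-8.3 "nat 0 access-list" is bidirectional, so the inside statement
! alone also admits C3 -> C1 arriving through the tunnel.
no nat (outside) 0 access-list nonat
nat (inside) 0 access-list nonat
!
! Hygiene: a crypto ACL lists local -> remote only; the router's "vpn" ACL
! is its exact mirror. Remove the reverse entry and the explicit deny
! (implicit anyway) from both the crypto ACL and the exemption ACL.
no access-list vpn extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
no access-list vpn extended deny ip any any
no access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
no access-list nonat extended deny ip any any
!
! Hygiene: the posted key applied to all of 202.100.20.0/24. On ASA 7.x
! and later the documented place for a pre-shared key is the tunnel-group,
! which binds it to exactly one peer; remove the legacy line.
no crypto isakmp key benet-key address 202.100.20.1 netmask 255.255.255.0
tunnel-group 202.100.20.1 type ipsec-l2l
tunnel-group 202.100.20.1 ipsec-attributes
 pre-shared-key benet-key
exit
end
write memory
!
! ===== R3 (IOS): same key hygiene =====
! Omitting the mask makes the key peer-specific (host match).
conf t
no crypto isakmp key 0 benet-key address 202.100.10.1 255.255.255.0
crypto isakmp key 0 benet-key address 202.100.10.1
end
write
!
! ===== Verification =====
! ASA: inside must show "up up".
show interface ip brief
! ASA: 192.168.1.1 and 192.168.2.1 are assumed host addresses. Expect the
! NAT phase to report exemption via "nonat" and a VPN (encrypt) phase; a
! translation to 202.100.10.1 means Fix 2 did not take.
packet-tracer input inside icmp 192.168.1.1 8 0 192.168.2.1 detailed
! ASA: MM_ACTIVE after the first ping; encaps and decaps both increasing;
! no 192.168.1.x entries in the translation table.
show crypto isakmp sa
show crypto ipsec sa
show xlate
! R3: QM_IDLE; counters increasing; no 192.168.2.x -> 192.168.1.x entries.
show crypto isakmp sa
show crypto ipsec sa
show ip nat translations
!
! Caveat: DES, SHA-1 and DH group 2 are lab-grade only. Change both peers
! together (ISAKMP policy and transform set must still match), e.g.
! "encryption aes 256" in the policy, the strongest DH group both images
! support, and "crypto ipsec transform-set benet-set esp-aes-256 esp-sha-hmac".
```

The two real defects are the missing `no shutdown` on the ASA inside interface and the exemption applied on the wrong interface; everything after that is cleanup a reviewer would ask for so the two crypto ACLs are exact mirrors and each pre-shared key is tied to a single peer.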
天空那么蓝 posted on 2014-8-29 05:15:37

I don't get it, the ACLs are so complicated.

万里星空/db posted on 2014-8-29 10:49:04

One spot in the diagram above is labelled wrong; reposting it.

phil posted on 2014-12-24 15:27:53

Thanks for your information.