Cisco ASA 5515(9.2) remote access
1. Configure the ISAKMP policy and enable ISAKMP on the outside interface
crypto ikev1 policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
2. Configure the address pool and ACL
ASA-Qingdao(config)# ip local pool vpn_pool 192.168.8.100-192.168.8.200 mask 255.255.255.0
ASA-Qingdao(config)# access-list SPLIT_TUNNEL standard permit 10.31.34.0 255.255.255.0
ASA-Qingdao(config)# access-list SPLIT_TUNNEL standard permit 172.31.15.0 255.255.255.0
ASA-Qingdao(config)# access-list SPLIT_TUNNEL standard permit 172.16.0.0 255.255.255.0
3. Add a user
ASA-Qingdao(config)# username qingdao password 12345678
*** Removed; after removing it, the VPN can be dialed but cannot connect
4. Create the IKEv1 transform-set or IKEv2 proposal
ASA-Qingdao(config)# crypto ipsec ikev1 transform-set remote_set esp-3des esp-md5-hmac
5. Define the group policy and tunnel group
Define the group policy
ASA-Qingdao(config)# group-policy VPNGroup internal *** create an internal group policy named VPNGroup
ASA-Qingdao(config)# group-policy VPNGroup attributes *** attributes of group policy VPNGroup
ASA-Qingdao(config-group-policy)# dns-server value 172.31.15.250 *** configure the primary and backup DNS servers
ASA-Qingdao(config-group-policy)# vpn-tunnel-protocol l2tp-ipsec
ASA-Qingdao(config-group-policy)# split-tunnel-policy tunnelspecified
ASA-Qingdao(config-group-policy)# split-tunnel-network-list value SPLIT_TUNNEL
Define the tunnel group
Tunnel-group testgroup type ipsec-ra
Tunnel-group testgroup general-attributes
Address-pool vpn_pool
Tunnel-group testgroup ipsec-attributes
Ikev1 pre-shared-key ****
ASA-Qingdao(config)# tunnel-group qingdaovpn type remote-access
ASA-Qingdao(config)# tunnel-group qingdaovpn general-attributes
ASA-Qingdao(config-tunnel-general)# address-pool vpn_pool
ASA-Qingdao(config-tunnel-general)# default-group-policy VPNGroup
ASA-Qingdao(config-tunnel-general)# default-group-policy VPNGroup
*** Removed; after removing it, the VPN can be dialed but cannot connect
ASA-Qingdao(config)# tunnel-group qingdaovpn general-attributes
6. Create the dynamic crypto map
ASA-Qingdao(config)# crypto dynamic-map remote_map 30 set ikev1 transform-set remote_set
ASA-Qingdao(config)# crypto dynamic-map remote_map 30 set reverse-route
7. Create a crypto map entry that uses the dynamic crypto map
ASA-Qingdao(config)# crypto map pingdumap 30 ipsec-isakmp dynamic remote_map
ASA-Qingdao(config)# crypto map pingdumap interface outside
With the above configuration in place, the connection cannot be established, and 172.31.15.0/24 and 10.0.90.1 cannot be pinged.
Thanks for your help... you are the best.
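Added here as an example, not part of the original post: a small Python audit run over a constructed copy of the posted configuration (prompts stripped). It flags the deprecated 3DES, MD5 and DH group 2 choices in the IKEv1 policy and transform set, and checks that a tunnel group served by an IKEv1 dynamic map points at a group policy whose vpn-tunnel-protocol includes ikev1, which Cisco IPsec (IKEv1) clients require; the finding strings and the one-space indentation convention are the example's own.

```python
"""Audit a Cisco ASA IKEv1 remote-access config for deprecated crypto and a
group policy that does not permit the ikev1 clients its dynamic map serves."""
WEAK_IKE = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}
# Constructed sample: the posted configuration with prompts stripped and
# sub-commands indented one space, as ASA 'show running-config' prints them.
SAMPLE_CONFIG = """\
crypto ikev1 policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set remote_set esp-3des esp-md5-hmac
group-policy VPNGroup attributes
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group qingdaovpn general-attributes
 default-group-policy VPNGroup
crypto dynamic-map remote_map 30 set ikev1 transform-set remote_set
crypto map pingdumap 30 ipsec-isakmp dynamic remote_map
"""

def audit(config: str) -> list[str]:
    """Return one finding string per weak or mismatched setting."""
    findings, section, policies, tunnels, ikev1_map = [], "", {}, {}, False
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if not raw.startswith(" "):  # top-level command opens a new section
            section = raw.strip()
            if section.startswith("crypto ipsec ikev1 transform-set"):
                findings += [f"transform-set {tokens[4]}: weak {t}"
                             for t in tokens[5:] if t in WEAK_ESP]
            elif "set ikev1 transform-set" in section:
                ikev1_map = True  # an IKEv1 dynamic map serves these clients
            continue
        if section.startswith("crypto ikev1 policy"):
            if len(tokens) > 1 and tokens[1] in WEAK_IKE.get(tokens[0], ()):
                findings.append(f"{section}: weak {tokens[0]} {tokens[1]}")
        elif section.startswith("group-policy") and tokens[0] == "vpn-tunnel-protocol":
            policies[section.split()[1]] = set(tokens[1:])
        elif section.startswith("tunnel-group") and tokens[0] == "default-group-policy":
            tunnels[section.split()[1]] = tokens[1]
    for tg, gp in tunnels.items():  # IKEv1 IPsec clients need ikev1 in the group policy
        if ikev1_map and "ikev1" not in policies.get(gp, set()):
            findings.append(f"tunnel-group {tg}: group-policy {gp} does not permit ikev1")
    return findings
```

If the intended clients are Windows L2TP/IPsec rather than the Cisco IPsec client, l2tp-ipsec is the right protocol keyword and the transform set would instead need `mode transport`.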