ASA Firewall Dynamic VPN Configuration Case
In recent years, as information networks have kept developing, more and more companies have built VPN networks. Some large companies already have VPNs between headquarters and their branches and offices, but the investment is high. As VPN technology matures, dynamic VPN is used more and more, and more such products appear on the market. For some large companies, however, the headquarters firewall is a Cisco ASA while the branches usually have no dedicated firewall; some offices in particular have no leased line and no fixed IP and only reach the Internet by ADSL dynamic dial-up. If headquarters and such an office need a site-to-site VPN, a dynamic VPN is required, but the ASA 5500 series currently only supports site-to-site VPN with static IPs, so the dynamic VPN can be built between the router at the office or branch and the headquarters ASA.

Environment:
Headquarters: internal network -> core switch -> ASA5510 firewall -> fibre leased line to the Internet
Branch or office: internal network -> switch -> Cisco 2611 router -> ADSL modem to the Internet

Configuration steps:
Headquarters ASA5510 configuration
ASA Version 7.2(1)
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 203.132.90.89 255.255.255.252
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.3.254 255.255.255.0
access-list 120 extended permit ip any any
access-list 110 extended permit ip 192.168.3.0 255.255.255.0 172.16.1.0 255.255.255.0
asdm image disk0:/asdm505.bin
global (outside) 1 interface
nat (inside) 0 access-list 110
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 120 in interface outside
route outside 0.0.0.0 0.0.0.0 203.132.90.90 1
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set xp esp-des esp-sha-hmac
crypto dynamic-map cmldynamic 10 set transform-set xp
crypto map jiangmap 10 ipsec-isakmp dynamic cmldynamic
crypto map jiangmap interface outside
isakmp enable outside
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
(Note: the two lines above differ from the PIX configuration.)
!
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:72bd465cd632f344fec7ebe02a5a27ed
: end
Office Cisco 2611 router configuration:
ip nbar pdlm flash:bittorrent.pdlm
!
!
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key xin%909988 address 203.132.90.89
!
crypto ipsec transform-set jiangset esp-des esp-sha-hmac
!
crypto map jiangmap 20 ipsec-isakmp
set peer 203.132.90.89
set transform-set jiangset
match address 110
!
mta receive maximum-recipients 0
!
!
class-map match-all bittorrent
match protocol bittorrent
!
policy-map cmlqos
class bittorrent
drop
!
interface FastEthernet0/0
ip address 172.16.1.1 255.255.255.0
ip nat inside
service-policy output cmlqos
!
interface FastEthernet0/1
no ip address
pppoe enable
pppoe-client dial-pool-number 1
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
encapsulation ppp
no ip route-cache
no ip mroute-cache
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username dg50987634 password 7 121C58495740435F55
crypto map jiangmap
!
ip nat inside source list 120 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 1 permit 172.16.1.0 0.0.0.255
access-list 110 permit ip 172.16.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 120 deny ip 172.16.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 120 permit ip 172.16.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
call rsvp-sync
!
mgcp profile default
!
dial-peer cor custom
!
end
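As an added check that is not part of the original post, the Python script below reads abridged copies of the two configurations above and reports the mismatches a practitioner would look for before bringing the tunnel up: the Phase 2 transform sets, the peer address, whether the crypto ACLs are mirror images, the ISAKMP attributes the router sets explicitly versus those it leaves at IOS defaults, whether the pre-shared key sits under the tunnel-group that a dynamically addressed site-to-site peer actually matches on the ASA (DefaultL2LGroup rather than DefaultRAGroup, the point raised in the reply further down), and whether legacy algorithms (DES, DH group 1) are in use. The embedded configs are trimmed, the IKE key is replaced by a placeholder, and the IOS sub-lines are indented the way IOS prints them; the helper names and finding texts are the script's own, not ASA or IOS output.

```python
import ipaddress
import re

# Abridged copies of the two configurations from the post (constructed test input;
# the IKE key and ADSL credentials are left out).
ASA_CFG = """\
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 203.132.90.89 255.255.255.252
access-list 110 extended permit ip 192.168.3.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list 110
crypto ipsec transform-set xp esp-des esp-sha-hmac
crypto dynamic-map cmldynamic 10 set transform-set xp
crypto map jiangmap 10 ipsec-isakmp dynamic cmldynamic
crypto map jiangmap interface outside
isakmp enable outside
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
"""

IOS_CFG = """\
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key PSK-PLACEHOLDER address 203.132.90.89
crypto ipsec transform-set jiangset esp-des esp-sha-hmac
crypto map jiangmap 20 ipsec-isakmp
 set peer 203.132.90.89
 set transform-set jiangset
 match address 110
interface Dialer1
 ip address negotiated
 crypto map jiangmap
access-list 110 permit ip 172.16.1.0 0.0.0.255 192.168.3.0 0.0.0.255
"""


def parse_blocks(cfg):
    """Group a Cisco config into (top-level line, [indented sub-lines]) pairs."""
    blocks = []
    for line in cfg.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def transform_sets(cfg):
    """Map transform-set name -> tuple of transforms (same syntax on ASA and IOS)."""
    return {m.group(1): tuple(m.group(2).split())
            for m in re.finditer(r"crypto ipsec transform-set (\S+) (.+)", cfg)}


def asa_outside_ip(cfg):
    """Address of the ASA interface whose nameif is 'outside'."""
    for header, body in parse_blocks(cfg):
        if header.startswith("interface") and "nameif outside" in body:
            for line in body:
                if line.startswith("ip address "):
                    return line.split()[2]
    return None


def asa_isakmp(cfg):
    """ASA flat syntax: {policy number: {attribute: value}}."""
    policies = {}
    for m in re.finditer(r"isakmp policy (\d+) (\S+) (\S+)", cfg):
        policies.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return policies


def ios_isakmp(cfg):
    """IOS block syntax: {policy number: {attribute: value}} (explicit lines only)."""
    return {h.split()[3]: dict(l.split(None, 1) for l in body)
            for h, body in parse_blocks(cfg) if h.startswith("crypto isakmp policy ")}


def ios_crypto_map(cfg):
    """First ipsec-isakmp crypto map entry as {'set peer': [...], 'match address': [...], ...}."""
    for h, body in parse_blocks(cfg):
        if h.startswith("crypto map ") and h.endswith("ipsec-isakmp"):
            return {" ".join(l.split()[:2]): l.split()[2:] for l in body}
    return {}


def acl_pairs(cfg, name, asa):
    """(src, dst) networks of an IP ACL. ASA lines use subnet masks, IOS lines use
    wildcard masks; ipaddress accepts either a netmask or a hostmask after '/'."""
    kw = "extended permit" if asa else "permit"
    pat = rf"(?m)^access-list {name} {kw} ip (\S+) (\S+) (\S+) (\S+)"
    return {(ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}"))
            for s, sm, d, dm in re.findall(pat, cfg)}


def asa_psk_tunnel_groups(cfg):
    """Names of tunnel-groups that carry a pre-shared-key under ipsec-attributes."""
    return [h.split()[1] for h, body in parse_blocks(cfg)
            if h.startswith("tunnel-group ") and "ipsec-attributes" in h
            and any(l.startswith("pre-shared-key") for l in body)]


def audit(asa_cfg, ios_cfg):
    """Cross-check both ends of the dynamic site-to-site tunnel; return finding strings."""
    findings = []
    cmap = ios_crypto_map(ios_cfg)
    asa_pols, ios_pols = asa_isakmp(asa_cfg), ios_isakmp(ios_cfg)

    # 1. Phase 2: the set named by the ASA dynamic map must equal the router's set.
    dyn = re.search(r"crypto dynamic-map \S+ \d+ set transform-set (\S+)", asa_cfg)
    asa_ts = transform_sets(asa_cfg).get(dyn.group(1)) if dyn else None
    ios_ts = transform_sets(ios_cfg).get(cmap.get("set transform-set", [""])[0])
    if asa_ts != ios_ts:
        findings.append(f"transform-set mismatch: ASA {asa_ts} vs router {ios_ts}")

    # 2. The router's peer must be the ASA outside address.
    peer, outside = cmap.get("set peer", [None])[0], asa_outside_ip(asa_cfg)
    if peer != outside:
        findings.append(f"router peer {peer} is not the ASA outside address {outside}")

    # 3. Crypto ACLs must be mirror images (ASA src/dst == router dst/src).
    nat0 = re.search(r"nat \(inside\) 0 access-list (\S+)", asa_cfg)
    asa_nets = acl_pairs(asa_cfg, nat0.group(1), asa=True) if nat0 else set()
    ios_nets = acl_pairs(ios_cfg, cmap.get("match address", [""])[0], asa=False)
    if asa_nets != {(d, s) for s, d in ios_nets}:
        findings.append("crypto ACLs are not mirror images of each other")

    # 4. Phase 1: explicit router attributes must be offered by some ASA policy;
    #    attributes left at IOS defaults need a manual check against the ASA.
    for num, pol in ios_pols.items():
        for attr in ("authentication", "encryption", "hash", "group"):
            if attr not in pol:
                findings.append(f"router isakmp policy {num} leaves {attr} at the IOS "
                                f"default; confirm it matches the ASA")
            elif not any(p.get(attr) == pol[attr] for p in asa_pols.values()):
                findings.append(f"no ASA isakmp policy offers {attr} {pol[attr]}")

    # 5. A site-to-site peer with a dynamic address is matched against
    #    DefaultL2LGroup on the ASA, so the pre-shared key must live there.
    if "DefaultL2LGroup" not in asa_psk_tunnel_groups(asa_cfg):
        findings.append("no pre-shared-key under tunnel-group DefaultL2LGroup")

    # 6. Legacy algorithms on the ASA side (DES ciphers, MD5, DH group 1).
    used = set(asa_ts or ()) | {v for p in asa_pols.values() for v in p.values()}
    weak = sorted(used & {"des", "esp-des", "md5", "esp-md5-hmac"})
    if any(p.get("group") == "1" for p in asa_pols.values()):
        weak.append("dh-group-1")
    if weak:
        findings.append(f"legacy algorithms on the ASA: {weak}")
    return findings


if __name__ == "__main__":
    for finding in audit(ASA_CFG, IOS_CFG):
        print("-", finding)
```

Run against the post's configs the script reports the missing DefaultL2LGroup key, the three router attributes left at IOS defaults, and the DES/DH group 1 choice, while the transform sets, peer address and crypto ACLs pass; changing either transform set or one ACL subnet makes the corresponding check fail.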
Learned.

From Chao-Manson's Sina Weibo: Learned.

Thanks Xiaoqiao, this came just in time. In the last couple of days our company's ASA replaced the original 3662, and there is a pile of ADSL dial-up branch ends whose configuration needs to be migrated to the ASA. (This post was last edited by zhgm on 2012-2-16 14:41.)
I configured it according to this post and the ping did not get through; later I found the cause on a foreign technical forum:
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
A site-to-site VPN is negotiated through L2L, so the L2L negotiation method has to be defined.

Thanks....

Thank you for sharing...

This is very good information....

It would be even better with an explanation.

I want Honghu coins. Ahhhh.

Learned. Thanks.

Everyone come and take a look, the OP's great post is getting tons of likes.