ASA842 L2L***沒有配置隧道分離，分支機構從總部上公網測試

一.測試拓撲：

二.測試思路：

A.總部ASA不配置隧道分離，分支機構所有流量都走***

B.總部ASA配置NAT允許分支網段PAT上公網

----因爲分支流量會從outside接口反彈流量，需要配置same-security-traffic permit intra-interface

三.基本配置：
A.Inside路由器：
interface Ethernet0/0
ip address 10.1.1.2 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 10.1.1.1
B.Center_ASA842防火牆：
interface GigabitEthernet0
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet1
nameif outside
security-level 0
ip address 202.100.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 202.100.1.10
access-list outside extended permit icmp any any
access-group outside in interface outside
C.Internet路由器：
interface Loopback0
ip address 61.1.1.1 255.255.255.0
interface Ethernet0/0
ip address 202.100.1.10 255.255.255.0
no shutdown
interface Ethernet0/1
ip address 202.100.2.10 255.255.255.0
no shutdown
D.Branch路由器：
interface Loopback0
ip address 61.1.1.1 255.255.255.0
interface Ethernet0/0
ip address 202.100.1.10 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 202.100.2.10
四.Site-to-Site ***配置：
A.Branch路由器：
①第一階段策略：
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 202.100.1.1
②第二階段轉換集：
crypto ipsec transform-set transet esp-des esp-md5-hmac
③配置感興趣流：
ip access-list extended ***
permit ip 192.168.1.0 0.0.0.255 any
④配置並應用crypto map：
crypto map crymap 10 ipsec-isakmp
set peer 202.100.1.1
set transform-set transet
match address ***
crypto map crymap 10 ipsec-isakmp
match address ***
B.Center_ASA842防火牆：
①第一階段策略：
crypto ikev1 policy 10
authentication pre-share
encryption des
hash md5
group 2
crypto isakmp identity address
tunnel-group 202.100.2.1 type ipsec-l2l
tunnel-group 202.100.2.1 ipsec-attributes
ikev1 pre-shared-key cisco
②第二階段轉換集：
crypto ipsec ikev1 transform-set transet esp-des esp-md5-hmac
③配置感興趣流：
access-list *** extended permit ip any 192.168.1.0 255.255.255.0
④配置並應用crypto map：
crypto map crymap 10 match address ***
crypto map crymap 10 set peer 202.100.2.1
crypto map crymap 10 set ikev1 transform-set transet
crypto map crymap 10 set reverse-route
crypto map crymap interface outside
⑤在外部接口啓用IKEV1：
crypto ikev1 enable outside
五.Center_ASA842防火牆NAT配置：
A.內部PAT出公網：
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
B.***流量NAT免除：
object network obj-10.1.1.0
subnet 10.1.1.0 255.255.255.0
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
nat (inside,any) source static obj-10.1.1.0 obj-10.1.1.0 destination static obj-192.168.1.0 obj-192.168.1.0 no-proxy-arp
C.Hairpin NAT使得分支機構PAT上公網：
same-security-traffic permit intra-interface
object network obj-192.168.1.0
nat (outside,outside) dynamic interface

ASA842 L2L***沒有配置隧道分離，分支機構從總部上公網測試

ASA的Twice-NAT實現anyconnect VeiPiN地址池內網無路由的PAT

蒲公英ＶＰＮ訪問外網需要放行的端口

ASA的Twice-NAT實現anyconnect***地址池內網無路由的PAT

我的友情鏈接

順時針和逆時針螺旋打印二維數組（行列式）

Mac下配置sublime實現LaTeX

https://yachay.unat.edu.pe/blog/index.php?comment_area=format_blog&comment_component=blog&comment_co

linux以太網驅動總結