Cisco IPSec *** 配置攻略一:站點到站點*** 配置案例2

 

需求:某公司使用全網互聯拓撲,使每個站點分別擁有去往相應IPSec對等體的IPSec隧道。同時使用RRI,通過OSPF將遠端網絡信息發佈到本地芝加哥網絡中。

Chicago ASA:

Chicago#show running

!
hostname Chicago
!outside interface GigabitEthernet0/0 (untrusted side; both IPsec peers terminate here)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.165.200.225 255.255.255.224
!inside interface GigabitEthernet0/1 (protected LAN 192.168.1.0/24)
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!management interface mgmt
!NOTE(review): same security-level as inside, so inside<->mgmt transit stays blocked
!unless same-security-traffic is enabled; consider "management-only" on this interface
!so it never carries transit traffic.
interface Management0/0
 nameif mgmt
 security-level 100
 ip address 172.18.82.64 255.255.255.0

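!NAT Exempt Access-list to bypass NAT for traffic from 192.168.1.0/24 to 10.10.1.0/24
!("ip" is the protocol field; the original lines omitted it and would be rejected)
access-list inside_nat0_outbound remark to bypass 192.168.1.0/24 to 10.10.1.0/24
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0
!NAT Exempt Access-list to bypass NAT for traffic from 192.168.1.0/24 to 172.16.1.0/24
access-list inside_nat0_outbound remark to bypass 192.168.1.0/24 to 172.16.1.0/24
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
!Apply the exemption (pre-8.3 syntax): without this the ACL above is defined but never used
!and site-to-site traffic would be translated before it reaches the crypto map.
!On ASA 8.3+ express the same exemption as an identity (twice) NAT rule instead.
nat (inside) 0 access-list inside_nat0_outbound
!encryption access-list to encrypt the traffic from 192.168.1.0/24 to 10.10.1.0/24
!(must be the exact mirror of the peer's crypto ACL or phase 2 proxy-ID negotiation fails)
access-list outside_cryptomap_1 remark to encrypt traffic from 192.168.1.0/24 to 10.10.1.0/24
access-list outside_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0
!encryption access-list to encrypt the traffic from 192.168.1.0/24 to 172.16.1.0/24
access-list outside_cryptomap_2 remark to encrypt traffic from 192.168.1.0/24 to 172.16.1.0/24
access-list outside_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0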

 

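!
!Default route toward the upstream gateway on the outside segment
route outside 0.0.0.0 0.0.0.0 209.165.200.227 1
!OSPF Process: advertises the inside network plus the RRI-injected static routes
!(10.10.1.0/24 and 172.16.1.0/24, created by "set reverse-route" on the crypto map)
!to the Chicago LAN. Fixes: "opsf" typo, "area network" is not a valid area id.
router ospf 100
 area 0
 network 192.168.0.0 255.255.0.0 area 0
 !"subnets" is needed so the non-classful /24 RRI routes are actually redistributed
 redistribute static subnets
!
!ASDM/HTTPS management reachable only from the mgmt subnet, never from outside
http server enable
http 172.18.82.0 255.255.255.0 mgmt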

!Transform set to specify encryption and hashing algorithm (phase 2 / IPsec SA)
crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac
!Crypto map configuration for NewYork ASA
!NOTE(review): no "set pfs" on either entry, so phase 2 keys derive from the phase 1
!exchange; enabling PFS (on all peers together) limits exposure if a phase 1 key leaks.
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 209.165.201.1
crypto map outside_map 1 set transform-set AES-SHA
!RRI: inject a static route for 10.10.1.0/24 so OSPF can redistribute it to the LAN
crypto map outside_map 1 set reverse-route
!Crypto map configuration for London ASA
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer 209.165.202.129
crypto map outside_map 2 set transform-set AES-SHA
!RRI: inject a static route for 172.16.1.0/24 for OSPF redistribution
crypto map outside_map 2 set reverse-route
!Bind the map to the interface where the peers terminate
crypto map outside_map interface outside

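!isakmp configure (IKEv1 phase 1). The policy must match on every peer.
!"crypto isakmp enable" takes the interface name; without it IKE is not listening.
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 !"pre-share" is an authentication method, not a cipher; use AES-256 to match the transform set
 encryption aes-256
 hash sha
 !group 5 (1536-bit MODP) is below current guidance; group 14 is the usual minimum,
 !but it has to be changed on all three ASAs at the same time
 group 5
 lifetime 86400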

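!L2L tunnel-group configuration for New York ASA
!The group name must equal the peer address exactly; the original "209.168.201.1" typo
!left no matching group, so the ipsec-attributes below never applied to this peer.
tunnel-group 209.165.201.1 type ipsec-l2l
tunnel-group 209.165.201.1 ipsec-attributes
 !demo value: use a long random key that is unique per peer, so a compromise of one
 !site cannot be used to impersonate the others
 pre-shared-key cisco123
!L2L tunnel-group configuration for London ASA
tunnel-group 209.165.202.129 type ipsec-l2l
tunnel-group 209.165.202.129 ipsec-attributes
 pre-shared-key cisco123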

New York ASA:

NewYork#show running

!
hostname NewYork
!outside interface GigabitEthernet0/0 (untrusted side; both IPsec peers terminate here)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.165.201.1 255.255.255.224
!inside interface GigabitEthernet0/1 (protected LAN 10.10.1.0/24)
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.255.0
!management interface mgmt
!NOTE(review): same security-level as inside, so inside<->mgmt transit stays blocked
!unless same-security-traffic is enabled; consider "management-only" here.
interface Management0/0
 nameif mgmt
 security-level 100
 ip address 172.18.101.164 255.255.255.0

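!NAT Exempt Access-list to bypass NAT for traffic from 10.10.1.0/24 to 192.168.1.0/24
!("ip" is the protocol field; the original lines omitted it and would be rejected)
access-list inside_nat0_outbound remark to bypass 10.10.1.0/24 to 192.168.1.0/24
access-list inside_nat0_outbound extended permit ip 10.10.1.0 255.255.255.0 192.168.1.0 255.255.255.0
!NAT Exempt Access-list to bypass NAT for traffic from 10.10.1.0/24 to 172.16.1.0/24
access-list inside_nat0_outbound remark to bypass 10.10.1.0/24 to 172.16.1.0/24
access-list inside_nat0_outbound extended permit ip 10.10.1.0 255.255.255.0 172.16.1.0 255.255.255.0
!Apply the exemption (pre-8.3 syntax): without this the ACL above is never used.
!On ASA 8.3+ express the same exemption as an identity (twice) NAT rule instead.
nat (inside) 0 access-list inside_nat0_outbound
!encryption access-list to encrypt the traffic from 10.10.1.0/24 to 192.168.1.0/24
!(remarks corrected to the local direction; the ACL must mirror the peer's exactly)
access-list outside_cryptomap_1 remark to encrypt traffic from 10.10.1.0/24 to 192.168.1.0/24
access-list outside_cryptomap_1 extended permit ip 10.10.1.0 255.255.255.0 192.168.1.0 255.255.255.0
!encryption access-list to encrypt the traffic from 10.10.1.0/24 to 172.16.1.0/24
access-list outside_cryptomap_2 remark to encrypt traffic from 10.10.1.0/24 to 172.16.1.0/24
access-list outside_cryptomap_2 extended permit ip 10.10.1.0 255.255.255.0 172.16.1.0 255.255.255.0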

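!
!Default route toward the upstream gateway. The original next hop 209.165.201.1 is this
!ASA's own outside address, which is not a usable gateway; fill in the real upstream
!router on 209.165.201.0/27 (placeholder, not a value from this page).
route outside 0.0.0.0 0.0.0.0 <NEWYORK-UPSTREAM-GATEWAY> 1
!
!ASDM/HTTPS management reachable only from the mgmt subnet, never from outside
http server enable
http 172.18.101.0 255.255.255.0 mgmt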

!Transform set to specify encryption and hashing algorithm (phase 2 / IPsec SA)
crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac
!Crypto map configuration for Chicago ASA
!NOTE(review): no "set pfs" on either entry; enabling PFS (on all peers together)
!limits exposure if a phase 1 key leaks. No RRI here: this site has no dynamic
!routing, the default route carries remote traffic to the crypto map.
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 209.165.200.225
crypto map outside_map 1 set transform-set AES-SHA
!Crypto map configuration for London ASA
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer 209.165.202.129
crypto map outside_map 2 set transform-set AES-SHA
!Bind the map to the interface where the peers terminate
crypto map outside_map interface outside

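!isakmp configure (IKEv1 phase 1). The policy must match on every peer.
!"crypto isakmp enable" takes the interface name; without it IKE is not listening.
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 !"pre-share" is an authentication method, not a cipher; use AES-256 to match the transform set
 encryption aes-256
 hash sha
 !group 5 (1536-bit MODP) is below current guidance; group 14 is the usual minimum,
 !but it has to be changed on all three ASAs at the same time
 group 5
 lifetime 86400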

!L2L tunnel-group configuration for Chicago ASA
!(group name must equal the peer's outside address exactly, or the key is never applied)
tunnel-group 209.165.200.225 type ipsec-l2l
tunnel-group 209.165.200.225 ipsec-attributes
 !demo value: use a long random key that is unique per peer, so a compromise of one
 !site cannot be used to impersonate the others
 pre-shared-key cisco123
!L2L tunnel-group configuration for London ASA
tunnel-group 209.165.202.129 type ipsec-l2l
tunnel-group 209.165.202.129 ipsec-attributes
 pre-shared-key cisco123

London ASA:

London#show running

!
hostname London
!outside interface GigabitEthernet0/0 (untrusted side; both IPsec peers terminate here)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.165.202.129 255.255.255.224
!inside interface GigabitEthernet0/1 (protected LAN 172.16.1.0/24)
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!management interface mgmt
!NOTE(review): same security-level as inside, so inside<->mgmt transit stays blocked
!unless same-security-traffic is enabled; consider "management-only" here.
interface Management0/0
 nameif mgmt
 security-level 100
 ip address 172.18.200.164 255.255.255.0

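!NAT Exempt Access-list to bypass NAT for traffic from 172.16.1.0/24 to 192.168.1.0/24
!("ip" is the protocol field; the original lines omitted it and would be rejected)
access-list inside_nat0_outbound remark to bypass 172.16.1.0/24 to 192.168.1.0/24
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
!NAT Exempt Access-list to bypass NAT for traffic from 172.16.1.0/24 to 10.10.1.0/24
access-list inside_nat0_outbound remark to bypass 172.16.1.0/24 to 10.10.1.0/24
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 10.10.1.0 255.255.255.0
!Apply the exemption (pre-8.3 syntax): without this the ACL above is never used.
!On ASA 8.3+ express the same exemption as an identity (twice) NAT rule instead.
nat (inside) 0 access-list inside_nat0_outbound
!encryption access-list to encrypt the traffic from 172.16.1.0/24 to 192.168.1.0/24
!(the ACL must be the exact mirror of the peer's crypto ACL)
access-list outside_cryptomap_1 remark to encrypt traffic from 172.16.1.0/24 to 192.168.1.0/24
access-list outside_cryptomap_1 extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
!encryption access-list to encrypt the traffic from 172.16.1.0/24 to 10.10.1.0/24
access-list outside_cryptomap_2 remark to encrypt traffic from 172.16.1.0/24 to 10.10.1.0/24
access-list outside_cryptomap_2 extended permit ip 172.16.1.0 255.255.255.0 10.10.1.0 255.255.255.0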

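!
!Default route toward the upstream gateway. The original next hop 209.165.202.129 is this
!ASA's own outside address, which is not a usable gateway; fill in the real upstream
!router on 209.165.202.128/27 (placeholder, not a value from this page).
route outside 0.0.0.0 0.0.0.0 <LONDON-UPSTREAM-GATEWAY> 1
!
!ASDM/HTTPS management reachable only from the mgmt subnet, never from outside
http server enable
http 172.18.200.0 255.255.255.0 mgmt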

!Transform set to specify encryption and hashing algorithm (phase 2 / IPsec SA)
crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac
!Crypto map configuration for Chicago ASA
!NOTE(review): no "set pfs" on either entry; enabling PFS (on all peers together)
!limits exposure if a phase 1 key leaks. No RRI here: this site has no dynamic
!routing, the default route carries remote traffic to the crypto map.
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 209.165.200.225
crypto map outside_map 1 set transform-set AES-SHA
!Crypto map configuration for New York ASA
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer 209.165.201.1
crypto map outside_map 2 set transform-set AES-SHA
!Bind the map to the interface where the peers terminate
crypto map outside_map interface outside

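!isakmp configure (IKEv1 phase 1). The policy must match on every peer.
!"crypto isakmp enable" takes the interface name; without it IKE is not listening.
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 !"pre-share" is an authentication method, not a cipher; use AES-256 to match the transform set
 encryption aes-256
 hash sha
 !group 5 (1536-bit MODP) is below current guidance; group 14 is the usual minimum,
 !but it has to be changed on all three ASAs at the same time
 group 5
 lifetime 86400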

!L2L tunnel-group configuration for Chicago ASA
!(group name must equal the peer's outside address exactly, or the key is never applied)
tunnel-group 209.165.200.225 type ipsec-l2l
tunnel-group 209.165.200.225 ipsec-attributes
 !demo value: use a long random key that is unique per peer, so a compromise of one
 !site cannot be used to impersonate the others
 pre-shared-key cisco123
!L2L tunnel-group configuration for New York ASA
tunnel-group 209.165.201.1 type ipsec-l2l
tunnel-group 209.165.201.1 ipsec-attributes
 pre-shared-key cisco123

 
