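Requirements:
Remote, acting as the branch office, dials in to the company headquarters, whose edge device is the ASA. Inside2 in the branch and Inside1 at headquarters must be able to reach each other.
PC is an employee working from home who connects to the internal network.
Configuration: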
ASA
The ikev1 keyword (shown in red in the original) must be added on newer software versions.
tunnel-group remote type remote-access
tunnel-group remote general-attributes
address-pool remote
tunnel-group remote ipsec-attributes
ikev1 pre-shared-key remote
!
username blcoffe password blcoffe
!
crypto ikev1 enable Outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
!
crypto ipsec ikev1 transform-set cisco esp-des esp-md5-hmac
crypto dynamic-map dymap 10 set ikev1 transform-set cisco
crypto dynamic-map dymap 10 set reverse-route
!
crypto map cisco 10 ipsec-isakmp dynamic dymap
crypto map cisco interface Outside
Remote
crypto ipsec client ezvpn remote
connect manual
group remote key cisco
mode network-plus
peer 202.100.1.1
Manual dial-in:
Remote#crypto ipsec client ezvpn connect
*Mar 1 01:15:40.615: EZVPN(remote): Pending XAuth Request, Please enter the following command:
*Mar 1 01:15:40.615: EZVPN: crypto ipsec client ezvpn xauth
Remote#crypto ipsec client ezvpn xauth
Username: remote
Password:
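Note: when configuring the EzVPN hardware client, the interfaces must be specified:
interface FastEthernet0/1
crypto ipsec client ezvpn remote inside
interface FastEthernet0/0
crypto ipsec client ezvpn remote outside
Do not rush to test as soon as the configuration is in place. It is best to test from Inside2; if you ping from the Remote router itself, add the source interface, e.g. ping 10.1.1.1 so f0/1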
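
Added example (not part of the original post): the ASA configuration above uses 3DES, MD5 and DH group 2 for IKEv1 and esp-des/esp-md5-hmac in the transform set, all weak by current standards. This Python script audits an ASA config for such settings; the weak-algorithm lists and the function name audit are assumptions of this example, and the sample input is constructed from the ASA lines above.

```python
import re

# Assumed audit policy for this example: algorithms treated as weak.
WEAK_IKE = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

# Constructed sample: the ASA crypto lines from the configuration above.
SAMPLE = """\
crypto ikev1 enable Outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
!
crypto ipsec ikev1 transform-set cisco esp-des esp-md5-hmac
crypto dynamic-map dymap 10 set ikev1 transform-set cisco
"""

def audit(config):
    """Return (context, setting) pairs for weak IKEv1/IPsec parameters."""
    findings = []
    policy = None  # name of the 'crypto ikev1 policy N' block being read, if any
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto ikev1 policy (\d+)$", line)
        if m:
            policy = "ikev1 policy " + m.group(1)
            continue
        ts = re.match(r"crypto ipsec ikev1 transform-set (\S+) (.+)$", line)
        if ts:
            policy = None
            for transform in ts.group(2).split():
                if transform in WEAK_ESP:
                    findings.append(("transform-set " + ts.group(1), transform))
            continue
        words = line.split()
        if policy and len(words) == 2 and words[0] in WEAK_IKE:
            if words[1] in WEAK_IKE[words[0]]:
                findings.append((policy, line))
        elif line == "!" or line.startswith("crypto "):
            policy = None  # any other top-level line ends the policy block
    return findings

if __name__ == "__main__":
    for context, setting in audit(SAMPLE):
        print(f"{context}: weak setting '{setting}'")
```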