防火牆配置IPsec ***

實驗拓撲圖

 

 

 

配置文檔:

 

 

ISP
en
conf t
hostname ISP
! The ISP router only carries the two point-to-point /30 links; each ASA's
! "outside" interface sits directly on one of them, so no routes for the
! private site subnets (172.16.10.0/24, 10.10.33.0/24) are configured here.
! Site-to-site traffic crosses this router only as ESP/IKE packets
! addressed between the ASA outside addresses 100.0.0.1 and 200.0.0.1.

int fa0/0
ip add 100.0.0.2 255.255.255.252
no shut
exit
int fa0/1
ip add 200.0.0.2 255.255.255.252
no shut
exit

 

 

ASA1

en



conf t
hostname ASA1

! Interface roles: inside = trusted LAN (security-level 100),
! outside = link to the ISP (security-level 0).
int e0/0
nameif inside
security-level 100
ip add 172.16.10.254 255.255.255.0
no shut
exit
int e0/1
nameif outside
security-level 0
ip add 100.0.0.1 255.255.255.252
no shut
exit

! Default route: everything not directly connected goes to the ISP (100.0.0.2).
route outside 0 0 100.0.0.2

! NAT: nat-control requires a matching NAT rule for traffic to pass the ASA;
! rule 1 PATs every inside host (0 0) to the outside interface address.
nat-control
nat (inside) 1 0 0
global (outside) 1 int

! NAT exemption (identity NAT, rule 0): inside <-> remote-site traffic must
! keep its original addresses, otherwise it would be PATed and never match
! the crypto ACL below. This ACL deliberately lists the same
! source/destination pair as the crypto ACL.
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 10.10.33.0 255.255.255.0
nat (inside) 0 access-list nonat


! Enable IKE (ISAKMP) negotiation on the outside interface.
crypto isakmp enable outside

! Phase 1 (ISAKMP SA) policy: AES encryption, SHA-1 integrity,
! pre-shared-key authentication, DH group 2, 10800 s (3 h) lifetime.
! NOTE(review): SHA-1 and 1024-bit DH group 2 are below current
! recommendations for a production tunnel; use the strongest hash and DH
! group this ASA software version offers, and keep the policy identical on
! both peers or the negotiation fails.
crypto isakmp policy 1
encryption aes
hash sha
authentication pre-share
group 2
lifetime 10800
exit

! L2L tunnel to peer 200.0.0.1 (ASA2's outside address).
! The pre-shared key "benet" is a lab value shared by both peers; it is the
! only thing authenticating the remote side, so a real deployment needs a
! long random secret, unique per peer.
tunnel-group 200.0.0.1 type ipsec-l2l
tunnel-group 200.0.0.1 ipsec-attributes
pre-shared-key benet
exit


! Crypto ACL ("interesting traffic"): the flows to be encrypted. The ACL
! name appears as *** in this document; whatever it is, it must match the
! name used in "match address" below. ASA2 carries the mirror image of
! this entry (source and destination swapped).
access-list *** extended permit ip 172.16.10.0 255.255.255.0 10.10.33.0 255.255.255.0


! Phase 2 (IPsec SA) proposal: ESP with SHA-1 HMAC integrity and AES encryption.
crypto ipsec transform-set benet-set esp-sha-hmac esp-aes

! Crypto map entry 1: traffic matching the crypto ACL is sent to peer
! 200.0.0.1 protected by transform set benet-set.
crypto map benet-map 1 match address ***
crypto map benet-map 1 set peer 200.0.0.1
crypto map benet-map 1 set transform-set benet-set


! Bind the crypto map to the outside interface; until this line the map is
! inactive. NOTE(review): with the ASA default "sysopt connection
! permit-vpn", decrypted tunnel traffic bypasses the outside interface ACL —
! confirm that is the intended policy for this version/deployment.
crypto map benet-map int outside

 

 

 


ASA2

en



conf t
hostname ASA2

! Interface roles mirror ASA1: e0/0 is the ISP-facing outside (level 0),
! e0/1 is the trusted inside LAN (level 100).
int e0/0
nameif outside
security-level 0
ip add 200.0.0.1 255.255.255.252
no shut
exit
int e0/1
nameif inside
security-level 100
ip add 10.10.33.254 255.255.255.0
no shut
exit


! Default route: everything not directly connected goes to the ISP (200.0.0.2).
route outside 0 0 200.0.0.2


! NAT: nat-control requires a matching NAT rule for traffic to pass the ASA;
! rule 1 PATs every inside host (0 0) to the outside interface address.
nat-control
nat (inside) 1 0 0
global (outside) 1 int

! NAT exemption (identity NAT, rule 0): traffic for the remote site keeps
! its original addresses so it can match the crypto ACL below. Same
! source/destination pair as the crypto ACL, i.e. the mirror of ASA1's nonat.
access-list nonat extended permit ip 10.10.33.0 255.255.255.0 172.16.10.0 255.255.255.0
nat (inside) 0 access-list nonat


! Enable IKE (ISAKMP) negotiation on the outside interface.
crypto isakmp enable outside

! Phase 1 (ISAKMP SA) policy — must match ASA1's policy 1 exactly:
! AES, SHA-1, pre-shared key, DH group 2, 10800 s lifetime.
! NOTE(review): SHA-1 and DH group 2 are weak by current standards; prefer
! the strongest hash/group the ASA version supports on both peers.
crypto isakmp policy 1
encryption aes
hash sha
authentication pre-share
group 2
lifetime 10800
exit

! L2L tunnel to peer 100.0.0.1 (ASA1's outside address), same PSK as ASA1.
! "benet" is a lab value; a production key should be long, random and
! unique to this peer pair.
tunnel-group 100.0.0.1 type ipsec-l2l
tunnel-group 100.0.0.1 ipsec-attributes
pre-shared-key benet
exit


! Crypto ACL: mirror of ASA1's entry (source and destination swapped).
! The ACL name appears as *** in this document; it must match the name in
! "match address" below.
access-list *** extended permit ip 10.10.33.0 255.255.255.0 172.16.10.0 255.255.255.0


! Phase 2 (IPsec SA) proposal: ESP with SHA-1 HMAC integrity and AES encryption.
crypto ipsec transform-set benet-set esp-sha-hmac esp-aes

! Crypto map entry 1: traffic matching the crypto ACL goes to peer
! 100.0.0.1 protected by transform set benet-set.
crypto map benet-map 1 match address ***
crypto map benet-map 1 set peer 100.0.0.1
crypto map benet-map 1 set transform-set benet-set


! Bind the crypto map to the outside interface to activate it.
! NOTE(review): ASA's default "sysopt connection permit-vpn" lets decrypted
! tunnel traffic bypass the outside interface ACL — verify this matches the
! intended policy.
crypto map benet-map int outside

 

 

 

本文原創由曼尼發佈http://mannysys.com
