實驗拓撲圖
配置文檔:
ISP
! ISP router: two /30 point-to-point links, one to each ASA outside interface.
! No static routes are configured; both ASA outside subnets are directly
! connected. The private LANs (172.16.10.0/24 and 10.10.33.0/24) are unknown
! to the ISP and are expected to cross it only inside the ESP tunnel between
! 100.0.0.1 and 200.0.0.1 (or PAT'd to those addresses by the ASAs).
en
conf t
hostname ISP
! fa0/0 faces ASA1 outside (100.0.0.1/30)
int fa0/0
ip add 100.0.0.2 255.255.255.252
no shut
exit
! fa0/1 faces ASA2 outside (200.0.0.1/30)
int fa0/1
ip add 200.0.0.2 255.255.255.252
no shut
exit
ASA1
! ASA1: inside 172.16.10.0/24, outside 100.0.0.1/30. Builds an IKEv1/IPsec
! LAN-to-LAN tunnel to ASA2 (200.0.0.1) for traffic between the two LANs.
en
conf t
hostname ASA1
! Inside interface: highest security level (100)
int e0/0
nameif inside
security-level 100
ip add 172.16.10.254 255.255.255.0
no shut
exit
! Outside interface: lowest security level (0); also the IKE/IPsec endpoint
int e0/1
nameif outside
security-level 0
ip add 100.0.0.1 255.255.255.252
no shut
exit
! Default route via the ISP link
route outside 0 0 100.0.0.2
! PAT (pre-8.3 NAT syntax): all inside hosts share the outside interface
! address for Internet-bound traffic. nat-control requires every
! inside->outside flow to match some NAT rule.
nat-control
nat (inside) 1 0 0
global (outside) 1 int
! NAT exemption: LAN-to-LAN traffic must not be translated, otherwise the
! packets would never match the crypto ACL. This ACL mirrors the crypto ACL
! (same source/destination networks) and must be kept in sync with it.
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 10.10.33.0 255.255.255.0
nat (inside) 0 access-list nonat
! Enable ISAKMP (IKEv1) on the outside interface
crypto isakmp enable outside
! Phase 1 (IKE SA) policy: AES, SHA-1, pre-shared key, DH group 2 (1024-bit
! MODP), 10800 s (3 h) lifetime. Must match ASA2's policy. SHA-1 and group 2
! are weak by current standards; prefer a stronger DH group (or IKEv2) where
! the platform version supports it.
crypto isakmp policy 1
encryption aes
hash sha
authentication pre-share
group 2
lifetime 10800
exit
! LAN-to-LAN tunnel group keyed by the peer's outside address. The PSK is a
! lab value; it must match ASA2's and should be a long random secret in any
! real deployment (it is also visible in the config unless obfuscated).
tunnel-group 200.0.0.1 type ipsec-l2l
tunnel-group 200.0.0.1 ipsec-attributes
pre-shared-key benet
exit
! Crypto ACL ("interesting traffic"): "***" appears to be a placeholder or
! redacted ACL name; whatever name is used must be identical in the
! "match address" line below. Mirror image of ASA2's crypto ACL.
access-list *** extended permit ip 172.16.10.0 255.255.255.0 10.10.33.0 255.255.255.0
! Phase 2 (IPsec SA) proposal: ESP with SHA-1 HMAC integrity and AES
! encryption. Must match ASA2's transform set.
crypto ipsec transform-set benet-set esp-sha-hmac esp-aes
! Crypto map entry 1: interesting traffic, peer, transform set. No "set pfs"
! is configured, so Phase 2 keys are derived without a fresh DH exchange.
crypto map benet-map 1 match address ***
crypto map benet-map 1 set peer 200.0.0.1
crypto map benet-map 1 set transform-set benet-set
! Bind the crypto map to the outside interface
crypto map benet-map int outside
ASA2
! ASA2: outside 200.0.0.1/30, inside 10.10.33.0/24. Mirror of ASA1's
! configuration; peer is ASA1's outside address (100.0.0.1).
en
conf t
hostname ASA2
! Outside interface: lowest security level (0); also the IKE/IPsec endpoint
int e0/0
nameif outside
security-level 0
ip add 200.0.0.1 255.255.255.252
no shut
exit
! Inside interface: highest security level (100)
int e0/1
nameif inside
security-level 100
ip add 10.10.33.254 255.255.255.0
no shut
exit
! Default route via the ISP link
route outside 0 0 200.0.0.2
! PAT (pre-8.3 NAT syntax): all inside hosts share the outside interface
! address for Internet-bound traffic. nat-control requires every
! inside->outside flow to match some NAT rule.
nat-control
nat (inside) 1 0 0
global (outside) 1 int
! NAT exemption: LAN-to-LAN traffic must not be translated, otherwise the
! packets would never match the crypto ACL. This ACL mirrors the crypto ACL
! (same source/destination networks) and must be kept in sync with it.
access-list nonat extended permit ip 10.10.33.0 255.255.255.0 172.16.10.0 255.255.255.0
nat (inside) 0 access-list nonat
! Enable ISAKMP (IKEv1) on the outside interface
crypto isakmp enable outside
! Phase 1 (IKE SA) policy: AES, SHA-1, pre-shared key, DH group 2 (1024-bit
! MODP), 10800 s (3 h) lifetime. Must match ASA1's policy. SHA-1 and group 2
! are weak by current standards; prefer a stronger DH group (or IKEv2) where
! the platform version supports it.
crypto isakmp policy 1
encryption aes
hash sha
authentication pre-share
group 2
lifetime 10800
exit
! LAN-to-LAN tunnel group keyed by the peer's outside address. The PSK is a
! lab value; it must match ASA1's and should be a long random secret in any
! real deployment (it is also visible in the config unless obfuscated).
tunnel-group 100.0.0.1 type ipsec-l2l
tunnel-group 100.0.0.1 ipsec-attributes
pre-shared-key benet
exit
! Crypto ACL ("interesting traffic"): "***" appears to be a placeholder or
! redacted ACL name; whatever name is used must be identical in the
! "match address" line below. Mirror image of ASA1's crypto ACL.
access-list *** extended permit ip 10.10.33.0 255.255.255.0 172.16.10.0 255.255.255.0
! Phase 2 (IPsec SA) proposal: ESP with SHA-1 HMAC integrity and AES
! encryption. Must match ASA1's transform set.
crypto ipsec transform-set benet-set esp-sha-hmac esp-aes
! Crypto map entry 1: interesting traffic, peer, transform set. No "set pfs"
! is configured, so Phase 2 keys are derived without a fresh DH exchange.
crypto map benet-map 1 match address ***
crypto map benet-map 1 set peer 100.0.0.1
crypto map benet-map 1 set transform-set benet-set
! Bind the crypto map to the outside interface
crypto map benet-map int outside
本文原創由曼尼發佈http://mannysys.com