Lab: IPsec VPN

 
Lab requirements:
ASA1 simulates the enterprise headquarters network, ASA2 simulates the branch network, and R1 and R2 simulate Internet routers.
Hosts at headquarters and at the branch must be able to reach the public network through NAT, and headquarters hosts and branch
hosts must be able to reach each other through the IPsec VPN.
Configuration steps:
1: Basic interface configuration:
ASA1(config)# int e0/0
ASA1(config-if)# nameif inside
ASA1(config-if)# ip add 192.168.1.1 255.255.255.0
ASA1(config-if)# no sh
ASA1(config-if)# int e0/1
ASA1(config-if)# nameif outside
ASA1(config-if)# ip add 10.0.0.1 255.255.255.252
ASA1(config-if)# no sh
R1(config)#int f1/0
R1(config-if)#ip add 10.0.0.2 255.255.255.252
R1(config-if)#no sh
R1(config-if)#int f0/0
R1(config-if)#ip add 12.0.0.1 255.255.255.252
R1(config-if)#no sh
R2(config)#int f0/0
R2(config-if)#ip add 12.0.0.2 255.255.255.252
R2(config-if)#no sh
R2(config-if)#int f1/0
R2(config-if)#ip add 23.0.0.2 255.255.255.252
R2(config-if)#no sh
ASA2(config)# int e0/1
ASA2(config-if)# nameif outside
ASA2(config-if)# ip add 23.0.0.1 255.255.255.252
ASA2(config-if)# no sh
ASA2(config-if)# int e0/0
ASA2(config-if)# nameif inside
ASA2(config-if)# ip add 172.16.1.1 255.255.255.0
ASA2(config-if)# no sh
2: Routing (ASA default routes point at the adjacent ISP router; R1 and R2 route the two /30 WAN links):
ASA1(config)# route outside 0 0 10.0.0.2
R1(config)#ip route 23.0.0.0 255.255.255.252 12.0.0.2
R2(config)#ip route 10.0.0.0 255.255.255.252 12.0.0.1
ASA2(config)# route outside 0 0 23.0.0.2
3: Configure NAT (PAT on the outside interface) so inside users can reach the public network, and allow echo-replies back in:
ASA1(config)# nat (inside) 1 0 0
ASA1(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool
ASA2(config)# nat (inside) 1 0 0
ASA2(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool
ASA1(config)# access-list permitICMP permit icmp any any echo-reply
ASA1(config)# access-group permitICMP in interface outside
ASA2(config)# access-list permitICMP permit icmp any any echo-reply
ASA2(config)# access-group permitICMP in interface outside
4: IPsec VPN configuration:
(1) Configure the management connection (ISAKMP/IKE phase 1 policy and pre-shared key):
ASA1(config)# crypto isakmp enable outside
ASA1(config)# crypto isakmp policy 1
ASA1(config-isakmp-policy)# encryption aes
ASA1(config-isakmp-policy)# hash md5
ASA1(config-isakmp-policy)# group 2
ASA1(config-isakmp-policy)# authentication pre-share
ASA1(config-isakmp-policy)# exit
ASA1(config)# isakmp key cisco address 23.0.0.1
 
ASA2(config)# crypto isakmp enable outside
ASA2(config)# crypto isakmp policy 1
ASA2(config-isakmp-policy)# encryption aes
ASA2(config-isakmp-policy)# hash md5
ASA2(config-isakmp-policy)# group 2
ASA2(config-isakmp-policy)# authentication pre-share
ASA2(config-isakmp-policy)# exit
ASA2(config)# isakmp key cisco address 10.0.0.1
(2) Configure the data connection (IPsec phase 2 transform set):
ASA1(config)# crypto ipsec transform-set mytrans esp-aes esp-md5-hmac
ASA2(config)# crypto ipsec transform-set mytrans esp-aes esp-md5-hmac
(3) Configure the crypto map (the crypto ACL selects the interesting traffic, and the same ACL is used for NAT exemption so site-to-site traffic is not PATed):
ASA1(config)# access-list vpn1 extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
ASA1(config)# nat (inside) 0 access-list vpn1
ASA1(config)# crypto map mymap 1 match address vpn1
ASA1(config)# crypto map mymap 1 set transform-set mytrans
ASA1(config)# crypto map mymap 1 set peer 23.0.0.1
 
ASA2(config)# access-list vpn2 permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
ASA2(config)# nat (inside) 0 access-list vpn2
 
ASA2(config)# crypto map mymap 1 match address vpn2
ASA2(config)# crypto map mymap 1 set transform-set mytrans
ASA2(config)# crypto map mymap 1 set peer 10.0.0.1
(4) Apply the crypto map to the outside interface:
ASA1(config)# crypto map mymap interface outside
ASA2(config)# crypto map mymap interface outside
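The most common reasons a tunnel like this never comes up are mismatches between the two peers: a phase-1 attribute that differs, a peer address or pre-shared key that does not point at the other side's outside interface, a crypto ACL that is not the exact mirror of its counterpart, or a missing NAT exemption that lets PAT rewrite the interesting traffic before IPsec sees it. The script below is an added example, not part of the lab and not a Cisco tool: it parses the ASA1 and ASA2 commands from steps 4(1) through 4(3) (transcribed here with the prompts stripped, as a constructed sample), checks both configs against each other, and also flags the algorithms the lab uses that are deprecated today (MD5 hashing, DH group 2, esp-md5-hmac). The outside addresses are passed in separately because the interface commands are in step 1, not in the crypto section; `check_pair` and the regexes are assumptions of this example.

```python
import re

# Constructed sample: ASA1's and ASA2's IPsec-related commands from the lab,
# with the "ASAx(config)#" prompts stripped so the parser sees plain config lines.
ASA1_CFG = """
crypto isakmp policy 1
 encryption aes
 hash md5
 group 2
 authentication pre-share
isakmp key cisco address 23.0.0.1
crypto ipsec transform-set mytrans esp-aes esp-md5-hmac
access-list vpn1 extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list vpn1
crypto map mymap 1 match address vpn1
crypto map mymap 1 set transform-set mytrans
crypto map mymap 1 set peer 23.0.0.1
"""
ASA2_CFG = """
crypto isakmp policy 1
 encryption aes
 hash md5
 group 2
 authentication pre-share
isakmp key cisco address 10.0.0.1
crypto ipsec transform-set mytrans esp-aes esp-md5-hmac
access-list vpn2 permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list vpn2
crypto map mymap 1 match address vpn2
crypto map mymap 1 set transform-set mytrans
crypto map mymap 1 set peer 10.0.0.1
"""

POLICY_ATTRS = ("encryption", "hash", "group", "authentication")
WEAK_HASH, WEAK_GROUPS = {"md5"}, {"1", "2"}
WEAK_TRANSFORMS = {"esp-md5-hmac", "esp-des", "esp-3des"}


def parse_asa(cfg):
    """Extract ISAKMP policy, PSKs, transform sets, ACLs, NAT exemption and crypto map entries."""
    d = {"policy": {}, "keys": {}, "transforms": {}, "acls": {}, "nat0": set(), "map": {}}
    in_policy = False
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("crypto isakmp policy"):
            in_policy = True
            continue
        if in_policy and line.split()[0] in POLICY_ATTRS:   # indented policy attributes
            k, v = line.split(None, 1)
            d["policy"][k] = v
            continue
        in_policy = False
        if m := re.match(r"(?:crypto )?isakmp key (\S+) address (\S+)$", line):
            d["keys"][m[2]] = m[1]                            # peer address -> PSK
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            d["transforms"][m[1]] = m[2].split()
        elif m := re.match(r"access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            d["acls"].setdefault(m[1], []).append(((m[2], m[3]), (m[4], m[5])))  # (src, dst)
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)$", line):
            d["nat0"].add(m[1])
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set transform-set|set peer) (\S+)$", line):
            d["map"].setdefault((m[1], m[2]), {})[m[3]] = m[4]
    return d


def check_pair(cfg_a, ip_a, cfg_b, ip_b):
    """Return (errors, warnings) for two peers; ip_a/ip_b are the ASAs' outside addresses."""
    a, b = parse_asa(cfg_a), parse_asa(cfg_b)
    errors, warnings = [], []
    for attr in POLICY_ATTRS:                     # phase 1 must agree attribute by attribute
        if a["policy"].get(attr) != b["policy"].get(attr):
            errors.append(f"isakmp {attr}: {a['policy'].get(attr)} vs {b['policy'].get(attr)}")
    if a["policy"].get("hash") in WEAK_HASH:
        warnings.append("isakmp hash md5 is deprecated; prefer sha (sha256 where supported)")
    if a["policy"].get("group") in WEAK_GROUPS:
        warnings.append(f"DH group {a['policy'].get('group')} is too small; prefer 14 or higher")
    if a["keys"].get(ip_b) is None or a["keys"].get(ip_b) != b["keys"].get(ip_a):
        errors.append("pre-shared keys are missing or differ")
    entries = []
    for name, side, other_ip in (("ASA-A", a, ip_b), ("ASA-B", b, ip_a)):
        if not side["map"]:
            errors.append(f"{name}: no crypto map entry")
            return errors, warnings
        e = next(iter(side["map"].values()))
        entries.append(e)
        if e.get("set peer") != other_ip:
            errors.append(f"{name}: peer {e.get('set peer')} is not the remote outside address {other_ip}")
        ts = side["transforms"].get(e.get("set transform-set"))
        if ts is None:
            errors.append(f"{name}: transform-set {e.get('set transform-set')} is not defined")
        elif WEAK_TRANSFORMS & set(ts):
            warnings.append(f"{name}: weak transform(s) {sorted(WEAK_TRANSFORMS & set(ts))}")
        acl = e.get("match address")
        if acl not in side["acls"]:
            errors.append(f"{name}: crypto ACL {acl} is not defined")
        if acl not in side["nat0"]:
            errors.append(f"{name}: crypto ACL {acl} is not NAT-exempted (nat (inside) 0)")
    ta = a["transforms"].get(entries[0].get("set transform-set")) or []
    tb = b["transforms"].get(entries[1].get("set transform-set")) or []
    if set(ta) != set(tb):
        errors.append(f"transform sets differ: {ta} vs {tb}")
    # the crypto ACLs must be exact mirrors: A's (src, dst) pairs == B's (dst, src) pairs
    mirror_a = {(dst, src) for src, dst in a["acls"].get(entries[0].get("match address"), [])}
    flows_b = set(b["acls"].get(entries[1].get("match address"), []))
    if mirror_a != flows_b:
        errors.append("crypto ACLs are not mirror images of each other")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_pair(ASA1_CFG, "10.0.0.1", ASA2_CFG, "23.0.0.1")
    print("errors:", errs or "none")
    for w in warns:
        print("warning:", w)
```

For the lab config the checker reports no errors and four warnings (MD5 hash, DH group 2, and esp-md5-hmac on each side). Changing `group 2` to `group 5` on ASA2 only, or deleting one side's `nat (inside) 0 access-list` line, produces an error, which mirrors the two most common real-world outcomes: phase 1 never completes, or phase 1 completes but the interesting traffic is PATed and never matches the crypto ACL.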