L2L VPN on ASA/Router
Topology:
10.1.2.1/Inside/10.1.1.1-----10.1.1.10/ASA/202.1.1.10------202.1.1.1/Internet/64.1.1.1------64.1.1.10/GW/20.1.1.10-----20.1.1.1/Private/20.1.2.1
=====================Initial configuration==========================
Inside
int lo0
ip add 10.1.2.1 255.255.255.0
int f0/7
ip add 10.1.1.1 255.255.255.0
no sh
ip route 20.1.2.0 255.255.255.0 10.1.1.10
ASA
int e0/0
nameif inside
ip add 10.1.1.10 255.255.255.0
no sh
int e0/1
nameif outside
ip add 202.1.1.10 255.255.255.0
access-list out permit icmp any any echo-reply
access-group out in interface outside
route outside 64.1.1.10 255.255.255.255 202.1.1.1
route outside 20.1.2.0 255.255.255.0 202.1.1.1
route inside 10.1.2.0 255.255.255.0 10.1.1.1
Internet
int f0/0
ip add 202.1.1.1 255.255.255.0
no sh
int f0/1
ip add 64.1.1.1 255.255.255.0
no sh
GW
int f0/0
ip add 64.1.1.10 255.255.255.0
no sh
int f0/1
ip add 20.1.1.10 255.255.255.0
no sh
ip route 202.1.1.1 255.255.255.255 64.1.1.1
ip route 10.1.2.0 255.255.255.0 64.1.1.1
ip route 20.1.2.0 255.255.255.0 20.1.1.1
Private
int f0/0
ip add 20.1.1.1 255.255.255.0
no sh
int lo0
ip add 20.1.2.1 255.255.255.0
ip route 10.1.2.0 255.255.255.0 20.1.1.1
Before doing the configuration below, make sure the ASA can ping the GW.
===================PAT configuration==============================
ASA
nat (inside) 1 10.1.1.0 255.255.255.0
nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 interface
GW
ip access-list extended pat
permit ip 20.1.1.0 0.0.0.255 any
permit ip 20.1.2.0 0.0.0.255 any
ip nat inside source list pat interface f0/0 overload
int f0/0
ip nat outside
int f0/1
ip nat inside
===================L2L configuration==============================
GW
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 202.1.1.10
!
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
set peer 202.1.1.10
set transform-set cisco
match address vpn
ip access-list extended vpn
permit ip 20.1.2.0 0.0.0.255 10.1.2.0 0.0.0.255
int f0/0
crypto map cisco
ip access-list extended pat
5 deny ip 20.1.2.0 0.0.0.255 10.1.2.0 0.0.0.255 //exempt the interesting (VPN) traffic from PAT
ASA
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group 64.1.1.10 type ipsec-l2l
tunnel-group 64.1.1.10 ipsec-attributes
pre-shared-key cisco
crypto ipsec transform-set cisco esp-des esp-md5-hmac
access-list vpn extended permit ip 10.1.2.0 255.255.255.0 20.1.2.0 255.255.255.0
crypto map cisco 10 match address vpn
crypto map cisco 10 set peer 64.1.1.10
crypto map cisco 10 set transform-set cisco
crypto map cisco interface outside
Let the Private VPN traffic traverse the firewall (exempt it from NAT)
nat (inside) 0 access-list nonat
access-list nonat extended permit ip 10.1.2.0 255.255.255.0 20.1.2.0 255.255.255.0
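As an added check (example code, not part of the original lab): a small Python audit that parses the ASA netmask-style and IOS wildcard-style ACEs used above, confirms that the two crypto ACLs mirror each other (a proxy-identity mismatch is the usual reason Phase 2 never comes up), and confirms that the ASA nonat list and the "5 deny" line in the router's pat list keep the interesting traffic out of PAT. The ACL contents are constructed from this lab; the function names are my own.

```python
import ipaddress

def _net(addr, mask, wildcard):
    """Address + IOS wildcard (wildcard=True) or ASA netmask -> IPv4Network."""
    m = int(ipaddress.IPv4Address(mask))
    if wildcard:                      # IOS 0.0.0.255 is the inverse of 255.255.255.0
        m ^= 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(m))))

def _take_net(toks, wildcard):
    t = toks.pop(0)
    if t == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    return _net(t, toks.pop(0), wildcard)

def parse_ace(line, wildcard):
    """'[seq] permit|deny ip SRC DST' -> (action, src_net, dst_net)."""
    toks = line.split()
    if toks[0].isdigit():             # IOS sequence number, e.g. '5 deny ip ...'
        toks.pop(0)
    action, _proto = toks.pop(0), toks.pop(0)
    return action, _take_net(toks, wildcard), _take_net(toks, wildcard)

def first_match(acl, src, dst):
    """Top-down ACL evaluation, including the implicit deny at the end."""
    for action, s, d in acl:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
    return "deny"

def unmirrored(asa_crypto, ios_crypto):
    """ASA crypto ACEs with no src/dst-swapped twin on the router (Phase 2 proxy-ID mismatch)."""
    ios = {(s, d) for a, s, d in (parse_ace(l, True) for l in ios_crypto) if a == "permit"}
    return [(s, d) for a, s, d in (parse_ace(l, False) for l in asa_crypto)
            if a == "permit" and (d, s) not in ios]

def still_translated(crypto, nat_acl, wildcard, translated_on):
    """Crypto ACEs the NAT ACL would still translate before encryption.
    ASA 'nat 0 access-list' exempts on permit -> translated_on='deny';
    IOS 'ip nat inside source list' translates on permit -> translated_on='permit'."""
    nat = [parse_ace(l, wildcard) for l in nat_acl]
    return [(s, d) for a, s, d in (parse_ace(l, wildcard) for l in crypto)
            if a == "permit" and first_match(nat, s, d) == translated_on]

# Constructed from this lab: ASA ACEs use netmasks, router ACEs use wildcards.
ASA_CRYPTO = ["permit ip 10.1.2.0 255.255.255.0 20.1.2.0 255.255.255.0"]
ASA_NONAT = ["permit ip 10.1.2.0 255.255.255.0 20.1.2.0 255.255.255.0"]
GW_CRYPTO = ["permit ip 20.1.2.0 0.0.0.255 10.1.2.0 0.0.0.255"]
GW_PAT = ["5 deny ip 20.1.2.0 0.0.0.255 10.1.2.0 0.0.0.255",
          "permit ip 20.1.1.0 0.0.0.255 any", "permit ip 20.1.2.0 0.0.0.255 any"]
```

All three checks return an empty list for the lab as configured; drop the "5 deny" line from GW_PAT and the router-side check reports 20.1.2.0/24 -> 10.1.2.0/24 as traffic that would be PATed instead of encrypted.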
Only allow Private to telnet to Inside
no sysopt connection permit-vpn //VPN traffic will now be checked by the interface access list
access-list out extended permit tcp 20.1.2.0 255.255.255.0 10.1.2.0 255.255.255.0 eq telnet
access-group out in interface outside