1. Define the address pool:
ip local pool L2TP×××Pool 10.1.2.55-10.1.2.59 mask 255.255.255.0
2. Define the group policy:
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 10.1.2.140 10.1.2.35
vpn-tunnel-protocol l2tp-ipsec
default-domain value Antec-Beijing.com
3. Define the tunnel group:
tunnel-group DefaultRAGroup general-attributes
address-pool L2TP×××Pool
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key Antec@1986
tunnel-group DefaultRAGroup ppp-attributes
authentication chap
authentication ms-chap-v2
4. Enable and define ISAKMP:
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
5. Define the IPsec transform set:
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
6. Define the crypto map and apply it to the outside interface:
crypto dynamic-map outside_dyn_map 65535 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
7. Bypass NAT (NAT exemption):
access-list inside_nat0_outbound extended permit ip 10.1.2.0 255.255.255.0 10.1.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
8. Enable NAT traversal. If a PAT device sits between the two peers, the IPsec tunnel cannot carry traffic without it; if this is not set, the dial-up attempt fails with error "789":
crypto isakmp nat-traversal 30
9. Configure local user authentication:
username antec password antec1986 mschap
username antec attributes
vpn-group-policy DefaultRAGroup
vpn-tunnel-protocol IPSec l2tp-ipsec
10. Allow traffic to enter and leave through the same interface:
same-security-traffic permit intra-interface
11. Enable the IPsec hairpinning feature, which lets VPN client traffic reach the Internet through the ASA's outside interface:
nat (outside) 1 10.1.2.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
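The eleven steps above form one procedure, and two things in it are worth checking automatically before the configuration goes live: the algorithms chosen in step 4 and step 5, and whether every address the pool from step 1 can hand out is actually matched by the NAT-exempt access list from step 7. The following Python script is an added example, not code from the original page or from Cisco; it parses those commands from a configuration snippet and reports findings. The sample configuration is constructed from the commands above, the pool name L2TP_POOL is a placeholder, and parse_config/audit are this example's own function names. The check only flags algorithms that are unambiguously weak (DES, 3DES, MD5 and DH groups 1, 2 and 5); SHA-1 HMAC is left alone because it remains acceptable for IKE and ESP integrity.

```python
"""Offline audit of a Cisco ASA L2TP/IPsec (IKEv1) configuration snippet.

Checks the ISAKMP policy and IPsec transform set for algorithms a defender
would not deploy today, and checks that every address the L2TP pool can
hand out is matched by the NAT-exempt (nat 0) access list, so client
traffic is not translated by mistake.
"""
import ipaddress

# Constructed sample built from the configuration steps above. The pool name
# is a placeholder; the remaining commands mirror the page.
SAMPLE_CONFIG = """\
ip local pool L2TP_POOL 10.1.2.55-10.1.2.59 mask 255.255.255.0
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
access-list inside_nat0_outbound extended permit ip 10.1.2.0 255.255.255.0 10.1.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""

# Algorithms that are safe to call weak: single/triple DES, MD5 and the
# 768/1024/1536-bit MODP Diffie-Hellman groups. 'hash sha' (SHA-1) and
# esp-sha-hmac are not flagged: HMAC-SHA1 is still acceptable for integrity.
WEAK_IKE_ENCRYPTION = {"des", "3des"}
WEAK_IKE_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_ESP = {"esp-null", "esp-des", "esp-3des", "esp-md5-hmac"}
POLICY_KEYS = {"authentication", "encryption", "hash", "group", "lifetime"}


def parse_config(text):
    """Extract pools, ISAKMP policies, transform sets, ACLs and nat 0 bindings."""
    cfg = {"pools": {}, "isakmp": {}, "transform_sets": {}, "acls": {}, "nat0": []}
    policy = None  # the 'crypto isakmp policy' block currently being filled
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        line = " ".join(tokens)
        if line.startswith("crypto isakmp policy "):
            policy = cfg["isakmp"].setdefault(tokens[3], {})
            continue
        if policy is not None and tokens[0] in POLICY_KEYS:
            policy[tokens[0]] = tokens[1]
            continue
        policy = None  # any other command ends the policy block
        if line.startswith("ip local pool "):
            # ip local pool NAME FIRST-LAST mask MASK
            first, last = tokens[4].split("-")
            cfg["pools"][tokens[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif line.startswith("crypto ipsec transform-set ") and tokens[4] != "mode":
            cfg["transform_sets"][tokens[3]] = tokens[4:]
        elif line.startswith("access-list ") and tokens[3:5] == ["permit", "ip"]:
            # access-list NAME extended permit ip SRC SRCMASK DST DSTMASK
            src = ipaddress.ip_network(f"{tokens[5]}/{tokens[6]}", strict=False)
            dst = ipaddress.ip_network(f"{tokens[7]}/{tokens[8]}", strict=False)
            cfg["acls"].setdefault(tokens[1], []).append((src, dst))
        elif line.startswith("nat (") and len(tokens) >= 5 and tokens[2:4] == ["0", "access-list"]:
            # nat (IFACE) 0 access-list NAME  -> NAT exemption
            cfg["nat0"].append(tokens[4])
    return cfg


def audit(cfg):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    for num, pol in sorted(cfg["isakmp"].items()):
        if pol.get("encryption") in WEAK_IKE_ENCRYPTION:
            findings.append(f"isakmp policy {num}: weak encryption {pol['encryption']}")
        if pol.get("hash") in WEAK_IKE_HASH:
            findings.append(f"isakmp policy {num}: weak hash {pol['hash']}")
        if pol.get("group") in WEAK_DH_GROUPS:
            findings.append(f"isakmp policy {num}: weak DH group {pol['group']}")
    for name, algs in cfg["transform_sets"].items():
        for alg in algs:
            if alg in WEAK_ESP:
                findings.append(f"transform-set {name}: weak algorithm {alg}")
    # The nat 0 ACL is written from the inside network towards the VPN clients,
    # so every pool address must fall inside one of its destination networks.
    exempt_dsts = [dst for acl in cfg["nat0"] for _, dst in cfg["acls"].get(acl, [])]
    for name, (first, last) in cfg["pools"].items():
        addr = first
        while addr <= last:
            if not any(addr in dst for dst in exempt_dsts):
                findings.append(f"pool {name}: {addr} is not covered by the NAT exemption")
                break
            addr += 1
    return findings


def audit_text(text):
    """Convenience wrapper: parse and audit a configuration string."""
    return audit(parse_config(text))


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the sample, the audit reports three findings: 3DES in ISAKMP policy 10, DH group 2, and esp-3des in the transform set. The pool check passes because 10.1.2.55-10.1.2.59 lies inside the 10.1.2.0/24 destination of inside_nat0_outbound; if the pool were moved to another subnet without updating that ACL, the audit would name the first uncovered address. Replacing the flagged algorithms with AES-256 and DH group 14 clears the findings, assuming the ASA software version in use offers those options for IKEv1.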