1. Network topology diagram
(Figure: network topology diagram)
2. ASA configuration in detail
Some parts have been omitted.
ASA5510# show run
: Saved
:
ASA Version 7.2(3)
!
hostname ASA5510
domain-name zqy.com
enable password oQMJ3TXqSC.skFhg encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address …… 255.255.255.252
!
interface Ethernet0/1
 nameif dmz
 security-level 50
 ip address 192.168.100.254 255.255.255.0
!
interface Ethernet0/2
 nameif inside2
 security-level 100
 ip address 10.0.0.5 255.255.255.252
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone HKST 8
dns server-group DefaultDNS
 domain-name zqy.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list in-out-nat extended deny ip host 192.168.1.188 any
access-list in-out-nat extended permit ip 192.168.1.0 255.255.255.0 any
…… (a large part of the configuration is omitted here)
ip local pool ezvpn_pool 172.16.10.100-172.16.10.200 mask 255.255.255.0
no failover
nat-control
global (outside) ……
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (inside2) 1 0.0.0.0 0.0.0.0
static (inside2,outside) ……
…… (a large part omitted)
access-group out-in in interface outside
access-group dmz-out-nat in interface dmz
access-group in-out-nat in interface inside2
route outside ……
!
aaa-server vpn_radius protocol radius
aaa-server vpn_radius (inside2) host 192.168.1.7
 timeout 5
 key ASA5510
aaa authentication enable console vpn_radius
aaa accounting enable console vpn_radius
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
console timeout 0
!
group-policy vpngroup internal
group-policy vpngroup attributes
 wins-server value 172.16.10.100 172.16.10.100
 dns-server value 192.168.1.13 192.168.1.14
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ezvpn_splitTunnelAcl
 default-domain value ipgchina.com
username zqy password O0qvlbgGwBBckWRt encrypted privilege 15
tunnel-group vpngroup type ipsec-ra
tunnel-group vpngroup general-attributes
 address-pool ezvpn_pool
 authentication-server-group vpn_radius
 default-group-policy vpngroup
tunnel-group vpngroup ipsec-attributes
 pre-shared-key *
smtp-server 192.168.0.155 192.168.0.156
prompt hostname context
Cryptochecksum:e53fcc41c616ae28c746da88e6d1e65a
: end
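
An added example, not part of the original post: a small Python audit that walks a flat "show run" listing like the one above and flags the settings in it that are weak by current standards (3DES for IKE and ESP, Diffie-Hellman group 2, a RADIUS shared key identical to the hostname, a console with no idle timeout). The names `SAMPLE`, `MODES`, `audit` and the rule ids are assumptions made for this example.

```python
import re

# Constructed sample: lines copied from the configuration on this page, flat
# (without the one-space indentation that "show run" normally prints).
SAMPLE = """\
hostname ASA5510
aaa-server vpn_radius (inside2) host 192.168.1.7
timeout 5
key ASA5510
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto isakmp policy 10
authentication pre-share
encryption 3des
group 2
console timeout 0
"""

# Parent modes we track: (line that enters the mode, sub-commands that stay in it).
MODES = {
    "isakmp": (r"crypto isakmp policy \d+$",
               {"authentication", "encryption", "hash", "group", "lifetime"}),
    "aaa-host": (r"aaa-server \S+ \(\S+\) host \S+", {"timeout", "key"}),
}

def audit(config):
    """Return (line_no, rule_id) findings; rule ids are hypothetical labels."""
    m = re.search(r"^hostname (\S+)", config, re.M)
    hostname = m.group(1).lower() if m else None
    findings, mode = [], None
    for n, raw in enumerate(config.splitlines(), 1):
        words = raw.split()
        if not words or words[0] in ("!", ":"):
            continue
        line = " ".join(words)
        entered = [k for k, (pat, _) in MODES.items() if re.match(pat, line)]
        if entered:
            mode = entered[0]
            continue
        if mode and words[0] not in MODES[mode][1]:
            mode = None  # a command outside the sub-mode ends it
        checks = {
            "IKE-3DES": mode == "isakmp" and line == "encryption 3des",
            "IKE-DH-GROUP2": mode == "isakmp" and line == "group 2",  # 1024-bit MODP
            "RADIUS-KEY-EQUALS-HOSTNAME": mode == "aaa-host" and len(words) == 2
                and words[0] == "key" and words[1].lower() == hostname,
            "ESP-3DES": line.startswith("crypto ipsec transform-set") and "esp-3des" in words,
            "CONSOLE-NO-IDLE-TIMEOUT": line == "console timeout 0",
        }
        findings += [(n, rule) for rule, hit in checks.items() if hit]
    return findings
```

Because the listing is flat, `group 2` and `key` are only judged while the parser is inside the matching parent mode; the same words elsewhere in a configuration are not flagged.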