CiscoASA84链路冗余+VPN配置

CiscoASA8.4(8.0)链路冗余+VPN配置一、网络拓扑本部分ASA主要使用SLA、NAT、ACL、DPD及IPSecVPN等技术二、设备基本网络配置R1的基本网络配置!interfaceLoopback0ipaddress192.168.1.1255.255.255.0!interfaceEthernet1/0ipaddress10.1.1.2255.255.255.0!iproute0.0.0.00.0.0.010.1.1.1!R2的基本网络配置!interfaceLoopback0ipaddress2.2.2.2255.255.255.0!interfaceEthernet1/0ipaddress202.100.1.2255.255.255.0half-duplex!interfaceEthernet1/1ipaddress202.100.2.2255.255.255.0half-duplex!routerospf100router-id2.2.2.2log-adjacency-changespassive-interfaceEthernet1/0network202.100.1.00.0.0.255area0network202.100.2.00.0.0.255area0!R3上的基本网络配置!interfaceLoopback0ipaddress3.3.3.3255.255.255.0!interfaceEthernet1/0ipaddress61.1.1.2255.255.255.0half-duplex!interfaceEthernet1/1ipaddress61.1.2.2255.255.255.0half-duplex!routerospf100router-id3.3.3.3log-adjacency-changespassive-interfaceEthernet1/0network61.1.1.00.0.0.255area0network61.1.2.00.0.0.255area0!R4上的基本网络配置!interfaceLoopback0ipaddress4.4.4.4255.255.255.0!interfaceEthernet1/0ipaddress172.16.1.2255.255.255.0half-duplex!interfaceEthernet1/1ipaddress202.100.2.1255.255.255.0half-duplex!routerospf100router-id4.4.4.4log-adjacency-changespassive-interfaceEthernet1/0network61.1.2.00.0.0.255area0network172.16.1.00.0.0.255area0network202.100.2.00.0.0.255area0!ASA8.4上的基本网络配置!interfaceGigabitEthernet0nameifInsidesecurity-level100ipaddress10.1.1.1255.255.255.0!interfaceGigabitEthernet1nameifOutsidesecurity-level0ipaddress202.100.1.1255.255.255.0!interfaceGigabitEthernet2nameifBackupsecurity-level0ipaddress61.1.1.1255.255.255.0!routeInside192.168.1.0255.255.255.010.1.1.21!ASA8.0上的基本网络配置!interfaceEthernet0/0nameifOutsidesecurity-level0ipaddress172.16.1.1255.255.255.0!interfaceEthernet0/1nameifInsidesecurity-level100ipaddress10.1.2.1255.255.255.0!routeOutside0.0.0.00.0.0.0172.16.1.21routeInside192.168.2.0255.255.255.010.1.2.21!三、ASA上的SLA配置ASA8.4上的SLA配置ASA(config)#slamonitor1ASA(config-sla-monitor)#typeechoprotocolipIcmpEcho202.100.1.2interfaceOutsideASA(config-sla-monitor-echo)#frequency10ASA(config-sla-monitor-echo)#slamonitorschedule1lifeforeverstart-timenowASA(config)#slamonitor2ASA(config-sla-monitor)#typeechoprotocolipIcmpEcho61.1.1.2interfaceBackupASA(config-sla-monitor-echo)#frequency10ASA(config-sla-monitor-echo)#slamonitorschedule2lifeforeverstart-timenow关于SLA可以百度Track配置ASA(config)#track1rtr1reachabilityASA(config)#track2rtr2reachabilityASA(config)#routeOutside0.0.0.00.0.0.0202.100.1.21track1ASA(config)#routeBackup0.0.0.00.0.0.061.1.1.2254至此链路冗余配置完毕，可以通过ping跟traceroute命令来检测配置，在检测之前需要先在ASA上放行ICMP流量ASA(config)#access-listoutsideextendedpermiticmpanyanyASA(config)#access-listoutsideextendedpermitudpanyanyrange3343433523在出接口上应用ASA(config)#access-groupoutsideininterfaceOutsideASA(config)#access-groupoutsideininterfaceBackup在ASA上测试，长ping172.16.1.2，并关闭Internet_1的E1/0接口测试证明SLA配置正确，接下来继续配置IPSecVPN。四、NAT配置ASA8.4上的NAT配置ASA(config)#objectnetworkInside_network定义object名称ASA(config-network-object)#subnet192.168.1.0255.255.255.0定义内部网络ASA(config-network-object)#nat(inside,outside)staticinterface配置复用Outside接口的NAT转换ASA(config)#objectnetworkInside_network_BackupASA(config-network-object)#subnet192.168.1.0255.255.255.0定义内部网络，由于不同的出接口需要配置不同的NAT，所以需要定义两条ASA(config-network-object)#nat(inside,backup)staticinterface配置复用Backup接口的NAT转换ASA(config)#objectnetworkVPN_networkASA(config-network-object)#subnet192.168.1.0255.255.255.0定义分支机构的局域网地址配置NATASA(config)#nat(Inside,Outside)sourcestaticInside_networkInside_networkdestinationstaticVPN_networkVPN_network定义全局Outside接口对感兴趣流不执行NAT转换ASA(config)#nat(Inside,Backup)sourcestaticInside_network_BackupInside_network_BackupdestinationstaticVPN_networkVPN_network定义全局Backup接口对感兴趣流不执行NAT转换测试NATASA8.0上的NAT配置ASA(config)#access-listnonatextendedpermitip192.168.2.0255.255.255.0192.168.1.0255.255.255.0定义感兴趣流ASA(config)#global(Outside)1interface定义全区复用接口NATASA(config)#nat(Inside)0access-listnonat匹配感兴趣流的将不执行转换ASA(config)#nat(Inside)10.0.0.00.0.0.0内部网络转换测试NAT五、IPSecVPN配置ASA8.4上的IPSecVPN配置IKEV1第一阶段配置ASA(config)#cryptoikev1enableOutside激活Outside接口ASA(config)#cryptoikev1enableBackupASA(config)#cryptoikev1policy10ASA(config-ikev1-policy)#authenticationpre-shareASA(config-ikev1-policy)#encryption3desASA(config-ikev1-policy)#group2ASA(config-ikev1-policy)#hashmd5Tunnel配置ASA(config)#tunnel-group172.16.1.1typeipsec-l2lVPN类型ASA(config)#tunnel-group172.16.1.1ipsec-attributesASA(config-tunnel-ipsec)#ikev1pre-shared-keycisco预共享秘钥配置感兴趣流ASA(config)#access-listvpnextendedpermitip192.168.1.0255.255.255.0192.168.2.0255.255.255.0配置转换集ASA(config)#cryptoipsecikev1transform-settransesp-3desesp-md5-hmac加密策略配置MAPASA(config)#cryptomapmymap10matchaddressvpn匹配感兴趣流ASA(config)#cryptomapmymap10setpeer172.16.1.1对端地址ASA(config)#cryptomapmymap10setikev1transform-settrans转换集接口配置ASA(config)#cryptomapmymapinterfaceOutside接口应用ASA(config)#cryptomapmymapinterfaceBackup接口应用ASA8.0上的IPSecVPN配置ASA(config)#cryptoisakmpenableOutsideASA(config)#cryptoisakmppolicy10ASA(config-isakmp-policy)#authenticationpre-shareASA(config-isakmp-policy)#encryption3desASA(config-isakmp-policy)#hashmd5ASA(config-isak