ASA的站点到站点VPN配置实例

1/3ASA的VPN配置（L2L）实验要求：通过在ASA上配置VPN，使Company的内网与Branch内网实现虚拟专用网通讯。配置NAT，同时满足公司和分部的内网与外网通讯PC1配置PC1ip192.168.10.10/24192.168.10.1PC2配置PC2ip193.168.10.20/24193.168.10.1ISP路由器配置ISP#conftISP(config)#intfa0/0ISP(config-if)#ipadd176.1.1.2255.255.255.0ISP(config-if)#noshutISP(config-if)#intfa0/1ISP(config-if)#ipadd176.1.2.2255.255.255.0ISP(config-if)#noshutASA-1配置ciscoasa(config)#intg0ciscoasa(config-if)#noshutciscoasa(config-if)#nameifinsideINFO:Securitylevelforinsidesetto100bydefault.ciscoasa(config-if)#ipadd192.168.10.1255.255.255.0ciscoasa(config-if)#intg1ciscoasa(config-if)#noshut2/3ciscoasa(config-if)#nameifoutsideINFO:Securitylevelforoutsidesetto0bydefault.ciscoasa(config-if)#ipadd176.1.1.1255.255.255.0ciscoasa(config-if)#exitciscoasa(config)#cryptoikev1policy1/定义一个IKE策略ciscoasa(config-ikev1-policy)#authenticationpre-share/VPN站点之间授权方式为pre-shareciscoasa(config-ikev1-policy)#encryptiondes/数据加密方式为desciscoasa(config-ikev1-policy)#hashmd5/数据完整性检测方式为md5ciscoasa(config-ikev1-policy)#exitciscoasa(config)#cryptoipsecikev1transform-setabcdesp-3desesp-md5-hmac/创建变换集esp-des和esp-md5-hmac,定义加密方式为3des,完整性验证为md5VPN定位ciscoasa(config)#objectnetworkcompanyciscoasa(config-network-object)#subnet192.168.10.0255.255.255.0ciscoasa(config-network-object)#exitciscoasa(config)#objectnetworkbranchciscoasa(config-network-object)#subnet193.168.10.0255.255.255.0ciscoasa(config-network-object)#exitciscoasa(config)#access-listvpnaclextendpermitipobjectcompanyobjectbranchciscoasa(config)#cryptomapvpnmap10matchaddressvpnaclciscoasa(config)#cryptomapvpnmap10setpeer176.1.2.1ciscoasa(config)#cryptomapvpnmap10setikev1transform-setabcd创建密钥ciscoasa(config)#tunnel-group176.1.2.1typeipsec-l2lciscoasa(config)#tunnel-group176.1.2.1ipsec-attributesciscoasa(config-tunnel-ipsec)#ikev1pre-shared-keyabc123ciscoasa(config-tunnel-ipsec)#exit应用VPN至端口ciscoasa(config)#cryptomapvpnmapintoutsideciscoasa(config)#cryptoikev1enableoutside添加静态路由ciscoasa(config)#routeoutside176.1.2.0255.255.255.0176.1.1.2ciscoasa(config)#routeoutside193.168.10.0255.255.255.0176.1.1.2添加NAT使内网能够访问网外并不影响VPNciscoasa(config)#nat(inside,outside)sourcestaticcompanycompanydestinationbranchbranch/VPN隧道内的指定网段不参与NAT地址转换ciscoasa(config)#nat(inside,outside)sourcedynamicanyinterface3/3ciscoasa(config)#access-listnataclextendpermitip176.1.1.0255.255.255.0objectcompanyciscoasa(config)#access-groupnataclinintoutsideASA2的配置参考ASA1