ASA VPN Configuration
I. Network topology

                172.x.x.x
                    | outside
            +=======+========+
            |  ASA firewall  |-----Internet 61.x.x.x
            +=======+========+
                    | inside
                133.x.x.x

The firewall has three interfaces configured; the interface names and IP address assignments are as shown above (outside and Internet at security-level 0, inside at security-level 100, per the running config in the appendix).
The IP address pool for the VPN client is given as 100.100.100.0 255.255.255.0. Note that the ip local pool in the running config is actually 100.100.100.1-100.100.100.20 with mask 255.255.255.224, and the split-tunnel ACL and the Layer 3 switch route also use 255.255.255.224, while the NAT-exemption ACL uses 255.255.255.0; the masks should be made consistent before deployment.
II. Configuration procedure
1. Create the dynamic crypto map
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto dynamic-map dymap 1 set transform-set myset
crypto dynamic-map dymap 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dymap
crypto map mymap interface Internet
crypto isakmp enable Internet
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
Note that IKE phase 1 here negotiates 3DES, SHA-1 and Diffie-Hellman group 2 (1024-bit) while the IPsec transform set uses AES-256, so the exchange that protects the AES keys is the weaker half of the tunnel. 3DES and group 2 are deprecated; use encryption aes-256 with a larger DH group such as group 5 in the ISAKMP policy, and consider enabling pfs in the group policy (step 4) so each IPsec SA gets fresh keys.
2. Create the tunnel group
tunnel-group manager type ipsec-ra
tunnel-group manager general-attributes
 address-pool vpn_pool_100
 authorization-required
tunnel-group manager ipsec-attributes
 pre-shared-key *
3. Add the access-list policies
access-list inside_nat0_outbound extended permit ip 100.100.100.0 255.255.255.0 133.x.x.x 255.x.x.x
access-list split-ssl extended permit ip 133.x.x.x 255.x.x.0 100.100.100.0 255.255.255.224
4. Create the group policy. Apart from the annotated items, everything uses the ASDM default settings.
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 10
 vpn-session-timeout none
 vpn-filter value inside_nat0_outbound        -- added via the access-list
 vpn-tunnel-protocol IPSec                    -- the tunnel uses IPSec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified          -- whether to use split tunneling; if split tunneling is not specified, once the client has connected its default gateway is changed to the VPN-assigned address, so all of its traffic goes through the tunnel
 split-tunnel-network-list value split-ssl    -- the network list used for split tunneling, added via the access-list
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
5. Add the default route
route Internet 0.0.0.0 0.0.0.0 61.x.x.x 1
6. Traffic between the addresses the VPN client obtains and the inside network needs a NAT exemption (nat 0) so that it is not translated:
nat (inside) 0 access-list inside_nat0_outbound
7. Create the VPN dial-in user
username username password S3DyQpSmLYSiQHIi encrypted privilege 0
username username attributes
 vpn-group-policy DfltGrpPolicy
 vpn-idle-timeout 10
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 group-lock value manager
Note that username attributes take precedence over the group policy, and vpn-filter none is an explicit null value rather than inheritance, so for this user the vpn-filter value inside_nat0_outbound set in DfltGrpPolicy (step 4) is not applied. Remove the user-level setting with no vpn-filter if the group-policy filter is meant to apply.
8. Because a Layer 3 switch sits behind the local firewall, a route must also be added on the switch pointing the VPN IP address pool at the firewall's inside interface:
ip route 100.100.100.0 255.255.255.224 133.x.x.x
9. Using Cisco's VPN Client 5.0 dial-in software, once the connection succeeds the VPN usage can be seen under Statistics.
10. To block ping to the firewall's Internet interface, use the following command (this controls ICMP addressed to the interface itself, not ICMP passing through the firewall):
icmp deny any Internet
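The following is an added example, not part of the original document: a small Python linter that runs over a constructed excerpt of the running config shown on this page and reports the points a reviewer would check across steps 1 to 7: a deprecated IKE phase-1 cipher or undersized DH group, PFS disabled in the group policy, a mask in an ACL that does not match the address pool it refers to, and a user-level vpn-filter none that overrides the group-policy filter. The sample config text is constructed from the page (the "x" octets are left as the page shows them); the thresholds (DES/3DES and DH groups 1 and 2 treated as weak) are the editor's assumptions.

```python
"""Lint an ASA 7.x running-config excerpt for the remote-access VPN points raised in
steps 1-7 above: IKE phase-1 strength, PFS, pool/ACL mask consistency, vpn-filter override."""
from __future__ import annotations
import ipaddress
import re

# Constructed sample built from the running config on this page ("x" octets kept as shown).
SAMPLE_CONFIG = """\
access-list inside_nat0_outbound extended permit ip 100.100.100.0 255.255.255.0 133.x.x.x 255.255.255.0
access-list split-ssl extended permit ip 133.x.x.x 255.255.255.0 100.100.100.0 255.255.255.224
ip local pool vpn_pool_100 100.100.100.1-100.100.100.20 mask 255.255.255.224
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
group-policy DfltGrpPolicy attributes
 vpn-filter value inside_nat0_outbound
 pfs disable
username xxxxx attributes
 vpn-group-policy DfltGrpPolicy
 vpn-filter none
"""

# Thresholds are the editor's assumptions, not values taken from the page.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_DH_GROUPS = {"1", "2"}


def parse_blocks(config: str) -> dict[str, list[str]]:
    """Map each top-level command line to its indented sub-commands (whitespace stripped)."""
    blocks = {}
    current = None
    for line in config.splitlines():
        if not line.strip():
            continue
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        elif not line.startswith(" "):
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks


def isakmp_findings(blocks: dict[str, list[str]]) -> list[str]:
    """Phase-1 policies using a deprecated cipher or an undersized DH group."""
    out = []
    for head, body in blocks.items():
        if not head.startswith("crypto isakmp policy "):
            continue
        attrs = dict(sub.split(None, 1) for sub in body)  # "encryption 3des" -> {"encryption": "3des"}
        if attrs.get("encryption") in WEAK_ENCRYPTION:
            out.append(f"{head}: encryption {attrs['encryption']} is deprecated, use aes-256")
        if attrs.get("group") in WEAK_DH_GROUPS:
            out.append(f"{head}: DH group {attrs['group']} is too small, use group 5 or higher")
    return out


def pool_mask_findings(blocks: dict[str, list[str]]) -> list[str]:
    """Any ACL entry naming the pool's network address must use the pool's own mask."""
    pools, out = {}, []  # network address -> (pool name, mask)
    for head in blocks:
        m = re.match(r"ip local pool (\S+) (\S+)-\S+ mask (\S+)", head)
        if m:
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            pools[str(net.network_address)] = (m.group(1), m.group(3))
    for head in blocks:
        m = re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", head)
        if not m:
            continue
        acl, src, smask, dst, dmask = m.groups()
        for addr, mask in ((src, smask), (dst, dmask)):
            if addr in pools and mask != pools[addr][1]:
                out.append(f"access-list {acl}: {addr} {mask} does not match pool {pools[addr][0]} mask {pools[addr][1]}")
    return out


def policy_findings(blocks: dict[str, list[str]]) -> list[str]:
    """PFS disabled in a group policy; 'vpn-filter none' on a user (an explicit null that wins over the group policy)."""
    out, gp_filter = [], {}
    for head, body in blocks.items():
        m = re.match(r"group-policy (\S+) attributes", head)
        if not m:
            continue
        if "pfs disable" in body:
            out.append(f"group-policy {m.group(1)}: pfs disable, enable PFS so each IPsec SA gets fresh DH keys")
        for sub in body:
            f = re.match(r"vpn-filter value (\S+)", sub)
            if f:
                gp_filter[m.group(1)] = f.group(1)
    for head, body in blocks.items():
        m = re.match(r"username (\S+) attributes", head)
        if not m or "vpn-filter none" not in body:
            continue
        gp = next((sub.split()[1] for sub in body if sub.startswith("vpn-group-policy ")), None)
        if gp in gp_filter:
            out.append(f"username {m.group(1)}: vpn-filter none overrides group-policy {gp} vpn-filter {gp_filter[gp]}")
    return out


def lint(config: str) -> list[str]:
    blocks = parse_blocks(config)
    return isakmp_findings(blocks) + pool_mask_findings(blocks) + policy_findings(blocks)
```

Calling lint(SAMPLE_CONFIG) yields five findings for the configuration on this page: the 3DES cipher and DH group 2 in the ISAKMP policy, the 255.255.255.0 mask in inside_nat0_outbound against the pool's 255.255.255.224, pfs disable, and the user-level vpn-filter none overriding the DfltGrpPolicy filter. The same function returns no findings once the policy is switched to aes-256 with group 5, PFS is enabled, the masks agree and the user-level vpn-filter line is removed. To lint a live device, paste the output of show running-config into the function in place of the constructed sample.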
Appendix:
show run
ASA Version 7.2(3)
!
domain-name default.domain.invalid
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.x.x.x
 ospf cost 10
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 133.x.x.x
 ospf cost 10
!
interface GigabitEthernet0/2
 nameif Internet
 security-level 0
 ip address 61.x.x.x
 ospf cost 10
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
 management-only
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list inside_nat0_outbound extended permit ip 100.100.100.0 255.255.255.0 133.x.x.x 255.255.255.0
access-list split-ssl extended permit ip 133.x.x.x 255.255.255.0 100.100.100.0 255.255.255.224
pager lines 24
logging enable
logging timestamp
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu Internet 1500
mtu management 1500
mtu outbackup 1500
mtu inbackup 1500
ip local pool vpn_pool_100 100.100.100.1-100.100.100.20 mask 255.255.255.224
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any Internet
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
access-group acl-out in interface outside
access-group acl-in in interface inside
route Internet 0.0.0.0 0.0.0.0 61.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 133.x.x.x 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto dynamic-map dymap 1 set transform-set myset
crypto dynamic-map dymap 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dymap
crypto map mymap interface Internet
crypto isakmp enable Internet
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
telnet 133.x.x.x 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
 match default-inspection-traffic
class-map outside-class
 match access-list outside_mpc
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
policy-map outside-policy
 class outside-class
  inspect pptp
!
service-policy global_policy global
service-policy outside-policy interface outside
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 10
 vpn-session-timeout none
 vpn-filter value inside_nat0_outbound
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-ssl
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
username xxxxx password S3DyQpSmLYSiQHIi encrypted privilege 0
username xxxxx attributes
 vpn-group-policy DfltGrpPolicy
 vpn-idle-timeout 10
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 group-lock value manager
tunnel-group manager type ipsec-ra
tunnel-group manager general-attributes
 address-pool vpn_pool_100
 authorization-required
tunnel-group manager ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:c9c8eefb4a85737d156f8b7a5fc7e4fa
: end
Answered by: 286531920 | Level 1 | 2009-04-15 15:44