ASA5510防火墙VPN配置.docx
《ASA5510防火墙VPN配置.docx》由会员分享,可在线阅读,更多相关《ASA5510防火墙VPN配置.docx(9页珍藏版)》请在冰豆网上搜索。
ASA5510防火墙VPN配置
ASA5510防火墙remoteipsecvpn配置
1、IPSEC VPN基本配置
access-listno-natextendedpermitip192.168.222.0255.255.255.0172.16.100.0255.255.255.0
//定义VPN数据流
nat(inside)0access-listno-nat
//设置IPSECVPN数据不作nat翻译
iplocalpoolvpn-pool172.16.100.1-172.16.100.100mask255.255.255.0
//划分地址池,用于VPN用户拨入之后分配的地址。
cryptoipsectransform-setvpnsetesp-desesp-md5-hmac
//定义一个变换集myset,用esp-md5加密的。
(网上一般都是用esp-3desesp-sha-hmac或esp-des esp-sha-hmac,而我使用的防火墙没开启3des,所以只能使用esp-des;至于esp-sha-hmac,不知为什么,使用它隧道组始终无法连接上,所以改用esp-md5-hmac。
具体原因不清楚。
)
(补充:
后来利用ASA5520防火墙做了关于esp-3desesp-sha-hmac加密的测试,成功!
)
cryptodynamic-mapdymap10settransform-setvpnset
//把vpnset添加到动态加密策略dynmap
cryptodynamic-mapdymap10setreverse-route
cryptomapvpnmap10ipsec-isakmpdynamicdymap
//把动态加密策略绑定到vpnmap动态加密图上
cryptomapvpnmapinterfaceoutside
//把动态加密图vpnmap绑定到outside口
cryptoisakmpidentityaddress
cryptoisakmpenableoutside
//outside接口启用isakmp
cryptoisakmppolicy10
//进入isakmp的策略定义模式
authenticationpre-share
//使用pre-sharedkey进行认证
encryptiondes
//定义协商用DES加密算法(与前面对应,这里使用des,而不是3des)
hashmd5
//定义协商用md5加密算法(和前面一样,网上使用的是sha,我这里为了配合前面的esp-md5-hmac,而使用md5)
group2
//定义协商组为2,标准有1、2、3、5等多组,主要用于块的大小和生命时间等
lifetime86400
//定义生命时间
group-policywhjtinternal
//定义策略组(用于想进入的)想要运用策略组就必须用默认的策略组名,否则无法激活该组。
group-policywhjtattributes
//定义策略组属性
vpn-idle-timeout1800
//设置VPN超时时间为1800秒
tunnel-groupwhjttypeipsec-ra
//建立VPN远程登入(即使用隧道分离)组
tunnel-groupwhjtgeneral-attributes
//定义隧道组"whjt"属性
address-poolvpn-pool
//将VPNclient地址池绑定到"whjt"隧道组
usernametestpasswordtest
//设定用户名和密码
authentication-server-group(outside)LOCAL
//本地认证服务组(本条命令没用)
default-group-policywhjt
//默认策略组为whjt
tunnel-groupwhjtipsec-attributes
//定义whjt组IPSec的属性
pre-shared-key730211
//定义共享密钥为:
730211
isakmpnat-traversal20
//每20秒向VPN对端发送一个包来防止中间PAT设备的PAT超时,就相当于路由器中的
isakmpkeepalivethreshold20retry2
在生存时间监控前,设备被允许空闲20秒,发现生存时间没有响应后,2秒钟内重试
sysoptconnectionpermit-vpn
//通过使用sysoptconnect命令,我们告诉ASA准许SSL/IPsec客户端绕过接口的访问列表(未加此命令会出现可以ping能内网地址,但不能访问内网服务,比如23、80等端口。
)
2、开启隧道分离
access-listvpnsplitstandardpermit192.168.222.0255.255.255.0
//注意源地址为ASA的inside网络地址
group-policywhjtattributes
//定义策略组属性
split-tunnel-policytunnelspecified
//建立隧道分离策略为tunnelspecified
split-tunnel-network-listvaluevpnsplit
//与vpnsplit匹配的网络将全部使用隧道分离
注1:
如要实现VPN用户可以ping通ASA的inside口,即192.168.222.1可以防火墙中加入如下命令:
management-accessinside
注2:
如果远程用户上互联网是通过nat方式上网(所有宽带用户都通过同一个公网IP访问外部),那么通过如下命令可穿越nat
cryptoisakmpnat-traversal 20
//缺省keepalives时间20秒
3、客户端的配置
我使用的客户端是cisco VPNClient 5.0,配置如下图,
Host:
ASA外网口IP,组账号:
whjt 密码:
730211
配置好后,连接VPN,会弹出下面对话框,输入远程用户的用户名和密码,上例均为test
4、ASA5510完全配置
test#shrun
:
Saved
:
ASAVersion8.0
(2)
!
hostnametest
domain-name
enablepassword2KFQnbNIdI.2KYOUencrypted
names
!
interfaceEthernet0/0
nameifoutside
security-level0
ipaddress10.65.222.1255.255.128.0
!
interfaceEthernet0/1
nameifinside
security-level100
ipaddress192.168.222.1255.255.255.0
!
interfaceEthernet0/2
shutdown
nonameif
nosecurity-level
noipaddress
!
interfaceEthernet0/3
shutdown
nonameif
nosecurity-level
noipaddress
!
interfaceManagement0/0
shutdown
nonameif
nosecurity-level
noipaddress
!
passwd2KFQnbNIdI.2KYOUencrypted
ftpmodepassive
dnsserver-groupDefaultDNS
domain-name
access-list101extendedpermiticmpanyany
access-listno-natextendedpermitip192.168.222.0255.255.255.0172.16.100.0255.255.255.0
access-listvpnsplitstandardpermit192.168.222.0255.255.255.0
pagerlines24
mtuoutside1500
mtuinside1500
iplocalpoolvpn-pool172.16.100.1-172.16.100.100mask255.255.255.0
icmpunreachablerate-limit1burst-size1
noasdmhistoryenable
arptimeout14400
global(outside)110.65.222.100netmask255.255.128.0
nat(inside)0access-listno-nat
nat(inside)10.0.0.00.0.0.0
access-group101ininterfaceoutside
routeoutside0.0.0.00.0.0.010.65.156.271
timeoutxlate3:
00:
00
timeoutconn1:
00:
00half-closed0:
10:
00udp0:
02:
00icmp0:
00:
02
timeoutsunrpc0:
10:
00h3230:
05:
00h2251:
00:
00mgcp0:
05:
00mgcp-pat0:
05:
00
timeoutsip0:
30:
00sip_media0:
02:
00sip-invite0:
03:
00sip-disconnect0:
02:
00
timeoutuauth0:
05:
00absolute
dynamic-access-policy-recordDfltAccessPolicy
http192.168.0.1255.255.255.255inside
nosnmp-serverlocation
nosnmp-servercontact
snmp-serverenabletrapssnmpauthenticationlinkuplinkdowncoldstart
cryptoipsectransform-setvpnsetesp-desesp-md5-hmac
cryptodynamic-mapdymap10settransform-setvpnset
cryptodynamic-mapdymap10setreverse-route
cryptomapvpnmap10ipsec-isakmpdynamicdymap
cryptomapvpnmapinterfaceoutside
cryptoisakmpidentityaddress
cryptoisakmpenableoutside
cryptoisakmpenableinside
cryptoisakmppolicy10
authenticationpre-share
encryptiondes
hashmd5
group2
lifetime86400
telnet192.168.222.0255.255.255.0inside
telnettimeout5
ssh10.65.128.0255.255.128.0outside
ssh0.0.0.00.0.0.0inside
sshtimeout60
sshversion1
consoletimeout0
management-accessinside
threat-detectionbasic-threat
threat-detectionstatisticsaccess-list
!
!
group-policywhjtinternal
group-policywhjtattributes
vpn-idle-timeout 1800 //我在实际中一般用3600000,时间长些不易掉线
split-tunnel-policytunnelspecified
split-tunnel-network-listvaluevpnsplit
usernametestpasswordP4ttSyrm33SV8TYpencrypted
tunnel-groupwhjttyperemote-access
tunnel-groupwhjtgeneral-attributes
address-poolvpn-pool
default-group-policywhjt
tunnel-groupwhjtipsec-attributes
pre-shared-key*
isakmpkeepalivethreshold20retry2
prompthostnamecontext
Cryptochecksum:
6f13b4f4e5c0d5f0a08f0f86be414b16
:
end
升级会员 