Configuring a remote-access VPN on a Cisco ASA (ASA配置VPN.docx)
Originally posted as a forum answer by user 286531920, 2009-4-15 15:44.

I. Network topology

The firewall has three data interfaces; names and (masked) addresses are:

    outside    172.x.x.x
    Internet   61.x.x.x    (the interface the VPN terminates on)
    inside     133.x.x.x

The show run in the appendix also shows a Management0/0 interface at 192.168.1.1/24. The VPN client address pool is described as 100.100.100.0 255.255.255.0; note that the pool actually defined in the configuration (ip local pool vpn_pool_100 100.100.100.1-100.100.100.20 mask 255.255.255.224) is a /27. The NAT exemption ACL below uses a /24 for the pool while the split-tunnel ACL and the layer-3 switch route use the /27. The /24 is a superset, so it works, but the three should be kept consistent.

II. Configuration procedure

1. Create the dynamic crypto map

    crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
    crypto dynamic-map dymap 1 set transform-set myset
    crypto dynamic-map dymap 1 set reverse-route
    crypto map mymap 1 ipsec-isakmp dynamic dymap
    crypto map mymap interface Internet
    crypto isakmp enable Internet
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp nat-traversal 20

Phase 2 (the transform set) uses AES-256 with SHA-1 HMAC, but phase 1 is negotiated with 3DES, SHA-1 and Diffie-Hellman group 2 (1024-bit MODP) on a group pre-shared key. 3DES and group 2 are deprecated by today's standards; on a platform that supports them, use AES and group 14 or larger, and prefer certificate authentication over a shared PSK.

2. Create the tunnel group

    tunnel-group manager type ipsec-ra
    tunnel-group manager general-attributes
     address-pool vpn_pool_100
     authorization-required
    tunnel-group manager ipsec-attributes
     pre-shared-key *

The pool referenced here is defined as ip local pool vpn_pool_100 100.100.100.1-100.100.100.20 mask 255.255.255.224 (see the appendix).

3. Add the access-list policies

    access-list inside_nat0_outbound extended permit ip 100.100.100.0 255.255.255.0 133.x.x.x 255.255.255.0
    access-list split-ssl extended permit ip 133.x.x.x 255.255.255.0 100.100.100.0 255.255.255.224

4. Create the group policy (everything not annotated is the ASDM default)

    group-policy DfltGrpPolicy attributes
     banner none
     wins-server none
     dns-server none
     dhcp-network-scope none
     vpn-access-hours none
     vpn-simultaneous-logins 3
     vpn-idle-timeout 10
     vpn-session-timeout none
     ! the access-list added in step 3
     vpn-filter value inside_nat0_outbound
     ! the tunnel uses IPsec
     vpn-tunnel-protocol IPSec
     password-storage disable
     ip-comp disable
     re-xauth disable
     group-lock none
     pfs disable
     ipsec-udp disable
     ipsec-udp-port 10000
     ! whether to split-tunnel; without split tunnelling the client's default
     ! gateway is replaced by the address obtained over the VPN after it connects
     split-tunnel-policy tunnelspecified
     ! the split-tunnel network list, the access-list added in step 3
     split-tunnel-network-list value split-ssl
     default-domain none
     split-dns none
     intercept-dhcp 255.255.255.255 disable
     secure-unit-authentication disable
     user-authentication disable
     user-authentication-idle-timeout 30
     ip-phone-bypass disable
     leap-bypass disable
     nem disable
     backup-servers keep-client-config
     msie-proxy server none
     msie-proxy method no-modify
     msie-proxy except-list none
     msie-proxy local-bypass disable
     nac disable
     nac-sq-period 300
     nac-reval-period 36000
     nac-default-acl none
     address-pools none
     smartcard-removal-disconnect enable
     client-firewall none
     client-access-rule none
     webvpn
      functions url-entry
      html-content-filter none
      homepage none
      keep-alive-ignore 4
      http-comp gzip
      filter none
      url-list none
      customization value DfltCustomization
      port-forward none
      port-forward-name value Application Access
      sso-server none
      deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
      svc none
      svc keep-installer installed
      svc keepalive none
      svc rekey time none
      svc rekey method none
      svc dpd-interval client none
      svc dpd-interval gateway none
      svc compression deflate

A vpn-filter ACL is evaluated with the VPN client's assigned address as the source. Reusing inside_nat0_outbound here therefore permits all IP traffic from the pool to the inside /24 and restricts nothing; a filter that is meant to limit what remote users can reach needs its own ACL. PFS is also disabled, so phase 2 keys are derived from the phase 1 exchange alone.

5. Add the default route

    route Internet 0.0.0.0 0.0.0.0 61.x.x.x 1

6. Exempt the addresses assigned to VPN clients from NAT when they reach the inside interface

    nat (inside) 0 access-list inside_nat0_outbound

7. Create the VPN dial-in user

    username username password S3DyQpSmLYSiQHIi encrypted privilege 0
    username username attributes
     vpn-group-policy DfltGrpPolicy
     vpn-idle-timeout 10
     vpn-filter none
     vpn-tunnel-protocol IPSec
     password-storage disable
     group-lock value manager

8. Because a layer-3 switch sits behind the firewall, the switch also needs a route that points the VPN address pool at the firewall's inside interface:

    ip route 100.100.100.0 255.255.255.224 133.x.x.x

9. Connect with Cisco VPN Client 5.0; after the connection succeeds, the client's Statistics window shows the VPN in use.

10. To block pings to the firewall's Internet interface, use:

    icmp deny any Internet

Appendix: show run

Note that this running configuration permits Telnet (cleartext) to the firewall from one inside host and HTTP/ASDM from the management network and one inside host; there is no ssh access line, only an ssh timeout.

    ASA Version 7.2(3)
    !
    domain-name default.domain.invalid
    names
    !
    interface GigabitEthernet0/0
     nameif outside
     security-level 0
     ip address 172.x.x.x
     ospf cost 10
    !
    interface GigabitEthernet0/1
     nameif inside
     security-level 100
     ip address 133.x.x.x
     ospf cost 10
    !
    interface GigabitEthernet0/2
     nameif Internet
     security-level 0
     ip address 61.x.x.x
     ospf cost 10
    !
    interface Management0/0
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0
     ospf cost 10
     management-only
    !
    ftp mode passive
    dns server-group DefaultDNS
     domain-name default.domain.invalid
    access-list inside_nat0_outbound extended permit ip 100.100.100.0 255.255.255.0 133.x.x.x 255.255.255.0
    access-list split-ssl extended permit ip 133.x.x.x 255.255.255.0 100.100.100.0 255.255.255.224
    pager lines 24
    logging enable
    logging timestamp
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu Internet 1500
    mtu management 1500
    mtu outbackup 1500
    mtu inbackup 1500
    ip local pool vpn_pool_100 100.100.100.1-100.100.100.20 mask 255.255.255.224
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp deny any Internet
    asdm image disk0:/asdm-523.bin
    no asdm history enable
    arp timeout 14400
    nat (inside) 0 access-list inside_nat0_outbound
    access-group acl-out in interface outside
    access-group acl-in in interface inside
    route Internet 0.0.0.0 0.0.0.0 61.x.x.x 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 133.x.x.x 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
    crypto dynamic-map dymap 1 set transform-set myset
    crypto dynamic-map dymap 1 set reverse-route
    crypto map mymap 1 ipsec-isakmp dynamic dymap
    crypto map mymap interface Internet
    crypto isakmp enable Internet
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp nat-traversal 20
    telnet 133.x.x.x 255.255.255.255 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    class-map inspection_default
     match default-inspection-traffic
    class-map outside-class
     match access-list outside_mpc
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect icmp
    policy-map outside-policy
     class outside-class
      inspect pptp
    !
    service-policy global_policy global
    service-policy outside-policy interface outside
    group-policy DfltGrpPolicy attributes
     banner none
     wins-server none
     dns-server none
     dhcp-network-scope none
     vpn-access-hours none
     vpn-simultaneous-logins 3
     vpn-idle-timeout 10
     vpn-session-timeout none
     vpn-filter value inside_nat0_outbound
     vpn-tunnel-protocol IPSec
     password-storage disable
     ip-comp disable
     re-xauth disable
     group-lock none
     pfs disable
     ipsec-udp disable
     ipsec-udp-port 10000
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split-ssl
     default-domain none
     split-dns none
     intercept-dhcp 255.255.255.255 disable
     secure-unit-authentication disable
     user-authentication disable
     user-authentication-idle-timeout 30
     ip-phone-bypass disable
     leap-bypass disable
     nem disable
     backup-servers keep-client-config
     msie-proxy server none
     msie-proxy method no-modify
     msie-proxy except-list none
     msie-proxy local-bypass disable
     nac disable
     nac-sq-period 300
     nac-reval-period 36000
     nac-default-acl none
     address-pools none
     smartcard-removal-disconnect enable
     client-firewall none
     client-access-rule none
     webvpn
      functions url-entry
      html-content-filter none
      homepage none
      keep-alive-ignore 4
      http-comp gzip
      filter none
      url-list none
      customization value DfltCustomization
      port-forward none
      port-forward-name value Application Access
      sso-server none
      deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
      svc none
      svc keep-installer installed
      svc keepalive none
      svc rekey time none
      svc rekey method none
      svc dpd-interval client none
      svc dpd-interval gateway none
      svc compression deflate
    username xxxxx password S3DyQpSmLYSiQHIi encrypted privilege 0
    username xxxxx attributes
     vpn-group-policy DfltGrpPolicy
     vpn-idle-timeout 10
     vpn-filter none
     vpn-tunnel-protocol IPSec
     password-storage disable
     group-lock value manager
    tunnel-group manager type ipsec-ra
    tunnel-group manager general-attributes
     address-pool vpn_pool_100
     authorization-required
    tunnel-group manager ipsec-attributes
     pre-shared-key *
    prompt hostname context
    Cryptochecksum:c9c8eefb4a85737d156f8b7a5fc7e4fa
    : end
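The following is an added consistency check written for this page; it is not Cisco code and not part of the original document. It parses an abbreviated copy of the show run above and (a) verifies that the address pool, the NAT exemption ACL referenced by nat (inside) 0 and the split-tunnel ACL agree on the pool network, reporting the /24-versus-/27 mismatch present in this configuration and the reuse of the NAT ACL as a vpn-filter, and (b) flags the phase-1 and group-policy settings that are weak by current standards. The masked inside network 133.x.x.x is replaced by the documentation prefix 192.0.2.0/24 so the addresses parse, and which settings count as weak is the example's own threshold.

```python
"""Consistency and crypto-strength checks for the ASA 7.2 remote-access IPsec
configuration above. Added example for this page; not Cisco code."""
import ipaddress
import re
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network

# Abbreviated copy of the document's show run. The masked inside network
# 133.x.x.x is replaced by the documentation prefix 192.0.2.0/24 so it parses.
SAMPLE_CONFIG = """\
ip local pool vpn_pool_100 100.100.100.1-100.100.100.20 mask 255.255.255.224
access-list inside_nat0_outbound extended permit ip 100.100.100.0 255.255.255.0 192.0.2.0 255.255.255.0
access-list split-ssl extended permit ip 192.0.2.0 255.255.255.0 100.100.100.0 255.255.255.224
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
group-policy DfltGrpPolicy attributes
 vpn-filter value inside_nat0_outbound
 pfs disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-ssl
"""

# What this example treats as weak for IKEv1 phase 1 (its own thresholds).
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_HASHES = {"md5"}


def parse_pool(cfg: str) -> Tuple[str, Net]:
    """Return (pool name, network implied by the pool's first address and mask)."""
    m = re.search(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)", cfg, re.M)
    if not m:
        raise ValueError("no 'ip local pool' line found")
    name, first, _last, mask = m.groups()
    return name, ipaddress.ip_network(f"{first}/{mask}", strict=False)


def parse_acls(cfg: str) -> Dict[str, List[Tuple[Net, Net]]]:
    """Collect 'permit ip' ACEs per extended ACL as (source, destination) networks."""
    acls: Dict[str, List[Tuple[Net, Net]]] = {}
    pat = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", re.M)
    for name, src, smask, dst, dmask in pat.findall(cfg):
        acls.setdefault(name, []).append((
            ipaddress.ip_network(f"{src}/{smask}", strict=False),
            ipaddress.ip_network(f"{dst}/{dmask}", strict=False),
        ))
    return acls


def _referenced_acl(cfg: str, pattern: str) -> str:
    """Name of the ACL referenced by a command matched by `pattern`, or ''."""
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else ""


def pool_consistency(cfg: str) -> List[str]:
    """Cross-check the pool against the NAT-exemption ACL and the split-tunnel ACL.
    The document writes the split ACL with the inside network as source and the
    pool as destination, so that is the convention checked here."""
    findings: List[str] = []
    _, pool = parse_pool(cfg)
    acls = parse_acls(cfg)

    nat0_name = _referenced_acl(cfg, r"^nat \(inside\) 0 access-list (\S+)")
    nat0 = acls.get(nat0_name, [])
    if not nat0:
        findings.append("no NAT exemption ACL covers the VPN pool")
    for src, _dst in nat0:
        if not src.supernet_of(pool):
            findings.append(f"nat0 ACE source {src} does not cover pool {pool}")
        elif src != pool:
            findings.append(f"nat0 ACE uses {src} but the pool is {pool} (mask mismatch)")

    split_name = _referenced_acl(cfg, r"^\s*split-tunnel-network-list value (\S+)")
    for _src, dst in acls.get(split_name, []):
        if not dst.supernet_of(pool):
            findings.append(f"split-tunnel ACE destination {dst} does not cover pool {pool}")

    # A vpn-filter is evaluated with the client's pool address as source; reusing
    # the permit-everything NAT exemption ACL as the filter restricts nothing.
    if nat0_name and _referenced_acl(cfg, r"^\s*vpn-filter value (\S+)") == nat0_name:
        findings.append("vpn-filter reuses the NAT exemption ACL, so it restricts nothing")
    return findings


def phase1_weaknesses(cfg: str) -> List[str]:
    """Flag ISAKMP policy and group-policy settings weak by current standards."""
    findings: List[str] = []
    block = re.search(r"^crypto isakmp policy \d+\n((?: .*\n)+)", cfg, re.M)
    for line in (block.group(1).splitlines() if block else []):
        parts = line.split()
        if len(parts) < 2:
            continue
        kw, val = parts[0], parts[1]
        if kw == "encryption" and val in WEAK_ENCRYPTION:
            findings.append(f"phase 1 encryption {val} is deprecated")
        elif kw == "group" and val in WEAK_DH_GROUPS:
            findings.append(f"phase 1 DH group {val} is too small")
        elif kw == "hash" and val in WEAK_HASHES:
            findings.append(f"phase 1 hash {val} is broken")
        elif kw == "authentication" and val == "pre-share":
            findings.append("phase 1 relies on a group pre-shared key")
    if re.search(r"^\s*pfs disable", cfg, re.M):
        findings.append("PFS disabled in group policy")
    return findings


if __name__ == "__main__":
    for finding in pool_consistency(SAMPLE_CONFIG) + phase1_weaknesses(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the sample it reports the pool mask mismatch, the vpn-filter reuse, 3DES, DH group 2, the pre-shared key and disabled PFS. Point it at a real `show running-config` dump after correcting those lines and the same functions confirm the fix; the only thing it cannot see is the strength of the pre-shared key itself, which show run masks.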
