ASA防火墙上配置IPSEC ×××和SSL ×××
成都创新互联公司致力于互联网网站建设与网站营销,提供
网站建设、做网站、网站开发、seo优化、网站排名、互联网营销、
微信小程序开发、公众号商城、等建站开发,
成都创新互联公司网站建设策划专家,为不同类型的客户提供良好的互联网应用定制解决方案,帮助客户在新的全球化互联网环境中保持优势。
一:实验拓扑:
二:实验要求:
1:PC1属于上海分公司内网主机,PC2属于总公司主机.要求上海分公司的用户直接可以喝总公司的PC2通信.(Site-to-Site IPSEC ×××实现)
2:公网上用户可以访问总公司的OA服务器PC2.(SSL ×××实现)
三:配置过程:
1:基本配置:
ASA1(config)#int e0/1
ASA1(config-if)#nameif inside
INFO: Securitylevel for "inside" set to 100 by default.
ASA1(config-if)#ip add 172.16.1.254 255.255.255.0
ASA1(config-if)#no sh
ASA1(config-if)#int e0/0
ASA1(config-if)#nameif outside
INFO: Securitylevel for "outside" set to 0 by default.
ASA1(config-if)#ip add 12.0.0.1 255.255.255.0
ASA1(config-if)#no sh
ASA1(config-if)#
ASA1# ping172.16.1.1
Type escapesequence to abort.
Sending 5,100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rateis 100 percent (5/5), round-trip min/avg/max = 10/344/1670 ms
R1(config)#intf0/0
R1(config-if)#ipadd 12.0.0.2 255.255.255.0
R1(config-if)#nosh
R1(config-if)#intf1/0
R1(config-if)#ipadd 23.0.0.2 255.255.255.0
R1(config-if)#nosh
R1(config-if)#intf2/0
R1(config-if)#ipadd 1.1.1.254 255.255.255.0
R1(config-if)#nosh
ASA2(config)#int e0/0
ASA2(config-if)#nameif outside
INFO: Securitylevel for "outside" set to 0 by default.
ASA2(config-if)#ip add 23.0.0.3 255.255.255.0
ASA2(config-if)#no sh
ASA2(config-if)#int e0/1
ASA2(config-if)#nameif inside
INFO: Securitylevel for "inside" set to 100 by default.
ASA2(config-if)#ip add 192.168.1.254 255.255.255.0
ASA2(config-if)#no sh
配置路由,NAT,ACL
ASA1(config)#route outside 0 0 12.0.0.2
ASA1(config)#nat-control
ASA1(config)#nat (inside) 1 0 0
ASA1(config)#global (outside) 1 interface
INFO: outsideinterface address added to PAT pool
ASA1(config)#access-list haha permit icmp any any
ASA1(config)#access-group haha in interface outside
ASA2(config)#route outside 0 0 23.0.0.2
ASA2(config)#nat-con
ASA2(config)#nat-control
ASA2(config)#nat (inside) 1 0 0
ASA2(config)#global (outside) 1 interface
INFO: outsideinterface address added to PAT pool
ASA2(config)#access-list haha permit icmp any any
ASA2(config)#access-group haha in interface outside
私网上公网没问题,但两个私网无法互通
2:配置Site-to-Site ×××
ASA1(config)#access-list no-nat permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
ASA1(config)#nat (inside) 0 access-list no-nat
ASA2(config)#access-list no-nat permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
ASA2(config)#nat (inside) 1 access-list no-nat
ASA1(config)#crypto isakmp enable outside
ASA1(config-isakmp-policy)#authentication pre-share
ASA1(config-isakmp-policy)#encryption des
ASA1(config-isakmp-policy)#hash md5
ASA1(config-isakmp-policy)#group 2
ASA1(config-isakmp-policy)#exit
ASA1(config)#isakmp key cisco address 23.0.0.3
ASA1(config)#crypto ipsec transform-set mytrans esp-des esp-md
ASA1(config)#crypto ipsec transform-set mytrans esp-des esp-md5-hmac
ASA1(config)#crypto map mymap 10 set peer 23.0.0.3
ASA1(config)#crypto map mymap 10 set transform-set mytrans
ASA1(config)#crypto map mymap 10 match address no-nat
ASA1(config)#crypto map mymap interface outside
ASA2(config)#crypto isakmp enable outside
ASA2(config-isakmp-policy)#authentication pre-share
ASA2(config-isakmp-policy)#encryption des
ASA2(config-isakmp-policy)#hash md5
ASA2(config-isakmp-policy)#group 2
ASA2(config-isakmp-policy)#exit
ASA2(config)#isakmp key cisco address 12.0.0.1
ASA2(config)#crypto ipsec transform-set mytrans esp-des esp-md
ASA2(config)#crypto ipsec transform-set mytrans esp-des esp-md5-hmac
ASA2(config)#crypto map mymap 10 set peer 12.0.0.1
ASA2(config)#crypto map mymap 10 set transform-set mytrans
ASA2(config)#crypto map mymap 10 match address no-nat
ASA2(config)#crypto map mymap interface outside
Site-to-SiteIPSEC 配置完成.
ASA2(config)#web***
ASA2(config-web***)#enable outside
INFO: Web×××and DTLS are enabled on 'outside'.
ASA2(config-web***)#svc p_w_picpath disk0:/sslclient-win-1.1.3.173.pkg
ASA2(config-web***)#svc enable
ASA2(config-web***)#exit
ASA2(config)#username cisco password cisco
ASA2(config)#ip local pool *** 192.168.100.1-192.168.100.200
ASA2(config)#access-list 100 permit ip 192.168.1.0 255.255.255.0 any
ASA2(config)#group-policy my10 internal
ASA2(config)#group-policy my10 attributes
ASA2(config-group-policy)#***-tunnel-protocol web*** svc
ASA2(config-group-policy)#split-tunnel-policy tunnelspecified
ASA2(config-group-policy)#split-tunnel-network-list value 100
ASA2(config-group-policy)#web***
ASA2(config-group-web***)#svc ask enable
ASA2(config-group-web***)#exit
ASA2(config-group-policy)#exit
ASA2(config)#tunnel-group jishu type web***
ASA2(config)#tunnel-group jishu general-attributes
ASA2(config-tunnel-general)#address-pool ***
ASA2(config-tunnel-general)#default-group-policy my10
ASA2(config-tunnel-general)#web***
ASA2(config-web***)#tunnel-group-list enable
ASA2(config-web***)#tunnel-group jishu web***-attributes
ASA2(config-tunnel-web***)#group-alias 2t39
SSL ×××配置完毕.
access-listssl*** extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0access-list ssl***
另外有需要云服务器可以了解下创新互联scvps.cn,海内外云服务器15元起步,三天无理由+7*72小时售后在线,公司持有idc许可证,提供“云服务器、裸金属服务器、高防服务器、香港服务器、美国服务器、虚拟主机、免备案服务器”等云主机租用服务以及企业上云的综合解决方案,具有“安全稳定、简单易用、服务可用性高、性价比高”等特点与优势,专为企业上云打造定制,能够满足用户丰富、多元化的应用场景需求。
分享标题:ASA防火墙上配置IPSEC_×××和SSL_×××-创新互联
标题URL:
http://cdkjz.cn/article/isgog.html
