Cisco ASA5505-K9 IPSec VPN Configuration
The port VLAN configuration is as follows:
ASA Version 8.2(5)
interface Ethernet0/0
switchport access vlan 10
interface Ethernet0/1
switchport access vlan 20
interface Ethernet0/2
switchport access vlan 30
The ports are assigned to different security zones as follows:
interface Vlan10
nameif outside //port Eth0/0 is assigned to the outside zone
security-level 0
ip address 10.10.10.1 255.255.255.252
interface Vlan20
nameif inside //port Eth0/1 is assigned to the inside zone
security-level 90
ip address 10.6.1.1 255.255.255.0
interface Vlan30
nameif inside20 //port Eth0/2 is assigned to the inside20 zone
security-level 60
ip address 192.168.20.1 255.255.255.0
IPSec VPN interesting traffic (local LAN subnet: 10.6.156.0/24; remote LAN subnets: 10.6.1.0/24 and 10.0.0.0/16):
access-list vpn-nonat extended permit ip 10.6.156.0 255.255.255.0 10.6.1.0 255.255.255.0
access-list vpn-nonat extended permit ip 10.6.156.0 255.255.255.0 10.0.0.0 255.255.0.0
The interesting traffic is exempted from NAT:
nat (inside) 0 access-list vpn-nonat
Define the phase-2 transform set/IPSec policy:
//Configure the static crypto map
crypto ipsec transform-set dongtu-set esp-3des esp-md5-hmac
//traffic matched by vpn-nonat, i.e. the flows exempted from NAT
crypto map dongtu-map 1 match address vpn-nonat
//set the IP address of the remote IPSec peer
crypto map dongtu-map 1 set peer 218.249.Y.Y
//the dongtu-set transform set
crypto map dongtu-map 1 set transform-set dongtu-set
//Apply the crypto map and enable ISAKMP/IKEv1 on the outside interface
crypto map dongtu-map interface outside
crypto isakmp enable outside
Define the phase-2/ISAKMP policy:
crypto isakmp policy 10
authentication pre-share //authentication method: pre-shared key
encryption 3des //encryption algorithm
hash md5 //hash algorithm
group 2
lifetime 86400
Configure a tunnel-group for a static VPN peer and pre-shared key:
tunnel-group 218.249.X.X type ipsec-l2l
tunnel-group 218.249.X.X ipsec-attributes
pre-shared-key donglai123
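Checking by eye that a crypto map, its ACL, NAT exemption, transform set, tunnel-group and interface all line up is error-prone. The following Python checker is an added example (not from the original post): it parses the VPN-relevant lines of an ASA configuration, cross-references each crypto map entry against the objects it depends on, and flags legacy 3DES/MD5 transforms. The sample config is constructed from this page's lines; with the page's 218.249.X.X / 218.249.Y.Y placeholders as written, it reports that the crypto map peer has no matching tunnel-group.

```python
import re
# Constructed sample: the VPN-relevant lines of the ASA config from this page
# (peer addresses kept as the page's 218.249.X.X / 218.249.Y.Y placeholders).
SAMPLE_CONFIG = """
access-list vpn-nonat extended permit ip 10.6.156.0 255.255.255.0 10.6.1.0 255.255.255.0
nat (inside) 0 access-list vpn-nonat
crypto ipsec transform-set dongtu-set esp-3des esp-md5-hmac
crypto map dongtu-map 1 match address vpn-nonat
crypto map dongtu-map 1 set peer 218.249.Y.Y
crypto map dongtu-map 1 set transform-set dongtu-set
crypto map dongtu-map interface outside
crypto isakmp enable outside
tunnel-group 218.249.X.X type ipsec-l2l
tunnel-group 218.249.X.X ipsec-attributes
"""
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}  # legacy ESP transforms

def grab(lines, pattern):
    """Capture groups of every config line that matches pattern."""
    return [m.groups() for l in lines if (m := re.match(pattern, l))]

def audit_asa_vpn(config):
    """Cross-check every crypto map entry against the objects it references."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    acls = {a for (a,) in grab(lines, r"access-list (\S+) ")}
    nat_exempt = {a for (_, a) in grab(lines, r"nat \(([^)]+)\) 0 access-list (\S+)")}
    tsets = {n: t.split() for n, t in grab(lines, r"crypto ipsec transform-set (\S+) (.+)")}
    l2l_peers = {p for (p,) in grab(lines, r"tunnel-group (\S+) type ipsec-l2l")}
    applied = dict(grab(lines, r"crypto map (\S+) interface (\S+)"))
    isakmp_on = {i for (i,) in grab(lines, r"crypto isakmp enable (\S+)")}
    entries = {}  # "map seq" -> {setting: value}
    pat = r"crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)"
    for name, seq, key, val in grab(lines, pat):
        entries.setdefault(f"{name} {seq}", {"map": name})[key] = val
    findings = []
    for tag, e in entries.items():
        acl, peer, ts = e.get("match address"), e.get("set peer"), e.get("set transform-set")
        if acl not in acls:
            findings.append(f"{tag}: match ACL {acl} is not defined")
        elif acl not in nat_exempt:
            findings.append(f"{tag}: ACL {acl} is not NAT-exempt, VPN traffic would be translated")
        if peer not in l2l_peers:
            findings.append(f"{tag}: peer {peer} has no 'tunnel-group ... type ipsec-l2l'")
        if ts not in tsets:
            findings.append(f"{tag}: transform-set {ts} is not defined")
        elif WEAK_TRANSFORMS & set(tsets[ts]):
            findings.append(f"{tag}: transform-set {ts} uses weak algorithms {' '.join(tsets[ts])}")
        iface = applied.get(e["map"])
        if iface is None or iface not in isakmp_on:
            findings.append(f"{tag}: crypto map {e['map']} not applied to an ISAKMP-enabled interface")
    return findings
```

Run it against `show running-config` output saved to a file; an empty list means every referenced object is present and consistent.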
//Rate-limiting configuration
class-map speed-limite-dl
match access-list inside-2-outside
policy-map speed-limite-dl
class speed-limite-dl
police output 4000000 1000000
service-policy speed-limite-dl interface inside