Cisco ASA 之 Easy 虚拟专用网
具体原理及参数可以参考:https://cloud.tencent.com/developer/article/1538642
这里我就不详细说明了,大致原理都一样,我就直接开整了
1、环境如下:
2、开始配置(自行配置接口IP)
ASA 配置如下:
ciscoasa> en
Password:
ciscoasa# conf t
ciscoasa(config)# int e 0/0
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# ip add 192.168.0.1
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# int e 0/1
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# ip add 200.0.0.2
ciscoasa(config-if)# no shutdown
ciscoasa(config)# route outside 0 0 200.0.0.1 # 0代表0.0.0.0
# ASA中的AAA默认开启,所以不需要手动开启了
ciscoasa(config)# username zhangsan password 123123 # 配置AAA认证用户
ciscoasa(config)# crypto isakmp enable outside # 开启IKE协商功能
# 阶段一:指定管理连接的相关参数,加密算法等
ciscoasa(config)# crypto isakmp policy 10
ciscoasa(config-isakmp-policy)# encryption 3des
ciscoasa(config-isakmp-policy)# hash sha
ciscoasa(config-isakmp-policy)# authentication pre-share
ciscoasa(config-isakmp-policy)# group 2
ciscoasa(config-isakmp-policy)# exit
ciscoasa(config)# ip local pool test-pool 192.168.1.200-192.168.1.210 # 创建地址池
ciscoasa(config)# access-list split-acl permit ip 192.168.0.0 255.255.255.0 any # 编写ACl
ciscoasa(config)# group-policy test-group internal
ciscoasa(config)# group-policy test-group attributes
ciscoasa(config-group-policy)# split-tunnel-policy tunnelspecified
ciscoasa(config-group-policy)# split-tunnel-network-list value split-acl
ciscoasa(config-group-policy)# exit
ciscoasa(config)# tunnel-group test1-group type ipsec-ra
ciscoasa(config)# tunnel-group test1-group general-attributes
ciscoasa(config-tunnel-general)# address-pool test-pool # 应用所创建的地址池
ciscoasa(config-tunnel-general)# default-group-policy test-group
ciscoasa(config-tunnel-general)# exit
ciscoasa(config)# tunnel-group test1-group ipsec-attributes
ciscoasa(config-tunnel-ipsec)# pre-shared-key 321321 # 配置组密钥
ciscoasa(config-tunnel-ipsec)# exit
ciscoasa(config)# crypto ipsec transform-set test-set esp-3des esp-sha-hmac
ciscoasa(config)# crypto dynamic-map test-dymap 1 set transform-set test-set
ciscoasa(config)# crypto map test-stamap 1000 ipsec-isakmp dynamic test-dymap
ciscoasa(config)# crypto map test-stamap int outside # 应用到接口客户端安装也可参考:https://cloud.tencent.com/developer/article/1538642 (后半部分)
3、验证
本文参与 腾讯云自媒体同步曝光计划,分享自作者个人站点/博客。
原始发表:2019-11-13 ,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读