VPN Lab Configuration 2: Traditional IPsec VPN Between a Cisco Router and a Cisco ASA Firewall (Configuration Example)

1. ASA1 configuration:

asa1#
asa1# show ver

Cisco Adaptive Security Appliance Software Version 8.0(2)

Compiled on Fri 15-Jun-07 19:29 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"

asa1 up 57 secs

Hardware:   , 128 MB RAM, CPU Pentium II 2796 MHz
Internal ATA Compact Flash, 256MB

BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

 0: Ext: Ethernet0/0         : address is 00ab.cd92.5200, irq 255
 1: Ext: Ethernet0/1         : address is 00ab.cd92.5201, irq 255
 2: Ext: Ethernet0/2         : address is 0000.abdf.c502, irq 255
 3: Ext: Ethernet0/3         : address is 0000.abfa.3703, irq 255
 4: Ext: Ethernet0/4         : address is 0000.aba1.d004, irq 255
 5: Ext: Ethernet0/5         : address is 0000.abfc.8705, irq 255
VLANs                     : 200
Failover                  : Active/Active

3DES-AES                  : Enabled
Security Contexts         : 20
GTP/GPRS                  : Enabled
VPN Peers                 : 5000
WebVPN Peers              : 2500
ADVENDSEC                 : Enabled

Configuration register is 0x0
Configuration has not been modified since last system restart.

asa1# show run
: Saved
:
ASA Version 8.0(2)
!
hostname asa1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif Inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 202.100.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot config disk0:/.private/startup-config
ftp mode passive
access-list *** extended permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
pager lines 24
mtu Inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 202.100.1.10 1
route Inside 0.0.0.0 0.0.0.0 10.1.1.10 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set Trans esp-des esp-md5-hmac
crypto map cry-map 10 match address ***
crypto map cry-map 10 set pfs
crypto map cry-map 10 set peer 61.128.1.1
crypto map cry-map 10 set transform-set Trans
crypto map cry-map 10 set security-association lifetime seconds 1800
crypto map cry-map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
tunnel-group 61.128.1.1 type ipsec-l2l
tunnel-group 61.128.1.1 ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:9a4bd12084c52f9f42e68ed07755eef4
: end
asa1#

2. Router configuration:


Site2# show run
Building configuration...

Current configuration : 1468 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Site2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
ip domain name lab.local
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key L2Lkey address 202.100.1.1
!
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
 set peer 202.100.1.1
 set transform-set cisco
 match address ***
!
!
!
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2/0
 ip address 61.128.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map cisco
!
interface FastEthernet3/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
no ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 61.128.1.10
!
!
!
ip access-list extended ***
 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
!
!
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end

Site2#
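The two running-configs above are the whole of this example, so the thing worth checking is that they actually agree with each other: the ISAKMP policy (pre-shared key, 3DES, MD5, DH group 2) and the transform set (esp-des esp-md5-hmac) have to match on both ends, the ASA crypto ACL is written with subnet masks while the IOS ACL is written with wildcard masks yet the two must be exact mirror images, and "set pfs" appears only in the ASA crypto map. The script below is an added example, not code from the original post. It parses the crypto-relevant lines of both configs (copied from the page, with the ACL name *** exactly as printed there), normalizes the two ACL notations with Python's ipaddress module, reports where the two ends differ, and lists the primitives that are considered weak by today's standards.

```python
# Added example, not from the original post: parse the crypto-relevant lines of the
# ASA and IOS running-configs above, check that the two ends mirror each other and
# list the primitives considered weak today. Config text is copied from the page.
import ipaddress

ASA_CONFIG = """\
access-list *** extended permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
crypto ipsec transform-set Trans esp-des esp-md5-hmac
crypto map cry-map 10 match address ***
crypto map cry-map 10 set pfs
crypto map cry-map 10 set peer 61.128.1.1
crypto map cry-map 10 set transform-set Trans
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
"""
IOS_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set cisco esp-des esp-md5-hmac
crypto map cisco 10 ipsec-isakmp
 set peer 202.100.1.1
 set transform-set cisco
 match address ***
ip access-list extended ***
 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
"""
WEAK_ISAKMP = {"encryption des", "encryption 3des", "hash md5", "group 1", "group 2", "group 5"}
WEAK_IPSEC = {"esp-des", "esp-3des", "esp-md5-hmac"}


def blocks(config):
    """Yield (top-level line, [indented sub-lines]); ASA and IOS configs both nest this way."""
    header, children = None, []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):
            children.append(line.strip())
            continue
        if header is not None:
            yield header, children
        header, children = line.strip(), []
    if header is not None:
        yield header, children


def parse(config):
    """Collect the ISAKMP policy, transform sets, crypto-map attributes and crypto ACLs."""
    info = {"isakmp": {}, "transform_sets": {}, "crypto_map": {"pfs": False}, "acls": {}}
    for header, children in blocks(config):
        w = header.split()
        if header.startswith("crypto isakmp policy"):
            for key, _, value in (c.partition(" ") for c in children):
                info["isakmp"][{"encr": "encryption"}.get(key, key)] = value  # IOS abbreviates "encr"
        elif header.startswith("crypto ipsec transform-set"):
            info["transform_sets"][w[3]] = frozenset(w[4:])
        elif header.startswith("crypto map") and w[3].isdigit():
            # ASA repeats "crypto map <name> <seq>" per attribute; IOS nests them under one header
            for attr in children or [" ".join(w[4:])]:
                a = attr.split()
                if a[:2] == ["set", "pfs"]:
                    info["crypto_map"]["pfs"] = True
                elif a[0] in ("match", "set"):
                    info["crypto_map"][a[1]] = a[2]  # keys seen here: address, peer, transform-set
        elif header.startswith("access-list") and w[2:5] == ["extended", "permit", "ip"]:
            info["acls"].setdefault(w[1], []).append(ace(*w[5:9]))  # ASA: subnet masks
        elif header.startswith("ip access-list extended"):  # IOS: wildcard masks
            info["acls"][w[3]] = [ace(*c.split()[2:6]) for c in children if c.startswith("permit ip")]
    return info


def ace(src, smask, dst, dmask):
    """ip_network reads a mask whose first octet is 0 as a hostmask (IOS wildcard), else as a netmask."""
    return tuple(ipaddress.ip_network(f"{a}/{m}", strict=False) for a, m in ((src, smask), (dst, dmask)))


def transform_set(info):
    return info["transform_sets"][info["crypto_map"]["transform-set"]]


def compare(left, right):
    """Return findings where the two ends do not mirror each other; an empty list means they agree."""
    out = [f"isakmp {k} differs" for k in ("authentication", "encryption", "hash", "group")
           if left["isakmp"].get(k) != right["isakmp"].get(k)]
    if transform_set(left) != transform_set(right):
        out.append("transform sets differ")
    if left["crypto_map"]["pfs"] != right["crypto_map"]["pfs"]:
        out.append("pfs configured on one side only")
    mirrored = {(dst, src) for src, dst in right["acls"][right["crypto_map"]["address"]]}
    if set(left["acls"][left["crypto_map"]["address"]]) != mirrored:
        out.append("crypto ACLs are not mirror images")
    return out


def weak_algorithms(info):
    """Sorted list of negotiated primitives that are considered weak by current standards."""
    found = [f"isakmp {k} {v}" for k, v in info["isakmp"].items() if f"{k} {v}" in WEAK_ISAKMP]
    return sorted(found + [f"ipsec {t}" for t in transform_set(info) if t in WEAK_IPSEC])
```

Calling compare(parse(ASA_CONFIG), parse(IOS_CONFIG)) on the page's configs yields a single finding, that PFS is configured on one side only; phase 1, the transform set and the crypto ACLs mirror each other once the wildcard ACL is normalized to the same prefix form. weak_algorithms() on either side returns every cipher, hash and DH group in use (DES, 3DES, MD5, group 2), which is what a reviewer would expect of an ASA 8.0(2)-era example.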

Reposted from: https://blog.51cto.com/ccie18405/1213881