
GNS3 Cisco IPsec VPN configuration example


R1 configuration notes: R1 only needs the IP addresses from the diagram configured on its interfaces.

!
version 12.4
!
hostname R1
!
interface FastEthernet0/0
ip address 211.81.208.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 211.81.209.1 255.255.255.0
duplex auto
speed auto
!
end

R2 configuration notes: R2 runs the c3660-telco-mz.124-15.T5.bin IOS image, with an NM-16ESW module added in slot 1 to simulate a switch; R3 simulates a switch the same way as R2.

!
version 12.4
!
hostname R2
!
interface FastEthernet0/0
ip address 11.1.1.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/10
switchport access vlan 2
!
interface Vlan1
no ip address
!
interface Vlan2
ip address 192.168.2.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 11.1.1.1
!
end

R3 configuration notes

!
version 12.4

!
hostname R3
!
interface FastEthernet0/0
ip address 12.1.1.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/10
switchport access vlan 2
!
interface Vlan1
no ip address
!
interface Vlan2
ip address 172.16.2.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 12.1.1.1
!
end

ASA1 configuration notes

: Saved
:
ASA Version 8.0(2)

!
hostname asa1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 211.81.208.2 255.255.255.0
!
interface Ethernet0/5
nameif inside
security-level 100
ip address 11.1.1.1 255.255.255.0
!
access-list icmp extended permit icmp any any
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list *** extended permit ip 192.168.2.0 255.255.255.0 172.16.2.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group icmp in interface outside
route outside 0.0.0.0 0.0.0.0 211.81.208.1 1
route inside 192.168.2.0 255.255.255.0 11.1.1.2 1
crypto ipsec transform-set set esp-des esp-md5-hmac
crypto map map 111 match address ***
crypto map map 111 set peer 211.81.209.2
crypto map map 111 set transform-set set
crypto map map interface outside
crypto isakmp enable outside
crypto isakmp policy 11
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
tunnel-group 211.81.209.2 type ipsec-l2l
tunnel-group 211.81.209.2 ipsec-attributes
pre-shared-key *
: end

ASA2 configuration notes

asa2# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname asa2
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 211.81.209.2 255.255.255.0
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
nameif inside
security-level 100
ip address 12.1.1.1 255.255.255.0
!
access-list icmp extended permit icmp any any
access-list nonat extended permit ip 172.16.2.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list *** extended permit ip 172.16.2.0 255.255.255.0 192.168.2.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group icmp in interface outside
route outside 0.0.0.0 0.0.0.0 211.81.209.1 1
route inside 172.16.2.0 255.255.255.0 12.1.1.2 1
crypto ipsec transform-set set esp-des esp-md5-hmac
crypto map map 111 match address ***
crypto map map 111 set peer 211.81.208.2
crypto map map 111 set transform-set set
crypto map map interface outside
crypto isakmp enable outside
crypto isakmp policy 11
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
!
tunnel-group 211.81.208.2 type ipsec-l2l
tunnel-group 211.81.208.2 ipsec-attributes
pre-shared-key *
: end

Detailed configuration procedure:

ASA1 configuration in detail:

1. Basic interface configuration

asa1(config)# interface ethernet 0/5
asa1(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
asa1(config-if)# security-level 100
asa1(config-if)# ip address 11.1.1.1 255.255.255.0
asa1(config-if)# no shutdown
asa1(config-if)# interface ethernet 0/0
asa1(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
asa1(config-if)# security-level 0
asa1(config-if)# ip address 211.81.208.2 255.255.255.0
asa1(config-if)# no shutdown

2. ASA NAT

asa1(config)# nat (inside) 1 0 0
asa1(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool

3. ASA routing

asa1(config)# route outside 0.0.0.0 0.0.0.0 211.81.208.1
asa1(config)# route inside 192.168.2.0 255.255.255.0 11.1.1.2

4. ACL on the ASA allowing ping from outside

asa1(config)# access-list icmp extended permit icmp any any
asa1(config)# access-group icmp in interface outside

Zone B is configured the same way as zone A, with the corresponding addresses changed!!

IPsec VPN configuration on ASA1 (only the asa1 steps are listed here; for asa2 see the ASA2 configuration notes)

1. Define the zone A to zone B traffic that goes through the VPN, and exempt it from NAT

asa1(config)# access-list nonat extended permit ip 192.168.2.0 255.255.255.0 172.16.2.0 255.255.255.0
asa1(config)# nat (inside) 0 access-list nonat

2. Enable ISAKMP

asa1(config)# crypto isakmp enable outside

3. Configure the phase 1 policy

asa1(config)# crypto isakmp policy 11
asa1(config-isakmp-policy)# authentication pre-share
asa1(config-isakmp-policy)# encryption 3des
asa1(config-isakmp-policy)# hash sha
asa1(config-isakmp-policy)# group 2
asa1(config-isakmp-policy)# lifetime 86400

4. Set the IPsec VPN type to LAN-to-LAN

asa1(config)# tunnel-group 211.81.209.2 type ipsec-l2l

5. Configure the pre-shared key used in phase 1

asa1(config)# tunnel-group 211.81.209.2 ipsec-attributes
asa1(config-tunnel-ipsec)# pre-shared-key xunshi

6. Configure the traffic that goes through the VPN

asa1(config)# access-list *** extended permit ip 192.168.2.0 255.255.255.0 172.16.2.0 255.255.255.0

7. Configure the phase 2 transform set

asa1(config)# crypto ipsec transform-set set esp-des esp-md5-hmac

8. Configure the phase 2 crypto map

asa1(config)# crypto map map 111 match address ***
asa1(config)# crypto map map 111 set peer 211.81.209.2
asa1(config)# crypto map map 111 set transform-set set
asa1(config)# crypto map map interface outside

Test:

R2#ping 172.16.2.1 source 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 120/138/168 ms
R2#

R3#ping 192.168.2.1 source 172.16.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/115/228 ms
R3#
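A consistency check for the two ASA configurations above, added here as an example and not part of the original post: it parses the crypto-map pieces that must mirror each other on a LAN-to-LAN pair (set peer against the other side's outside address, tunnel-group, the crypto ACL, the transform set) and flags the legacy esp-des and esp-md5-hmac algorithms this lab uses. The config excerpts are constructed from the page's values; the crypto ACL name, masked as *** in the post, is assumed to be l2l.

```python
import re

# Template for the crypto-map pieces of the page's ASA configs (constructed
# excerpt); the crypto ACL name, masked as *** in the post, is assumed to be "l2l".
TEMPLATE = """ nameif outside
 ip address {outside} 255.255.255.0
access-list l2l extended permit ip {src} 255.255.255.0 {dst} 255.255.255.0
crypto ipsec transform-set set esp-des esp-md5-hmac
crypto map map 111 match address l2l
crypto map map 111 set peer {peer}
crypto map map 111 set transform-set set
tunnel-group {peer} type ipsec-l2l
"""
ASA1 = TEMPLATE.format(outside="211.81.208.2", peer="211.81.209.2", src="192.168.2.0", dst="172.16.2.0")
ASA2 = TEMPLATE.format(outside="211.81.209.2", peer="211.81.208.2", src="172.16.2.0", dst="192.168.2.0")
WEAK = {"esp-des", "esp-md5-hmac"}  # legacy ESP algorithms worth flagging

def parse(cfg):
    """Extract the L2L settings that must agree with the remote peer."""
    d = {"outside": re.search(r"nameif outside\n ip address (\S+)", cfg).group(1),
         "peer": re.search(r"set peer (\S+)", cfg).group(1),
         "tunnel_group": re.search(r"tunnel-group (\S+) type ipsec-l2l", cfg).group(1)}
    ts = re.search(r"set transform-set (\S+)", cfg).group(1)
    d["transform"] = set(re.search(rf"^crypto ipsec transform-set {ts} (.+)$", cfg, re.M).group(1).split())
    acl = re.search(r"match address (\S+)", cfg).group(1)
    # (src, dst) pairs as "net mask" strings; the peer must carry the reversed pairs
    d["flows"] = set(re.findall(rf"^access-list {acl} extended permit ip (\S+ \S+) (\S+ \S+)$", cfg, re.M))
    return d

def check_pair(a_cfg, b_cfg):
    """Return findings for an ASA L2L pair; an empty list means the sides mirror cleanly."""
    a, b, findings = parse(a_cfg), parse(b_cfg), []
    for x, y, side in ((a, b, "A"), (b, a, "B")):
        if x["peer"] != y["outside"]:
            findings.append(f"{side}: set peer {x['peer']} is not the other side's outside address")
        if x["tunnel_group"] != x["peer"]:
            findings.append(f"{side}: tunnel-group {x['tunnel_group']} does not match set peer")
    if {(dst, src) for src, dst in a["flows"]} != b["flows"]:
        findings.append("crypto ACLs are not mirror images; phase 2 proxy IDs will not match")
    if a["transform"] != b["transform"]:
        findings.append("transform sets differ; no common IPsec proposal")
    for alg in sorted((a["transform"] | b["transform"]) & WEAK):
        findings.append(f"legacy algorithm in transform set: {alg}")
    return findings

if __name__ == "__main__":
    for f in check_pair(ASA1, ASA2) or ["OK: configs mirror each other"]:
        print(f)
```

Run as-is it reports only the two legacy-algorithm findings for this lab; change one side's peer or ACL and the mismatch is reported before the tunnel is ever brought up.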

Reposted from: https://blog.51cto.com/fendou929/1149019