思科防火墙ASA5520 ipsec 配置实例
发布网友
发布时间:2023-02-13 19:20
共1个回答
热心网友
时间:2023-09-11 14:24
ASA Local:
ASA Version 7.X
no names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 30.30.30.1 255.255.255.0
!--- This line allows the unicast of OSPF over the IPsec tunnel.
ospf network point-to-point non-broadcast
!--- This line is optional and not required for OSPF to work.
!--- Enable this option only if you want to enable MD5 digest for OSPF.
ospf message-digest-key 10 md5 cisco
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
enable password cisco encrypted
passwd cisco encrypted
hostname Local
ftp mode passive
!--- These access control list (ACL) entries define
!--- interesting traffic for IPsec encryption and allow
!--- the traffic to bypass NAT. Note that OSPF is permitted and only
!--- in the crypto ACL.
same-security-traffic permit intra-interface
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list outside_cryptomap_10 extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list outside_cryptomap_10 extended permit ospf interface outside host 40.40.40.2
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any echo inside
icmp permit any echo-reply inside
asdm image disk0:/asdm-502.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
!--- Do not translate traffic with NAT.
nat (inside) 0 access-list nonat
nat (inside) 10 10.10.10.0 255.255.255.0
!
!--- This is OSPF.
!--- Note: You must define the outside network of the remote peer.
router ospf 100
network 10.10.10.0 255.255.255.0 area 0
network 30.30.30.0 255.255.255.0 area 0
network 40.40.40.0 255.255.255.0 area 0
!--- This is where OSPF is told where the
!--- PEER is located.
neighbor 40.40.40.2 interface outside
log-adj-changes
!
!--- This is a host based static. This is not always
!--- necessary, but recommended to prevent recursive routing loops when
!--- OSPF comes up over the IPsec tunnel.
route outside 40.40.40.2 255.255.255.255 30.30.30.2 1
route outside 0.0.0.0 0.0.0.0 30.30.30.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 sunrpc 0:10:00
h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.4.50 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
!--- This is the IPsec and IKE/ISAKMP configuration.
!--- Make sure basic IPsec connectivity is present
!--- before you add in OSPF.
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 40.40.40.2
crypto map outside_map 10 set transform-set myset
crypto map outside_map 10 set security-association lifetime seconds 86400
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
tunnel-group 40.40.40.2 type ipsec-l2l
tunnel-group 40.40.40.2 ipsec-attributes
pre-shared-key cisco
class-map inspection_default
match default-inspection-traffic
policy-map asa_global_fw_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy asa_global_fw_policy global
Cryptochecksum:3d5f16a67ec0fa20aa3882acaa348e28
: end
ASA Remote:
ASA Version 7.X
no names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 40.40.40.2 255.255.255.0
!--- This line allows the unicast of OSPF over to
!--- the IPsec tunnel.
ospf network point-to-point non-broadcast
!--- This line is optional and not required for OSPF to work.
!--- Enable this option only if you want to enable MD5 digest for OSPF.
ospf message-digest-key 10 md5 cisco
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 20.20.20.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
enable password cisco encrypted
passwd cisco encrypted
hostname Remote
ftp mode passive
!--- These ACL entries define interesting traffic for IPsec encryption and allow
!--- the traffic to bypass NAT. Note that OSPF is permitted and only in the crypto ACL.
same-security-traffic permit intra-interface
access-list nonat extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list crypto extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list crypto extended permit ospf interface outside host 30.30.30.1
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any echo inside
icmp permit any echo-reply inside
asdm image disk0:/asdm-502.bin
no asdm history enable
arp timeout 14400
global (outside) 20 interface
!--- Do not translate traffic with NAT.
nat (inside) 0 access-list nonat
nat (inside) 20 20.20.20.0 255.255.255.0
!
!--- This is OSPF.
!--- Note: You must define the remote peer's outside network.
router ospf 100
network 20.20.20.0 255.255.255.0 area 0
network 30.30.30.0 255.255.255.0 area 0
network 40.40.40.0 255.255.255.0 area 0
!--- This is where the OSPF is told where the PEER is located.
neighbor 30.30.30.1 interface outside
log-adj-changes
!
!--- This is a host based static. This is not always necessary, but recommended to
prevent recursive routing loops when OSPF comes up over the IPsec tunnel.
route outside 0.0.0.0 0.0.0.0 40.40.40.1 1
route outside 30.30.30.1 255.255.255.255 40.40.40.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 sunrpc 0:10:00
h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.4.50 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
!--- This is the IPsec configuration. Make sure basic IPsec connectivity is present
before you add in OSPF.
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map * 10 match address crypto
crypto map * 10 set peer 30.30.30.1
crypto map * 10 set transform-set myset
crypto map * interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
tunnel-group 30.30.30.1 type ipsec-l2l
tunnel-group 30.30.30.1 ipsec-attributes
pre-shared-key cisco
class-map inspection_default
match default-inspection-traffic
policy-map asa_global_fw_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy asa_global_fw_policy global
Cryptochecksum:3d5f16a67ec0fa20aa3882acaa348e28
: end
