防火墙配置IPSec ***

topo图：

防火墙配置

FW1配置：

FW1(config)# inter g0
FW1(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
FW1(config-if)# ip address 10.1.1.254 255.255.255.0
FW1(config-if)# no shutdown
FW1(config-if)# inter g1
FW1(config-if)# nameif internet
INFO: Security level for "internet" set to 0 by default
FW1(config-if)# security-level 50
FW1(config-if)# ip address 10.2.2.254 255.255.255.0
FW1(config-if)# no shutdown
FW1(config-if)# inter g2
FW1(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
FW1(config-if)# ip address 200.0.0.1 255.255.255.0
FW1(config-if)# no shutdown
FW1(config-if)# q
测试：
FW1(config)# ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
FW1(config)# ping 10.2.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/10 ms
FW1(config)# ping 200.0.0.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.0.0.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms

配置IPSec ×××：

FW1(config)# route outside 0.0.0.0 0.0.0.0 200.0.0.2
FW1(config)# crypto ikev1 enable outside
FW1(config)# crypto ikev1 policy 1
FW1(config-ikev1-policy)# encryption aes
FW1(config-ikev1-policy)# hash sha
FW1(config-ikev1-policy)# authentication pre-share
FW1(config-ikev1-policy)# group 2
FW1(config-ikev1-policy)# q
FW1(config)# tunnel-group 200.0.0.2 type ipsec-l2l
FW1(config)# tunnel-group 200.0.0.2 ipsec-attributes
FW1(config-tunnel-ipsec)# ikev1 pre-shared-key hahui
FW1(config-tunnel-ipsec)# access-list 100 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
FW1(config)# crypto ipsec ikev1 transform-set hh-set esp-aes esp-sha-hmac
FW1(config)# crypto map hh-map 1 match address 100
FW1(config)# crypto map hh-map 1 set peer 200.0.0.2
FW1(config)# crypto map hh-map 1 set ikev1 transform-set hh-set
FW1(config)# crypto map hh-map interface outside
查看状态：

FW2配置：

ciscoasa(config)# hostname FW2
FW2(config)# inter g0
FW2(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
FW2(config-if)# ip address 192.168.1.254 255.255.255.0
FW2(config-if)# no shutdown
FW2(config-if)# inter g1
FW2(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
FW2(config-if)# ip address 200.0.0.2 255.255.255.0
FW2(config-if)# no shutdown
FW2(config-if)# q
测试：
FW2(config)# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
FW2(config)# ping 200.0.0.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.0.0.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/10 ms

配置IPSec ×××：

FW2(config)# route outside 0.0.0.0 0.0.0.0 200.0.0.1
FW2(config)# crypto ikev1 enable outside
FW2(config)# crypto ikev1 policy 1
FW2(config-ikev1-policy)# encryption aes
FW2(config-ikev1-policy)# hash sha
FW2(config-ikev1-policy)# authentication pre-share
FW2(config-ikev1-policy)# group 2
FW2(config-ikev1-policy)# q
FW2(config)# tunnel-group 200.0.0.1 type ipsec-l2l
FW2(config)# tunnel-group 200.0.0.1 ipsec-attributes
FW2(config-tunnel-ipsec)# ikev1 pre-shared-key hahui
FW2(config-tunnel-ipsec)# access-list 100 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
FW2(config)# crypto ipsec ikev1 transform-set hh-set esp-aes esp-sha-hmac
FW2(config)# crypto map hh-map 1 match address 100
FW2(config)# crypto map hh-map 1 set peer 200.0.0.1
FW2(config)# crypto map hh-map 1 set ikev1 transform-set hh-set
FW2(config)# crypto map hh-map interface outside
查看状态：

测试，client1 访问server1

配置PAT：

FW1(config)# object network ob-internet
FW1(config-network-object)# subnet 10.2.2.0 255.255.255.0
FW1(config-network-object)# nat (internet,outside) dynamic interface

抓包查看地址是否转换：（首先要允许icmp流量穿过防火墙）