ASA 5520 OS version:
Cisco Adaptive Security Appliance Software Version 8.4(3)
Device Manager Version 6.0(3)
Static site (site with a fixed IP):
crypto isakmp policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp enable outside
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key cisco123
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto dynamic-map ENCDOM-100-DYNMAP 10 set transform-set ESP-AES128-SHA
crypto map outside 100 ipsec-isakmp dynamic ENCDOM-100-DYNMAP
crypto map outside interface outside
Because the static site uses a crypto dynamic-map and relies on the existing IPsec SA for encryption, there is no need to define interesting traffic on this side;
object network LOCAL_SITE
subnet 172.26.0.0 255.255.0.0
object network REMOTE_SITE
subnet 172.20.12.0 255.255.255.0
nat (inside,outside) 1 source static LOCAL_SITE LOCAL_SITE destination static REMOTE_SITE REMOTE_SITE
NAT exemption in version 8.4(3), so that NAT does not interfere with IPsec traffic;
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Dynamic site (remote site with a dynamically assigned address):
crypto isakmp policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp enable outside
tunnel-group 218.6.244.39 type ipsec-l2l
tunnel-group 218.6.244.39 ipsec-attributes
pre-shared-key cisco123
access-list ENCDOM-100 permit ip 172.20.12.0 255.255.255.0 172.26.0.0 255.255.0.0 // defines the interesting traffic (the traffic to be encrypted)
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto map outside 100 match address ENCDOM-100
crypto map outside 100 set peer 218.6.244.39
crypto map outside 100 set transform-set ESP-AES128-SHA
crypto map outside interface outside
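Added here as an example (not the author's configuration or any Cisco tool): a small Python check that parses constructed excerpts of the two configurations above and flags the parameters that must agree before the tunnel can come up: the ISAKMP policy, the transform set and the pre-shared key, plus whether the dynamic site's crypto ACL mirrors the static site's NAT-exempt subnets.

```python
from ipaddress import ip_network

# Constructed excerpts of the two configs on this page (ASA indents sub-commands with one space).
STATIC = """crypto isakmp policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
 pre-shared-key cisco123
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
object network LOCAL_SITE
 subnet 172.26.0.0 255.255.0.0
object network REMOTE_SITE
 subnet 172.20.12.0 255.255.255.0"""
DYNAMIC = """crypto isakmp policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
 pre-shared-key cisco123
access-list ENCDOM-100 permit ip 172.20.12.0 255.255.255.0 172.26.0.0 255.255.0.0
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac"""

def parse(cfg):
    # Pull the phase 1 policy, PSK, transform set, object subnets and crypto ACL out of one config.
    d = {"policy": {}, "subnets": [], "acl": [], "psk": None, "transform": None}
    for line in cfg.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] in ("authentication", "encryption", "hash", "group", "lifetime"):
            d["policy"][w[0]] = w[1]
        elif w[0] == "pre-shared-key":
            d["psk"] = w[1]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            d["transform"] = tuple(w[4:])
        elif w[0] == "subnet":  # dotted masks are accepted by ip_network()
            d["subnets"].append(str(ip_network(f"{w[1]}/{w[2]}")))
        elif w[0] == "access-list" and w[3] == "ip":
            d["acl"] = [str(ip_network(f"{w[4]}/{w[5]}")), str(ip_network(f"{w[6]}/{w[7]}"))]
    return d

def mismatches(static_cfg, dynamic_cfg):
    # Return the reasons IKE phase 1 or phase 2 would fail between the two sites ([] means consistent).
    s, d = parse(static_cfg), parse(dynamic_cfg)
    problems = [f"{k} differs between sites" for k in ("policy", "transform", "psk") if s[k] != d[k]]
    # The dynamic site's ACL (src REMOTE, dst LOCAL) must be the mirror of the static site's LOCAL/REMOTE objects.
    if d["acl"] != s["subnets"][::-1]:
        problems.append("dynamic site crypto ACL does not mirror the static site's NAT-exempt subnets")
    return problems
```

Run `mismatches(STATIC, DYNAMIC)` after editing either side to see which parameter the peers would disagree on before touching the live boxes.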
IKEv1 feature configuration:
crypto isakmp disconnect-notify
Meaning of this command:
Remote access or LAN-to-LAN sessions can drop for several reasons, such as an ASA shutdown or
reboot, session idle timeout, maximum connection time exceeded, or administrator cut-off.
crypto isakmp reload-wait
Meaning of this command:
You can schedule an ASA reboot to occur only when all active sessions have terminated voluntarily. This
feature is disabled by default.
Corrections and suggestions are welcome!