ASA 5520IOS version 8.4 IKEv2 IPSEC ×××实验配置

 

1.实验TOP图如下:

ASA 5520(IOS version 8.4) IKEv2 IPSEC ***实验配置_第1张图片

2.实验目的:

使用IKEv2实现点到点的IPSEC×××通信,即本示例中192.168.1.100172.16.1.100之间实现×××通信。

 

3.具体配置如下:

ASA1配置

interfaceGigabitEthernet0

 nameif outside

 security-level 0

 ip address 11.1.1.2 255.255.255.0

!

interfaceGigabitEthernet1

 nameif inside

 security-level 100

 ip address 192.168.1.1 255.255.255.0

!

//以下是定义object,方便后面调用

objectnetwork Inside_network

 subnet 192.168.1.0 255.255.255.0

objectnetwork ***_address  //定义×××远端点的具体ip地址,即要实现点到点×××的点ip

 host 172.16.1.100

objectnetwork Inside_address  //定义×××本端点的具体ip地址,即要实现点到点×××的点ip

 host 192.168.1.100

access-list110 extended permit ip any any

access-list××× extended permit ip object Inside_address object ***_address //定义×××兴趣流

nat(inside,outside) source static Inside_address Inside_address destination static***_address ***_address  //×××数据流和NAT分离

!

objectnetwork Inside_network

 nat (inside,outside) dynamic interface  //设置PAT

access-group110 in interface outside

routeoutside 0.0.0.0 0.0.0.0 11.1.1.1 1

cryptoipsec ikev2 ipsec-proposal TRAN  //定义ipsec转换集

 protocol esp encryption aes-256

 protocol esp integrity md5

cryptomap TEST 10 match address ×××  //定义crypto map,此处的“×××”便是刚才创建的×××兴趣流的ACL的名称

cryptomap TEST 10 set peer 12.1.1.2 //设置×××对端出口ip

cryptomap TEST 10 set ikev2 ipsec-proposal TRAN  //调用刚才创建的ipsec转换集

cryptomap TEST interface outside  //将其运用到outside端口

cryptoikev2 policy 10  //定义ikev2策略

 encryption aes-256

 integrity sha256 md5

 group 2

 prf sha256 md5

 lifetime seconds 86400

cryptoikev2 enable outside //outside端口启用ikev2,这个很重要,如果不启用,其余都是浮云

tunnel-group12.1.1.2 type ipsec-l2l  //定义×××隧道,类型为ipsec-l2l

tunnel-group12.1.1.2 ipsec-attributes  //定义×××隧道属性

 ikev2 remote-authentication pre-shared-key cisco

 ikev2 local-authentication pre-shared-key cisco

 

 

ASA2配置:

interfaceGigabitEthernet0

 nameif outside

 security-level 0

 ip address 12.1.1.2 255.255.255.0

!

interfaceGigabitEthernet1

 nameif inside

 security-level 100

 ip address 172.16.1.1 255.255.255.0

objectnetwork Inside_network

 subnet 172.16.1.0 255.255.255.0

objectnetwork Inside_address

 host 172.16.1.100

objectnetwork ***_address

 host 192.168.1.100

access-list110 extended permit ip any any

access-list××× extended permit ip object Inside_address object ***_address

nat(inside,outside) source static Inside_address Inside_address destination static***_address ***_address

!

objectnetwork Inside_network

 nat (inside,outside) dynamic interface

access-group110 in interface outside

routeoutside 0.0.0.0 0.0.0.0 12.1.1.1 1

cryptoipsec ikev2 ipsec-proposal TRAN

 protocol esp encryption aes-256

 protocol esp integrity md5

cryptomap TEST 10 match address ×××

cryptomap TEST 10 set peer 11.1.1.2

cryptomap TEST 10 set ikev2 ipsec-proposal TRAN

cryptomap TEST interface outside

cryptoikev2 policy 10

 encryption aes-256

 integrity sha256 md5

 group 2

 prf sha256 md5

 lifetime seconds 86400

cryptoikev2 enable outside

tunnel-group11.1.1.2 type ipsec-l2l

tunnel-group11.1.1.2 ipsec-attributes

 ikev2 remote-authentication pre-shared-key cisco

 ikev2 local-authentication pre-shared-key cisco

!

 

4.验证:从192.168.1.100ping的结果,和172.16.1.100可以通,和172.16.1.200不通。

ASA 5520(IOS version 8.4) IKEv2 IPSEC ***实验配置_第2张图片

showcrypto ipsec sa的结果

ASA 5520(IOS version 8.4) IKEv2 IPSEC ***实验配置_第3张图片