I. Outline of the steps:

1. Configure each interface

2. Create the address pool and the username the clients need

3. Define the split-tunnel list

4. Create the IKE (ISAKMP) policy (phase 1)

5. Create the transform set (SA, phase 2)

6. Define the crypto map: first create a dynamic crypto map and associate it with the transform set, then bind the dynamic crypto map to a crypto map

7. Define and create the VPN client group policy

8. Define the tunnel group's general attributes and IPsec attributes, and apply the group policy defined above.


II. Detailed configuration parameters:

1. Configure the interfaces
2. Create the address pool and the username the clients need
  (1) asa(config)#username name password word   //configure an account and password
  (2) asa(config)#ip local pool poolname ipaddress-ipaddress  mask mask      //address pool for remote clients

3. Define the split-tunnel list
access-list no-nat extended permit ip 192.168.10.0 255.255.255.0 192.168.5.0 255.255.255.0          //define the VPN traffic
nat (inside) 0 access-list no-nat  //exempt the IPsec VPN traffic from NAT

access-list mis_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0   //split-tunnel traffic; the source here must be the firewall's inside network.

4. Create the IKE (ISAKMP) policy.
 crypto isakmp policy 10 authentication pre-share   //enter ISAKMP policy definition mode with policy number 10; authentication is pre-share (one of the three authentication methods)

 crypto isakmp policy 10 encryption des  //encryption algorithm for negotiation is DES (this command configures single DES; the keyword 3des selects 3DES)
 crypto isakmp policy 10 hash md5         //negotiation hash algorithm is MD5
 crypto isakmp policy 10 group 2          //Diffie-Hellman key exchange uses group 2
 crypto isakmp policy 10 lifetime 86400  //lifetime of the IKE policy (seconds)
 isakmp nat-traversal  20                 //enable NAT traversal (NAT keepalive interval 20 seconds)
5. Define the transform set
crypto ipsec transform-set myset esp-des esp-md5-hmac
//define a transform set named myset, with esp-des encryption and esp-md5-hmac authentication. Many encryption and authentication methods exist; these two are used here.
crypto ipsec security-association lifetime seconds 28800 //transform-set lifetime, in time
crypto ipsec security-association lifetime kilobytes 4608000 //transform-set lifetime, in bytes transferred

6. Define the crypto map
crypto dynamic-map outside_dyn_map 20 set transform-set myset //define the dynamic crypto map outside_dyn_map with sequence number 20 and add the transform set myset to it
crypto dynamic-map outside_dyn_map 20 set reverse-route     //enable reverse route injection
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map     //define the crypto map named outside_map with sequence number 65535 and bind the dynamic crypto map defined above to it

crypto map outside_map interface outside //bind the crypto map outside_map to the outside interface; this step is essential
crypto isakmp identity address          //use the interface IP address as the ISAKMP identity
crypto isakmp enable outside    //enable ISAKMP on the outside interface

7. Define and create the VPN client group policy
group-policy mis internal                     //define the VPN client group policy named mis, with the internal option
group-policy mis attributes                  //set the group policy attributes
 split-tunnel-policy tunnelspecified      //enable split tunneling, so the tunnel is used only for access to the company network. There are three split-tunnel policies; this is one of them.
tunnelspecified: the client may reach its local network and the internet; only traffic to the company's internal network goes through the tunnel
excludespecified: the client may only reach its own local network; internet traffic and traffic to the company's internal network both go through the tunnel
tunnelall: all client traffic goes through the tunnel

 split-tunnel-network-list value mis_splitTunnelAcl      //traffic protected by the split tunnel; mis_splitTunnelAcl is the split-tunnel access list defined above
 vpn-filter value filteracl          //filters certain VPN traffic, i.e. denies (or only permits) access to certain resources once a VPN client is inside the local network; filteracl is the name of the access list that defines the filter
 ipsec-udp enable      //IPsec uses a UDP port
 vpn-idle-timeout 30     //client idle timeout of 30 minutes (30 minutes is the default)



8. Define the tunnel group's general attributes and IPsec attributes, and apply the group policy defined above

tunnel-group mis type ipsec-ra                   //set the tunnel type to remote-access VPN
tunnel-group mis general-attributes           //set the tunnel group attributes
 address-pool vpnclient                       //address pool; the pool name defined above
 default-group-policy mis                     //set the default group policy
tunnel-group mis ipsec-attributes             //set the tunnel group's IPsec attributes
 pre-shared-key 71305                           //pre-shared key




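As an added example (not part of the original post), the following Python script checks a saved running-config for the cross-references that steps 5 to 8 rely on (crypto map, dynamic map, transform set, address pool, group policy, split-tunnel ACL) and flags the single-DES, MD5 and SSH v1 settings this write-up uses; the config text and the misnamed crypto map vpnmap are constructed for the demonstration.

```python
import re
# Constructed running-config excerpt (not the page's device), modelled on the page's
# steps 5-8; the names outside_map, outside_dyn_map, myset, mis, vpnclient and
# mis_splitTunnelAcl are the page's own; "vpnmap" reproduces the step-6 name slip.
SAMPLE_CONFIG = """\
ip local pool vpnclient 192.168.5.1-192.168.5.50 mask 255.255.255.0
access-list mis_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set myset
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map vpnmap interface outside
isakmp policy 10 encryption des
isakmp policy 10 hash md5
group-policy mis internal
 split-tunnel-network-list value mis_splitTunnelAcl
tunnel-group mis general-attributes
 address-pool vpnclient
 default-group-policy mis
ssh version 1
"""

# (reference pattern, definition pattern, label); group 1 captures the object name
REFERENCES = [
    (r"^crypto map (\S+) interface ", r"^crypto map (\S+) \d+ ipsec-isakmp", "crypto map"),
    (r"ipsec-isakmp dynamic (\S+)", r"^crypto dynamic-map (\S+) \d+ ", "dynamic map"),
    (r" set transform-set (\S+)", r"^crypto ipsec transform-set (\S+) ", "transform-set"),
    (r"^ address-pool (\S+)", r"^ip local pool (\S+) ", "address pool"),
    (r"^ default-group-policy (\S+)", r"^group-policy (\S+) internal", "group-policy"),
    (r"split-tunnel-network-list value (\S+)", r"^access-list (\S+) ", "split-tunnel ACL"),
]
# settings from this write-up that current ASA builds treat as weak or have removed
WEAK = {r"\bdes\b": "single DES", r"\bmd5\b": "MD5", r"^ssh version 1$": "SSH v1"}

def audit(config):
    """Return findings: dangling references (the VPN will not come up) and weak settings."""
    lines = config.splitlines()
    def names(pat):  # object names captured by pat across all config lines
        return {m.group(1) for m in map(lambda l: re.search(pat, l), lines) if m}
    findings = []
    for ref_pat, def_pat, what in REFERENCES:
        for name in sorted(names(ref_pat) - names(def_pat)):
            findings.append(f"undefined {what} referenced: {name}")
    for line in lines:
        for pat, label in WEAK.items():
            if re.search(pat, line):
                findings.append(f"weak setting ({label}): {line.strip()}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

Paste the output of show run into a file and pass its contents to audit() to check a real device; a dangling reference is exactly the failure mode of the crypto map name slip in step 6.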
III. Worked example (full configuration):

ciscoasa(config)# show run
: Saved
:
ASA Version 7.0(8)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 5tHlvHD3zNc8tf8s encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 218.107.xxx.xxx  255.255.255.248          //outside (public) address
!
interface Ethernet0/1
 nameif dmz
 security-level 50
 ip address 192.168.9.42 255.255.255.0
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 192.168.10.3 255.255.255.0                      //inside address
!
interface Management0/0
 nameif guanli
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
same-security-traffic permit inter-interface
access-list ICMP extended permit icmp any any                                    //permit ICMP packets through the outside interface
access-list denywww extended permit ip 192.168.10.0 255.255.255.192 any   //controls which inside addresses may reach the internet
access-list no-nat extended permit ip 192.168.10.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list no-nat extended permit ip 192.168.9.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list mis_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0   //split-tunnel configuration
access-list ftp extended permit tcp any interface outside eq ftp         //FTP server address mapping

pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu dmz 1500
mtu inside 1500
mtu guanli 1500
ip local pool vpnclient 192.168.5.1-192.168.5.50 mask 255.255.255.0     //client IP address pool
icmp permit any dmz
icmp permit any inside
asdm image disk0:/asdm-508.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (dmz) 0 access-list no-nat
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (inside) 1 192.168.10.0 255.255.255.0
static (inside,outside) tcp interface ftp 192.168.10.4 ftp netmask 255.255.255.255
access-group ftp in interface outside           //FTP server mapping, applied to the outside interface
access-group ICMP in interface dmz
access-group denywww in interface inside
route outside 0.0.0.0 0.0.0.0 218.107.xxx.xxx  1               //default route
route inside 192.168.9.0 255.255.255.0 192.168.9.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy mis internal                     //define the VPN client group policy
group-policy mis attributes
 split-tunnel-policy tunnelspecified      //enable split tunneling; the tunnel is used only for access to the company network
 split-tunnel-network-list value mis_splitTunnelAcl      //traffic protected by the split tunnel
 webvpn
username honyigroup password JGJnz3KpDlG3EiNK encrypted privilege 15
username elitek password 0EeiPx2DeaCfBhyF encrypted
aaa authentication telnet console LOCAL  
aaa authentication ssh console LOCAL
http server enable
http 192.168.10.19 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 guanli
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart


crypto ipsec transform-set myset esp-3des esp-sha-hmac //transform set definition
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set myset    //apply the transform set to the dynamic crypto map
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set reverse-route      //enable reverse route injection
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map   //bind the dynamic crypto map to the static crypto map
crypto map outside_map interface outside      //apply the static crypto map to the outside interface
isakmp identity address
isakmp enable outside                                //enable ISAKMP on the outside interface
isakmp enable inside
isakmp policy 10 authentication pre-share     //define the ISAKMP policy
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal  20
tunnel-group mis type ipsec-ra                   //set the tunnel type to remote-access VPN
tunnel-group mis general-attributes             //tunnel group attributes
 address-pool vpnclient                             //address pool
 default-group-policy mis                             //default group policy
tunnel-group mis ipsec-attributes
 pre-shared-key *                                      //pre-shared key

telnet 192.168.10.0 255.255.255.0 inside     //addresses allowed to telnet in
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 20
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
ssh version 1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 guanli
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable guanli
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
tftp-server inside 192.168.10.19 cisco/asa/asa_config
Cryptochecksum:5cc4c5a21352c4a85ebcb9c6facf26f5
: end