Brief description:
1. Two ASAs simulate the Internet edge of two enterprise sites; both do PAT and static mappings. ASA1 has a static IP mapping, and ASA2 has a static port mapping.
2. R1 simulates the public Internet: it only has IP addresses configured, with no routes at all.
3. A lan-to-lan IPsec tunnel is built between ASA1 and ASA2.
The detailed configurations follow:
ciscoasa1(config)# show run
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 100.1.1.2 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list ACL_IN extended permit ip any interface outside
access-list ACL_IN extended permit ip any host 100.1.1.3
access-list 1 standard permit 10.1.2.0 255.255.255.0
access-list no-nat extended permit ip 10.1.2.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat ## nat 0: addresses matched by list no-nat are exempt from NAT; this has the highest priority ##
nat (inside) 1 10.1.1.0 255.255.255.0
nat (inside) 1 10.1.2.0 255.255.255.0
static (inside,outside) 100.1.1.3 10.1.2.1 netmask 255.255.255.255 ## static mapping ##
access-group ACL_IN in interface outside
route outside 0.0.0.0 0.0.0.0 100.1.1.1 1
route inside 10.1.2.0 255.255.255.0 10.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set A-TO-B esp-3des esp-md5-hmac ## encryption transform set ##
crypto map |2| 1 match address no-nat ## this defines the tunnel (interesting) traffic ##
crypto map |2| 1 set peer 200.1.1.2 ## defines the peer address ##
crypto map |2| 1 set transform-set A-TO-B
crypto map |2| interface outside ## applies map |2| to the outside interface ##
crypto isakmp enable outside ## enable ISAKMP ##
crypto isakmp policy 1 ## this is the first policy set ##
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
tunnel-group 200.1.1.2 type ipsec-l2l ## defines the tunnel type ##
tunnel-group 200.1.1.2 ipsec-attributes ## defines the pre-shared key ##
pre-shared-key *
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
ciscoasa2(config)# show run
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa2
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 200.1.1.2 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list no-nat extended permit ip 192.168.2.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list ACL_IN extended permit ip any interface outside
access-list ACL_IN extended permit ip any host 200.1.1.3
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 192.168.2.0 255.255.255.0
static (inside,outside) tcp 200.1.1.3 50000 192.168.2.1 telnet netmask 255.255.255.255 # port mapping
access-group ACL_IN in interface outside
route outside 0.0.0.0 0.0.0.0 200.1.1.1 1
route inside 192.168.2.0 255.255.255.0 192.168.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set B-TO-A esp-3des esp-md5-hmac
crypto map |2| 1 match address no-nat
crypto map |2| 1 set peer 100.1.1.2
crypto map |2| 1 set transform-set B-TO-A
crypto map |2| interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
tunnel-group 100.1.1.2 type ipsec-l2l
tunnel-group 100.1.1.2 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
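As an added example (not part of the original post), a small Python check that reads the L2L-relevant lines of both ASA configs and verifies that the two sides agree: each `set peer` is the other side's outside address, the `nat 0` exemption ACL is the same ACL the crypto map matches on, and the two crypto ACLs are mirror images of each other. The config extracts are constructed from the values above; the function and key names are my own.

```python
import re

# Constructed extracts of the two ASA running-configs above (only the L2L-relevant lines).
ASA1 = """\
 nameif outside
 ip address 100.1.1.2 255.255.255.0
access-list no-nat extended permit ip 10.1.2.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list no-nat
crypto map |2| 1 match address no-nat
crypto map |2| 1 set peer 200.1.1.2"""
ASA2 = """\
 nameif outside
 ip address 200.1.1.2 255.255.255.0
access-list no-nat extended permit ip 192.168.2.0 255.255.255.0 10.1.2.0 255.255.255.0
nat (inside) 0 access-list no-nat
crypto map |2| 1 match address no-nat
crypto map |2| 1 set peer 100.1.1.2"""
ACE = re.compile(r"access-list (\S+) extended permit ip (\S+ \S+) (\S+ \S+)")
SINGLE = {"nat0": r"nat \(inside\) 0 access-list (\S+)",           # NAT exemption ACL
          "crypto_acl": r"crypto map \S+ \d+ match address (\S+)",  # interesting traffic
          "peer": r"crypto map \S+ \d+ set peer (\S+)"}

def parse(cfg):
    """Collect the settings that must agree between the two L2L peers."""
    d, cur = {"acl": {}}, None
    for s in (l.strip() for l in cfg.splitlines()):
        if m := ACE.match(s):                      # ACE -> (src net+mask, dst net+mask)
            d["acl"].setdefault(m[1], set()).add((m[2], m[3]))
        elif s.startswith("nameif "):
            cur = s.split()[1]
        elif s.startswith("ip address ") and cur == "outside":
            d["outside"] = s.split()[2]
        else:
            for k, pat in SINGLE.items():
                if m := re.match(pat, s):
                    d[k] = m[1]
    return d

def check_pair(a, b):
    """Return mismatches between the two sides; an empty list means consistent."""
    issues = []
    for me, other, tag in ((a, b, "ASA1"), (b, a, "ASA2")):
        if me.get("peer") != other.get("outside"):
            issues.append(f"{tag}: set peer does not match the other side's outside address")
        if me.get("nat0") != me.get("crypto_acl"):
            issues.append(f"{tag}: nat 0 exemption ACL differs from the crypto map ACL")
    mirrored = {(dst, src) for src, dst in b["acl"].get(b.get("crypto_acl"), set())}
    if a["acl"].get(a.get("crypto_acl"), set()) != mirrored:   # must be mirror images
        issues.append("crypto ACLs are not mirror images of each other")
    return issues
```

Running `check_pair(parse(ASA1), parse(ASA2))` on the lab's values returns an empty list; changing one peer address or the `nat 0` ACL on either side produces a corresponding issue.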
R1#
*Jun 21 01:46:58.507: %SYS-5-CONFIG_I: Configured from console by console
R1#show run
Building configuration...
Current configuration : 933 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
no ip domain lookup
no ip ips deny-action ips-interface
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 100.1.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/1
ip address 200.1.1.1 255.255.255.0
duplex auto
speed auto
!
ip classless
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
!
!
end
R1#
R2#show run
Building configuration...
Current configuration : 1120 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
no ip domain lookup
no ip ips deny-action ips-interface
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username cisco privilege 15 secret 5 $1$8WHo$7Rebm.rvyi21Gv6ob5EEt.
!
!
!
!
!
!
interface Loopback0
ip address 10.1.2.1 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 10.1.1.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/1
no ip address
shutdown
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.1
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login local
line vty 5 15
login local
!
!
end
R2#
R3#show run
Building configuration...
Current configuration : 1129 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
no ip domain lookup
no ip ips deny-action ips-interface
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username admin privilege 15 secret 5 $1$oJMg$QDFA9crs0VZdGL.x2Mw/F0
!
!
!
!
!
!
interface Loopback0
ip address 192.168.2.1 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 192.168.1.3 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/1
no ip address
shutdown
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login local
line vty 5 15
login local
!
!
end
R3#