拓扑如下:Cisco ASA-ASA 8.2-L2L VPN_第1张图片

简单说明:

1.两台ASA模拟企业公网出口,都对内网做了PAT;ASA1上另外做了一对一静态IP映射(100.1.1.3 → 10.1.2.1,即R2的Loopback0),ASA2上做了端口映射(200.1.1.3:50000 → 192.168.2.1:23,即R3的Telnet)。注意这两条映射配合 ACL_IN 中的 permit ip any 会把内部设备直接暴露给"公网",实验可以这样做,生产环境必须收紧。

2.R1模拟公网,只配置接口IP地址(100.1.1.1 和 200.1.1.1),不写任何路由——两个出口网段都是R1的直连网段,靠直连路由即可互通。

3.ASA1与ASA2之间建立 lan-to-lan IPsec VPN,感兴趣流量为 10.1.2.0/24 ↔ 192.168.2.0/24(R2与R3的Loopback网段),并通过 nat 0 做NAT豁免,使这部分流量不被PAT/静态映射改写。

以下为具体配置。说明两点:(1)虽然标题写的是8.2,但 show run 显示设备版本为 ASA 8.0(2),使用的是 8.3 之前的 nat/global/static 语法,8.3 及以后版本需要改写NAT部分;(2)示例中 IKE/IPsec 采用 3DES、MD5 和 DH group 2,只是实验参数,生产环境应换用 AES、SHA 和更大的DH组。

ciscoasa1(config)# show run
: Saved
:
! ---------------------------------------------------------------------------
! ciscoasa1 -- "site A" Internet edge for this lab.
! What this listing does:
!   * PAT of 10.1.1.0/24 and 10.1.2.0/24 to the outside interface address
!   * one-to-one static NAT 100.1.1.3 <-> 10.1.2.1 (R2's Loopback0)
!   * IPsec LAN-to-LAN tunnel to ciscoasa2 (peer 200.1.1.2) for
!     10.1.2.0/24 <-> 192.168.2.0/24, exempted from NAT via "nat 0"
! This is ASA 8.0(2): pre-8.3 NAT syntax (nat/global/static). It will not
! paste into 8.3+ without rewriting the NAT section.
! Lines beginning with "!" are comments and are ignored by the ASA parser.
! ---------------------------------------------------------------------------
ASA Version 8.0(2)
!
hostname ciscoasa1
! NOTE(review): this hash appears to be the ASA factory default (empty
! enable password); set a real enable password before any non-lab use.
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 100.1.1.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown    
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
! NOTE(review): this hash appears to be the ASA factory-default login
! password ("cisco"); change it before enabling any remote management.
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
! Inbound policy for the outside interface (bound by access-group below).
! Both entries permit EVERY IP protocol from ANY source:
!   - to the outside interface address itself (100.1.1.2)
!   - to the static 100.1.1.3, i.e. straight through to R2's 10.1.2.1
! SECURITY: far wider than the lab needs. Narrow it to the protocol/port that
! must actually be reachable (e.g. "permit tcp any host 100.1.1.3 eq telnet")
! and, if possible, to known source addresses. The IPsec tunnel itself does
! not rely on these lines: IKE/ESP terminating on the ASA is to-the-box
! traffic, which an interface access-group does not filter (verify on this
! release).
access-list ACL_IN extended permit ip any interface outside
access-list ACL_IN extended permit ip any host 100.1.1.3
! Standard ACL "1" is defined but not referenced anywhere in this listing.
access-list 1 standard permit 10.1.2.0 255.255.255.0
! VPN "interesting traffic": 10.1.2.0/24 -> 192.168.2.0/24. This one ACL
! serves both as the NAT-exemption list (nat 0) and the crypto-map match
! list, which keeps the two in sync. Keep it that way: any entry added here
! for NAT reasons is also sent into the tunnel. ciscoasa2 carries the mirror
! image (192.168.2.0/24 -> 10.1.2.0/24).
access-list no-nat extended permit ip 10.1.2.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
! PAT pool 1 = the outside interface address (100.1.1.2).
global (outside) 1 interface
! "nat 0" with an ACL = NAT exemption: traffic matching "no-nat" (the VPN
! traffic) is not translated. On pre-8.3 code NAT exemption is evaluated
! before static and before the nat/global pairs, so it wins for tunnel
! traffic even though 10.1.2.1 also has a static below.
nat (inside) 0 access-list no-nat
! Everything else from these two inside subnets is PAT'd to the outside address.
nat (inside) 1 10.1.1.0 255.255.255.0
nat (inside) 1 10.1.2.0 255.255.255.0
! One-to-one static: public 100.1.1.3 <-> R2 Loopback0 10.1.2.1. Combined
! with ACL_IN above this exposes every port on R2 to the outside.
static (inside,outside) 100.1.1.3 10.1.2.1 netmask 255.255.255.255
access-group ACL_IN in interface outside
! Default route to R1 (the simulated Internet); 10.1.2.0/24 lives behind R2.
route outside 0.0.0.0 0.0.0.0 100.1.1.1 1
route inside 10.1.2.0 255.255.255.0 10.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
! No "logging enable" appears in this listing, so syslog is off. Traps are
! enabled below but no snmp-server host is configured, so they go nowhere.
! Enable logging (with a syslog target) before using this outside a lab.
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! ---- IPsec LAN-to-LAN to ciscoasa2 ----
! Phase 2 transform set. 3DES and HMAC-MD5 are legacy algorithms (3DES is
! exposed to Sweet32-style birthday attacks, MD5 is deprecated); prefer
! "esp-aes-256 esp-sha-hmac", both available on this release.
crypto ipsec transform-set A-TO-B esp-3des esp-md5-hmac
! Crypto map entry 1: traffic matching "no-nat" is protected to peer
! 200.1.1.2 with transform set A-TO-B, and the map is bound to outside.
! (The map name renders here as "|2|"; that looks like a formatting artefact
! of the page -- confirm the real name is a plain identifier.)
crypto map |2| 1 match address no-nat
crypto map |2| 1 set peer 200.1.1.2
crypto map |2| 1 set transform-set A-TO-B
crypto map |2| interface outside
! Enable IKEv1 on the outside interface.
crypto isakmp enable outside
! Phase 1 policy 1 (lowest number is tried first): PSK auth, 3DES, MD5,
! 1024-bit DH (group 2). All three are weak by current standards -- use AES,
! SHA, and the largest DH group this release supports (group 5 on 8.0;
! group 14 needs a later release -- verify).
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

! Policy 65535 appears to be the ASA-generated default fallback; it is only
! consulted if policy 1 does not match the peer's proposal.
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
! No "telnet <src> <mask> <ifc>" or "ssh <src> <mask> <ifc>" lines are present,
! so no remote management is reachable -- console only. "console timeout 0"
! means an idle console session never expires.
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
! L2L tunnel group keyed on the peer address. The PSK is masked in
! "show run" (it can still be read with "more system:running-config", so
! treat saved copies of this file as secrets). Use a long random key, not a
! dictionary word, and use a different key per peer.
tunnel-group 200.1.1.2 type ipsec-l2l
tunnel-group 200.1.1.2 ipsec-attributes
 pre-shared-key *

prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end


ciscoasa2(config)# show run
: Saved
:
! ---------------------------------------------------------------------------
! ciscoasa2 -- "site B" Internet edge for this lab; mirror of ciscoasa1.
! What this listing does:
!   * PAT of 192.168.1.0/24 and 192.168.2.0/24 to the outside address
!   * static port forward 200.1.1.3:50000 -> 192.168.2.1:23 (R3 Telnet)
!   * IPsec LAN-to-LAN tunnel to ciscoasa1 (peer 100.1.1.2) for
!     192.168.2.0/24 <-> 10.1.2.0/24, exempted from NAT via "nat 0"
! ASA 8.0(2): pre-8.3 NAT syntax (nat/global/static).
! Lines beginning with "!" are comments and are ignored by the ASA parser.
! ---------------------------------------------------------------------------
ASA Version 8.0(2)
!
hostname ciscoasa2
! NOTE(review): same hash as on ciscoasa1; appears to be the factory default
! (empty enable password). Set a real one before non-lab use.
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 200.1.1.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown    
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
! NOTE(review): appears to be the factory-default login password ("cisco").
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
! VPN "interesting traffic", the mirror of ciscoasa1's list. Used both for
! NAT exemption (nat 0) and as the crypto-map match list.
access-list no-nat extended permit ip 192.168.2.0 255.255.255.0 10.1.2.0 255.255.255.0
! Inbound policy on outside: any IP protocol from any source to the outside
! address and to 200.1.1.3. Only TCP/50000 on 200.1.1.3 is actually
! published (static below), so this should be tightened to at least
! "permit tcp any host 200.1.1.3 eq 50000" (pre-8.3 ACLs match the mapped
! address/port) and ideally to known source addresses. The "interface
! outside" entry is not needed for IKE/ESP, which is to-the-box traffic.
access-list ACL_IN extended permit ip any interface outside
access-list ACL_IN extended permit ip any host 200.1.1.3
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
! PAT pool 1 = the outside interface address (200.1.1.2).
global (outside) 1 interface
! NAT exemption for tunnel traffic; evaluated before the static and the
! nat/global pairs on pre-8.3 code.
nat (inside) 0 access-list no-nat
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 192.168.2.0 255.255.255.0
! Port forward: outside TCP 200.1.1.3:50000 -> R3 Loopback0 192.168.2.1:23.
! A non-standard port is not access control: Telnet is cleartext, so the
! privilege-15 credentials configured on R3 cross the "Internet" unprotected.
! If remote access to R3 is really needed, use SSH on R3 and restrict sources
! in ACL_IN.
static (inside,outside) tcp 200.1.1.3 50000 192.168.2.1 telnet netmask 255.255.255.255
access-group ACL_IN in interface outside
! Default route to R1 (simulated Internet); 192.168.2.0/24 lives behind R3.
route outside 0.0.0.0 0.0.0.0 200.1.1.1 1
route inside 192.168.2.0 255.255.255.0 192.168.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
! No "logging enable" in this listing -- syslog is off; traps are enabled but
! no snmp-server host is configured. Turn logging on before real use.
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! ---- IPsec LAN-to-LAN to ciscoasa1 ----
! Phase 2: 3DES/HMAC-MD5 are legacy; prefer "esp-aes-256 esp-sha-hmac".
! Both peers must use the same algorithms, so change A-TO-B on ciscoasa1 too.
crypto ipsec transform-set B-TO-A esp-3des esp-md5-hmac
! Crypto map entry 1: protect "no-nat" traffic to peer 100.1.1.2 with B-TO-A.
! (Map name renders as "|2|" -- likely a page formatting artefact; verify.)
crypto map |2| 1 match address no-nat
crypto map |2| 1 set peer 100.1.1.2
crypto map |2| 1 set transform-set B-TO-A
crypto map |2| interface outside
crypto isakmp enable outside
! Phase 1 policy 1: PSK, 3DES, MD5, DH group 2 (1024-bit) -- all weak by
! current standards; use AES, SHA and the largest DH group this release
! supports, matching the change on ciscoasa1.
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

! Policy 65535 appears to be the ASA-generated default fallback.
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
! No telnet/ssh permit statements present, so management is console only;
! the console session never times out.
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
! L2L tunnel group keyed on the peer address; the PSK must be identical to
! the one on ciscoasa1. It is masked here but readable via
! "more system:running-config" -- handle saved configs as secrets.
tunnel-group 100.1.1.2 type ipsec-l2l
tunnel-group 100.1.1.2 ipsec-attributes
 pre-shared-key *

prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end



R1#
*Jun 21 01:46:58.507: %SYS-5-CONFIG_I: Configured from console by console
R1#show run
Building configuration...

Current configuration : 933 bytes
!
! R1 -- stands in for the Internet between the two ASAs. It only has the two
! directly connected /24s (100.1.1.0 and 200.1.1.0); with IP routing on by
! default, the connected routes are enough to forward between the two ASA
! outside interfaces. No static or dynamic routes are configured on purpose.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
! Type-7 obfuscation is off. Harmless here only because R1 has no passwords
! at all; keep "service password-encryption" on in any real config.
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!        
!
no ip domain lookup
no ip ips deny-action ips-interface
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!        
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
! Link to ciscoasa1's outside (100.1.1.2).
interface FastEthernet1/0
 ip address 100.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
! Link to ciscoasa2's outside (200.1.1.2).
interface FastEthernet1/1
 ip address 200.1.1.1 255.255.255.0
 duplex auto
 speed auto
!        
ip classless
! HTTP/HTTPS management disabled -- good.
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
! Lab convenience: the console session never times out.
line con 0
 exec-timeout 0 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
! No password and no "login local" on the vtys. IOS refuses remote logins to
! a vty that has "login" (the default) but no password set, so these lines
! are effectively closed -- but as a side effect, not a policy. Add
! "transport input none" (or a real login method) if R1 ever becomes
! reachable from anything untrusted.
line vty 0 4
!
!
end

R1#


R2#show run
Building configuration...

Current configuration : 1120 bytes
!
! R2 -- site A inside router. Loopback0 (10.1.2.1/24) is the "LAN" that
! ciscoasa1 sends through the tunnel and also maps 1:1 to 100.1.1.3, so this
! router's vtys are reachable from the outside through that static.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
! Type-7 obfuscation is off; no "password" lines exist here (only "secret"),
! so nothing is currently stored in clear text.
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!        
!
no ip domain lookup
no ip ips deny-action ips-interface
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
! Local account with full privilege (15). "secret 5" is a salted MD5 hash --
! the strongest type this IOS release offers (type 8/9 hashes need a newer
! image); compensate with a long password. Since ciscoasa1 publishes this
! router at 100.1.1.3, this account is effectively Internet-facing in the lab.
username cisco privilege 15 secret 5 $1$8WHo$7Rebm.rvyi21Gv6ob5EEt.
!
!
!
!        
!
!
! The protected subnet 10.1.2.0/24 (VPN interesting traffic on ciscoasa1).
interface Loopback0
 ip address 10.1.2.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
! Link to ciscoasa1's inside (10.1.1.1).
interface FastEthernet1/0
 ip address 10.1.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip classless
! Default route toward ciscoasa1; it returns 10.1.2.0/24 via "route inside".
ip route 0.0.0.0 0.0.0.0 10.1.1.1
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!        
gatekeeper
 shutdown
!
!
! Lab convenience: the console session never times out.
line con 0
 exec-timeout 0 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
! vtys authenticate against the local user database, but "transport input"
! is left at its default, so cleartext Telnet is accepted. Given the 1:1
! static on ciscoasa1, prefer "transport input ssh" (needs "ip domain-name"
! and an RSA key) plus an "access-class" limiting source addresses.
line vty 0 4
 login local
line vty 5 15
 login local
!
!
end

R2#


R3#show run
Building configuration...

Current configuration : 1129 bytes
!
! R3 -- site B inside router. Loopback0 (192.168.2.1/24) is the "LAN" that
! ciscoasa2 sends through the tunnel; ciscoasa2 also forwards outside TCP
! 200.1.1.3:50000 to this router's Telnet port.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
! Type-7 obfuscation is off; only "secret" lines exist here, so nothing is
! currently stored in clear text.
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!        
!
no ip domain lookup
no ip ips deny-action ips-interface
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
! Local privilege-15 account; "secret 5" (salted MD5) is the strongest type
! on this release, so use a long password. Because ciscoasa2 publishes this
! router's Telnet on 200.1.1.3:50000, this account is reachable from the
! "Internet" in the lab -- over a cleartext protocol.
username admin privilege 15 secret 5 $1$oJMg$QDFA9crs0VZdGL.x2Mw/F0
!
!
!
!        
!
!
! The protected subnet 192.168.2.0/24 (VPN interesting traffic on ciscoasa2)
! and the port-forward target.
interface Loopback0
 ip address 192.168.2.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
! Link to ciscoasa2's inside (192.168.1.1).
interface FastEthernet1/0
 ip address 192.168.1.3 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip classless
! Default route toward ciscoasa2; it returns 192.168.2.0/24 via "route inside".
ip route 0.0.0.0 0.0.0.0 192.168.1.1
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!        
gatekeeper
 shutdown
!
!
! Lab convenience: the console session never times out.
line con 0
 exec-timeout 0 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
! vtys use local authentication but accept Telnet (default transport). This
! is the service exposed through ciscoasa2's port forward, so credentials
! cross the "Internet" in clear text. Prefer "transport input ssh" (needs
! "ip domain-name" and an RSA key) and an "access-class" on the vtys.
line vty 0 4
 login local
line vty 5 15
 login local
!
!
end

R3#