转载——Cisco ASA5510防火墙IP secure 配置
小鸟前几天遇到要修改防火墙超时时间和生命时间,特意找文档看了下,现在分享给碰壁的童靴
原地址 :http://wenku.baidu.com/view/e8bda8c56137ee06eff918b0.html
1、IPSECIPSEC VPN
VPN 基本配置基本配置
access-list nono--nat extended permit ip 192.168.222.0 255.255.255.0 172.16.100.0 255.255.255.0 定义VPN数据流
nat (inside) 0 access-list nono--nat 设置IPSEC VPN数据不作nat翻译
ip local pool --pool 172.16.100.1-172.16.100.100 mask 255.255.255.0 划分地址池,用于VPN用户拨入之后分配的地址
crypto ipsec transform-set set esp-des esp-md5-hmac 定义一个变换集myset,用esp-md5加密的
crypto dynamic-map dymap 10 set transform-set set 把set添加到动态加密策略dynmap
crypto dynamic-map dymap 10 set reverse-route 设置路由反转
crypto map map 10 ipsec-isakmp dynamic dymapdymap 把动态加密策略绑定到map动态加密图上
crypto map map interface outside 把动态加密图map绑定到outside口
crypto isakmp identity address
crypto isakmp enable outside outside接口启用isakmp
crypto isakmp policy 10 //进入isakmp的策略定义模式
authentication pre-share //使用pre-shared key进行认证
encryption des //定义协商用DES加密算法(与前面对应,这里使用des,而不是3des)
hash md5 //定义协商用md5加密算法(和前面一样,网上使用的是sha,我这里为了配合前面的sp-md5-hmac,而使用md5)
group 2 //定义协商组为2,标准有1、2、3、5等多组,主要用于块的大小和生命时间等
lifetime 86400 //定义生命时间
group-policy whjt internal 定义策略组(用于想进入的)想要运用策略组就必须用默认的策略组名,否则无法激活该组
group-policy whjt attributes //定义策略组属性
-idle-timeout 1800 //设置VPN超时时间为1800秒
tunnel-group whjt type ipsec-ra 建立VPN 远程登入(即使用隧道分离)组
tunnel-group whjt general-attributes 定义隧道组"whjt"属性
address-pool -pool 将VPN client地址池绑定到"whjt"隧道组
username test password testtest 设定用户名和密码
authentication-server-group (outside) LOCAL 本地认证服务组(本条命令没用)
default-group-policy whjt 默认策略组为whjt
tunnel-group whjt ipsec-attributes 定义whjt组IPSec的属性
pre-shared-key 730211 定义共享密钥为:730211
isakmp nat-traversal 20
//每20秒向VPN对端发送一个包来防止中间PAT设备的PAT超时,就相当于路由器中的 isakmp keepalive threshold 20
retry 2 在生存时间监控前,设备被允许空闲20秒,发现生存时间没有响应后,2秒钟内重试
sysopt connection permit-
通过使用sysopt connect命令,我们告诉ASA准许SSL/IPsec客户端绕过接口的访问列表(未加此命令会出现可以ping能内网地址,但不能访问内网服务,比如23、80等端口)
2、开启隧道分离
access-list vpsplitnsplitnsplit standard permit 192.168.222.0 255.255.255.0 //注意源地址为ASA的inside网络地址
group-policy whjt attributes //定义策略组属性
split-tunnel-policy tunnelspecifiedtunnelspecified //建立隧道分离策略为tunnelspecified
split-tunnel-network-list value split //与split匹配的网络将全部使用隧道分离 注1:如要实现VPN用户能ping通ASA的inside口,即192.168.222.1192.168.222.1,,可以可以在在防火墙中加入如下命令防火墙中加入如下命令::
managementmanagement--access insideaccess inside
注2:如果远程用户上互联网是通过nat方式上网方式上网((所有宽带用户都通过同一个公网IP访问外部访问外部),),那么通那么通过如下命令可穿越natnat:: crypto isakmp natcrypto isakmp nat--traversal 20 //缺省keepalives时间20秒
3、客户端的配置
我使用的客户端是Cisco VPN Client 5.0,配置如下图: Host:ASA外网口IP,组账号:whjt ,密码:730211
配置好后,连接VPN,会弹出下面对话框,输入远程用户的用户名和密码,上例均为test
ASA5510
test# sh run
:
Saved :
ASA Version 8.0(2)
!
hostname test
domain-name test.net
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.65.222.1 255.255.128.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.222.1 255.255.255.0
!
interface Ethernet0/2 shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3 shutdown
no nameif
no security-level
no ip address
!
interface Management0/0 shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name test.net
access-list 101 extended permit icmp any any
access-list nono--nat extended permit ip 192.168.222.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list split standard permit 192.168.222.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool --pool 172.16.100.1-172.16.100.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 10.65.222.100 netmask 255.255.128.0
nat (inside) 0 access-list no--nat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 10.65.156.27 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http 192.168.0.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set set esp-des esp-md5-hmac
crypto dynamic-map dymap 10 set transform-set set
crypto dynamic-map dymap 10 set reverse-route
crypto map map 10 ipsec-isakmp dynamic dymap
crypto map mamapp interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
authentication pre-share encryption des hash md5 group 2
lifetime 86400
telnet 192.168.222.0 255.255.255.0 inside
telnet timeout 5
ssh 10.65.128.0 255.255.128.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 1 console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
!
!
group-policy whjt internal
group-policy whjt attributes
-idle-timeout 1800 //我在实际中一般用3600000,时间长些不易掉线
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
username test password 4ttSyrm33SV8TYp encrypted
tunnel-group whjt type remote-access
tunnel-group whjt general-attributes
address-pool --pool
default-group-policy whjt
tunnel-group whjt ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 20 retry 2
prompt hostname context
Cryptochecksum:6f13b4f4e5c0d5f0a08f0f86be414b16
: end