ASA 防火墙站点到站点 VPN+NAT-T 一、试验拓扑图 ASA1 ASA2 R1 R2 ASA1 ASA2 PAT ISP 192.168.1.2/24 192.168.1.1/24 E0/0 outside 10.1.1.2/24 inside F0/0 F0/1 E0/0 outside 200.1.1.2/24 E0/3 inside 192.168.2.1/24 192.168.2.3/24 10.1.1.1/24 100.1.1.1/24 二、试验目的: 实现两个 ASA 设备之间站点到站点 VPN 连接的建立,并且可以由内向外,由外向内 都可以主动发起 IPSEC 的协商,中间经过了 PAT 设备。 三、试验步骤: 1、基本的配置 asa-1# show running-config interface Vlan1 nameif inside security-level 100 ip address 192.168.1.1 255.255.255.0 interface Vlan2 nameif outside security-level 0 ip address 10.1.1.2 255.255.255.0 interface Ethernet0/0 switchport access vlan 2 interface Ethernet0/3 switchport access vlan 1 route outside 0.0.0.0 0.0.0.0 10.1.1.1 access-list 100 extended permit icmp any any access-group 100 in interface outside 批注 [U1]: 默认路由 让经过的流量 可以出去 批注 [U2]: 为了测试用,工作中要开 放相应的流量即可 PAT#show running-config interface FastEthernet0/0 ip address 10.1.1.1 255.255.255.0 ip nat inside interface FastEthernet0/1 ip address 100.1.1.1 255.255.255.0 ip nat outside ip route 0.0.0.0 0.0.0.0 100.1.1.2 ip route 192.168.1.0 255.255.255.0 10.1.1.2 ISP#show running-config interface FastEthernet0/0 ip address 100.1.1.2 255.255.255.0 interface FastEthernet0/1 ip address 200.1.1.1 255.255.255.0 asa-2# show running-config interface Vlan1 nameif inside security-level 100 ip address 192.168.2.1 255.255.255.0 interface Vlan2 nameif outside security-level 0 ip address 200.1.1.2 255.255.255.0 interface Ethernet0/0 switchport access vlan 2 interface Ethernet0/3 switchport access vlan 1 access-list 100 extended permit icmp any any access-group 100 in interface outside nat (inside) 1 192.168.2.0 255.255.255.0 global (outside) 1 interface route outside 0.0.0.0 0.0.0.0 200.1.1.1 1 2、内网 PAT 设备的配置 access-list 1 permit 10.1.1.0 0.0.0.255 access-list 1 permit 192.168.1.0 0.0.0.255 ip nat inside source list 1 interface FastEthernet0/1 overload 批注 [U3]: 内部接口 批注 [U4]: 外部接口 批注 [U5]: 外网默认路由 批注 [U6]: 内网路由 批注 [U7]: 模拟互联网 批注 [U8]: 测试用 批注 [U9]: PAT 配置,内网可以访问 外网 批注 [U10]: 外网路由 批注 [U11]: 实现内部用户访问互联 网 ip nat inside source static udp 10.1.1.2 500 200.1.1.1 500 extendable ip nat inside source static udp 10.1.1.2 4500 200.1.1.1 4500 extendable 3、双方 VPN 设备的策略配置 asa-1# show running-config crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption des hash sha group 5 lifetime 10000 access-list vpn extended permit ip host 192.168.1.2 host 192.168.2.3 tunnel-group 200.1.1.2 type ipsec-l2l tunnel-group 200.1.1.2 ipsec-attributes pre-shared-key cisco crypto ipsec transform-set aaa esp-des esp-sha-hmac crypto map cisco 10 match address vpn crypto map cisco 10 set peer 200.1.1.2 crypto map cisco 10 set transform-set aaa crypto map cisco interface outside crypto isakmp nat-traversal asa-2# show running-config crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption des hash sha group 5 lifetime 10000 access-list vpn extended permit ip host 192.168.2.3 host 192.168.1.2 tunnel-group 100.1.1.1 type ipsec-l2l tunnel-group 100.1.1.1 ipsec-attributes pre-shared-key cisco crypto ipsec transform-set aaa esp-des esp-sha-hmac crypto map cisco 10 match address vpn 批注 [U12]: 静态映射 ISAKMP 的端 口 UDP 500 和 NAT-T 的端口 UDP 4500,以便双方的 IPSEC 连接和数据 可以互通 批注 [微软用户13]: 启用 isakmp,防 火墙默认不启用 批注 [微软用户14]: 第一阶段策略 批注 [微软用户15]: 感兴趣的流量 批注 [微软用户16]: 预共享密钥的配 置,防火墙也支持以前的老命令: crypto key cisco address peer-address 批注 [微软用户17]: 第二阶段策略 批注 [微软用户18]: Map 设置并应用 到外部接口 批注 [微软用户19]: 启用 NAT-T,路由 器默认启用,而防火墙默认没有启用 crypto map cisco 10 set peer 100.1.1.1 crypto map cisco 10 set transform-set aaa crypto map cisco interface outside crypto isakmp nat-traversal 主要还是要把最基本的 ipsecVPN 原理理解透彻,其他都是万变不离其宗。