WZ-2A10-SAS5525-0938# show running-config
: Saved
:
: Serial Number: FCH17307098
: Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(2)
!
hostname WZ-2A10-SAS5525-0938
enable password $sha512$5000$HztVSx0o3cSsFEoY7TKS8A==$lJrGN+VDV6hYZDCSxnx4SQ== pbkdf2
names
ip local pool vpnpool 10.254.232.1-10.254.232.254 mask 255.255.255.0
ip local pool idcicpvpnpool 192.168.41.100-192.168.41.199 mask 255.255.255.0   ### VPN local address pools; the name and the IP range are your choice
!
interface GigabitEthernet0/0
 description To:2A10-0457-G1/0/41
 nameif outside   ### defined as the outside (Internet-facing) zone
 security-level 0   ### level 0-100; the higher the value, the more trusted the zone; this is the Internet-facing zone, so 0
 ip address 173.248.xxx.xx 255.255.xxx.xxx
!
interface GigabitEthernet0/1
 description To:2A10-0457-G1/0/42
 nameif inside   ### defined as the inside zone (internal network)
 security-level 100
 ip address 10.2.32.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management   ### this is the management port (a dedicated Ethernet port)
 security-level 100
 ip address 192.168.232.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit intra-interface   ### by default the firewall does not allow traffic to enter and leave through the same interface (e.g. in via outside and out via outside is classed as abnormal traffic); this command allows traffic in and out of the same interface zone
object network in-net
 subnet 10.2.32.0 255.255.255.248
object network remote-net1
object network vpn-net
 subnet 10.254.232.0 255.255.255.0
object network idcicpvpn-net   ### these are the NAT address ranges
 subnet 192.168.41.0 255.255.255.0
access-list vpn-traffic standard permit 10.2.32.0 255.255.255.0
access-list topnet extended permit ip any host 10.2.32.2
access-list topnet extended permit ip any host 10.2.32.3
access-list topnet extended permit ip any host 10.2.32.4
access-list topnet extended permit icmp any any
access-list no-nat extended permit ip 10.2.32.0 255.255.255.0 192.168.41.0 255.255.255.0   ### create the interesting traffic (the inside network reaching the vpn-pool address range) that maps to the no-NAT rule; in effect the inside network can reach the address range of clients dialled in over VPN directly
pager lines 24
logging enable
logging timestamp
logging buffer-size 102400
logging buffered warnings
logging asdm informational
logging host outside 173.248.xxx.xxx   ### this address is set the same as the SNMP one
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static in-net in-net destination static vpn-net vpn-net route-lookup
nat (inside,outside) source static in-net in-net destination static idcicpvpn-net idcicpvpn-net route-lookup   ### exempt the interesting traffic defined earlier from NAT; only then can the internal network be reached normally. At this point a client that dials in and receives an IP from the vpn-pool can already talk to the inside network
!
object network in-net
 nat (inside,outside) dynamic interface
object network idcicpvpn-net
 nat (outside,outside) dynamic interface   ### the settings for dial-in clients that need to reach external sites such as Google are all outside: traffic enters and leaves on the Internet side
access-group topnet in interface outside
route outside 0.0.0.0 0.0.0.0 173.248.xxx.xxx 1   ### this is the default route
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
snmp-server host outside 173.248.xx.xx community ***** version 2c   ### allow SNMP from the specified IP
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set vpnset esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set idcicpvpnset esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map dymap 50000 set ikev1 transform-set vpnset
crypto dynamic-map dymap 50000 set security-association lifetime seconds 86400
crypto dynamic-map dymap 50000 set reverse-route
crypto dynamic-map idcicpdymap 50001 set ikev1 transform-set idcicpvpnset
crypto dynamic-map idcicpdymap 50001 set security-association lifetime seconds 86400   ### note: default setting
crypto dynamic-map idcicpdymap 50001 set reverse-route   ### means the route goes back out the way it came in
crypto map vpnmap 10000 ipsec-isakmp dynamic dymap
crypto map vpnmap 10001 ipsec-isakmp dynamic idcicpdymap   ### only one static map is possible, unlike the dynamic maps above, which can be created freely; once vpnmap is created here with priority ID 10, the static map can reference several dynamic maps, just give them different priorities
crypto map vpnmap interface outside   ### apply the static map to the egress interface outside
crypto ca trustpool policy
crypto ikev1 enable outside   ### enable IKEv1 (or another ISAKMP version) on the egress interface
crypto ikev1 policy 10
 authentication pre-share   ### authentication method: pre-shared key
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 173.248.x.0 255.255.255.0 outside   ### allow SSH remote access from the specified range
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 10
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy mygroup internal   ### split-tunnel policy; there are three kinds, here tunnel-specified split is chosen
group-policy mygroup attributes
 dns-server value 8.8.8.8
 vpn-idle-timeout 720
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn-traffic   ### only traffic matching the ACL above is put into the VPN tunnel
group-policy idcicpgrouppolicy internal   ### create the group policy mygrouppolicy
group-policy idcicpgrouppolicy attributes
 dns-server value 8.8.8.8   ### define the DNS parameter handed out to clients
 vpn-idle-timeout 1800
 split-tunnel-policy tunnelall   ### no split tunnelling: all traffic goes into the tunnel; this group policy is for Internet access, unlike the other group policy mygroup
dynamic-access-policy-record DfltAccessPolicy
username test01 password $sha512$5000$fmWat2hp9BXoMCdrxH3O2g==$4P78z0G/ZPXZKTdVusCP3A== pbkdf2
username hydz01 password $sha512$5000$BwTlllmTZC6K7xQrHAAYyg==$gOgaxlaxp2q7BVD8t/l58w== pbkdf2
username admin password $sha512$5000$kVWg+pCWjCdGFWJ74Z+Uew==$2ra3lBuFlpAdEJjsxT0sIg== pbkdf2
username topdata password $sha512$5000$/LpLPZcYgLv9U0t4jI2yeA==$s1wfz4vTvKhj35NLgv7lxQ== pbkdf2 privilege 15
tunnel-group hangyidianzi type remote-access
tunnel-group hangyidianzi general-attributes
 address-pool vpnpool
 default-group-policy mygroup
tunnel-group hangyidianzi ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 300 retry 5
tunnel-group idcicpmygroup type remote-access   ### create the tunnel group
tunnel-group idcicpmygroup general-attributes
 address-pool idcicpvpnpool   ### bind to the address pool defined earlier
 default-group-policy idcicpgrouppolicy   ### the default group policy references idcicpgrouppolicy
tunnel-group idcicpmygroup ipsec-attributes
 ikev1 pre-shared-key *****   ### group key, needed when logging in
 isakmp keepalive threshold 301 retry 5
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:888d6f380050265e5c38fb64a5d4b5cb
: end
WZ-2A10-SAS5525-0938#
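The comments in the config above describe two things that have to agree for each remote-access profile to work: the identity NAT that keeps inside-to-pool traffic out of the dynamic PAT, and, for a tunnelall policy, the (outside,outside) dynamic PAT together with same-security-traffic permit intra-interface. The Python script below is an added example, not part of the original post and not a Cisco tool: it parses a running-config in the layout shown above into those facts, audits every tunnel-group for a missing no-NAT rule or hairpin PAT, and flags the IKEv1 policy values that are deprecated today (3DES, MD5, DH groups 1 and 2). The embedded sample config is constructed from the one above, with the identity NAT for idcicpvpn-net left out on purpose so the audit has something to report; the parser only understands the command forms that appear on this page.

```python
# Added example (not the page author's code): audit an ASA remote-access VPN running-config.
import ipaddress

# Constructed sample trimmed from the page's config; the identity NAT for idcicpvpn-net
# is deliberately left out (the page's own config has it) so the audit has a finding.
SAMPLE_CONFIG = """\
ip local pool vpnpool 10.254.232.1-10.254.232.254 mask 255.255.255.0
ip local pool idcicpvpnpool 192.168.41.100-192.168.41.199 mask 255.255.255.0
same-security-traffic permit intra-interface
object network vpn-net
 subnet 10.254.232.0 255.255.255.0
object network idcicpvpn-net
 subnet 192.168.41.0 255.255.255.0
nat (inside,outside) source static in-net in-net destination static vpn-net vpn-net route-lookup
object network in-net
 nat (inside,outside) dynamic interface
object network idcicpvpn-net
 nat (outside,outside) dynamic interface
crypto ikev1 policy 10
 encryption 3des
 hash md5
 group 2
group-policy mygroup attributes
 split-tunnel-policy tunnelspecified
group-policy idcicpgrouppolicy attributes
 split-tunnel-policy tunnelall
tunnel-group hangyidianzi general-attributes
 address-pool vpnpool
 default-group-policy mygroup
tunnel-group idcicpmygroup general-attributes
 address-pool idcicpvpnpool
 default-group-policy idcicpgrouppolicy
"""
# IKEv1 proposal values the audit flags: 3DES, MD5 and the 1024-bit DH groups are deprecated.
WEAK_IKEV1 = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}


def parse_blocks(text):
    # Group each indented sub-command (as a token list) under the unindented command before it.
    blocks = []
    for raw in text.splitlines():
        if raw.strip() and raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.split())
        elif raw.strip():
            blocks.append((raw.split(), []))
    return blocks


def parse_asa(text):
    # Pull out only the facts the audit needs; the command forms are those seen on the page.
    cfg = {"pools": {}, "objects": {}, "exempt": set(), "hairpin": set(), "intra_interface": False,
           "ikev1": {}, "group_policy": {}, "tunnel_group": {}}
    for head, body in parse_blocks(text):
        cmd = " ".join(head)
        if cmd.startswith("ip local pool "):                 # name at [3], range at [4], mask at [6]
            start = head[4].split("-")[0]
            cfg["pools"][head[3]] = ipaddress.ip_network(f"{start}/{head[6]}", strict=False)
        elif cmd == "same-security-traffic permit intra-interface":
            cfg["intra_interface"] = True
        elif cmd.startswith("object network "):
            for sub in body:
                if sub[0] == "subnet":
                    cfg["objects"][head[2]] = ipaddress.ip_network(f"{sub[1]}/{sub[2]}", strict=False)
                elif sub[0] == "nat" and sub[-2:] == ["dynamic", "interface"]:
                    ingress, egress = sub[1].strip("()").split(",")
                    if ingress == egress:                    # e.g. (outside,outside): hairpin PAT
                        cfg["hairpin"].add(head[2])
        elif head[0] == "nat" and head[2:4] == ["source", "static"]:
            if head[4] == head[5] and head[8] == head[9]:    # real == mapped both sides: no-NAT rule
                cfg["exempt"].add((head[4], head[8]))
        elif cmd.startswith("crypto ikev1 policy "):
            cfg["ikev1"].update({sub[0]: sub[1] for sub in body if len(sub) == 2})
        elif head[0] == "group-policy" and head[-1] == "attributes":
            cfg["group_policy"].update({head[1]: sub[1] for sub in body if sub[0] == "split-tunnel-policy"})
        elif head[0] == "tunnel-group" and head[-1] == "general-attributes":
            cfg["tunnel_group"][head[1]] = {sub[0]: sub[1] for sub in body if len(sub) == 2}
    return cfg


def audit(cfg):
    # Return human-readable findings; an empty list means every check passed.
    findings = []
    for tg, attrs in cfg["tunnel_group"].items():
        pool = attrs.get("address-pool")
        policy = cfg["group_policy"].get(attrs.get("default-group-policy"))
        obj = next((n for n, net in cfg["objects"].items() if net == cfg["pools"].get(pool)), None)
        if obj is None or not any(dst == obj for _, dst in cfg["exempt"]):
            findings.append(f"{tg}: no identity NAT from inside to pool {pool}; that traffic "
                            "falls through to the dynamic PAT")
        if policy == "tunnelall" and obj not in cfg["hairpin"]:
            findings.append(f"{tg}: tunnelall but pool {pool} has no (outside,outside) dynamic PAT")
        if policy == "tunnelall" and not cfg["intra_interface"]:
            findings.append(f"{tg}: tunnelall needs same-security-traffic permit intra-interface")
    for key, weak in WEAK_IKEV1.items():
        if cfg["ikev1"].get(key) in weak:
            findings.append(f"ikev1 policy: weak {key} {cfg['ikev1'][key]}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_asa(SAMPLE_CONFIG)):
        print(finding)
```

Run it as-is to audit the sample, or replace SAMPLE_CONFIG with the output of show running-config. The ASA accepts a profile whose no-NAT rule is missing without complaint; clients simply cannot reach inside hosts, so a check like this is the quickest way to confirm that the pool, the identity NAT and the hairpin PAT still match each other after an edit.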

ASA5520 remote IPsec VPN configuration

Enable ISAKMP on the interfaces:
crypto isakmp enable outside
crypto isakmp enable outside2

Create the ISAKMP policy:
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200

Define group policy 1:
group-policy vpnclient_policy internal
group-policy vpnclient_policy attributes
 dns-server value 10.75.131.65 219.148.204.66
 group-lock value it@lncrland
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn-split-tunnel

Define group policy 2:
group-policy ipsec_vpn_policy internal
group-policy ipsec_vpn_policy attributes
 dns-server value 10.75.131.65 219.148.204.66
 group-lock value lncrland
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn-split-tunnel

Define the RADIUS server:
aaa-server ipsec_vpn_auth protocol radius
aaa-server ipsec_vpn_auth (inside) host 10.75.131.199
 key *****

Define the address pools:
ip local pool ipsec_vpn_pool 10.75.133.1-10.75.133.254 mask 255.255.254.0
ip local pool it_vpn_pool 10.75.132.101-10.75.132.255 mask 255.255.254.0

Define the split-tunnel networks:
access-list vpn-split-tunnel standard permit 172.17.0.0 255.255.0.0
access-list vpn-split-tunnel standard permit 172.16.0.0 255.255.0.0
access-list vpn-split-tunnel standard permit 10.0.0.0 255.0.0.0
access-list vpn-split-tunnel standard permit 192.200.40.0 255.255.255.0
access-list vpn-split-tunnel standard permit 172.20.0.0 255.255.0.0
access-list vpn-split-tunnel standard permit 172.18.0.0 255.255.0.0
access-list vpn-split-tunnel standard permit 172.19.0.0 255.255.0.0
access-list vpn-split-tunnel standard permit 172.21.0.0 255.255.0.0

Define tunnel group (connection profile) 1:
tunnel-group it@lncrland type remote-access
tunnel-group it@lncrland general-attributes
 address-pool it_vpn_pool
 authentication-server-group ipsec_vpn_auth LOCAL
 default-group-policy vpnclient_policy
tunnel-group it@lncrland ipsec-attributes
 pre-shared-key *****

Define tunnel group (connection profile) 2:
tunnel-group lncrland type remote-access
tunnel-group lncrland general-attributes
 address-pool ipsec_vpn_pool
 authentication-server-group ipsec_vpn_auth LOCAL
 default-group-policy ipsec_vpn_policy
tunnel-group lncrland ipsec-attributes
 pre-shared-key *****
!
Define the IPsec policy:
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac

Define the dynamic crypto map:
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route

Define the static crypto map:
crypto map mymap 1 ipsec-isakmp dynamic dyn1

Apply the static crypto map:
crypto map mymap interface outside
crypto map mymap interface outside2

Troubleshooting command:
show vpn-sessiondb detail