CISCO ASA5500 firewall: dynamic VPN configuration

Preface: In recent years, as information networks have kept developing, more and more companies have built VPN networks. Some large companies have already built VPN networks linking headquarters with branches and representative offices, but the investment was too high. Now that VPN technology has matured, dynamic VPN is used more and more, and more and more such products are on the market. However, in some large companies the headquarters firewall is a Cisco ASA, while branches usually have no dedicated firewall; some representative offices in particular have no leased line and no fixed IP address and reach the Internet only by dynamic ADSL dial-up. If headquarters and such an office need a site-to-site VPN, a dynamic VPN is required, and the ASA5500 series currently supports site-to-site VPN only with a static peer IP, so the dynamic VPN can instead be built between the router at the office or branch and the headquarters ASA firewall.
Environment: Headquarters: LAN --> core switch --> ASA5510 firewall --> fiber leased line to the Internet
       Branch or office: LAN --> switch --> Cisco 2611 router --> ADSL modem to the Internet
Configuration steps: headquarters ASA5510 configuration
ASA Version 7.2(1)
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 203.132.90.89 255.255.255.252
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.3.254 255.255.255.0

! ACL 120 permits any inbound traffic on the outside interface (applied by access-group below)
access-list 120 extended permit ip any any
! ACL 110 is the VPN traffic: HQ LAN <-> office LAN; it is also used to exempt that traffic from NAT
access-list 110 extended permit ip 192.168.3.0 255.255.255.0 172.16.1.0 255.255.255.0
asdm image disk0:/asdm505.bin
global (outside) 1 interface
! nat 0: traffic matching ACL 110 is not translated, so private addresses cross the tunnel
nat (inside) 0 access-list 110
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 120 in interface outside
route outside 0.0.0.0 0.0.0.0 203.132.90.90 1
snmp-server enable traps snmp authentication linkup linkdown coldstart
! phase 2: transform set attached to a dynamic crypto map, since the office peer address is not known in advance
crypto ipsec transform-set xp esp-des esp-sha-hmac
crypto dynamic-map cmldynamic 10 set transform-set xp
crypto map jiangmap 10 ipsec-isakmp dynamic cmldynamic
crypto map jiangmap interface outside
! phase 1: must match the router's isakmp policy
isakmp enable outside
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400

! pre-shared key configured under the default tunnel group (the key is masked in the original)
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
Note: the two lines above differ from the PIX configuration.
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:72bd465cd632f344fec7ebe02a5a27ed
: end

Office Cisco 2611 router configuration:
ip nbar pdlm flash:bittorrent.pdlm
!
!
vpdn enable
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
!
! phase 1: pre-shared key bound to the ASA's outside address
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key xin%909988 address 203.132.90.89
!
! phase 2: same transform set as the ASA
crypto ipsec transform-set jiangset esp-des esp-sha-hmac
!
! static crypto map: the peer is the ASA, the VPN traffic is selected by ACL 110
crypto map jiangmap 20 ipsec-isakmp
 set peer 203.132.90.89
 set transform-set jiangset
 match address 110
!
mta receive maximum-recipients 0
!
!
class-map match-all bittorrent
 match protocol bittorrent
!
policy-map cmlqos
 class bittorrent
  drop
!
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 service-policy output cmlqos
!
interface FastEthernet0/1
 no ip address
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username dg50987634 password 7 121C58495740435F55
 crypto map jiangmap
!
ip nat inside source list 120 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 1 permit 172.16.1.0 0.0.0.255
! crypto ACL: traffic from the office LAN to the HQ LAN goes into the tunnel (mirror of the ASA's ACL 110)
access-list 110 permit ip 172.16.1.0 0.0.0.255 192.168.3.0 0.0.0.255
! NAT ACL: VPN traffic is denied here, i.e. not translated; everything else is overloaded on Dialer1
access-list 120 deny ip 172.16.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 120 permit ip 172.16.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
call rsvp-sync
!
mgcp profile default
!
dial-peer cor custom
!
end
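The tunnel only comes up if the two configurations above agree with each other: the router's crypto ACL 110 must be the mirror image of the ASA's NAT-exemption ACL 110, the router's peer and pre-shared-key addresses must be the ASA's outside address, and the phase 1 and phase 2 algorithms must match. The script below is an added example (it is not part of the original post and not Cisco's code) that parses those lines out of the two configurations and checks them, and also lists the DES and DH group 1 settings that a practitioner would want to replace today. The two config snippets are constructed from the values on the page, with the pre-shared key replaced by a placeholder; the checker only inspects explicit lines, so the router's `crypto isakmp policy 1`, which sets nothing beyond `authentication pre-share` and therefore takes its encryption, hash and DH group from IOS defaults, contributes no findings.

```python
"""Consistency and hygiene check for the two ends of the site-to-site IPsec tunnel.

Added example, not code from the original post. Parses the crypto-relevant
lines of the ASA and IOS configurations, verifies that the router's crypto ACL
mirrors the ASA's NAT-exemption ACL and that the router points at the ASA's
outside address, and flags deprecated algorithms that appear explicitly.
"""
import ipaddress
import re

# Constructed from the headquarters ASA5510 configuration on the page.
ASA_CFG = """\
access-list 110 extended permit ip 192.168.3.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list 110
crypto ipsec transform-set xp esp-des esp-sha-hmac
crypto dynamic-map cmldynamic 10 set transform-set xp
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash sha
isakmp policy 9 group 1
"""
ASA_OUTSIDE_IP = "203.132.90.89"  # ip address of the ASA's outside interface on the page

# Constructed from the office Cisco 2611 configuration on the page (key replaced by a placeholder).
IOS_CFG = """\
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key PSK-PLACEHOLDER address 203.132.90.89
crypto ipsec transform-set jiangset esp-des esp-sha-hmac
crypto map jiangmap 20 ipsec-isakmp
 set peer 203.132.90.89
 set transform-set jiangset
 match address 110
access-list 110 permit ip 172.16.1.0 0.0.0.255 192.168.3.0 0.0.0.255
"""

ASA_ACL = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
IOS_ACL = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
PEER_REFS = re.compile(r"^(?:set peer|crypto isakmp key \S+ address) (\S+)$")
# Settings flagged as deprecated; each line is checked against every pattern.
WEAK = [
    (re.compile(r"\besp-(?:des|3des)\b"), "ESP DES/3DES"),
    (re.compile(r"\besp-md5-hmac\b"), "ESP HMAC-MD5"),
    (re.compile(r"\bencryption (?:des|3des)$"), "IKE DES/3DES"),
    (re.compile(r"\bhash md5$"), "IKE MD5"),
    (re.compile(r"\bgroup [12]$"), "DH group 1/2"),
]


def _net(addr, mask, wildcard=False):
    """Build a network from an address plus a subnet mask or an IOS wildcard mask."""
    if wildcard:  # IOS ACLs use the inverted form: 0.0.0.255 means /24
        mask = str(ipaddress.ip_address(~int(ipaddress.ip_address(mask)) & 0xFFFFFFFF))
    return ipaddress.ip_network(f"{addr}/{mask}")


def parse_acl(cfg, acl_id, style):
    """Return [(src_net, dst_net), ...] for one ACL written in 'asa' or 'ios' syntax."""
    pattern, wildcard = (ASA_ACL, False) if style == "asa" else (IOS_ACL, True)
    pairs = []
    for line in cfg.splitlines():
        m = pattern.match(line.strip())
        if m and m.group(1) == acl_id:
            pairs.append((_net(m.group(2), m.group(3), wildcard),
                          _net(m.group(4), m.group(5), wildcard)))
    return pairs


def acls_mirror(asa_pairs, ios_pairs):
    """True when every ASA entry appears on the router with src and dst swapped.

    Non-mirrored selectors are the usual reason phase 2 fails even though phase 1 is up.
    """
    return set(asa_pairs) == {(dst, src) for src, dst in ios_pairs}


def peer_refs(cfg):
    """Every address the router uses as its IKE peer or pre-shared-key binding."""
    refs = set()
    for line in cfg.splitlines():
        m = PEER_REFS.match(line.strip())
        if m:
            refs.add(m.group(1))
    return refs


def weak_settings(cfg):
    """List deprecated crypto settings, in the order their lines appear."""
    findings = []
    for line in cfg.splitlines():
        line = line.strip()
        findings += [label for pat, label in WEAK if pat.search(line)]
    return findings


def run_checks():
    """Run all checks against the two constructed configurations."""
    asa = parse_acl(ASA_CFG, "110", "asa")
    ios = parse_acl(IOS_CFG, "110", "ios")
    return {
        "acls_mirror": acls_mirror(asa, ios),
        "peer_ok": peer_refs(IOS_CFG) == {ASA_OUTSIDE_IP},
        "asa_weak": weak_settings(ASA_CFG),
        "ios_weak": weak_settings(IOS_CFG),
    }


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(f"{name}: {value}")
```

For the configurations on the page the ACL and peer checks pass, and both sides are flagged for `esp-des`, with the ASA additionally flagged for `encryption des` and `group 1`. The same parser works for a changed office ACL: if the router's ACL 110 named a different LAN, `acls_mirror` would return False before anyone spends time on IKE debugging.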

posted on 2011-08-31 10:46 by 青蛙學堂, reads (432), comments (0), category: Hardware Encyclopedia
