Lab
Topology diagram:
Command configuration:
R1:
R1(config)#int f0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#ex
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.254
R2:
R2(config)#int f0/0
R2(config-if)#ip address 192.168.11.2 255.255.255.0
R2(config-if)#no shutdown
R2(config)#int f1/0
R2(config-if)#ip address 192.168.23.2 255.255.255.0
R2(config-if)#no shutdown
R2(config)#int f2/0
R2(config-if)#ip address 192.168.34.2 255.255.255.0
R2(config-if)#no shutdown
R3:
R3(config)#int f0/0
R3(config-if)#ip address 192.168.23.3 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#ex
R3(config)#ip route 0.0.0.0 0.0.0.0 192.168.23.2
R4:
R4(config)#int f0/0
R4(config-if)#ip address 192.168.34.4 255.255.255.0
R4(config-if)#no sh
R4(config)#int f1/0
R4(config-if)#ip address 192.168.190.2 255.255.255.0
R4(config-if)#no sh
R4(config-if)#exit
R4(config)#ip route 0.0.0.0 0.0.0.0 192.168.34.2
Router NAT port multiplexing (PAT overload):
R4(config)#access-list 10 permit any
R4(config)#ip nat inside source list 10 interface f0/0 overload
R4(config)#interface f1/0 // inside interface
R4(config-if)#ip nat inside
R4(config-if)#int f0/0 // outside interface
R4(config-if)#ip nat outside
ASA-1:
ciscoasa(config)# int e0/0
ciscoasa(config-if)# nameif inside // define the inside interface
ciscoasa(config-if)# ip address 192.168.1.254 255.255.255.0
ciscoasa(config-if)# no sh
ciscoasa(config)# int e0/1
ciscoasa(config-if)# nameif outside // define the outside interface
ciscoasa(config-if)# ip address 192.168.11.254 255.255.255.0
ciscoasa(config-if)# no sh
ciscoasa(config-if)# exit
ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 192.168.11.2 // default route towards the outside
Create a user and password:
ciscoasa(config)# username benet password abc-123
Create the VPN ACL that permits the tunnelled traffic:
ciscoasa(config)# access-list vpn_acl extended permit ip any any
Define the address pool vpn_pool:
ciscoasa(config)# ip local pool vpn_pool 192.168.210.10-192.168.210.200
Create the IKE (ISAKMP) policy:
ciscoasa(config)# crypto isakmp enable outside
ciscoasa(config)# crypto isakmp policy 10
ciscoasa(config-isakmp-policy)# authentication pre-share
ciscoasa(config-isakmp-policy)# encryption 3des
ciscoasa(config-isakmp-policy)# hash sha
ciscoasa(config-isakmp-policy)# group 2
ciscoasa(config-isakmp-policy)# lifetime 86400
ciscoasa(config-isakmp-policy)# exit
Create the group policy and associate the ACL with it:
ciscoasa(config)# group-policy vpn_group internal
ciscoasa(config)# group-policy vpn_group attributes
ciscoasa(config-group-policy)# split-tunnel-policy tunnelspecified
ciscoasa(config-group-policy)# split-tunnel-network-list value vpn_acl
ciscoasa(config-group-policy)# exit
Create the tunnel group and associate the group policy with it:
ciscoasa(config)# tunnel-group benet_group type remote-access
ciscoasa(config)# tunnel-group benet_group general-attributes
ciscoasa(config-tunnel-general)# address-pool vpn_pool
ciscoasa(config-tunnel-general)# default-group-policy vpn_group
ciscoasa(config-tunnel-general)# tunnel-group benet_group ipsec-attributes
ciscoasa(config-tunnel-ipsec)# pre-shared-key abc-123
ciscoasa(config-tunnel-ipsec)# exit
Create the transform set:
ciscoasa(config)# crypto ipsec transform-set benet esp-3des esp-sha-hmac
Create the dynamic map (it must reference the transform set created above, named benet, not the tunnel group):
ciscoasa(config)# crypto dynamic-map benet_dymap 1 set transform-set benet
Create the static crypto map and bind the dynamic map to it:
ciscoasa(config)# crypto map benet_map 1000 ipsec-isakmp dynamic benet_dymap
Apply the crypto map to the interface:
ciscoasa(config)# crypto map benet_map interface outside
Finally, test from host 192.168.190.101 by pinging R1 on the PC side.
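A mismatch between the name a crypto map references and the name an object was created with is the most common reason a configuration like the one above compiles cleanly on the ASA yet never brings a tunnel up. The following cross-reference check is an added example, not part of the original lab or any Cisco tooling: it parses pasted ASA-style lines (prompts and `//` comments included), records which ACLs, pools, group policies, transform sets and dynamic maps are defined, and reports every reference to a name that was never defined. The sample config embedded in it is constructed from the lab's crypto section with the transform-set reference deliberately misspelled.

```python
# Added example (not part of the original lab): a cross-reference check for
# the ASA VPN config above. It records the objects each command defines and
# flags any reference to an object that was never defined.
import re
DEFS = {  # object kind -> command that defines it
    "acl": re.compile(r"^access-list (\S+) "),
    "pool": re.compile(r"^ip local pool (\S+) "),
    "group-policy": re.compile(r"^group-policy (\S+) internal$"),
    "transform-set": re.compile(r"^crypto ipsec transform-set (\S+) "),
    "dynamic-map": re.compile(r"^crypto dynamic-map (\S+) \d+ "),
}
REFS = {  # object kind -> command that references it
    "acl": re.compile(r"^split-tunnel-network-list value (\S+)$"),
    "pool": re.compile(r"^address-pool (\S+)$"),
    "group-policy": re.compile(r"^default-group-policy (\S+)$"),
    "transform-set": re.compile(r"set transform-set (\S+)$"),
    "dynamic-map": re.compile(r"ipsec-isakmp dynamic (\S+)$"),
}

def strip_prompt(line):
    """Remove the 'ciscoasa(config...)# ' prompt and any '//' comment."""
    line = re.sub(r"^\S*\(config[^)]*\)#\s*", "", line.strip())
    return line.split("//")[0].strip()

def dangling_references(config_text):
    """Return (kind, name) pairs that are referenced but never defined."""
    lines = [strip_prompt(l) for l in config_text.splitlines()]
    defined = {kind: set() for kind in DEFS}
    for line in lines:
        for kind, pat in DEFS.items():
            if (m := pat.match(line)):
                defined[kind].add(m.group(1))
    return [(kind, m.group(1)) for line in lines
            for kind, pat in REFS.items()
            if (m := pat.search(line)) and m.group(1) not in defined[kind]]

# Constructed sample: the lab's crypto section, with the transform-set
# reference misspelled the way an easy-to-miss typo leaves it.
SAMPLE = """
ciscoasa(config)# access-list vpn_acl extended permit ip any any
ciscoasa(config)# ip local pool vpn_pool 192.168.210.10-192.168.210.200
ciscoasa(config)# group-policy vpn_group internal
ciscoasa(config-group-policy)# split-tunnel-network-list value vpn_acl
ciscoasa(config-tunnel-general)# address-pool vpn_pool
ciscoasa(config-tunnel-general)# default-group-policy vpn_group
ciscoasa(config)# crypto ipsec transform-set benet esp-3des esp-sha-hmac
ciscoasa(config)# crypto dynamic-map benet_dymap 1 set transform-set benet_group
ciscoasa(config)# crypto map benet_map 1000 ipsec-isakmp dynamic benet_dymap
"""
print(dangling_references(SAMPLE))  # [('transform-set', 'benet_group')]
```

Paste a real `show running-config` section in place of SAMPLE to run the same check before applying the crypto map to the interface.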