CISCO LAN TO LAN VPN Configuration

Objectives of this lab:

1. Establish a pre-shared-key authenticated LAN-to-LAN VPN between the ASA and R1

2. Encrypt the traffic from 172.16.2.0/24 to 172.16.1.0/24

3. At the same time, allow the 172.16.2.0/24 segment to reach the Internet

4. At the same time, allow the 172.16.1.0/24 segment to reach the Internet

Routing requirements:

ASA: route outside 0.0.0.0 0.0.0.0 202.1.1.10

R1: ip route 0.0.0.0 0.0.0.0 201.1.1.10

Configure the ASA:

Phase 1 policy:

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2

Define the authentication key as cisco:

crypto isakmp key cisco address 201.1.1.1

Or use the second method:

tunnel-group 201.1.1.1 type ipsec-l2l
tunnel-group 201.1.1.1 ipsec-attributes
 pre-shared-key cisco

Phase 2 policy:

crypto ipsec transform-set myset esp-des esp-md5-hmac

Define the interesting traffic:

access-list vpn permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0

Define the crypto map:

crypto map mymap 10 match address vpn
crypto map mymap 10 set peer 201.1.1.1
crypto map mymap 10 set transform-set myset

Apply the crypto map to the outside interface:

crypto map mymap interface outside

Configure PAT so that 172.16.2.0/24 can reach the Internet (nat 0 with the nonat list exempts the VPN traffic from PAT so it still matches the crypto ACL):

access-list nonat extended permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 172.16.2.0 255.255.255.0

Configure R1:

crypto isakmp policy 10
 hash md5
 encryption des
 authentication pre-share
 group 2
crypto isakmp key cisco address 202.1.1.1
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 202.1.1.1
 set transform-set myset
 match address 100
interface e0/0
 ip address 201.1.1.1 255.255.255.0
 ip nat outside
 crypto map mymap
interface e0/1
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
ip nat inside source list for.nat interface e0/0 overload
ip route 0.0.0.0 0.0.0.0 201.1.1.10
ip access-list extended for.nat
 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
 permit ip 172.16.1.0 0.0.0.255 any
access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
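The two configurations above only bring the tunnel up if the crypto ACLs are exact mirrors of each other (the proxy IDs must agree) and if the NAT-exemption entries on each side cover exactly the same traffic as the crypto ACL. The following Python script is an added example, not part of the original lab, that parses the ACL lines from this page (ASA subnet-mask form and IOS wildcard form) and performs both checks; the sample lines are copied from the configurations above and the helper names are my own.

```python
import ipaddress
import re

# Sample ACL entries taken from the ASA and R1 configurations on this page.
ASA_CRYPTO_ACL = "access-list vpn permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0"
ASA_NONAT_ACL = "access-list nonat extended permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0"
IOS_CRYPTO_ACL = "access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255"
IOS_NAT_DENY = "deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255"

# Matches "permit|deny ip <src> <mask> <dst> <mask>" anywhere in an ACL line.
_ACE = re.compile(r"(permit|deny)\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def _to_network(addr, mask, wildcard):
    """Build an IPv4Network from an address/mask pair.

    ASA ACLs use subnet masks (255.255.255.0); IOS ACLs use wildcard masks
    (0.0.0.255), which are the bitwise inverse of the subnet mask."""
    if wildcard:
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_ace(line, wildcard):
    """Return (action, src_net, dst_net) for one 'permit/deny ip A M B N' entry."""
    m = _ACE.search(line)
    if not m:
        raise ValueError(f"unsupported ACE: {line}")
    action, src, smask, dst, dmask = m.groups()
    return action, _to_network(src, smask, wildcard), _to_network(dst, dmask, wildcard)


def is_mirror(asa_ace, ios_ace):
    """True if the IOS crypto ACL is the exact mirror of the ASA crypto ACL."""
    _, a_src, a_dst = parse_ace(asa_ace, wildcard=False)
    _, i_src, i_dst = parse_ace(ios_ace, wildcard=True)
    return (a_src, a_dst) == (i_dst, i_src)


def nat_exempt_matches(crypto_ace, nat_ace, wildcard):
    """True if the NAT-exemption entry covers exactly the crypto ACL's traffic."""
    _, c_src, c_dst = parse_ace(crypto_ace, wildcard)
    _, n_src, n_dst = parse_ace(nat_ace, wildcard)
    return (c_src, c_dst) == (n_src, n_dst)


if __name__ == "__main__":
    print("crypto ACLs mirror each other:", is_mirror(ASA_CRYPTO_ACL, IOS_CRYPTO_ACL))
    print("ASA nonat matches crypto ACL:", nat_exempt_matches(ASA_CRYPTO_ACL, ASA_NONAT_ACL, False))
    print("R1 for.nat deny matches crypto ACL:", nat_exempt_matches(IOS_CRYPTO_ACL, IOS_NAT_DENY, True))
```

A mismatch in either check is the usual cause of a phase 2 "proxy identities not supported" failure or of VPN traffic being translated by PAT and never hitting the crypto map.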
