需求:某公司使用全網互聯拓撲,使每一個站點分別擁有去往相應IPSec對等體的IPSec隧道。同時使用RRI,經過OSPF將遠端網絡信息發佈到本地芝加哥網絡中。
Chicago ASA:
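Chicago#show running
!
hostname Chicago
!outside interface GigabitEthernet0/0 (IPsec peer endpoint, lowest trust)
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 209.165.200.225 255.255.255.224
!inside interface GigabitEthernet0/1 (protected LAN 192.168.1.0/24)
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!management interface mgmt (ASDM/HTTP access only, see the "http" lines below)
!consider adding "management-only" so this interface never forwards through-traffic
interface Management0/0
nameif mgmt
security-level 100
ip address 172.18.82.64 255.255.255.0
!NAT Exempt Access-list to bypass traffic from 192.168.1.0/24 to 10.10.1.0/24
!every extended ACE needs a protocol keyword ("ip"); the original entries omitted it
access-list inside_nat0_outbound remark to bypass 192.168.1.0/24 to 10.10.1.0/24
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0
!NAT Exempt Access-list to bypass traffic from 192.168.1.0/24 to 172.16.1.0/24
access-list inside_nat0_outbound remark to bypass 192.168.1.0/24 to 172.16.1.0/24
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
!NAT exemption only takes effect once the ACL is bound to the inside interface (missing in the original)
nat (inside) 0 access-list inside_nat0_outbound
!encryption access-list to encrypt the traffic from 192.168.1.0/24 to 10.10.1.0/24
!each crypto ACL must be the exact mirror of the peer's crypto ACL (same two networks, reversed)
access-list outside_cryptomap_1 remark to encrypt traffic from 192.168.1.0/24 to 10.10.1.0/24
access-list outside_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0
!encryption access-list to encrypt the traffic from 192.168.1.0/24 to 172.16.1.0/24
access-list outside_cryptomap_2 remark to encrypt traffic from 192.168.1.0/24 to 172.16.1.0/24
access-list outside_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 209.165.200.227 1
!OSPF process: the RRI static routes created by "set reverse-route" below are redistributed into the inside LAN
!"subnets" is required so the /24 remote networks (not classful) are actually redistributed
router ospf 100
network 192.168.0.0 255.255.0.0 area 0
redistribute static subnets
!
!ASDM/HTTPS management restricted to the mgmt subnet only
http server enable
http 172.18.82.0 255.255.255.0 mgmt
!Transform set to specify encryption and hashing algorithm
crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac
!Crypto map configuration for NewYork ASA (peer must match the tunnel-group name below)
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 209.165.201.1
crypto map outside_map 1 set transform-set AES-SHA
!RRI: installs a static route for the remote network when the SA comes up (picked up by OSPF above)
crypto map outside_map 1 set reverse-route
!Crypto map configuration for London ASA
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer 209.165.202.129
crypto map outside_map 2 set transform-set AES-SHA
crypto map outside_map 2 set reverse-route
crypto map outside_map interface outside
!isakmp configure: IKEv1 must be enabled on the named interface
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
!"encryption" takes a cipher name, not an authentication method; aligned with the AES-256 transform set
encryption aes-256
hash sha
!group 5 (1536-bit MODP) is below current guidance; prefer group 14 or higher where the platform supports it
group 5
lifetime 86400
!L2L tunnel-group configuration for New York ASA (address fixed: the original had 209.168.201.1 on the "type" line)
tunnel-group 209.165.201.1 type ipsec-l2l
tunnel-group 209.165.201.1 ipsec-attributes
!placeholder: a unique, high-entropy key per peer, identical on both ends; never share one key across all peers
pre-shared-key <PSK-CHICAGO-NEWYORK>
!L2L tunnel-group configuration for London ASA
tunnel-group 209.165.202.129 type ipsec-l2l
tunnel-group 209.165.202.129 ipsec-attributes
pre-shared-key <PSK-CHICAGO-LONDON>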
|
New York ASA:
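NewYork#show running
!
hostname NewYork
!outside interface GigabitEthernet0/0 (IPsec peer endpoint, lowest trust)
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 209.165.201.1 255.255.255.224
!inside interface GigabitEthernet0/1 (protected LAN 10.10.1.0/24)
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.10.1.1 255.255.255.0
!management interface mgmt (ASDM/HTTP access only, see the "http" lines below)
!consider adding "management-only" so this interface never forwards through-traffic
interface Management0/0
nameif mgmt
security-level 100
ip address 172.18.101.164 255.255.255.0
!NAT Exempt Access-list to bypass traffic from 10.10.1.0/24 to 192.168.1.0/24
!every extended ACE needs a protocol keyword ("ip"); the original entries omitted it
access-list inside_nat0_outbound remark to bypass 10.10.1.0/24 to 192.168.1.0/24
access-list inside_nat0_outbound extended permit ip 10.10.1.0 255.255.255.0 192.168.1.0 255.255.255.0
!NAT Exempt Access-list to bypass traffic from 10.10.1.0/24 to 172.16.1.0/24
access-list inside_nat0_outbound remark to bypass 10.10.1.0/24 to 172.16.1.0/24
access-list inside_nat0_outbound extended permit ip 10.10.1.0 255.255.255.0 172.16.1.0 255.255.255.0
!NAT exemption only takes effect once the ACL is bound to the inside interface (missing in the original)
nat (inside) 0 access-list inside_nat0_outbound
!encryption access-list to encrypt the traffic from 10.10.1.0/24 to 192.168.1.0/24
!remarks corrected to describe this ASA's direction; each crypto ACL mirrors the peer's exactly
access-list outside_cryptomap_1 remark to encrypt traffic from 10.10.1.0/24 to 192.168.1.0/24
access-list outside_cryptomap_1 extended permit ip 10.10.1.0 255.255.255.0 192.168.1.0 255.255.255.0
!encryption access-list to encrypt the traffic from 10.10.1.0/24 to 172.16.1.0/24
access-list outside_cryptomap_2 remark to encrypt traffic from 10.10.1.0/24 to 172.16.1.0/24
access-list outside_cryptomap_2 extended permit ip 10.10.1.0 255.255.255.0 172.16.1.0 255.255.255.0
!
!placeholder: the original next hop was 209.165.201.1, this ASA's own outside address, which is not a valid gateway
route outside 0.0.0.0 0.0.0.0 <NEWYORK-UPSTREAM-GATEWAY> 1
!
!ASDM/HTTPS management restricted to the mgmt subnet only
http server enable
http 172.18.101.0 255.255.255.0 mgmt
!Transform set to specify encryption and hashing algorithm
crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac
!Crypto map configuration for Chicago ASA (peer must match the tunnel-group name below)
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 209.165.200.225
crypto map outside_map 1 set transform-set AES-SHA
!Crypto map configuration for London ASA
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer 209.165.202.129
crypto map outside_map 2 set transform-set AES-SHA
crypto map outside_map interface outside
!isakmp configure: IKEv1 must be enabled on the named interface
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
!"encryption" takes a cipher name, not an authentication method; aligned with the AES-256 transform set
encryption aes-256
hash sha
!group 5 (1536-bit MODP) is below current guidance; prefer group 14 or higher where the platform supports it
group 5
lifetime 86400
!L2L tunnel-group configuration for Chicago ASA
tunnel-group 209.165.200.225 type ipsec-l2l
tunnel-group 209.165.200.225 ipsec-attributes
!placeholder: a unique, high-entropy key per peer, identical on both ends; never share one key across all peers
pre-shared-key <PSK-CHICAGO-NEWYORK>
!L2L tunnel-group configuration for London ASA
tunnel-group 209.165.202.129 type ipsec-l2l
tunnel-group 209.165.202.129 ipsec-attributes
pre-shared-key <PSK-NEWYORK-LONDON>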
|
London ASA:
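London#show running
!
hostname London
!outside interface GigabitEthernet0/0 (IPsec peer endpoint, lowest trust)
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 209.165.202.129 255.255.255.224
!inside interface GigabitEthernet0/1 (protected LAN 172.16.1.0/24)
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!management interface mgmt (ASDM/HTTP access only, see the "http" lines below)
!consider adding "management-only" so this interface never forwards through-traffic
interface Management0/0
nameif mgmt
security-level 100
ip address 172.18.200.164 255.255.255.0
!NAT Exempt Access-list to bypass traffic from 172.16.1.0/24 to 192.168.1.0/24
!every extended ACE needs a protocol keyword ("ip"); the original entries omitted it
access-list inside_nat0_outbound remark to bypass 172.16.1.0/24 to 192.168.1.0/24
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
!NAT Exempt Access-list to bypass traffic from 172.16.1.0/24 to 10.10.1.0/24
access-list inside_nat0_outbound remark to bypass 172.16.1.0/24 to 10.10.1.0/24
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 10.10.1.0 255.255.255.0
!NAT exemption only takes effect once the ACL is bound to the inside interface (missing in the original)
nat (inside) 0 access-list inside_nat0_outbound
!encryption access-list to encrypt the traffic from 172.16.1.0/24 to 192.168.1.0/24
!each crypto ACL must be the exact mirror of the peer's crypto ACL (same two networks, reversed)
access-list outside_cryptomap_1 remark to encrypt traffic from 172.16.1.0/24 to 192.168.1.0/24
access-list outside_cryptomap_1 extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
!encryption access-list to encrypt the traffic from 172.16.1.0/24 to 10.10.1.0/24
access-list outside_cryptomap_2 remark to encrypt traffic from 172.16.1.0/24 to 10.10.1.0/24
access-list outside_cryptomap_2 extended permit ip 172.16.1.0 255.255.255.0 10.10.1.0 255.255.255.0
!
!placeholder: the original next hop was 209.165.202.129, this ASA's own outside address, which is not a valid gateway
route outside 0.0.0.0 0.0.0.0 <LONDON-UPSTREAM-GATEWAY> 1
!
!ASDM/HTTPS management restricted to the mgmt subnet only
http server enable
http 172.18.200.0 255.255.255.0 mgmt
!Transform set to specify encryption and hashing algorithm
crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac
!Crypto map configuration for Chicago ASA (peer must match the tunnel-group name below)
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 209.165.200.225
crypto map outside_map 1 set transform-set AES-SHA
!Crypto map configuration for New York ASA
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer 209.165.201.1
crypto map outside_map 2 set transform-set AES-SHA
crypto map outside_map interface outside
!isakmp configure: IKEv1 must be enabled on the named interface
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
!"encryption" takes a cipher name, not an authentication method; aligned with the AES-256 transform set
encryption aes-256
hash sha
!group 5 (1536-bit MODP) is below current guidance; prefer group 14 or higher where the platform supports it
group 5
lifetime 86400
!L2L tunnel-group configuration for Chicago ASA
tunnel-group 209.165.200.225 type ipsec-l2l
tunnel-group 209.165.200.225 ipsec-attributes
!placeholder: a unique, high-entropy key per peer, identical on both ends; never share one key across all peers
pre-shared-key <PSK-CHICAGO-LONDON>
!L2L tunnel-group configuration for New York ASA
tunnel-group 209.165.201.1 type ipsec-l2l
tunnel-group 209.165.201.1 ipsec-attributes
pre-shared-key <PSK-NEWYORK-LONDON>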