Site-to-Site IPsec VPN

PC1-----asash------Internet------asawh-----PC2
asawh configuration
1. asawh interface configuration
 interface GigabitEthernet0/0
 no sh
 security-level 0
 nameif Outside
 ip address 119.97.225.246 255.255.255.252
 exit
 interface GigabitEthernet0/1
 no sh
 security-level 100
 nameif Inside
 ip address 192.168.102.1 255.255.255.0
2. Route configuration
  route Outside 0.0.0.0 0.0.0.0 119.97.225.245
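3. Internet interface configuration
  The Internet device needs no routes to the internal networks; configuring its interfaces is enough.
4. asash configuration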
 interface GigabitEthernet0/0
 no sh
 security-level 0
 nameif Outside
 ip address 112.99.225.246 255.255.255.252
 exit
 interface GigabitEthernet0/1
 no sh
 security-level 100
 nameif Inside
 ip address 192.168.201.1 255.255.255.0
5. Route configuration
  route Outside 0.0.0.0 0.0.0.0 112.99.225.245
6. asawh IPsec VPN configuration
 crypto isakmp policy 10
 encryption des
 hash sha
 authentication pre-share ---authentication method
 group 2 ---key algorithm (Diffie-Hellman group 2), 1024-bit
 lifetime 86400
 exit
 isakmp key my*** address 112.99.225.246 ---defines the authentication key
 crypto ipsec transform-set myset esp-des esp-md5-hmac
 crypto map newmap 2 match address 110
 crypto map newmap 2 set pfs
 crypto map newmap 2 set peer 112.99.225.246
 crypto map newmap 2 set transform-set myset
 crypto map newmap interface Outside
 crypto isakmp enable Outside
 
7. asash IPsec VPN configuration
 crypto isakmp policy 10
 encryption des
 hash sha
 authentication pre-share ---authentication method
 group 2 ---key algorithm (Diffie-Hellman group 2), 1024-bit
 lifetime 86400
 exit
 isakmp key my*** address 119.97.225.246 ---defines the authentication key
 crypto ipsec transform-set myset esp-des esp-md5-hmac
 crypto map newmap 2 match address 110
 crypto map newmap 2 set pfs
 crypto map newmap 2 set peer 119.97.225.246
 crypto map newmap 2 set transform-set myset
 crypto map newmap interface Outside
 crypto isakmp enable Outside
8. Define the traffic
 asawh internal network to asash internal network
 access-list 110 extended permit ip 192.168.102.0 255.255.255.0 192.168.201.0 255.255.255.0
 asash internal network to asawh internal network
 access-list 110 extended permit ip 192.168.201.0 255.255.255.0 192.168.102.0 255.255.255.0
Note: where NAT is configured, the VPN traffic must bypass NAT: nat (Inside)
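
The tunnel above negotiates DES, HMAC-MD5 and a 1024-bit DH group, and it only encrypts traffic that matches the crypto ACL. The following Python auditor is an added example, not part of the original page: it flags those weak IKE/ESP parameters and a crypto ACL whose source is not the Inside subnet. The names `audit`, `WEAK_IKE` and `WEAK_ESP` are hypothetical, the sample config is constructed, and the input is assumed to use `show running-config` indentation with ACL entries in network/mask form.

```python
import ipaddress

# Constructed sample in the style of this page's asawh config; rule tables are illustrative.
SAMPLE = """\
interface GigabitEthernet0/1
 nameif Inside
 ip address 192.168.102.1 255.255.255.0
crypto isakmp policy 10
 encryption des
 hash sha
 group 2
crypto ipsec transform-set myset esp-des esp-md5-hmac
access-list 110 extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map newmap 2 match address 110
"""

WEAK_IKE = {("encryption", "des"): "single DES, 56-bit key", ("hash", "md5"): "MD5 hash",
            ("group", "1"): "768-bit DH group", ("group", "2"): "1024-bit DH group"}
WEAK_ESP = {"esp-des": "single DES, 56-bit key", "esp-md5-hmac": "HMAC-MD5 integrity"}

def audit(config):
    """Return findings for weak IKE/ESP settings and crypto ACL mismatches."""
    findings, section, nameif, inside = [], "", None, None
    acl_sources, matched = {}, []
    for raw in filter(str.strip, config.splitlines()):
        w = raw.split()
        if not raw[0].isspace():  # unindented line starts a new section
            section, nameif = raw.strip(), None
        if section.startswith("crypto isakmp policy") and tuple(w[:2]) in WEAK_IKE:
            findings.append(f"{section}: {WEAK_IKE[tuple(w[:2])]}")
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            findings += [f"transform-set {w[3]}: {WEAK_ESP[t]}" for t in w[4:] if t in WEAK_ESP]
        elif w[0] == "nameif":
            nameif = w[1]
        elif w[:2] == ["ip", "address"] and nameif == "Inside":
            inside = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
        elif w[0] == "access-list" and w[2:5] == ["extended", "permit", "ip"]:
            # Assumes "network mask" operands, as in the ACLs on this page.
            acl_sources.setdefault(w[1], []).append(ipaddress.ip_network(f"{w[5]}/{w[6]}"))
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["match", "address"]:
            matched.append(w[6])
    for acl in matched:  # only ACLs actually bound to a crypto map are checked
        for src in acl_sources.get(acl, []):
            if inside and not src.overlaps(inside):
                findings.append(f"access-list {acl}: source {src} is not in Inside subnet {inside}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run it against a saved running-config from each ASA; an empty result means none of the checked weaknesses were found, not that the tunnel is otherwise sound.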