Chicago ASA:
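Chicago# show running
!
hostname Chicago
! Outside interface: security-level 0 (least trusted); the tunnel terminates here
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.165.200.225 255.255.255.224
! Inside interface: security-level 100, local protected network 192.168.1.0/24
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
! Management interface
! NOTE(review): the listing had a stray "|" after nameif; if a line was lost there
! (for example management-only), it cannot be recovered from this page.
interface Management0/0
 nameif mgmt
 security-level 100
 ip address 172.18.82.64 255.255.255.0
! NAT-exempt access list: traffic from 192.168.1.0/24 to 10.10.1.0/24 bypasses NAT
! so that it still matches the crypto access list below.
! The protocol keyword (ip) was missing from the permit line in the listing.
access-list inside_nat0_outbound remark To Bypass NAT from 192.168.1.0/24 to 10.10.1.0/24
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
! Encryption access list: selects the traffic from 192.168.1.0/24 to 10.10.1.0/24
! to be protected. It must mirror the New York peer's list (source and destination swapped).
access-list outside_cryptmap_1 remark To Encrypt Traffic from 192.168.1.0/24 to 10.10.1.0/24
access-list outside_cryptmap_1 extended permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 209.165.200.231 1
!
! HTTPS/ASDM management access, limited to the management subnet on the mgmt interface
http server enable
http 172.18.82.0 255.255.255.0 mgmt
! Transform set: ESP with AES-256 encryption and HMAC-SHA-1 integrity
! (keyword is transform-set; the listing printed "transform")
crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac
! Crypto map configuration
! The match/set entries take a sequence number after the map name; the listing
! omitted it, so 1 is supplied here by this review.
! The match address now names the access list defined above (outside_cryptmap_1);
! the listing referenced outside_cryptomap_1, which is not defined anywhere in it.
! The peer is New York's outside address after PAT.
crypto map outside_map_1 1 match address outside_cryptmap_1
crypto map outside_map_1 1 set peer 209.165.201.1
crypto map outside_map_1 1 set transform-set AES-SHA
crypto map outside_map_1 interface outside
! ISAKMP (IKEv1 phase 1) configuration; every value must match the peer's policy
! hash sha is SHA-1 and group 5 is 1536-bit MODP, both legacy choices. Where the
! software release supports it, prefer IKEv2 with SHA-2 and a larger DH group,
! and change both peers together.
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
! NAT-T: required because the New York peer sits behind PAT; 50 is the keepalive interval in seconds
crypto isakmp nat-traversal 50
! L2L tunnel-group configuration, named after the peer's address
! cisco123 is the sample key of this listing and must be identical on both peers.
! A deployed tunnel needs a long, randomly generated key; real show running
! output masks the key as "*".
tunnel-group 209.165.201.1 type ipsec-l2l
tunnel-group 209.165.201.1 ipsec-attributes
 pre-shared-key cisco123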
New York ASA:
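NewYork# show running
!
hostname NewYork
! Outside interface: security-level 0 (least trusted).
! The outside address 10.10.10.1 is translated to 209.165.201.1 by PAT upstream,
! so the Chicago peer addresses this device as 209.165.201.1.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.10.10.1 255.255.255.0
! Inside interface: security-level 100, local protected network 10.10.1.0/24
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.255.0
! Management interface
! NOTE(review): the listing had a stray "|" after nameif; if a line was lost there
! (for example management-only), it cannot be recovered from this page.
interface Management0/0
 nameif mgmt
 security-level 100
 ip address 172.18.101.164 255.255.255.0
! NAT-exempt access list: traffic from 10.10.1.0/24 to 192.168.1.0/24 bypasses NAT
! so that it still matches the crypto access list below.
! The protocol keyword (ip) was missing from the permit line in the listing.
access-list inside_nat0_outbound remark To Bypass NAT from 10.10.1.0/24 to 192.168.1.0/24
access-list inside_nat0_outbound extended permit ip 10.10.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
! Encryption access list: selects the traffic from 10.10.1.0/24 to 192.168.1.0/24
! to be protected. It must mirror the Chicago peer's list (source and destination swapped).
access-list outside_cryptmap_1 remark To Encrypt Traffic from 10.10.1.0/24 to 192.168.1.0/24
access-list outside_cryptmap_1 extended permit ip 10.10.1.0 255.255.255.0 192.168.1.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 10.10.10.2 1
!
! HTTPS/ASDM management access, limited to the management subnet on the mgmt interface
http server enable
http 172.18.101.0 255.255.255.0 mgmt
! Transform set: ESP with AES-256 encryption and HMAC-SHA-1 integrity
! (keyword is transform-set; the listing printed "transform")
crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac
! Crypto map configuration
! The match/set entries take a sequence number after the map name; the listing
! omitted it, so 1 is supplied here by this review.
! The match address now names the access list defined above (outside_cryptmap_1);
! the listing referenced outside_cryptomap_1, which is not defined anywhere in it.
! The peer is Chicago's outside address.
crypto map outside_map_1 1 match address outside_cryptmap_1
crypto map outside_map_1 1 set peer 209.165.200.225
crypto map outside_map_1 1 set transform-set AES-SHA
crypto map outside_map_1 interface outside
! ISAKMP (IKEv1 phase 1) configuration; every value must match the peer's policy
! hash sha is SHA-1 and group 5 is 1536-bit MODP, both legacy choices. Where the
! software release supports it, prefer IKEv2 with SHA-2 and a larger DH group,
! and change both peers together.
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
! NAT-T: required because this device's outside address is translated by PAT;
! 50 is the keepalive interval in seconds
crypto isakmp nat-traversal 50
! L2L tunnel-group configuration, named after the peer's address
! cisco123 is the sample key of this listing and must be identical on both peers.
! A deployed tunnel needs a long, randomly generated key; real show running
! output masks the key as "*".
tunnel-group 209.165.200.225 type ipsec-l2l
tunnel-group 209.165.200.225 ipsec-attributes
 pre-shared-key cisco123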