Cisco ASA: configuring an IKEv1 IPsec site-to-site tunnel from the CLI (worked example)
ASA v9.14 firewall configuration commands:
int g0/0
ip add 202.100.1.254 255.255.255.0
nameif outside
no shut
int g0/1
ip add 172.16.10.254 255.255.255.0
nameif inside
no shut
exit
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
exit
tunnel-group 137.78.10.1 type ipsec-l2l
tunnel-group 137.78.10.1 ipsec-attributes
ikev1 pre-shared-key cisco
exit
For an IKEv1 L2L tunnel with pre-shared keys the tunnel-group name must be the peer's IP address, which is why 137.78.10.1 appears here and again as the crypto map peer. The key cisco is a lab value; in production use a long random pre-shared key (or certificates).
object network 172.16.10.0_24
subnet 172.16.10.0 255.255.255.0
exit
object network 172.16.30.0_24
subnet 172.16.30.0 255.255.255.0
exit
access-list 100 extended permit ip object 172.16.10.0_24 object 172.16.30.0_24
crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
crypto map mymap 20 match address 100
crypto map mymap 20 set peer 137.78.10.1
crypto map mymap 20 set ikev1 transform-set myset
crypto map mymap 20 set pfs group2
crypto map mymap interface outside
route outside 0 0 202.100.1.1
fixup protocol icmp
fixup protocol icmp is the legacy form of ICMP inspection (on ASA 9.x it is converted to inspect icmp in the global policy); it lets echo replies come back through the firewall so that ping can be used to bring the tunnel up and test it.
NAT exemption (identity NAT) decides which traffic is not translated: the VPN traffic must keep its real source and destination addresses, otherwise it will no longer match crypto ACL 100 after translation. no-proxy-arp disables proxy ARP for the mapped addresses, and route-lookup makes the ASA choose the egress interface from the routing table instead of from the NAT rule.
nat (inside,outside) source static 172.16.10.0_24 172.16.10.0_24 destination static 172.16.30.0_24 172.16.30.0_24 no-proxy-arp route-lookup
Normal NAT (dynamic PAT to the outside interface address) for all other traffic:
nat (inside,outside) source dynamic 172.16.10.0_24 interface
Note: the NAT exemption rule must be entered before the normal NAT rule. Manual NAT rules are evaluated top-down and the first match wins, and the crypto ACL is checked against the translated packet; if the dynamic PAT rule came first it would also match the VPN traffic, the inside source would be rewritten to 202.100.1.254, and the packet would never be encrypted.
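To make the ordering rule concrete, here is an added example (my own Python, not part of the original page) that simulates the ASA's top-down, first-match evaluation of the two manual NAT rules and then checks the translated packet against crypto ACL 100. The addresses are the lab addresses from the page; the rule names and function names are my own.

```python
# Added example, not code from the original page: simulate the ASA's top-down,
# first-match evaluation of manual NAT and then match the translated packet
# against crypto ACL 100.  Lab addresses are the page's; names are my own.
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
INSIDE = ipaddress.ip_network("172.16.10.0/24")   # object 172.16.10.0_24
REMOTE = ipaddress.ip_network("172.16.30.0/24")   # object 172.16.30.0_24
OUTSIDE_IP = "202.100.1.254"                      # ASA outside address used by PAT

# (rule name, source match, destination match, translated source; None = identity)
EXEMPT = ("exempt", INSIDE, REMOTE, None)  # nat ... source static ... destination static ...
PAT = ("pat", INSIDE, ANY, OUTSIDE_IP)     # nat (inside,outside) source dynamic ... interface


def apply_nat(rules, src, dst):
    """Walk the manual NAT rules in order; return (post-NAT source, matched rule)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, src_net, dst_net, xlate in rules:
        if s in src_net and d in dst_net:
            return (xlate or src), name
    return src, None  # no manual rule matched: sent untranslated


def matches_crypto_acl(src, dst):
    """access-list 100 is evaluated against the packet after NAT."""
    return ipaddress.ip_address(src) in INSIDE and ipaddress.ip_address(dst) in REMOTE


def send(rules, src, dst):
    """Return (post-NAT source, rule that matched, whether the packet is encrypted)."""
    new_src, rule = apply_nat(rules, src, dst)
    return new_src, rule, matches_crypto_acl(new_src, dst)


if __name__ == "__main__":
    for label, rules in (("exemption first", [EXEMPT, PAT]), ("PAT first", [PAT, EXEMPT])):
        print(label, send(rules, "172.16.10.1", "172.16.30.1"), send(rules, "172.16.10.1", "8.8.8.8"))
```

With the exemption first, a packet from 172.16.10.1 to 172.16.30.1 keeps its source and is encrypted; with the PAT rule first, the same packet leaves as 202.100.1.254 and is sent in the clear to the Internet. Traffic to any other destination is PATed in both orders.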
Router configuration commands:
int g0/0
ip add 172.16.30.254 255.255.255.0
no shut
int g0/1
ip add 137.78.10.1 255.255.255.0
no shut
exit
ip route 0.0.0.0 0.0.0.0 137.78.10.2
crypto isakmp policy 1
encryption aes
group 2
hash sha
authentication pre-share
exit
crypto isakmp key cisco address 202.100.1.254
crypto ipsec transform-set myset esp-aes esp-sha-hmac
exit
access-list 100 permit ip 172.16.30.0 0.0.0.255 172.16.10.0 0.0.0.255
crypto map mymap 1 ipsec-isakmp
set peer 202.100.1.254
match address 100
set transform-set myset
set pfs group2
exit
int g0/1
crypto map mymap
exit
NAT is configured on the router at the same time; the traffic that should go through the VPN must be excluded from translation (denied in the NAT ACL), because on IOS inside-to-outside NAT happens before the crypto map is checked and translated packets would no longer match ACL 100:
access-list 110 deny ip 172.16.30.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 110 permit ip 172.16.30.0 0.0.0.255 any
ip nat inside source list 110 interface g0/1 overload
The interfaces must also be given their NAT roles, otherwise the ip nat inside source rule is never applied:
int g0/0
ip nat inside
int g0/1
ip nat outside
exit
Troubleshooting summary:
Phase 1 SA not established (show crypto isakmp sa; on the ASA also show crypto ikev1 sa):
Is the crypto map applied to the correct interface, and on the ASA is IKEv1 enabled on that interface (crypto ikev1 enable outside)?
Is there interesting traffic matching the crypto ACL to trigger the negotiation?
Is a pre-shared key configured for the peer, and is it identical on both sides (ASA: tunnel-group name and key; router: crypto isakmp key ... address)?
Do the two ISAKMP policies share a proposal (encryption, hash, DH group, authentication)?
Phase 2 SA not established (show crypto ipsec sa):
Are the crypto ACLs mirror images of each other?
Do the transform sets and the PFS group match on both sides?
Is the configured peer address the other side's actual tunnel endpoint?
Is the crypto map applied to the correct interface?
Both SAs established but traffic does not pass:
Usually caused by ACL misconfiguration; check that the crypto ACL and the NAT exemption cover the right subnets. The #pkts encaps/decaps counters in show crypto ipsec sa show which direction is failing: packets encapsulated but none decapsulated means the return traffic is not being sent, or is being dropped, on the way back.
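As an added example (my own Python, not the page's), a script that parses the IKE and IPsec lines of the two configurations above and compares the items in this checklist: phase-1 policy, pre-shared key, peer addresses, transform set, PFS group and mirrored crypto ACLs. The embedded config text is the relevant subset of the page's configs; the parsing is deliberately minimal and the function names are my own.

```python
# Added example, not code from the original page: parse the IKE/IPsec lines of
# the two configs above and compare what the troubleshooting list says must
# match.  Config text is the relevant subset of the page's configs.
import ipaddress
import re

ASA_CFG = """\
int g0/0
ip add 202.100.1.254 255.255.255.0
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
tunnel-group 137.78.10.1 type ipsec-l2l
tunnel-group 137.78.10.1 ipsec-attributes
 ikev1 pre-shared-key cisco
object network 172.16.10.0_24
 subnet 172.16.10.0 255.255.255.0
object network 172.16.30.0_24
 subnet 172.16.30.0 255.255.255.0
access-list 100 extended permit ip object 172.16.10.0_24 object 172.16.30.0_24
crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
crypto map mymap 20 match address 100
crypto map mymap 20 set peer 137.78.10.1
crypto map mymap 20 set ikev1 transform-set myset
crypto map mymap 20 set pfs group2
"""

IOS_CFG = """\
int g0/1
 ip add 137.78.10.1 255.255.255.0
crypto isakmp policy 1
 encryption aes
 group 2
 hash sha
 authentication pre-share
crypto isakmp key cisco address 202.100.1.254
crypto ipsec transform-set myset esp-aes esp-sha-hmac
access-list 100 permit ip 172.16.30.0 0.0.0.255 172.16.10.0 0.0.0.255
crypto map mymap 1 ipsec-isakmp
 set peer 202.100.1.254
 match address 100
 set transform-set myset
 set pfs group2
"""

def _find(pattern, text):
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def parse_common(text):
    # Phase-1 lifetime is deliberately not compared: IKEv1 peers settle on the shorter one.
    return {
        "phase1": dict(re.findall(r"^\s*(authentication|encryption|hash|group)\s+(\S+)", text, re.M)),
        "peer": _find(r"set peer (\S+)", text),
        "transform": _find(r"^\s*crypto ipsec (?:ikev1 )?transform-set \S+ (.+)$", text),
        "pfs": _find(r"set pfs (\S+)", text),
        "acl": _find(r"match address (\S+)", text),
        "ifaces": set(re.findall(r"^\s*ip add(?:ress)? (\S+) \S+", text, re.M)),
    }

def parse_asa(text):
    d = parse_common(text)
    d["psk"] = _find(r"ikev1 pre-shared-key (\S+)", text)
    d["tunnel_group"] = _find(r"tunnel-group (\S+) type ipsec-l2l", text)
    objs = {n: ipaddress.ip_network(f"{a}/{m}") for n, a, m in
            re.findall(r"object network (\S+)\n\s*subnet (\S+) (\S+)", text)}
    src, dst = re.search(rf"^access-list {d['acl']} extended permit ip object (\S+) object (\S+)",
                         text, re.M).groups()
    d["nets"] = (objs[src], objs[dst])
    return d

def parse_ios(text):
    d = parse_common(text)
    d["psk"], d["key_addr"] = re.search(r"crypto isakmp key (\S+) address (\S+)", text).groups()
    s, sw, t, tw = re.search(rf"^access-list {d['acl']} permit ip (\S+) (\S+) (\S+) (\S+)",
                             text, re.M).groups()
    # ipaddress accepts an IPv4 wildcard (hostmask) in the mask position
    d["nets"] = (ipaddress.ip_network(f"{s}/{sw}"), ipaddress.ip_network(f"{t}/{tw}"))
    return d

def check_pair(asa, ios):
    """Names of the checks that fail; an empty list means the two sides agree."""
    checks = [
        ("phase1 policy", asa["phase1"] == ios["phase1"]),
        ("pre-shared key", asa["psk"] == ios["psk"]),
        ("asa peer is a router address", asa["peer"] in ios["ifaces"]),
        ("router peer is an asa address", ios["peer"] in asa["ifaces"]),
        ("asa tunnel-group name equals peer", asa["tunnel_group"] == asa["peer"]),
        ("router key address equals peer", ios["key_addr"] == ios["peer"]),
        ("transform set", asa["transform"] == ios["transform"]),
        ("pfs group", asa["pfs"] == ios["pfs"]),
        ("crypto acls mirror each other", asa["nets"] == ios["nets"][::-1]),
    ]
    return [name for name, ok in checks if not ok]

def run_checks(asa_text=ASA_CFG, ios_text=IOS_CFG):
    return check_pair(parse_asa(asa_text), parse_ios(ios_text))
```

run_checks() returns an empty list for the two configs as written; feed it a copy of IOS_CFG with the key mistyped, the PFS group changed or the ACL subnets swapped and the corresponding check name comes back, which is the same thing the debug output would eventually tell you, without bringing the tunnel down first.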