Lab goal: connect R2 to R3 through an IPsec ××× tunnel

ASA1 configuration:

Base (interface) configuration

int e0/0

nameif outside

ip add 100.1.1.1 255.255.255.252

no sh

int e0/1

nameif inside

ip add 172.16.10.1 255.255.255.0

no sh

Access control list (ACL)

access-list in-out permit ip any any

access-group in-out in int outside

PAT/NAT control

route outside 0 0 100.1.1.2

nat-control

nat (inside) 1 0 0

global (outside) 1 int

NAT exemption

access-list nonat permit ip 172.16.10.0 255.255.255.0 10.10.33.0 255.255.255.0

nat (inside) 0 access-list nonat

Enable ISAKMP and configure the management (IKE phase 1) policy

crypto isakmp enable outside

crypto isakmp policy 1

encryption aes                        choose the encryption algorithm

hash sha                              specify the hash algorithm

authentication pre-share              device authentication method

group 1                               specify the DH key group

ex

crypto isakmp key benet address 200.1.1.1            set the pre-shared key

Configure the crypto ACL

access-list my*** permit ip 172.16.10.0 255.255.255.0 10.10.33.0 255.255.255.0

crypto ipsec transform-set benet-set esp-aes esp-sha-hmac       transform set for the data connection (IPsec SA)

Configure the crypto map and apply it

crypto map benet-map 1 match address my***

crypto map benet-map 1 set peer 200.1.1.1

crypto map benet-map 1 set transform-set benet-set

crypto map benet-map int outside


ASA2 configuration (these commands do the same as above, so they are not explained again)

int e0/0

nameif outside

ip add 200.1.1.1 255.255.255.252

no sh

int e0/1

nameif inside

ip add 10.10.33.1 255.255.255.0

no sh

 

route outside 0 0 200.1.1.2

nat (inside) 1 0 0

global (outside) 1 int

 

access-list nonat permit ip 10.10.33.0 255.255.255.0 172.16.10.0 255.255.255.0

nat (inside) 0 access-list nonat

access-list in-out permit ip any any

access-group in-out in int outside

crypto isakmp enable outside

crypto isakmp policy 1

encryption aes

hash sha

authentication pre-share

group 1

ex

crypto isakmp key benet address 100.1.1.1

access-list my*** permit ip 10.10.33.0 255.255.255.0 172.16.10.0 255.255.255.0

crypto ipsec transform-set benet-set esp-aes esp-sha-hmac

crypto map benet-map 1 match address my***

crypto map benet-map 1 set peer 100.1.1.1

crypto map benet-map 1 set transform-set benet-set

crypto map benet-map int outside
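Most failures in this kind of setup come from the two sides not mirroring each other: a crypto ACL that is not the reverse of the peer's, a NAT exemption ACL that does not cover the same traffic as the crypto ACL (so the packets get PATed and never match the crypto map), or a peer address with no pre-shared key bound to it. The following Python checker is an added example, not part of this lab; it parses constructed excerpts of the two ASA configs above (the crypto ACL is named vpn-acl here, since the lab's name is censored) and reports any of those inconsistencies, including the glued-netmask typo that appears in the lab text.

```python
import ipaddress
import re

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
# Constructed excerpt of ASA1 from this lab (crypto ACL renamed to vpn-acl); ASA2 is its mirror.
ASA1 = """
access-list nonat permit ip 172.16.10.0 255.255.255.0 10.10.33.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list vpn-acl permit ip 172.16.10.0 255.255.255.0 10.10.33.0 255.255.255.0
crypto isakmp key benet address 200.1.1.1
crypto ipsec transform-set benet-set esp-aes esp-sha-hmac
crypto map benet-map 1 match address vpn-acl
crypto map benet-map 1 set peer 200.1.1.1
crypto map benet-map 1 set transform-set benet-set
"""
ASA2 = (ASA1.replace("172.16.10.0 255.255.255.0 10.10.33.0", "10.10.33.0 255.255.255.0 172.16.10.0")
            .replace("200.1.1.1", "100.1.1.1"))

def parse_config(text):
    """Minimal parser for the IPsec-relevant lines of an ASA config (written for this check)."""
    cfg = {"acls": {}, "bad": [], "tsets": {}}
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = ACL_RE.match(line)
        if m:
            name, s, sm, d, dm = m.groups()
            cfg["acls"].setdefault(name, set()).add((ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
        elif line.startswith("access-list "):
            cfg["bad"].append(line)  # ACL line the ASA would reject or misread (e.g. netmask glued to address)
        elif line.startswith("nat (inside) 0 access-list "):
            cfg["nonat"] = line.split()[-1]
        elif line.startswith("crypto isakmp key "):
            cfg["key_addr"] = line.split()[-1]
        elif line.startswith("crypto ipsec transform-set "):
            cfg["tsets"][line.split()[3]] = tuple(line.split()[4:])
        elif line.startswith("crypto map "):  # keeps 'address', 'peer' and 'transform-set'
            cfg[line.split()[-2]] = line.split()[-1]
    return cfg

def check_tunnel(a, b):
    """Findings for an ASA pair; an empty list means the IPsec pieces are consistent."""
    findings = [f"unparsable ACL line: {l}" for l in a["bad"] + b["bad"]]
    crypto = lambda c: c["acls"].get(c.get("address"), set())
    if {(d, s) for s, d in crypto(a)} != crypto(b):
        findings.append("crypto ACLs are not mirror images of each other")
    for side, c in (("a", a), ("b", b)):
        if c["acls"].get(c.get("nonat"), set()) != crypto(c):
            findings.append(f"{side}: NAT exemption ACL does not match the crypto ACL")
        if c.get("peer") != c.get("key_addr"):
            findings.append(f"{side}: peer {c.get('peer')} has no pre-shared key bound to it")
    if a["tsets"].get(a.get("transform-set")) != b["tsets"].get(b.get("transform-set")):
        findings.append("transform sets differ between the two sides")
    return findings
```

The check tests consistency only, not strength: the lab's DH group 1 (768-bit) and SHA-1 would not pass a current policy review and should be replaced by stronger groups and hashes in a production deployment.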

 

R1 configuration

R1 has only the base configuration, nothing else

conf t

int f0/0

ip add 100.1.1.2 255.255.255.252

no sh

int f0/1

ip add 200.1.1.2 255.255.255.252

no sh

 

R2 configuration

R2 has the base configuration plus one default route out (the default route is mandatory, otherwise pings will fail). Once done, ping the ASA it is connected to (note: this ping must succeed).

int f0/0

ip add 172.16.10.2 255.255.255.0

no sh

ip route 0.0.0.0 0.0.0.0 172.16.10.1

 

R3 configuration

Same as the R2 configuration; after configuring it, ping the directly connected ASA as well (it must succeed).

int f0/0

ip add 10.10.33.2 255.255.255.0

no sh

ip route 0.0.0.0 0.0.0.0 10.10.33.1


Once everything is done, the ping succeeds.

A packet capture (between R1 and ASA2) looks like this:

From the capture we can see that the packets on the public network do not expose the internal addresses, so the experiment succeeded.