鸿鹄论坛

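Help needed: problem mixing an ASA with routers

Posted on 2014-8-29 03:35:01
I set up an IPsec VPN on the topology shown in the figure. C1 ping C3: destination host unreachable. C3 ping C1: timed out. The configuration commands are below. Please advise: where is the configuration wrong?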

ISP       
--------------------------------
en
conf t
access-list 1 deny 192.168.0.0 0.0.255.255
access-list 1 permit any
int f0/0
ip add 202.100.10.2 255.255.255.0
ip access-group 1 in
no shut
int f0/1
ip add 202.100.20.2 255.255.255.0
ip access-group 1 in
no shut
int f1/0
ip add 202.100.30.2 255.255.255.0
ip access-group 1 in
no shut
end
wr

-----------------------
R3
-----------
en
conf t
ip access-list ex nat
deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip any any
exit
ip access-list ex vpn
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip any any
exit
int f0/0
ip add 202.100.20.1 255.255.255.0
no shut
ip nat outside
int f0/1
ip add 192.168.2.254 255.255.255.0
no shut
ip nat inside
exit
ip nat inside s list nat inter f0/0 overload
ip route 0.0.0.0 0.0.0.0 202.100.20.2
end
conf t
crypto isakmp policy 1
encryption des
authentication pre-share
group 2
hash sha
exit
crypto isakmp key 0 benet-key address 202.100.10.1 255.255.255.0
crypto ipsec transform-set benet-set esp-sha-hmac esp-des
exit
crypto map benet-map 1 ipsec-isakmp
set transform-set benet-set
set pfs group2
set peer 202.100.10.1
match address vpn
exit
int f0/0
crypto map benet-map
do wr

----------------
R1
-----------
en
conf t
int f0/0
ip add 192.168.10.2 255.255.255.0
no shut
int f0/1
ip add 192.168.1.254 255.255.255.0
no shut
exit
ip route 0.0.0.0 0.0.0.0 192.168.10.1
end
wr

--------------------
ASA
------------
en

conf t
int e0/0
ip add 202.100.10.1 255.255.255.0
nameif outside
no shut
int e0/1
ip add 192.168.10.1 255.255.255.0
nameif inside
exit
route outside 0 0 202.100.10.2
route inside 192.168.1.0 255.255.255.0 192.168.10.2
access-list ping ex permit icmp any any
access-list nonat ex permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat ex permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat ex deny ip any any
access-list vpn ex permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list vpn ex permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn ex deny ip any any
access-group ping in inte outside
nat-control
nat (inside) 1 0 0
global (outside) 1 interface
nat (outside) 0 access-list nonat
crypto isakmp enable outside
crypto isakmp key benet-key address 202.100.20.1 netmask 255.255.255.0
crypto ipsec transform-set benet-set esp-sha-hmac esp-des
crypto isakmp policy 1
encryption des
authentication pre-share
group 2
hash sha
exit
crypto map benet-map 1 ipsec-isakmp
crypto map benet-map 1 set transform-set benet-set
crypto map benet-map 1 set peer 202.100.20.1
crypto map benet-map 1 set pfs group2
crypto map benet-map 1 match address vpn
crypto map benet-map interface outside





[Attached image: 1.jpeg.jpeg.jpeg]
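
An added example, not part of the original post: crypto ACLs on two IPsec peers are normally written as mirror images of each other, and this Python script checks that for the `vpn` ACL lines copied from the R3 and ASA configurations above. The function names are hypothetical, and the script only reports differences between the two ACLs; it does not claim to identify the cause of the failed pings.

```python
import ipaddress
import re

# Crypto ACL lines copied from the R3 (IOS, wildcard masks) and ASA (netmasks) configs in the post.
R3_VPN_ACL = """\
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip any any
"""
ASA_VPN_ACL = """\
access-list vpn ex permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list vpn ex permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn ex deny ip any any
"""

ENTRY = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)\s*$")

def _net(addr, mask, wildcard):
    """Build a network from an address plus a wildcard mask (IOS) or a netmask (ASA)."""
    if wildcard:  # invert each octet to turn the wildcard into a netmask
        mask = ".".join(str(255 - int(o)) for o in mask.split("."))
    return ipaddress.ip_network(f"{addr}/{mask}")

def permits(acl_text, wildcard):
    """Return the set of (source, destination) networks selected by permit entries."""
    pairs = set()
    for line in acl_text.splitlines():
        m = ENTRY.search(line)
        if m:  # 'deny ip any any' does not match the pattern and is skipped
            src, smask, dst, dmask = m.groups()
            pairs.add((_net(src, smask, wildcard), _net(dst, dmask, wildcard)))
    return pairs

def mirror_diff(local, remote):
    """Return (extra, missing) for local selectors versus the mirror image of remote."""
    mirrored = {(dst, src) for src, dst in remote}
    return sorted(local - mirrored), sorted(mirrored - local)

def report():
    asa = permits(ASA_VPN_ACL, wildcard=False)
    r3 = permits(R3_VPN_ACL, wildcard=True)
    return mirror_diff(asa, r3)

if __name__ == "__main__":
    extra, missing = report()
    for src, dst in extra:
        print(f"ASA selects {src} -> {dst}, which R3 does not mirror")
    for src, dst in missing:
        print(f"ASA lacks {src} -> {dst}, the mirror of an R3 entry")
```
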
Posted on 2014-8-29 05:15:37
I don't get it; the ACLs are so complicated.

Original poster | Posted on 2014-8-29 10:49:04
One spot in the figure above was labeled wrong; re-posting it.
[Attached image: topology.jpeg.jpeg]

Posted on 2014-12-24 15:27:53
Thanks for your information.