思科配置实例系列---ASA防火墙动态VPN配置案例

fulltimes

ASA防火墙 动态VPN配置近年来，随着信息网络的不断发展，越来越多的公司建立了VPN网络。一些大的公司的总部与分公司及办事处已经建立了VPN网络，但投资过大。目前随着VPN技术的不断成熟，动态VPN应用越来越多，市面上此类产品也越来越多。但对于一些大的公司，总部的防火墙使用的是cisco ASA防火墙，而分公司通常没有专用的防火墙，特别是一些办事处，没有专线，没有固定IP，只是通过ADSL动态拨号的方式上网。如果要求 总部与办事处建立site to site之VPN网络，就需要建立动态VPN，而目前ASA5500系列防火墙只支持静态IP建立site to site之VPN，所以可以在办事处或分公司的路由器上与总部的ASA防火墙建立动态VPN。
环境：
       总部：内网---à中心交换机----àASA5510防火墙---à光纤专线连接到Internet
分公司或办事处：内网---à交换机----àcisco2611路由器---àADSL modem连接到Internet
配置步骤：
总部的ASA5510配置
ASA Version 7.2(1)
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 203.132.90.89 255.255.255.252
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.3.254 255.255.255.0
access-list 120 extended permit ip any any
access-list 110 extended permit ip 192.168.3.0 255.255.255.0 172.16.1.0 255.255.255.0
asdm image disk0:/asdm505.bin
global (outside) 1 interface
nat (inside) 0 access-list 110
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 120 in interface outside
route outside 0.0.0.0 0.0.0.0 203.132.90.90 1
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set xp esp-des esp-sha-hmac
crypto dynamic-map cmldynamic 10 set transform-set xp
crypto map jiangmap 10 ipsec-isakmp dynamic cmldynamic
crypto map jiangmap interface outside
isakmp enable outside
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
tunnel-group DefaultRAGroup ipsec-attributes 注意：上两行与pix配置有区别
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:72bd465cd632f344fec7ebe02a5a27ed
: end
办事处cisco2611路由器配置：
ip nbar pdlm flash:bittorrent.pdlm
!
!
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key xin%909988 address 203.132.90.89
!
crypto ipsec transform-set jiangset esp-des esp-sha-hmac
!
crypto map jiangmap 20 ipsec-isakmp
set peer 203.132.90.89
set transform-set jiangset
match address 110
!
mta receive maximum-recipients 0
!
!
class-map match-all bittorrent
match protocol bittorrent
!
policy-map cmlqos
class bittorrent
   drop
!
interface FastEthernet0/0
ip address 172.16.1.1 255.255.255.0
ip nat inside
service-policy output cmlqos
!
interface FastEthernet0/1
no ip address
pppoe enable
pppoe-client dial-pool-number 1
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
encapsulation ppp
no ip route-cache
no ip mroute-cache
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username dg50987634 password 7 121C58495740435F55
crypto map jiangmap
!
ip nat inside source list 120 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 1 permit 172.16.1.0 0.0.0.255
access-list 110 permit ip 172.16.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 120 deny   ip 172.16.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 120 permit ip 172.16.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
call rsvp-sync
!
mgcp profile default
!
dial-peer cor custom
!
end

                               
登录/注册后可看大图

该贴已经同步到 fulltimes的微博

iook163

谢谢分享

空心

谢谢分享！

minghan

thanks....
thank your share thing...
this is a very good information....

zgcqyb2012

{:soso__5663373028670280397_3:}

xueyu20

有的东西真是很贵啊

lm6512

版本很低了……