
VPN and Static Translation

Posted on 2014-5-9 17:25:05
This post was last edited by 泰克实验室塑造 on 2014-5-9 17:28


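Company A and Company B have a close relationship. Company C only allows Company A to dial in over VPN and does not want people from Company B to dial in; site C only allows the encrypted flow to return to site A's private network. A wants, with its own help, to enable Company B to dial in to Company C over VPN.
On Company A's ASA, R3's internal network 10.86.3.0 needs to be translated into 10.86.1.0/25 addresses, so that when the traffic goes to C, the private network in the packet is a 10.86.1.0 address.
Static (outside,outside) 10.86.1.0 10.86.3.0 netmask 255.255.255.128
Company B's ACL: 10.86.3.0--10.86.1.0
10.86.3.0--10.3.3.0
Company A's ACL: 10.86.1.0--10.86.3.0
10.86.1.0--10.3.3.0
Company C's ACL: 10.3.3.0--10.86.1.0

A's configuration: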
interface Ethernet0
 nameif inside
 security-level 100
 ip address 10.86.1.254 255.255.255.0
interface Ethernet1
 nameif outside
 security-level 0
 ip address 8.8.5.254 255.255.255.0
same-security-traffic permit intra-interface
access-list out extended permit ip any any
access-list 100 extended permit ip 10.86.1.0 255.255.255.0 10.86.3.0 255.255.255.0
access-list 100 extended permit ip 10.3.3.0 255.255.255.0 10.86.3.0 255.255.255.0
access-list 110 extended permit ip 10.86.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list 110 extended permit ip 10.86.3.0 255.255.255.0 10.3.3.0 255.255.255.0
static (outside,outside) 10.86.1.0 10.86.3.0 netmask 255.255.255.128   //traffic that enters on the outside interface and leaves again through the outside interface is NATed
access-group out in interface outside
route outside 0.0.0.0 0.0.0.0 8.8.5.2 1
crypto ipsec transform-set cisco esp-des esp-md5-hmac
crypto map cisco 10 match address 100
crypto map cisco 10 set peer 8.8.23.3
crypto map cisco 10 set transform-set cisco
crypto map cisco 20 match address 110
crypto map cisco 20 set peer 8.8.24.4
crypto map cisco 20 set transform-set cisco
crypto map cisco interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
tunnel-group 8.8.23.3 type ipsec-l2l
tunnel-group 8.8.23.3 ipsec-attributes
 pre-shared-key cisco
tunnel-group 8.8.24.4 type ipsec-l2l
tunnel-group 8.8.24.4 ipsec-attributes
 pre-shared-key cisco

R3: Company B
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 8.8.5.254
crypto ipsec transform-set cisco esp-des esp-md5-hmac
crypto map cisco 10 ipsec-isakmp
 set peer 8.8.5.254
 set transform-set cisco
 match address 100
interface Loopback0
 ip address 10.86.3.3 255.255.255.0
interface Serial1/0
 ip address 8.8.23.3 255.255.255.0
 encapsulation frame-relay
 ip ospf network point-to-point
 no arp frame-relay
 frame-relay map ip 8.8.23.2 302 broadcast
 no frame-relay inverse-arp
 crypto map cisco
router ospf 100
 network 8.8.23.0 0.0.0.255 area 0
ip route 0.0.0.0 0.0.0.0 8.8.23.2
access-list 100 permit ip 10.86.3.0 0.0.0.255 10.86.1.0 0.0.0.255
access-list 100 permit ip 10.86.3.0 0.0.0.255 10.3.3.0 0.0.0.255

R4: Company C
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 8.8.5.254
crypto ipsec transform-set cisco esp-des esp-md5-hmac
crypto map cisco 10 ipsec-isakmp
 set peer 8.8.5.254
 set transform-set cisco
 match address 100
interface Loopback0
 ip address 10.3.3.4 255.255.255.0
interface Serial1/0
 ip address 8.8.24.4 255.255.255.0
 encapsulation frame-relay
 ip ospf network point-to-point
 serial restart-delay 0
 no arp frame-relay
 frame-relay map ip 8.8.24.4 402
 frame-relay map ip 8.8.24.2 402 broadcast
 no frame-relay inverse-arp
 crypto map cisco
router ospf 1
 network 8.8.24.0 0.0.0.255 area 0
ip route 0.0.0.0 0.0.0.0 8.8.24.2
access-list 100 permit ip 10.3.3.0 0.0.0.255 10.86.1.0 0.0.0.255
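
Added example (not part of the original post): a Python check of the address arithmetic behind the static (outside,outside) translation and of how the result lines up with R4's access-list 100, using the networks from the configurations above. The function names and the host 10.86.3.200 are assumptions made for this example.

```python
import ipaddress as ip

# Networks copied from the configs in the post
REAL = ip.ip_network("10.86.3.0/255.255.255.128")    # B side of the ASA static
MAPPED = ip.ip_network("10.86.1.0/255.255.255.128")  # address range shown to C
A_INSIDE = ip.ip_network("10.86.1.0/24")             # ASA inside subnet
B_LAN = ip.ip_network("10.86.3.0/24")                # R3 Loopback0 subnet
# R4 access-list 100 as (local, remote) pairs
C_ACL = [(ip.ip_network("10.3.3.0/24"), ip.ip_network("10.86.1.0/24"))]


def translate(src):
    """Net-to-net static: keep the host offset, swap the network part.
    Returns None when src is outside the real range of the static."""
    src = ip.ip_address(src)
    if src not in REAL:
        return None
    offset = int(src) - int(REAL.network_address)
    return ip.ip_address(int(MAPPED.network_address) + offset)


def c_acl_covers(src, dst):
    """True if src -> dst is the mirror of an entry in C's crypto ACL."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    return any(src in remote and dst in local for local, remote in C_ACL)


def check_flow(b_host, c_host):
    """Return (source address C would see, whether C's ACL covers the flow)."""
    mapped = translate(b_host)
    seen = mapped if mapped is not None else ip.ip_address(b_host)
    return str(seen), c_acl_covers(seen, c_host)


def untranslated_b_ranges():
    """Parts of B's /24 that the /25 static leaves untranslated."""
    return sorted(B_LAN.address_exclude(REAL))


def mapped_overlap_with_a_inside():
    """Mapped range that is also part of A's own inside subnet, so the same
    addresses stand for both A hosts and translated B hosts (worth reviewing)."""
    return MAPPED if MAPPED.subnet_of(A_INSIDE) else None


if __name__ == "__main__":
    print(check_flow("10.86.3.3", "10.3.3.4"))    # R3 Loopback0 -> R4 Loopback0
    print(check_flow("10.86.3.200", "10.3.3.4"))  # constructed host in upper /25
    print(untranslated_b_ranges(), mapped_overlap_with_a_inside())
```
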
Posted on 2014-12-24 17:40:04
Thanks for your information.