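ASA 5510 VPN lab

Lab objective
Use GNS3 to simulate the lab environment, complete the basic ASA configuration, and build a site-to-site VPN, a remote VPN and an SSL VPN.

Lab topology

Basic ASA configuration

ASA1
// Interface configuration
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 01
 no shutdown
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address
// NAT and route configuration
global (outside) 10 interface
nat (inside) 10
route outside 1
// Allow ping on the outside interface
// Add an ACL that permits ICMP.
access-list outside_acl extended permit icmp any any
// Bind the ACL to the outside interface.
access-group outside_acl in interface outside

ASA2 configuration
The ASA2 configuration is essentially the same as ASA1's; only the relevant IP addresses change.

Router R1 configuration
interface FastEthernet0/0
 ip address
 no shutdown
interface FastEthernet0/1
 ip address
 no shutdown

Testing
From c1, ping the outside IP of ASA2. If the ping succeeds, ASA1 and R1 are configured correctly.
From c2, ping the outside IP of ASA1. If the ping succeeds, ASA2 is configured correctly.

Site-to-site VPN configuration

ASA1 configuration
// Define the interesting traffic
access-list vpn_asa2_acl extended permit ip
// Exempt the VPN interesting traffic from NAT
nat (inside) 0 access-list no_nat
// Define the transform set (encapsulation and encryption)
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
// Define phase 1
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto isakmp nat-traversal 20
// Define phase 2
crypto map outside_map 20 match address vpn_asa2_acl
crypto map outside_map 20 set peer
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 288000
crypto map outside_map interface outside
// Define the tunnel type and password
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key mima

ASA2 configuration
Configure ASA2 by following the ASA1 configuration and changing the relevant IP information. Note that the pre-shared-key must be identical on both sides; otherwise the tunnel cannot be established.

Testing and debugging
Ping c2 from c1. If the ping succeeds, the VPN has been established. If it fails, troubleshoot with the following commands:
show crypto isakmp sa    // shows ISAKMP/IKE phase 1
show crypto ipsec sa     // shows ISAKMP/IKE phase 2

Setting up the remote VPN on ASA2
// Define the VPN data flow
access-list no_nat extended permit ip
nat (inside) 0 access-list no_nat
access-list vpn_acl extended permit ip
// Allocate an address pool from which VPN clients obtain an IP after dialing in
ip local pool vpn-pool -00 mask
// Define the transform set ESP-3DES-MD5
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
// Add ESP-3DES-MD5 to outside_map
crypto dynamic-map outside_map 10 set transform-set ESP-3DES-MD5
// Bind the dynamic crypto policy to the VPN dynamic crypto map
crypto dynamic-map outside_map 10 set reverse-route
crypto map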
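
The site-to-site section requires the pre-shared key and the phase 1 and phase 2 settings to agree on both peers; this can be checked offline before turning to the show commands. The Python sketch below is an added example, not part of the original lab: it compares two peers' settings and flags values that are weak by current standards. PEER_IP, the ASA2 sample and the WEAK table are assumptions, and one ISAKMP policy per config is assumed.

```python
# Constructed sample input. ASA1 mirrors the lab's site-to-site settings;
# PEER_IP is a placeholder because the page omits the peer address.
ASA1 = """\
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
tunnel-group PEER_IP type ipsec-l2l
tunnel-group PEER_IP ipsec-attributes
 pre-shared-key mima
"""
# Hypothetical peer with a different hash and a mistyped key.
ASA2 = ASA1.replace("hash md5", "hash sha").replace("key mima", "key mimi")

# Parameters both peers must agree on (lifetimes need not be identical,
# so the lifetime is not compared).
MUST_MATCH = ("authentication", "encryption", "hash", "group", "pre-shared-key")
# Values this example treats as weak by current standards (assumption).
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"},
        "group": {"1", "2", "5"},
        "transform": {"esp-des", "esp-3des", "esp-md5-hmac"}}

def parse(cfg):
    """Extract phase 1 policy, phase 2 transforms and PSK (one policy assumed)."""
    out = {}
    for line in cfg.splitlines():
        w = line.split()
        if len(w) == 2 and w[0] in MUST_MATCH:
            out[w[0]] = w[1]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            out["transform"] = " ".join(sorted(w[4:]))
    return out

def mismatches(a, b):
    """Names of parameters that differ between peers; key values are never returned."""
    pa, pb = parse(a), parse(b)
    return sorted(k for k in pa.keys() | pb.keys() if pa.get(k) != pb.get(k))

def weak_settings(cfg):
    """Configured values that appear in the WEAK table."""
    p = parse(cfg)
    return sorted(f"{k} {v}" for k, vals in WEAK.items()
                  for v in p.get(k, "").split() if v in vals)

if __name__ == "__main__":
    print("mismatch:", mismatches(ASA1, ASA2))
    print("weak on ASA1:", weak_settings(ASA1))
```

Only parameter names are reported for mismatches, so the pre-shared key itself never reaches the output or a log.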