当前位置：首页 - 正文

思科防火墙ASA5520 ipsec 配置实例

发布网友发布时间：2023-12-25 17:52

我来回答

共1个回答

热心网友时间：2024-06-10 03:56

ASA Local:

ASA Version 7.X

no names

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 30.30.30.1 255.255.255.0

!--- This line allows the unicast of OSPF over the IPsec tunnel.

ospf network point-to-point non-broadcast

!--- This line is optional and not required for OSPF to work.

!--- Enable this option only if you want to enable MD5 digest for OSPF.

ospf message-digest-key 10 md5 cisco

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 10.10.10.1 255.255.255.0

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

shutdown

no nameif

no security-level

no ip address

enable password cisco encrypted

passwd cisco encrypted

hostname Local

ftp mode passive

!--- These access control list (ACL) entries define

!--- interesting traffic for IPsec encryption and allow

!--- the traffic to bypass NAT. Note that OSPF is permitted and only

!--- in the crypto ACL.

same-security-traffic permit intra-interface

access-list nonat extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0

access-list outside_cryptomap_10 extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0

access-list outside_cryptomap_10 extended permit ospf interface outside host 40.40.40.2

pager lines 24

mtu outside 1500

mtu inside 1500

no failover

icmp permit any echo outside

icmp permit any echo-reply outside

icmp permit any echo inside

icmp permit any echo-reply inside

asdm image disk0:/asdm-502.bin

no asdm history enable

arp timeout 14400

global (outside) 10 interface

!--- Do not translate traffic with NAT.

nat (inside) 0 access-list nonat

nat (inside) 10 10.10.10.0 255.255.255.0

!--- This is OSPF.

!--- Note: You must define the outside network of the remote peer.

router ospf 100

network 10.10.10.0 255.255.255.0 area 0

network 30.30.30.0 255.255.255.0 area 0

network 40.40.40.0 255.255.255.0 area 0

!--- This is where OSPF is told where the

!--- PEER is located.

neighbor 40.40.40.2 interface outside

log-adj-changes

!--- This is a host based static. This is not always

!--- necessary, but recommended to prevent recursive routing loops when

!--- OSPF comes up over the IPsec tunnel.

route outside 40.40.40.2 255.255.255.255 30.30.30.2 1

route outside 0.0.0.0 0.0.0.0 30.30.30.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 sunrpc 0:10:00

h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.4.50 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp

!--- This is the IPsec and IKE/ISAKMP configuration.

!--- Make sure basic IPsec connectivity is present

!--- before you add in OSPF.

crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto map outside_map 10 match address outside_cryptomap_10

crypto map outside_map 10 set peer 40.40.40.2

crypto map outside_map 10 set transform-set myset

crypto map outside_map 10 set security-association lifetime seconds 86400

crypto map outside_map interface outside

isakmp identity address

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp policy 65535 authentication pre-share

isakmp policy 65535 encryption 3des

isakmp policy 65535 hash sha

isakmp policy 65535 group 2

isakmp policy 65535 lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

tunnel-group 40.40.40.2 type ipsec-l2l

tunnel-group 40.40.40.2 ipsec-attributes

pre-shared-key cisco

class-map inspection_default

match default-inspection-traffic

policy-map asa_global_fw_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

service-policy asa_global_fw_policy global

Cryptochecksum:3d5f16a67ec0fa20aa3882acaa348e28

: end

ASA Remote:

ASA Version 7.X

no names

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 40.40.40.2 255.255.255.0

!--- This line allows the unicast of OSPF over to

!--- the IPsec tunnel.

ospf network point-to-point non-broadcast

!--- This line is optional and not required for OSPF to work.

!--- Enable this option only if you want to enable MD5 digest for OSPF.

ospf message-digest-key 10 md5 cisco

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 20.20.20.1 255.255.255.0

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

shutdown

no nameif

no security-level

no ip address

enable password cisco encrypted

passwd cisco encrypted

hostname Remote

ftp mode passive

!--- These ACL entries define interesting traffic for IPsec encryption and allow

!--- the traffic to bypass NAT. Note that OSPF is permitted and only in the crypto ACL.

same-security-traffic permit intra-interface

access-list nonat extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list crypto extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list crypto extended permit ospf interface outside host 30.30.30.1

pager lines 24

mtu outside 1500

mtu inside 1500

no failover

icmp permit any echo outside

icmp permit any echo-reply outside

icmp permit any echo inside

icmp permit any echo-reply inside

asdm image disk0:/asdm-502.bin

no asdm history enable

arp timeout 14400

global (outside) 20 interface

!--- Do not translate traffic with NAT.

nat (inside) 0 access-list nonat

nat (inside) 20 20.20.20.0 255.255.255.0

!--- This is OSPF.

!--- Note: You must define the remote peer's outside network.

router ospf 100

network 20.20.20.0 255.255.255.0 area 0

network 30.30.30.0 255.255.255.0 area 0

network 40.40.40.0 255.255.255.0 area 0

!--- This is where the OSPF is told where the PEER is located.

neighbor 30.30.30.1 interface outside

log-adj-changes

!--- This is a host based static. This is not always necessary, but recommended to

prevent recursive routing loops when OSPF comes up over the IPsec tunnel.

route outside 0.0.0.0 0.0.0.0 40.40.40.1 1

route outside 30.30.30.1 255.255.255.255 40.40.40.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 sunrpc 0:10:00

h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.4.50 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp

!--- This is the IPsec configuration. Make sure basic IPsec connectivity is present

before you add in OSPF.

crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto map * 10 match address crypto

crypto map * 10 set peer 30.30.30.1

crypto map * 10 set transform-set myset

crypto map * interface outside

isakmp identity address

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp policy 65535 authentication pre-share

isakmp policy 65535 encryption 3des

isakmp policy 65535 hash sha

isakmp policy 65535 group 2

isakmp policy 65535 lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

tunnel-group 30.30.30.1 type ipsec-l2l

tunnel-group 30.30.30.1 ipsec-attributes

pre-shared-key cisco

class-map inspection_default

match default-inspection-traffic

policy-map asa_global_fw_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

service-policy asa_global_fw_policy global

Cryptochecksum:3d5f16a67ec0fa20aa3882acaa348e28

: end

思科防火墙ASA5520 ipsec vpn 配置实例

左边的f0/0口的ip是192.168.1.254右边的f0/0口ip是192.168.2.254。配置VPN1Router>enRouter#conf tRouter(config)#host VPN1VPN1 (config)#int fa0/0VPN1（config-if)#ip add 192.168.1.254 255.255.255.0VPN1 (config-if)#no shVPN1 (config-if)#exitVPN1 (config)#int s1/0...

美国服务器怎么选择配置

作为一家专注于服务器和存储解决方案的提供商，JT TELECOM INTERNATIONAL PTE.LTD.为客户提供了一系列高性能的美国服务器选项。在选择美国服务器配置时，首先需要根据业务需求确定服务器的处理器、内存、存储和网络等关键组件的性能要求。如果需要处理大量数据或进行复杂计算，则需要选择高性能的处理器和足够的内存。对于需要存储大量数据的业务，则需要考虑服务器的存储容量和性能。此外，安全性也是选择服务器的重要考虑因素。JT TELECOM INTERNATIONAL PTE.LTD.提供的美国服务器都配备了高级的安全功能，例如防火墙和数据加密等，以保障客户的数…选择美国服务器的配置可以从硬盘、cpu、内存、IP等方面来考虑，具体如下：1、服务器CPU，服务器CPU它存在于长期稳定的工作中，相当于服务器的大脑，在选择中CPU要根据部署项目的复杂性来考虑，防止CPU资源不足。服务器CPU要求全年运行，稳定性要...

思科防火墙ASA5520 ipsec vpn 配置实例

!--- This is the IPsec and IKE/ISAKMP configuration. !--- Make sure basic IPsec connectivity is present !--- before you add in OSPF. crypto ipsec transform-set myset esp-3des esp-sha-hmac crypto map outside_map 10 match address outside_cryptomap_10 crypto map outside_map 10 set...

对于cisco ASA5520防火墙我这边有固定的外网IP如何使内部交换机cisco2970...

外网配置ip地址，并命名为“outside”，内网设置私有ip,如192.168.1，并命名为“inside”，最后再做网络地址转换即可。楼主可参考下面：1.进入外接口：nameif outside ip add 固定IP地址 no shutdown 2.进入内接口：nameif inside ip add 私有IP地址 no shutdown 3.NAT（网络地址转换）：nat-contro...

思科5520防火墙能支持多大带宽,多少并发数

Cisco ASA 5520详细特性如下:状态监控吞吐量：最大450Mbps IPS吞吐量：最大225Mbps（AIP-SSM-10）,最大375Mbps（AIP-SSM-20），最大450Mbps（AIP-SSM-40）3DES/AES VPN吞吐量：最大225Mbps IPSec VPN对等体数量：750个 Cisco云网页安全用户：300个增强型Anyconnect VPN对等体数量：默认包括2个/最...

ASA 5520 我配置好了,也能成功的连接到公司,但是连接以后不能用公司的...

我认为是你的ASA上在配置时的问题，应该是你拨接所得到的这个网段的IP地址没有做到nat里面去~

两台ASA5520互联site-to-site VPN ,A点可以向B点ping包触发形成隧道,B...

貌似你B点使用的是动态加密图吧，只有使用静态加密图的防火墙才可以发起建立隧道的请求

cisco asa5520 支持L2TP吗

支持，不过建议还是用cisco的EZVPN解决方案，l2tp必须over ipsec才能加密，而且权限管理以及穿越都非常差劲

思科asa5520,5525k哪个好

CISCO ASA5520-K8 产品类别：防火墙品牌：CISCO（思科）设备类型： VPN防火墙网络吞吐量： 450Mbps 并发连接数： 280000 用户数限制：无用户数限制用户网络端口： 4个千兆以太网接口+1个快速以太网接口安全过滤带宽： 225Mbps 管理：思科安全管理器（CS-Manager），Web VPN支持：支持优点：...

思科的ASA5540-K8和ASA550-Aip20-k8有什么区别呢

主用 /主用和主用 / 备用高可用性，DES 许可证 2、ASA5540-AIP20-K8 Cisco ASA 5540 IPS版，包括AIP-SSM-20，防火墙服务， 750个IPsec VPN对， 2个SSL VPN对，4个千兆以太网接口，1 个快速以太网接口 AIP20是一个IPS模块。可以插到ASA5520中使用 AIP20可以使用在5520,5540,5580 ...

谁有思科防火墙默认密码破解的方法

按照提示中断正常启动一般是Esc键中断正常启动后将进入到rommon模式按照下面操作方法操作即可：Booting system, please wait...CISCO SYSTEMSEmbedded BIOS Version 1.0(11)2 01/25/06 13:21:26.17Low Memory: 631 KBHigh Memory: 512 MBPCI Device Table.Bus Dev Func VendID DevID Class Irq ...

飞塔防火墙ipsec配置网神防火墙配置ipsec 飞塔防火墙100eipsec 飞塔防火墙ipsec ipsec用防火墙还是路由器 DCN路由器与防火墙ipsec 防火墙思科思科防火墙端口映射思科防火墙型号

声明：本网页内容为用户发布，旨在传播知识，不代表本网认同其观点，若有侵权等问题请及时与本网联系，我们将在第一时间删除处理。
E-MAIL:11247931@qq.com

焦点

思科防火墙ASA5520 ipsec 配置实例

最新推荐

猜你喜欢

热门推荐