asa 5510 remote vpn配置实例
来源:互联网 发布:vfp网络编程 编辑:程序博客网 时间:2024/05/23 11:59
一、大概步骤:
1、配置各接口
2、建立客户端需要的地址池和用户名
3、定义隧道分离列表
4、建立配置IKE即ISAKMP策略。(第一阶段)
5、建立变换集(SA,第二阶段)
6、定义保密图。先建立动态保密图与变换集相关联;再把动态保密图绑定到保密图
7、定义和建立vpn客户端组策略
8、定义组成员的隧道属性和IPSEC属性,并应用定义的组策略。
二、详细配置参数:
1、配置接口
2、建立客户端需要的地址池和用户名
(1) asa(config)#username name password word //配置一个帐号和密码
(2) asa(config)#ip local pool poolname ipaddress-ipaddress mask mask //设置remote客户端的地址池
3、定义隧道分离列表
access-list no-nat extended permit ip 192.168.10.0 255.255.255.0 192.168.5.0 255.255.255.0 //定义VPN数据流
nat (inside) 0 access-list no-nat //设置IPSEC VPN数据不作nat翻译
access-list mis_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0 //隧道分离数据流配置,这里的源要配置为防火墙内网的地址。
4、建立配置IKE即ISAKMP策略。
crypto isakmp policy 10 authentication pre-share //进入isakmp的策略定义模式,策略号为10, 认证方式为pre-share认证,一共有三种认证方式
crypto isakmp policy 10 encryption des //定义协商用3DES加密算法
crypto isakmp policy 10 hash md5 //定义协商认证算法为md5
crypto isakmp policy 10 group 2 //定义diffie-hellman密钥交换模式为组2。
crypto isakmp policy 10 lifetime 86400 //ike策略的生命周期
isakmp nat-traversal 20
5、定义变换集
crypto ipsec transform-set myset esp-des esp-md5-hmac
//定义一个名为myset的变换集,用esp-des加密,esp-md5-hmac认证。加密和认证方法有很多,这里是用的这两种方法。
crypto ipsec security-association lifetime seconds 28800 //用时间定义变换集的生存时间
crypto ipsec security-association lifetime kilobytes 4608000//用字节数来定义变换集的生存时间
6、定义保密图
rypto dynamic-map outside_dyn_map 20 set transform-set myset//定义动保密图。并把myset变换集添加到动态动态保密图outside_dyn_map中,序号为20
crypto dynamic-map outside_dyn_map 20 set reverse-route //设置路由反转
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map //定义保密图,保密图名为outside_map ,序号为65535, 并把上面定义的动态保密图绑定到保密图上。
crypto map vpnmap interface outside//把保密图outside_map绑定到outside,这点非常重要
crypto isakmp identity address
crypto isakmp enable outside // outside接口启用isakmp
7、定义和建立vpn客户端组策略
group-policy mis internal //定义vpn客户端组策略名为mis,选项为internal
group-policy mis attributes //设置组策略属性
split-tunnel-policy tunnelspecified //启用隧道分离,且只有访问公司内网时才用。隧道分离有三种方式,这是其中一种。
tunnelspecified:允许客户端访问客户端本地网络以及internet,只有到公司内网的数据流才走分离隧道
excludespecified :仅允许客户端访问客户端本地的网络,internet和到公司内网的数据流都走分离隧道
tunnelall: 客户端所有所有流量都走分离隧道
split-tunnel-network-list value mis_splitTunnelAcl //隧道分离保护的数据, 此处mis_splitTunnelAcl为上面定义的隧道分离列访问列表
vpn-filter value filteracl //此命令可定义过滤VPN某些流量,即不允许VPN进来本地网后访问某些内容。或只允许访问某些内容。filteracl为定义的访问控制列表名
ipsec-udp enable //ipsec使用udp端口
vpn-idle-timeout 30 //定义客户端超时时间30分钟,默认时间是30分钟。
8、定义组成员的隧道属性和IPSEC属性,并应用定义的组策略
tunnel-group mis type ipsec-ra //设置隧道类型为remote vpn类型
tunnel-group mis general-attributes //设置隧道属性
address-pool vpnclient //地址池,为上面定义的定址池名
default-group-policy mis //设置默认策略
tunnel-group mis ipsec-attributes //设置隧道的ipsec属性
pre-shared-key 71305 //共享密钥71305
三、实例详解:
ciscoasa(config)# show run
: Saved
:
ASA Version 7.0(8)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 5tHlvHD3zNc8tf8s encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 218.107.xxx.xxx 255.255.255.248 //外网地址
!
interface Ethernet0/1
nameif dmz
security-level 50
ip address 192.168.9.42 255.255.255.0
!
interface Ethernet0/2
nameif inside
security-level 100
ip address 192.168.10.3 255.255.255.0 //内网地址
!
interface Management0/0
nameif guanli
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
same-security-traffic permit inter-interface
access-list ICMP extended permit icmp any any //允许icmp数据包通过外网接口
access-list denywww extended permit ip 192.168.10.0 255.255.255.192 any //控制内网部分地址可以上internet
access-list no-nat extended permit ip 192.168.10.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list no-nat extended permit ip 192.168.9.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list mis_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0 //隧道分离配置
access-list ftp extended permit tcp any interface outside eq ftp //ftp服务器地址映射
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu dmz 1500
mtu inside 1500
mtu guanli 1500
ip local pool vpnclient 192.168.5.1-192.168.5.50 mask 255.255.255.0 //客户端ip地址池
icmp permit any dmz
icmp permit any inside
asdm image disk0:/asdm-508.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (dmz) 0 access-list no-nat
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (inside) 1 192.168.10.0 255.255.255.0
static (inside,outside) tcp interface ftp 192.168.10.4 ftp netmask 255.255.255.255
access-group ftp in interface outside //ftp服务器映射配置,应用到outside接口
access-group ICMP in interface dmz
access-group denywww in interface inside
route outside 0.0.0.0 0.0.0.0 218.107.xxx.xxx 1 //默认路由配置
route inside 192.168.9.0 255.255.255.0 192.168.9.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy mis internal //定义vpn客户端组策略
group-policy mis attributes
split-tunnel-policy tunnelspecified //启用隧道分离,且只有访问公司内网时才用。
split-tunnel-network-list value mis_splitTunnelAcl //隧道分离保护的数据
webvpn
username honyigroup password JGJnz3KpDlG3EiNK encrypted privilege 15
username elitek password 0EeiPx2DeaCfBhyF encrypted
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.10.19 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 guanli
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac //转换集的定义
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set myset //把转换集应用到动态加入密策略
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set reverse-route //设置路由反转
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map //动态加入密策略绑定到静定加密策略上。
crypto map outside_map interface outside //静态保密策略应用到outside接口
isakmp identity address
isakmp enable outside //isakmap策略用到outside口
isakmp enable inside
isakmp policy 10 authentication pre-share //定义isakmap策略
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
tunnel-group mis type ipsec-ra //设置通道类型为remote vpn类型
tunnel-group mis general-attributes //设置通道属性
address-pool vpnclient //地址池
default-group-policy mis //默认策略
tunnel-group mis ipsec-attributes
pre-shared-key * //共享密钥
telnet 192.168.10.0 255.255.255.0 inside //设置可以telnet 的IP
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 20
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
ssh version 1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 guanli
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable guanli
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
tftp-server inside 192.168.10.19 cisco/asa/asa_config
Cryptochecksum:5cc4c5a21352c4a85ebcb9c6facf26f5
: end
1、配置各接口
2、建立客户端需要的地址池和用户名
3、定义隧道分离列表
4、建立配置IKE即ISAKMP策略。(第一阶段)
5、建立变换集(SA,第二阶段)
6、定义保密图。先建立动态保密图与变换集相关联;再把动态保密图绑定到保密图
7、定义和建立vpn客户端组策略
8、定义组成员的隧道属性和IPSEC属性,并应用定义的组策略。
二、详细配置参数:
1、配置接口
2、建立客户端需要的地址池和用户名
(1) asa(config)#username name password word //配置一个帐号和密码
(2) asa(config)#ip local pool poolname ipaddress-ipaddress mask mask //设置remote客户端的地址池
3、定义隧道分离列表
access-list no-nat extended permit ip 192.168.10.0 255.255.255.0 192.168.5.0 255.255.255.0 //定义VPN数据流
nat (inside) 0 access-list no-nat //设置IPSEC VPN数据不作nat翻译
access-list mis_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0 //隧道分离数据流配置,这里的源要配置为防火墙内网的地址。
4、建立配置IKE即ISAKMP策略。
crypto isakmp policy 10 authentication pre-share //进入isakmp的策略定义模式,策略号为10, 认证方式为pre-share认证,一共有三种认证方式
crypto isakmp policy 10 encryption des //定义协商用3DES加密算法
crypto isakmp policy 10 hash md5 //定义协商认证算法为md5
crypto isakmp policy 10 group 2 //定义diffie-hellman密钥交换模式为组2。
crypto isakmp policy 10 lifetime 86400 //ike策略的生命周期
isakmp nat-traversal 20
5、定义变换集
crypto ipsec transform-set myset esp-des esp-md5-hmac
//定义一个名为myset的变换集,用esp-des加密,esp-md5-hmac认证。加密和认证方法有很多,这里是用的这两种方法。
crypto ipsec security-association lifetime seconds 28800 //用时间定义变换集的生存时间
crypto ipsec security-association lifetime kilobytes 4608000//用字节数来定义变换集的生存时间
6、定义保密图
rypto dynamic-map outside_dyn_map 20 set transform-set myset//定义动保密图。并把myset变换集添加到动态动态保密图outside_dyn_map中,序号为20
crypto dynamic-map outside_dyn_map 20 set reverse-route //设置路由反转
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map //定义保密图,保密图名为outside_map ,序号为65535, 并把上面定义的动态保密图绑定到保密图上。
crypto map vpnmap interface outside//把保密图outside_map绑定到outside,这点非常重要
crypto isakmp identity address
crypto isakmp enable outside // outside接口启用isakmp
7、定义和建立vpn客户端组策略
group-policy mis internal //定义vpn客户端组策略名为mis,选项为internal
group-policy mis attributes //设置组策略属性
split-tunnel-policy tunnelspecified //启用隧道分离,且只有访问公司内网时才用。隧道分离有三种方式,这是其中一种。
tunnelspecified:允许客户端访问客户端本地网络以及internet,只有到公司内网的数据流才走分离隧道
excludespecified :仅允许客户端访问客户端本地的网络,internet和到公司内网的数据流都走分离隧道
tunnelall: 客户端所有所有流量都走分离隧道
split-tunnel-network-list value mis_splitTunnelAcl //隧道分离保护的数据, 此处mis_splitTunnelAcl为上面定义的隧道分离列访问列表
vpn-filter value filteracl //此命令可定义过滤VPN某些流量,即不允许VPN进来本地网后访问某些内容。或只允许访问某些内容。filteracl为定义的访问控制列表名
ipsec-udp enable //ipsec使用udp端口
vpn-idle-timeout 30 //定义客户端超时时间30分钟,默认时间是30分钟。
8、定义组成员的隧道属性和IPSEC属性,并应用定义的组策略
tunnel-group mis type ipsec-ra //设置隧道类型为remote vpn类型
tunnel-group mis general-attributes //设置隧道属性
address-pool vpnclient //地址池,为上面定义的定址池名
default-group-policy mis //设置默认策略
tunnel-group mis ipsec-attributes //设置隧道的ipsec属性
pre-shared-key 71305 //共享密钥71305
三、实例详解:
ciscoasa(config)# show run
: Saved
:
ASA Version 7.0(8)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 5tHlvHD3zNc8tf8s encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 218.107.xxx.xxx 255.255.255.248 //外网地址
!
interface Ethernet0/1
nameif dmz
security-level 50
ip address 192.168.9.42 255.255.255.0
!
interface Ethernet0/2
nameif inside
security-level 100
ip address 192.168.10.3 255.255.255.0 //内网地址
!
interface Management0/0
nameif guanli
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
same-security-traffic permit inter-interface
access-list ICMP extended permit icmp any any //允许icmp数据包通过外网接口
access-list denywww extended permit ip 192.168.10.0 255.255.255.192 any //控制内网部分地址可以上internet
access-list no-nat extended permit ip 192.168.10.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list no-nat extended permit ip 192.168.9.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list mis_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0 //隧道分离配置
access-list ftp extended permit tcp any interface outside eq ftp //ftp服务器地址映射
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu dmz 1500
mtu inside 1500
mtu guanli 1500
ip local pool vpnclient 192.168.5.1-192.168.5.50 mask 255.255.255.0 //客户端ip地址池
icmp permit any dmz
icmp permit any inside
asdm image disk0:/asdm-508.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (dmz) 0 access-list no-nat
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (inside) 1 192.168.10.0 255.255.255.0
static (inside,outside) tcp interface ftp 192.168.10.4 ftp netmask 255.255.255.255
access-group ftp in interface outside //ftp服务器映射配置,应用到outside接口
access-group ICMP in interface dmz
access-group denywww in interface inside
route outside 0.0.0.0 0.0.0.0 218.107.xxx.xxx 1 //默认路由配置
route inside 192.168.9.0 255.255.255.0 192.168.9.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy mis internal //定义vpn客户端组策略
group-policy mis attributes
split-tunnel-policy tunnelspecified //启用隧道分离,且只有访问公司内网时才用。
split-tunnel-network-list value mis_splitTunnelAcl //隧道分离保护的数据
webvpn
username honyigroup password JGJnz3KpDlG3EiNK encrypted privilege 15
username elitek password 0EeiPx2DeaCfBhyF encrypted
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.10.19 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 guanli
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac //转换集的定义
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set myset //把转换集应用到动态加入密策略
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set reverse-route //设置路由反转
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map //动态加入密策略绑定到静定加密策略上。
crypto map outside_map interface outside //静态保密策略应用到outside接口
isakmp identity address
isakmp enable outside //isakmap策略用到outside口
isakmp enable inside
isakmp policy 10 authentication pre-share //定义isakmap策略
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
tunnel-group mis type ipsec-ra //设置通道类型为remote vpn类型
tunnel-group mis general-attributes //设置通道属性
address-pool vpnclient //地址池
default-group-policy mis //默认策略
tunnel-group mis ipsec-attributes
pre-shared-key * //共享密钥
telnet 192.168.10.0 255.255.255.0 inside //设置可以telnet 的IP
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 20
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
ssh version 1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 guanli
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable guanli
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
tftp-server inside 192.168.10.19 cisco/asa/asa_config
Cryptochecksum:5cc4c5a21352c4a85ebcb9c6facf26f5
: end
- asa 5510 remote vpn配置实例
- asa SSL-VPN配置
- 思科ASA防火墙VPN配置
- ASA Failover配置实例
- Cisco ASA Web VPN 配置详解
- Cisco ASA防火墙SSL VPN的配置
- GNS下ASA配置ipsec VPN 实验
- cisco ASA 5505 配置实例
- Cisco remote-access VPN (easy VPN)配置
- ASA-5510 上网配置
- ASA Remote VPN AD 账户验证失败解…
- Cisco ASA 5505配置(PAT, WEB SSL VPN)
- [Cisco技术]ASA配置failover实例
- Cisco easy vpn remote/server全配置
- asa v9.1(2) VPN
- cisco asa VPN v9.1
- Cisco VPN连接配置实例
- redundancy ipsec vpn配置实例
- error: ‘BYTE’ was not declared in this scope
- Cisco VPN Client 相关问题的解决办法
- 开发者需知的5条应用内测法则
- java.util.zip.Deflater引发的内存溢出
- Ubuntu的一些实用技巧
- asa 5510 remote vpn配置实例
- Spring框架概述
- Visual.Assist.X.V10.7.1908采用DLL覆盖破解技术. 新增了对VS2012的支持
- javascript validate
- 指针和数组的千丝万缕(三)
- C语言中如何将二维数组作为函数的参数传递
- iPhone开发 解析xml NSData xml
- Android 中如何得到字符的像素宽度
- WebBrowser控件处理url中文传值时不能转换
