Cisco Packet Tracer模拟：ASA5505 IP Sec VPN实验-阿里云开发者社区

Cisco Packet Tracer模拟：ASA5505 IP Sec VPN实验

2022-12-17 835

版权

本文内容由阿里云实名注册用户自发贡献，版权归原作者所有，阿里云开发者社区不拥有其著作权，亦不承担相应法律责任。具体规则请查看《阿里云开发者社区用户服务协议》和《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容，填写侵权投诉表单进行举报，一经查实，本社区将立刻删除涉嫌侵权内容。

简介： Cisco Packet Tracer模拟：ASA5505 IP Sec VPN实验

01拓扑：

02实验目的：

验证 IP Sec VPN 工作过程
验证 ASA 5505 IP Sec VPN 配置过程

03实验过程

两个ASA上撤销已有的DHCP配置。

en
conf t
no dhcp address 192.168.1.5-192.168.1.35 inside
no dhcpd  enable  inside
no dhcpd  auto_config  outside

ASA上定义VLAN接口

ASA0:

int vlan 1
   nameif inside
   security-level 100
   ip add 192.168.1.254 255.255.255.0
   exit
int vlan 2
nameif outside
security-level 0
ip add 192.1.1.1 255.255.255.0
exit

ASA1:

int vlan 1
   nameif inside
   security-level 100
   ip add 192.168.2.254 255.255.255.0
   exit
int vlan 2
nameif outside
security-level 0
ip add 192.1.2.1 255.255.255.0
exit

配置扩展分组过滤器和作用接口

ASA0:

access-list  b-a extended  permit  icmp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group b-a out  interface inside

ASA1:

access-list  a-b extended  permit  icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-group a-b out  interface inside

配置加密映射：

ASA0

access-list a-b extended  permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto  ipsec ikev1 transform-set 121 esp-aes esp-sha-hmac
crypto map a-b 1 match address a-b
crypto map a-b 1 set peer 192.168.2.1
crypto map a-b 1  set security-association  lifetime seconds 86400
crypto  map a-b 1 set ikev1 transform-set 121
crypto map a-b interface outside

ASA1:

access-list b-a extended  permit icmp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto  ipsec ikev1 transform-set 121 esp-aes esp-sha-hmac
crypto map b-a 1 match address b-a
crypto map b-a 1 set peer 192.168.1.1
crypto map b-a 1  set security-association  lifetime seconds 86400
crypto  map b-a 1 set ikev1 transform-set 121
crypto map b-a interface outside

配置IKEv1策略

ASA0:

crypto ikev1 policy  1
encryption  aes
hash md5
lifetime 86400
authentication pre-share
group 2
exit
crypto ikev1 enable outside

ASA1:

crypto ikev1 policy  1
encryption  aes
hash md5
lifetime 86400
authentication pre-share
group 2
exit
crypto ikev1 enable outside

配置隧道

ASA0:

tunnel-group  192.1.2.1 type ipsec-l2l
tunnel-group  192.1.2.1 ipsec-attributes
ikev1 pre-shared-key 1234
exit

ASA1:

tunnel-group  192.1.1.1 type ipsec-l2l
tunnel-group  192.1.1.1 ipsec-attributes
ikev1 pre-shared-key 1234
exit

配置静态路由：

ASA0:

route outside 192.168.2.0 255.255.255.0 192.1.2.1
route outside  192.1.2.1 255.255.255.255 192.1.1.2

ASA1:

route outside 192.168.1.0 255.255.255.0 192.1.1.1
route outside  192.1.1.1 255.255.255.255 192.1.2.2

Multilayer Switch0配置（模拟Internet)：

vlan 2
name v2
vlan 3
name v3
int f0/1
sw mo ac
sw ac vl 2
int f0/2
sw mo ac
sw ac vl 3
int vlan 2
ip add 192.1.1.2 255.255.255.0
int vlan 3
ip add 192.1.2.2 255.255.255.0

至此实验完成

Cisco Packet Tracer模拟：ASA5505 IP Sec VPN实验

VPN网关

热门文章

最新文章

相关产品

相关课程

相关电子书