Cisco Packet Tracer simulation: ASA5505 IPsec VPN lab


01 Topology:

[Topology figure: 640.png]

02 Lab objectives:

  • Verify how an IPsec VPN works
  • Verify the ASA 5505 IPsec VPN configuration procedure

03 Lab procedure


1.

Remove the existing DHCP configuration on both ASAs (the Packet Tracer ASA 5505 ships with a DHCP server enabled on inside; the command is dhcpd, not dhcp):

en
conf t
no dhcpd address 192.168.1.5-192.168.1.35 inside
no dhcpd enable inside
no dhcpd auto_config outside

2.

Define the VLAN interfaces on the ASAs (VLAN 1 = inside, security level 100; VLAN 2 = outside, security level 0).

ASA0:

int vlan 1
nameif inside
security-level 100
ip add 192.168.1.254 255.255.255.0
exit
int vlan 2
nameif outside
security-level 0
ip add 192.1.1.1 255.255.255.0
exit

ASA1:

int vlan 1
nameif inside
security-level 100
ip add 192.168.2.254 255.255.255.0
exit
int vlan 2
nameif outside
security-level 0
ip add 192.1.2.1 255.255.255.0
exit

3.

Configure an extended access list (packet filter) and apply it to an interface. The filter permits ICMP from the remote LAN to leave through the inside interface, i.e. the remote site's pings toward local hosts; without it the ASA drops traffic that arrived on the lower-security outside interface. On a real ASA, sysopt connection permit-vpn is on by default and exempts decrypted VPN traffic from interface ACLs; the lab applies the filter anyway.

ASA0:

access-list b-a extended permit icmp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group b-a out interface inside

ASA1:

access-list a-b extended permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-group a-b out interface inside

4.

Configure the crypto map. The crypto ACL selects the "interesting" traffic (local LAN to remote LAN) that gets encrypted. The peer must be the remote ASA's outside address, 192.1.2.1 seen from ASA0 and 192.1.1.1 seen from ASA1, the same addresses the tunnel groups in step 6 are named after; pointing the peer at the remote inside network (192.168.x.1) would never bring the tunnel up.

ASA0:

access-list a-b extended permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto ipsec ikev1 transform-set 121 esp-aes esp-sha-hmac
crypto map a-b 1 match address a-b
crypto map a-b 1 set peer 192.1.2.1
crypto map a-b 1 set security-association lifetime seconds 86400
crypto map a-b 1 set ikev1 transform-set 121
crypto map a-b interface outside

ASA1:

access-list b-a extended permit icmp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec ikev1 transform-set 121 esp-aes esp-sha-hmac
crypto map b-a 1 match address b-a
crypto map b-a 1 set peer 192.1.1.1
crypto map b-a 1 set security-association lifetime seconds 86400
crypto map b-a 1 set ikev1 transform-set 121
crypto map b-a interface outside

 

5.

Configure the IKEv1 (phase 1) policy. It must be identical on both sides; any mismatch in encryption, hash, DH group or authentication makes phase 1 fail. MD5 is kept here only because the lab uses it; on real equipment use SHA and a stronger DH group than group 2.

ASA0:

crypto ikev1 policy 1
encryption aes
hash md5
lifetime 86400
authentication pre-share
group 2
exit
crypto ikev1 enable outside

ASA1:

crypto ikev1 policy 1
encryption aes
hash md5
lifetime 86400
authentication pre-share
group 2
exit
crypto ikev1 enable outside

6.

Configure the tunnel group. For a site-to-site tunnel (type ipsec-l2l) the group name is the peer's outside address, and the pre-shared key must match on both ends. The key 1234 is a lab value only; use a long random pre-shared key anywhere real.

ASA0:

tunnel-group 192.1.2.1 type ipsec-l2l
tunnel-group 192.1.2.1 ipsec-attributes
ikev1 pre-shared-key 1234
exit

ASA1:

tunnel-group 192.1.1.1 type ipsec-l2l
tunnel-group 192.1.1.1 ipsec-attributes
ikev1 pre-shared-key 1234
exit


7.

Configure static routes. Each ASA is given a route to the remote LAN via the remote peer address, plus a host route to that peer via the Internet switch. The simpler, conventional form is a single route to the remote LAN via the directly connected next hop (192.1.1.2 on ASA0, 192.1.2.2 on ASA1); the crypto map then encapsulates the traffic toward the peer.

ASA0:

route outside 192.168.2.0 255.255.255.0 192.1.2.1
route outside 192.1.2.1 255.255.255.255 192.1.1.2

ASA1:

route outside 192.168.1.0 255.255.255.0 192.1.1.1
route outside 192.1.1.1 255.255.255.255 192.1.2.2

8.

Multilayer Switch0 configuration (simulating the Internet). The two SVIs sit on the ASAs' outside segments; ip routing is needed so that the switch forwards between VLAN 2 and VLAN 3 (without it the two ASAs cannot reach each other).

ip routing
vlan 2
name v2
vlan 3
name v3
int f0/1
switchport mode access
switchport access vlan 2
int f0/2
switchport mode access
switchport access vlan 3
int vlan 2
ip add 192.1.1.2 255.255.255.0
int vlan 3
ip add 192.1.2.2 255.255.255.0

This completes the lab.
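Steps 2 to 7 above are two mirror images of each other, and the mistakes that break a site-to-site tunnel are almost always a value that stopped being mirrored (peer address, tunnel-group name, crypto ACL direction, pre-shared key). The script below is an added example for this page, not code from the original post or from Cisco: it generates both ASAs' CLI from one description of the two sites and cross-checks the halves. The addresses are the lab's own; Site, asa_config(), check_pair(), SITE_A and SITE_B are this example's names. Two deliberate departures from the lab text: the IKE hash is sha instead of md5, and the return route points straight at the directly connected "Internet" hop.

```python
"""Mirrored ASA 5505 IKEv1 site-to-site configs generated from one topology
description, plus a cross-check that the two halves agree.  Added example for
the lab page, not Cisco's or the original author's code; addresses are the
lab's, everything else (names, hash sha, direct next-hop route) is this
example's choice.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    tag: str         # short label used to name the ACLs and crypto map
    inside_net: str  # inside LAN network address
    inside_ip: str   # ASA VLAN 1 (inside) address
    outside_ip: str  # ASA VLAN 2 (outside) address; this is what the peer dials
    next_hop: str    # "Internet" switch SVI on the outside segment


MASK = "255.255.255.0"
PSK = "1234"  # lab value only; use a long random secret on real gear


def asa_config(local: Site, remote: Site) -> list[str]:
    """ASA CLI (conf t mode) for `local` with `remote` as its IPsec peer."""
    crypto_acl, filter_acl = f"{local.tag}-{remote.tag}", f"{remote.tag}-{local.tag}"
    return [
        "interface vlan 1", " nameif inside", " security-level 100",
        f" ip address {local.inside_ip} {MASK}", "exit",
        "interface vlan 2", " nameif outside", " security-level 0",
        f" ip address {local.outside_ip} {MASK}", "exit",
        f"access-list {filter_acl} extended permit icmp {remote.inside_net} {MASK} {local.inside_net} {MASK}",
        f"access-group {filter_acl} out interface inside",  # step 3: remote pings may enter
        f"access-list {crypto_acl} extended permit icmp {local.inside_net} {MASK} {remote.inside_net} {MASK}",
        "crypto ipsec ikev1 transform-set 121 esp-aes esp-sha-hmac",
        f"crypto map {crypto_acl} 1 match address {crypto_acl}",
        f"crypto map {crypto_acl} 1 set peer {remote.outside_ip}",  # remote OUTSIDE address
        f"crypto map {crypto_acl} 1 set security-association lifetime seconds 86400",
        f"crypto map {crypto_acl} 1 set ikev1 transform-set 121",
        f"crypto map {crypto_acl} interface outside",
        "crypto ikev1 policy 1", " encryption aes", " hash sha", " lifetime 86400",
        " authentication pre-share", " group 2", "exit", "crypto ikev1 enable outside",
        f"tunnel-group {remote.outside_ip} type ipsec-l2l",  # L2L group = peer address
        f"tunnel-group {remote.outside_ip} ipsec-attributes",
        f" ikev1 pre-shared-key {PSK}", "exit",
        f"route outside {remote.inside_net} {MASK} {local.next_hop}",  # connected next hop
    ]


def _first(lines, pattern):
    # capture groups of the first line fully matching `pattern`, else None
    for ln in lines:
        m = re.fullmatch(pattern, ln.strip())
        if m:
            return m.groups()
    return None


def _outside_ip(lines):
    seen = False  # address configured right after `nameif outside`
    for ln in lines:
        s = ln.strip()
        seen = seen or s == "nameif outside"
        if seen and s.startswith("ip address "):
            return s.split()[2]
    return None


def check_pair(cfg_a, cfg_b):
    """Cross-check two generated or pasted configs; return mismatch descriptions."""
    problems, acls = [], {}
    for mine, theirs, who in ((cfg_a, cfg_b, "A"), (cfg_b, cfg_a, "B")):
        (peer,) = _first(mine, r"crypto map \S+ \d+ set peer (\S+)")
        if peer != _outside_ip(theirs):
            problems.append(f"{who}: peer {peer} is not the other side's outside address")
        (tg,) = _first(mine, r"tunnel-group (\S+) type ipsec-l2l")
        if tg != peer:
            problems.append(f"{who}: tunnel-group {tg} does not match peer {peer}")
        (name,) = _first(mine, r"crypto map \S+ \d+ match address (\S+)")
        acls[who] = _first(mine, rf"access-list {re.escape(name)} extended permit \S+ (\S+) \S+ (\S+) \S+")
    if acls["A"] != acls["B"][::-1]:  # crypto ACLs must be mirror images
        problems.append("crypto ACLs are not mirror images of each other")
    for label, pat in (("transform-set", r"crypto ipsec ikev1 transform-set \S+ (.+)"),
                       ("pre-shared key", r"ikev1 pre-shared-key (\S+)")):
        if _first(cfg_a, pat) != _first(cfg_b, pat):
            problems.append(f"{label} differs between the two sides")
    return problems


SITE_A = Site("a", "192.168.1.0", "192.168.1.254", "192.1.1.1", "192.1.1.2")
SITE_B = Site("b", "192.168.2.0", "192.168.2.254", "192.1.2.1", "192.1.2.2")

if __name__ == "__main__":
    asa0, asa1 = asa_config(SITE_A, SITE_B), asa_config(SITE_B, SITE_A)
    print("\n".join(asa0 + ["! ---- ASA1 ----"] + asa1))
    print(check_pair(asa0, asa1))  # [] when the two halves agree
```

Paste each half into the matching ASA in conf t mode (step 1 and the switch in step 8 are unchanged). check_pair also takes a configuration copied out of a running box, so it catches the kind of slip where the peer is typed as the remote inside address instead of its outside address. After a ping from a PC on 192.168.1.0/24 to one on 192.168.2.0/24, show crypto ikev1 sa and show crypto ipsec sa on either ASA should show the phase 1 SA and non-zero encaps/decaps counters.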

可以解答问题、推荐解决方案等