1. Problem:
2. Test
① Test topology:
② Basic configuration:
R1:
interface FastEthernet1/0
ip address 10.1.1.1 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.10
R2:
interface FastEthernet1/0
ip address 202.100.1.2 255.255.255.0
no shut
interface FastEthernet0/0
ip address 209.165.201.2 255.255.255.0
no shut
interface FastEthernet0/1
ip address 202.100.2.2 255.255.255.0
no shut
R3:
interface FastEthernet0/0
ip address 209.165.201.10 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 209.165.201.2
ASA:
interface Ethernet0/0
nameif inside
security-level 100
ip address 10.1.1.10 255.255.255.0
no shut
interface Ethernet0/1
nameif outside
security-level 0
ip address 202.100.1.10 255.255.255.0
no shut
route outside 0 0 202.100.1.2
policy-map global_policy
class inspection_default
inspect icmp
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
③ ASA EzVPN configuration:
A. Phase 1:
crypto isakmp policy 10
authen pre
enc 3de
has md
grou 2
exit
crypto isakmp enable outside
B. Phase 1.5:
ip local pool ezvpn-pool 192.168.1.1-192.168.1.254
tunnel-group ezgroup type remote-access
tunnel-group ezgroup general-attributes
address-pool ezvpn-pool
exit
tunnel-group ezgroup ipsec-attributes
pre-shared-key cisco
username ccsp password ccsp
C. Phase 2:
crypto ipsec transform-set transet esp-des esp-md5-hmac
D. Crypto map:
crypto dynamic-map dymap 10 set transform-set transet
crypto map crymap 10 ipsec-isakmp dynamic dymap
E. Apply the crypto map:
ASA(config)# crypto map crymap interface outside
F. Configure NAT exemption:
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
G. Following the answer to the problem, permit traffic between hosts on the same interface and configure PAT:
same-security-traffic permit intra-interface
global (outside) 1 202.100.1.11
nat (outside) 1 192.168.1.0 255.255.255.0
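An added example, not part of the original post: a small Python check that reads ASA configuration text and reports legacy crypto settings (DES, 3DES, MD5, DH groups 1 and 2), resolving abbreviated commands such as "enc 3de" and "has md" the way the CLI does, since a plain text search for "3des" or "md5" would miss them. The sample is constructed from the phase 1 and phase 2 lines above; the function names, the value lists and the choice of what counts as legacy are assumptions of this example.

```python
# Constructed sample: the phase 1 and phase 2 lines from the configuration above.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
authen pre
enc 3de
has md
grou 2
exit
crypto isakmp enable outside
crypto ipsec transform-set transet esp-des esp-md5-hmac
"""

# Sub-commands of an ISAKMP policy and the values this example knows (a subset).
SUBCOMMANDS = ["authentication", "encryption", "hash", "group", "lifetime"]
VALUES = {"encryption": ["des", "3des", "aes", "aes-192", "aes-256"],
          "hash": ["md5", "sha"], "group": ["1", "2", "5"]}
# Assumption of this example: which values count as legacy.
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac"}


def expand(token, candidates):
    """Resolve a CLI abbreviation to the one keyword it prefixes, else None."""
    token = token.lower()
    if token in candidates:
        return token
    hits = [c for c in candidates if c.startswith(token)]
    return hits[0] if len(hits) == 1 else None


def audit(config):
    """Return (line_number, setting) for every legacy crypto setting found."""
    findings, in_policy = [], False
    for number, line in enumerate(config.splitlines(), 1):
        words = line.lower().split()
        if words[:3] == ["crypto", "isakmp", "policy"]:
            in_policy = True
        elif words[:3] == ["crypto", "ipsec", "transform-set"]:
            in_policy = False
            findings += [(number, t) for t in words[4:] if t in WEAK_TRANSFORMS]
        elif in_policy and words:
            key = expand(words[0], SUBCOMMANDS)
            in_policy = key is not None  # "exit" or a new command ends the block
            known = key in VALUES and len(words) > 1
            value = expand(words[1], VALUES[key]) if known else None
            if value in WEAK.get(key, ()):
                findings.append((number, f"{key} {value}"))
    return findings
```

Calling audit(SAMPLE_CONFIG) returns the line number and the canonical form of each legacy setting, so an abbreviated "enc 3de" is reported as "encryption 3des".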
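④ PC EzVPN client configuration:
A. Dial in; after entering the username and password, the connection succeeds:
B. The internal host R1 can be pinged:
C. The Internet host can also be pinged:
D. The debug output on R3 shows that address translation has taken place: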
R3#
*Mar 1 00:02:14.559: ICMP: echo reply sent, src 209.165.201.10, dst 202.100.1.11
*Mar 1 00:02:15.559: ICMP: echo reply sent, src 209.165.201.10, dst 202.100.1.11
R3#
*Mar 1 00:02:16.567: ICMP: echo reply sent, src 209.165.201.10, dst 202.100.1.11
*Mar 1 00:02:17.563: ICMP: echo reply sent, src 209.165.201.10, dst 202.100.1.11
R3#
This article is reposted from 碧云天's 51CTO blog. Original link: http://blog.51cto.com/333234/958557. To repost it, please contact the original author.