When building a VPN between two Cisco firewalls where one side has a non-fixed (dynamic) IP address, EZVPN is the usual choice. A site-to-site (L2L) IPsec tunnel can be used instead; it is more work to configure than EZVPN, but the result is a plain LAN-to-LAN tunnel with no client-mode quirks. The rule that makes it work: the side with the fixed IP cannot know the peer's address in advance, so it accepts the connection through a dynamic crypto map and the DefaultL2LGroup tunnel group, while the side with the dynamic IP carries an ordinary static crypto map pointing at the fixed address and must always be the one that brings the tunnel up.
Topology (as implied by the configurations below; the original diagram is not reproduced):
ASA1, fixed IP: outside 202.1.1.1/24 (default gateway 202.1.1.2), inside 192.168.1.0/24
ASA2, non-fixed IP: outside address assigned dynamically (default gateway 200.1.1.2), inside 172.16.1.0/24

Fixed IP address side:
ASA1 configuration:
interface Ethernet0/0
 nameif outside
 ip address 202.1.1.1 255.255.255.0
interface Ethernet0/1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
! Interesting traffic: local LAN to the remote LAN (also used for NAT exemption)
access-list S2S permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
! NAT (ASA 8.2 and earlier syntax): nat 0 exempts the VPN traffic, everything else is PAT'd to the outside address
global (outside) 1 interface
nat (inside) 0 access-list S2S
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 202.1.1.2 1
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
crypto ipsec transform-set JIAMI esp-3des esp-sha-hmac
! The peer's address is unknown in advance, so the fixed-IP side uses a dynamic crypto map;
! reverse-route installs a route for the remote LAN once the SA comes up
crypto dynamic-map dyn1 1 set transform-set JIAMI
crypto dynamic-map dyn1 1 set reverse-route
crypto map MAP 65535 ipsec-isakmp dynamic dyn1
crypto map MAP interface outside
! A peer whose address matches no tunnel-group of its own falls into DefaultL2LGroup
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key cisco
——————————————————————————————————————————————————
Non-fixed IP side:
ASA2 configuration:
! Outside address is assigned dynamically (assumed here: DHCP from the ISP, in 200.1.1.0/24 given the gateway used below)
interface Ethernet0/0
 nameif outside
 ip address dhcp
interface Ethernet0/1
 nameif inside
 ip address 172.16.1.1 255.255.255.0
! Mirror image of ASA1's interesting-traffic ACL
access-list S2S permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list S2S
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 200.1.1.2 1
! Sends the hostname rather than the (changing) address as the IKE identity; ASA1 has no
! tunnel-group for either, so it falls back to DefaultL2LGroup in both cases
crypto isakmp identity hostname
crypto isakmp enable outside
! Phase 1 policy must match ASA1's
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
crypto ipsec transform-set JIAMI esp-3des esp-sha-hmac
! This side knows the fixed peer's address, so it uses an ordinary static crypto map
! and is the only side that can initiate the tunnel
crypto map MAP 20 match address S2S
crypto map MAP 20 set peer 202.1.1.1
crypto map MAP 20 set transform-set JIAMI
crypto map MAP interface outside
tunnel-group 202.1.1.1 type ipsec-l2l
tunnel-group 202.1.1.1 ipsec-attributes
 pre-shared-key cisco
Two caveats before using this outside a lab. First, 3DES, SHA-1 and DH group 2 are shown only because that is what the original lab used; prefer AES, SHA-256 and group 14 or higher (and IKEv2 on ASA 8.4 and later). Second, with DefaultL2LGroup the pre-shared key is the entire authentication: any host that can reach ASA1's outside interface and knows the key can bring up a tunnel and, via reverse-route, inject a route for whatever proxy identity it proposes. Use a long random key, not "cisco", and keep the interesting-traffic ACL on ASA1 tight.
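The checks below are an added walkthrough for verifying the tunnel, not part of the original post; the inside hosts 172.16.1.10 and 192.168.1.10 are assumed for illustration, and the `!` lines are comments.

```cisco
! On ASA2 (the dynamic-IP side). Only this side can initiate, so first generate
! interesting traffic, e.g. ping 192.168.1.10 from a host on 172.16.1.0/24.
! packet-tracer confirms the flow hits the NAT exemption and the crypto map
! (look for a "VPN" phase with "Subtype: encrypt" in the output).
packet-tracer input inside icmp 172.16.1.10 8 0 192.168.1.10 detailed
! Phase 1: expect one SA with peer 202.1.1.1 in state MM_ACTIVE
show crypto isakmp sa
! Phase 2: the #pkts encaps / #pkts decaps counters should rise with traffic
show crypto ipsec sa peer 202.1.1.1
! If phase 1 never completes, watch the exchange on the initiator (mismatched
! policy or PSK shows up here); level 127 is verbose, so turn it off afterwards
debug crypto isakmp 127
undebug all

! On ASA1 (the fixed-IP side): the SA shows ASA2's current outside address,
! and reverse-route should have installed a route for 172.16.1.0/24 via outside
show crypto isakmp sa
show crypto ipsec sa
show route
show running-config tunnel-group DefaultL2LGroup
```

If `show crypto isakmp sa` on ASA1 shows the peer but `show route` has no 172.16.1.0/24 entry, the dynamic map is missing `set reverse-route`; if ASA2 shows MM_ACTIVE but no IPsec SA, the two S2S ACLs are not mirror images of each other.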
This article is original to 旋风网络; please credit the source when reposting. Thank you.

crypto map MAP 20 set peer 11.11.11.11
Where does this 11.11.11.11 come from?