码迷,mamicode.com
首页 > 系统相关 > 详细

Ciscoasa ipsec ikev2

时间:2020-10-14 19:55:17      阅读:23      评论:0      收藏:0      [点我收藏+]

标签:protoc   end   公网   red   mat   mit   The   隧道   obj   

------------------IKEV2-----------------------------
1.基本上网配置
interfaceGigabitEthernet0 ---------配置外网口,定义接口
nameif outside
security-level 0
ip address 101.1.1.100 255.255.255.0
interfaceGigabitEthernet1 -----------配置内网扣,定义接口
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
2、定义object
object network inside_network -------------需要上互联网的sub
subnet 192.168.1.0 255.255.255.0
object network local_network ----------定义本端***网络
subnet 192.168.1.0 255.255.255.0
object network remote_network---------定义远端***网络
subnet 172.16.1.0 255.255.255.0
3、定义ACL
access-list 100 extended permit ip any any ------定义any any互联网ACL
access-list 110 extended permit ip object local_network object remote_network -----定义***感兴趣流量
4、配置NAT
objectnetwork inside_network -------配置PAT
nat (inside,outside) dynamic interface
access-group 100 in interface inside -------将ACL 100应用到inside接口
nat (inside,outside) source static local_network local_network destination static remote_network remote_network /拒绝***流量被NAT
5、配置默认路由
route outside 0.0.0.0 0.0.0.0 101.1.1.1
6、配置IPSEC-***
6.1 IPSEC-***第一阶段ike配置
crypto ikev2 policy 10 ---------定义ikev2策略
encryption aes-256
integrity sha256 md5
group 2
prf sha256 md5
lifetime seconds 86400

tunnel-group 201.1.1.100 type ipsec-l2l ------定义隧道,类型为ipsec-l2l
tunnel-group 201.1.1.100 ipsec-attributes
ikev2 remote-authentication pre-shared-key cisco ------配置预共享密钥为cisco
ikev2 local-authentication pre-shared-key cisco

6.2 IPSEC-***第二阶段ipsec配置
crypto ipsec ikev2 ipsec-proposal cisco -------定义ipsec转换集
protocol esp encryption aes-256
protocol esp integrity md5

6.3 定义map映射绑定策略与ipsec转换集
crypto map cisco 10 match address 110 -----定义crypto map,绑定***感兴趣流ACL 110
crypto map cisco 10 set peer 201.1.1.100-------指定peer对等体公网IP地址
crypto map cisco 10 set ikev2 ipsec-proposal cisco ------调用刚才创建的ipsec转换集
cryptomap cisco interface outside -------将map应用到outside接口

6.4 开启ikev2策略到outside接口
crypto ikev2 enable outside

Ciscoasa ipsec ikev2

标签:protoc   end   公网   red   mat   mit   The   隧道   obj   

原文地址:https://blog.51cto.com/13251917/2541562

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!