Router-to-ASADynamicLAN-to-LAN×××1.拓扑2.步骤按照上图配置好各个路由器和ASA的接口,R1作为ISP路由器,R2外部接口使用DHCP动态获取IP地址。并配置好相应路
.
Router-to-ASA Dynamic LAN-to-LAN ×××
.
1.拓扑.. .. .
.
2.步骤..按照上图配置好各个路由器和ASA的接口,R1作为ISP路由器,R2外部接口使用DHCP动态获取IP地址。并配置好相应路由器的默认路由,基本配置不再写出。..1.在ASA上配置Dy L2L ×××:..ciscoasa(config)# crypto isakmp policy 1..ciscoasa(config-isakmp-policy)# en 3..ciscoasa(config-isakmp-policy)# ha s..ciscoasa(config-isakmp-policy)# au p..ciscoasa(config-isakmp-policy)# gr 2..ciscoasa(config-isakmp-policy)# ex..ciscoasa(config)# cry ipsec transform-set myset esp-3des esp-sha-hmac..ciscoasa(config)# crypto dynamic-map mydyn 1 set transform-set myset..ciscoasa(config)# crypto dynamic-map mydyn 1 set reverse-route..ciscoasa(config)# crypto map mymap 10 ipsec-isakmp dynamic mydyn..ciscoasa(config)# crypto map mymap interface outside..ciscoasa(config)# isakmp key cisco123 address 0 netmask 0..ciscoasa(config)# isakmp enable outside..ciscoasa(config)#..2.在R2上配置Dy L2L ×××:..R2(config)#crypto isakmp policy 1..R2(config-isakmp)#en 3..R2(config-isakmp)#au p..R2(config-isakmp)#ha s..R2(config-isakmp)#gr 2..R2(config-isakmp)#ex..R2(config)#cry isa key 0 cisco123 add 14.14.14.4..R2(config)#cry ipsec transform-set myset esp-3des esp-sha-hmac..R2(cfg-crypto-trans)#ex..R2(config)#access-list 100 per ip 26.26.26.0 0.0.0.255 45.45.45.0 0.0.0.255..R2(config)#cry map l2l 1 ipsec-isakmp..% NOTE: This new crypto map will remain disabled until a peer.. and a valid access list have been configured...R2(config-crypto-map)#set peer 14.14.14.4..R2(config-crypto-map)#set trans myset..R2(config-crypto-map)#match add 100..R2(config-crypto-map)#ex..R2(config)#int f0/0..R2(config-if)#cry map l2l..R2(config-if)#..*Oct 19 00:55:15.491: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON..R2(config-if)#..3.在R3上配置Dy L2L ×××:..R3(config)#crypto isakmp policy 1..R3(config-isakmp)#en 3..R3(config-isakmp)#au p..R3(config-isakmp)#ha s..R3(config-isakmp)#gr 2..R3(config-isakmp)#ex..R3(config)#cry isakmp key 0 cisco123 add 14.14.14.4..R3(config)#cry ipsec transf myset esp-3des esp-sha-hmac..R3(cfg-crypto-trans)#ex..R3(config)#access-list 100 per ip 37.37.37.0 0.0.0.255 45.45.45.0 0.0.0.255..R3(config)#cry map l2l 1 ipsec-isakmp..% NOTE: This new crypto map will remain disabled until a peer.. and a valid access list have been configured...R3(config-crypto-map)#set peer 14.14.14.4..R3(config-crypto-map)#set transf myset..R3(config-crypto-map)#match add 100..R3(config-crypto-map)#ex..R3(config)#int f1/0..R3(config-if)#cry map l2l..R3(config-if)#..*Mar 1 00:44:15.147: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON..R3(config-if)#..
3.验证..1.连通性达到预期要求:..R2#ping 14.14.14.4..Type escape sequence to abort...Sending 5, 100-byte ICMP Echos to 14.14.14.4, timeout is 2 seconds:..!!!!!..Success rate is 100 percent (5/5), round-trip min/avg/max = 24/65/212 ms..R2#ping 13.13.13.3..Type escape sequence to abort...Sending 5, 100-byte ICMP Echos to 13.13.13.3, timeout is 2 seconds:..!!!!!..Success rate is 100 percent (5/5), round-trip min/avg/max = 36/49/76 ms..R2#..2.先由spoke端(广州和北京)向hub端(上海)触发流量,才能建立IPSec ×××隧道:..R7#ping 45.45.45.5..Type escape sequence to abort...Sending 5, 100-byte ICMP Echos to 45.45.45.5, timeout is 2 seconds:.........Success rate is 0 percent (0/5)..R7#..R6#ping 45.45.45.5..Type escape sequence to abort...Sending 5, 100-byte ICMP Echos to 45.45.45.5, timeout is 2 seconds:.........Success rate is 0 percent (0/5)..R6#..3查看相关参数:..R3#show cry isakmp peer..R3#show cry isakmp sa..dst src state conn-id slot status..R3#..R2#show cry isakmp sa..IPv4 Crypto ISAKMP SA..dst src state conn-id slot status..IPv6 Crypto ISAKMP SA..R2#..ciscoasa(config)# show cry isakmp sa..There are no isakmp sas..ciscoasa(config)#..4实验未达到预期目的,经网上查阅资料,证实:在ASA模拟器上无法完整模拟..Router-to-ASA Dynamic LAN-to-LAN ×××。..5.此实验到此为止,以上×××配置应该是正确的,可以作为参考。..
广告