ASA 8.4(2) NAT-T IPsec ××× test

2023-04-22, Saturday / 0 comments / 0 likes / 73 reads / 4175 characters

1. Test topology:

[Topology diagram not reproduced; summarised from the configuration below]
R1 (Loopback0 1.1.1.1) -- 10.1.1.0/24 -- site1 firewall (Inside 10.1.1.10, Outside 202.100.1.1) -- 202.100.1.0/24 -- ASA (Outside 202.100.1.10, Inside 192.168.1.10) -- 192.168.1.0/24 -- R2 (Loopback0 2.2.2.2). The ASA performs PAT for R2, so the IPsec tunnel between the site1 firewall and R2 has to traverse that NAT using NAT-T (UDP 500 and UDP 4500).

2. Configuration:

A. R1:

① Interface configuration

interface Loopback0
ip address 1.1.1.1 255.255.255.0
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
no shut
② Route configuration
ip route 0.0.0.0 0.0.0.0 10.1.1.10
B. site1 firewall:

① Interface configuration
interface GigabitEthernet0
nameif Inside
security-level 100
ip address 10.1.1.10 255.255.255.0
no shut
interface GigabitEthernet1
nameif Outside
security-level 0
ip address 202.100.1.1 255.255.255.0
no shut
② Route configuration
route Outside 0.0.0.0 0.0.0.0 202.100.1.10 1
route Inside 1.1.1.0 255.255.255.0 10.1.1.1 1
③ IKEv1 phase 1 configuration
crypto ikev1 enable Outside
crypto ikev1 policy 10
authentication pre-share
encryption des
hash md5
group 2
tunnel-group 202.100.1.10 type ipsec-l2l
tunnel-group 202.100.1.10 ipsec-attributes
ikev1 pre-shared-key cisco
④ IKEv1 phase 2 configuration
crypto ipsec ikev1 transform-set transet esp-des esp-md5-hmac
⑤ Interesting traffic and crypto map configuration
access-list *** extended permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
crypto map crymap 10 match address ***
crypto map crymap 10 set peer 202.100.1.10
crypto map crymap 10 set ikev1 transform-set transet
crypto map crymap interface Outside
C. ASA firewall (the NAT device in front of R2):

① Interface configuration

interface GigabitEthernet0
nameif Inside
security-level 100
ip address 192.168.1.10 255.255.255.0
no shut
interface GigabitEthernet1
nameif Outside
security-level 0
ip address 202.100.1.10 255.255.255.0
no shut
! Route configuration. Note: in this topology no default route via the Outside interface is required, because the peer 202.100.1.1 is on the directly connected 202.100.1.0/24 network.
route Inside 2.2.2.0 255.255.255.0 192.168.1.1 1
② Dynamic PAT configuration
object network patnet1
subnet 2.2.2.0 255.255.255.0
nat (Inside,Outside) dynamic interface
object network patnet2
subnet 192.168.1.0 255.255.255.0
nat (Inside,Outside) dynamic interface

③ Static PAT configuration (so that IKE on UDP 500 and NAT-T on UDP 4500 initiated by the site1 firewall can reach R2 through the PAT)
object network site2
host 192.168.1.1
object service udp500
service udp destination eq isakmp
object service udp4500
service udp destination eq 4500
nat (Inside,Outside) source static site2 interface service udp500 udp500
nat (Inside,Outside) source static site2 interface service udp4500 udp4500
④ Access control list configuration (from ASA 8.3 onwards the ACL references the real address, hence object site2 rather than the Outside interface address)
access-list outside extended permit icmp any any
access-list outside extended permit udp host 202.100.1.1 object site2 eq isakmp
access-list outside extended permit udp host 202.100.1.1 object site2 eq 4500
access-group outside in interface Outside
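To make the order of operations on the ASA concrete, the following is an added example (not code from the post or from Cisco) that models, in Python, how the ASA above handles a new flow: an inbound Outside-to-Inside packet is first untranslated through the section 1 static PAT entries and only then checked against access-list outside on the real address, while an outbound packet from R2's UDP 500/4500 hits the static PAT (section 1) before the dynamic interface PAT (section 2). The addresses, ports and ACL entries are those of the configuration above; the packets, the `Packet` class and the `pool_port` argument (standing in for whatever mapped port the ASA would allocate from its PAT pool) are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of the NAT and ACL lookup on the ASA in front of R2 (added example, not Cisco code).
# Addresses, ports and ACL entries are taken from the configuration above; packets are constructed.


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"


OUTSIDE_IF_IP = "202.100.1.10"   # Outside interface address, used as the PAT address
SITE2_HOST = "192.168.1.1"       # object network site2 (R2)

# Section 1 (twice NAT, "nat (Inside,Outside) source static site2 interface service ..."):
# mapped (ip, port) -> real (ip, port). Only UDP 500 and 4500 are reachable from Outside.
STATIC_PAT = {
    (OUTSIDE_IF_IP, 500): (SITE2_HOST, 500),
    (OUTSIDE_IF_IP, 4500): (SITE2_HOST, 4500),
}

# Section 2 (object NAT, "nat (Inside,Outside) dynamic interface"): outbound-only dynamic PAT.
DYNAMIC_PAT_NETS = [ip_network("2.2.2.0/24"), ip_network("192.168.1.0/24")]

# access-list outside, in order. Since ASA 8.3 an interface ACL matches the real
# (untranslated) address, which is why the entries reference object site2.
ACL_OUTSIDE = [
    # (action, proto, src host or None for any, dst host or None for any, dst port or None)
    ("permit", "icmp", None, None, None),
    ("permit", "udp", "202.100.1.1", SITE2_HOST, 500),
    ("permit", "udp", "202.100.1.1", SITE2_HOST, 4500),
]


def acl_permits(pkt: Packet) -> bool:
    """First-match evaluation with the implicit deny at the end of the list."""
    for action, proto, src, dst, dport in ACL_OUTSIDE:
        if proto != pkt.proto:
            continue
        if src is not None and src != pkt.src_ip:
            continue
        if dst is not None and dst != pkt.dst_ip:
            continue
        if dport is not None and dport != pkt.dst_port:
            continue
        return action == "permit"
    return False


def inbound(pkt: Packet):
    """New Outside->Inside flow: untranslate via static PAT first, then apply the ACL to the real address."""
    real = STATIC_PAT.get((pkt.dst_ip, pkt.dst_port)) if pkt.proto == "udp" else None
    if real is None:
        return ("drop", "no static translation for the mapped destination")
    real_pkt = Packet(pkt.src_ip, pkt.src_port, real[0], real[1], pkt.proto)
    if not acl_permits(real_pkt):
        return ("drop", "denied by access-list outside")
    return ("forward", real_pkt)


def outbound(pkt: Packet, pool_port: int):
    """Inside->Outside flow: section 1 static PAT is consulted before section 2 dynamic PAT.

    pool_port stands in for the mapped port the ASA would allocate from its PAT pool (constructed)."""
    for (m_ip, m_port), (r_ip, r_port) in STATIC_PAT.items():
        if pkt.proto == "udp" and (pkt.src_ip, pkt.src_port) == (r_ip, r_port):
            return Packet(m_ip, m_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
    if any(ip_address(pkt.src_ip) in net for net in DYNAMIC_PAT_NETS):
        return Packet(OUTSIDE_IF_IP, pool_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
    return None  # no NAT rule matched; does not occur for the subnets in this topology


if __name__ == "__main__":
    print(inbound(Packet("202.100.1.1", 500, OUTSIDE_IF_IP, 500)))
    print(inbound(Packet("203.0.113.5", 500, OUTSIDE_IF_IP, 500)))
    print(outbound(Packet(SITE2_HOST, 4500, "202.100.1.1", 4500), 10001))
```

Running the block shows the three cases that matter for the test: IKE from the site1 firewall to 202.100.1.10:500 is untranslated to 192.168.1.1:500 and permitted, the same packet from any other source is untranslated but then denied by the ACL, and R2's own UDP 4500 traffic leaves with its source port preserved because the static entry wins over the dynamic interface PAT.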
D. R2:

① Interface configuration

interface Loopback0
ip address 2.2.2.2 255.255.255.0
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
no shut
② Route configuration
ip route 0.0.0.0 0.0.0.0 192.168.1.10
③ Phase 1 configuration
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 202.100.1.1
④ Phase 2 configuration
crypto ipsec transform-set transet esp-des esp-md5-hmac
⑤ Interesting traffic and crypto map configuration
ip access-list extended ***
permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
crypto map crymap 10 ipsec-isakmp
set peer 202.100.1.1
set transform-set transet
match address ***
!
interface FastEthernet0/0
crypto map crymap
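Neither side in this configuration is told explicitly that a NAT sits between them; both peers discover it during IKEv1 phase 1 through the RFC 3947 NAT-D payloads, and that discovery is what makes the UDP 4500 static PAT and ACL entries on the ASA necessary. The following added example (not from the post, not Cisco code) computes the NAT-D values for the topology above using the phase-1 hash both policies negotiate (MD5): each NAT-D is HASH(CKY-I | CKY-R | IP | Port), a peer sends one for the destination address it sees and one for its own source address, and the receiver compares them with the addresses it sees on the packet. The initiator/responder cookies are constructed; the `simulate` function assumes R2 initiates the negotiation.

```python
import hashlib
import socket
import struct

# Added example (not from the page or Cisco): RFC 3947 NAT-D computation for the topology above.
# Cookies are constructed; the hash is MD5 because both phase-1 policies use "hash md5".


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_name: str = "md5") -> bytes:
    """NAT-D payload value: HASH(CKY-I | CKY-R | IP | Port); IPv4 address as 4 bytes, port as 2 bytes big-endian."""
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def build_nat_d(cky_i, cky_r, peer_ip, peer_port, own_ip, own_port):
    """A peer sends the NAT-D for the destination address it sees first, then one for its own source address."""
    return [nat_d_hash(cky_i, cky_r, peer_ip, peer_port),
            nat_d_hash(cky_i, cky_r, own_ip, own_port)]


def detect(cky_i, cky_r, received, my_ip, my_port, pkt_src_ip, pkt_src_port):
    """Receiver's view: (i_am_behind_nat, peer_is_behind_nat).

    The first received hash must match the receiver's own address; one of the remaining hashes
    must match the source address seen on the packet. Any mismatch means a NAT rewrote that side."""
    i_am_behind_nat = nat_d_hash(cky_i, cky_r, my_ip, my_port) != received[0]
    peer_is_behind_nat = nat_d_hash(cky_i, cky_r, pkt_src_ip, pkt_src_port) not in received[1:]
    return i_am_behind_nat, peer_is_behind_nat


def simulate():
    """Walk the NAT-D exchange between R2 (behind the ASA's PAT) and the site1 firewall."""
    cky_i = bytes.fromhex("0011223344556677")  # constructed initiator cookie
    cky_r = bytes.fromhex("8899aabbccddeeff")  # constructed responder cookie

    # R2 (192.168.1.1) initiates towards site1 (202.100.1.1); it only knows its private address.
    from_r2 = build_nat_d(cky_i, cky_r, "202.100.1.1", 500, "192.168.1.1", 500)
    # After the ASA's static PAT the packet reaches site1 from 202.100.1.10:500.
    site1_view = detect(cky_i, cky_r, from_r2, "202.100.1.1", 500, "202.100.1.10", 500)

    # site1 replies to the address it sees (202.100.1.10:500); the ASA untranslates it to R2.
    from_site1 = build_nat_d(cky_i, cky_r, "202.100.1.10", 500, "202.100.1.1", 500)
    r2_view = detect(cky_i, cky_r, from_site1, "192.168.1.1", 500, "202.100.1.1", 500)

    # A NAT detected on either side moves IKE and the UDP-encapsulated ESP to port 4500.
    nat_present = any(site1_view) or any(r2_view)
    return site1_view, r2_view, 4500 if nat_present else 500


if __name__ == "__main__":
    print(simulate())
```

The result shows the asymmetry the configuration has to cater for: the site1 firewall concludes that its peer is behind a NAT, R2 concludes that it is the one behind a NAT, and both then float to UDP 4500. Without the `udp4500` static PAT and the matching ACL entry on the ASA, the exchange would succeed on UDP 500 and then fail as soon as the peers switch ports.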
