
ASA IPsec VPN configuration lab under GNS

2013-12-09 / General

Lab topology (the original figure ASA.jpg is not reproduced; the layout below is reconstructed from the configuration that follows):
PC1 (192.168.100.100) -- ASA1 (inside 192.168.100.1 / outside 211.1.1.1) -- internet router (211.1.1.2 / 222.1.1.2, loopbacks 100.100.100.100 and 200.200.200.200) -- ASA2 (outside 222.1.1.1 / inside 172.16.100.1) -- PC2 (172.16.100.100)

1. Basic configuration
PC1 configuration
Router>en
Router#conf t
Router(config)#hostname pc1  《== the hosts are simulated with routers
pc1(config)#interface e0/0
pc1(config-if)#ip address 192.168.100.100 255.255.255.0
pc1(config-if)#no shutdown
pc1(config-if)#ex
pc1(config)#ip route 0.0.0.0 0.0.0.0 192.168.100.1
pc1(config)#end
pc1#

PC2 configuration
Router>en
Router#conf t
Router(config)#hostname PC2
PC2(config)#interface e0/0
PC2(config-if)#ip address 172.16.100.100 255.255.255.0
PC2(config-if)#no shutdown
PC2(config)#ip route 0.0.0.0 0.0.0.0 172.16.100.1
PC2(config)#end
PC2#

internet router configuration
Router>en
Router#conf t
Router(config)#hostname internet
internet(config)#interface e0/0
internet(config-if)#ip address 211.1.1.2 255.255.255.0
internet(config-if)#no shutdown
internet(config-if)#exit
internet(config)#interface e0/1
internet(config-if)#ip address 222.1.1.2 255.255.255.0
internet(config-if)#no shutdown
internet(config-if)#exit
internet(config)#interface loopback 0
internet(config-if)#ip address 100.100.100.100 255.255.255.0
internet(config-if)#exit
internet(config)#interface loopback 1
internet(config-if)#ip address 200.200.200.200 255.255.255.0
internet(config-if)#exit
internet(config)#line vty 0 4  《== enable telnet so reachability can be tested
internet(config-line)#privilege level 15
internet(config-line)#no login

ASA1 configuration
ciscoasa> en
Password:
ciscoasa# conf t
ciscoasa(config)# hostname ASA1
ASA1(config)# interface e0/0  《== configure the outside interface
ASA1(config-if)# nameif outside
ASA1(config-if)# ip address 211.1.1.1 255.255.255.0
ASA1(config-if)# no shutdown
ASA1(config-if)# exit
ASA1(config)# interface e0/1  《== configure the inside interface
ASA1(config-if)# nameif inside
ASA1(config-if)# ip address 192.168.100.1 255.255.255.0
ASA1(config-if)# no shutdown
ASA1(config-if)# end

ASA2 configuration
ciscoasa> en
Password:
ciscoasa# conf t
ciscoasa(config)# hostname ASA2
ASA2(config)# interface e0/0
ASA2(config-if)# nameif outside
ASA2(config-if)# ip address 222.1.1.1 255.255.255.0
ASA2(config-if)# no shutdown
ASA2(config-if)# exit
ASA2(config)# interface e0/1
ASA2(config-if)# nameif inside
ASA2(config-if)# ip address 172.16.100.1 255.255.255.0
ASA2(config-if)# no shutdown
ASA2(config-if)# exit
ASA2(config)#

2. Routing, ACL and NAT configuration
ASA1 configuration
ASA1(config)# route outside 0 0 211.1.1.2 《== default route points to the ISP
ASA1(config)# global (outside) 1 interface 《== NAT for inside hosts going to the Internet (together with the next line)
ASA1(config)# nat (inside) 1 0 0
ASA1(config)# access-list out2in permit icmp any any  《== ACL from outside to inside: permit ICMP and the protocols the VPN needs (ESP, AH, ISAKMP)
ASA1(config)# access-list out2in permit esp host 222.1.1.1 host 211.1.1.1
ASA1(config)# access-list out2in permit ah host 222.1.1.1 host 211.1.1.1
ASA1(config)# access-list out2in permit udp host 222.1.1.1 host 211.1.1.1 eq isakmp
ASA1(config)# access-group out2in in interface outside 《== apply the ACL inbound on the outside interface

ASA2 configuration
ASA2(config)# route outside 0 0 222.1.1.2
ASA2(config)# global (outside) 1 interface
ASA2(config)# nat (inside) 1 0 0
ASA2(config)# access-list out2in permit icmp any any
ASA2(config)# access-list out2in permit esp host 211.1.1.1 host 222.1.1.1
ASA2(config)# access-list out2in permit ah host 211.1.1.1 host 222.1.1.1
ASA2(config)# access-list out2in permit udp host 211.1.1.1 host 222.1.1.1 eq isakmp
ASA2(config)# access-group out2in in interface outside

pc1#ping 100.100.100.100  《== PC1 can now ping and telnet to 100.100.100.100 on the internet router
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.100.100.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/21/56 ms
pc1#100.100.100.100
Trying 100.100.100.100 ... Open
internet#exit
[Connection to 100.100.100.100 closed by foreign host]
PC2#ping 100.100.100.100  《== PC2 can now also ping and telnet to 100.100.100.100 on the internet router
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.100.100.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/24/44 ms
PC2#100.100.100.100
Trying 100.100.100.100 ... Open
internet#exit
[Connection to 100.100.100.100 closed by foreign host]

3. VPN configuration and the rest
ASA1 configuration
ASA1(config)# access-list vpn permit ip 192.168.100.0 255.255.255.0 172.16.100.0 255.255.255.0 《== define the interesting traffic

ASA1(config)# nat (inside) 0 access-list vpn 《== exempt the interesting traffic from NAT
ASA1(config)# crypto isakmp policy 10 《== IKE phase 1 ISAKMP policy
ASA1(config-isakmp-policy)# authentication pre-share
ASA1(config-isakmp-policy)# encryption des
ASA1(config-isakmp-policy)# hash md5
ASA1(config-isakmp-policy)# lifetime 86400
ASA1(config-isakmp-policy)# group 2
ASA1(config)# crypto isakmp key 12345678 address 222.1.1.1
《== the pre-shared key is 12345678
ASA1(config)# crypto isakmp enable outside
ASA1(config)# crypto ipsec transform-set mytrans esp-des esp-md5-hmac
《== phase 2 IPsec transform set

ASA1(config)# crypto map vpn 10 ipsec-isakmp 《== configure the crypto map
ASA1(config)# crypto map vpn 10 match address vpn
ASA1(config)# crypto map vpn 10 set peer 222.1.1.1
ASA1(config)# crypto map vpn 10 set transform-set mytrans
ASA1(config)# crypto map vpn interface outside 《== apply the crypto map to the interface

ASA2 configuration 《== mirrors ASA1; the parameters on both sides must match
ASA2(config)#  access-list vpn permit ip 172.16.100.0 255.255.255.0 192.168.100.0 255.255.255.0
ASA2(config)#  nat (inside) 0 access-list vpn
ASA2(config)#
ASA2(config)#  crypto isakmp policy 10
ASA2(config-isakmp-policy)#  authentication pre-share
ASA2(config-isakmp-policy)#  encryption des
ASA2(config-isakmp-policy)#  hash md5
ASA2(config-isakmp-policy)#  lifetime 86400
ASA2(config-isakmp-policy)#  group 2
ASA2(config-isakmp-policy)#
ASA2(config-isakmp-policy)#  crypto isakmp key 12345678 address 211.1.1.1
ASA2(config)#  crypto isakmp enable outside
ASA2(config)#  crypto ipsec transform-set mytrans esp-des esp-md5-hmac
ASA2(config)#
ASA2(config)#  crypto map vpn 10 ipsec-isakmp
ASA2(config)#  crypto map vpn 10 match address vpn
ASA2(config)#  crypto map vpn 10 set peer 211.1.1.1
ASA2(config)#  crypto map vpn 10 set transform-set mytrans
ASA2(config)#  crypto map vpn interface outside
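Because the post stresses that the parameters on both sides must match, here is an added Python checker (not part of the original post) that parses the relevant lines of two ASA configs and reports any mismatch in the ISAKMP policy, transform set, peer and pre-shared-key address, or crypto ACL mirroring. The two configs are constructed from the ASA1/ASA2 snippets above through the hypothetical site_cfg() helper.

```python
import re
POLICY_ATTRS = ("authentication", "encryption", "hash", "group", "lifetime")

def site_cfg(outside_ip, local, remote, peer):
    """Constructed config in the post's shape, only the lines the checker reads."""
    return f"""nameif outside
ip address {outside_ip} 255.255.255.0
access-list vpn permit ip {local} {remote}
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
crypto isakmp key 12345678 address {peer}
crypto ipsec transform-set mytrans esp-des esp-md5-hmac
crypto map vpn 10 set peer {peer}"""

def parse_vpn_params(cfg):
    """Pull the site-to-site IPsec parameters out of one ASA config."""
    p, in_policy, cur_if = {"policy": set()}, False, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("crypto isakmp policy"):
            in_policy = True
        elif (in_policy := in_policy and line.partition(" ")[0] in POLICY_ATTRS):
            p["policy"].add(line)  # phase 1 attributes, compared as a set
        elif line.startswith("nameif "):
            cur_if = line.split()[1]
        elif line.startswith("ip address ") and cur_if == "outside":
            p["outside_ip"] = line.split()[2]
        elif m := re.match(r"access-list vpn permit ip (\S+ \S+) (\S+ \S+)$", line):
            p["local"], p["remote"] = m.group(1), m.group(2)
        elif m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
            p["key_peer"] = m.group(1)
        elif m := re.match(r"crypto ipsec transform-set \S+ (.+)", line):
            p["transform"] = m.group(1)
        elif m := re.match(r"crypto map \S+ \d+ set peer (\S+)", line):
            p["peer"] = m.group(1)
    return p

def check_pair(a, b):
    problems = [f"{k} differs" for k in ("policy", "transform") if a[k] != b[k]]
    for x, y, name in ((a, b, "site A"), (b, a, "site B")):  # check each direction
        if x["peer"] != y["outside_ip"] or x["key_peer"] != y["outside_ip"]:
            problems.append(f"{name}: peer/key address is not the other side's outside IP")
        if (x["local"], x["remote"]) != (y["remote"], y["local"]):
            problems.append(f"{name}: crypto ACL is not the mirror of the other side's")
    return problems  # empty list means the two sides agree
ASA1 = site_cfg("211.1.1.1", "192.168.100.0 255.255.255.0", "172.16.100.0 255.255.255.0", "222.1.1.1")
ASA2 = site_cfg("222.1.1.1", "172.16.100.0 255.255.255.0", "192.168.100.0 255.255.255.0", "211.1.1.1")
```

The des / md5 / group 2 values are copied from the lab so the checker can be run against its configs, not as recommended settings; on production ASAs they are deprecated, and the same check applies unchanged to stronger choices such as aes-256 / sha / group 14 on both ends.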

4. Verifying the configuration
pc1#ping 172.16.100.100       《== host 1 can ping host 2 on the branch LAN
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.100.100, timeout is 2 seconds:
.!!!!                         《== the first packet is lost; it triggers the VPN tunnel setup
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/34/48 ms
pc1#
ASA1# show crypto isakmp sa   《== the output below shows that the ISAKMP security association (SA) is established
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 222.1.1.1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

ASA1# show crypto ipsec sa 《== the output below shows that the IKE phase 2 IPsec SA is also up, with 4 packets encrypted and decrypted
interface: outside
    Crypto map tag: vpn, seq num: 10, local addr: 211.1.1.1
      access-list vpn permit ip 192.168.100.0 255.255.255.0 172.16.100.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.100.0/255.255.255.0/0/0)
      current_peer: 222.1.1.1
      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
《== 5 pings were sent and 4 were encrypted/decrypted; the first ping triggered the tunnel setup, so it was not encrypted
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 211.1.1.1, remote crypto endpt.: 222.1.1.1
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 18D04FD9
    inbound esp sas:
      spi: 0xA8F42FA1 (2834575265)
         transform: esp-des esp-md5-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: vpn
         sa timing: remaining key lifetime (kB/sec): (3824999/28782)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x18D04FD9 (416305113)
         transform: esp-des esp-md5-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: vpn
         sa timing: remaining key lifetime (kB/sec): (3824999/28782)
         IV size: 8 bytes
         replay detection support: Y
ASA1#
