cisco asa 5525 思科防火墙设置拨号访问内网以及外网
WZ-2A10-SAS5525-0938# show running-config
: Saved :
: Serial Number: FCH17307098
: Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(2)
!
hostname WZ-2A10-SAS5525-0938
enable password $sha512$5000$HztVSx0o3cSsFEoY7TKS8A==$lJrGN+VDV6hYZDCSxnx4SQ== pbkdf2
names
ip local pool vpnpool 10.254.232.1-10.254.232.254 mask 255.255.255.0
ip local pool idcicpvpnpool 192.168.41.100-192.168.41.199 mask 255.255.255.0 ######vpn本地地址池,自定义名字和ip段 !
interface GigabitEthernet0/0
description To:2A10-0457-G1/0/41
nameif outside ###定义为外部区域外网
security-level 0 ###level 0-100 ,值越大,区域代表越安全,这是外网区域所以是0
ip address 173.248.xxx.xx 255.255.xxx.xxx
!
interface GigabitEthernet0/1
description To:2A10-0457-G1/0/42
nameif inside ###定义为内部区域内网,
security-level 100
ip address 10.2.32.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management ###这是管理口,网线口
security-level 100
ip address 192.168.232.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit intra-interface ####默认防火墙是不允许同个接口(比如outside进outside出,会被定义为异常流量),这命令开启同个接口区域进出
object network in-net
subnet 10.2.32.0 255.255.255.248
object network remote-net1
object network vpn-net
subnet 10.254.232.0 255.255.255.0
object network idcicpvpn-net ###这些是nat地址段
subnet 192.168.41.0 255.255.255.0
access-list vpn-traffic standard permit 10.2.32.0 255.255.255.0
access-list topnet extended permit ip any host 10.2.32.2
access-list topnet extended permit ip any host 10.2.32.3
access-list topnet extended permit ip any host 10.2.32.4
access-list topnet extended permit icmp any any
access-list no-nat extended permit ip 10.2.32.0 255.255.255.0 192.168.41.0 255.255.255.0 ###创建兴趣流(即inside内网口访问vpn-pool地址池网段),对应到不做nat规则。相当于inside内网网段可以直接访问从vpn拨入进来的地址网段
pager lines 24
logging enable
logging timestamp
logging buffer-size 102400
logging buffered warnings
logging asdm informational
logging host outside 173.248.xxx.xxx ##这个地址设置和snmp一致
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static in-net in-net destination static vpn-net vpn-net route-lookup
nat (inside,outside) source static in-net in-net destination static idcicpvpn-net idcicpvpn-net route-lookup ###将之前定义的兴趣流设置为不NAT,这样才能保证正常访问内网网段,设置到这vpn拨号后获得vpn-pool地址池ip已经可以和inside内网通讯了
!
object network in-net
nat (inside,outside) dynamic interface
object network idcicpvpn-net
nat (outside,outside) dynamic interface ####需要拨号访问外网google的设置都是outside,进出都是外网。
access-group topnet in interface outside
route outside 0.0.0.0 0.0.0.0 173.248.xxx.xxx 1 ###这是默认路由
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
snmp-server host outside 173.248.xx.xx community ***** version 2c ###设置指定ip可以snmp
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set vpnset esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set idcicpvpnset esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map dymap 50000 set ikev1 transform-set vpnset
crypto dynamic-map dymap 50000 set security-association lifetime seconds 86400
crypto dynamic-map dymap 50000 set reverse-route
crypto dynamic-map idcicpdymap 50001 set ikev1 transform-set idcicpvpnset
crypto dynamic-map idcicpdymap 50001 set security-association lifetime seconds 86400 ###备默认配置
crypto dynamic-map idcicpdymap 50001 set reverse-route ###代表这个路由从哪里就从哪里去
crypto map vpnmap 10000 ipsec-isakmp dynamic dymap
crypto map vpnmap 10001 ipsec-isakmp dynamic idcicpdymap #### 静态map只能一个,不像上面动态地图随意创建,这边创建了vpnmap后,优先级ID为10,静态地图可对应多个动态的地图,设立不同优先级即可。
crypto map vpnmap interface outside ##将静态地图应用到出接口outside
crypto ca trustpool policy
crypto ikev1 enable outside ## 出接口使能ikev1(或者其他版本isakmp)
crypto ikev1 policy 10
authentication pre-share #### 认证方式预共享密钥
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 173.248.x.0 255.255.255.0 outside 设置指定段可以ssh远程
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 10
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy mygroup internal //隧道分离的策略,有三种,这里选择隧道指定分离
group-policy mygroup attributes
dns-server value 8.8.8.8
vpn-idle-timeout 720
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn-traffic //与前面acl列表匹配的流量,才会加入到VPN隧道中。
group-policy idcicpgrouppolicy internal ##建立组策略mygrouppolicy
group-policy idcicpgrouppolicy attributes
dns-server value 8.8.8.8 ###定义分配dns参数
vpn-idle-timeout 1800
split-tunnel-policy tunnelall ###设置隧道不分流,指所有流量j加入隧道,这个组策略用来上外网的,不同于另一个组策略mygroup
dynamic-access-policy-record DfltAccessPolicy
username test01 password $sha512$5000$fmWat2hp9BXoMCdrxH3O2g==$4P78z0G/ZPXZKTdVusCP3A== pbkdf2
username hydz01 password $sha512$5000$BwTlllmTZC6K7xQrHAAYyg==$gOgaxlaxp2q7BVD8t/l58w== pbkdf2
username admin password $sha512$5000$kVWg+pCWjCdGFWJ74Z+Uew==$2ra3lBuFlpAdEJjsxT0sIg== pbkdf2
username topdata password $sha512$5000$/LpLPZcYgLv9U0t4jI2yeA==$s1wfz4vTvKhj35NLgv7lxQ== pbkdf2 privilege 15
tunnel-group hangyidianzi type remote-access
tunnel-group hangyidianzi general-attributes
address-pool vpnpool
default-group-policy mygroup
tunnel-group hangyidianzi ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 300 retry 5
tunnel-group idcicpmygroup type remote-access ###创建隧道组
tunnel-group idcicpmygroup general-attributes
address-pool idcicpvpnpool ### 指定关联到之前定义的地址池
default-group-policy idcicpgrouppolicy ####默认组策略引用idcicpgrouppolicy
tunnel-group idcicpmygroup ipsec-attributes
ikev1 pre-shared-key ***** ###组密钥,登录的时候需要用到
isakmp keepalive threshold 301 retry 5
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:888d6f380050265e5c38fb64a5d4b5cb
: end
WZ-2A10-SAS5525-0938#
ASA5520 remote ipsec vpn配置 接口启用ISAKMP:
crypto isakmp enable outside
crypto isakmp enable outside2 创建ISAKMP策略:
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200 定义组策略1:
group-policy vpnclient_policy internal
group-policy vpnclient_policy attributes
dns-server value 10.75.131.65 219.148.204.66
group-lock value it@lncrland
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn-split-tunnel 定义组策略2:
group-policy ipsec_vpn_policy internal
group-policy ipsec_vpn_policy attributes
dns-server value 10.75.131.65 219.148.204.66
group-lock value lncrland
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn-split-tunnel 定义radius服务器:
aaa-server ipsec_vpn_auth protocol radius
aaa-server ipsec_vpn_auth (inside) host 10.75.131.199
key ***** 定义地址池:
ip local pool ipsec_vpn_pool 10.75.133.1-10.75.133.254 mask 255.255.254.0
ip local pool it_vpn_pool 10.75.132.101-10.75.132.255 mask 255.255.254.0 定义隧道分离内容:
access-list vpn-split-tunnel standard permit 172.17.0.0 255.255.0.0
access-list vpn-split-tunnel standard permit 172.16.0.0 255.255.0.0
access-list vpn-split-tunnel standard permit 10.0.0.0 255.0.0.0
access-list vpn-split-tunnel standard permit 192.200.40.0 255.255.255.0
access-list vpn-split-tunnel standard permit 172.20.0.0 255.255.0.0
access-list vpn-split-tunnel standard permit 172.18.0.0 255.255.0.0
access-list vpn-split-tunnel standard permit 172.19.0.0 255.255.0.0
access-list vpn-split-tunnel standard permit 172.21.0.0 255.255.0.0 定义隧道组(连接配置文件)1:
tunnel-group it@lncrland type remote-access
tunnel-group it@lncrland general-attributes
address-pool it_vpn_pool
authentication-server-group ipsec_vpn_auth LOCAL
default-group-policy vpnclient_policy
tunnel-group it@lncrland ipsec-attributes
pre-shared-key ***** 定义隧道组(连接配置文件)2:
tunnel-group lncrland type remote-access
tunnel-group lncrland general-attributes
address-pool ipsec_vpn_pool
authentication-server-group ipsec_vpn_auth LOCAL
default-group-policy ipsec_vpn_policy
tunnel-group lncrland ipsec-attributes
pre-shared-key *****
! 定义ipsec策略:
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac 定义动态加密集:
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
定义静态加密集:
crypto map mymap 1 ipsec-isakmp dynamic dyn1
应用静态加密集:
crypto map mymap interface outside
crypto map mymap interface outside2 排故命令:
show vpn-sessiondb detail
cisco asa 5525 思科防火墙设置拨号访问内网以及外网的更多相关文章
- mysql 设置服务器的MySQL允许远程访问/外网访问
设置服务器的MySQL允许远程访问/外网访问 https://blog.csdn.net/weixin_34232363/article/details/85889037
- 内网DMZ外网之间的访问规则
当规划一个拥有DMZ的网络时候,我们可以明确各个网络之间的访问关系,可以确定以下六条访问控制策略. 1.内网可以访问外网 内网的用户显然需要自由地访问外网.在这一策略中,防火墙需要进行源地址转换. 2 ...
- 内网IP外网IP的关联及访问互联网原理
首先解释一下“内网”与“外网”的概念: 内网:即所说的局域网,比如学校的局域网,局域网内每台计算机的IP地址在本局域网内具有互异性,是不可重复的.但两个局域网内的内网IP可以有相同的. 外网:即互联网 ...
- iptables内网地外网之间访问
环境:一台带外网和内网的机器,另一台只有内网,默认不能上网.两台机器都是centos系统带外网机器的外网ip为 123.221.20.11, 内网网关ip为 192.168.15.100内网机器的内网 ...
- Windows 设置内网和外网同时使用
想要电脑同时使用内网和外网必须具备两个网卡,一个是无线网卡一个是本地连接,无线网卡用来连接wifi也就是外网,而本地连接需要网线连接内网,外网是不需要做设置的,我们只需要设置内网即可,鼠标右击电脑右下 ...
- H3C SecPath U200-S 如何在内网使用外网IP地址访问内网服务器
H3C SecPath U200-S 如何在内网使用外网IP地址访问内网服务器 ------------------------------------------------------------ ...
- VirtualBox-- 虚拟机网络设置2--主机与虚拟机互相访问且均上外网
转载自:http://blog.sina.com.cn/s/blog_7de9d5d80100t2uw.html VirtualBox中有4中网络连接方式:NATBridged AdapterIn ...
- win10 双网卡设置内网和外网同时访问
当前环境是内网使用固定ip 用有线连接 外网自动获取使用wifi模块连接wifi cmd窗口下运行route print -4 打印路由信息 首先删除 所有0.0.0.0的路由,也就是默认设置 rou ...
- 浏览器 Proxy SwitchyOmega 插件设置代理访问内网服务器
使用Proxy SwitchyOmega 插件通过代理 直接访问到内网网站 一.使用场景 如下图所示,如果在电脑的网络设置中开启代理,每次更换代理就需要进入这里设置改变代理.且我们可能回需求到两个网页 ...
随机推荐
- 开发你的第一个NCS(Zephyr)应用程序
Nordic有2套并存的SDK:老的nRF5 SDK和新的NCS SDK,两套SDK相互独立,大家选择其中一套进行开发即可.一般而言,如果你选择的芯片是nRF51或者nRF52系列,那么推荐使用nRF ...
- python lambda表达式应用
在python中有两种函数,一种是通过def得到的函数,一种是匿名函数,也就是lambda表达式.语法格式如下: lambda argument_list:expersion 语法中的argument ...
- 小团队产品研发管理V0.0.1
序言 之前做研发的时候非常鄙视管理,觉得管理的那些人就知道搞政治,后来做了开发主管,以及到部门经理之后,管的人多了发现管理真是门大学问,真的应该每个人都要学习一些基本管理知识,特别是刚入社会的打工人. ...
- 使用maven创建java项目是,jdk的版本默认为1.5,如何修改为1.8
<build> <plugins> <plugin> <groupId>org.apache.maven.plugins</groupId> ...
- 解决在Filter中读取Request中的流后, 然后再Control中读取不到的做法
摘要: 大家知道, StringMVC中@RequestBody是读取的流的方式, 如果在之前有读取过流后, 发现就没有了. 我们来看一下核心代码: filter中主要做的事情, 就是来校验请求是否合 ...
- 如何解决Renesas USB3.0RootHub警告
打开WINDOWS系统的[计算机管理]-[服务和应用程序]-[服务]-点击[Portable Device Enumerator Service]服务,设置为启动类型:自动(延迟启动).并点击&quo ...
- .Net Core — 依赖注入
在.NET Core 中 依赖注入Dependency-Injection)作为基础知识,在.Net Core中无处不在:这么重要的知识接下来就了解和在.Net Core中使用. 一.依赖注入 说到依 ...
- (转) 增加 header 参数,spring boot + swagger2(springfox)
1 @Configuration 2 @EnableSwagger2 3 public class Swagger2 { 4 @Bean 5 public Docket createRestApi() ...
- Elasticsearch节点下线(退役)and unassigned shards
一.节点退役当集群中个别节点出现故障预警等情况,需要进行退役工作,即让所有位于该退役节点上的分片的数据分配到其他节点上后,再将此节点关闭并从集群中移除. 1.ES提供了让某个节点上所有数据都移走的功能 ...
- flume的一些使用
一.第一层采集通道的编写 1.第一层采集脚本Source的选择①Source: 数据源在日志文件中! 读取日志中的数据,可以使用以下Source ExecSource: 可以执行一个linux命令,例 ...