WZ-2A10-SAS5525-0938# show running-config
: Saved :
: Serial Number: FCH17307098
: Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(2)
!
hostname WZ-2A10-SAS5525-0938
enable password $sha512$5000$HztVSx0o3cSsFEoY7TKS8A==$lJrGN+VDV6hYZDCSxnx4SQ== pbkdf2
names
ip local pool vpnpool 10.254.232.1-10.254.232.254 mask 255.255.255.0
ip local pool idcicpvpnpool 192.168.41.100-192.168.41.199 mask 255.255.255.0 ###### VPN local address pool; the name and IP range are your own choice
!
interface GigabitEthernet0/0
description To:2A10-0457-G1/0/41
nameif outside ### defines the outside zone (Internet-facing)
security-level 0 ### level 0-100; the higher the value, the more trusted the zone. This is the outside zone, so it is 0
ip address 173.248.xxx.xx 255.255.xxx.xxx
!
interface GigabitEthernet0/1
description To:2A10-0457-G1/0/42
nameif inside ### defines the inside zone (internal network)
security-level 100
ip address 10.2.32.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management ### this is the management port (dedicated Ethernet port)
security-level 100
ip address 192.168.232.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit intra-interface #### by default the firewall does not allow traffic to enter and leave on the same interface (e.g. in via outside and out via outside is treated as anomalous traffic); this command permits traffic to enter and exit the same interface zone
object network in-net
subnet 10.2.32.0 255.255.255.248
object network remote-net1
object network vpn-net
subnet 10.254.232.0 255.255.255.0
object network idcicpvpn-net ### these are the NAT address ranges
subnet 192.168.41.0 255.255.255.0
access-list vpn-traffic standard permit 10.2.32.0 255.255.255.0
access-list topnet extended permit ip any host 10.2.32.2
access-list topnet extended permit ip any host 10.2.32.3
access-list topnet extended permit ip any host 10.2.32.4
access-list topnet extended permit icmp any any
access-list no-nat extended permit ip 10.2.32.0 255.255.255.0 192.168.41.0 255.255.255.0 ### defines the interesting traffic (the inside network reaching the vpn-pool subnet) that the no-NAT rule applies to; in effect the inside subnet can reach the addresses of clients that dial in over the VPN directly
pager lines 24
logging enable
logging timestamp
logging buffer-size 102400
logging buffered warnings
logging asdm informational
logging host outside 173.248.xxx.xxx ## this address is the same one used for snmp
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static in-net in-net destination static vpn-net vpn-net route-lookup
nat (inside,outside) source static in-net in-net destination static idcicpvpn-net idcicpvpn-net route-lookup ### exempts the interesting traffic defined above from NAT, which is required for normal access to the inside subnet; at this point a client that dials in and receives an address from the vpn-pool can already talk to the inside network
!
object network in-net
nat (inside,outside) dynamic interface
object network idcicpvpn-net
nat (outside,outside) dynamic interface #### this is the setting for clients that dial in to reach the Internet (e.g. Google): both ingress and egress are on outside
access-group topnet in interface outside
route outside 0.0.0.0 0.0.0.0 173.248.xxx.xxx 1 ### this is the default route
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
snmp-server host outside 173.248.xx.xx community ***** version 2c ### allows SNMP only from the specified IP
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set vpnset esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set idcicpvpnset esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map dymap 50000 set ikev1 transform-set vpnset
crypto dynamic-map dymap 50000 set security-association lifetime seconds 86400
crypto dynamic-map dymap 50000 set reverse-route
crypto dynamic-map idcicpdymap 50001 set ikev1 transform-set idcicpvpnset
crypto dynamic-map idcicpdymap 50001 set security-association lifetime seconds 86400 ### kept at the default
crypto dynamic-map idcicpdymap 50001 set reverse-route ### reverse route injection: return traffic goes back out the way it came in
crypto map vpnmap 10000 ipsec-isakmp dynamic dymap
crypto map vpnmap 10001 ipsec-isakmp dynamic idcicpdymap #### only one static map is allowed, unlike the dynamic maps above, which can be created freely; the static map vpnmap created here has priority ID 10, and a static map can reference several dynamic maps, each under a different priority
crypto map vpnmap interface outside ## applies the static map to the egress interface outside
crypto ca trustpool policy
crypto ikev1 enable outside ## enables IKEv1 (or another ISAKMP version) on the egress interface
crypto ikev1 policy 10
authentication pre-share #### authentication by pre-shared key
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 173.248.x.0 255.255.255.0 outside ### allows remote SSH only from the specified subnet
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 10
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy mygroup internal // split-tunnel policy; there are three options, and tunnelspecified is chosen here
group-policy mygroup attributes
dns-server value 8.8.8.8
vpn-idle-timeout 720
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn-traffic // only traffic matching the ACL above is sent into the VPN tunnel
group-policy idcicpgrouppolicy internal ## creates the group policy mygrouppolicy
group-policy idcicpgrouppolicy attributes
dns-server value 8.8.8.8 ### defines the DNS parameter handed out to clients
vpn-idle-timeout 1800
split-tunnel-policy tunnelall ### no split tunnelling: all traffic goes into the tunnel; this group policy is for Internet access, unlike the other group policy mygroup
dynamic-access-policy-record DfltAccessPolicy
username test01 password $sha512$5000$fmWat2hp9BXoMCdrxH3O2g==$4P78z0G/ZPXZKTdVusCP3A== pbkdf2
username hydz01 password $sha512$5000$BwTlllmTZC6K7xQrHAAYyg==$gOgaxlaxp2q7BVD8t/l58w== pbkdf2
username admin password $sha512$5000$kVWg+pCWjCdGFWJ74Z+Uew==$2ra3lBuFlpAdEJjsxT0sIg== pbkdf2
username topdata password $sha512$5000$/LpLPZcYgLv9U0t4jI2yeA==$s1wfz4vTvKhj35NLgv7lxQ== pbkdf2 privilege 15
tunnel-group hangyidianzi type remote-access
tunnel-group hangyidianzi general-attributes
address-pool vpnpool
default-group-policy mygroup
tunnel-group hangyidianzi ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 300 retry 5
tunnel-group idcicpmygroup type remote-access ### creates the tunnel group
tunnel-group idcicpmygroup general-attributes
address-pool idcicpvpnpool ### binds the address pool defined earlier
default-group-policy idcicpgrouppolicy #### the default group policy references idcicpgrouppolicy
tunnel-group idcicpmygroup ipsec-attributes
ikev1 pre-shared-key ***** ### group key, required when clients log in
isakmp keepalive threshold 301 retry 5
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:888d6f380050265e5c38fb64a5d4b5cb
: end
WZ-2A10-SAS5525-0938#

ASA5520 remote IPsec VPN configuration

Enable ISAKMP on the interfaces:
crypto isakmp enable outside
crypto isakmp enable outside2

Create the ISAKMP policy:
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200

Define group policy 1:
group-policy vpnclient_policy internal
group-policy vpnclient_policy attributes
dns-server value 10.75.131.65 219.148.204.66
group-lock value it@lncrland
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn-split-tunnel

Define group policy 2:
group-policy ipsec_vpn_policy internal
group-policy ipsec_vpn_policy attributes
dns-server value 10.75.131.65 219.148.204.66
group-lock value lncrland
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn-split-tunnel

Define the RADIUS server:
aaa-server ipsec_vpn_auth protocol radius
aaa-server ipsec_vpn_auth (inside) host 10.75.131.199
key *****

Define the address pools:
ip local pool ipsec_vpn_pool 10.75.133.1-10.75.133.254 mask 255.255.254.0
ip local pool it_vpn_pool 10.75.132.101-10.75.132.255 mask 255.255.254.0

Define the split-tunnel networks:
access-list vpn-split-tunnel standard permit 172.17.0.0 255.255.0.0
access-list vpn-split-tunnel standard permit 172.16.0.0 255.255.0.0
access-list vpn-split-tunnel standard permit 10.0.0.0 255.0.0.0
access-list vpn-split-tunnel standard permit 192.200.40.0 255.255.255.0
access-list vpn-split-tunnel standard permit 172.20.0.0 255.255.0.0
access-list vpn-split-tunnel standard permit 172.18.0.0 255.255.0.0
access-list vpn-split-tunnel standard permit 172.19.0.0 255.255.0.0
access-list vpn-split-tunnel standard permit 172.21.0.0 255.255.0.0

Define tunnel group (connection profile) 1:
tunnel-group it@lncrland type remote-access
tunnel-group it@lncrland general-attributes
address-pool it_vpn_pool
authentication-server-group ipsec_vpn_auth LOCAL
default-group-policy vpnclient_policy
tunnel-group it@lncrland ipsec-attributes
pre-shared-key *****

Define tunnel group (connection profile) 2:
tunnel-group lncrland type remote-access
tunnel-group lncrland general-attributes
address-pool ipsec_vpn_pool
authentication-server-group ipsec_vpn_auth LOCAL
default-group-policy ipsec_vpn_policy
tunnel-group lncrland ipsec-attributes
pre-shared-key *****
!

Define the IPsec policy:
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac

Define the dynamic crypto map:
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route

Define the static crypto map:
crypto map mymap 1 ipsec-isakmp dynamic dyn1

Apply the static crypto map:
crypto map mymap interface outside
crypto map mymap interface outside2

Troubleshooting command:
show vpn-sessiondb detail
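As an added example (not part of the original post), a small Python audit that scans an ASA running-config in the shape of the two listings above and flags the settings a reviewer would raise: 3DES/MD5 transform sets and IKEv1 policies, DH group 2, the dh-group1-sha1 SSH key exchange and an any-source ssh rule. SAMPLE_CONFIG is a constructed excerpt with a placeholder subnet; the function name and WEAK table are my own.

```python
"""Flag weak crypto and access settings in a Cisco ASA remote-access VPN config.
Added example, not from the original post; SAMPLE_CONFIG is a constructed excerpt."""
import re

# Values a reviewer would flag: DES/3DES, MD5 and DH groups below 14.
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}

SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set vpnset esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set strongset esp-aes-256 esp-sha-hmac
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
ssh 198.51.100.0 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 management
ssh version 2
ssh key-exchange group dh-group1-sha1
"""


def audit_asa_config(text):
    """Return (line_no, message) tuples for each weak setting found."""
    findings = []
    policy = None  # crypto ikev1 policy whose indented sub-commands we are in
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not raw.startswith(" "):
            policy = None  # 'show running-config' indents sub-commands by one space
        if line.startswith("crypto ikev1 policy "):
            policy = line.split()[-1]
            continue
        m = re.match(r"crypto ipsec ikev1 transform-set (\S+) esp-(\S+) esp-(\S+)-hmac", line)
        if m:  # IPsec phase 2 proposal, e.g. esp-3des / esp-md5-hmac
            name, enc, integ = m.groups()
            if enc.split("-")[0] in WEAK["encryption"]:
                findings.append((no, f"transform-set {name}: weak cipher {enc}"))
            if integ in WEAK["hash"]:
                findings.append((no, f"transform-set {name}: weak integrity {integ}"))
        elif policy:  # IKEv1 phase 1 proposal sub-command
            key, _, val = line.partition(" ")
            if val in WEAK.get(key, ()):
                findings.append((no, f"ikev1 policy {policy}: weak {key} {val}"))
        elif line.startswith("ssh key-exchange group dh-group1-"):
            findings.append((no, "ssh: DH group 1 key exchange, use a dh-group14 variant"))
        elif re.match(r"ssh 0\.0\.0\.0 0\.0\.0\.0 \S+", line):
            findings.append((no, f"ssh: any-source access on {line.split()[-1]}"))
    return findings
```

Run it against `show running-config` output saved to a file to get a line-numbered list; an empty list means none of the checked settings were found.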
