Shulou(Shulou.com)06/01 Report--

Use environment:

Customer branches access the internet through ASA firewalls via PPOE dial-up, and Hillstone firewalls at headquarters have independent public IP addresses. Two ends docking to achieve mutual access within the network

ASA Firewall Side Configuration

The current ASA version information is as follows:

The main configurations are as follows:

object network LAN_NAT

subnet 10.11.2.0 255.255.255.0

object network DC_01

subnet 172.16.0.0 255.240.0.0

nat (inside,outside) source static LAN_NAT LAN_NAT destination static DC_01 DC_01

access-list l2l_list extended permit ip 10.11.2.0 255.255.255.0 172.16.0.0 255.240.0.0

crypto ipsec ikev1 transform-set DCtest esp-3des esp-sha-hmac

crypto map testDC 1 match address l2l_list

crypto map testDC 1 set pfs

crypto map testDC 1 set peer xxx.xxx.xxx.xxx

crypto map testDC 1 set ikev1 phase1-mode aggressive

crypto map testDC 1 set ikev1 transform-set DCtest

crypto map testDC interface outside

crypto isakmp identity hostname

crypto ikev1 enable outside

crypto ikev1 policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

tunnel-group hillstone type ipsec-l2l

tunnel-group hillstone ipsec-attributes

ikev1 pre-shared-key xxxxxx

Hillstone Firewall Configuration

Description:

In authentication mode, select "savage mode" here.

Local ID: Select FQDN here.

Description:

Here, the proxy ID list is filled with the local IP network segment and the peer IP network end, that is, the network segment that the two ends will eventually communicate with.

Other options in Hillstone can be selected according to the situation.

After both ends are configured:

Hillstone End Display:

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.