
IPSec VPN and SSL VPN configuration on the ASA firewall

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--


1. Experimental topology

The topology diagram is not included in this copy of the article; the following is read from the configuration below. PC1 sits on the Shanghai branch LAN 172.16.1.0/24 behind ASA1 (inside e0/1 172.16.1.254, outside e0/0 12.0.0.1). R1 stands in for the public network with addresses 12.0.0.2, 23.0.0.2 and 1.1.1.254. ASA2 is the head office firewall (outside e0/0 23.0.0.3, inside e0/1 192.168.1.254), and PC2, the OA server, is on 192.168.1.0/24.

2. Experimental requirements

1: PC1 is a host on the Shanghai branch intranet and PC2 is a host at head office. Users at the Shanghai branch must be able to communicate directly with PC2 at head office (implemented with a Site-to-Site IPSec VPN).

2: Users on the public network must be able to access the head office OA server PC2 (implemented with an SSL VPN).

3. Configuration process

1: Basic configuration

ASA1(config)# int e0/1
ASA1(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA1(config-if)# ip add 172.16.1.254 255.255.255.0
ASA1(config-if)# no sh
ASA1(config-if)# int e0/0
ASA1(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA1(config-if)# ip add 12.0.0.1 255.255.255.0
ASA1(config-if)# no sh
ASA1(config-if)#

ASA1# ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/344/1670 ms

R1(config)# int f0/0
R1(config-if)# ip add 12.0.0.2 255.255.255.0
R1(config-if)# no sh
R1(config-if)# int f1/0
R1(config-if)# ip add 23.0.0.2 255.255.255.0
R1(config-if)# no sh
R1(config-if)# int f2/0
R1(config-if)# ip add 1.1.1.254 255.255.255.0
R1(config-if)# no sh

ASA2(config)# int e0/0
ASA2(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA2(config-if)# ip add 23.0.0.3 255.255.255.0
ASA2(config-if)# no sh
ASA2(config-if)# int e0/1
ASA2(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA2(config-if)# ip add 192.168.1.254 255.255.255.0
ASA2(config-if)# no sh

Configure routing, NAT and ACLs. Each ASA gets a default route to R1, dynamic PAT on the outside interface for its inside network, and an ACL applied inbound on outside so the ping tests can get back in. The name of that ACL is missing from this copy of the article; whatever name is used in the access-list command must also be given to the access-group command.

ASA1(config)# route outside 0 0 12.0.0.2
ASA1(config)# nat-control
ASA1(config)# nat (inside) 1 0 0
ASA1(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool
ASA1(config)# access-list permit icmp any any
ASA1(config)# access-group in interface outside

ASA2(config)# route outside 0 0 23.0.0.2
ASA2(config)# nat-control
ASA2(config)# nat (inside) 1 0 0
ASA2(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool
ASA2(config)# access-list permit icmp any any
ASA2(config)# access-group in interface outside

At this point each private network can reach the public network through PAT, but the two private networks cannot reach each other; that is what the VPN will provide.

2: Configure the Site-to-Site VPN

First exempt the branch-to-head-office traffic from NAT on both firewalls. NAT ID 0 with an access-list is NAT exemption: traffic matching no-nat keeps its private addresses, and the same ACL is later used by the crypto map to select the interesting traffic, so the two definitions must mirror each other on the two peers.

ASA1(config)# access-list no-nat permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
ASA1(config)# nat (inside) 0 access-list no-nat
ASA2(config)# access-list no-nat permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
ASA2(config)# nat (inside) 0 access-list no-nat

Then configure IKE phase 1 (ISAKMP policy and pre-shared key) and IPsec phase 2 (transform set and crypto map) on each side. The "crypto isakmp policy <number>" command that enters the policy submode is not shown in this copy of the article; the submode prompt is kept as it appeared.

ASA1(config)# crypto isakmp enable outside
ASA1(config-isakmp-policy)# authentication pre-share
ASA1(config-isakmp-policy)# encryption des
ASA1(config-isakmp-policy)# hash md5
ASA1(config-isakmp-policy)# group 2
ASA1(config-isakmp-policy)# exit
ASA1(config)# isakmp key cisco address 23.0.0.3
ASA1(config)# crypto ipsec transform-set mytrans esp-des esp-md5-hmac
ASA1(config)# crypto map mymap 10 set peer 23.0.0.3
ASA1(config)# crypto map mymap 10 set transform-set mytrans
ASA1(config)# crypto map mymap 10 match address no-nat
ASA1(config)# crypto map mymap interface outside

ASA2(config)# crypto isakmp enable outside
ASA2(config-isakmp-policy)# authentication pre-share
ASA2(config-isakmp-policy)# encryption des
ASA2(config-isakmp-policy)# hash md5
ASA2(config-isakmp-policy)# group 2
ASA2(config-isakmp-policy)# exit
ASA2(config)# isakmp key cisco address 12.0.0.1
ASA2(config)# crypto ipsec transform-set mytrans esp-des esp-md5-hmac
ASA2(config)# crypto map mymap 10 set peer 12.0.0.1
ASA2(config)# crypto map mymap 10 set transform-set mytrans
ASA2(config)# crypto map mymap 10 match address no-nat
ASA2(config)# crypto map mymap interface outside

The Site-to-Site IPSec VPN configuration is complete. DES and MD5 are used here only because the lab image accepts them; current ASA software treats them as legacy algorithms, and a production tunnel should use AES with SHA-2.
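The following checker is an added example and not part of the original article: it parses the two site-to-site fragments above (embedded as constructed strings, with ASA2 deliberately given NAT ID 1 instead of 0 so that check fires) and reports the mistakes that most often leave a lab like this without a working tunnel: a NAT-exempt rule whose ID is not 0, a crypto map matching a different ACL than the exempted one, interesting-traffic ACLs that are not mirror images, a pre-shared key bound to an address other than the crypto map peer, and the legacy DES/MD5 transforms.

```python
import re

# Constructed samples: the ASA1/ASA2 site-to-site fragments of this lab; ASA2 is
# given "nat (inside) 1" on purpose so the NAT-exemption check fires.
ASA1 = """
access-list no-nat permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list no-nat
isakmp key cisco address 23.0.0.3
crypto ipsec transform-set mytrans esp-des esp-md5-hmac
crypto map mymap 10 set peer 23.0.0.3
crypto map mymap 10 match address no-nat
"""
ASA2 = """
access-list no-nat permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 1 access-list no-nat
isakmp key cisco address 12.0.0.1
crypto ipsec transform-set mytrans esp-des esp-md5-hmac
crypto map mymap 10 set peer 12.0.0.1
crypto map mymap 10 match address no-nat
"""
LEGACY = {"esp-des", "esp-md5-hmac"}  # transforms used in this lab; not for production

def acl_pairs(cfg, name):
    """Set of (source, destination) 'network mask' pairs in 'access-list <name> permit ip'."""
    pat = rf"^access-list {name} (?:extended )?permit ip (\S+ \S+) (\S+ \S+)$"
    return {(m.group(1), m.group(2)) for m in re.finditer(pat, cfg, re.M)}

def check_site_to_site(local, remote):
    """Return a list of findings for 'local' checked against its peer's config 'remote'."""
    findings = []
    nat = re.search(r"^nat \(inside\) (\d+) access-list (\S+)", local, re.M)
    if not nat or nat.group(1) != "0":  # only NAT ID 0 exempts; ID 1 still PATs the traffic
        findings.append("nat exemption is not 'nat (inside) 0 access-list ...'")
    cm = re.search(r"^crypto map \S+ \d+ match address (\S+)", local, re.M)
    if not cm or not nat or cm.group(1) != nat.group(2):
        findings.append("crypto map match ACL differs from NAT-exempt ACL")
    if cm:  # interesting traffic must be the exact mirror of the peer's definition
        mirror = {(d, s) for s, d in acl_pairs(remote, cm.group(1))}
        if acl_pairs(local, cm.group(1)) != mirror:
            findings.append("interesting-traffic ACL is not the mirror of the peer's")
    key = re.search(r"^isakmp key \S+ address (\S+)", local, re.M)
    peer = re.search(r"^crypto map \S+ \d+ set peer (\S+)", local, re.M)
    if not key or not peer or key.group(1) != peer.group(1):
        findings.append("isakmp key address and crypto map peer differ")
    ts = re.search(r"^crypto ipsec transform-set \S+ (.+)$", local, re.M)
    weak = sorted(set(ts.group(1).split()) & LEGACY) if ts else []
    if weak:
        findings.append("legacy transform(s): " + ", ".join(weak))
    return findings
```

Run check_site_to_site(ASA1, ASA2) and check_site_to_site(ASA2, ASA1) to audit each side; an empty list means the side is consistent with its peer.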

3: Configure the SSL VPN on ASA2

Enable WebVPN on the outside interface, load the SSL client image, create the user, the address pool for remote clients and the split-tunnel ACL, then bind them together with a group policy and a tunnel group. The address pool name is garbled in this copy of the article (shown as * *); the same name is used in the ip local pool and address-pool commands.

ASA2(config)# webvpn
ASA2(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
ASA2(config-webvpn)# svc image disk0:/sslclient-win-1.1.3.173.pkg
ASA2(config-webvpn)# svc enable
ASA2(config-webvpn)# exit
ASA2(config)# username cisco password cisco
ASA2(config)# ip local pool * * 192.168.100.1-192.168.100.200
ASA2(config)# access-list 100 permit ip 192.168.1.0 255.255.255.0 any
ASA2(config)# group-policy my10 internal
ASA2(config)# group-policy my10 attributes
ASA2(config-group-policy)# vpn-tunnel-protocol webvpn svc
ASA2(config-group-policy)# split-tunnel-policy tunnelspecified
ASA2(config-group-policy)# split-tunnel-network-list value 100
ASA2(config-group-policy)# webvpn
ASA2(config-group-webvpn)# svc ask enable
ASA2(config-group-webvpn)# exit
ASA2(config-group-policy)# exit
ASA2(config)# tunnel-group jishu type webvpn
ASA2(config)# tunnel-group jishu general-attributes
ASA2(config-tunnel-general)# address-pool * *
ASA2(config-tunnel-general)# default-group-policy my10
ASA2(config-tunnel-general)# webvpn
ASA2(config-webvpn)# tunnel-group-list enable
ASA2(config-webvpn)# tunnel-group jishu webvpn-attributes
ASA2(config-tunnel-webvpn)# group-alias 2t39

The SSL VPN configuration is complete.

Finally, traffic between the inside network and the SSL VPN address pool must also be exempted from NAT on ASA2, otherwise replies from PC2 to remote clients are translated by the PAT rule:

access-list sslvpn extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list sslvpn
