一、ASA版本说明
ASA-5515# show version
Cisco Adaptive Security Appliance Software Version 9.1(2)
Device Manager Version 7.1(3)
二、配置步骤
1、接口启用ike协商
crypto ikev1 enable outside
2、配置isakmp协商策略
crypto ikev1 policy 200
authentication pre-share
encryption 3des
hash md5
group 2
3、配置isakmap与共享密码
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key XXXX
4、配置需要加密的数据流
access-list acl-to-xmms extended permit ip 192.168.30.0 255.255.255.0 192.168.92.0 255.255.255.0
5、配置ipsec策略(数据转换集)
crypto ipsec ikev1 transform-set trans_xmms esp-des esp-md5-hmac
6、配置crypto map
crypto map map-to-xmms 10 match address acl-to-xmms
crypto map map-to-xmms 10 set peer X.X.X.X
crypto map map-to-xmms 10 set ikev1 transform-set trans_xmms
7、外部接口调用
crypto map map-to-xmms interface outside
8、NO-NAT配置
object network net30 net30
subnet 192.168.30.0 255.255.255.0
object network net92 net92
subnet 192.168.92.0 255.255.255.0
nat (inside,outside) source static net30 net30 destination static net92 net92
三、状态查看
3.1、阶段1验证
show crypto isakmp sa
3.2、阶段2验证
show crypto ipsec sa
show crypto ipsec sa | in spi //安全参数索引(SPI)在两对等体正确地协商
show crypto ipsec sa | in pkts //确认是否在通道间的通信流
评论 在此处输入想要评论的文本。