Cisco ASA IPsec is connected to other devices. ASA is a fixed IP, and

airsmon
Level 1

Topology diagram:

01.png

SP-ASA:

interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 58.34.148.66 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 172.30.32.254 255.255.255.0 

object network Net_10.0.0.0-8
 subnet 10.0.0.0 255.0.0.0
object network VPN_LNET_10.29.0.0-16
 subnet 10.29.0.0 255.255.0.0
object network VPN_PNET_10.6.0.0-16
 subnet 10.6.0.0 255.255.0.0
object network VPN_PNET_10.71.0.0-16
 subnet 10.71.0.0 255.255.0.0
object-group network VPN_LNET_GP
 network-object object VPN_LNET_10.29.0.0-16
object-group network VPN_PNET_GP
 network-object object VPN_PNET_10.6.0.0-16
 network-object object VPN_PNET_10.71.0.0-16
access-list Inft_Outside_In extended permit icmp any any 
access-list VPN_ACL_Yovo extended permit ip 10.29.0.0 255.255.0.0 10.6.0.0 255.255.0.0 
access-list VPN_ACL_Beijing extended permit ip 10.29.0.0 255.255.0.0 10.71.0.0 255.255.0.0

nat (Inside,Outside) source static VPN_LNET_GP VPN_LNET_GP destination static VPN_PNET_GP VPN_PNET_GP

object network Net_10.0.0.0-8
 nat (Inside,Outside) dynamic interface
access-group Inft_Outside_In in interface Outside
route Outside 0.0.0.0 0.0.0.0 58.34.148.65 1
route Inside 10.0.0.0 255.0.0.0 172.30.32.253 1

crypto ipsec ikev1 transform-set ESP_TRANS esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP_BEIJING esp-aes-256 esp-sha-hmac 
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SP_BEIJING 20 match address VPN_ACL_Beijing
crypto dynamic-map SP_BEIJING 20 set ikev1 transform-set ESP_TRANS ESP_BEIJING
crypto dynamic-map SP_BEIJING 20 set reverse-route
crypto map DAOCLOUD_VPN_MAP 10 match address VPN_ACL_Yovo
crypto map DAOCLOUD_VPN_MAP 10 set peer 140.207.201.152 
crypto map DAOCLOUD_VPN_MAP 10 set ikev1 transform-set ESP_TRANS
crypto map DAOCLOUD_VPN_MAP 20 ipsec-isakmp dynamic SP_BEIJING
crypto map DAOCLOUD_VPN_MAP interface Outside

crypto isakmp identity hostname 
crypto ikev1 enable Outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha     
 group 14
 lifetime 86400

tunnel-group DC-BEIJING type ipsec-l2l
tunnel-group DC-BEIJING ipsec-attributes
 ikev1 pre-shared-key *****
 peer-id-validate nocheck

ASAv:

interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 10.1.1.2 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 172.16.100.1 255.255.255.0 

object network LNET_172.16.100.0-24
 subnet 172.16.100.0 255.255.255.0

object network LNET_172.16.100.0-24
 nat (Inside,Outside) dynamic interface
access-group Inft_Outside_In in interface Outside
route Outside 0.0.0.0 0.0.0.0 10.1.1.1 1

iKuai:

02.png 03.png 04.png

1 Reply

Need full config of ASAv.