Notes on configuring an L2TP over IPsec remote-access VPN on a Cisco ASA

1. Define the address pool:

ip local pool L2TPVPNPool 10.1.2.55-10.1.2.59 mask 255.255.255.0


2. Define the group policy:

group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 10.1.2.140 10.1.2.35
 vpn-tunnel-protocol l2tp-ipsec
 default-domain value Antec-Beijing.com

3. Define the tunnel group:

tunnel-group DefaultRAGroup general-attributes
 address-pool L2TPVPNPool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key Antec@1986
tunnel-group DefaultRAGroup ppp-attributes
 authentication chap
 authentication ms-chap-v2

4. Enable and define ISAKMP:

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

5. Define the IPsec transform set:

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport


6. Define the crypto map and apply it to the outside interface:

crypto dynamic-map outside_dyn_map 65535 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside


7. Exempt the VPN traffic from NAT:

access-list inside_nat0_outbound extended permit ip 10.1.2.0 255.255.255.0 10.1.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound


8. Enable NAT traversal. If a PAT device sits between the two peers, the IPsec tunnel cannot pass traffic without it; without this setting the client dial-up fails with error "789":

crypto isakmp nat-traversal 30


9. Configure local user authentication:

username antec password antec1986 mschap
username antec attributes
 vpn-group-policy DefaultRAGroup
 vpn-tunnel-protocol IPSec l2tp-ipsec

10. Allow traffic to enter and leave through the same interface:

same-security-traffic permit intra-interface


11. Enable IPsec hairpinning, which lets VPN client traffic reach the Internet through the ASA's outside interface:

nat (outside) 1 10.1.2.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
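The eleven steps above depend on each other: the tunnel group must name a pool and a group policy that exist, the dynamic map must name a transform set that is defined and in transport mode (L2TP over IPsec does not work in tunnel mode), the crypto map must be bound to the interface on which ISAKMP is enabled, and NAT traversal must be on for clients behind PAT. The script below is an added example, not part of the original notes or of any Cisco tooling: it parses ASA-style indented configuration text and reports errors for broken cross-references and warnings for topology-dependent or legacy settings (it flags the 3DES, SHA-1 and DH group 2 choices in step 4 as legacy algorithms). The embedded sample is built from the lines of the steps above that the checks read; the function names and message wording are my own.

```python
import re

# Constructed sample input: the lines from the notes above that the checks below read
# (address pool, policies, tunnel group, ISAKMP, transform set, crypto map, NAT-T).
SAMPLE_CONFIG = """\
ip local pool L2TPVPNPool 10.1.2.55-10.1.2.59 mask 255.255.255.0
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 address-pool L2TPVPNPool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key Antec@1986
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 65535 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp nat-traversal 30
same-security-traffic permit intra-interface
"""

# ISAKMP settings that still work but are no longer considered strong.
LEGACY_ISAKMP = [("encryption 3des", "3DES"), ("hash sha", "SHA-1"), ("group 2", "DH group 2 (1024-bit)")]


def parse_sections(text):
    """Map each top-level command to the list of indented sub-commands beneath it."""
    sections, parent = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            if parent is None:
                raise ValueError("indented line before any top-level command: %r" % raw)
            sections[parent].append(raw.strip())
        else:
            parent = raw.strip()
            sections.setdefault(parent, [])
    return sections


def _subcommands(sections, prefix):
    return [c for p, kids in sections.items() if p.startswith(prefix) for c in kids]


def _first(pattern, lines):
    """First re.match of `pattern` over `lines`, or None."""
    return next((m for m in (re.match(pattern, line) for line in lines) if m), None)


def check_l2tp_ipsec(text):
    """Return (errors, warnings): errors break the tunnel, warnings are weak or topology-dependent."""
    sections = parse_sections(text)
    top = list(sections)
    errors, warnings = [], []

    # 1. The tunnel group must reference an address pool and a group policy that exist.
    pools = {m.group(1) for m in (re.match(r"ip local pool (\S+)", t) for t in top) if m}
    policies = {m.group(1) for m in (re.match(r"group-policy (\S+) internal", t) for t in top) if m}
    tg = _subcommands(sections, "tunnel-group ")
    pool_ref = _first(r"address-pool (\S+)", tg)
    if not pool_ref or pool_ref.group(1) not in pools:
        errors.append("tunnel-group address-pool missing or undefined")
    gp_ref = _first(r"default-group-policy (\S+)", tg)
    if not gp_ref or gp_ref.group(1) not in policies:
        errors.append("tunnel-group default-group-policy missing or undefined")

    # 2. The group policy must admit L2TP/IPsec and PPP must offer MS-CHAPv2 (Windows clients).
    if "vpn-tunnel-protocol l2tp-ipsec" not in _subcommands(sections, "group-policy "):
        errors.append("group-policy does not allow vpn-tunnel-protocol l2tp-ipsec")
    if "authentication ms-chap-v2" not in tg:
        errors.append("ppp-attributes does not offer ms-chap-v2")

    # 3. ISAKMP must use pre-shared auth to match the tunnel group; flag legacy algorithms.
    isakmp = _subcommands(sections, "crypto isakmp policy ")
    if "authentication pre-share" not in isakmp:
        errors.append("isakmp policy does not use pre-share authentication")
    warnings += ["isakmp policy uses legacy %s" % name for cmd, name in LEGACY_ISAKMP if cmd in isakmp]

    # 4. Dynamic map -> transform set (transport mode!) -> crypto map -> interface with ISAKMP enabled.
    dyn = _first(r"crypto dynamic-map (\S+) \d+ set transform-set (\S+)", top)
    if not dyn:
        errors.append("no crypto dynamic-map sets a transform-set")
    else:
        ts = dyn.group(2)
        if not any(t.startswith("crypto ipsec transform-set %s esp-" % ts) for t in top):
            errors.append("transform-set %s referenced but not defined" % ts)
        if "crypto ipsec transform-set %s mode transport" % ts not in top:
            errors.append("transform-set %s is not in transport mode (required for L2TP/IPsec)" % ts)
        cmap = _first(r"crypto map (\S+) \d+ ipsec-isakmp dynamic %s$" % re.escape(dyn.group(1)), top)
        if not cmap:
            errors.append("dynamic-map %s is not attached to a crypto map" % dyn.group(1))
        else:
            bound = _first(r"crypto map %s interface (\S+)" % re.escape(cmap.group(1)), top)
            if not bound:
                errors.append("crypto map %s is not applied to an interface" % cmap.group(1))
            elif "crypto isakmp enable %s" % bound.group(1) not in top:
                errors.append("isakmp is not enabled on interface %s" % bound.group(1))

    # 5. Topology-dependent: NAT-T for clients behind PAT (error 789), hairpinning for Internet access.
    if not _first(r"crypto isakmp nat-traversal", top):
        warnings.append("nat-traversal disabled: clients behind a PAT device fail with error 789")
    if "same-security-traffic permit intra-interface" not in top:
        warnings.append("intra-interface traffic not permitted: VPN clients cannot hairpin to the Internet")
    return errors, warnings


if __name__ == "__main__":
    print(check_l2tp_ipsec(SAMPLE_CONFIG))
```

Run against the sample it reports no errors and three legacy-algorithm warnings; remove the `mode transport` line or change the `address-pool` name and the corresponding error appears, which is the kind of mistake that otherwise only shows up as a failed dial-up on the client.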


This post is from the blog “银凯的博客”; please keep this attribution: http://yinkai.blog.51cto.com/3813923/1575058
