Notes on configuring an L2TP over IPsec remote-access VPN on the ASA
The commands below use the pre-8.3 NAT syntax (nat/global plus an exemption ACL) and the pre-8.4 crypto isakmp keywords. On ASA 8.3 and later the NAT steps are written with object NAT, and from 8.4 crypto isakmp becomes crypto ikev1. Replace the sample addresses, pre-shared key and password with your own.
1. Define the address pool:
ip local pool L2TPVPNPool 10.1.2.55-10.1.2.59 mask 255.255.255.0
2. Define the group policy (DefaultRAGroup is the default remote-access group; Windows L2TP/IPsec clients cannot send a group name, so this is the group they land in):
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 10.1.2.140 10.1.2.35
vpn-tunnel-protocol l2tp-ipsec
default-domain value Antec-Beijing.com
3. Define the tunnel group. The pre-shared key under ipsec-attributes is the IPsec group secret shared by every L2TP client; the per-user password in step 9 only authenticates the PPP layer, so guard and rotate the key like any shared secret:
tunnel-group DefaultRAGroup general-attributes
address-pool L2TPVPNPool
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key Antec@1986
tunnel-group DefaultRAGroup ppp-attributes
authentication chap
authentication ms-chap-v2
4. Enable ISAKMP on the outside interface and define the IKE policy. 3DES, SHA-1 and Diffie-Hellman group 2 are the lowest settings Windows clients will negotiate; prefer AES and a stronger DH group where your clients support them:
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
5. Define the IPsec transform set (transport mode is required for L2TP over IPsec, because L2TP itself provides the tunnel):
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
6. Define the dynamic crypto map and apply the crypto map to the outside interface:
crypto dynamic-map outside_dyn_map 65535 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
7. Exempt VPN traffic from NAT (the pool is carved out of the inside subnet, so source and destination in the ACL are the same network):
access-list inside_nat0_outbound extended permit ip 10.1.2.0 255.255.255.0 10.1.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
8. Enable NAT traversal. If a PAT device sits between the two peers, the IPsec tunnel cannot pass traffic without it, and the Windows client fails to dial with error 789. The argument is the NAT keepalive interval in seconds:
crypto isakmp nat-traversal 30
9. Configure local user authentication (the mschap keyword stores the password in the form MS-CHAP needs; without it, MS-CHAPv2 against the local database fails):
username antec password antec1986 mschap
username antec attributes
vpn-group-policy DefaultRAGroup
vpn-tunnel-protocol IPSec l2tp-ipsec
10. Allow traffic to enter and leave through the same interface (VPN client traffic bound for the Internet arrives on outside and must go back out on outside):
same-security-traffic permit intra-interface
11. Enable IPsec hairpinning so that VPN client traffic can reach the Internet through the ASA's outside interface, PATed to the outside address:
nat (outside) 1 10.1.2.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
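The post covers only the ASA side. As an added example that is not part of the original blog entry, the following PowerShell sets up the matching Windows client (Windows 8 / Server 2012 or later, run from an elevated prompt): it sets the registry value Windows needs for NAT traversal (the error 789 case of step 8), creates an L2TP/IPsec profile that uses the pre-shared key from step 3 and MS-CHAPv2 from the ppp-attributes, and dials as the local user from step 9. The server name vpn.example.com and the profile name ASA-L2TP are placeholders, not values from the page.

```powershell
# Windows client for the ASA L2TP/IPsec configuration above (added example, not from the blog).
# Run in an elevated PowerShell on Windows 8 / Server 2012 or later (VpnClient module).
# Assumptions not on the original page: the ASA outside interface is reachable as
# vpn.example.com, and the profile is named ASA-L2TP.
$Server = 'vpn.example.com'
$Name   = 'ASA-L2TP'
$Psk    = 'Antec@1986'   # must equal the pre-shared-key under "tunnel-group DefaultRAGroup ipsec-attributes"
$User   = 'antec'        # the local user defined in step 9

# Client side of step 8: Windows Vista and later will not build an IPsec SA to a server that
# sits behind a NAT device unless this value is set (Microsoft KB 926179).
#   1 = server behind NAT, 2 = server and client both behind NAT.
# Takes effect after a reboot (or after restarting the IKEEXT and PolicyAgent services).
$PolicyAgent = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
New-ItemProperty -Path $PolicyAgent -Name 'AssumeUDPEncapsulationContextOnSendRule' `
    -PropertyType DWord -Value 2 -Force | Out-Null

# Create (or recreate) the L2TP/IPsec profile.
# MSChapv2 matches "authentication ms-chap-v2" in the ppp-attributes of step 3;
# -EncryptionLevel Required makes the client refuse a connection the server will not encrypt.
if (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $Name -Force
}
Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType L2tp -L2tpPsk $Psk `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required -RememberCredential -Force

# Dial as the step-9 user. The trailing '*' makes rasdial prompt for the password
# instead of taking it on the command line (and leaving it in the shell history).
rasdial $Name $User *

# Check the result: ConnectionStatus should read "Connected" and the client should
# hold an address from the L2TPVPNPool range (10.1.2.55-10.1.2.59).
Get-VpnConnection -Name $Name | Select-Object Name, TunnelType, ConnectionStatus
```

On the ASA, show crypto isakmp sa and show crypto ipsec sa confirm that the phase 1 and phase 2 SAs came up, and show vpn-sessiondb summary lists the session. If the client sits behind NAT and the ASA logs show phase 1 completing but no IPsec SA, check that the registry value above was applied and the machine rebooted.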
This article is from "Yinkai's blog"; please keep this attribution: http://yinkai.blog.51cto.com/3813923/1575058