
Effect of an intermediate ASA firewall on an IPsec VPN, and how to resolve it

2012-07-01 17:33

An IPsec VPN extends the network, while a firewall controls and filters network traffic, so a firewall sitting between the two VPN peers affects IPsec VPN communication. By default the ASA only maintains stateful sessions for UDP/TCP traffic, so it drops the returning ESP traffic. There are two solutions:

1. Use an ACL to permit the ESP traffic.

2. Apply IPsec pass-through inspection.

Lab topology (figure not included on this page)

R1 configuration:

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 192.168.200.2 no-xauth
!
!         
crypto ipsec transform-set trans esp-des esp-md5-hmac 
!
crypto map r1 10 ipsec-isakmp 
 set peer 192.168.200.2
 set transform-set trans 
 match address vpn
!

interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.100.1 255.255.255.0
 duplex auto
 speed auto
 crypto map r1

ip route 0.0.0.0 0.0.0.0 192.168.100.254
!

ip access-list extended vpn
 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255

ASA configuration:

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.100.254 255.255.255.0 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.200.254 255.255.255.0
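Both fixes listed at the top, written out for this ASA as an added example (not configuration from the original page). It assumes R2 (192.168.200.2, inside) initiates the tunnel to R1 (192.168.100.1, outside) and that no NAT is configured on the ASA, as in the page's configuration; the access-list and policy-map names and the per-client/timeout values are assumed, not from the page. Apply one option or the other, not both.

```text
! Option 1: permit the returning ESP (IP protocol 50) from the outside peer
! R1 to the inside peer R2. ISAKMP on UDP/500 initiated from inside already
! gets a state entry, so only ESP has to be opened explicitly. The second
! line is only needed if R1 may initiate the tunnel from the outside.
access-list outside_in extended permit esp host 192.168.100.1 host 192.168.200.2
access-list outside_in extended permit udp host 192.168.100.1 host 192.168.200.2 eq isakmp
access-group outside_in in interface outside
!
! Option 2: IPsec pass-through inspection. The ASA tracks the ISAKMP
! exchange on UDP/500 and opens a pinhole only for the matching ESP flow,
! so no static ESP permit is needed. per-client-max and timeout are
! assumed example values.
policy-map type inspect ipsec-pass-thru ipsec_passthru_map
 parameters
  esp per-client-max 10 timeout 0:11:00
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru ipsec_passthru_map
!
! Verification after bringing the tunnel up from R2:
!   show access-list outside_in   (hit counts on the esp entry, option 1)
!   show conn                     (an ESP connection between the peers)
```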

R2 configuration:

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 192.168.100.1 no-xauth
!
!         
crypto ipsec transform-set trans esp-des esp-md5-hmac 
!
crypto map r2 10 ipsec-isakmp 
 set peer 192.168.100.1
 set transform-set trans 
 match address vpn
!
!
!
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.200.2 255.255.255.0