I could not find a concrete, worked example of an ASA 5505 dynamic-map IPsec *** configuration anywhere online, so here is one.
ASA5505, software 8.2(5): dynamic *** configuration (hub with a crypto dynamic-map, branch with a static crypto map)
ASA5505 headquarters (hub) configuration

What makes this side dynamic: the hub has no set peer and no complete static crypto-map entry for the branch. Sequence 10 of ***map hands negotiation to the dynamic map dm***, and the pre-shared key sits under DefaultL2LGroup, so any IPsec peer from any source address that presents that key can bring up a LAN-to-LAN tunnel, and the hub accepts whatever proxy identities (crypto ACL selectors) the peer proposes. Two consequences: every branch shares the one DefaultL2LGroup key, so one compromised branch can impersonate any other, and the hub can never initiate the tunnel, only the branch can. Sequence 9 (match address *** with no peer and no transform set) is an incomplete entry that the ASA skips, so the crypto ACL *** plays no part in negotiation; the nonat ACL is what keeps branch-bound traffic out of the PAT rule.

Not to be copied as-is: access-list 101 permits ip any any inbound on outside; esp-des in the transform set and 3des with DH group 2 in the ISAKMP policy are all weak (esp-aes-256, aes-256 and group 5 are available on 8.2(5)); 191.168.1.0/24 and 191.168.2.0/24 are not RFC 1918 space and will collide with real Internet addresses; and the enable/password hashes are printed verbatim, so treat them as disclosed and change them.

ASA Version 8.2(5)
!
hostname C-FW
enable password aMoTHvjlJ2eSVOPB encrypted
passwd aMoTHvjlJ2eSVOPB encrypted
!
interface Ethernet0/0
switchport access vlan 10
!
interface Ethernet0/1
switchport access vlan 20
!
interface Vlan10
nameif outside
security-level 0
ip address 192.168.9.59 255.255.255.0
!
interface Vlan20
nameif inside
security-level 100
ip address 191.168.1.1 255.255.255.0
!
object-group network local
network-object 191.168.1.0 255.255.255.0
object-group network remote
network-object 191.168.2.0 255.255.255.0
access-list 101 extended permit ip any any
access-list 101 extended permit icmp any any
access-list *** extended permit ip object-group local object-group remote
access-list nonat extended permit ip object-group local object-group remote
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.9.1 1
crypto ipsec transform-set spring esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dm*** 10 set transform-set spring
crypto map ***map 9 match address ***
crypto map ***map 10 ipsec-isakmp dynamic dm***
crypto map ***map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *****
!
ASA5505 branch (spoke) configuration

The branch is the static side: ***map 10 pins the peer (192.168.9.59, the hub's outside address), the crypto ACL ***acl (191.168.2.0/24 to 191.168.1.0/24, the exact mirror of the hub's local and remote object groups) and the transform set, and the tunnel-group carrying the pre-shared key is named after the peer address. Traffic from 191.168.2.0/24 toward 191.168.1.0/24 is what triggers the negotiation, so the first packet always comes from the branch. Note that telnet and ssh are opened to 0.0.0.0/0 on outside: the ASA does not allow plaintext Telnet to its lowest-security interface unless it arrives inside an IPsec tunnel, but the ssh line does expose SSH to the entire Internet, so restrict it to known management addresses.

ASA Version 8.2(5)
!
hostname apartment
enable password aMoTHvjlJ2eSVOPB encrypted
passwd aMoTHvjlJ2eSVOPB encrypted
names
!
interface Ethernet0/0
switchport access vlan 10
!
interface Ethernet0/1
switchport access vlan 20
!
!
interface Vlan10
nameif outside
security-level 0
ip address 192.168.210.112 255.255.255.0
!
interface Vlan20
nameif inside
security-level 100
ip address 191.168.2.1 255.255.255.0
!
object-group network local-lan
network-object 191.168.2.0 255.255.255.0
object-group network remote-lan
network-object 191.168.1.0 255.255.255.0
access-list ***acl extended permit ip object-group local-lan object-group remote-lan
access-list nonat extended permit ip object-group local-lan object-group remote-lan
access-list wan extended permit ip any any
access-list wan extended permit icmp any any
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group wan in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.210.1 1
crypto ipsec transform-set spring esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map ***map 10 match address ***acl
crypto map ***map 10 set peer 192.168.9.59
crypto map ***map 10 set transform-set spring
crypto map ***map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh version 2
!
username spring password y7hhCuJ3JPnu5JRZ encrypted
tunnel-group 192.168.9.59 type ipsec-l2l
tunnel-group 192.168.9.59 ipsec-attributes
pre-shared-key *****
!
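The two configurations above can be checked mechanically for the things that most often keep a dynamic-map tunnel down or leave it weaker than intended: anything the hub pins as selectors must be the exact mirror image of the branch's crypto ACL, the transform sets and ISAKMP policies on the two sides must overlap, incomplete crypto-map entries are silently skipped, weak algorithms should be caught before they go live, and "inside" prefixes outside RFC 1918 space are worth flagging. The Python script below is an added example written for this page, not part of the original post or of any Cisco tooling; it embeds constructed excerpts of the two configs (HUB_CFG and SPOKE_CFG are hypothetical names), resolves object-groups, handles only the ACL endpoint forms the page uses (any and object-group), and returns its findings from audit() so they can be asserted on.

```python
import ipaddress
# Constructed excerpts of the two configurations above; only the lines the checks read are kept.
HUB_CFG = """
object-group network local
network-object 191.168.1.0 255.255.255.0
object-group network remote
network-object 191.168.2.0 255.255.255.0
access-list *** extended permit ip object-group local object-group remote
crypto ipsec transform-set spring esp-des esp-sha-hmac
crypto dynamic-map dm*** 10 set transform-set spring
crypto map ***map 9 match address ***
crypto map ***map 10 ipsec-isakmp dynamic dm***
crypto isakmp policy 10
group 2
"""
SPOKE_CFG = """
object-group network local-lan
network-object 191.168.2.0 255.255.255.0
object-group network remote-lan
network-object 191.168.1.0 255.255.255.0
access-list ***acl extended permit ip object-group local-lan object-group remote-lan
crypto ipsec transform-set spring esp-des esp-sha-hmac
crypto map ***map 10 match address ***acl
crypto map ***map 10 set peer 192.168.9.59
crypto map ***map 10 set transform-set spring
crypto isakmp policy 10
group 2
"""
WEAK = {"esp-des", "esp-3des", "esp-md5-hmac", "des", "3des", "md5", "group 1", "group 2"}

def parse_asa(cfg):
    """Collect object-groups, ACLs (any / object-group endpoints only), transform sets, ISAKMP policies and map clauses."""
    c = {"groups": {}, "acls": {}, "ts": {}, "pol": {}, "maps": {}, "dyn": {}}
    grp = pol = None
    for t in map(str.split, cfg.splitlines()):
        if not t:
            continue
        if t[:2] == ["object-group", "network"]:
            grp, pol = t[2], None
            c["groups"][grp] = []
        elif t[0] == "network-object" and grp:
            c["groups"][grp].append(f"{t[1]}/{t[2]}")
        elif t[:3] == ["crypto", "isakmp", "policy"]:
            pol, grp = t[3], None
            c["pol"][pol] = {}
        elif pol and t[0] in ("authentication", "encryption", "hash", "group"):
            c["pol"][pol][t[0]] = t[1]
        elif t[0] == "access-list" and t[2] == "extended":
            ep = lambda k: ("any", k + 1) if t[k] == "any" else (t[k + 1], k + 2)
            src, k = ep(5)
            c["acls"].setdefault(t[1], []).append((t[3], t[4], src, ep(k)[0]))
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            c["ts"][t[3]] = frozenset(t[4:])
        elif t[:2] in (["crypto", "map"], ["crypto", "dynamic-map"]) and len(t) == 7:
            # clause forms: match address X | set peer X | set transform-set X | ipsec-isakmp dynamic X
            c["dyn" if t[1] == "dynamic-map" else "maps"].setdefault((t[2], t[3]), {})[t[5]] = t[6]
    return c

def nets(c, ep):
    """Expand an ACL endpoint to ip_network objects, resolving object-group names."""
    return {ipaddress.ip_network(n) for n in (["0.0.0.0/0"] if ep == "any" else c["groups"].get(ep, [ep]))}

def selectors(c):
    """(src, dst) pairs proposed by complete static crypto-map entries, plus the incomplete entries."""
    pairs, incomplete = set(), []
    for (name, seq), e in c["maps"].items():
        if "dynamic" in e:
            continue  # a dynamic entry pins no selectors; it accepts what the peer proposes
        if {"address", "peer", "transform-set"} <= set(e):
            pairs |= {(s, d) for a, _, src, dst in c["acls"][e["address"]] if a == "permit"
                      for s in nets(c, src) for d in nets(c, dst)}
        else:
            incomplete.append(f"{name} {seq}")  # the ASA ignores an entry missing peer/ACL/transform
    return pairs, incomplete

def weak_crypto(c):
    """Ciphers and DH groups in use that a current deployment should not accept."""
    found = {x for ts in c["ts"].values() for x in ts if x in WEAK}
    for p in c["pol"].values():
        found |= {v for v in (p.get("encryption"), p.get("hash"), "group " + p.get("group", "")) if v in WEAK}
    return found

def audit(hub_cfg=HUB_CFG, spoke_cfg=SPOKE_CFG):
    """Run every check against a hub/spoke pair and return the findings."""
    hub, spoke = parse_asa(hub_cfg), parse_asa(spoke_cfg)
    (hub_sel, hub_inc), (spoke_sel, spoke_inc) = selectors(hub), selectors(spoke)
    offered = lambda c: {c["ts"][e["transform-set"]] for e in [*c["maps"].values(), *c["dyn"].values()] if "transform-set" in e}
    return {
        "selectors_mirror": not hub_sel or hub_sel == {(d, s) for s, d in spoke_sel},
        "spoke_selectors": {(str(s), str(d)) for s, d in spoke_sel},
        "incomplete_map_entries": {"hub": hub_inc, "spoke": spoke_inc},
        "ipsec_proposal_match": bool(offered(hub) & offered(spoke)),
        "isakmp_match": any(all(a.get(k) == b.get(k) for k in ("authentication", "encryption", "hash", "group"))
                            for a in hub["pol"].values() for b in spoke["pol"].values()),
        "weak_crypto": {"hub": weak_crypto(hub), "spoke": weak_crypto(spoke)},
        "non_rfc1918_lans": sorted({str(n) for c in (hub, spoke) for g in c["groups"].values()
                                    for n in map(ipaddress.ip_network, g) if not n.is_private}),
    }
```

Run against the page's configs, audit() reports the hub's sequence 9 as incomplete, confirms that the proposals and ISAKMP policies agree and that the branch's selectors (191.168.2.0/24 to 191.168.1.0/24) are acceptable to a hub that pins nothing, and flags esp-des, group 2 and the non-private "inside" prefixes. On the devices themselves the same negotiation is confirmed with show crypto isakmp sa (the peer should appear with state MM_ACTIVE once the branch has sent traffic toward 191.168.1.0/24) and show crypto ipsec sa, which lists the agreed selectors with their encaps/decaps counters.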