Local environment:
CISCO ASA5525
Cisco Adaptive Security Appliance Software Version 9.7(1)4
Firepower Extensible Operating System Version 2.1(1.66)
Device Manager Version 7.7(1)151
Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
ASA: 4192 MB RAM, 1 CPU (1 core)
Remote end: Azure cloud
Configuration
crypto ikev1 enable outside //enable IKEv1 and apply it on the outside interface
object-group network ***-pat
network-object 192.160.51.0 255.255.255.0
network-object 192.160.99.0 255.255.255.0 //define the local subnets
object-group network ***-azure-local
network-object 192.168.0.0 255.255.0.0 //define the remote (Azure) subnet
access-list ***-acl extended permit ip object-group ***-pat object-group ***-azure-local //match the interesting traffic
nat (inside,outside) 1 source static ***-pat ***-pat destination static ***-azure-local ***-azure-local
//create the NAT translation rule (identity NAT, so the VPN traffic is not translated)
crypto ikev1 policy 5
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
//configure the IKEv1 policy
crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
crypto ipsec security-association pmtu-aging infinite
//create the transform set
tunnel-group azure-ip type ipsec-l2l
tunnel-group azure-ip ipsec-attributes
ikev1 pre-shared-key *****
//tunnel configuration. Note: azure-ip = the remote peer's IP address; replace it when configuring
crypto map mymap 1 match address ***-acl
crypto map mymap 1 set peer azure-ip
crypto map mymap 1 set ikev1 transform-set myset
crypto map mymap interface outside
//create the crypto map
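The configuration above only brings the tunnel up if its pieces refer to each other consistently: the crypto map must point at an ACL and transform set that exist, the peer must have an ipsec-l2l tunnel-group, the map must sit on an interface where IKEv1 is enabled, and every interesting-traffic pair in the ACL needs a matching identity NAT rule, or the packets are translated before the crypto ACL sees them and never enter the tunnel. The script below is an added example (not part of this page and not Cisco or Azure code) that parses the small subset of ASA syntax used here and reports those mismatches, plus a warning for the IKEv1 policy's DH group 2 and SHA-1 choices. The sample config is the page's own, with its masked `***-...` names and `azure-ip` kept as placeholders; the `//` annotations are stripped before parsing since they are not valid ASA syntax. The DH group 2 / SHA-1 warning is informational here: those are the parameters Azure's policy-based (IKEv1) gateway uses, so they are a constraint of that gateway type rather than a local mistake, and moving to a route-based gateway with IKEv2 is the way to get stronger ones.

```python
# Constructed sample: the page's config; "***-..." names and "azure-ip" (the Azure gateway address) are placeholders.
SAMPLE_CONFIG = """\
crypto ikev1 enable outside
object-group network ***-pat
 network-object 192.160.51.0 255.255.255.0
 network-object 192.160.99.0 255.255.255.0
object-group network ***-azure-local
 network-object 192.168.0.0 255.255.0.0
access-list ***-acl extended permit ip object-group ***-pat object-group ***-azure-local
nat (inside,outside) 1 source static ***-pat ***-pat destination static ***-azure-local ***-azure-local
crypto ikev1 policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac
tunnel-group azure-ip type ipsec-l2l
tunnel-group azure-ip ipsec-attributes
 ikev1 pre-shared-key *****
crypto map mymap 1 match address ***-acl
crypto map mymap 1 set peer azure-ip
crypto map mymap 1 set ikev1 transform-set myset
crypto map mymap interface outside
"""
# Block sub-commands, keyed on the keyword because pasted configs often lose their indentation.
SUBCMDS = {"network-object", "authentication", "encryption", "hash", "group", "lifetime"}
# Weak by current guidance: DH groups 1/2/5 (<= 1536-bit MODP), MD5 and SHA-1 ("sha" on ASA).
WEAK = {"group": {"1", "2", "5"}, "hash": {"md5", "sha"}}


def parse_asa_config(text):
    cfg = {"og": {}, "acl": {}, "nat": [], "ikev1_if": set(), "policy": {},
           "ts": set(), "tg": {}, "map": {}, "map_if": {}}
    current = None  # (block kind, block key) while inside a multi-line block
    for t in (line.split("//")[0].split() for line in text.splitlines()):  # drop // annotations
        if not t or t[0] == "!":
            continue
        if current and t[0] in SUBCMDS:
            kind, key = current
            if kind == "og" and t[0] == "network-object":
                cfg["og"][key].append(tuple(t[1:]))
            elif kind == "policy":
                cfg["policy"][key][t[0]] = " ".join(t[1:])
            continue
        current = None
        if t[:3] == ["crypto", "ikev1", "enable"]:
            cfg["ikev1_if"].add(t[3])
        elif t[:2] == ["object-group", "network"]:
            cfg["og"].setdefault(t[2], [])
            current = ("og", t[2])
        elif t[0] == "access-list" and "permit" in t:
            ogs = [t[i + 1] for i, w in enumerate(t) if w == "object-group"]
            if len(ogs) == 2:  # only object-group -> object-group entries are modelled
                cfg["acl"].setdefault(t[1], []).append(tuple(ogs))
        elif t[0] == "nat" and "source" in t and "destination" in t:
            s, d = t.index("source"), t.index("destination")
            cfg["nat"].append((t[s + 2], t[s + 3], t[d + 2], t[d + 3]))
        elif t[:3] == ["crypto", "ikev1", "policy"]:
            cfg["policy"][t[3]] = {}
            current = ("policy", t[3])
        elif t[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            cfg["ts"].add(t[4])
        elif t[0] == "tunnel-group" and t[2] == "type":
            cfg["tg"][t[1]] = t[3]
        elif t[:2] == ["crypto", "map"] and t[3] == "interface":
            cfg["map_if"][t[2]] = t[4]
        elif t[:2] == ["crypto", "map"]:
            entry = cfg["map"].setdefault((t[2], t[3]), {})
            if t[4] == "match":
                entry["acl"] = t[6]
            elif t[4] == "set":  # "set peer X" or "set ikev1 transform-set X"
                entry["transform-set" if t[5] == "ikev1" else t[5]] = t[-1]
    return cfg


def check_vpn_config(cfg):
    out = []  # ERROR/WARN findings; empty means every reference resolves
    for (name, seq), e in cfg["map"].items():
        acl, ts, peer = e.get("acl"), e.get("transform-set"), e.get("peer")
        if acl not in cfg["acl"]:
            out.append(f"ERROR crypto map {name} {seq}: ACL {acl!r} is not defined")
        if ts not in cfg["ts"]:
            out.append(f"ERROR crypto map {name} {seq}: transform-set {ts!r} is not defined")
        if cfg["tg"].get(peer) != "ipsec-l2l":
            out.append(f"ERROR crypto map {name} {seq}: no ipsec-l2l tunnel-group for peer {peer!r}")
        if cfg["map_if"].get(name) not in cfg["ikev1_if"]:
            out.append(f"ERROR crypto map {name}: not applied to an interface with IKEv1 enabled")
        # Interesting traffic needs identity NAT, or it is translated before the crypto ACL is evaluated.
        for src, dst in cfg["acl"].get(acl, []):
            if (src, src, dst, dst) not in cfg["nat"]:
                out.append(f"WARN ACL {acl}: no identity NAT for {src} -> {dst}")
    for num, pol in cfg["policy"].items():
        for attr, weak in WEAK.items():
            if pol.get(attr) in weak:
                out.append(f"WARN ikev1 policy {num}: {attr} {pol[attr]} is weak by current guidance")
    return out


if __name__ == "__main__":
    print(*(check_vpn_config(parse_asa_config(SAMPLE_CONFIG)) or ["OK"]), sep="\n")
```

Run against the sample it prints only the two policy warnings; remove the `nat` line or the `crypto ikev1 enable outside` line and it reports the missing identity NAT or the map sitting on an interface without IKEv1, which are the two mistakes most likely to leave Phase 1 never starting or traffic bypassing the tunnel. On the box itself the same things are confirmed with `show crypto ikev1 sa`, `show crypto ipsec sa` and `packet-tracer`.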