1. ASA和R1之間建立preshare-key認(rèn)證的lan to lan vpn

2. 加密流量為172.16.2.0/24到172.16.1.0/24的流量

3. 同時使得網(wǎng)段172.16.2.0/24也可以上網(wǎng)

4.同時使得網(wǎng)段172.16.1.0/24也可以上網(wǎng)

路由要求：

ASA: route outside 0.0.0.0 0.0.0.0 202.1.1.10

R1: ip route 0.0.0.0 0.0.0.0 201.1.1.10

配置ASA：

第一階段策略：

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption des

hash md5

group 2

定義認(rèn)證的key為cisco：

crypto isakmp key cisco address 201.1.1.1

或是使用第二種方法!

tunnel-group 201.1.1.1 type ipsec-l2l

tunnel-group 201.1.1.1 ipsec-attributes

pre-shared-key cisco

第二階段策略：

Crypto ipsec transform-set myset esp-des esp-md5-hmac

定義感興趣流：

Access-list vpn permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0

定義crypto map:

crypto map mymap 10 match address vpn

crypto map mymap 10 set peer 201.1.1.1

crypto map mymap 10 set transform-set myset

應(yīng)用crypto map到outside接口:

crypto map mymap interface outside

配置PAT，使得172.16.2.0/24可以上網(wǎng):

access-list nonat extended permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 172.16.2.0 255.255.255.0

配置R1：

crypto isakmp policy 10

hash md5

encryption des

authentication pre-share

group 2

crypto isakmp key cisco address 202.1.1.1

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto map mymap 10 ipsec-isakmp

set peer 202.1.1.1

set transform-set myset

match address 100

interface e0/0

ip address 201.1.1.1 255.255.255.0

ip nat outside

crypto map mymap

interface e0/1

ip address 172.16.1.1 255.255.255.0

ip nat inside

ip nat inside source list for.nat interface e0/0 overload

ip route 0.0.0.0 0.0.0.0 201.1.1.10

ip access-list extended for.nat

deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255

permit ip 172.16.1.0 0.0.0.255 any

access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255