PIX/ASA 7.x：在现有 L2L VPN 隧道上添加/删除网络的配置示例

下载选项

PDF (344.4 KB)
在各种设备上使用 Adobe Reader 查看
ePub (162.1 KB)
在 iPhone、iPad、Android、Sony Reader 或 Windows Phone 上使用各种应用查看
Mobi (Kindle) (253.9 KB)
在 Kindle 设备上查看或在多个设备上使用 Kindle 应用查看

已更新: 2007 年 4 月 9 日

文档 ID:82209

非歧视性语言

此产品的文档集力求使用非歧视性语言。在本文档集中，非歧视性语言是指不隐含针对年龄、残障、性别、种族身份、族群身份、性取向、社会经济地位和交叉性的歧视的语言。由于产品软件的用户界面中使用的硬编码语言、基于 RFP 文档使用的语言或引用的第三方产品使用的语言，文档中可能无法确保完全使用非歧视性语言。深入了解思科如何使用包容性语言。

关于此翻译

思科采用人工翻译与机器翻译相结合的方式将此文档翻译成不同语言，希望全球的用户都能通过各自的语言得到支持性的内容。请注意：即使是最好的机器翻译，其准确度也不及专业翻译人员的水平。 Cisco Systems, Inc. 对于翻译的准确性不承担任何责任，并建议您总是参考英文原始文档（已提供链接）。

NY (HQ) 防火墙配置
ASA-NY-HQ#show running-config : Saved : ASA Version 7.2(2) ! hostname ASA-NY-HQ domain-name corp2.com enable password WwXYvtKrnjXqGbu1 encrypted names ! interface Ethernet0/0 nameif outside security-level 0 ip address 192.168.11.2 255.255.255.0 ! interface Ethernet0/1 nameif inside security-level 100 ip address 172.16.1.2 255.255.255.0 ! interface Ethernet0/2 nameif Cisco security-level 70 ip address 172.16.40.2 255.255.255.0 ! interface Ethernet0/3 shutdown no nameif no security-level no ip address ! interface Management0/0 shutdown no nameif no security-level no ip address ! passwd 2KFQnbNIdI.2KYOU encrypted ftp mode passive dns server-group DefaultDNS domain-name corp2.com access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 10.10.10.0 255.255.255.0 !--- You must be sure that you configure the !--- opposite of these access control lists !--- on the other end of the VPN tunnel. access-list inside_nat0_outbound extended permit ip 172.16.40.0 255.255.255.0 10.10.10.0 255.255.255.0 access-list outside_20_cryptomap extended permit ip 172.16.1.0 255.255.255.0 10.10.10.0 255.255.255.0 !--- You must be sure that you configure the !--- opposite of these access control lists !--- on the other end of the VPN tunnel. access-list outside_20_cryptomap extended permit ip 172.16.40.0 255.255.255.0 10.10.10.0 255.255.255.0 !--- Output is suppressed. nat-control global (outside) 1 interface nat (inside) 0 access-list inside_nat0_outbound nat (inside) 1 172.16.1.0 255.255.255.0 !--- The new network is also required to have access to the Internet. !--- So enter an entry into the NAT statement for this new network. nat (inside) 1 172.16.40.0 255.255.255.0 route outside 0.0.0.0 0.0.0.0 192.168.11.100 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout uauth 0:05:00 absolute no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto map outside_map 20 match address outside_20_cryptomap crypto map outside_map 20 set peer 192.168.10.10 crypto map outside_map 20 set transform-set ESP-3DES-SHA crypto map outside_map interface outside crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto isakmp nat-traversal 20 tunnel-group 192.168.10.10 type ipsec-l2l tunnel-group 192.168.10.10 ipsec-attributes pre-shared-key * !--- Output is suppressed. : end ASA-NY-HQ#

ASA-NY-HQ#show running-config 

: Saved
:
ASA Version 7.2(2) 
!
hostname ASA-NY-HQ
domain-name corp2.com
enable password WwXYvtKrnjXqGbu1 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.11.2 255.255.255.0 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.16.1.2 255.255.255.0 
!
interface Ethernet0/2
 nameif Cisco
 security-level 70
 ip address 172.16.40.2 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address 
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name corp2.com
access-list inside_nat0_outbound extended permit ip 172.16.1.0 
 255.255.255.0 10.10.10.0 255.255.255.0 


!--- You must be sure that you configure the !--- opposite of these access control lists !--- on the other end of the VPN tunnel. 


access-list inside_nat0_outbound extended permit ip 172.16.40.0 
 255.255.255.0 10.10.10.0 255.255.255.0 

access-list outside_20_cryptomap extended permit ip 172.16.1.0 
 255.255.255.0 10.10.10.0 255.255.255.0 


!--- You must be sure that you configure the !--- opposite of these access control lists !--- on the other end of the VPN tunnel. 


access-list outside_20_cryptomap extended permit ip 172.16.40.0 
 255.255.255.0 10.10.10.0 255.255.255.0 


!--- Output is suppressed.


nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.16.1.0 255.255.255.0


!--- The new network is also required to have access to the Internet. !--- So enter an entry into the NAT statement for this new network.


nat (inside) 1 172.16.40.0 255.255.255.0

route outside 0.0.0.0 0.0.0.0 192.168.11.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 192.168.10.10 
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group 192.168.10.10 type ipsec-l2l
tunnel-group 192.168.10.10 ipsec-attributes
 pre-shared-key *

!--- Output is suppressed.

: end
ASA-NY-HQ#

从 IPSec 隧道中删除网络

使用此步骤从IPSec隧道配置中删除网络。此处，请考虑网络172.16.40.0/24已从NY(HQ)安全设备配置中删除。

从隧道中删除网络之前，请先切断 IPSec 连接，这将同时清除与第 2 阶段相关的安全关联。
```
ASA-NY-HQ# clear crypto ipsec sa
```
按如下所示清除与第 1 阶段相关的安全关联
```
ASA-NY-HQ# clear crypto isakmp sa
```

删除 IPSec 隧道的相关数据流 ACL。

ASA-NY-HQ(config)# no access-list outside_20_cryptomap extended permit ip 172.16.40.0 
 255.255.255.0 10.10.10.0 255.255.255.0

由于无需对数据流进行 NAT，因此删除 ACL (inside_nat0_outbound)。

ASA-NY-HQ(config)# no access-list inside_nat0_outbound extended permit ip 172.16.40.0 
 255.255.255.0 10.10.10.0 255.255.255.0

如下所示清除 NAT 转换
```
ASA-NY-HQ# clear xlate
```
每当修改隧道配置时，都请删除并重新应用以下 crypto 命令以采用外部接口中的最新配置
```
ASA-NY-HQ(config)# crypto map outside_map interface outside
ASA-NY-HQ(config)# crypto isakmp enable outside
```
使用 write memory 将活动配置保存到闪存中。
对另一端（TN 安全设备）执行相同的过程以删除配置。
启动 IPSec 隧道并验证连接。