Cấu hình vpn site to site bằng 2 Asa5505
Nhu cầu của công ty em muốn thiết lập 1 đường vpn site to site bằng 2 con Asa5505 theo mô hinh mạng dưới đây
Hai đầu mút bao gồm:
Một đầu dùng Lease line và một đầu dùng ADSL Maxxi Plus (1 IP tỉnh) thông tin về IP như trong mô hình (chú ý giúp em các chữ thay thế cho số tưng ứng với cấu hình bên dưới)
Em đã xây dựng hệ thống cho cả hai bên theo cấu hình bên dưới:
1. Đầu dùng đường truyền ADSL:
2. Đầu dùng đường truyền leaselineHTML Code:ASA Version 7.2(4) ! hostname vdt-asa-H3 domain-name abc.com.vn enable password yddQK/UKIgJ/zubh encrypted passwd yddQK/UKIgJ/zubh encrypted names dns-guard ! interface Vlan1 nameif inside security-level 100 ip address 192.168.100.1 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 pppoe client vpdn group megavnn ip address pppoe ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! ftp mode passive dns server-group DefaultDNS domain-name abc.com.vn object-group icmp-type ping icmp-object echo-reply icmp-object source-quench icmp-object unreachable icmp-object time-exceeded icmp-object echo access-list Allow-In extended permit icmp any any object-group ping access-list Allow-In extended permit 23 any any access-list Allow-In extended permit gre any any access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 10.0.2.0 255.255.255.0 access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 10.0.2.0 255.255.255.0 pager lines 24 logging asdm informational mtu inside 1500 mtu outside 1492 no failover icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-524.bin no asdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list inside_nat0_outbound nat (inside) 1 0.0.0.0 0.0.0.0 access-group Allow-In in interface outside route outside 0.0.0.0 0.0.0.0 A.A.A.A 1 route outside 10.0.2.0 255.255.255.0 A.B.C.E 1 ! router rip network 10.0.0.0 version 2 ! timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute aaa authentication ssh console LOCAL http server enable http 192.168.100.0 255.255.255.0 inside http authentication-certificate outside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto map outside_map 1 match address outside_1_cryptomap crypto map outside_map 1 set pfs group1 crypto map outside_map 1 set peer A.B.C.E crypto map outside_map 1 set transform-set ESP-3DES-SHA crypto map outside_map interface outside crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 telnet 192.168.100.0 255.255.255.0 inside telnet timeout 5 console timeout 0 vpdn group megavnn request dialout pppoe vpdn group megavnn localname ABC vpdn group megavnn ppp authentication pap vpdn username ABC password ********* store-local dhcpd dns 203.162.4.190 dhcpd auto_config outside ! dhcpd address 192.168.100.200-192.168.100.250 inside dhcpd enable inside ! username khoapa password cognKwJugQmNVNoy encrypted tunnel-group A.B.C.E type ipsec-l2l tunnel-group A.B.C.E ipsec-attributes pre-shared-key * ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp ! service-policy global_policy global prompt hostname context Cryptochecksum:aa4c9cfdcf0a79095fbf1ae0e0414ddd : end
Em cấu hình xong, nhưng địa chỉ private của cả hai đầu dều không thể ping tới nhau. Anh chị xem giúp em cầu hinh bên trên đã đúng chưa ah.HTML Code:ASA Version 7.2(4) ! hostname vdt-asa-THD domain-name abc.com.vn enable password yddQK/UKIgJ/zubh encrypted passwd yddQK/UKIgJ/zubh encrypted names dns-guard ! interface Vlan1 nameif inside security-level 100 ip address 10.0.2.1 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 ip address A.B.C.E 255.255.255.240 ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! ftp mode passive dns server-group DefaultDNS domain-name abc.com.vn object-group icmp-type ping icmp-object echo-reply icmp-object source-quench icmp-object unreachable icmp-object time-exceeded icmp-object echo access-list Allow-In extended permit icmp any any object-group ping access-list Allow-In extended permit 23 any any access-list inside_nat0_outbound extended permit ip 10.0.2.0 255.255.255.0 192.168.100.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 10.0.2.0 255.255.255.0 192.168.100.0 255.255.255.0 pager lines 24 logging asdm informational mtu inside 1500 mtu outside 1500 no failover icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-524.bin no asdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list inside_nat0_outbound nat (inside) 1 0.0.0.0 0.0.0.0 access-group Allow-In in interface outside route outside 0.0.0.0 0.0.0.0 A.B.C.E 1 route outside 192.168.100.0 255.255.255.0 A.A.A.A 1 ! router rip network 192.168.100.0 version 2 ! timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute aaa authentication ssh console LOCAL http server enable http 10.0.2.0 255.255.255.0 inside http authentication-certificate outside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto map outside_map 2 match address outside_2_cryptomap crypto map outside_map 2 set pfs group1 crypto map outside_map 2 set peer A.A.A.A crypto map outside_map 2 set transform-set ESP-3DES-SHA crypto map outside_map interface outside crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 telnet 10.0.2.0 255.255.255.0 inside telnet timeout 5 console timeout 0 dhcpd dns 210.245.24.22 dhcpd auto_config outside ! dhcpd address 10.0.2.100-10.0.2.250 inside dhcpd enable inside ! username khoapa password cognKwJugQmNVNoy encrypted tunnel-group A.A.A.A type ipsec-l2l tunnel-group A.A.A.A ipsec-attributes pre-shared-key * ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp ! service-policy global_policy global prompt hostname context Cryptochecksum:d2b21d26569fc21f12724e2d63456836 : end
Cho em hỏi thêm là liệu IP route của thằng lease line nó có ảnh hưởng gì trong trường hợp này không vì địa chỉ lớp ngoài của Asa em sữ dụng địa chỉ IP Route
Em cám ơn anh chị nhiều
Reply With Quote
