I. Overview:
1.1 Diagram:
1.2 Requirements:
Deploy a Remote Access VPN on an ASA that sits behind a NAT router.
II. Configuration:
2.1 ASA configuration:
ASA Version 9.2(1)
!
hostname ASA1
domain-name svuit.com
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd jDUXMyqeIzxQIVgK encrypted
names
ip local pool SVUIT_easy_vpn_pool 10.1.1.1-10.1.1.126 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.16.1.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns server-group GoogleDNS
 name-server 8.8.8.8
 name-server 8.8.4.4
 domain-name svuit.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network DMZ-SUBNET
 subnet 192.168.2.0 255.255.255.0
object network INSIDE-SUBNET
 subnet 192.168.1.0 255.255.255.0
object network VPN-TUNNEL
 subnet 10.1.1.0 255.255.255.128
object network WEB-SERVER
 host 192.168.2.20
object network DNS-SERVER
 host 192.168.2.10
object network NAT-WEB-IP
 host 172.16.1.3
access-list SVUIT_splitTunnelAcl standard permit 172.16.1.0 255.255.255.0
access-list SVUIT_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list SVUIT_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 192.168.2.20 eq www
access-group outside_access_in in interface outside
pager lines 23
mtu management 1500
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-72145.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static INSIDE-SUBNET INSIDE-SUBNET destination static VPN-TUNNEL VPN-TUNNEL no-proxy-arp route-lookup
nat (DMZ,outside) source static DMZ-SUBNET DMZ-SUBNET destination static VPN-TUNNEL VPN-TUNNEL no-proxy-arp route-lookup
nat (outside,outside) source dynamic VPN-TUNNEL interface
!
object network DMZ-SUBNET
 nat (DMZ,outside) dynamic interface
object network INSIDE-SUBNET
 nat (inside,outside) dynamic interface
object network WEB-SERVER
 nat (DMZ,outside) static NAT-WEB-IP service tcp www www
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.0.0.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SVUIT_CRYPTO_MAP 100 set ikev1 transform-set ESP-DES-MD5
crypto map outside_map 100 ipsec-isakmp dynamic SVUIT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet 10.0.0.0 255.255.255.0 management
no telnet timeout
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
!
tls-proxy maximum-session 500
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
group-policy SVUIT internal
group-policy SVUIT attributes
 dns-server value 192.168.2.10 4.2.2.2
 vpn-tunnel-protocol ikev1
 password-storage enable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SVUIT_splitTunnelAcl
 default-domain value svuit.com
 split-tunnel-all-dns disable
username admin password fbFbxQS63ePiLd41 encrypted privilege 15
username vpnuser1 password 4/M7B0YaP2FnP/il encrypted privilege 0
username vpnuser1 attributes
 vpn-group-policy SVUIT
tunnel-group SVUIT type remote-access
tunnel-group SVUIT general-attributes
 address-pool SVUIT_easy_vpn_pool
 default-group-policy SVUIT
tunnel-group SVUIT ipsec-attributes
 ikev1 pre-shared-key svuit.com
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 27
  subscribe-to-alert-group configuration periodic monthly 27
  subscribe-to-alert-group telemetry periodic daily
password encryption aes
Cryptochecksum:4c08066afe4b3fa8c7f54d0fd7e36fbd
: end
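The ASA above terminates IKEv1 on a private outside address (172.16.1.2), so the GPON gateway in section 2.2 has to forward the IKE and IPsec-encapsulation ports to that address. The same config negotiates DES with MD5 (transform-set ESP-DES-MD5), DES and DH group 2 in IKEv1 policy 150, dh-group1-sha1 for SSH key exchange, and lets clients keep the pre-shared key locally (password-storage enable). The script below is an added example, not code from the original post or from Cisco: it parses running-config text, lists the forwards the NAT router needs, and flags those weak choices. SAMPLE_CONFIG is a constructed excerpt of the config above; listing UDP/4500 assumes IKEv1 NAT-T is at its ASA default (enabled, and therefore not printed in the running-config).

```python
# Added example: a lint for the ASA running-config above (not the post's own code).
# SAMPLE_CONFIG is a constructed excerpt of that config; the functions accept
# the full "show running-config" text as well.
import re

SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 172.16.1.2 255.255.255.0
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
ssh key-exchange group dh-group1-sha1
group-policy SVUIT attributes
 password-storage enable
 ipsec-udp enable
 ipsec-udp-port 10000
"""

WEAK_CIPHERS = {"des", "3des", "esp-des", "esp-3des", "esp-null"}
WEAK_HASHES = {"md5", "esp-md5-hmac"}
WEAK_DH_GROUPS = {"1", "2", "5"}  # MODP groups below 2048 bits


def _blocks(config):
    """Yield (command, [indented sub-commands]) for each top-level command."""
    cmd, sub = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            sub.append(raw.strip())
            continue
        if cmd is not None:
            yield cmd, sub
        cmd, sub = raw.strip(), []
    if cmd is not None:
        yield cmd, sub


def outside_ip(config):
    """Address of the interface named 'outside': the DNAT target on the router."""
    for cmd, sub in _blocks(config):
        if cmd.startswith("interface ") and "nameif outside" in sub:
            return next((l.split()[2] for l in sub if l.startswith("ip address ")), None)
    return None


def required_forwards(config):
    """(proto, port, reason) tuples the NAT router must forward to outside_ip()."""
    fw = []
    if re.search(r"^crypto ikev1 enable \S+", config, re.M):
        fw.append(("udp", 500, "IKEv1/ISAKMP"))
        # Assumption: NAT-T is on by ASA default and absent from the running-config.
        fw.append(("udp", 4500, "IKEv1 NAT-T"))
    m = re.search(r"^crypto ikev1 ipsec-over-tcp port (\d+)", config, re.M)
    if m:
        fw.append(("tcp", int(m.group(1)), "IPsec over TCP"))
    for cmd, sub in _blocks(config):
        if cmd.startswith("group-policy ") and "ipsec-udp enable" in sub:
            port = 10000  # ASA default when ipsec-udp-port is not set
            for line in sub:
                if line.startswith("ipsec-udp-port "):
                    port = int(line.split()[1])
            fw.append(("udp", port, "Cisco IPsec over UDP (%s)" % cmd.split()[1]))
    return fw


def weak_settings(config):
    """Findings for algorithm and credential choices that should be changed."""
    findings = []
    for m in re.finditer(r"^crypto ipsec ikev1 transform-set (\S+) (.+)$", config, re.M):
        for alg in m.group(2).split():
            if alg in WEAK_CIPHERS | WEAK_HASHES:
                findings.append("transform-set %s uses %s" % (m.group(1), alg))
    for cmd, sub in _blocks(config):
        if cmd.startswith("crypto ikev1 policy "):
            for line in sub:
                key, _, val = line.partition(" ")
                if ((key == "encryption" and val in WEAK_CIPHERS)
                        or (key == "hash" and val in WEAK_HASHES)
                        or (key == "group" and val in WEAK_DH_GROUPS)):
                    findings.append("%s: %s %s" % (cmd, key, val))
        if cmd.startswith("group-policy ") and "password-storage enable" in sub:
            findings.append("%s: clients may store the PSK/password locally" % cmd)
    if re.search(r"^ssh key-exchange group dh-group1-sha1", config, re.M):
        findings.append("ssh key-exchange uses dh-group1-sha1 (1024-bit DH)")
    return findings


if __name__ == "__main__":
    print("Forward to %s on the NAT router:" % outside_ip(SAMPLE_CONFIG))
    for proto, port, why in required_forwards(SAMPLE_CONFIG):
        print("  %s/%d  %s" % (proto, port, why))
    print("Weak settings:")
    for finding in weak_settings(SAMPLE_CONFIG):
        print("  -", finding)
```

Run it against the full `show running-config` output to get the same two lists for a real box. The published web server (NAT-WEB-IP 172.16.1.3, TCP/80) needs its own forward on the gateway; the script only derives the VPN ports. Replacing the flagged settings with an AES/SHA-2 transform set, an IKEv1 policy using a 2048-bit or larger DH group (or IKEv2 where the client supports it), and `no password-storage enable` clears the findings.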
2.2 NAT router (GPON gateway) configuration: