Lab 1.3 VPN Site to Site ASA 5520 vs DrayTek 2820

thanhdc

I. Topology:

II. Requirements:

  • Configure NAT on the ASA so the client can get out to the Internet (can ping addresses on the Internet).
  • Configure a Site to Site VPN between the ASA 5520 and the DrayTek 2820.
  • Use IPsec VPN: IKEv1, DES (encryption), SHA (authentication)


III. Configuration:
3.0 Simulated ISP:
Code:
ISP#show running-config | begin interface
    interface FastEthernet0/0
     ip address 100.100.100.1 255.255.255.248
    !
    interface FastEthernet0/1
     ip address 200.200.200.1 255.255.255.248
    ! 
    interface Loopback1
     ip address 1.1.1.1 255.255.255.255
    !
    interface Loopback2
     ip address 2.2.2.2 255.255.255.255
    !
    interface Loopback3
     ip address 3.3.3.3 255.255.255.0
    !

3.1 ASA configuration:
3.1.1 Basic configuration:

Code:
ciscoasa(config)# show running-config interface
    !
    interface GigabitEthernet0
     nameif outside
     security-level 0
     ip address 100.100.100.3 255.255.255.248
    !
    interface GigabitEthernet1
     nameif inside
     security-level 100
     ip address 10.1.1.1 255.255.255.0
    !
    interface GigabitEthernet2
     shutdown
     no nameif
     no security-level
     no ip address



ciscoasa# show running-config route
    route outside 0.0.0.0 0.0.0.0 100.100.100.1 1




ciscoasa# show running-config object
    object network INSIDE_ASA
     subnet 10.1.1.0 255.255.255.0
    object network LAN_DrayTek
     subnet 10.2.2.0 255.255.255.0




ciscoasa# show running-config nat
    nat (inside,outside) source static INSIDE_ASA INSIDE_ASA destination static LAN_DrayTek LAN_DrayTek no-proxy-arp route-lookup
    nat (inside,outside) source dynamic INSIDE_ASA interface


    
ciscoasa# show running-config access-list
    access-list Outside_In extended permit icmp any any       (allow ping freely...)
    access-list VPN_Traffic extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0


    
ciscoasa# show running-config access-group
    access-group Outside_In in interface outside

3.1.2 IPsec VPN Site to Site configuration

Code:
ciscoasa# show running-config crypto
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto map ASA-DrayTek 10 match address VPN_Traffic
    crypto map ASA-DrayTek 10 set connection-type answer-only
    crypto map ASA-DrayTek 10 set peer 200.200.200.2
    crypto map ASA-DrayTek 10 set ikev1 transform-set ESP-DES-SHA
    crypto map ASA-DrayTek interface outside
    crypto ikev1 enable outside
    crypto ikev1 policy 150
     authentication pre-share
     encryption des
     hash sha
     group 1
     lifetime 86400


    
ciscoasa# show running-config group-policy
    group-policy GP_Lab_VPN_ASA_DrayTek internal
    group-policy GP_Lab_VPN_ASA_DrayTek attributes
     vpn-tunnel-protocol ikev1


     
ciscoasa# show running-config tunnel-group
    tunnel-group 200.200.200.2 type ipsec-l2l
    tunnel-group 200.200.200.2 general-attributes
     default-group-policy GP_Lab_VPN_ASA_DrayTek
    tunnel-group 200.200.200.2 ipsec-attributes
     ikev1 pre-shared-key svuit.com
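As an added check, not part of thanhdc's lab, the script below parses the ASA object, NAT and crypto lines from this post (embedded as a constructed sample with the object names spelled exactly as originally posted) and reports NAT rules that reference objects the config never defines, which is the mistake that silently breaks the NAT exemption for VPN traffic, plus DES / DH group 1 style algorithm choices in the IKEv1 policy and transform-set. The weak-algorithm lists are the script's own assumption, not something the lab specifies.

```python
import re

# Constructed sample: the lab's object, NAT and crypto lines as posted, including the
# mismatched object names (INSIDE-ASA vs INSIDE_ASA, LAN-DaryTek vs LAN_DrayTek).
SAMPLE_CONFIG = """\
object network INSIDE_ASA
 subnet 10.1.1.0 255.255.255.0
object network LAN_DrayTek
 subnet 10.2.2.0 255.255.255.0
nat (inside,outside) source static INSIDE-ASA INSIDE-ASA destination static LAN-DaryTek LAN-DreyTek no-proxy-arp route-lookup
nat (inside,outside) source dynamic INSIDE-ASA interface
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
"""

# Assumed review policy (not from the lab): algorithms to flag in IKEv1 / IPsec settings.
WEAK_IKE = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
NAT_RE = re.compile(r"^nat \(\S+\) source (?:static|dynamic) (\S+) (\S+)"
                    r"(?: destination static (\S+) (\S+))?")

def audit_asa(config):
    # Returns NAT rules naming undefined objects first, then weak crypto choices.
    objects, undefined, crypto, policy = set(), [], [], None
    for line in map(str.rstrip, config.splitlines()):
        if line.startswith("object network "):
            objects.add(line.split()[2])
        elif line.startswith("nat ("):
            m = NAT_RE.match(line)
            for name in (m.groups() if m else ()):   # 'interface'/'any' are keywords
                if name and name not in objects | {"interface", "any"} and name not in undefined:
                    undefined.append(name)
        elif line.startswith("crypto ipsec ikev1 transform-set "):
            name, *algs = line.split()[4:]
            crypto += [f"transform-set {name}: weak {a}" for a in algs if a in WEAK_ESP]
        elif line.startswith("crypto ikev1 policy "):
            policy = line.split()[3]          # enter the policy sub-mode
        elif policy and line.startswith(" "):
            key, _, val = line.strip().partition(" ")
            if val in WEAK_IKE.get(key, ()):
                crypto.append(f"ikev1 policy {policy}: weak {key} {val}")
        else:
            policy = None                     # any other top-level line leaves the sub-mode
    return [f"nat references undefined object '{n}'" for n in undefined] + crypto
```

Run `audit_asa` over the output of `show running-config` and an empty list means the NAT names line up and the policy uses none of the flagged algorithms.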

3.2 DrayTek 2820 configuration:

IV. Results:
 