1.基本上网配置
interfaceGigabitEthernet0 ---------配置外网口,定义接口
nameif outside
security-level 0
ip address 101.1.1.100 255.255.255.0
interfaceGigabitEthernet1 -----------配置内网扣,定义接口
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
2、定义object
object network inside_network -------------需要上互联网的sub
subnet 192.168.1.0 255.255.255.0
object network local_network ----------定义本端***网络
subnet 192.168.1.0 255.255.255.0
object network remote_network---------定义远端***网络
subnet 172.16.1.0 255.255.255.0
3、定义ACL
access-list 100 extended permit ip any any ------定义any any互联网ACL
access-list 110 extended permit ip object local_network object remote_network -----定义***感兴趣流量
4、配置NAT
objectnetwork inside_network -------配置PAT
nat (inside,outside) dynamic interface
access-group 100 in interface inside -------将ACL 100应用到inside接口
nat (inside,outside) source static local_network local_network destination static remote_network remote_network /拒绝***流量被NAT
5、配置默认路由
route outside 0.0.0.0 0.0.0.0 101.1.1.1
6、配置IPSEC-***
6.1 IPSEC-***第一阶段ike配置
crypto ikev2 policy 10 ---------定义ikev2策略
encryption aes-256
integrity sha256 md5
group 2
prf sha256 md5
lifetime seconds 86400
tunnel-group 201.1.1.100 type ipsec-l2l ------定义隧道,类型为ipsec-l2l
tunnel-group 201.1.1.100 ipsec-attributes
ikev2 remote-authentication pre-shared-key cisco ------配置预共享密钥为cisco
ikev2 local-authentication pre-shared-key cisco
6.2 IPSEC-***第二阶段ipsec配置
crypto ipsec ikev2 ipsec-proposal cisco -------定义ipsec转换集
protocol esp encryption aes-256
protocol esp integrity md5
6.3 定义map映射绑定策略与ipsec转换集
crypto map cisco 10 match address 110 -----定义crypto map,绑定***感兴趣流ACL 110
crypto map cisco 10 set peer 201.1.1.100-------指定peer对等体公网IP地址
crypto map cisco 10 set ikev2 ipsec-proposal cisco ------调用刚才创建的ipsec转换集
cryptomap cisco interface outside -------将map应用到outside接口
6.4 开启ikev2策略到outside接口
crypto ikev2 enable outside