This post was last edited by q634153517 on 2018-10-30 10:53.
As the title says, could someone point out where the problem is? The configuration is as follows.
ASA configuration
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0
interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ip address 10.136.25.254 255.255.255.0
object network go-internet
 subnet 10.136.0.0 255.255.0.0
object network pat-pool
 range 1.1.1.1 1.1.1.2
object network Inside
 subnet 10.136.64.0 255.255.192.0
object network IDC
 subnet 10.132.0.0 255.255.0.0
access-list out-to-in extended permit icmp any any
access-list out-to-in extended permit ip any any
access-list out-to-in extended permit tcp any any
access-list out-to-in extended permit udp any any
access-list vpn extended permit ip object Inside object IDC
nat (inside,outside) source dynamic go-internet pat-pool pat-pool
nat (inside,outside) source static Inside Inside destination static IDC IDC
access-group out-to-in in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.254
route inside 10.136.0.0 255.255.0.0 10.136.25.1
crypto ipsec ikev1 transform-set To-IDC esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map cry-map 10 match address vpn
crypto map cry-map 10 set peer 2.2.2.2
crypto map cry-map 10 set ikev1 transform-set To-IDC
crypto map cry-map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key 123
Router configuration
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 123 address 1.1.1.1
crypto ipsec transform-set NEW-BJBAK-OA esp-3des esp-md5-hmac
 mode tunnel
crypto map vpnpeer 1 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set NEW-BJBAK-OA
 match address 125
interface GigabitEthernet0/0
 ip address 2.2.2.2 255.255.255.0
 ip access-group DenyPort in
 ip access-group DenyPort out
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map vpnpeer
interface GigabitEthernet0/1
 ip address 10.132.4.1 255.255.252.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 2.2.2.254
ip access-list extended DenyPort
 deny udp any any eq 445 135 netbios-ns netbios-ss 5357
 deny tcp any any eq 445 135 137 139 5357
 permit ip any any
access-list 100 deny ip 10.132.0.0 0.0.255.255 10.136.64.0 0.0.63.255
access-list 100 permit ip 10.132.4.0 0.0.3.255 any
access-list 125 permit ip 10.132.0.0 0.0.255.255 10.136.64.0 0.0.63.255
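One check a reviewer would run on the ASA half of this post, added here as an example and not part of the original post: the ASA evaluates section-1 (manual) NAT rules top-down, first match, so an identity (NAT-exemption) rule listed after a dynamic PAT rule whose real source already covers it is never reached, and the VPN traffic is PATed instead of exempted and never matches the crypto ACL. The script parses the object and nat lines quoted from the post (constructed excerpt; the range object pat-pool is omitted because only subnet objects are compared) and reports any such shadowed rule.

```python
import ipaddress
import re

# Constructed excerpt: the object and manual-NAT lines of the ASA config posted above.
ASA_CONFIG = """
object network go-internet
 subnet 10.136.0.0 255.255.0.0
object network Inside
 subnet 10.136.64.0 255.255.192.0
object network IDC
 subnet 10.132.0.0 255.255.0.0
nat (inside,outside) source dynamic go-internet pat-pool pat-pool
nat (inside,outside) source static Inside Inside destination static IDC IDC
"""
NAT_RE = re.compile(r"nat \(\S+\) source (dynamic|static) (\S+) (\S+)(?: destination static (\S+) \S+)?")

def parse_subnet_objects(config):
    """Map 'object network' names to networks (subnet objects only; range objects are skipped)."""
    objects, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            current = m.group(1)
        m = re.match(r"\s+subnet (\S+) (\S+)", line)
        if m and current:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
    return objects

def parse_manual_nat(config):
    """Section-1 (manual) NAT rules in the order the ASA evaluates them: top-down, first match."""
    rules = []
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            kind, real, mapped, dst = m.groups()
            rules.append({"kind": kind, "real": real, "identity": real == mapped, "dst": dst})
    return rules

def shadowed_identity_rules(config):
    """Identity (NAT-exemption) rules listed after a dynamic rule with no destination that covers them."""
    objs = parse_subnet_objects(config)
    rules = parse_manual_nat(config)
    findings = []
    for i, rule in enumerate(rules):
        if not (rule["kind"] == "static" and rule["identity"] and rule["dst"]):
            continue
        for earlier in rules[:i]:  # earlier dynamic rule matches first, so the traffic is PATed
            if earlier["kind"] == "dynamic" and earlier["dst"] is None and objs[rule["real"]].subnet_of(objs[earlier["real"]]):
                findings.append((earlier["real"], rule["real"], rule["dst"]))
    return findings
```

Moving the identity rule above the dynamic rule (or giving it an explicit lower line number) makes the report empty.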