------------------------服务端
sever-set# sh run
: Saved
:
ASA Version 8.4(1)
!
hostname sever-set
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.100.221 255.255.255.0
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/0
nameif inside
security-level 100
ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet1/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
access-list 110 extended permit icmp any any
access-list vpn extended permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group 110 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.100.222 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set cisco esp-3des esp-sha-hmac
crypto map cisco 10 match address vpn
crypto map cisco 10 set peer 192.168.100.222
crypto map cisco 10 set trustpoint cisco
crypto map cisco interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 192.168.100.222 type ipsec-l2l
tunnel-group 192.168.100.222 ipsec-attributes
ikev1 pre-shared-key csico
----------------------------------------------------客户端
set1# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname set1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif outside
security-level 0
ip address 192.168.100.222 255.255.255.0
!
interface Vlan2
nameif inside
security-level 100
ip address 2.2.2.2 255.255.255.0
!
ftp mode passive
access-list 110 extended permit icmp any any
access-list vpn extended permit ip 2.2.2.0 255.255.255.0 1.1.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group 110 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.100.221 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set cisco esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map cisco 10 match address vpn
crypto map cisco 10 set peer 192.168.100.221
crypto map cisco 10 set transform-set cisco
crypto map cisco interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 192.168.100.221 type ipsec-l2l
tunnel-group 192.168.100.221 ipsec-attributes
pre-shared-key *****