Cisco ASA template

Updated: July 2015

The template below applies to Cisco ASA series devices. Use it as a guide. For support for your VPN device, contact the device manufacturer.

For a list of all available device templates, see About VPN devices and gateways for virtual network connectivity. For information about configuring a device template for your environment, see About configuring VPN device templates.

! Microsoft Corporation
! Microsoft Azure Virtual Network

! This configuration template applies to Cisco ASA 5500 Series Adaptive Security Appliances running ASA Software 8.3.
! It configures an IPSec VPN tunnel connecting your on-premise VPN device with the Azure gateway.

! ---------------------------------------------------------------------------------------------------------------------
! ACL and NAT rules
! 
! Proper ACL and NAT rules are needed for permitting cross-premise network traffic. The NAT rule below is an
! identity (NAT-exempt) rule: traffic between the two networks keeps its real addresses so that it matches the
! crypto ACL and the Azure side's traffic selectors.
! You should also allow inbound UDP/500, UDP/4500 (NAT-T) and ESP (IP protocol 50) on the interface which will
! be used for the IPSec tunnel.
object-group network <RP_AzureNetwork>
 network-object <SP_AzureNetworkIpRange> <SP_AzureNetworkSubnetMask>
 exit
object-group network <RP_OnPremiseNetwork>
 network-object <SP_OnPremiseNetworkIpRange> <SP_OnPremiseNetworkSubnetMask>
 exit
access-list <RP_AccessList> extended permit ip object-group <RP_OnPremiseNetwork> object-group <RP_AzureNetwork>
nat (inside,outside) source static <RP_OnPremiseNetwork> <RP_OnPremiseNetwork> destination static <RP_AzureNetwork> <RP_AzureNetwork>

! ---------------------------------------------------------------------------------------------------------------------
! Internet Key Exchange (IKE) configuration
! 
! This section specifies the authentication, encryption, hashing, Diffie-Hellman, and lifetime parameters for the Phase
! 1 negotiation and the main mode security association. We have picked an arbitrary policy # "10" as an example. If
! that happens to conflict with an existing policy, you may choose to use a different policy #.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
 exit

! ---------------------------------------------------------------------------------------------------------------------
! IPSec configuration
! 
! This section specifies encryption, authentication, and lifetime properties for the Phase 2 negotiation and the quick
! mode security association. 
crypto ipsec transform-set <RP_IPSecTransformSet> esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000

! ---------------------------------------------------------------------------------------------------------------------
! Crypto map configuration
!
! This section defines a crypto map that binds the cross-premise network traffic to the
! IPSec transform set and remote peer. We have picked an arbitrary ID # "10" as an example. If
! that happens to conflict with an existing crypto map, you may choose to use a different ID #.
crypto map <RP_IPSecCryptoMap> 10 match address <RP_AccessList>
crypto map <RP_IPSecCryptoMap> 10 set peer <SP_AzureGatewayIpAddress>
crypto map <RP_IPSecCryptoMap> 10 set transform-set <RP_IPSecTransformSet>
crypto map <RP_IPSecCryptoMap> interface outside

! ---------------------------------------------------------------------------------------------------------------------
! Tunnel configuration
!
! This section defines an IPSec site-to-site tunnel connecting to the Azure gateway and specifies the pre-shared key
! value used for Phase 1 authentication.  
tunnel-group <SP_AzureGatewayIpAddress> type ipsec-l2l
tunnel-group <SP_AzureGatewayIpAddress> ipsec-attributes
 pre-shared-key <SP_PresharedKey>
 exit

! ---------------------------------------------------------------------------------------------------------------------
! TCPMSS clamping
!
! Adjust the TCPMSS value properly to avoid fragmentation
sysopt connection tcpmss 1350

Important

Cisco ASA series devices do not support Azure dynamic routing gateways; use this template with a static routing gateway.
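To show how the placeholders above fit together, here is an added example in Python that renders the template from CIDR inputs and applies the checks a practitioner would want before pasting the result into an ASA. It is not Microsoft's or Cisco's own tooling. It assumes the `inside`/`outside` interface names the template already uses, object-group names `AzureNetwork`/`OnPremiseNetwork`, ACL, crypto map and transform-set names of its own, a minimum pre-shared-key length that is this example's policy rather than an Azure or Cisco rule, and the per-packet ESP overhead figures used in `tcp_mss_for_mtu`. The sample addresses at the bottom are constructed.

```python
import ipaddress
import secrets
import string


def net_and_mask(cidr: str) -> tuple[str, str]:
    """Convert '10.1.0.0/16' to ('10.1.0.0', '255.255.0.0'), the form the ASA
    network-object command takes. strict=True rejects a host address such as
    10.1.0.5/16 instead of silently rounding it down to the network."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.netmask)


def generate_psk(length: int = 32) -> str:
    """Pre-shared key from the OS CSPRNG. Letters and digits only so it pastes
    into the ASA CLI and the Azure portal without quoting trouble (a choice
    made for this example, not an Azure or Cisco rule)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def check_psk(psk: str, minimum: int = 16) -> None:
    """Reject obviously weak or unusable keys. The minimum length is this
    example's own policy; whitespace is refused because the key is entered
    as a single token on the ASA pre-shared-key command line."""
    if len(psk) < minimum:
        raise ValueError(f"pre-shared key shorter than {minimum} characters")
    if any(c.isspace() for c in psk):
        raise ValueError("pre-shared key must not contain whitespace")


def tcp_mss_for_mtu(mtu: int = 1500) -> int:
    """Largest TCP MSS that keeps an ESP tunnel-mode packet within the MTU for
    the esp-aes-256 / esp-sha-hmac transform set. Assumed worst-case overhead:
    outer IPv4 20, ESP header 8, AES-CBC IV 16, ESP trailer up to 17 (15 pad +
    pad length + next header), SHA1-96 ICV 12, inner IPv4 20, TCP 20. The
    template's 1350 is deliberately lower, leaving room for TCP options and
    any extra encapsulation (such as NAT-T's UDP header) on the path."""
    overhead = 20 + 8 + 16 + 17 + 12 + 20 + 20
    return mtu - overhead


def render_asa_config(on_prem_cidr, azure_cidr, azure_gateway_ip, psk, *,
                      acl_name="azure-vpn-acl", crypto_map="azure-vpn-map",
                      transform_set="azure-vpn-ts", seq=10):
    """Fill in the template's placeholders. Raises ValueError if the two
    address ranges overlap: the crypto ACL and identity-NAT rule would then
    also match traffic that should never leave the on-premises network."""
    on_prem = ipaddress.ip_network(on_prem_cidr, strict=True)
    azure = ipaddress.ip_network(azure_cidr, strict=True)
    if on_prem.overlaps(azure):
        raise ValueError(f"address ranges overlap: {on_prem} and {azure}")
    gw = str(ipaddress.ip_address(azure_gateway_ip))  # ValueError if malformed
    check_psk(psk)
    on_net, on_mask = net_and_mask(on_prem_cidr)
    az_net, az_mask = net_and_mask(azure_cidr)
    lines = [
        "object-group network AzureNetwork",
        f" network-object {az_net} {az_mask}",
        " exit",
        "object-group network OnPremiseNetwork",
        f" network-object {on_net} {on_mask}",
        " exit",
        f"access-list {acl_name} extended permit ip "
        "object-group OnPremiseNetwork object-group AzureNetwork",
        # Identity (twice) NAT: cross-premises traffic keeps its real addresses,
        # so it matches the crypto ACL and the Azure side's traffic selectors.
        "nat (inside,outside) source static OnPremiseNetwork OnPremiseNetwork "
        "destination static AzureNetwork AzureNetwork",
        "crypto isakmp enable outside",
        f"crypto isakmp policy {seq}",
        " authentication pre-share", " encryption aes-256", " hash sha",
        " group 2", " lifetime 28800", " exit",
        f"crypto ipsec transform-set {transform_set} esp-aes-256 esp-sha-hmac",
        "crypto ipsec security-association lifetime seconds 3600",
        "crypto ipsec security-association lifetime kilobytes 102400000",
        f"crypto map {crypto_map} {seq} match address {acl_name}",
        f"crypto map {crypto_map} {seq} set peer {gw}",
        f"crypto map {crypto_map} {seq} set transform-set {transform_set}",
        f"crypto map {crypto_map} interface outside",
        f"tunnel-group {gw} type ipsec-l2l",
        f"tunnel-group {gw} ipsec-attributes",
        f" pre-shared-key {psk}",
        " exit",
        "sysopt connection tcpmss 1350",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample values; the gateway address is from TEST-NET-3.
    key = generate_psk()
    print(render_asa_config("10.1.0.0/16", "10.2.0.0/16", "203.0.113.10", key))
    print("! largest MSS for a 1500-byte MTU:", tcp_mss_for_mtu())
```

The overlap check is the one most worth keeping: an on-premises range that contains the Azure range produces an ACL and NAT rule that quietly swallow local traffic, and the IKE/IPsec values themselves are left exactly as the template states them so that the output still matches what the Azure gateway negotiates.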

© 2015 Microsoft