ASA上配置L2TP over IPSec VPN 远程访问VPN笔记

1、定义地址池：

ip local pool L2TPVPNPool 10.1.2.55-10.1.2.59 mask 255.255.255.0

2、定义组策略：

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

 dns-server value 10.1.2.140 10.1.2.35

 vpn-tunnel-protocol l2tp-ipsec

 default-domain value Antec-Beijing.com

3、定义隧道组：

tunnel-group DefaultRAGroup general-attributes

 address-pool L2TPVPNPool

 default-group-policy DefaultRAGroup

tunnel-group DefaultRAGroup ipsec-attributes

 pre-shared-key Antec@1986

tunnel-group DefaultRAGroup ppp-attributes

 authentication chap

 authentication ms-chap-v2

4、启用定义ISAKMP：

crypto isakmp enable outside

crypto isakmp policy 10

 authentication pre-share

 encryption 3des

 hash sha

 group 2

 lifetime 86400

5、定义IPSec转换集：

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

6、定义加密映射集并应用到outside接口：

crypto dynamic-map outside_dyn_map 65535 set transform-set TRANS_ESP_3DES_SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

7、绕过NAT:

access-list inside_nat0_outbound extended permit ip 10.1.2.0 255.255.255.0 10.1.2.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

8、设置NAT穿越，若两个对等体之间存在PAT设备，则IPSec隧道无法传输流量。如果不设置拨号时会报错“789”：

crypto isakmp nat-traversal 30

9、配置本地用户认证：

username antec password antec1986 mschap

username antec attributes

 vpn-group-policy DefaultRAGroup

 vpn-tunnel-protocol IPSec l2tp-ipsec

10、允许流量从一个端口转发出去：

same-security-traffic permit intra-interface

11、启用IPSec hairpinning(发卡)特性，允许VPN客户端流量通过ASA的outside端口访问Internet：

nat (outside) 1 10.1.2.0 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

本文出自 “银凯的博客” 博客，请务必保留此出处http://yinkai.blog.51cto.com/3813923/1575058