Converting a site-to-site VPN from PIX to ASA 8.2

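I have been struggling to convert a configuration from a PIX to ASA 8.2, but I am running into some trouble with the site-to-site VPN portion. The PIX has both client VPN and site-to-site. Since some of the site-to-site configuration overlaps with the client VPN, I am getting confused. Any help would be appreciated.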

Below is just an excerpt of the relevant VPN commands from the PIX.

access-list Remote_splitTunnelAcl permit ip 192.168.0.0 255.255.0.0 any
access-list inside_outbound_nat0_acl permit ip any 192.168.0.160 255.255.255.240
access-list inside_outbound_nat0_acl permit ip host Zenoss_OS NOC 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host SilverBack NOC 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host enoss_Hardware NOC 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.0.160 255.255.255.240
access-list outside_cryptomap_20 permit ip host Zenoss_OS NOC 255.255.255.0
access-list outside_cryptomap_20 permit ip host SilverBack NOC 255.255.255.0
access-list outside_cryptomap_20 permit ip host Zenoss_Hardware NOC 255.255.255.0
ip local pool DHCP_Pool 192.168.0.161-192.168.0.174
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-vpn
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 205.x.29.41
crypto map outside_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp key KEY address 205.x.29.41 netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 180
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup GHA_Remote address-pool DHCP_Pool
vpngroup GHA_Remote dns-server 192.168.0.11
vpngroup GHA_Remote wins-server 192.168.0.11
vpngroup GHA_Remote default-domain x.org
vpngroup GHA_Remote split-tunnel Remote_splitTunnelAcl
vpngroup GHA_Remote idle-time 1800
vpngroup GHA_Remote password KEY

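I guess what I am really asking is whether someone could convert just the site-to-site portion of this VPN configuration to ASA 8.2, so that I can compare it with what I have. I need this so I can put it in place and have it work.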

It also seems that isakmp policy 40 is the one being used, correct?

The following command is the only one I cannot enter directly:

 crypto map outside_map 20 ipsec-isakmp 

I get an error: % Incomplete command. Then I see that I need to add dynamic "dynamic map name". I am not sure which dynamic map I need to put here.

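Why are you doing this manually? Cisco provides a PIX to ASA migration tool. Run your configuration through it, then validate the results before you put it into production (and stop using DES encryption; use 3des or aes).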

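Edit:
Sorry. It has been a while since I used the migration tool. I thought it handled the VPN stuff. This is what your configuration should look like. There was a lot of extra stuff in there that you don't need if you are only doing site-to-site, so I took it out. I also changed your encryption to 3des: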

access-list inside_outbound_nat0_acl permit ip any 192.168.0.160 255.255.255.240
access-list inside_outbound_nat0_acl permit ip host Zenoss_OS NOC 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host SilverBack NOC 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host enoss_Hardware NOC 255.255.255.0
access-list outside_cryptomap_20 permit ip host Zenoss_OS NOC 255.255.255.0
access-list outside_cryptomap_20 permit ip host SilverBack NOC 255.255.255.0
access-list outside_cryptomap_20 permit ip host Zenoss_Hardware NOC 255.255.255.0

nat (inside) 0 access-list inside_outbound_nat0_acl

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 205.x.29.41
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
tunnel-group 205.x.29.41 type ipsec-l2l
tunnel-group 205.x.29.41 ipsec-attributes
 pre-shared-key KEY
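
The answer's advice to stop using DES can be checked mechanically on the configuration before and after migration. The following is an added example, not part of the original posts: the function name `audit` and both sample strings are constructed here, and it flags DES and MD5 in transform sets, in the crypto map entries that reference them, and in ISAKMP policies, in both the PIX flat form and the ASA nested form.

```python
import re

# Constructed samples: PIX lines from the question's excerpt, ASA lines in the answer's form.
PIX_SAMPLE = """\
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 20 set transform-set ESP-DES-SHA
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 40 encryption des
isakmp policy 40 hash sha
"""
ASA_SAMPLE = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto isakmp policy 20
 encryption 3des
 hash sha
"""
WEAK = {"esp-des": "DES", "des": "DES", "esp-md5-hmac": "MD5", "md5": "MD5"}

def audit(config):
    """Return sorted (object, weakness) pairs for DES or MD5 in IPsec and IKE settings."""
    sets, uses, findings, policy = {}, [], set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():
            policy = None  # an unindented line ends any ASA policy sub-mode
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            sets[m[1]] = [WEAK[t] for t in m[2].split() if t in WEAK]
        elif m := re.match(r"crypto (map|dynamic-map) (\S+) (\d+) set transform-set (.+)", line):
            uses.append((f"{m[1]} {m[2]} {m[3]}", m[4].split()))
        elif m := re.match(r"(?:crypto )?isakmp policy (\d+)(?: (?:encryption|hash) (\S+))?$", line):
            policy = m[1]
            if m[2] in WEAK:  # PIX flat form: "isakmp policy N encryption des"
                findings.add((f"isakmp policy {policy}", WEAK[m[2]]))
        elif policy and (m := re.match(r"(?:encryption|hash) (\S+)$", line)):
            if m[1] in WEAK:  # ASA nested form under "crypto isakmp policy N"
                findings.add((f"isakmp policy {policy}", WEAK[m[1]]))
    for name, weak in sets.items():
        findings.update((f"transform-set {name}", w) for w in weak)
    for entry, names in uses:  # resolve each map entry to the sets it references
        findings.update((entry, w) for n in names for w in sets.get(n, []))
    return sorted(findings)

if __name__ == "__main__":
    for obj, weakness in audit(PIX_SAMPLE):
        print(f"{obj}: {weakness}")
```

Both tunnel endpoints must agree on the proposal, so a finding cleared on the ASA side also requires the matching change on the peer.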