Lab 1.3 VPN Site to Site ASA 5520 vs DrayTek 2820

Discussion in 'Draytek' started by thanhdc, Aug 29, 2014.

    I. Topology:
    [IMG]

    II. Requirements:

    • Configure NAT on the ASA so that the client can reach the Internet (can ping addresses on the Internet).
    • Configure a Site-to-Site VPN between the ASA 5520 and the DrayTek 2820.
    • Use IPSec VPN: IKEv1, DES (encryption), SHA (authentication)


    III. Configuration:
    3.0 Simulated ISP:
    Code:
    ISP#show running-config | begin interface
        interface FastEthernet0/0
         ip address 100.100.100.1 255.255.255.248
        !
        interface FastEthernet0/1
         ip address 200.200.200.1 255.255.255.248
        ! 
        interface Loopback1
         ip address 1.1.1.1 255.255.255.255
        !
        interface Loopback2
         ip address 2.2.2.2 255.255.255.255
        !
        interface Loopback3
         ip address 3.3.3.3 255.255.255.0
        !

    3.1 Configuration on the ASA:
    3.1.1 Basic configuration:

    Code:
    ciscoasa(config)# show running-config interface
        !
        interface GigabitEthernet0
         nameif outside
         security-level 0
         ip address 100.100.100.3 255.255.255.248
        !
        interface GigabitEthernet1
         nameif inside
         security-level 100
         ip address 10.1.1.1 255.255.255.0
        !
        interface GigabitEthernet2
         shutdown
         no nameif
         no security-level
         no ip address

    ciscoasa# show running-config route
        route outside 0.0.0.0 0.0.0.0 100.100.100.1 1

    ciscoasa# show running-config object
        object network INSIDE_ASA
         subnet 10.1.1.0 255.255.255.0
        object network LAN_DrayTek
         subnet 10.2.2.0 255.255.255.0

    ciscoasa# show running-config nat
        nat (inside,outside) source static INSIDE_ASA INSIDE_ASA destination static LAN_DrayTek LAN_DrayTek no-proxy-arp route-lookup
        nat (inside,outside) source dynamic INSIDE_ASA interface

    ciscoasa# show running-config access-list
        access-list Outside_In extended permit icmp any any        (allows ping from anywhere...)
        access-list VPN_Traffic extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

    ciscoasa# show running-config access-group
        access-group Outside_In in interface outside

    3.1.2 IPSec Site-to-Site VPN configuration

    Code:
    ciscoasa# show running-config crypto
        crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
        crypto map ASA-DrayTek 10 match address VPN_Traffic
        crypto map ASA-DrayTek 10 set connection-type answer-only
        crypto map ASA-DrayTek 10 set peer 200.200.200.2
        crypto map ASA-DrayTek 10 set ikev1 transform-set ESP-DES-SHA
        crypto map ASA-DrayTek interface outside
        crypto ikev1 enable outside
        crypto ikev1 policy 150
         authentication pre-share
         encryption des
         hash sha
         group 1
         lifetime 86400

    ciscoasa# show running-config group-policy
        group-policy GP_Lab_VPN_ASA_DrayTek internal
        group-policy GP_Lab_VPN_ASA_DrayTek attributes
         vpn-tunnel-protocol ikev1

    ciscoasa# show running-config tunnel-group
        tunnel-group 200.200.200.2 type ipsec-l2l
        tunnel-group 200.200.200.2 general-attributes
         default-group-policy GP_Lab_VPN_ASA_DrayTek
        tunnel-group 200.200.200.2 ipsec-attributes
         ikev1 pre-shared-key svuit.com

    3.2 Configuration on the DrayTek 2820:

    [IMG]

    [IMG]

    [IMG]

    [IMG]

    [IMG]

    IV. Result:
    [IMG]

    Last edited: Aug 30, 2014
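
An added example, not part of the original post: a small Python lint for an ASA running-config in the shape shown in section 3.1. It reports `nat` lines that reference network objects that are not defined, and IKEv1/ESP parameters on an assumed weak list (DES, MD5, DH group 1); the sample config, the function name `audit` and the weak lists are constructed for this example.

```python
import re

# Constructed sample in the shape of the lab's running-config.
# The first nat line deliberately uses a name that is not a defined object.
SAMPLE = """\
object network INSIDE_ASA
 subnet 10.1.1.0 255.255.255.0
object network LAN_DrayTek
 subnet 10.2.2.0 255.255.255.0
nat (inside,outside) source static INSIDE-ASA INSIDE-ASA destination static LAN_DrayTek LAN_DrayTek no-proxy-arp route-lookup
nat (inside,outside) source dynamic INSIDE_ASA interface
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
"""

# Assumed audit baseline, not taken from the post.
WEAK_IKE = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}
WEAK_ESP = {"esp-des", "esp-md5-hmac"}

def audit(config):
    """Return sorted findings for undefined nat objects and weak crypto settings."""
    objects = set(re.findall(r"^\s*object network (\S+)", config, re.M))
    findings, policy = [], None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if not raw[0].isspace():
            # A top-level line opens an IKEv1 policy block or closes the current one.
            policy = tok[3] if tok[:3] == ["crypto", "ikev1", "policy"] and len(tok) > 3 else None
        elif policy and tok[0] in WEAK_IKE and len(tok) > 1 and tok[1] in WEAK_IKE[tok[0]]:
            findings.append(f"ikev1 policy {policy}: weak {tok[0]} {tok[1]}")
        if tok[0] == "nat":
            # The two tokens after static/dynamic are the real and mapped objects.
            for i, t in enumerate(tok):
                if t in ("static", "dynamic"):
                    for name in tok[i + 1:i + 3]:
                        if name not in ("interface", "any") and name not in objects:
                            findings.append(f"nat: undefined object {name}")
        if tok[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            findings += [f"transform-set {tok[4]}: weak {t}" for t in tok[5:] if t in WEAK_ESP]
    return sorted(set(findings))
```
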
