(Lo:1.1.1.1)R1(F0/0:10.1.1.1)---------(E0/1:10.1.1.2)ASA(E0/2:100.1.1.2)-----------(F0/0:100.1.1.1)R2(Lo:2.2.2.2)
R1#sh running-config
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 100.1.1.1
!
crypto ipsec transform-set wk esp-des esp-md5-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer 100.1.1.1
set transform-set wk
match address 101
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
crypto map vpn
!
ip route 0.0.0.0 0.0.0.0 10.1.1.2
!
access-list 101 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
ciscoasa(config)# sh running-config
interface Ethernet0/1
nameif outside
security-level 0
ip address 10.1.1.2 255.255.255.0
!
interface Ethernet0/2
nameif inside
security-level 100
ip address 100.1.1.2 255.255.255.0
!
access-list out extended permit icmp any any
! ESP traffic between the encryption endpoints
access-list out extended permit esp host 10.1.1.1 host 100.1.1.1
! ISAKMP traffic between the encryption endpoints
access-list out extended permit udp host 10.1.1.1 host 100.1.1.1 eq isakmp
R2#sh running-config
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 10.1.1.1
!
!
crypto ipsec transform-set wk esp-des esp-md5-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer 10.1.1.1
set transform-set wk
match address 101
!
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
ip address 100.1.1.1 255.255.255.0
duplex auto
speed auto
crypto map vpn
!
ip route 0.0.0.0 0.0.0.0 100.1.1.2
!
access-list 101 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255