Configuring an ASA firewall for IPsec NAT traversal using NAT-T

Topology: PC 211.143.130.195 ---- 211.143.130.206 router 192.168.2.1 -- 192.168.2.100 (outside) ASA (inside) 10.1.50.254 --

VPN pool: 10.1.52.1-50

IPsec traversal of NAT uses NAT-T. Commands:
for Router:
ip nat inside source static udp 192.168.2.100 500 211.143.130.206 500
ip nat inside source static udp 192.168.2.100 4500 211.143.130.206 4500
for ASA:
ciscoasa(config)# isakmp nat-traversal
for Client: do not change
ciscoasa(config)# sh run
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 10.1.50.254 255.255.255.0
!
interface Ethernet0/1
no nameif
no security-level
no ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
nameif outside
security-level 0
ip address 192.168.2.100 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
access-list nonat extended permit ip any 10.1.52.0 255.255.255.0
access-list outside extended permit ip any any
access-list outside extended permit icmp any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
ip local pool POOL 10.1.52.1-10.1.52.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set cisco esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dymap 10 set transform-set cisco
crypto map cisco 10 ipsec-isakmp dynamic dymap
crypto map cisco interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted
tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
address-pool POOL
tunnel-group testgroup ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:8e7c8649ff21632811a52092a97203d0
: end
ciscoasa(config)#


-----------



yourname#sh run
Building configuration...

Current configuration : 1554 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable password cisco
!
no aaa new-model
ip cef
!
!
!
!
ip domain name https://www.sodocs.net/doc/ab3730831.html,
multilink bundle-name authenticated
!
!
username cisco password 0 cisco
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 211.143.130.206 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 211.143.130.195
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static udp 192.168.2.100 500 211.143.130.206 500 extendable
ip nat inside source static udp 192.168.2.100 4500 211.143.130.206 4500 extendable
ip nat inside source static tcp 192.168.2.100 10000 211.143.130.206 10000 extendable
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
!
!
control-plane
!
!
line con 0
login local
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet
line vty 5 15
privilege level 15
login local
transport input telnet
!
scheduler allocate 20000 1000
end

yourname#
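With the static translations above in place, everything between the client and the ASA after NAT detection flows over UDP 4500, where IKE, encapsulated ESP and NAT keepalives share one port. Someone monitoring that flow at the router needs to tell the three apart, and the rule is simple: IKE is prefixed by a four-byte zero "Non-ESP marker" (RFC 3947), ESP starts directly with its SPI, which can never be zero (RFC 3948), and a keepalive is a single 0xFF byte. The classifier below is an added example written for this page, not Cisco code and not captured from these devices; the sample payloads are hand-built.

```python
import struct

# Constructed classifier for UDP/4500 payloads per RFC 3948 (UDP-encapsulated ESP)
# and RFC 3947 (IKE over 4500 with a Non-ESP marker). Not Cisco code; the sample
# packets are built by hand, not captured from the router or ASA on this page.

NON_ESP_MARKER = b"\x00\x00\x00\x00"
# ISAKMP header (RFC 2408): I-cookie 8, R-cookie 8, next payload 1, version 1,
# exchange type 1, flags 1, message ID 4, length 4 = 28 bytes
IKE_HEADER_LEN = 28


def classify_udp4500(payload: bytes) -> dict:
    """Tell IKE, ESP and NAT keepalive apart on UDP port 4500."""
    # NAT keepalive: a single 0xFF byte, sent to keep the NAT binding alive while the tunnel is idle.
    if payload == b"\xff":
        return {"kind": "nat-keepalive"}
    # IKE: four zero bytes (impossible as an ESP SPI, since SPI 0 is reserved), then the ISAKMP header.
    if payload.startswith(NON_ESP_MARKER):
        hdr = payload[4:4 + IKE_HEADER_LEN]
        if len(hdr) < IKE_HEADER_LEN:
            return {"kind": "malformed", "reason": "truncated ISAKMP header"}
        cky_i, cky_r, next_payload, version, exch, flags, msg_id, length = struct.unpack("!8s8sBBBBII", hdr)
        return {
            "kind": "ike",
            "version": f"{version >> 4}.{version & 0xF}",
            "exchange_type": exch,          # 2 = Identity Protection (Main Mode) in IKEv1
            "initiator_cookie": cky_i.hex(),
            "length": length,
        }
    # Otherwise UDP-encapsulated ESP: SPI (4 bytes) + sequence number (4 bytes) + ciphertext.
    if len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])
        return {"kind": "esp", "spi": spi, "seq": seq}
    return {"kind": "malformed", "reason": "too short"}


def sample_packets() -> dict:
    """Hand-built UDP/4500 payloads, one per case (constructed, not captured)."""
    ike_hdr = struct.pack("!8s8sBBBBII",
                          bytes.fromhex("1122334455667788"),  # initiator cookie
                          bytes(8),                            # responder cookie not yet set
                          0,                                   # next payload: none
                          0x10,                                # version 1.0
                          2,                                   # exchange type: Main Mode
                          0, 0, IKE_HEADER_LEN)
    return {
        "ike_main_mode": NON_ESP_MARKER + ike_hdr,
        "esp": struct.pack("!II", 0x1A2B3C4D, 1) + b"\x00" * 16,
        "keepalive": b"\xff",
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(name, classify_udp4500(pkt))
```

The only ambiguity the format allows is an ESP packet whose SPI happens to be zero, and RFC 3948 avoids it by reserving SPI 0, which is the same property the Non-ESP marker relies on.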
