Editor: 黎文定 | 2019-07-01 |
Device Management > NTP to open the ASDM NTP configuration page (as shown in the figure).

2. Click the ADD button to add an NTP server, and in the new window that appears after clicking ADD, provide the required attributes: the IP address, the interface name (inside or outside), and the key number and key value used for authentication (as shown in the screenshot). Then click OK.

Note: select the inside interface name for ASA1 and the outside interface name for ASA2.

Note: the NTP authentication key must be the same on the ASA and on the NTP server.

The authentication attributes for ASA1 and ASA2 are configured in the CLI as follows:

ASA1#
ntp authentication-key 1 md5 cisco
ntp trusted-key 1
ntp server 172.22.1.161 key 1 source inside

ASA2#
ntp authentication-key 1 md5 cisco
ntp trusted-key 1
ntp server 172.22.1.161 key 1 source outside

3. Now tick the Enable NTP Authentication checkbox and click Apply. This completes the NTP configuration task.

4. ASA1 CLI configuration

ASA1
ASA#show run
: Saved
ASA Version 7.1(1)
!
hostname ASA1
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 10.10.10.1 255.255.255.0
!--- Configure the outside interface.
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.22.1.163 255.255.255.0
!--- Configure the inside interface.
!
!--- Output suppressed
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list inside_nat0_outbound extended permit ip 172.22.1.0 255.255.255.0 172.16.1.0 255.255.255.0
!--- This access list (inside_nat0_outbound) is used
!--- with the nat zero command. This prevents traffic which
!--- matches the access list from undergoing network address translation (NAT).
!--- The traffic specified by this ACL is traffic that is to be encrypted and
!--- sent across the VPN tunnel. This ACL is intentionally
!--- the same as (outside_cryptomap_20).
!--- Two separate access lists should always be used in this configuration.
access-list outside_cryptomap_20 extended permit ip 172.22.1.0 255.255.255.0 172.16.1.0 255.255.255.0
!--- This access list (outside_cryptomap_20) is used
!--- with the crypto map outside_map
!--- to determine which traffic should be encrypted and sent
!--- across the tunnel.
!--- This ACL is intentionally the same as (inside_nat0_outbound).
!--- Two separate access lists should always be used in this configuration.
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
asdm image flash:/asdm-511.bin
!--- Enter this command to specify the location of the ASDM image.
asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
!--- NAT 0 prevents NAT for networks specified in
!--- the ACL inside_nat0_outbound.
route outside 0.0.0.0 0.0.0.0 10.10.10.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
!--- Enter this command in order to enable the HTTPS server
!--- for ASDM.
http 172.22.1.1 255.255.255.255 inside
!--- Identify the IP addresses from which the security appliance
!--- accepts HTTPS connections.
no snmp-server location
no snmp-server contact
!--- PHASE 2 CONFIGURATION
!--- The encryption types for Phase 2 are defined here.
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
!--- Define the transform set for Phase 2.
crypto map outside_map 20 match address outside_cryptomap_20
!--- Define which traffic should be sent to the IPsec peer.
crypto map outside_map
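The NTP authentication steps above only work when three things line up on each ASA: the key referenced by `ntp server ... key N` is defined with `ntp authentication-key N md5 ...`, that same key id is listed under `ntp trusted-key`, and authentication is actually switched on (the `ntp authenticate` command, which is the CLI form of the Enable NTP Authentication checkbox). The following checker is an added example written for this page, not Cisco's code or the article's own; it parses the NTP lines of a saved ASA configuration and reports any of those conditions that fail, and also confirms that two devices pointing at the same NTP server use the same key id and value. The three configuration texts are constructed: ASA1 and ASA2 follow the article's lines, and ASA3 is a hypothetical misconfigured device used to show what a failure looks like.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: ASA1 as configured in the article, with authentication enabled.
ASA1_CONFIG = """
hostname ASA1
ntp authentication-key 1 md5 cisco
ntp trusted-key 1
ntp server 172.22.1.161 key 1 source inside
ntp authenticate
"""

# Constructed sample: ASA2 with the Enable NTP Authentication checkbox never ticked.
ASA2_CONFIG = """
hostname ASA2
ntp authentication-key 1 md5 cisco
ntp trusted-key 1
ntp server 172.22.1.161 key 1 source outside
"""

# Constructed, hypothetical device: references key 2, which is neither defined nor trusted.
ASA3_CONFIG = """
hostname ASA3
ntp authentication-key 1 md5 cisco
ntp trusted-key 1
ntp server 172.22.1.161 key 2 source outside
ntp authenticate
"""

AUTH_KEY_RE = re.compile(r"^ntp authentication-key (\d+) md5 (\S+)$")
TRUSTED_RE = re.compile(r"^ntp trusted-key (\d+)$")
SERVER_RE = re.compile(r"^ntp server (\S+)(?: key (\d+))?(?: source (\S+))?(?: prefer)?$")


@dataclass
class NtpConfig:
    hostname: str = ""
    auth_keys: dict = field(default_factory=dict)  # key id -> md5 key value
    trusted: set = field(default_factory=set)      # key ids listed as trusted
    servers: list = field(default_factory=list)    # (server, key id or None, source interface)
    authenticate: bool = False                     # "ntp authenticate" present


def parse_ntp(config_text):
    """Extract the NTP-relevant lines from an ASA running configuration."""
    cfg = NtpConfig()
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("hostname "):
            cfg.hostname = line.split(None, 1)[1]
        elif line == "ntp authenticate":
            cfg.authenticate = True
        elif (m := AUTH_KEY_RE.match(line)):
            cfg.auth_keys[int(m.group(1))] = m.group(2)
        elif (m := TRUSTED_RE.match(line)):
            cfg.trusted.add(int(m.group(1)))
        elif (m := SERVER_RE.match(line)):
            key = int(m.group(2)) if m.group(2) else None
            cfg.servers.append((m.group(1), key, m.group(3)))
    return cfg


def check_ntp(cfg):
    """Return a list of findings; an empty list means the device is consistently configured."""
    findings = []
    if not cfg.authenticate:
        findings.append(f"{cfg.hostname}: 'ntp authenticate' is missing, so keys are never checked")
    for server, key, _source in cfg.servers:
        if key is None:
            findings.append(f"{cfg.hostname}: server {server} has no key, time is accepted unauthenticated")
            continue
        if key not in cfg.auth_keys:
            findings.append(f"{cfg.hostname}: server {server} uses key {key} but no 'ntp authentication-key {key}' exists")
        if key not in cfg.trusted:
            findings.append(f"{cfg.hostname}: key {key} for server {server} is not listed under 'ntp trusted-key'")
    return findings


def check_peers_agree(configs):
    """Devices that point at the same NTP server must use the same key id and value."""
    findings = []
    seen = {}  # server -> (hostname, key id, key value)
    for cfg in configs:
        for server, key, _source in cfg.servers:
            if key is None:
                continue
            value = cfg.auth_keys.get(key)
            if server in seen:
                other_host, other_key, other_value = seen[server]
                if (key, value) != (other_key, other_value):
                    findings.append(f"{cfg.hostname} and {other_host} use different keys for {server}")
            else:
                seen[server] = (cfg.hostname, key, value)
    return findings


if __name__ == "__main__":
    devices = [parse_ntp(c) for c in (ASA1_CONFIG, ASA2_CONFIG, ASA3_CONFIG)]
    for dev in devices:
        for finding in check_ntp(dev) or [f"{dev.hostname}: NTP authentication is consistent"]:
            print(finding)
    for finding in check_peers_agree(devices):
        print(finding)
```

Run against a real device by pasting the output of `show run` into one of the strings; the script reads only the NTP lines, so the rest of the configuration can stay in place. The peer check is the automated form of the article's second note: ASA1 and ASA2 both address 172.22.1.161 with key 1, so they agree, and a mismatch would show up as a finding before the time source is ever trusted.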