Editor: 黎文定 2019-07-01

20 set peer 10.20.20.1
!--- Sets the IPsec peer

crypto map outside_map 20 set transform-set ESP-AES-256-SHA
!--- Sets the IPsec transform set ESP-AES-256-SHA
!--- to be used with the crypto map entry outside_map.

crypto map outside_map interface outside
!--- Specifies the interface to be used with
!--- the settings defined in this configuration.

!--- PHASE 1 CONFIGURATION
!--- This configuration uses isakmp policy 10.
!--- Policy 65535 is included in the config by default.
!--- The configuration commands here define the Phase
!--- 1 policy parameters that are used.

isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400

tunnel-group 10.20.20.1 type ipsec-l2l
!--- In order to create and manage the database of connection-specific
!--- records for ipsec-l2l―IPsec (LAN-to-LAN) tunnels, use the command
!--- tunnel-group in global configuration mode.
!--- For L2L connections the name of the tunnel group MUST be the IP
!--- address of the IPsec peer.

tunnel-group 10.20.20.1 ipsec-attributes
 pre-shared-key *
!--- Enter the pre-shared-key in order to configure the
!--- authentication method.

telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global

!--- Define the NTP server authentication-key, Trusted-key
!--- and the NTP server address for configuring NTP.
ntp authentication-key 1 md5 *
ntp trusted-key 1

!--- The NTP server source is to be mentioned as inside for ASA1
ntp server 172.22.1.161 key 1 source inside
Cryptochecksum:ce7210254f4a0bd263a9072a4ccb7cf7
: end

This video, posted to the Cisco Support Community, demonstrates the steps to configure the ASA as an NTP client: How to configure the Cisco Adaptive Security Appliance (ASA) to synchronize its clock with a Network Time Protocol (NTP) server.

ASA2 CLI Configuration

ASA2

ASA Version 7.1(1)
!
hostname ASA2
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 10.20.20.1 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 172.22.1.0 255.255.255.0
!--- Note that this ACL is a mirror of the inside_nat0_outbound
!--- ACL on ASA1.

access-list outside_cryptomap_20 extended permit ip 172.16.1.0 255.255.255.0 172.22.1.0 255.255.255.0
!--- Note that this ACL is a mirror of the outside_cryptomap_20
!--- ACL on ASA1.

pager lines 24
mtu inside 1500
mtu outside 1500
no failover
asdm image flash:/asdm-511.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map
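
The comments in the ASA2 configuration require its ACLs to mirror those on ASA1. The following is an added example, not part of the Cisco configuration, that checks this from two saved configs. The names parse_acls and mirror_mismatches are hypothetical, and the ASA1 entries are constructed samples because the ASA1 ACL lines are not on this page.

```python
import ipaddress
import re

# Matches only the ACL form used in this configuration:
# access-list NAME extended permit ip SRC SMASK DST DMASK
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
                    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

# ASA2 entries as they appear in the configuration above.
ASA2_ACLS = """
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 172.22.1.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 172.16.1.0 255.255.255.0 172.22.1.0 255.255.255.0
"""
# Constructed sample: the ASA1 entry written as the mirror of the ASA2 one.
ASA1_ACLS = """
access-list outside_cryptomap_20 extended permit ip 172.22.1.0 255.255.255.0 172.16.1.0 255.255.255.0
"""
# Constructed sample: an ASA1 entry whose remote network mask is too wide.
ASA1_BAD = """
access-list outside_cryptomap_20 extended permit ip 172.22.1.0 255.255.255.0 172.16.0.0 255.255.0.0
"""

def parse_acls(config_text):
    """Return {acl_name: set of (source_network, destination_network)}."""
    acls = {}
    for line in config_text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, src, smask, dst, dmask = m.groups()
            pair = (ipaddress.ip_network(f"{src}/{smask}"),
                    ipaddress.ip_network(f"{dst}/{dmask}"))
            acls.setdefault(name, set()).add(pair)
    return acls

def mirror_mismatches(local_cfg, remote_cfg, acl_name):
    """List entries on either peer with no source/destination-swapped twin."""
    local = parse_acls(local_cfg).get(acl_name, set())
    remote = parse_acls(remote_cfg).get(acl_name, set())
    swapped = {(dst, src) for src, dst in remote}
    return {
        "local_only": sorted(local - swapped, key=str),
        "remote_only": sorted(((d, s) for s, d in swapped - local), key=str),
    }

if __name__ == "__main__":
    print(mirror_mismatches(ASA2_ACLS, ASA1_ACLS, "outside_cryptomap_20"))
    print(mirror_mismatches(ASA2_ACLS, ASA1_BAD, "outside_cryptomap_20"))
```

Both lists empty means every entry on one peer has its swapped counterpart on the other; any entry reported is traffic one side would encrypt that the other side does not expect.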
