1. Overview:
I used to think that reverse route injection for a LAN-to-LAN tunnel meant taking one crypto endpoint's static routes for the interesting traffic and injecting them into the other crypto endpoint. I tested it today and that is not how it works, so I am writing it down.
2. Test approach and results:
A. Approach:
① Configure a PIX 8.0 LAN-to-LAN IPSEC ×××
② Verify whether `set reverse-route` has to be configured on both sides to take effect, or whether configuring it on one side is enough
③ Verify what the reverse-injected route entry actually is, and whether it is related to the crypto endpoint's static routes
B. Results:
① `set reverse-route` takes effect when configured on only one side; the reverse-injected static route appears on whichever crypto endpoint it is configured on
---- Naturally, if both sides are configured, both sides get the route
② The injected route entry is simply the destination network of the interesting traffic; it has nothing to do with the crypto endpoint's static routes, nor with whether the ××× connection has been established
----- This can be verified by changing the mask of the interesting traffic

----- For a router L2L ××× built over a tunnel interface, which does not need to know the interesting traffic, I think configuring reverse route injection should have no effect

3. Test topology:
(topology diagram: image not reproduced)
4. Test steps:

---- Refer to my earlier post: http://333234.blog.51cto.com/323234/1253465

A. Basic configuration:
① FW1:
---- Interface configuration:

interface Ethernet0
nameif Inside
security-level 100
ip address 192.168.1.1 255.255.255.0
no shut
interface Ethernet1
nameif Outside
security-level 0
ip address 202.100.1.1 255.255.255.0
no shut
---- Route configuration:
route Outside 0.0.0.0 0.0.0.0 202.100.1.10
---- Policy configuration:
access-list OUTSIDE extended permit icmp any any
access-group OUTSIDE in interface Outside
---- PAT configuration:
access-list PAT extended permit ip 192.168.0.0 255.255.0.0 any
access-list NONAT extended permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0
global (Outside) 1 interface
nat (Inside) 0 access-list NONAT
nat (Inside) 1 access-list PAT
② FW2:
---- Interface configuration:
interface Ethernet0
nameif Inside
security-level 100
ip address 172.16.1.1 255.255.255.0
no shut
interface Ethernet1
nameif Outside
security-level 0
ip address 202.100.2.1 255.255.255.0
no shut
---- Route configuration:
route Outside 0.0.0.0 0.0.0.0 202.100.2.10
---- Policy configuration:
access-list OUTSIDE extended permit icmp any any
access-group OUTSIDE in interface Outside
---- PAT configuration:
access-list PAT extended permit ip 172.16.0.0 255.255.0.0 any
access-list NONAT extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0
global (Outside) 1 interface
nat (Inside) 0 access-list NONAT
nat (Inside) 1 access-list PAT
B. ××× configuration:
① FW1:
---- Phase 1 policy:

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
tunnel-group 202.100.2.1 type ipsec-l2l
tunnel-group 202.100.2.1 ipsec-attributes
pre-shared-key cisco
---- Phase 2 transform set:
crypto ipsec transform-set transet esp-des esp-md5-hmac
---- Interesting traffic:
access-list ××× extended permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0
---- Configure the crypto map, apply it to the interface, and enable isakmp on the interface:
crypto map crymap 20 match address ×××
crypto map crymap 20 set peer 202.100.2.1
crypto map crymap 20 set transform-set transet
crypto map crymap interface Outside
crypto isakmp enable Outside
② FW2:
---- Phase 1 policy:

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
tunnel-group 202.100.1.1 type ipsec-l2l
tunnel-group 202.100.1.1 ipsec-attributes
pre-shared-key cisco
---- Phase 2 transform set:
crypto ipsec transform-set transet esp-des esp-md5-hmac
---- Interesting traffic:
access-list ××× extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0
---- Configure the crypto map, apply it to the interface, and enable isakmp on the interface:
crypto map crymap 20 match address ×××
crypto map crymap 20 set peer 202.100.1.1
crypto map crymap 20 set transform-set transet
crypto map crymap interface Outside
crypto isakmp enable Outside
C. Test:
① Without triggering the ×××, look at the firewall's Outside interface routes: only the default route is present
---- because reverse route injection has not been configured yet
FW1(config)# show route outside

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 202.100.1.10 to network 0.0.0.0

C 202.100.1.0 255.255.255.0 is directly connected, Outside
S* 0.0.0.0 0.0.0.0 [1/0] via 202.100.1.10, Outside
FW1(config)#
② Add the reverse route injection configuration, still without triggering the ×××; Outside now shows one additional static route
FW1(config)# crypto map crymap 20 set reverse-route
FW1(config)# show route outside

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 202.100.1.10 to network 0.0.0.0

S 172.16.0.0 255.255.0.0 [1/0] via 202.100.1.10, Outside
C 202.100.1.0 255.255.255.0 is directly connected, Outside
S* 0.0.0.0 0.0.0.0 [1/0] via 202.100.1.10, Outside
③ Modify the interesting-traffic ACL and the static routes change along with it
FW1(config)# access-list ××× extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
FW1(config)# show route outside

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 202.100.1.10 to network 0.0.0.0

S 172.16.0.0 255.255.0.0 [1/0] via 202.100.1.10, Outside
S 172.16.1.0 255.255.255.0 [1/0] via 202.100.1.10, Outside
C 202.100.1.0 255.255.255.0 is directly connected, Outside
S* 0.0.0.0 0.0.0.0 [1/0] via 202.100.1.10, Outside
---- The original interesting-traffic entry was not deleted; a more specific ACE was added, and a correspondingly more specific static route was injected
---- This shows that the reverse-injected entries depend only on the destination network of the interesting traffic, and are unrelated to whether the ××× has been triggered
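As an added example (not from the original post), a small Python check of the behaviour observed above: it derives the routes a PIX should inject from the crypto ACL (the destination network of each permit ACE, pointing at the next hop used to reach the peer) and compares them with the static routes in `show route outside`, so stale or hand-added Outside statics stand out. The ACL name L2L_ACL and both sample texts are constructed; the addresses are the ones used in this test.

```python
import ipaddress
import re

# Constructed sample modelled on the FW1 test above (ACL name L2L_ACL is a placeholder).
CRYPTO_ACL = """
access-list L2L_ACL extended permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list L2L_ACL extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
"""

# Constructed `show route outside` output after `set reverse-route`, tunnel not up.
SHOW_ROUTE_OUTSIDE = """
Gateway of last resort is 202.100.1.10 to network 0.0.0.0
S    172.16.0.0 255.255.0.0 [1/0] via 202.100.1.10, Outside
S    172.16.1.0 255.255.255.0 [1/0] via 202.100.1.10, Outside
C    202.100.1.0 255.255.255.0 is directly connected, Outside
S*   0.0.0.0 0.0.0.0 [1/0] via 202.100.1.10, Outside
"""

ACE_RE = re.compile(
    r"access-list\s+\S+\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
STATIC_RE = re.compile(
    r"^\s*(S\*?)\s+(\S+)\s+(\S+)\s+\[\d+/\d+\]\s+via\s+(\S+),\s+\S+", re.M)


def expected_rri_routes(acl_text, peer_next_hop):
    """One static route per permit ACE, for the ACE's destination network, via the
    next hop used to reach the peer; source network and tunnel state play no part."""
    routes = set()
    for _src, _smask, dst, dmask in ACE_RE.findall(acl_text):
        net = ipaddress.IPv4Network(f"{dst}/{dmask}", strict=False)
        routes.add((str(net), peer_next_hop))
    return routes


def static_routes(show_route_text):
    """Non-default static routes (code S) parsed from `show route` output."""
    routes = set()
    for _code, net, mask, via in STATIC_RE.findall(show_route_text):
        prefix = ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
        if prefix.prefixlen == 0:  # skip the S* default route
            continue
        routes.add((str(prefix), via))
    return routes


def audit_rri(acl_text, show_route_text, peer_next_hop):
    """Diff the routes the crypto ACL should inject against the routing table."""
    expected = expected_rri_routes(acl_text, peer_next_hop)
    actual = static_routes(show_route_text)
    return {"missing": sorted(expected - actual),
            "unexpected": sorted(actual - expected)}
```

Run `audit_rri(CRYPTO_ACL, SHOW_ROUTE_OUTSIDE, "202.100.1.10")` against output captured before and after the ACL change in step ③; an empty result on both confirms the one-route-per-ACE behaviour the test shows.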