Router-to-ASA LAN-to-LAN ×××
1.拓扑
2.步骤
1.基本连通性配置:
R5(config)#int f0/0
R5(config-if)#ip add 15.15.15.5 255.255.255.0
R5(config-if)#no sh
R5(config-if)#ex
R5(config)#ip route 0.0.0.0 0.0.0.0 15.15.15.1
R5(config)#int lo0
R5(config-if)#ip add 5.5.5.5 255.255.255.255
R5(config-if)#
R1(config)#int f0/0
R1(config-if)#ip add 15.15.15.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#int f1/0
R1(config-if)#ip add 16.16.16.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#ex
R1(config)#ip route 0.0.0.0 0.0.0.0 16.16.16.6
R1(config)#ip route 5.5.5.5 255.255.255.255 15.15.15.5
R6(config)#int f1/0
R6(config-if)#ip add 16.16.16.6 255.255.255.0
R6(config-if)#no sh
R6(config-if)#int f0/0
R6(config-if)#ip add 26.26.26.6 255.255.255.0
R6(config-if)#no sh
ciscoasa# conf t
ciscoasa(config)# int e0/0
ciscoasa(config-if)# ip add 26.26.26.2 255.255.255.0
ciscoasa(config-if)# no sh
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# int e0/1
ciscoasa(config-if)# ip add 23.23.23.2 255.255.255.0
ciscoasa(config-if)# no sh
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# ex
ciscoasa(config)# route outside 0 0 26.26.26.6
ciscoasa(config)# route inside 3.3.3.3 255.255.255.255 23.23.23.3
R3(config)#int f1/0
R3(config-if)#ip add 23.23.23.3 255.255.255.0
R3(config-if)#no sh
R3(config-if)#ex
R3(config)#ip route 0.0.0.0 0.0.0.0 23.23.23.2
R3(config-if)#ex
R3(config)#int lo0
R3(config-if)#ip add 3.3.3.3 255.255.255.255
R3(config-if)#ex
2.配置LAN-to-LAN ×××
1在ASA上配置IKE策略:
ciscoasa(config)# crypto isakmp policy 1
ciscoasa(config-isakmp-policy)# encryption 3des
ciscoasa(config-isakmp-policy)# authentication pre-share
ciscoasa(config-isakmp-policy)# group 2
ciscoasa(config-isakmp-policy)# hash sha
ciscoasa(config-isakmp-policy)# ex
2.2在ASA上定义认证标识:
ciscoasa(config)# tunnel-group 16.16.16.1 type ipsec-l2l
ciscoasa(config)# tunnel-group 16.16.16.1 ipsec-attributes
ciscoasa(config-tunnel-ipsec)# pre-shared-key cisco123
ciscoasa(config-tunnel-ipsec)# ex
ciscoasa(config)#
2.3在ASA上配置IPSec transform:
ciscoasa(config)# crypto ipsec transform-set myset esp-3des esp-sha-hmac
ciscoasa(config)#
2.4在ASA上定义感兴趣流量:
ciscoasa(config)# access-list vpn permit ip 23.23.23.0 255.255.255.0 15.15.15.0 255.255.255.0
ciscoasa(config)# access-list vpn permit ip 3.3.3.3 255.255.255.255 15.15.15.0 255.255.255.0
ciscoasa(config)#
2.5在ASA上创建crypto map:
ciscoasa(config)# crypto map l2l 1 match address vpn
ciscoasa(config)# crypto map l2l 1 set peer 16.16.16.1
ciscoasa(config)# crypto map l2l 1 set transform-set myset
ciscoasa(config)#
2.6在ASA上将crypto map和IKE策略应用于outside接口:
ciscoasa(config)# crypto map l2l interface outside
ciscoasa(config)# crypto isakmp enable outside
ciscoasa(config)#
3.配置R1的LAN-to-LAN ×××:
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#en 3
R1(config-isakmp)#au p
R1(config-isakmp)#ha s
R1(config-isakmp)#gr 2
R1(config-isakmp)#ex
R1(config)#cry is key 0 cisco123 add 26.26.26.2
R1(config)#cry ipsec transform-set myset esp-3des esp-sha-hmac
R1(cfg-crypto-trans)#ex
R1(config)#access-list 100 permit ip 15.15.15.0 0.0.0.255 23.23.23.0 0.0.0.255
R1(config)#access-list 100 permit ip 15.15.15.0 0.0.0.255 3.3.3.3 0.0.0.0
R1(config)#crypto map l2l 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#set peer 26.26.26.2
R1(config-crypto-map)#set transform-set myset
R1(config-crypto-map)#match address 100
R1(config-crypto-map)#ex
R1(config)#
R1(config)#int f1/0
R1(config-if)#crypto map l2l
R1(config-if)#
*Mar 1 00:39:21.987: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#
3.验证
R5 ping R3:
R5#ping 23.23.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.3, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 52/72/108 ms
R5#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 40/59/80 ms
R5#
R3 ping R5:
R3#ping 15.15.15.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/57/104 ms
R3#
1.查看R1上的IKE SA的peer:
R1#show crypto isakmp peers
Peer: 26.26.26.2 Port: 500 Local: 16.16.16.1
Phase1 id: 26.26.26.2
R1#
查看R1上的IKE SA:
R1#show crypto isakmp sa
dst src state conn-id slot status
26.26.26.2 16.16.16.1 QM_IDLE 1 0 ACTIVE
R1#
2.查看R1上的IPSec SA:
R1#show crypto ipsec sa
interface: FastEthernet1/0
Crypto map tag: l2l, local addr 16.16.16.1
protected vrf: (none)
local ident (addr/mask/prot/port): (15.15.15.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/0/0)
current_peer 26.26.26.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 16.16.16.1, remote crypto endpt.: 26.26.26.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
current outbound spi: 0xEDC66567(3989202279)
inbound esp sas:
spi: 0xF74ECA08(4149135880)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2003, flow_id: SW:3, crypto map: l2l
sa timing: remaining key lifetime (k/sec): (4558704/3324)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xEDC66567(3989202279)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: SW:4, crypto map: l2l
sa timing: remaining key lifetime (k/sec): (4558704/3322)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (15.15.15.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (23.23.23.0/255.255.255.0/0/0)
current_peer 26.26.26.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
#pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 16.16.16.1, remote crypto endpt.: 26.26.26.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
current outbound spi: 0x86B6E2B8(2260132536)
inbound esp sas:
spi: 0xD2E1737B(3537990523)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: l2l
sa timing: remaining key lifetime (k/sec): (4461373/3309)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x86B6E2B8(2260132536)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: l2l
sa timing: remaining key lifetime (k/sec): (4461373/3307)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R1#
3.查看R5到R3的数据报路径走向:
R5#traceroute 3.3.3.3
Type escape sequence to abort.
Tracing the route to 3.3.3.3
1 15.15.15.1 24 msec 40 msec 8 msec
2 23.23.23.3 56 msec * 48 msec
R5#
说明了数据报经过隧道传输
4.查看ASA上的IKE SA 的peer:
ciscoasa(config)# show crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 16.16.16.1
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
ciscoasa(config)#
5.查看ASA上激活的隧道状态:
ciscoasa(config)# show crypto isakmp stats
Global IKE Statistics
Active Tunnels: 1
Previous Tunnels: 1
In Octets: 6624
In Packets: 68
In Drop Packets: 0
In Notifys: 61
In P2 Exchanges: 2
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 5992
Out Packets: 66
Out Drop Packets: 0
Out Notifys: 122
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0
ciscoasa(config)#
6.查看ASA上的IPSec SA:
ciscoasa(config)# show crypto ipsec sa
interface: outside
Crypto map tag: l2l, seq num: 1, local addr: 26.26.26.2
access-list vpn permit ip host 3.3.3.3 15.15.15.0 255.255.255.0
local ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (15.15.15.0/255.255.255.0/0/0)
current_peer: 16.16.16.1
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 26.26.26.2, remote crypto endpt.: 16.16.16.1
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: F74ECA08
inbound esp sas:
spi: 0xEDC66567 (3989202279)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4096, crypto-map: l2l
sa timing: remaining key lifetime (kB/sec): (4274999/2863)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xF74ECA08 (4149135880)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4096, crypto-map: l2l
sa timing: remaining key lifetime (kB/sec): (4274999/2863)
IV size: 8 bytes
replay detection support: Y
Crypto map tag: l2l, seq num: 1, local addr: 26.26.26.2
access-list vpn permit ip 23.23.23.0 255.255.255.0 15.15.15.0 255.255.255.0
local ident (addr/mask/prot/port): (23.23.23.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (15.15.15.0/255.255.255.0/0/0)
current_peer: 16.16.16.1
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
#pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 10, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 26.26.26.2, remote crypto endpt.: 16.16.16.1
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: D2E1737B
inbound esp sas:
spi: 0x86B6E2B8 (2260132536)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4096, crypto-map: l2l
sa timing: remaining key lifetime (kB/sec): (4274999/2851)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xD2E1737B (3537990523)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4096, crypto-map: l2l
sa timing: remaining key lifetime (kB/sec): (4274999/2851)
IV size: 8 bytes
replay detection support: Y
ciscoasa(config)#
4.测试NAT对×××的影响:
1.在ASA上配置NAT:
ciscoasa(config)# nat (inside) 1 0 0
ciscoasa(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool
ciscoasa(config)#
2.从R5 ping R3肯定不通啦:
R5#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5#
3.R3 ping R5也不通:
R3#ping 15.15.15.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3#
4.在ASA上配置ACL使感兴趣的流量绕过NAT:
ciscoasa(config)# access-list nonat extended permit ip 23.23.23.0 255.255.255.0 15.15.15.0 255.255.255.0
ciscoasa(config)# access-list nonat extended permit ip 3.3.3.3 255.255.255.255 15.15.15.0 255.255.255.0
ciscoasa(config)# nat (inside) 0 access-list nonat
ciscoasa(config)#
5.再次从R3 ping R5,通了:
R3#ping 15.15.15.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/53/112 ms
R3#
6.R5 ping R3:
R5#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/46/76 ms
R5#
说明:由于配置了R3到R5的流量在ASA上不被转换,所以R5和R3之间的通信流量能够用过IPSec ×××穿越Internet。
注意:加密点,通信点,ACL流量过滤是三个关键点。
