1. Lab topology

[Topology diagram: Cisco IPsec VPN traffic control on edge devices, edge sites]

2. Lab description

R1: the business router inside Company A's edge site; its main business network is 1.1.1.1/24;

R2: Company A's edge-site router, responsible for building the VPN tunnel to Company B and carrying the encrypted traffic;

R3: a router in the Internet;

R4: Company B's edge-site router, responsible for building the VPN tunnel to Company A and carrying the encrypted traffic;

R5: the business router inside Company B's edge site; its main business network is 2.2.2.2/24;

Requirements: R1 may reach only R5's HTTP service through the VPN (on R5: ip http server);

R5 may reach only R1's TELNET service through the VPN; no other service is allowed through the VPN;

3. Lab configuration:

R1#show run
no ip domain lookup
!
username cisco password 0 cisco
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
router ospf 10
 log-adjacency-changes
 network 1.1.1.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
ip forward-protocol nd
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 password cisco
 login local
 transport input telnet

R2#show run
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 202.100.1.18
!
crypto ipsec transform-set ccna ah-md5-hmac esp-3des
!
crypto map ccna 10 ipsec-isakmp
 set peer 202.100.1.18
 set ip access-group crypto.inbound in
 set ip access-group crypto.outbound out
 set transform-set ccna
 match address vpn
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 202.100.1.1 255.255.255.248
 ip access-group site1.inbound in
 ip access-group site1.outbound out
 duplex auto
 speed auto
 crypto map ccna
!
router ospf 10
 log-adjacency-changes
 network 192.168.1.0 0.0.0.255 area 0
 default-information originate always
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 202.100.1.2
!
no ip http server
no ip http secure-server
!
ip access-list extended crypto.inbound
 permit tcp 2.2.2.0 0.0.0.255 eq www 1.1.1.0 0.0.0.255
 permit tcp 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255 eq telnet
ip access-list extended crypto.outbound
 permit tcp 1.1.1.0 0.0.0.255 eq telnet 2.2.2.0 0.0.0.255
 permit tcp 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 eq www
ip access-list extended site1.inbound
 permit esp host 202.100.1.18 host 202.100.1.1
 permit ahp host 202.100.1.18 host 202.100.1.1
ip access-list extended site1.outbound
 permit esp host 202.100.1.1 host 202.100.1.18
 permit ahp host 202.100.1.1 host 202.100.1.18
ip access-list extended vpn
 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255

R3#show run
interface FastEthernet0/0
 ip address 202.100.1.17 255.255.255.248
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 202.100.1.2 255.255.255.248
 duplex auto
 speed auto

R4#show run
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 202.100.1.1
!
crypto ipsec transform-set ccna ah-md5-hmac esp-3des
!
crypto map ccna 10 ipsec-isakmp
 set peer 202.100.1.1
 set ip access-group crypto.inbound in
 set ip access-group crypto.outbound out
 set transform-set ccna
 match address vpn
!
interface FastEthernet0/0
 ip address 202.100.1.18 255.255.255.248
 ip access-group site1.inbound in
 ip access-group site1.outbound out
 duplex auto
 speed auto
 crypto map ccna
!
interface FastEthernet0/1
 ip address 192.168.2.2 255.255.255.0
 duplex auto
 speed auto
!
router ospf 10
 log-adjacency-changes
 network 192.168.2.0 0.0.0.255 area 0
 default-information originate always
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 202.100.1.17
!
no ip http server
no ip http secure-server
!
ip access-list extended crypto.inbound
 permit tcp 1.1.1.0 0.0.0.255 eq telnet 2.2.2.0 0.0.0.255
 permit tcp 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 eq www
ip access-list extended crypto.outbound
 permit tcp 2.2.2.0 0.0.0.255 eq www 1.1.1.0 0.0.0.255
 permit tcp 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255 eq telnet
ip access-list extended site1.inbound
 permit esp host 202.100.1.1 host 202.100.1.18
 permit ahp host 202.100.1.1 host 202.100.1.18
ip access-list extended site1.outbound
 permit esp host 202.100.1.18 host 202.100.1.1
 permit ahp host 202.100.1.18 host 202.100.1.1
ip access-list extended vpn
 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255

R5#show run
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
!
router ospf 10
 log-adjacency-changes
 network 2.2.2.0 0.0.0.255 area 0
 network 192.168.2.0 0.0.0.255 area 0
!
ip forward-protocol nd
!
ip http server
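
The "set ip access-group ... in/out" entries inside "crypto map ccna" are the part of this configuration that enforces the requirement: on IOS they apply an ACL to the clear-text packet after decryption (in) and before encryption (out), while "match address vpn" only decides which traffic is interesting for the tunnel. This is why R1's ping is dropped on R2 before it is ever encrypted, and why the Encrypt counters on R2 do not move for it. These ACLs are stateless, so each direction of a session must be permitted separately, which is why every service appears twice (the request toward the server port, and the reply from it). The Python script below is an added example, not code from the original post: it implements wildcard-mask matching and first-match/implicit-deny evaluation for the ACL lines exactly as they appear in R2's configuration, replays the lab's three tests as constructed packets (the ephemeral ports are made up), and also shows the cost of matching replies by source port alone: a brand-new TCP connection from 2.2.2.0/24 with source port 80 matches crypto.inbound too. The "established" keyword (a standard IOS extended-ACL option; its use here is an assumption, not something the lab configures) restricts such reply entries to segments carrying ACK or RST. Two further items a practitioner would check on this configuration: site1.inbound permits only ESP and AH from the peer, so confirm on your platform that IKE (UDP 500, and UDP 4500 when NAT-T is used) still reaches the router with that ACL applied; and 3DES, MD5, DH group 2 and the pre-shared key "cisco" are lab settings only.

```python
# Stateless evaluator for the lab's Cisco-style extended ACLs (added example).
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"www": 80, "telnet": 23}   # service names used by the lab ACLs
Ace = namedtuple("Ace", "action proto src sport dst dport established")  # src/dst: (net, wildcard)

@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack_or_rst: bool = False   # TCP ACK or RST set: the bit 'established' tests

def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def _take_addr(tokens: List[str]) -> Tuple[int, int]:
    """Consume 'any' | 'host A' | 'A WILDCARD' from the front of the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return (0, 0xFFFFFFFF)
    if tok == "host":
        return (_ip(tokens.pop(0)), 0)
    return (_ip(tok), _ip(tokens.pop(0)))

def _take_port(tokens: List[str]) -> Optional[int]:
    """Consume an optional 'eq <port>' operator, the only one the lab uses."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return None

def parse_ace(line: str) -> Ace:
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    src, sport = _take_addr(tokens), _take_port(tokens)
    dst, dport = _take_addr(tokens), _take_port(tokens)
    return Ace(action, proto, src, sport, dst, dport, "established" in tokens)

def _addr_match(addr: str, spec: Tuple[int, int]) -> bool:
    net, wild = spec
    care = ~wild & 0xFFFFFFFF          # wildcard bit 1 means "don't care"
    return (_ip(addr) & care) == (net & care)

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and _addr_match(pkt.src, ace.src) and _addr_match(pkt.dst, ace.dst)
            and (ace.sport is None or pkt.sport == ace.sport)
            and (ace.dport is None or pkt.dport == ace.dport)
            and (not ace.established or pkt.ack_or_rst))

def evaluate(acl: List[str], pkt: Packet) -> bool:
    """First matching entry decides; anything unmatched hits the implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False

# R2's crypto-map ACLs, copied from the lab configuration.
R2_CRYPTO_INBOUND = [
    "permit tcp 2.2.2.0 0.0.0.255 eq www 1.1.1.0 0.0.0.255",
    "permit tcp 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255 eq telnet",
]
R2_CRYPTO_OUTBOUND = [
    "permit tcp 1.1.1.0 0.0.0.255 eq telnet 2.2.2.0 0.0.0.255",
    "permit tcp 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 eq www",
]
# Tightened variant (an assumption, not from the lab): the HTTP reply entry
# only accepts segments with ACK or RST set, so it cannot admit a fresh SYN.
R2_CRYPTO_INBOUND_ESTABLISHED = [
    "permit tcp 2.2.2.0 0.0.0.255 eq www 1.1.1.0 0.0.0.255 established",
    "permit tcp 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255 eq telnet",
]

def check_lab_flows() -> Dict[str, bool]:
    """Replay the lab's tests as constructed packets (ephemeral ports are made up)."""
    http_req = Packet("tcp", "1.1.1.1", "2.2.2.2", 45000, 80)
    http_rep = Packet("tcp", "2.2.2.2", "1.1.1.1", 80, 45000, ack_or_rst=True)
    tel_req = Packet("tcp", "2.2.2.2", "1.1.1.1", 40000, 23)
    tel_rep = Packet("tcp", "1.1.1.1", "2.2.2.2", 23, 40000, ack_or_rst=True)
    ping = Packet("icmp", "1.1.1.1", "2.2.2.2")
    syn_from_80 = Packet("tcp", "2.2.2.2", "1.1.1.1", 80, 22)   # fresh SYN, sport 80
    return {
        "r1_http_to_r5": evaluate(R2_CRYPTO_OUTBOUND, http_req) and evaluate(R2_CRYPTO_INBOUND, http_rep),
        "r5_telnet_to_r1": evaluate(R2_CRYPTO_INBOUND, tel_req) and evaluate(R2_CRYPTO_OUTBOUND, tel_rep),
        "r1_ping_r5": evaluate(R2_CRYPTO_OUTBOUND, ping),
        "syn_sport80_original": evaluate(R2_CRYPTO_INBOUND, syn_from_80),
        "syn_sport80_established": evaluate(R2_CRYPTO_INBOUND_ESTABLISHED, syn_from_80),
    }

if __name__ == "__main__":
    for name, allowed in check_lab_flows().items():
        print(f"{name:26s} {'permit' if allowed else 'deny'}")
```

Running the script reports the three lab tests exactly as section 4 observed them (HTTP and TELNET permitted, ping denied) and shows that the original crypto.inbound accepts the source-port-80 SYN while the established variant rejects it. R4's ACLs are the mirror image of R2's, so the same evaluator applies with the lists swapped.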

4. Lab result data:

R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.1.2 to network 0.0.0.0

     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
C    192.168.1.0/24 is directly connected, FastEthernet0/0
O*E2 0.0.0.0/0 [110/1] via 192.168.1.2, 01:20:44, FastEthernet0/0

R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 202.100.1.2 to network 0.0.0.0

     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/11] via 192.168.1.1, 01:21:14, FastEthernet0/0
     202.100.1.0/29 is subnetted, 1 subnets
C       202.100.1.0 is directly connected, FastEthernet0/1
C    192.168.1.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 202.100.1.2

R2#show crypto isakmp sa
dst             src             state          conn-id slot status
202.100.1.18    202.100.1.1     QM_IDLE              1    0 ACTIVE

R2#show crypto engine connections active
  ID Interface            IP-Address      State Algorithm           Encrypt  Decrypt
   1 FastEthernet0/1      202.100.1.1     set   HMAC_MD5+3DES_56_C        0        0
2001 FastEthernet0/1      202.100.1.1     set   MD5+3DES                158        0
2002 FastEthernet0/1      202.100.1.1     set   MD5+3DES                  0      182

R4#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 202.100.1.17 to network 0.0.0.0

     2.0.0.0/32 is subnetted, 1 subnets
O       2.2.2.2 [110/11] via 192.168.2.1, 01:17:48, FastEthernet0/1
     202.100.1.0/29 is subnetted, 1 subnets
C       202.100.1.16 is directly connected, FastEthernet0/0
C    192.168.2.0/24 is directly connected, FastEthernet0/1
S*   0.0.0.0/0 [1/0] via 202.100.1.17

R4#show crypto isakmp sa
dst             src             state          conn-id slot status
202.100.1.18    202.100.1.1     QM_IDLE              1    0 ACTIVE

R4#show crypto engine connections active
  ID Interface            IP-Address      State Algorithm           Encrypt  Decrypt
   1 FastEthernet0/0      202.100.1.18    set   HMAC_MD5+3DES_56_C        0        0
2001 FastEthernet0/0      202.100.1.18    set   MD5+3DES                202        0
2002 FastEthernet0/0      202.100.1.18    set   MD5+3DES                  0      144

R5#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.2.2 to network 0.0.0.0

     2.0.0.0/24 is subnetted, 1 subnets
C       2.2.2.0 is directly connected, Loopback0
C    192.168.2.0/24 is directly connected, FastEthernet0/1
O*E2 0.0.0.0/0 [110/1] via 192.168.2.2, 01:19:23, FastEthernet0/1
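
The two crypto show commands above are the checks worth automating once the crypto-map ACLs are in place: an IKE SA in QM_IDLE/ACTIVE proves only that the peers negotiated; the Encrypt and Decrypt counters prove that the permitted flows actually enter the tunnel. A tunnel whose counters stay at zero in one direction while the IKE SA is ACTIVE usually means the interesting-traffic ACL or the crypto-map in/out ACLs are dropping the flows before they reach the crypto engine. The helper below is an added example, not part of the original post; it assumes the column layout of these two outputs on the lab's IOS version (other releases format them differently) and parses the R2 outputs above, embedded here as sample input.

```python
# Parse the lab's IKE/IPsec show outputs to verify the tunnel carries traffic (added example).
from typing import Dict, List

# Sample input copied from R2's output in section 4 of the lab.
ISAKMP_SA_OUTPUT = """\
dst             src             state          conn-id slot status
202.100.1.18    202.100.1.1     QM_IDLE              1    0 ACTIVE
"""

ENGINE_OUTPUT = """\
  ID Interface            IP-Address      State Algorithm           Encrypt  Decrypt
   1 FastEthernet0/1      202.100.1.1     set   HMAC_MD5+3DES_56_C        0        0
2001 FastEthernet0/1      202.100.1.1     set   MD5+3DES                158        0
2002 FastEthernet0/1      202.100.1.1     set   MD5+3DES                  0      182
"""

def parse_isakmp_sa(text: str) -> List[Dict[str, str]]:
    """Rows of 'show crypto isakmp sa' in the six-column IKEv1 layout seen in the lab."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[0] != "dst":          # skip the header row
            rows.append(dict(zip(("dst", "src", "state", "conn_id", "slot", "status"), parts)))
    return rows

def parse_engine_connections(text: str) -> List[Dict[str, object]]:
    """Rows of 'show crypto engine connections active' with integer counters."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 7 and parts[0].isdigit():         # data rows start with the ID
            rows.append({
                "id": int(parts[0]), "interface": parts[1], "ip": parts[2],
                "state": parts[3], "algorithm": parts[4],
                "encrypt": int(parts[5]), "decrypt": int(parts[6]),
            })
    return rows

def verify_tunnel(isakmp_text: str, engine_text: str, peer: str) -> Dict[str, object]:
    """The checks a practitioner would script after applying the crypto-map ACLs."""
    ike = parse_isakmp_sa(isakmp_text)
    conns = parse_engine_connections(engine_text)
    # The peer address shows up as dst on the initiator and src on the responder.
    ike_up = any(peer in (r["dst"], r["src"]) and r["state"] == "QM_IDLE"
                 and r["status"] == "ACTIVE" for r in ike)
    encrypted = sum(c["encrypt"] for c in conns)
    decrypted = sum(c["decrypt"] for c in conns)
    return {
        "ike_sa_active": ike_up,
        "packets_encrypted": encrypted,
        "packets_decrypted": decrypted,
        # Both directions must move; a zero on either side points at an ACL drop.
        "tunnel_passing_traffic": ike_up and encrypted > 0 and decrypted > 0,
    }

if __name__ == "__main__":
    print(verify_tunnel(ISAKMP_SA_OUTPUT, ENGINE_OUTPUT, peer="202.100.1.18"))
```

For R2's output the result is an active IKE SA with 158 packets encrypted and 182 decrypted, so the tunnel is passing the permitted HTTP and TELNET flows; running the same check on R4 with peer 202.100.1.1 should give the mirrored counters shown in its own output.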

 

2. Service tests:

R1#telnet 2.2.2.2 80 /source-interface loopback 0
Trying 2.2.2.2, 80 ... Open
get /
HTTP/1.1 400 Bad Request
Date: Fri, 01 Mar 2002 01:30:54 GMT
Server: cisco-IOS
Connection: close
Accept-Ranges: none

400 Bad Request              // the HTTP service port on R5 is reachable, as expected

R5#telnet 1.1.1.1 /source-interface loopback 0
Trying 1.1.1.1 ... Open

User Access Verification

Username:                  // the TELNET service port on R1 is reachable too, as expected

R1#ping 2.2.2.2 source 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.....
Success rate is 0 percent (0/5)         // the ping fails, which is also the expected result

(Summary: this lab focuses on the configuration of the edge sites. In this lab the edge site performs the important role of filtering traffic, which not only makes inter-site access safer but also saves link bandwidth between the sites; filtering inter-site traffic with ACLs is very important.)