1. Topology:

ASA 8.0 L2L VPN and OSPF_ASA

Reference: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml

The ASA does not support GRE, but OSPF can be run in unicast mode between the peers, and those unicast OSPF packets can be encapsulated in ESP.

2. Interface configuration:
R1:

R1(config)#int f0/0
R1(config-if)#ip add 10.1.1.2 255.255.255.0
R1(config-if)#no sh

R1(config-if)#int l0
R1(config-if)#ip add 1.1.1.1 255.255.255.0
R1(config-if)#

ASA1:
ASA1(config)# int e0/0
ASA1(config-if)# ip add 10.1.1.1 255.255.255.0
ASA1(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA1(config-if)# no sh

ASA1(config-if)# int e0/1
ASA1(config-if)# ip add 60.1.1.1 255.255.255.0
ASA1(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA1(config-if)# no sh

R3:
R3(config)#int f0/0
R3(config-if)#ip add 60.1.1.2 255.255.255.0
R3(config-if)#no sh

R3(config-if)#int f0/1
R3(config-if)#ip add 202.1.1.2 255.255.255.0
R3(config-if)#no sh

ASA2:
ASA2(config)# int e0/0
ASA2(config-if)# ip add 20.1.1.1 255.255.255.0
ASA2(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA2(config-if)# no sh
ASA2(config-if)# exit

ASA2(config)# int e0/1
ASA2(config-if)# ip add 202.1.1.1 255.255.255.0
ASA2(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA2(config-if)# no sh
ASA2(config-if)#

R2:
R2(config)#int f0/0
R2(config-if)#ip add 20.1.1.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#

R2(config-if)#int l0
R2(config-if)#ip add 2.2.2.2 255.255.255.0
R2(config-if)#

3. Static route configuration:
R1(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.1
ASA1(config)# route outside 0 0 60.1.1.2
ASA2(config)# route outside 0 0 202.1.1.2
R2(config)#ip route 0.0.0.0 0.0.0.0 20.1.1.1

4. Firewall NAT and policy configuration:
ASA1(config)# nat (inside) 1 0 0
ASA1(config)# global (outside) 1 interface
ASA1(config)# nat-control
ASA1(config)# access-list outside permit icmp any any echo-reply
ASA1(config)# access-group outside in interface outside

ASA2(config)# nat (inside) 1 0 0
ASA2(config)# global (outside) 1 interface
ASA2(config)# nat-control
ASA2(config)# access-list outside permit icmp any any echo-reply
ASA2(config)# access-group outside in interface outside

5. Internet access test:

R1#ping 202.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/99/128 ms
R1#

R2#ping 60.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 60.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/51/104 ms
R2#

6. L2L VPN configuration:

ASA1:
A. Phase 1:
ASA1(config)# isakmp policy 10
ASA1(config-isakmp-policy)# authentication pre-share
ASA1(config-isakmp-policy)# encryption 3des
ASA1(config-isakmp-policy)# hash md5
ASA1(config-isakmp-policy)# group 2
ASA1(config-isakmp-policy)# exit
ASA1(config)# isakmp enable outside

ASA1(config)# tunnel-group 202.1.1.1 type ipsec-l2l
ASA1(config)# tunnel-group 202.1.1.1 ipsec-attributes
ASA1(config-tunnel-ipsec)# pre-shared-key cisco

B. Phase 2:
ASA1(config)# crypto ipsec transform-set transet esp-3des esp-md5-hmac

C. Configure the interesting traffic:
ASA1(config)#access-list outside_cryptomap_10 extended permit ip 10.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0

D. Configure the crypto map:
ASA1(config)# crypto map crymap 10 match address outside_cryptomap_10
ASA1(config)# crypto map crymap 10 set peer 202.1.1.1
ASA1(config)# crypto map crymap 10 set transform-set transet

E. Apply the crypto map:
ASA1(config)# crypto map crymap interface outside

F. NAT exemption:
ASA1(config)# access-list nonat extended permit ip 10.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0
ASA1(config)# nat (inside) 0 access-list nonat

ASA2:
A. Phase 1:
ASA2(config)# isakmp policy 10
ASA2(config-isakmp-policy)# authentication pre-share
ASA2(config-isakmp-policy)# encryption 3des
ASA2(config-isakmp-policy)# hash md5
ASA2(config-isakmp-policy)# group 2
ASA2(config-isakmp-policy)# exit
ASA2(config)# isakmp enable outside

ASA2(config)# tunnel-group 60.1.1.1 type ipsec-l2l
ASA2(config)# tunnel-group 60.1.1.1 ipsec-attributes
ASA2(config-tunnel-ipsec)# pre-shared-key cisco

B. Phase 2:
ASA2(config)# crypto ipsec transform-set transet esp-3des esp-md5-hmac

C. Configure the interesting traffic:
ASA2(config)#access-list outside_cryptomap_10 extended permit ip 20.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0

D. Configure the crypto map:
ASA2(config)# crypto map crymap 10 match address outside_cryptomap_10
ASA2(config)# crypto map crymap 10 set peer 60.1.1.1
ASA2(config)# crypto map crymap 10 set transform-set transet

E. Apply the crypto map:
ASA2(config)# crypto map crymap interface outside

F. NAT exemption:
ASA2(config)# access-list nonat extended permit ip 20.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0
ASA2(config)# nat (inside) 0 access-list nonat

7. VPN test:

R1#ping 20.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 36/77/128 ms
R1#

R2#ping 10.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/63/144 ms
R2#

ASA1# show crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 202.1.1.1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
ASA1#

ASA2(config)# show crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 60.1.1.1
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
ASA2(config)#

ASA1# show crypto ipsec sa
interface: outside
    Crypto map tag: crymap, seq num: 10, local addr: 60.1.1.1

      access-list L2L permit ip 10.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (20.1.1.0/255.255.255.0/0/0)
      current_peer: 202.1.1.1

      #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 9, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 60.1.1.1, remote crypto endpt.: 202.1.1.1

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 68D18521

    inbound esp sas:
      spi: 0x1BA22A87 (463612551)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: crymap
         sa timing: remaining key lifetime (kB/sec): (3824999/28571)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x68D18521 (1758561569)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: crymap
         sa timing: remaining key lifetime (kB/sec): (3824999/28571)
         IV size: 8 bytes
         replay detection support: Y

ASA1#

ASA2(config)# show crypto ipsec stats

IPsec Global Statistics
-----------------------
Active tunnels: 1
Previous tunnels: 1
Inbound
    Bytes: 900
    Decompressed bytes: 900
    Packets: 9
    Dropped packets: 0
    Replay failures: 0
    Authentications: 9
    Authentication failures: 0
    Decryptions: 9
    Decryption failures: 0
    Decapsulated fragments needing reassembly: 0
Outbound
    Bytes: 900
    Uncompressed bytes: 900
    Packets: 9
    Dropped packets: 0
    Authentications: 9
    Authentication failures: 0
    Encryptions: 9
    Encryption failures: 0
    Fragmentation successes: 0
        Pre-fragmentation successses: 0
        Post-fragmentation successes: 0
    Fragmentation failures: 0
        Pre-fragmentation failures: 0
        Post-fragmentation failures: 0
    Fragments created: 0
    PMTUs sent: 0
    PMTUs rcvd: 0
Protocol failures: 0
Missing SA failures: 0
System capacity failures: 0

ASA2(config)#

8. Dynamic routing configuration:

A. Add the OSPF traffic to the interesting traffic:
ASA1(config)#access-list outside_cryptomap_10 extended permit ospf interface outside host 202.1.1.1
ASA2(config)#access-list outside_cryptomap_10 extended permit ospf interface outside host 60.1.1.1
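The crypto ACL on each ASA must be the mirror image of the peer's (the OSPF unicast ACE just added included), and the NAT-exemption ACL must cover the same inside-to-inside pairs, otherwise that traffic is PATed by the `nat (inside) 1` rule instead of being encrypted. The following Python script is an added example, not part of the original lab or of Cisco's document: it parses the access-list lines entered on both ASAs above and reports any ACE without a mirror on the peer and any crypto ACE without NAT exemption. The `outside` interface addresses (60.1.1.1 and 202.1.1.1) and the ACL names are taken from the configuration above.

```python
import ipaddress
import re
# ACE shapes used in this lab (ASA 8.0 syntax); 'interface <nameif>' is resolved via IFACE_IPS.
OSPF_ACE = re.compile(r"extended permit ospf interface (\S+) host ([\d.]+)$")
IP_ACE = re.compile(r"extended permit (\S+) ([\d.]+) ([\d.]+) ([\d.]+) ([\d.]+)$")
IFACE_IPS = {"ASA1": {"outside": "60.1.1.1"}, "ASA2": {"outside": "202.1.1.1"}}

def parse_ace(line, iface_ips):
    """Return (proto, src_net, dst_net); 'interface X' becomes that interface's /32."""
    m = OSPF_ACE.search(line)
    if m:
        return ("ospf", ipaddress.ip_network(iface_ips[m.group(1)]), ipaddress.ip_network(m.group(2)))
    m = IP_ACE.search(line)
    if m:
        proto, s, sm, d, dm = m.groups()
        return (proto, ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}"))
    raise ValueError(f"unsupported ACE: {line}")

def parse_acl(lines, name, iface_ips):
    """Collect the ACEs of access-list <name> as a set (a leading CLI prompt is dropped)."""
    lines = (l.split("#", 1)[-1].strip() for l in lines)
    return {parse_ace(l, iface_ips) for l in lines if l.startswith(f"access-list {name} ")}

def mirror_gaps(local, remote):
    """Local ACEs whose mirror image (src/dst swapped) is missing on the peer."""
    return sorted(a for a in local if (a[0], a[2], a[1]) not in remote)

def nonat_gaps(crypto, nonat):
    """IP crypto ACEs with no same-or-wider NAT-exemption ACE (they would be PATed, not encrypted)."""
    return sorted(a for a in crypto if a[0] == "ip" and not any(
        n[0] == "ip" and a[1].subnet_of(n[1]) and a[2].subnet_of(n[2]) for n in nonat))

def check(asa1_lines, asa2_lines, crypto="outside_cryptomap_10", nonat="nonat"):
    """Run all checks on both ASAs; every list is empty when the two sites are consistent."""
    c1 = parse_acl(asa1_lines, crypto, IFACE_IPS["ASA1"])
    c2 = parse_acl(asa2_lines, crypto, IFACE_IPS["ASA2"])
    return {"asa1_unmirrored": mirror_gaps(c1, c2), "asa2_unmirrored": mirror_gaps(c2, c1),
            "asa1_nonat_gaps": nonat_gaps(c1, parse_acl(asa1_lines, nonat, IFACE_IPS["ASA1"])),
            "asa2_nonat_gaps": nonat_gaps(c2, parse_acl(asa2_lines, nonat, IFACE_IPS["ASA2"]))}

# Constructed input: the access-list lines entered on the two ASAs in this lab.
ASA1_LINES = [
    "access-list outside_cryptomap_10 extended permit ip 10.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0",
    "access-list outside_cryptomap_10 extended permit ospf interface outside host 202.1.1.1",
    "access-list nonat extended permit ip 10.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0",
]
ASA2_LINES = [
    "access-list outside_cryptomap_10 extended permit ip 20.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0",
    "access-list outside_cryptomap_10 extended permit ospf interface outside host 60.1.1.1",
    "access-list nonat extended permit ip 20.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0",
]
```

`check(ASA1_LINES, ASA2_LINES)` returns four empty lists for this lab; dropping the OSPF ACE from one side makes the peer's OSPF ACE show up as unmirrored, which is exactly the case where the neighbor never reaches FULL.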

B. R1 dynamic routing configuration:
R1(config)#router ospf 1
R1(config-router)#router-id 1.1.1.1
R1(config-router)#net 10.1.1.2 0.0.0.0 a 0

C. ASA1 dynamic routing configuration:

ASA1(config-router)# int e0/1
ASA1(config-if)#  ospf network point-to-point non-broadcast
ASA1(config-if)#  ospf message-digest-key 10 md5 cisco
ASA1(config)# router ospf 1
ASA1(config-router)# net 10.1.1.1 255.255.255.255 a 0
ASA1(config-router)# net 60.1.1.1 255.255.255.255 a 0
ASA1(config-router)# neighbor 202.1.1.1 interface outside
INFO: Neighbor command will take effect after network-type is enabled
on the interface


D. ASA2 dynamic routing configuration:
ASA2(config-router)# int e0/1
ASA2(config-if)# ospf network point-to-point non-broadcast
ASA2(config-if)#  ospf message-digest-key 10 md5 cisco
ASA2(config)# router ospf 1
ASA2(config-router)# net 20.1.1.0 255.255.255.0 a 0
ASA2(config-router)# net 202.1.1.1 255.255.255.255 a 0
ASA2(config-router)# neighbor 60.1.1.1 interface outside
INFO: Neighbor command will take effect after network-type is enabled
on the interface

E. R2 dynamic routing configuration:
R2(config)#router ospf 1
R2(config-router)#router-id 2.2.2.2
R2(config-router)#net 20.1.1.0 0.0.0.255 a 0
R2(config-router)#net 2.2.2.0 0.0.0.255 a 0

9. Dynamic routing verification:

ASA1# show ospf nei


Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/BDR        0:00:39     10.1.1.2        inside
202.1.1.1         1   FULL/  -        0:00:38     202.1.1.1       outside
ASA1#

ASA2# show ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/BDR        0:00:36     20.1.1.2        inside
60.1.1.1          1   FULL/  -        0:00:30     60.1.1.1        outside
ASA2#

R1#show ip route ospf
     2.0.0.0/32 is subnetted, 1 subnets
O       2.2.2.2 [110/31] via 10.1.1.1, 00:04:42, FastEthernet0/0
     20.0.0.0/24 is subnetted, 1 subnets
O       20.1.1.0 [110/30] via 10.1.1.1, 00:04:42, FastEthernet0/0
O    202.1.1.0/24 [110/30] via 10.1.1.1, 00:04:42, FastEthernet0/0
     60.0.0.0/24 is subnetted, 1 subnets
O       60.1.1.0 [110/20] via 10.1.1.1, 00:05:47, FastEthernet0/0
R1#

R2#show ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/31] via 20.1.1.1, 00:05:16, FastEthernet0/0
O    202.1.1.0/24 [110/20] via 20.1.1.1, 00:05:36, FastEthernet0/0
     10.0.0.0/24 is subnetted, 1 subnets
O       10.1.1.0 [110/30] via 20.1.1.1, 00:05:16, FastEthernet0/0
     60.0.0.0/24 is subnetted, 1 subnets
O       60.1.1.0 [110/30] via 20.1.1.1, 00:05:16, FastEthernet0/0
R2#

10. Summary:

A. In the OSPF configuration for the ASA on Cisco's website, the peer's Internet-facing segment should not be advertised as well (redundant configuration); the same-security-traffic permit intra-interface configuration is also redundant.

B. Although OSPF neighbors can be established in unicast mode and exchange routing information, if the internal networks cannot be summarized, maintaining the interesting-traffic ACL and the NAT exemption will be a nightmare.

C. In practice, if a dynamic routing protocol can be avoided between encrypted sites, avoid it whenever possible.

D. As shown in the figure below, with a dynamic routing protocol running on the inside, add a route on ASA2 pointing back to the internal network, and have R2 redistribute its default route into OSPF so that traffic destined for the peer site is sent to the ASA. The NAT exemption and the interesting-traffic ACL need corresponding changes, set to the summary network addresses of the two sites.