1. Overview
One PIX/ASA builds L2L VPN tunnels to two other PIXes; if possible, the two branch sites should also be able to reach each other through headquarters.
2. Basic approach:
A. One crypto map with several sequence numbers, each sequence matching a different peer
B. Earlier, to save effort, the interesting traffic on every crypto endpoint had been configured as the same summary 192.168.0.0/16; with overlapping entries the headquarters cannot tell from the traffic which tunnel a packet belongs to, which broke the VPN
C. If there are several networks behind a firewall, configure reverse route injection and redistribute the injected static routes into the dynamic routing protocol
3. Test topology:
4. Basic configuration:
A. HQ-PIX80:
① Interface configuration:
interface Ethernet0
 nameif Outside
 security-level 0
 ip address 202.100.1.1 255.255.255.0
 no shut
interface Ethernet1
 nameif Inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shut
② Route configuration:
route Outside 0.0.0.0 0.0.0.0 202.100.1.10
③ Policy configuration:
access-list OUTSIDE extended permit icmp any any
access-group OUTSIDE in interface Outside
④ PAT configuration:
access-list PAT extended permit ip 192.168.1.0 255.255.255.0 any
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.0.0
global (Outside) 1 interface
nat (Inside) 0 access-list NONAT
nat (Inside) 1 access-list PAT
B. Branch1-PIX80:
① Interface configuration:
interface Ethernet0
 nameif Outside
 security-level 0
 ip address 202.100.2.1 255.255.255.0
 no shut
interface Ethernet1
 nameif Inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
 no shut
② Route configuration:
route Outside 0.0.0.0 0.0.0.0 202.100.2.10
③ Policy configuration:
access-list OUTSIDE extended permit icmp any any
access-group OUTSIDE in interface Outside
④ PAT configuration:
access-list PAT extended permit ip 192.168.2.0 255.255.255.0 any
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.0.0
global (Outside) 1 interface
nat (Inside) 0 access-list NONAT
nat (Inside) 1 access-list PAT
C. Branch2-PIX80:
① Interface configuration:
interface Ethernet0
 nameif Outside
 security-level 0
 ip address 202.100.3.1 255.255.255.0
 no shut
interface Ethernet1
 nameif Inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
 no shut
② Route configuration:
route Outside 0.0.0.0 0.0.0.0 202.100.3.10
③ Policy configuration:
access-list OUTSIDE extended permit icmp any any
access-group OUTSIDE in interface Outside
④ PAT configuration:
access-list PAT extended permit ip 192.168.3.0 255.255.255.0 any
access-list NONAT extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.0.0
global (Outside) 1 interface
nat (Inside) 0 access-list NONAT
nat (Inside) 1 access-list PAT
5. L2L VPN configuration:
A. HQ-PIX80:
① Phase 1 policy:
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
tunnel-group 202.100.2.1 type ipsec-l2l
tunnel-group 202.100.2.1 ipsec-attributes
 pre-shared-key cisco
tunnel-group 202.100.3.1 type ipsec-l2l
tunnel-group 202.100.3.1 ipsec-attributes
 pre-shared-key cisco
② Phase 2 transform set:
crypto ipsec transform-set transet esp-des esp-md5-hmac
(3DES/MD5/group 2 for phase 1 and DES/MD5-HMAC for phase 2 are what this lab used; all of them are deprecated, and a production deployment should use AES with SHA-2, DH group 14 or higher, and a distinct pre-shared key per peer rather than "cisco" everywhere.)
③ Interesting traffic:
access-list VPN-BRACH1 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPN-BRACH2 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
④ Configure and apply the crypto map, enable ISAKMP on the interface:
crypto map crymap 20 match address VPN-BRACH1
crypto map crymap 20 set peer 202.100.2.1
crypto map crymap 20 set transform-set transet
crypto map crymap 30 match address VPN-BRACH2
crypto map crymap 30 set peer 202.100.3.1
crypto map crymap 30 set transform-set transet
crypto map crymap interface Outside
crypto isakmp enable Outside
B. Branch1-PIX80:
① Phase 1 policy:
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
tunnel-group 202.100.1.1 type ipsec-l2l
tunnel-group 202.100.1.1 ipsec-attributes
 pre-shared-key cisco
② Phase 2 transform set:
crypto ipsec transform-set transet esp-des esp-md5-hmac
③ Interesting traffic:
access-list VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.0.0
④ Configure and apply the crypto map, enable ISAKMP on the interface:
crypto map crymap 10 match address VPN
crypto map crymap 10 set peer 202.100.1.1
crypto map crymap 10 set transform-set transet
crypto map crymap interface Outside
crypto isakmp enable Outside
C. Branch2-PIX80:
① Phase 1 policy:
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
tunnel-group 202.100.1.1 type ipsec-l2l
tunnel-group 202.100.1.1 ipsec-attributes
 pre-shared-key cisco
② Phase 2 transform set:
crypto ipsec transform-set transet esp-des esp-md5-hmac
③ Interesting traffic:
access-list VPN extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.0.0
④ Configure and apply the crypto map, enable ISAKMP on the interface:
crypto map crymap 10 match address VPN
crypto map crymap 10 set peer 202.100.1.1
crypto map crymap 10 set transform-set transet
crypto map crymap interface Outside
crypto isakmp enable Outside
6. Testing:
A. Ping test:
B. show output:
HQ-PIX80# show crypto isakmp sa

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 202.100.2.1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 202.100.3.1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

HQ-PIX80# show crypto ipsec stats

IPsec Global Statistics
-----------------------
Active tunnels: 2
Previous tunnels: 10
Inbound
    Bytes: 2736
    Decompressed bytes: 2736
    Packets: 57
    Dropped packets: 0
    Replay failures: 0
    Authentications: 57
    Authentication failures: 0
    Decryptions: 57
    Decryption failures: 0
    Decapsulated fragments needing reassembly: 0
Outbound
    Bytes: 3600
    Uncompressed bytes: 3600
    Packets: 75
    Dropped packets: 0
    Authentications: 75
    Authentication failures: 0
    Encryptions: 75
    Encryption failures: 0
    Fragmentation successes: 0
        Pre-fragmentation successses: 0
        Post-fragmentation successes: 0
    Fragmentation failures: 0
        Pre-fragmentation failures: 0
        Post-fragmentation failures: 0
    Fragments created: 0
    PMTUs sent: 0
    PMTUs rcvd: 0
Protocol failures: 0
Missing SA failures: 0
System capacity failures: 0
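Reading these two outputs by eye works for a lab with two peers; for monitoring, the check should be automated. The script below is an added example, not part of the original post: it parses the `show crypto isakmp sa` and `show crypto ipsec stats` text (the sample strings are the hub's output above, abridged) and reports a peer that is not in MM_ACTIVE, an active-tunnel count that differs from the expected peer list, or non-zero replay/authentication/decryption/encryption/missing-SA counters. The function and constant names (`parse_isakmp_sa`, `parse_ipsec_stats`, `check_health`, `FAILURE_COUNTERS`) are the example's own.

```python
"""Health check over the hub's 'show crypto isakmp sa' / 'show crypto ipsec stats'.

Added example, not from the original post. The sample text below is the
post's own section 6 output, abridged; the parsers key Inbound/Outbound
counters by section so the two 'Authentication failures' lines stay apart.
"""
import re

SAMPLE_ISAKMP = """\
   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 202.100.2.1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 202.100.3.1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""

SAMPLE_IPSEC_STATS = """\
IPsec Global Statistics
-----------------------
Active tunnels: 2
Inbound
    Bytes: 2736
    Packets: 57
    Replay failures: 0
    Authentication failures: 0
    Decryption failures: 0
Outbound
    Bytes: 3600
    Packets: 75
    Authentication failures: 0
    Encryption failures: 0
Protocol failures: 0
Missing SA failures: 0
System capacity failures: 0
"""

PEER_RE = re.compile(r"IKE Peer:\s*(\S+)")
FIELD_RE = re.compile(r"(Type|Role|Rekey|State)\s*:\s*(\S+)")
COUNTER_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?)\s*:\s*(\d+)\s*$")


def parse_isakmp_sa(text):
    """Map peer address -> {'type', 'role', 'rekey', 'state'}."""
    peers, current = {}, None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            current = m.group(1)
            peers[current] = {}
        elif current:
            for key, val in FIELD_RE.findall(line):
                peers[current][key.lower()] = val
    return peers


def parse_ipsec_stats(text):
    """Map counter name -> int; counters under Inbound/Outbound get that prefix."""
    counters, section = {}, None
    for line in text.splitlines():
        if line.strip() in ("Inbound", "Outbound"):
            section = line.strip()
            continue
        if line and not line[0].isspace():
            section = None  # unindented line: back to a global counter
        m = COUNTER_RE.match(line)
        if m:
            name = m.group(1).strip()
            counters[f"{section}.{name}" if section else name] = int(m.group(2))
    return counters


# Counters that should stay at zero on a healthy hub.
FAILURE_COUNTERS = (
    "Inbound.Replay failures", "Inbound.Authentication failures",
    "Inbound.Decryption failures", "Outbound.Encryption failures",
    "Missing SA failures",
)


def check_health(expected_peers, isakmp_text, stats_text):
    """Return a list of problem strings; an empty list means all tunnels look healthy."""
    problems = []
    peers = parse_isakmp_sa(isakmp_text)
    for p in expected_peers:
        state = peers.get(p, {}).get("state")
        if state != "MM_ACTIVE":
            problems.append(f"peer {p}: state {state}")
    counters = parse_ipsec_stats(stats_text)
    active = counters.get("Active tunnels")
    if active != len(expected_peers):
        problems.append(f"active tunnels {active} != {len(expected_peers)}")
    for name in FAILURE_COUNTERS:
        if counters.get(name, 0):
            problems.append(f"{name} = {counters[name]}")
    return problems
```

Run it against output collected over SSH on a schedule; a peer that drops to MM_WAIT_MSG or disappears, or a rising replay or authentication failure counter, is worth an alert before users report the tunnel down.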
7. Branches reaching other branches through headquarters:
A. Modify the interesting traffic:
① HQ-PIX80:
access-list VPN-BRACH1 extended permit ip 192.168.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list VPN-BRACH2 extended permit ip 192.168.0.0 255.255.0.0 192.168.3.0 255.255.255.0
--- Note: the destination toward each branch must be written out specifically; otherwise the headquarters cannot match traffic to the right VPN tunnel
② Branch1-PIX80:
access-list VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.0.0
--- As written earlier, the destination is the summary address, which already covers the other branch's addresses
③ Branch2-PIX80:
access-list VPN extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.0.0
--- As written earlier, the destination is the summary address, which already covers the other branch's addresses
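Why the hub's crypto ACLs must name each branch's destination specifically (the note in 7.A and the summary-address problem in 2.B) comes down to two rules of PIX/ASA egress processing: NAT is applied before the crypto map is consulted, and crypto map entries are tried in ascending sequence order with the first matching ACL winning. The Python below is an added example, not part of the original post; it models those two rules with the post's own addresses and three hub configurations: the section 5.A ACLs, a constructed reading of the "everything is 192.168.0.0/16" mistake from 2.B, and the section 7.A ACLs. The names (`egress`, `ace`, `acl_matches`, `HQ_OUTSIDE_IP`, the `CRYMAP_*` tables) are the example's own. One check the model does not cover: on PIX/ASA 7.x and later, sending the decrypted Branch1 traffic back out the Outside interface it arrived on also requires `same-security-traffic permit intra-interface`, which the post's configuration does not show, so verify it is present on the hub.

```python
"""Egress decision on HQ-PIX80 for a packet leaving Outside, modelled in Python.

Added example, not from the original post. Two rules are modelled:
  1. nat (Inside) 0 access-list NONAT is evaluated before the crypto map, so a
     packet PATed to the Outside interface address no longer matches any
     crypto ACL and is sent in the clear.
  2. Crypto map entries are tried in ascending sequence order; the first ACL
     that matches selects the peer.
"""
from ipaddress import ip_address, ip_network

HQ_OUTSIDE_IP = "202.100.1.1"  # global (Outside) 1 interface


def ace(src, dst):
    """One 'permit ip SRC DST' access-control entry."""
    return (ip_network(src), ip_network(dst))


def acl_matches(acl, src, dst):
    s, d = ip_address(src), ip_address(dst)
    return any(s in a and d in b for a, b in acl)


# nat (Inside) 0 access-list NONAT on HQ-PIX80 (section 4.A)
NONAT = [ace("192.168.1.0/24", "192.168.0.0/16")]

# Crypto map variants as (sequence, crypto ACL, peer)
CRYMAP_SECTION5 = [  # hub ACLs from section 5.A
    (20, [ace("192.168.1.0/24", "192.168.2.0/24")], "202.100.2.1"),
    (30, [ace("192.168.1.0/24", "192.168.3.0/24")], "202.100.3.1"),
]
CRYMAP_SUMMARY = [  # constructed reading of the section 2.B mistake
    (20, [ace("192.168.1.0/24", "192.168.0.0/16")], "202.100.2.1"),
    (30, [ace("192.168.1.0/24", "192.168.0.0/16")], "202.100.3.1"),
]
CRYMAP_SECTION7 = [  # hub ACLs from section 7.A
    (20, [ace("192.168.0.0/16", "192.168.2.0/24")], "202.100.2.1"),
    (30, [ace("192.168.0.0/16", "192.168.3.0/24")], "202.100.3.1"),
]


def egress(src, dst, crymap, nonat=NONAT, from_inside=True):
    """Return (source address on the wire, selected peer) for a packet leaving Outside.

    peer is None when no crypto map entry matches, i.e. the packet goes out
    unencrypted. Hairpinned traffic (from_inside=False) entered on Outside, so
    the nat (Inside) rules do not apply to it.
    """
    if from_inside and not acl_matches(nonat, src, dst):
        src = HQ_OUTSIDE_IP  # nat (Inside) 1: PAT to the interface address
    for _seq, acl, peer in sorted(crymap, key=lambda e: e[0]):
        if acl_matches(acl, src, dst):
            return src, peer
    return src, None


if __name__ == "__main__":
    # HQ host to a Branch2 host under the summary ACLs: seq 20 matches first,
    # so the packet is sent to Branch1's peer.
    print(egress("192.168.1.10", "192.168.3.10", CRYMAP_SUMMARY))
    print(egress("192.168.1.10", "192.168.3.10", CRYMAP_SECTION7))
    # Branch1 host to Branch2 host hairpinned through the hub.
    print(egress("192.168.2.18", "192.168.3.18", CRYMAP_SECTION5, from_inside=False))
    print(egress("192.168.2.18", "192.168.3.18", CRYMAP_SECTION7, from_inside=False))
    # NAT exemption missing: the source is PATed and nothing matches.
    print(egress("192.168.1.10", "192.168.3.10", CRYMAP_SECTION7, nonat=[]))
```

The hairpin case is the one the section 5.A ACLs cannot handle: a packet from 192.168.2.18 to 192.168.3.18 matches neither `192.168.1.0/24 -> 192.168.2.0/24` nor `192.168.1.0/24 -> 192.168.3.0/24`, so the hub has no tunnel for it until the source side of the hub's ACLs is widened to 192.168.0.0/16 as in 7.A.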
B. Testing:
① VPC test:
The VPC test had a problem: a branch could not ping the other branch's address.
② Test with routers:
With routers in place of the VPCs the test worked; the results:

R3#ping 192.168.3.18
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.18, timeout is 2 seconds:
....!
Success rate is 20 percent (1/5), round-trip min/avg/max = 1236/1236/1236 ms
R3#
*Mar 1 03:14:22.831: ICMP: echo reply rcvd, src 192.168.3.18, dst 192.168.2.18

R3#telnet 192.168.3.18
Trying 192.168.3.18 ... Open

User Access Verification

Password:
R5>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 02:52:18
*  66 vty 0               idle                 00:00:00 192.168.2.18

  Interface    User               Mode         Idle     Peer Address
Reposted from: http://lzxao.baihongyu.com/