说明:ASA1和ASA2模拟两个分支的边界Firewall,并在该Firewall上启用PAT和默认路由。A和B分别模拟两个内网的主机。ISP模拟ISP,并启用loopback0接口,模拟公网主机。
要求:在ASA1和ASA2之间建立Site to Site IPSec ×××,A和B能通过IPSec加密隧道用私网IP互访,但访问公网主机时不加密。
配置命令如下:
ASA1:
ciscoasa>en ciscoasa# conf t //基本配置部分 ciscoasa(config)# hostname ASA1 ASA1(config)# int e0/0 ASA1(config-if)# nameif outside ASA1(config-if)# security-level 0 ASA1(config-if)# ip add 209.165.200.225 255.255.255.224 ASA1(config-if)# no shut ASA1(config-if)# int e0/1 ASA1(config-if)# nameif inside ASA1(config-if)# security-level 100 ASA1(config-if)# ip add 192.168.1.1 255.255.255.0 ASA1(config-if)# no shut ASA1(config-if)# exit ASA1(config)# nat (inside) 1 0 0 ASA1(config)# global (outside) 1 interface ASA1(config)# route outside 0 0 209.165.200.231 ASA1(config)# policy-map global_policy ASA1(config-pmap)# class inspection_default ASA1(config-pmap-c)# inspect icmp //默认ASA不监控ICMP流量,在此外加上可以使内网ping通外网 ASA1(config-pmap-c)# end ASA1#conf t //1、启用ISAKMP ASA1(config)# crypto isakmp enable outside //2、创建ISAKMP策略 ASA1(config)# crypto isakmp policy 1 ASA1(config-isakmp-policy)# encryption aes-256 ASA1(config-isakmp-policy)# hash sha ASA1(config-isakmp-policy)# group 5 ASA1(config-isakmp-policy)# lifetime 86400 ASA1(config-isakmp-policy)# authentication pre-share ASA1(config-isakmp-policy)# exit //3、创建隧道组 ASA1(config)# tunnel-group 209.165.201.1 type ipsec-l2l ASA1(config)# tunnel-group 209.165.201.1 ipsec-attributes ASA1(config-tunnel-ipsec)# pre-shared-key cisco123 ASA1(config-tunnel-ipsec)# exit //4、定义IPSec策略 ASA1(config)# crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac //5、创建加密映射集 ASA1(config)# access-list outside_cryptomap_1 remark To Encrypt Traffic from 192.168.1.0/24 to 10.10.1.0/24 ASA1(config)# access-list outside_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0 ASA1(config)# crypto map outside_map 1 match address outside_cryptomap_1 ASA1(config)# crypto map outside_map 1 set transform-set AES-SHA ASA1(config)# crypto map outside_map 1 set peer 209.165.201.1 ASA1(config)# crypto map outside_map interface outside //绕过NAT,为穿越×××隧道的流量建立NAT豁免规则 ASA1(config)# access-list inside_nat0_outbound remark To Bypass NAT from 192.168.1.0/24 to 10.10.1.0/24 ASA1(config)# access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0 ASA1(config)# nat (inside) 0 access-list inside_nat0_outbound ASA1(config)# wr
ASA2:
ciscoasa>en ciscoasa# conf t //基本配置部分 ciscoasa(config)# hostname ASA2 ASA2(config)# int e0/0 ASA2(config-if)# nameif outside ASA2(config-if)# security-level 0 ASA2(config-if)# ip add 209.165.201.1 255.255.255.224 ASA2(config-if)# no shut ASA2(config-if)# int e0/1 ASA2(config-if)# nameif inside ASA2(config-if)# security-level 100 ASA2(config-if)# ip add 10.10.1.1 255.255.255.0 ASA2(config-if)# no shut ASA2(config-if)# exit ASA2(config)# nat (inside) 1 0 0 ASA2(config)# global (outside) 1 interface ASA2(config)# route outside 0 0 209.165.201.2 ASA2(config)# policy-map global_policy ASA2(config-pmap)# class inspection_default ASA2(config-pmap-c)# inspect icmp //默认ASA不监控ICMP流量,在此外加上可以使内网ping通外网 ASA2(config-pmap-c)# end ASA2# wr //1、启用ISAKMP ASA2(config)# crypto isakmp enable outside //2、创建ISAKMP策略 ASA2(config)# crypto isakmp policy 1 ASA2(config-isakmp-policy)# encryption aes-256 ASA2(config-isakmp-policy)# hash sha ASA2(config-isakmp-policy)# group 5 ASA2(config-isakmp-policy)# lifetime 86400 ASA2(config-isakmp-policy)# authentication pre-share ASA2(config-isakmp-policy)# exit //3、创建隧道组 ASA2(config)# tunnel-group 209.165.200.225 type ipsec-l2l ASA2(config)# tunnel-group 209.165.200.225 ipsec-attributes ASA2(config-tunnel-ipsec)# pre-shared-key cisco123 ASA2(config-tunnel-ipsec)# exit //4、定义IPSec策略 ASA2(config)# crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac //5、创建加密映射集 ASA2(config)# access-list outside_cryptomap_1 remark To Encrypt Traffic from 10.10.1.0/24 to 192.168.1.0/24 ASA2(config)# access-list outside_cryptomap_1 extended permit ip 10.10.1.0 255.255.255.0 192.168.1.0 255.255.255.0 ASA2(config)# crypto map outside_map 1 match address outside_cryptomap_1 ASA2(config)# crypto map outside_map 1 set transform-set AES-SHA ASA2(config)# crypto map outside_map 1 set peer 209.165.200.225 ASA2(config)# crypto map outside_map interface outside //绕过NAT,为穿越×××隧道的流量建立NAT豁免规则 ASA2(config)# access-list inside_nat0_outbound remark To Bypass NAT from 10.10.1.0/24 to 192.168.1.0/24 ASA2(config)# access-list inside_nat0_outbound extended permit ip 10.10.1.0 255.255.255.0 192.168.1.0 255.255.255.0 ASA2(config)# nat (inside) 0 access-list inside_nat0_outbound ASA2(config)# wr
ISP:
conf t int e0/0 ip add 209.165.200.231 255.255.255.224 no shut int e0/1 ip add 209.165.201.2 255.255.255.224 no shut int loopback 0 ip address 1.0.0.1 255.255.255.255 no shut exit ip http server line vty 0 4 no login exit enable password cisco end wr
A:
conf t int f0/0 ip add 192.168.1.2 255.255.255.0 no shut exit no ip routing ip default-gateway 192.168.1.1 end wr
B:
conf t int f0/0 ip add 10.10.1.2 255.255.255.0 no shut exit no ip routing ip default-gateway 10.10.1.1 end wr
Site TO Site ×××的监控与排错:
sh crypto isakmp sa detail //若ISAKMP协商成功,应看到阶段1状态为MM_ACTIVE(State: MM_ACTIVE)。还会显示出IPSec隧道的类型、阶段1的策略、隧道对端的IP等信息。
sh crypto ipsec sa
//检查IPSec SA的状态,包括协商的代理(将被加密的网络),以及IPSec引擎加密/解密数据包的实际数量等信息。
show crypto accelerator statistics
//查看加密加速器的计数器信息,来监测通过加速卡的数据包数量。
show ***-sessiondb summary
//显示所有活动的×××会话,其中包括远程访问连接。
ASA1# debug crypto isakmp 127 ASA1# debug crypto ipsec 127 //调试时可使用这两条debug命令来开启调度。默认情况下的debug level(调试等级)会被设置为1,最高等级为255。这里手工将调度等级增加到127。 提示:在定义隧道组预共享密钥后,出于安全性方面的考虑,安全设备不会在配置(sh run)中显示预配置的密钥。若确实需要查看密钥的内容,可将运行配置文件拷贝到flash中,并通过“more”命令来查看,如下所示:
本文出自 “银凯的博客” 博客,请务必保留此出处http://yinkai.blog.51cto.com/3813923/1564301
6160
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
