拓扑结构
1,VPN配置
采用web方式配置。
FW1配置
FW2配置
Vpn 协商策略
security-policy
rule name untrust2local_vpn
source-zone untrust
destination-zone local
source-address 1.1.1.2 32
destination-address 1.1.1.1 32
service protocol udp destination-port 500
service protocol udp source-port 500
action permit
rule name local2untrust_vpn
source-zone local
destination-zone untrust
source-address 1.1.1.1 32
destination-address 1.1.1.2 32
service protocol udp destination-port 500
service protocol udp source-port 500
action permit
Nat Server
一正一反,出入自如
[FW1]nat server web protocol tcp global 1.1.1.1 9980 inside 192.168.2.2 80
[FW1]display firewall server-map
Current Total Server-map : 2
Type: Nat Server, ANY -> 1.1.1.1:9980[192.168.2.2:80], Zone:---, protocol:tcp
Vpn: public -> public
Type: Nat Server Reverse, 192.168.2.2[1.1.1.1] -> ANY, Zone:---, protocol:tcp
Vpn: public -> public, counter: 1
Nat Server, any -> 1.1.1.1:9980[10.1.1.2:80]为正向Server-map表项,其作用为入。在公网用户访问服务器时对报文的目的地址做转换。Nat Server Reverse, 10.1.1.2[1.1.1.1] -> any为反向Server-map表项,其作用为出。当私网服务器主动访问公网时,可以直接使用这个表项将报文的源地址由私网地址转换为公网地址,而不用再单独为服务器配置源NAT策略。这就是防火墙NAT Server做的非常贴心的地方了,一条命令同时打通了私网服务器和公网之间出入两个方向的地址转换通道。
先关闭默认安全策略,用互联网访问内网主机,查看会话表
tcp VPN: public --> public ID: c487f663b50b23061df5c21e60d
Zone: untrust --> trust TTL: 00:20:00 Left: 00:19:45
Interface: GigabitEthernet1/0/0 NextHop: 192.168.2.2 MAC: 000c-2924-9304
<--packets: 1 bytes: 48 --> packets: 254 bytes: 10,176
1.1.2.2:1047 --> 1.1.1.1:9980[192.168.2.2:80] PolicyName: default
配置untrust到trust的安全策略
rule name accesswebserver
source-zone untrust
destination-zone trust
destination-address 192.168.2.2 32
service protocol tcp destination-port 80
action permit
外网主机可以访问内网服务器
内网主机访问internet,NAT策略
rule name internet
source-zone trust
egress-interface GigabitEthernet1/0/1
source-address 192.168.2.0 24
action nat easy-ip
————————————————————————————
总部服务器还不能访问internet,还需要配置trust到untrust安全策略
先关闭默认安全策略,用内网主机访问外网web服务,查看会话表
http VPN: public --> public ID: c487f663b5125f028635c21e99d
Zone: trust --> untrust TTL: 00:20:00 Left: 00:19:50
Interface: GigabitEthernet1/0/1 NextHop: 1.1.1.2 MAC: 00e0-fc04-1b46
<--packets: 1256 bytes: 50,624 --> packets: 8 bytes: 1,112
192.168.2.2:53677[1.1.1.1:2049] --> 1.1.2.2:80 PolicyName: default
配置trust到untrust安全策略,只允许访问web服务。
rule name trut2untrust
source-zone trust
destination-zone untrust
source-address 192.168.2.0 24
service http
action permit
————————————————————————
服务器访问分部的web服务器
查看会话表
esp VPN: public --> public ID: c487f663b4be750539b5c21ec47
Zone: untrust --> local TTL: 00:10:00 Left: 00:09:55
Interface: InLoopBack0 NextHop: 127.0.0.1 MAC: 0000-0000-0000
<--packets: 0 bytes: 0 --> packets: 1 bytes: 124
1.1.1.2:0 --> 1.1.1.1:0 PolicyName: default
添加untrust 到local安全策略,允许esp报文通过
rule name untrust2local
source-zone untrust
destination-zone local
source-address 1.1.1.2 32
destination-address 1.1.1.1 32
action permit
[FW1]nat server web protocol tcp global 1.1.1.1 9980 inside 192.168.2.2 80 no-reverse
[FW1]dis firewall session table
Current Total Sessions : 13
http VPN: public --> public 192.168.2.2:53521[1.1.1.1:53521] --> 10.0.0.2:80