
Lab instructions

This lab shows how to configure a site-to-site IPsec VPN with the ASA 5505 firewall introduced in Packet Tracer 6.1. By default, the ASA 5505 denies traffic entering the outside interface unless an explicit ACL permits it. This default behaviour helps protect the enterprise network from the internet while the VPN is being configured.

In this lab, a small branch office is securely connected to the enterprise campus over the internet using a broadband DSL connection. No routing protocol traffic is needed between the two sites.

 

Campus addressing scheme :

  • Campus IP addresses : 172.16.0.0/17

  • DC : 172.16.0.0/18

  • Users : 172.16.64.0/20

  • DMZ : 172.16.96.0/21

  • Network devices : 172.16.252.0/23

  • L3 P2P links : 172.16.254.0/24

 

Branch office 1 IP subnet : 172.16.129.0/24

Enterprise internet IP addresses : 134.95.56.16/28

 

IPsec VPN configuration to apply :

  • ESP encryption : AES-256

  • ESP integrity (HMAC) algorithm : SHA-1 (the solution uses esp-sha-hmac; AH is not used)

  • Pre-shared key : SHAREDSECRET

 

 

 

Solution

ASA configuration

Campus network - ASA 5505 IPsec VPN headend device configuration

interface Vlan1

 nameif inside

 security-level 100

 ip address 172.16.254.254 255.255.255.252

!

interface Vlan2

 nameif outside

 security-level 0

 ip address 134.95.56.17 255.255.255.240

!

object network BRANCH01_NETWORK

 subnet 172.16.129.0 255.255.255.0

object network BRANCH_NETWORK

 subnet 172.16.128.0 255.255.128.0

object network CAMPUS_NETWORK

 subnet 172.16.0.0 255.255.128.0

object network PRIVATE_NETWORK

 subnet 172.16.0.0 255.255.0.0

!

route outside 172.16.129.0 255.255.255.0 134.95.56.18 1

route inside 172.16.0.0 255.255.128.0 172.16.254.253 1

!

access-list BRANCH01_TRAFFIC extended permit tcp object CAMPUS_NETWORK object BRANCH01_NETWORK

access-list BRANCH01_TRAFFIC extended permit icmp object CAMPUS_NETWORK object BRANCH01_NETWORK

access-list ENTERPRISE_PRIVATE-TRAFFIC extended permit tcp object PRIVATE_NETWORK object PRIVATE_NETWORK

access-list ENTERPRISE_PRIVATE-TRAFFIC extended permit icmp object BRANCH_NETWORK object CAMPUS_NETWORK

!

!

access-group ENTERPRISE_PRIVATE-TRAFFIC out interface inside

!

crypto ipsec ikev1 transform-set L2L esp-aes 256 esp-sha-hmac

!

crypto map BRANCH1 1 match address BRANCH01_TRAFFIC

crypto map BRANCH1 1 set peer 134.95.56.18 

crypto map BRANCH1 1 set security-association lifetime seconds 86400

crypto map BRANCH1 1 set ikev1 transform-set L2L 

crypto map BRANCH1 interface outside

crypto ikev1 enable outside

crypto ikev1 policy 1

 encr aes

 authentication pre-share

 group 2

!

tunnel-group 134.95.56.18 type ipsec-l2l

tunnel-group 134.95.56.18 ipsec-attributes

 ikev1 pre-shared-key SHAREDSECRET

!

 

The ENTERPRISE_PRIVATE-TRAFFIC access-group is important: it allows IP traffic from the remote subnets to reach the inside subnets once it has been decrypted. If this access-list is not configured and applied outbound on the inside VLAN interface, the ASA blocks that traffic. On a physical ASA, sysopt connection permit-vpn is enabled by default and exempts decrypted VPN traffic from interface ACLs, so this access-group is only enforced there if that option has been disabled; in Packet Tracer the traffic is blocked without it.

 

Branch office n°1 - ASA 5505 remote device configuration

interface Vlan1

 nameif inside

 security-level 100

 ip address 172.16.129.1 255.255.255.0

!

interface Vlan2

 nameif outside

 security-level 0

 ip address 134.95.56.18 255.255.255.240

!

object network BRANCH01_NETWORK

 subnet 172.16.129.0 255.255.255.0

object network BRANCH_NETWORK

 subnet 172.16.128.0 255.255.128.0

object network CAMPUS_NETWORK

 subnet 172.16.0.0 255.255.128.0

object network PRIVATE_NETWORK

 subnet 172.16.0.0 255.255.0.0

!

route outside 172.16.0.0 255.255.128.0 134.95.56.17 1

!

access-list PRIVATE_TRAFFIC extended permit tcp object BRANCH01_NETWORK object CAMPUS_NETWORK

access-list PRIVATE_TRAFFIC extended permit icmp object BRANCH01_NETWORK object CAMPUS_NETWORK

access-list ENTERPRISE_PRIVATE-TRAFFIC extended permit tcp object PRIVATE_NETWORK object PRIVATE_NETWORK

access-list ENTERPRISE_PRIVATE-TRAFFIC extended permit icmp object CAMPUS_NETWORK object BRANCH_NETWORK

!

!

access-group ENTERPRISE_PRIVATE-TRAFFIC out interface inside

!

!

crypto ipsec ikev1 transform-set L2L esp-aes 256 esp-sha-hmac

!

crypto map BRANCH1 1 match address PRIVATE_TRAFFIC

crypto map BRANCH1 1 set peer 134.95.56.17 

crypto map BRANCH1 1 set security-association lifetime seconds 86400

crypto map BRANCH1 1 set ikev1 transform-set L2L 

crypto map BRANCH1 interface outside

crypto ikev1 enable outside

crypto ikev1 policy 1

 encr aes

 authentication pre-share

 group 2

!

tunnel-group 134.95.56.17 type ipsec-l2l

tunnel-group 134.95.56.17 ipsec-attributes

 ikev1 pre-shared-key SHAREDSECRET

!
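The two configurations above must agree with each other on four points before the tunnel carries traffic: the crypto ACLs must be mirror images (IKE Phase 2 proxy IDs), each set peer must be the other side's outside address, the transform sets must match, and the pre-shared keys must be identical. The following script is an added example, not part of the original lab: it embeds both configurations (cut down to the lines the checks need) and reports any of those mismatches, plus any object subnet that falls outside the documented 172.16.0.0/16 address plan. The ADDRESS_PLAN constant and the finding texts are this example's own assumptions.

```python
"""Added example (not from the original lab): cross-check the headend and
branch ASA configurations above for the mismatches that break a site-to-site
tunnel. Both configs are embedded here, cut down to the relevant lines."""
import ipaddress
import re

# Documented address plan: campus 172.16.0.0/17 plus branches 172.16.128.0/17
ADDRESS_PLAN = ipaddress.ip_network("172.16.0.0/16")

HEADEND = """\
 nameif outside
 ip address 134.95.56.17 255.255.255.240
object network BRANCH01_NETWORK
 subnet 172.16.129.0 255.255.255.0
object network CAMPUS_NETWORK
 subnet 172.16.0.0 255.255.128.0
access-list BRANCH01_TRAFFIC extended permit tcp object CAMPUS_NETWORK object BRANCH01_NETWORK
access-list BRANCH01_TRAFFIC extended permit icmp object CAMPUS_NETWORK object BRANCH01_NETWORK
crypto ipsec ikev1 transform-set L2L esp-aes 256 esp-sha-hmac
crypto map BRANCH1 1 match address BRANCH01_TRAFFIC
crypto map BRANCH1 1 set peer 134.95.56.18
crypto map BRANCH1 1 set ikev1 transform-set L2L
tunnel-group 134.95.56.18 ipsec-attributes
 ikev1 pre-shared-key SHAREDSECRET
"""

BRANCH = """\
 nameif outside
 ip address 134.95.56.18 255.255.255.240
object network BRANCH01_NETWORK
 subnet 172.16.129.0 255.255.255.0
object network CAMPUS_NETWORK
 subnet 172.16.0.0 255.255.128.0
access-list PRIVATE_TRAFFIC extended permit tcp object BRANCH01_NETWORK object CAMPUS_NETWORK
access-list PRIVATE_TRAFFIC extended permit icmp object BRANCH01_NETWORK object CAMPUS_NETWORK
crypto ipsec ikev1 transform-set L2L esp-aes 256 esp-sha-hmac
crypto map BRANCH1 1 match address PRIVATE_TRAFFIC
crypto map BRANCH1 1 set peer 134.95.56.17
crypto map BRANCH1 1 set ikev1 transform-set L2L
tunnel-group 134.95.56.17 ipsec-attributes
 ikev1 pre-shared-key SHAREDSECRET
"""


def parse_asa(config):
    """Extract objects, ACLs, transform sets, crypto map entries, PSKs and outside IP."""
    cfg = {"objects": {}, "acls": {}, "ts": {}, "crypto": {}, "psk": {}, "outside": None}
    cur_obj = cur_tg = None
    on_outside = False
    for line in config.splitlines():
        if m := re.match(r"object network (\S+)", line):
            cur_obj = m[1]
        elif m := re.match(r"\s+subnet (\S+) (\S+)", line):
            cfg["objects"][cur_obj] = ipaddress.ip_network(f"{m[1]}/{m[2]}")
        elif m := re.match(r"\s+nameif (\S+)", line):
            on_outside = m[1] == "outside"
        elif (m := re.match(r"\s+ip address (\S+)", line)) and on_outside:
            cfg["outside"] = m[1]
        elif m := re.match(r"access-list (\S+) extended permit (\S+) object (\S+) object (\S+)", line):
            cfg["acls"].setdefault(m[1], []).append((m[2], m[3], m[4]))
        elif m := re.match(r"crypto ipsec ikev1 transform-set (\S+) (.+)", line):
            cfg["ts"][m[1]] = tuple(m[2].split())
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set peer|set ikev1 transform-set) (\S+)", line):
            cfg["crypto"].setdefault((m[1], int(m[2])), {})[m[3]] = m[4]
        elif m := re.match(r"tunnel-group (\S+) ipsec-attributes", line):
            cur_tg = m[1]
        elif m := re.match(r"\s+ikev1 pre-shared-key (\S+)", line):
            cfg["psk"][cur_tg] = m[1]
    return cfg


def selectors(cfg):
    """Phase 2 proxy IDs: every (proto, src, dst) a crypto map entry protects."""
    out = set()
    for entry in cfg["crypto"].values():
        for proto, src, dst in cfg["acls"].get(entry.get("match address"), []):
            out.add((proto, cfg["objects"][src], cfg["objects"][dst]))
    return out


def check_pair(a_cfg, b_cfg):
    """Return a list of findings; an empty list means the two peers agree."""
    a, b = parse_asa(a_cfg), parse_asa(b_cfg)
    findings = []
    for label, side, other in (("A", a, b), ("B", b, a)):
        for name, net in side["objects"].items():
            if not net.subnet_of(ADDRESS_PLAN):
                findings.append(f"{label}: object {name} {net} lies outside {ADDRESS_PLAN}")
        for (cmap, seq), e in side["crypto"].items():
            if e.get("set peer") != other["outside"]:
                findings.append(f"{label}: crypto map {cmap} {seq} peers with {e.get('set peer')} but the other outside address is {other['outside']}")
            ts = side["ts"].get(e.get("set ikev1 transform-set"))
            if ts not in other["ts"].values():
                findings.append(f"{label}: transform set {ts} has no equivalent on the peer")
    if a["psk"].get(b["outside"]) != b["psk"].get(a["outside"]):
        findings.append("pre-shared keys for this peer pair differ")
    a_sel, b_sel = selectors(a), selectors(b)
    # A's (proto, src, dst) must appear on B as (proto, dst, src), and vice versa
    for p, s, d in sorted(a_sel - {(p, d, s) for p, s, d in b_sel}, key=str):
        findings.append(f"A protects {p} {s} -> {d} but B has no mirror-image ACE")
    for p, s, d in sorted(b_sel - {(p, d, s) for p, s, d in a_sel}, key=str):
        findings.append(f"B protects {p} {s} -> {d} but A has no mirror-image ACE")
    return findings
```

Run check_pair(HEADEND, BRANCH) to confirm the pair above is consistent (it returns an empty list); then feed it a branch config with one object subnet mistyped as 176.16.0.0 and it reports both the address-plan violation and the four crypto ACEs that no longer mirror, which is exactly the situation where Phase 1 completes but Phase 2 proxy-ID negotiation fails.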

 

Check IPsec tunnel establishment with show commands

Use show crypto isakmp sa to display the ISAKMP (IKE Phase 1) security associations built between the two firewalls, and show crypto ipsec sa to check the IPsec (Phase 2) security associations and monitor the encrypted traffic counters.

ASA-CAMPUS-VPN#show crypto isakmp sa

IKEv1 SAs:

Active SA: 1
  Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1
1   IKE Peer: 134.95.56.18
    Type    : L2L             Role    : Initiator
    Rekey   : no              State   : QM_IDLE

There are no IKEv2 SAs

 

ASA-CAMPUS-VPN#show crypto ipsec sa

interface: outside
    Crypto map tag: BRANCH1, seq num: 1, local addr 134.95.56.17

permit tcp object CAMPUS_NETWORK object BRANCH01_NETWORK
      local  ident (addr/mask/prot/port): (172.16.0.0/255.255.128.0/6/0)
      remote  ident (addr/mask/prot/port): (172.16.129.0/255.255.255.0/6/0)
      current_peer 134.95.56.18
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors 0, #recv errors 0

local crypto endpt.: 134.95.56.17/0, remote crypto endpt.:134.95.56.18/0
      path mtu 1500, ip mtu, ipsec overhead 78,  media mtu 1500
      current outbound spi: 0x6386132D(1669731117)
      current inbound spi: 0x04B729EA(1669731117)

inbound esp sas:
      spi: 0x04B729EA(79112682)
         transform: esp-aes 256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn id: 2007, crypto map: BRANCH1
         sa timing: remaining key lifetime (k/sec): (4525504/85906)
         IV size: 16 bytes
         replay detection support: N
         Anti replay bitmap:
          0x00000000 0x0000001F
     outbound esp sas:
      spi: 0x6386132D(1669731117)
         transform: esp-aes 256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn id: 2008, crypto map: BRANCH1
         sa timing: remaining key lifetime (k/sec): (4525504/85906)
         IV size: 16 bytes
         replay detection support: N
         Anti replay bitmap:
          0x00000000 0x00000001

Crypto map tag: BRANCH1, seq num: 1, local addr 134.95.56.17

permit icmp object CAMPUS_NETWORK object BRANCH01_NETWORK
      local  ident (addr/mask/prot/port): (172.16.0.0/255.255.128.0/1/0)
      remote  ident (addr/mask/prot/port): (172.16.129.0/255.255.255.0/1/0)
      current_peer 134.95.56.18
      #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors 1, #recv errors 0

local crypto endpt.: 134.95.56.17/0, remote crypto endpt.:134.95.56.18/0
      path mtu 1500, ip mtu, ipsec overhead 78,  media mtu 1500
      current outbound spi: 0x6386132D(1669731117)
      current inbound spi: 0x04B729EA(1669731117)

inbound esp sas:
      spi: 0x04B729EA(79112682)
         transform: esp-aes 256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn id: 2007, crypto map: BRANCH1
         sa timing: remaining key lifetime (k/sec): (4525504/85906)
         IV size: 16 bytes
         replay detection support: N
         Anti replay bitmap:
          0x00000000 0x0000001F
     outbound esp sas:
      spi: 0x6386132D(1669731117)
         transform: esp-aes 256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn id: 2008, crypto map: BRANCH1
         sa timing: remaining key lifetime (k/sec): (4525504/85906)
         IV size: 16 bytes
         replay detection support: N
         Anti replay bitmap:
          0x00000000 0x00000001
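The counters in the output above are the most useful part of show crypto ipsec sa: #pkts encaps/decaps tell you whether traffic flows in both directions, #send errors flags packets that could not be encrypted, and "replay detection support" tells you whether the inbound SA will reject replayed ESP packets. The script below is an added example, not part of the original lab: it parses a copy of the output above (trimmed to the lines it needs) into one record per crypto map entry and flags one-way traffic, send/receive errors and disabled anti-replay. The field names and the wording of the findings are this example's own choices.

```python
"""Added example (not from the original lab): parse 'show crypto ipsec sa'
and flag the signs of a tunnel that is up but not healthy."""
import re

# Constructed sample, trimmed from the headend output shown on this page.
SAMPLE = """\
interface: outside
    Crypto map tag: BRANCH1, seq num: 1, local addr 134.95.56.17

permit tcp object CAMPUS_NETWORK object BRANCH01_NETWORK
      local  ident (addr/mask/prot/port): (172.16.0.0/255.255.128.0/6/0)
      remote  ident (addr/mask/prot/port): (172.16.129.0/255.255.255.0/6/0)
      current_peer 134.95.56.18
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 0
      #send errors 0, #recv errors 0

inbound esp sas:
      spi: 0x04B729EA(79112682)
         transform: esp-aes 256 esp-sha-hmac no compression
         replay detection support: N

Crypto map tag: BRANCH1, seq num: 1, local addr 134.95.56.17

permit icmp object CAMPUS_NETWORK object BRANCH01_NETWORK
      local  ident (addr/mask/prot/port): (172.16.0.0/255.255.128.0/1/0)
      remote  ident (addr/mask/prot/port): (172.16.129.0/255.255.255.0/1/0)
      current_peer 134.95.56.18
      #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors 1, #recv errors 0

inbound esp sas:
      spi: 0x04B729EA(79112682)
         transform: esp-aes 256 esp-sha-hmac no compression
         replay detection support: N
"""

# One regex per field; the first match inside a crypto-map block is taken,
# so "replay" reflects the inbound SA, which is the one that matters.
FIELDS = {
    "proto": r"permit (\S+) object",
    "local": r"local\s+ident \(addr/mask/prot/port\): \(([^)]+)\)",
    "remote": r"remote\s+ident \(addr/mask/prot/port\): \(([^)]+)\)",
    "peer": r"current_peer (\S+)",
    "encaps": r"#pkts encaps: (\d+)",
    "decaps": r"#pkts decaps: (\d+)",
    "send_errors": r"#send errors (\d+)",
    "recv_errors": r"#recv errors (\d+)",
    "replay": r"replay detection support: (\w)",
}
INT_FIELDS = {"encaps", "decaps", "send_errors", "recv_errors"}


def parse_ipsec_sa(text):
    """Return one dict per 'Crypto map tag:' block in the command output."""
    entries = []
    for chunk in re.split(r"Crypto map tag: ", text)[1:]:
        head = re.match(r"(\S+), seq num: (\d+), local addr (\S+)", chunk)
        entry = {"map": head[1], "seq": int(head[2]), "local_addr": head[3]}
        for key, pattern in FIELDS.items():
            m = re.search(pattern, chunk)
            entry[key] = (int(m[1]) if key in INT_FIELDS else m[1]) if m else None
        entries.append(entry)
    return entries


def assess(entry):
    """Turn one parsed block into a list of human-readable issues."""
    issues = []
    enc, dec = entry["encaps"], entry["decaps"]
    if enc == 0 and dec == 0:
        issues.append("idle: nothing has been encrypted or decrypted on this SA")
    elif enc == 0 or dec == 0:
        issues.append(f"one-way traffic: {enc} encrypted, {dec} decrypted; check routes, "
                      "the interface ACL on the decrypting side and the peer's crypto ACL")
    if entry["send_errors"]:
        issues.append(f"{entry['send_errors']} send error(s) on the encrypt path")
    if entry["recv_errors"]:
        issues.append(f"{entry['recv_errors']} receive error(s) on the decrypt path")
    if entry["replay"] != "Y":
        issues.append("anti-replay is disabled on the inbound SA, so captured ESP packets could be replayed")
    return issues


if __name__ == "__main__":
    for e in parse_ipsec_sa(SAMPLE):
        print(f"{e['map']} seq {e['seq']} {e['proto']} {e['local']} -> {e['remote']} via {e['peer']}")
        for issue in assess(e):
            print("   -", issue)
```

Against the sample, the tcp entry is reported as one-way (0 encrypted, 6 decrypted), the icmp entry as one-way in the other direction with one send error, and both inbound SAs as lacking anti-replay. On a physical ASA, replay detection shows Y by default; the N here comes from the simulator, but it is worth checking on real hardware because a tunnel without anti-replay accepts re-injected ESP packets.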

 

Source document: <http://wwwkmhcpx.cn