动态PAT穿越路由器没有NAT-T IPSec ***一样能成功建立

一.概述：

  IPSec ***有多种穿越NAT的方法，NAT-T就是其中的一种。IPSec ***通常情况下，无法穿越NAT设备，主要原因是ESP流量不像TCP或UDP那样带有端口号。测试IPSec ***的第一阶段为aggressive-mode时，无意中发现在PIX/ASA默认没有开启NAT-T的情况下，IPSEC ***同样能建立，特记录下来。

二.基本思路：

A.路由器默认开启nat-t

B.思科PIX/ASA默认没有开启nat-t

C.如果想要采用NAT-T,需要两个加密点都启用NAT-T,加密点在探测到需要使用NAT-T时，会使用NAT-T

D.没有启用NAT-T ***能通，貌似是路由器的PAT比较智能，会自动PAT ESP流量

E.如果中间的PAT设备为防火墙，不启用NAT-T或相关的技术，应该穿越不了

三.测试拓扑：

四.基本配置：

A.R1：

interface Ethernet0/0
     ip address 192.168.1.1 255.255.255.0
     no shut

interface Loopback0
     ip address 192.168.2.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.1.2

B.R2:

interface Ethernet0/0
     ip address 192.168.1.2 255.255.255.0
     ip nat inside

     no shut

interface Ethernet0/1
     ip address 202.100.1.2 255.255.255.0
     ip nat outside

     no shut

ip route 0.0.0.0 0.0.0.0 202.100.1.3

ip access-list extended PAT
     permit ip any any

ip nat inside source list PAT interface Ethernet0/1 overload

C.R3:

interface Ethernet0/0
     ip address 202.100.1.3 255.255.255.0

     no shut

interface Ethernet0/1
     ip address 202.100.2.3 255.255.255.0

     no shut

D.PIX80:

interface Ethernet0
     nameif Inside
     security-level 100
     ip address 172.16.1.10 255.255.255.0

     no shut

interface Ethernet1
     nameif Outside
     security-level 0
     ip address 202.100.2.10 255.255.255.0

     no shut

route Outside 0.0.0.0 0.0.0.0 202.100.2.3

access-list PAT extended permit ip 172.16.1.0 255.255.255.0 any

nat (Inside) 1 access-list PAT

global (Outside) 1 interface

access-list OUTSIDE extended permit icmp any any  
access-group OUTSIDE in interface Outside

E.R4:

interface Ethernet0/0
     ip address 172.16.1.4 255.255.255.0

     no shut

ip route 0.0.0.0 0.0.0.0 172.16.1.10

五.***配置：

A.R1：

①第一阶段策略：

crypto isakmp policy 10
     encr 3des
     hash md5
     authentication pre-share
     group 2
crypto isakmp identity hostname
crypto isakmp keepalive 10 periodic
crypto isakmp peer address 202.100.2.10
     set aggressive-mode password cisco123
     set aggressive-mode client-endpoint fqdn R1

②第二阶段策略：

crypto ipsec transform-set transet esp-3des esp-md5-hmac

③配置感兴趣流：

ip access-list extended ***
     permit ip 192.168.2.0 0.0.0.255 172.16.1.0 0.0.0.255

④配置crypto map并在接口应用：

crypto map crymap 10 ipsec-isakmp
     set peer 202.100.2.3
     set transform-set transet
     set pfs group2
     match address ***
     reverse-route

B.PIX80：

①第一阶段策略：

crypto ikev1 policy 10
     authentication pre-share
     encryption 3des
     hash md5
     group 2

crypto isakmp identity hostname

tunnel-group 202.100.1.2 type ipsec-l2l
tunnel-group 202.100.1.2 ipsec-attributes
     ikev1 pre-shared-key cisco123

---备注：tunnel-group也可以用对方的FQDN

②第二阶段策略：

crypto map crymap 10 set transform-set transet

③配置感兴趣流并做NAT免除：

access-list *** extended permit ip 172.16.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list NONAT extended permit ip 172.16.1.0 255.255.255.0 192.168.2.0 255.255.255.0

nat (Inside) 0 access-list NONAT

④ 配置crypto map 并在接口调用：

crypto map crymap 10 match address ***
crypto map crymap 10 set pfs
crypto map crymap 10 set peer 202.100.1.2
crypto map crymap 10 set transform-set transet
crypto map crymap 10 set phase1-mode aggressive
crypto map crymap 10 set reverse-route
crypto map crymap interface Outside

⑤在接口启用isakmp ：

crypto isakmp enable Outside

六.测试：

A.只能由PAT侧先触发***:

R4#ping 192.168.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R4#

R1#PING 172.16.1.4 SOUrce 192.168.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.4, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 28/85/136 ms

B.看到ESP流量直接封装在IP之下：

C.可以看到R2路由器自动进行了ESP的双向NAT：

R2#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
esp 202.100.1.2:0      192.168.1.1:0      202.100.2.10:0     202.100.2.10:CEC6AC77
udp 202.100.1.2:1      192.168.1.1:500    202.100.2.10:500   202.100.2.10:500
esp 202.100.1.2:0      192.168.1.1:CCA11424 202.100.2.10:0   202.100.2.10:0
udp 202.100.1.2:500    202.100.1.2:500    202.100.2.10:500   202.100.2.10:500

D.在防火墙上启用NAT-T，清除SA重新连接，抓包可以看ESP封装在UDP之下：

---采用命令：crypto isakmp nat-traversal 10

R1#ping 172.16.1.4 source 192.168.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.4, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 16/51/92 ms