Let us look at a more complex case: an access control list is configured and IPsec packets traverse NAT. In what order are IPsec packets processed through ACL/NAT/Routing?
Before the case study, the summarized packet processing order is given first, as before.
In the order tables below, NAT performs both local-to-global and global-to-local address translation, and the corresponding processing order differs for each direction.
Packets from inside to outside:
Inside-to-Outside
•check input access list
•routing
•NAT inside to outside (local to global translation)
•crypto (check map and mark for encryption)
•check output access list
•encryption
When a packet goes from inside to outside: (1) the ACL on the ingress interface is checked first; (2) then the routing table is looked up to find the next hop and egress interface; (3) then NAT translation is performed, translating the local address to the global address, at which point the packet reaches the egress interface; (4) the crypto map is triggered, and if the packet matches the crypto ACL, establishment of the IPsec VPN tunnel is initiated; (5) then encryption is performed and the encrypted ESP packet is forwarded. Note that the interface's outbound ACL check, performed after the crypto map match, is not applied to the encrypted packets that matched the crypto map.
Packets from outside to inside:
Outside-to-Inside
•If IPSec then check input access list
•decryption - for CET or IPSec
•check input access list
•NAT outside to inside (global to local translation)
•routing
When a packet goes from outside to inside: (1) first, if the packet matches an IPsec SA, it is decrypted; (2) then the inbound ACL check is performed, and the packet is dropped if it fails; (3) then NAT translation is performed, translating the global address to the local address; (4) the routing table is looked up to determine the egress interface and next hop for the translated destination address. Note that the ACL check in step 2 is mandatory, because at that point the packet is no longer a VPN packet but an ordinary, already-decrypted packet.
The topology is still the one shown below,
![](https://i-blog.csdnimg.cn/blog_migrate/e8d98c8da3a393ed6ebda01dc26c9301.png)
the difference being that r1 is also a NAT router:
![](https://i-blog.csdnimg.cn/blog_migrate/7c704dc0349088d15264e40ec133d552.png)
A site-to-site IPsec tunnel is established between 10.1.1.1 on r1 and 10.2.2.3 on r3. The protected subnet behind r1 is 172.1.1.1/32 and the protected subnet behind r3 is 172.3.3.3/32. r1 is configured with static NAT that translates the inside local address 172.1.1.1 to the inside global address 20.1.1.10.
The basic configurations of routers R1, R2 and R3 are as follows:
R1
!
! VPN configuration
crypto isakmp policy 2
hash md5
authentication pre-share
group 5
crypto isakmp key cisco1 address 10.2.2.3
!
!
crypto ipsec transform-set r1 esp-des esp-md5-hmac
!
crypto map r1map 1 ipsec-isakmp
set peer 10.2.2.3
set transform-set r1
match address 101
!
!
interface Loopback0
ip address 172.1.1.1 255.255.255.0
ip nat inside
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
! NAT and VPN configuration on the interface
interface Ethernet1/0
ip address 10.1.1.1 255.255.255.0
ip nat outside
no ip route-cache cef
no ip route-cache
duplex half
crypto map r1map
!
! Static NAT configuration
ip nat inside source static 172.1.1.1 20.1.1.10
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.2
no ip http server
no ip http secure-server
!
! ACL that must be matched to trigger the VPN crypto map
access-list 101 permit ip host 20.1.1.10 host 172.3.3.3
!
R2
! Since this is a VPN test, no additional routes need to be added
interface Ethernet1/0
ip address 10.1.1.2 255.255.255.0
duplex half
!
interface Ethernet1/1
ip address 10.2.2.2 255.255.255.0
duplex half
!
R3
! VPN configuration
crypto isakmp policy 2
hash md5
authentication pre-share
group 5
crypto isakmp key cisco1 address 10.1.1.1
!
!
crypto ipsec transform-set r3 esp-des esp-md5-hmac
!
crypto map r3map 1 ipsec-isakmp
set peer 10.1.1.1
set transform-set r3
match address 101
!
!
interface Loopback0
ip address 172.3.3.3 255.255.255.0
!
! VPN configuration on the interface
interface Ethernet1/1
ip address 10.2.2.3 255.255.255.0
duplex half
crypto map r3map
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.2.2.2
no ip http server
no ip http secure-server
!
! ACL that must be matched to trigger the crypto map
access-list 101 permit ip host 172.3.3.3 host 20.1.1.10
!
The test is as follows, using an extended ping sourced from the loopback interface. To make the packet processing order visible, the log captured below corresponds to a deliberately wrong VPN ACL, so that the crypto map matching log can be seen. (The router configurations above are correct.)
r1#ping
Protocol [ip]:
Target IP address: 172.3.3.3
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.1.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 172.1.1.1
*Oct 12 22:38:59.619: IP: tableid=0, s=172.1.1.1 (local), d=172.3.3.3 (Ethernet1/0), routed via FIB
*Oct 12 22:38:59.619: IP: s=172.1.1.1 (local), d=172.3.3.3 (Ethernet1/0), len 100, sending
*Oct 12 22:38:59.619: NAT: s=172.1.1.1->20.1.1.10, d=172.3.3.3 [50]
*Oct 12 22:38:59.619: IP: s=10.1.1.10 (local), d=172.3.3.3 (Ethernet1/0), len 100, output crypto map check failed.
From the packet analysis above, it can be seen that as the packet travels from inside to outside: (1) the routing table is looked up first to find the route to the remote protected subnet and determine the next hop and egress interface; (2) then NAT translation is performed, translating the local address 172.1.1.1 to the global address 20.1.1.10; (3) finally the VPN crypto map is matched.
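As an added example that is not part of the original post, the following Python model walks a packet through the inside-to-outside and outside-to-inside orders given above, using r1's static NAT, default route and ACL 101 from this page; the names `Packet`, `inside_to_outside`, `outside_to_inside` and `wrong_crypto_acl` are this example's own. It also reproduces the "output crypto map check failed" outcome from the debug log by using a crypto ACL written against the pre-NAT local address, the case in which traffic that should be protected is forwarded unencrypted.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    dst: str
    trace: list = field(default_factory=list)  # ordered record of processing steps

# r1's configuration as given on the page.
STATIC_NAT = {"172.1.1.1": "20.1.1.10"}     # ip nat inside source static 172.1.1.1 20.1.1.10
REVERSE_NAT = {glob: loc for loc, glob in STATIC_NAT.items()}
DEFAULT_ROUTE = ("Ethernet1/0", "10.1.1.2")  # ip route 0.0.0.0 0.0.0.0 10.1.1.2

def crypto_acl_101(src, dst):
    """access-list 101 permit ip host 20.1.1.10 host 172.3.3.3"""
    return src == "20.1.1.10" and dst == "172.3.3.3"

def wrong_crypto_acl(src, dst):
    """Misconfigured crypto ACL written against the pre-NAT local address (hypothetical)."""
    return src == "172.1.1.1" and dst == "172.3.3.3"

def inside_to_outside(pkt, crypto_acl=crypto_acl_101):
    """Inbound ACL -> routing -> NAT local->global -> crypto map -> outbound ACL -> encrypt."""
    pkt.trace.append("check input access list: pass")         # no inbound ACL on Loopback0
    egress, nexthop = DEFAULT_ROUTE
    pkt.trace.append(f"routing: d={pkt.dst} via {nexthop} ({egress})")
    if pkt.src in STATIC_NAT:                                  # NAT runs before the crypto check
        pkt.trace.append(f"NAT: s={pkt.src}->{STATIC_NAT[pkt.src]}")
        pkt.src = STATIC_NAT[pkt.src]
    if not crypto_acl(pkt.src, pkt.dst):                       # crypto map sees the global address
        pkt.trace.append("output crypto map check failed")
        return "cleartext"      # no SA is negotiated; the packet leaves unencrypted
    pkt.trace.append("crypto: marked for encryption")
    pkt.trace.append("check output access list: pass")
    pkt.trace.append("encryption: ESP")
    return "encrypted"

def outside_to_inside(pkt, ipsec=True, input_acl=lambda p: True):
    """(IPsec) decrypt -> inbound ACL on the decrypted packet -> NAT global->local -> routing."""
    if ipsec:
        pkt.trace.append("decryption: ESP -> inner packet")
    if not input_acl(pkt):                                     # the decrypted packet is ordinary
        pkt.trace.append("check input access list: deny")      # traffic and must pass the ACL
        return "dropped"
    pkt.trace.append("check input access list: pass")
    if pkt.dst in REVERSE_NAT:
        pkt.trace.append(f"NAT: d={pkt.dst}->{REVERSE_NAT[pkt.dst]}")
        pkt.dst = REVERSE_NAT[pkt.dst]
    pkt.trace.append(f"routing: d={pkt.dst} -> Loopback0")
    return "delivered"
```

Calling `inside_to_outside(Packet("172.1.1.1", "172.3.3.3"), wrong_crypto_acl)` returns "cleartext" with "output crypto map check failed" as the last trace entry, mirroring the debug log above; with `crypto_acl_101` the same packet is marked for encryption after NAT.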
Finally, here is the complete order of operations in Cisco IOS for packets from inside to outside and from outside to inside.
From inside to outside:
Inside-to-Outside
•If IPSec then check input access list
•decryption - for CET (Cisco Encryption Technology) or IPSec
•check input access list
•check input rate limits
•input accounting
•redirect to web cache
•policy routing
•routing
•NAT inside to outside (local to global translation)
•crypto (check map and mark for encryption)
•check output access list
•inspect (Context-based Access Control (CBAC))
•TCP intercept
•encryption
•Queueing
From outside to inside:
Outside-to-Inside
•If IPSec then check input access list
•decryption - for CET or IPSec
•check input access list
•check input rate limits
•input accounting
•redirect to web cache
•NAT outside to inside (global to local translation)
•policy routing
•routing
•crypto (check map and mark for encryption)
•check output access list
•inspect CBAC
•TCP intercept
•encryption
•Queueing
NAT is very widely used; it is a layer 3, layer 4 and even layer 7 technology. The implementation of NAT in Cisco router IOS differs from that in Cisco ASA/PIX firewalls. Besides Cisco, other vendors' NAT implementations also offer many flexible implementation and deployment options.
If I have time later, I will write more about NAT applications: how NAT handles application-layer protocols (such as DNS, ICMP, ESP, SIP, and so on) and how it can be deployed to meet customers' special requirements (such as load balancing based on NAT).
This article was reposted from jasonccier's 51CTO blog; original link: http://blog.51cto.com/jasonccie/404369. Please contact the original author for reposting permission.