IPsec *** extends the network, while a firewall controls and filters network traffic, so the firewall affects IPsec *** communication.
By default the ASA maintains stateful sessions only for UDP/TCP traffic, so it drops the returning ESP traffic. There are two solutions:
1. Use an ACL to permit the ESP traffic.
2. Apply IPsec *** inspection.
Lab topology
R1 configuration:
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 192.168.200.2 no-xauth
!
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
!
crypto map r1 10 ipsec-isakmp
set peer 192.168.200.2
set transform-set trans
match address ***
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.100.1 255.255.255.0
duplex auto
speed auto
crypto map r1
ip route 0.0.0.0 0.0.0.0 192.168.100.254
!
ip access-list extended ***
permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
ASA configuration:
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.100.254 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.200.254 255.255.255.0
R2 configuration:
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 192.168.100.1 no-xauth
!
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
!
crypto map r2 10 ipsec-isakmp
set peer 192.168.100.1
set transform-set trans
match address ***
!
!
!
!
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.200.2 255.255.255.0
duplex auto
speed auto
crypto map r2
!
ip route 0.0.0.0 0.0.0.0 192.168.200.254
!
!
!
!
ip access-list extended ***
permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
Test:
The test above shows that R2 encrypted 5 packets but decrypted none, while R1 not only received and decrypted those packets but also encrypted replies and sent them back. Clearly the ASA dropped the returning packets. Once the cause is known, the fix is straightforward.
First method: use an ACL to permit the ESP traffic.
access-list out extended permit esp host 192.168.100.1 host 192.168.200.2
access-list out extended permit udp host 192.168.100.1 host 192.168.200.2 eq isakmp
access-group out in interface outside
Test:
This method also gives malicious users a path into the internal network. We can use the IPsec *** inspection engine instead and avoid that drawback of the first method.
policy-map type inspect ipsec-pass-thru myipsec
parameters
esp timeout 0:05:00
policy-map mypolicy
class class-default
inspect ipsec-pass-thru myipsec
service-policy mypolicy interface outside
Test:
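To make the difference between the three states of the lab concrete, here is an added example (not part of the original post and not Cisco code) that models the behaviour described above: a firewall that keeps state only for UDP/TCP, the static ACL from the post, and an ipsec-pass-thru style inspection that opens an ESP pinhole between the two peers after seeing their ISAKMP exchange and closes it after the configured idle timeout. The addresses are the lab's (R1 192.168.100.1 outside, R2 192.168.200.2 inside); the class and function names, the idle-timeout interpretation of "esp timeout", and the unrelated outside host are assumptions for illustration.

```python
"""Toy model of an ASA in front of an IPsec peer: default stateful behaviour,
the post's static ACL, and ipsec-pass-thru inspection.

Added example, not from the original post and not Cisco code. Only the
behaviour the post describes is modelled; names and structures are assumed.
"""
from dataclasses import dataclass, field

ISAKMP_PORT = 500
R1_OUTSIDE = "192.168.100.1"   # lab address of R1 (outside peer)
R2_INSIDE = "192.168.200.2"    # lab address of R2 (inside peer)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "udp", "tcp" or "esp"
    sport: int = 0  # ESP carries no ports, so these stay 0 for ESP
    dport: int = 0


@dataclass
class Firewall:
    # "default": state for UDP/TCP only (the ASA out of the box)
    # "acl":     plus the static permits of the post's access-list "out"
    # "inspect": plus ESP pinholes learned from ISAKMP (ipsec-pass-thru)
    mode: str = "default"
    esp_timeout: float = 300.0  # mirrors "esp timeout 0:05:00"; modelled as an idle timeout (assumed)
    acl: set = field(default_factory=set)  # entries: (src, dst, proto, dport or None)
    sessions: set = field(default_factory=set)  # UDP/TCP flows seen inside -> outside
    esp_pinholes: dict = field(default_factory=dict)  # (outside peer, inside peer) -> expiry

    def from_inside(self, pkt: Packet, now: float) -> str:
        """Inside (security-level 100) to outside (0): permitted; record state."""
        if pkt.proto in ("udp", "tcp"):
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            # ipsec-pass-thru: an ISAKMP exchange from inside opens an ESP pinhole
            # for exactly this pair of peers, nothing else.
            if self.mode == "inspect" and pkt.proto == "udp" and pkt.dport == ISAKMP_PORT:
                self.esp_pinholes[(pkt.dst, pkt.src)] = now + self.esp_timeout
        return "permit"

    def acl_permits(self, pkt: Packet) -> bool:
        """Static ACL applied inbound on the outside interface."""
        for src, dst, proto, dport in self.acl:
            if (src, dst, proto) == (pkt.src, pkt.dst, pkt.proto) and dport in (None, pkt.dport):
                return True
        return False

    def from_outside(self, pkt: Packet, now: float) -> str:
        """Outside to inside: needs matching state, a static ACL entry or a pinhole."""
        if pkt.proto in ("udp", "tcp"):
            reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
            if reverse in self.sessions:
                return "permit"          # this is how the ISAKMP reply gets back in
        if self.mode == "acl" and self.acl_permits(pkt):
            return "permit"              # open whether or not a tunnel was negotiated
        if self.mode == "inspect" and pkt.proto == "esp":
            key = (pkt.src, pkt.dst)
            expiry = self.esp_pinholes.get(key)
            if expiry is not None and now < expiry:
                self.esp_pinholes[key] = now + self.esp_timeout  # refresh the idle timer
                return "permit"
            self.esp_pinholes.pop(key, None)   # expired or never opened
        return "drop"  # no state for ESP: the post's "ASA dropped the returning packets"


def post_acl() -> set:
    """The two entries of the post's access-list 'out'."""
    return {(R1_OUTSIDE, R2_INSIDE, "esp", None),
            (R1_OUTSIDE, R2_INSIDE, "udp", ISAKMP_PORT)}


def run_lab(mode: str, idle_gap: float = 0.0) -> dict:
    """Replay the post's test: R2 (inside) brings the tunnel up to R1 (outside).
    idle_gap is how long the tunnel sits idle before R1's return ESP arrives."""
    fw = Firewall(mode=mode, acl=post_acl() if mode == "acl" else set())
    ike_out = Packet(R2_INSIDE, R1_OUTSIDE, "udp", ISAKMP_PORT, ISAKMP_PORT)
    ike_in = Packet(R1_OUTSIDE, R2_INSIDE, "udp", ISAKMP_PORT, ISAKMP_PORT)
    esp_out = Packet(R2_INSIDE, R1_OUTSIDE, "esp")
    esp_in = Packet(R1_OUTSIDE, R2_INSIDE, "esp")
    return {
        "isakmp_out": fw.from_inside(ike_out, 0.0),
        "isakmp_reply": fw.from_outside(ike_in, 1.0),
        "esp_out": fw.from_inside(esp_out, 2.0),
        "esp_return": fw.from_outside(esp_in, 3.0 + idle_gap),
    }


def unsolicited_esp(mode: str) -> str:
    """ESP from R1 arriving on outside with no ISAKMP exchange seen first."""
    fw = Firewall(mode=mode, acl=post_acl() if mode == "acl" else set())
    return fw.from_outside(Packet(R1_OUTSIDE, R2_INSIDE, "esp"), 0.0)


if __name__ == "__main__":
    for mode in ("default", "acl", "inspect"):
        print(mode, run_lab(mode), "unsolicited ESP:", unsolicited_esp(mode))
    print("inspect after 10 min idle:", run_lab("inspect", idle_gap=600.0)["esp_return"])
```

Running it reproduces the post's three tests: in "default" mode the ISAKMP reply is permitted by UDP state but the return ESP is dropped; in "acl" mode it passes, but so does ESP that arrives when no tunnel was ever negotiated; in "inspect" mode the return ESP passes only while the pinhole opened by R2's own ISAKMP exchange is alive, and unsolicited ESP is still dropped.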