一. Overview

  One PIX/ASA builds L2L VPNs to two other PIXes; if possible, the two branch sites should also be able to reach each other through headquarters.

二. Basic approach:

A. One crypto map with different sequence numbers, each entry matching a different peer

B. Earlier, to save effort, I configured the same 192.168.0.0/16 as the interesting traffic on every encryption point, which caused problems with the VPN

C. If there are several networks behind the firewall, configure reverse route injection and redistribute the injected static routes into the dynamic routing protocol

三. Test topology:

[Figure: test topology diagram (222011956.jpg)]

四. Basic configuration:

A.HQ-PIX80:

① Interface configuration:

interface Ethernet0
nameif Outside
security-level 0
ip address 202.100.1.1 255.255.255.0
no shut
interface Ethernet1
nameif Inside
security-level 100
ip address 192.168.1.1 255.255.255.0
no shut

② Routing configuration:

route Outside 0.0.0.0 0.0.0.0 202.100.1.10

③ Policy configuration:

access-list OUTSIDE extended permit icmp any any
access-group OUTSIDE in interface Outside

④ PAT configuration:

access-list PAT extended permit ip 192.168.1.0 255.255.255.0 any
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.0.0
global (Outside) 1 interface
nat (Inside) 0 access-list NONAT
nat (Inside) 1 access-list PAT

B.Branch1-PIX80:

① Interface configuration:

interface Ethernet0
nameif Outside
security-level 0
ip address 202.100.2.1 255.255.255.0
no shut
interface Ethernet1
nameif Inside
security-level 100
ip address 192.168.2.1 255.255.255.0
no shut

② Routing configuration:

route Outside 0.0.0.0 0.0.0.0 202.100.2.10

③ Policy configuration:

access-list OUTSIDE extended permit icmp any any
access-group OUTSIDE in interface Outside

④ PAT configuration:

access-list PAT extended permit ip 192.168.2.0 255.255.255.0 any
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.0.0
global (Outside) 1 interface
nat (Inside) 0 access-list NONAT
nat (Inside) 1 access-list PAT

C.Branch2-PIX80:

① Interface configuration:

interface Ethernet0
nameif Outside
security-level 0
ip address 202.100.3.1 255.255.255.0
no shut
interface Ethernet1
nameif Inside
security-level 100
ip address 192.168.3.1 255.255.255.0
no shut

② Routing configuration:

route Outside 0.0.0.0 0.0.0.0 202.100.3.10

③ Policy configuration:

access-list OUTSIDE extended permit icmp any any
access-group OUTSIDE in interface Outside

④ PAT configuration:

access-list PAT extended permit ip 192.168.3.0 255.255.255.0 any
access-list NONAT extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.0.0
global (Outside) 1 interface
nat (Inside) 0 access-list NONAT
nat (Inside) 1 access-list PAT

五. L2L VPN configuration:

A.HQ-PIX80:

① Phase 1 policy:

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2

tunnel-group 202.100.2.1 type ipsec-l2l
tunnel-group 202.100.2.1 ipsec-attributes
pre-shared-key cisco
tunnel-group 202.100.3.1 type ipsec-l2l
tunnel-group 202.100.3.1 ipsec-attributes
pre-shared-key cisco

② Phase 2 transform set:

crypto ipsec transform-set transet esp-des esp-md5-hmac

③ Interesting traffic:

access-list VPN-BRACH1 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPN-BRACH2 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

④ Configure and apply the crypto map, and enable ISAKMP on the interface:

crypto map crymap 20 match address VPN-BRACH1
crypto map crymap 20 set peer 202.100.2.1
crypto map crymap 20 set transform-set transet
crypto map crymap 30 match address VPN-BRACH2
crypto map crymap 30 set peer 202.100.3.1
crypto map crymap 30 set transform-set transet
crypto map crymap interface Outside
crypto isakmp enable Outside

B.Branch1-PIX80:

① Phase 1 policy:

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2

tunnel-group 202.100.1.1 type ipsec-l2l
tunnel-group 202.100.1.1 ipsec-attributes
pre-shared-key cisco

② Phase 2 transform set:

crypto ipsec transform-set transet esp-des esp-md5-hmac

③ Interesting traffic:

access-list VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.0.0

④ Configure and apply the crypto map, and enable ISAKMP on the interface:

crypto map crymap 10 match address VPN
crypto map crymap 10 set peer 202.100.1.1
crypto map crymap 10 set transform-set transet

crypto map crymap interface Outside
crypto isakmp enable Outside

C.Branch2-PIX80:

① Phase 1 policy:

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2

tunnel-group 202.100.1.1 type ipsec-l2l
tunnel-group 202.100.1.1 ipsec-attributes
pre-shared-key cisco

② Phase 2 transform set:

crypto ipsec transform-set transet esp-des esp-md5-hmac

③ Interesting traffic:

access-list VPN extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.0.0

④ Configure and apply the crypto map, and enable ISAKMP on the interface:

crypto map crymap 10 match address VPN
crypto map crymap 10 set peer 202.100.1.1
crypto map crymap 10 set transform-set transet

crypto map crymap interface Outside
crypto isakmp enable Outside

六. Testing:

A. Ping test:

[Figure: ping test results (221231828.jpg)]

B. show output:

HQ-PIX80# show crypto isakmp sa

  Active SA: 2
   Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 202.100.2.1
   Type    : L2L             Role    : initiator
   Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 202.100.3.1
   Type    : L2L             Role    : initiator
   Rekey   : no              State   : MM_ACTIVE
HQ-PIX80# show crypto ipsec stats

IPsec Global Statistics
-----------------------
Active tunnels: 2
Previous tunnels: 10
Inbound
   Bytes: 2736
   Decompressed bytes: 2736
   Packets: 57
   Dropped packets: 0
   Replay failures: 0
   Authentications: 57
   Authentication failures: 0
   Decryptions: 57
   Decryption failures: 0
   Decapsulated fragments needing reassembly: 0
Outbound
   Bytes: 3600
   Uncompressed bytes: 3600
   Packets: 75
   Dropped packets: 0
   Authentications: 75
   Authentication failures: 0
   Encryptions: 75
   Encryption failures: 0
   Fragmentation successes: 0
       Pre-fragmentation successses: 0
       Post-fragmentation successes: 0
   Fragmentation failures: 0
       Pre-fragmentation failures: 0
       Post-fragmentation failures: 0
   Fragments created: 0
   PMTUs sent: 0
   PMTUs rcvd: 0
Protocol failures: 0
Missing SA failures: 0
System capacity failures: 0
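As an added example (not part of the original post), a small parser for the "show crypto isakmp sa" output above: it turns the per-peer block into a table and flags any expected peer whose IKE SA is missing or not in MM_ACTIVE, which is the check to automate once more than two branches hang off the hub. The sample text is the HQ-PIX80 output quoted in the post; the function names are mine.

```python
import re

# Sample input: the HQ-PIX80 "show crypto isakmp sa" output quoted in the post.
SHOW_ISAKMP_SA = """\
  Active SA: 2
   Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 202.100.2.1
   Type    : L2L             Role    : initiator
   Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 202.100.3.1
   Type    : L2L             Role    : initiator
   Rekey   : no              State   : MM_ACTIVE
"""

PEER_RE = re.compile(r"IKE Peer:\s*(\S+)")
FIELD_RE = re.compile(r"(\w+)\s*:\s*(\S+)")


def parse_isakmp_sa(text):
    """Return {peer_ip: {"Type": .., "Role": .., "Rekey": .., "State": ..}}.

    The summary lines before the first "IKE Peer:" line are skipped; the two
    indented lines under each peer carry "Field : value" pairs."""
    peers = {}
    current = None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            current = m.group(1)
            peers[current] = {}
        elif current is not None:
            peers[current].update(FIELD_RE.findall(line))
    return peers


def tunnels_not_active(expected_peers, text):
    """List expected peers that are absent from the output or whose IKE SA is
    not MM_ACTIVE (for example stuck in an MM_WAIT_MSG* state while a
    negotiation fails)."""
    sas = parse_isakmp_sa(text)
    return sorted(p for p in expected_peers
                  if sas.get(p, {}).get("State") != "MM_ACTIVE")


if __name__ == "__main__":
    hq_peers = ["202.100.2.1", "202.100.3.1"]  # the two branch peers in the post
    print(parse_isakmp_sa(SHOW_ISAKMP_SA))
    print("not active:", tunnels_not_active(hq_peers, SHOW_ISAKMP_SA))
```

Feed the function the live output from the device and the list of peers you expect; an empty list means every branch tunnel has a phase 1 SA in MM_ACTIVE.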

七. Branches reaching the other branch through headquarters:

A. Modify the interesting traffic:

① HQ-PIX80:

access-list VPN-BRACH1 extended permit ip 192.168.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list VPN-BRACH2 extended permit ip 192.168.0.0 255.255.0.0 192.168.3.0 255.255.255.0

--- Note: the destination toward each branch must be written out specifically; otherwise headquarters cannot pick the right VPN tunnel from the traffic.

② Branch1-PIX80:

access-list VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.0.0

--- As written earlier, the destination is the summary address, which already covers the other branch's addresses.

③ Branch2-PIX80:

access-list VPN extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.0.0

--- As written earlier, the destination is the summary address, which already covers the other branch's addresses.
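The reasoning behind 二.B and the note in 七.A, as an added example that is not code from the original post: a small model of the outbound decisions the hub makes for a packet. Crypto map entries are evaluated in ascending sequence number and the first entry whose ACL permits the flow supplies the peer, so when every entry carries the same 192.168.0.0/16 summary, seq 20 swallows traffic meant for Branch2; naming each branch subnet as the destination fixes that, and also lets a Branch1 packet decrypted at HQ be steered to Branch2. The model also shows why the nat 0 exemption matters (a PATed source matches no crypto ACL) and that the hub's seq 20 ACL and Branch1's ACL are mirror images. Addresses are the post's lab addresses; HQ_SUMMARY is my reconstruction of the first attempt 二.B describes, and the function names are mine.

```python
from ipaddress import ip_address, ip_network


def ace(src, dst):
    """One 'permit ip <src> <dst>' access-list entry."""
    return (ip_network(src), ip_network(dst))


def acl_permits(acl, src, dst):
    s, d = ip_address(src), ip_address(dst)
    return any(s in a and d in b for a, b in acl)


def select_peer(crypto_map, src, dst):
    """Crypto map lookup: try entries in ascending sequence number; the first
    ACL that permits the flow supplies the peer. None means sent in the clear."""
    for _seq, acl, peer in sorted(crypto_map, key=lambda e: e[0]):
        if acl_permits(acl, src, dst):
            return peer
    return None


def outbound_source(nonat_acl, src, dst, outside_ip="202.100.1.1"):
    """'nat (Inside) 0 access-list NONAT': flows matching the exemption keep
    their address; everything else is PATed to the Outside interface address
    before the crypto map is consulted."""
    return src if acl_permits(nonat_acl, src, dst) else outside_ip


def mirrored(acl_a, acl_b):
    """True if acl_a is exactly the source/destination swap of acl_b."""
    return set(acl_a) == {(d, s) for s, d in acl_b}


# HQ crypto map as 二.B describes the first attempt (reconstructed): one /16 summary everywhere
HQ_SUMMARY = [
    (20, [ace("192.168.0.0/16", "192.168.0.0/16")], "202.100.2.1"),
    (30, [ace("192.168.0.0/16", "192.168.0.0/16")], "202.100.3.1"),
]
# HQ crypto map after 七.A: the destination names each branch subnet explicitly
HQ_SPECIFIC = [
    (20, [ace("192.168.0.0/16", "192.168.2.0/24")], "202.100.2.1"),
    (30, [ace("192.168.0.0/16", "192.168.3.0/24")], "202.100.3.1"),
]
HQ_NONAT = [ace("192.168.1.0/24", "192.168.0.0/16")]       # HQ access-list NONAT
BRANCH1_VPN = [ace("192.168.2.0/24", "192.168.0.0/16")]    # Branch1 access-list VPN


def demo():
    r = {}
    # HQ host -> Branch2 host. With the summary ACLs seq 20 matches first, so the
    # packet is steered toward Branch1's peer instead of Branch2's.
    r["summary_hq_to_b2"] = select_peer(HQ_SUMMARY, "192.168.1.10", "192.168.3.18")
    r["specific_hq_to_b2"] = select_peer(HQ_SPECIFIC, "192.168.1.10", "192.168.3.18")
    # Branch1 host -> Branch2 host: decrypted at HQ, then looked up again on the way out.
    r["specific_b1_to_b2"] = select_peer(HQ_SPECIFIC, "192.168.2.18", "192.168.3.18")
    # NAT exemption keeps the private source; without it the PATed source matches no ACL.
    r["nonat_src"] = outbound_source(HQ_NONAT, "192.168.1.10", "192.168.3.18")
    r["pat_src"] = outbound_source([], "192.168.1.10", "192.168.3.18")
    r["pat_peer"] = select_peer(HQ_SPECIFIC, r["pat_src"], "192.168.3.18")
    # Proxy IDs: HQ seq 20 and Branch1's ACL are exact mirrors of each other.
    r["b1_mirror"] = mirrored(HQ_SPECIFIC[0][1], BRANCH1_VPN)
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model only covers "permit ip" entries and first-match selection, which is enough to reproduce the symptom in 二.B: with the summary map the flow to 192.168.3.18 lands on the 202.100.2.1 entry, with the specific map it lands on 202.100.3.1.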

B. Testing:

① Test from VPC:

The VPC test ran into a problem: the branch could not ping the other branch's address.

② Test with a router:

After replacing the VPC with a router, the test passed; the results are below:

R3#ping 192.168.3.18  

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.18, timeout is 2 seconds:
....!
Success rate is 20 percent (1/5), round-trip min/avg/max = 1236/1236/1236 ms
R3#
*Mar  1 03:14:22.831: ICMP: echo reply rcvd, src 192.168.3.18, dst 192.168.2.18

R3#telnet 192.168.3.18
Trying 192.168.3.18 ... Open


User Access Verification

Password:
R5>show users
   Line       User       Host(s)              Idle       Location
  0 con 0                idle                 02:52:18  
* 66 vty 0                idle                 00:00:00 192.168.2.18

 Interface    User               Mode         Idle     Peer Address