Test: routing the IPsec *** traffic between two branches through headquarters

1. Overview:
I saw a post on a forum where someone wanted the IPsec *** traffic between two branches to pass through headquarters, so I built a topology to test it. Running two VM-based ASA 8.4(2) instances was more than my machine could handle, so PIX 8.0 is used in place of the ASA; the relevant configuration should be essentially the same as on ASA 8.0.
2. Basic approach:
A. Branch-to-branch traffic reuses the IPsec *** connection each branch already has to headquarters.
B. Modify the interesting traffic (the crypto ACLs) so that branch-to-branch traffic is carried to headquarters first and from there on to the other branch.
3. Test topology:
(Topology diagram not reproduced; the addressing used in the configuration below is:)
192.168.1.0/24 -- FW1 [Inside 192.168.1.1 | Outside 1.1.1.1] -- GZGW [E0/0 1.1.1.2 | E0/1 202.100.1.2] -- ISP [E0/0 202.100.1.1]
ISP [E0/1 202.100.1.9] -- BJGW [E0/1 202.100.1.10 | E0/0 2.2.2.1] -- FW2 [Outside 2.2.2.2 | Inside 192.168.2.1] -- 192.168.2.0/24
ISP [E0/2 202.100.1.5] -- SHGW [E0/1 202.100.1.6 | E0/0 192.168.3.1] -- 192.168.3.0/24
4. Basic configuration:
A. Guangzhou HQ firewall FW1 (PIX 8.0):
interface Ethernet0
nameif Inside
security-level 100
ip address 192.168.1.1 255.255.255.0
no shut
interface Ethernet1
nameif Outside
security-level 0
ip address 1.1.1.1 255.255.255.252
no shut
route Outside 0.0.0.0 0.0.0.0 1.1.1.2
access-list Outside extended permit icmp any any
access-group Outside in interface Outside
same-security-traffic permit intra-interface
---- The branch-to-branch traffic later has to both enter and leave through the Outside interface (hairpinned, or "U-turn", traffic), which the firewall drops by default, so traffic between hosts on the same interface must be permitted.
B. Guangzhou HQ gateway router GZGW:
interface Ethernet0/0
ip address 1.1.1.2 255.255.255.252
ip nat inside
no shut
interface Ethernet0/1
ip address 202.100.1.2 255.255.255.252
ip nat outside
no shut
ip access-list extended PAT
permit ip host 1.1.1.1 any
permit ip 192.168.1.0 0.0.0.255 any
ip route 0.0.0.0 0.0.0.0 202.100.1.1
ip route 192.168.1.0 255.255.255.0 1.1.1.1
ip nat inside source list PAT interface Ethernet0/1 overload
ip nat inside source static udp 1.1.1.1 4500 interface Ethernet0/1 4500
ip nat inside source static udp 1.1.1.1 500 interface Ethernet0/1 500
---- FW1 sits behind PAT on GZGW, so IKE (UDP 500) and NAT-T encapsulated ESP (UDP 4500) arriving at 202.100.1.2 must be statically forwarded to 1.1.1.1; the branch peers then address 202.100.1.2 as the headquarters peer.
C. Service-provider router ISP:
interface Ethernet0/0
ip address 202.100.1.1 255.255.255.252
no shut
interface Ethernet0/1
ip address 202.100.1.9 255.255.255.252
no shut
interface Ethernet0/2
ip address 202.100.1.5 255.255.255.252
no shut
D. Beijing branch gateway router BJGW:
interface Ethernet0/0
ip address 2.2.2.1 255.255.255.252
ip nat inside
no shut
interface Ethernet0/1
ip address 202.100.1.10 255.255.255.252
ip nat outside
no shut
ip route 0.0.0.0 0.0.0.0 202.100.1.9
ip route 192.168.2.0 255.255.255.0 2.2.2.2
ip access-list extended PAT
permit ip host 2.2.2.2 any
permit ip 192.168.2.0 0.0.0.255 any

ip nat inside source list PAT interface Ethernet0/1 overload

ip nat inside source static udp 2.2.2.2 4500 interface Ethernet0/1 4500
ip nat inside source static udp 2.2.2.2 500 interface Ethernet0/1 500

--- Without the static PAT entries, headquarters cannot initiate the *** connection towards this side.

E. Beijing branch firewall FW2 (PIX 8.0):
interface Ethernet0
nameif Inside
security-level 100
ip address 192.168.2.1 255.255.255.0
no shut
interface Ethernet1
nameif Outside
security-level 0
ip address 2.2.2.2 255.255.255.252
no shut
route Outside 0.0.0.0 0.0.0.0 2.2.2.1 1
access-list Outside extended permit icmp any any
access-group Outside in interface Outside
F. Shanghai branch gateway router SHGW (IPsec terminates on the router itself):
interface Ethernet0/0
ip address 192.168.3.1 255.255.255.0
ip nat inside
no shut
interface Ethernet0/1
ip address 202.100.1.6 255.255.255.252
ip nat outside
no shut
ip route 0.0.0.0 0.0.0.0 202.100.1.5
ip access-list extended PAT
deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 any
ip nat inside source list PAT interface Ethernet0/1 overload
---- On IOS, inside-to-outside NAT is applied before the crypto map is consulted, so the traffic that must be encrypted to headquarters and to Beijing is excluded from PAT; otherwise it would be translated to 202.100.1.6 and never match the crypto ACL.
G. Internet access tests:
① Guangzhou HQ to the Internet (the replies are addressed to 202.100.1.2, GZGW's outside address, so PAT is translating the inside hosts):
ISP#debug ip icmp
ICMP packet debugging is on
ISP#
*Mar 1 02:44:21.135: ICMP: echo reply sent, src 202.100.1.1, dst 202.100.1.2
*Mar 1 02:44:22.411: ICMP: echo reply sent, src 202.100.1.1, dst 202.100.1.2
*Mar 1 02:44:23.467: ICMP: echo reply sent, src 202.100.1.1, dst 202.100.1.2
*Mar 1 02:44:24.659: ICMP: echo reply sent, src 202.100.1.1, dst 202.100.1.2
*Mar 1 02:44:25.743: ICMP: echo reply sent, src 202.100.1.1, dst 202.100.1.2
② Beijing branch to the Internet:
ISP#debug ip icmp
ICMP packet debugging is on
ISP#
*Mar 1 02:46:28.855: ICMP: echo reply sent, src 202.100.1.9, dst 202.100.1.10
*Mar 1 02:46:30.151: ICMP: echo reply sent, src 202.100.1.9, dst 202.100.1.10
*Mar 1 02:46:31.363: ICMP: echo reply sent, src 202.100.1.9, dst 202.100.1.10
*Mar 1 02:46:32.427: ICMP: echo reply sent, src 202.100.1.9, dst 202.100.1.10
*Mar 1 02:46:33.631: ICMP: echo reply sent, src 202.100.1.9, dst 202.100.1.10
③ Shanghai branch to the Internet:
ISP#debug ip icmp
ICMP packet debugging is on
ISP#
*Mar 1 02:48:03.875: ICMP: echo reply sent, src 202.100.1.5, dst 202.100.1.6
*Mar 1 02:48:05.003: ICMP: echo reply sent, src 202.100.1.5, dst 202.100.1.6
*Mar 1 02:48:06.115: ICMP: echo reply sent, src 202.100.1.5, dst 202.100.1.6
*Mar 1 02:48:07.183: ICMP: echo reply sent, src 202.100.1.5, dst 202.100.1.6
*Mar 1 02:48:08.279: ICMP: echo reply sent, src 202.100.1.5, dst 202.100.1.6
5. *** configuration:
A. Guangzhou HQ firewall FW1:
① Phase 1 (ISAKMP) policy (DES, MD5, DH group 2 and the shared key "cisco" are lab settings only; for production use AES, SHA-2, a stronger DH group and a distinct pre-shared key per peer):
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
tunnel-group 202.100.1.6 type ipsec-l2l
tunnel-group 202.100.1.6 ipsec-attributes
pre-shared-key cisco
tunnel-group 202.100.1.10 type ipsec-l2l
tunnel-group 202.100.1.10 ipsec-attributes
pre-shared-key cisco
② Phase 2 transform set:
crypto ipsec transform-set transet esp-des esp-md5-hmac
③ Interesting traffic (crypto ACLs). Besides the HQ LAN, each ACL carries the other branch's LAN as source, so that a packet decrypted from one branch and hairpinned back out Outside matches the crypto map entry for the other branch:
access-list ***-GZ-to-BJ extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list ***-GZ-to-BJ extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list ***-GZ-to-SH extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list ***-GZ-to-SH extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
④ Crypto map, applied to the interface:
crypto map crymap 10 match address ***-GZ-to-SH
crypto map crymap 10 set peer 202.100.1.6
crypto map crymap 10 set transform-set transet
crypto map crymap 20 match address ***-GZ-to-BJ
crypto map crymap 20 set peer 202.100.1.10
crypto map crymap 20 set transform-set transet
crypto map crymap interface Outside
crypto isakmp enable Outside
B. Beijing branch firewall FW2:
① Phase 1 (ISAKMP) policy:
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
tunnel-group 202.100.1.2 type ipsec-l2l
tunnel-group 202.100.1.2 ipsec-attributes
pre-shared-key cisco
② Phase 2 transform set:
crypto ipsec transform-set transet esp-des esp-md5-hmac
③ Interesting traffic (crypto ACL; the second line is what lets Beijing reach Shanghai over the same tunnel to headquarters):
access-list *** extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list *** extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
④ Crypto map, applied to the interface:
crypto map crymap 10 match address ***
crypto map crymap 10 set peer 202.100.1.2
crypto map crymap 10 set transform-set transet
crypto map crymap interface Outside
crypto isakmp enable Outside
C. Shanghai branch router SHGW:
① Phase 1 (ISAKMP) policy (no encryption command is given, so the IOS default applies; it has to match the DES used on the PIX, which can be checked with "show crypto isakmp policy"):
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 202.100.1.2
② Phase 2 transform set:
crypto ipsec transform-set transet esp-des esp-md5-hmac
③ Interesting traffic (crypto ACL; both entries point at the single headquarters peer):
ip access-list extended ***
permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
④ Crypto map, applied to the interface:
crypto map crymap 10 ipsec-isakmp
set peer 202.100.1.2
set transform-set transet
match address ***
interface Ethernet0/1
crypto map crymap
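The design above depends on three things being consistent: each branch's crypto ACL must be the mirror image of the headquarters ACL for that peer, the headquarters ACL for each branch must also carry the other branch's LAN as source (the transit entries), and on SHGW every encrypted flow must be excluded from PAT before the permit line. The following script, an added example in Python that is not part of the original post, parses the ACLs exactly as written above (PIX/ASA subnet-mask form and IOS wildcard form) and runs those three checks; the function names, the check logic and the site names GZ/BJ/SH are this example's own.

```python
# Added example (not from the original post): consistency checks for the
# hub-and-spoke crypto ACLs. The ACL text is copied from the configuration
# sections; the check logic and names are this example's own.
import ipaddress

def _net(tokens, i, style):
    """Read one address spec at tokens[i]; return (network, next index).
    'asa': PIX/ASA ACLs use subnet masks; 'ios': IOS ACLs use wildcard masks."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, mask = tokens[i], tokens[i + 1]
    if style == "ios":  # invert the wildcard into a subnet mask
        mask = ".".join(str(255 - int(o)) for o in mask.split("."))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2

def parse_acl(text, style):
    """Return [(action, src_net, dst_net)] for each permit/deny ip line;
    headers such as 'ip access-list extended NAME' are skipped."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        for action in ("permit", "deny"):
            if action in tokens:
                idx = tokens.index(action)
                break
        else:
            continue
        if tokens[idx + 1] != "ip":
            raise ValueError(f"only 'ip' entries are handled: {line.strip()}")
        src, j = _net(tokens, idx + 2, style)
        dst, _ = _net(tokens, j, style)
        entries.append((action, src, dst))
    return entries

def mirrors(hub_entries, spoke_entries):
    """Spoke permits with no reversed (dst, src) counterpart in the hub's ACL
    for that peer; IPsec only negotiates SAs for mirrored proxy identities."""
    hub = {(s, d) for a, s, d in hub_entries if a == "permit"}
    return [(s, d) for a, s, d in spoke_entries if a == "permit" and (d, s) not in hub]

def transit_missing(hub_maps, lans):
    """For every site A and every spoke B the hub ACL for B must carry
    (lan_A -> lan_B); for A != hub that is the entry that makes hairpinned
    spoke-to-spoke traffic match the crypto map entry for the far spoke."""
    missing = []
    for a, lan_a in lans.items():
        for b, lan_b in lans.items():
            if a == b or b not in hub_maps:
                continue
            permits = {(s, d) for act, s, d in hub_maps[b] if act == "permit"}
            if (lan_a, lan_b) not in permits:
                missing.append((a, b))
    return missing

def nat_leaks(nat_entries, crypto_entries):
    """Crypto-ACL flows whose first match in the NAT ACL is a permit: IOS
    translates inside-to-outside before the crypto map, so they would be
    PATed and never match the crypto ACL."""
    leaks = []
    for _, s, d in crypto_entries:
        for action, ns, nd in nat_entries:
            if s.subnet_of(ns) and d.subnet_of(nd):
                if action == "permit":
                    leaks.append((s, d))
                break
    return leaks

HUB_TO_BJ = """
access-list ***-GZ-to-BJ extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list ***-GZ-to-BJ extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
"""
HUB_TO_SH = """
access-list ***-GZ-to-SH extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list ***-GZ-to-SH extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
"""
BJ_CRYPTO = """
access-list *** extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list *** extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
"""
SH_CRYPTO = """
ip access-list extended ***
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
SH_NAT = """
ip access-list extended PAT
 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 any
"""
LANS = {"GZ": ipaddress.ip_network("192.168.1.0/24"),
        "BJ": ipaddress.ip_network("192.168.2.0/24"),
        "SH": ipaddress.ip_network("192.168.3.0/24")}

def check_all(hub_maps, lans, spoke_crypto, nat_acls):
    """Run every check; all lists in the result are empty for a consistent design."""
    problems = {f"mirror:{p}": mirrors(hub_maps[p], e) for p, e in spoke_crypto.items()}
    problems["transit"] = transit_missing(hub_maps, lans)
    for p, nat in nat_acls.items():
        problems[f"nat:{p}"] = nat_leaks(nat, spoke_crypto[p])
    return problems

if __name__ == "__main__":
    result = check_all(
        {"BJ": parse_acl(HUB_TO_BJ, "asa"), "SH": parse_acl(HUB_TO_SH, "asa")}, LANS,
        {"BJ": parse_acl(BJ_CRYPTO, "asa"), "SH": parse_acl(SH_CRYPTO, "ios")},
        {"SH": parse_acl(SH_NAT, "ios")})
    for name, found in result.items():
        print(name, "OK" if not found else found)
```

Dropping the second line of ***-GZ-to-BJ on FW1 makes transit_missing report ("SH", "BJ") and mirrors flag Beijing's 192.168.2.0 -> 192.168.3.0 entry; removing the deny lines from SHGW's PAT ACL makes nat_leaks report both Shanghai flows, which is the "tunnel never comes up for that subnet" failure the comment under SHGW's NAT configuration warns about.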
6. *** tests:
A. Beijing branch to Guangzhou HQ:
BJpix# show crypto isakmp sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 202.100.1.2
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
B. Shanghai branch to Guangzhou HQ:
SHGW#show crypto isakmp sa
dst             src             state    conn-id slot status
202.100.1.2     202.100.1.6     QM_IDLE  1       0    ACTIVE

SHGW#show crypto engine connections active

ID   Interface   IP-Address   State Algorithm          Encrypt Decrypt
1    Ethernet0/1 202.100.1.6  set   HMAC_MD5+DES_56_CB       0       0
2001 Ethernet0/1 202.100.1.6  set   DES+MD5                  4       0
2002 Ethernet0/1 202.100.1.6  set   DES+MD5                  0       4
C. Beijing and Shanghai reaching each other through HQ (on SHGW a second IPsec SA pair, 2003/2004, for 192.168.3.0/24 <-> 192.168.2.0/24 appears next to the existing 2001/2002 pair for 192.168.3.0/24 <-> 192.168.1.0/24; the 4 encrypted / 3 decrypted counts on the new pair are consistent with the first echo being lost while that SA was negotiated):
SHGW#show crypto engine connections active

ID   Interface   IP-Address   State Algorithm          Encrypt Decrypt
1    Ethernet0/1 202.100.1.6  set   HMAC_MD5+DES_56_CB       0       0
2    Ethernet0/1 202.100.1.6  set   HMAC_MD5+DES_56_CB       0       0
2001 Ethernet0/1 202.100.1.6  set   DES+MD5                  4       0
2002 Ethernet0/1 202.100.1.6  set   DES+MD5                  0       4
2003 Ethernet0/1 202.100.1.6  set   DES+MD5                  4       0
2004 Ethernet0/1 202.100.1.6  set   DES+MD5                  0       3

SHGW#show crypto isakmp sa
dst             src             state    conn-id slot status
202.100.1.2     202.100.1.6     QM_IDLE  2       0    ACTIVE
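The counters in the output above are the quickest way to tell a working hairpin from a broken one: when headquarters decrypts a branch's packets but cannot send them back out Outside (intra-interface traffic not permitted, or a transit entry missing from the hub's crypto ACL), the branch keeps encrypting while its inbound SA never decrypts anything. The script below, an added example in Python that is not part of the original post, parses the "show crypto engine connections active" output as shown on this page and flags SA pairs that carry traffic in one direction only. It assumes, as this example's own reading of the IOS output, that connection IDs of 2000 and above are IPsec SAs and that adjacent IDs (2001/2002, 2003/2004) form one outbound/inbound pair; the constructed one-way sample is not from the page.

```python
# Added example (not from the original post): detect one-way IPsec SA pairs in
# 'show crypto engine connections active' output. Assumptions of this example:
# IDs >= 2000 are IPsec SAs and consecutive IDs form one outbound/inbound pair.

def parse_connections(text):
    """One dict per connection row (id, interface, peer, algo, enc, dec);
    the prompt, blank lines and the column header are skipped."""
    rows = []
    for line in text.splitlines():
        t = line.split()
        if len(t) != 7 or not t[0].isdigit():
            continue
        rows.append({"id": int(t[0]), "interface": t[1], "peer": t[2],
                     "algo": t[4], "enc": int(t[5]), "dec": int(t[6])})
    return rows

def ipsec_pairs(rows):
    """Group the IPsec SAs (assumed: id >= 2000) into consecutive pairs."""
    ipsec = sorted((r for r in rows if r["id"] >= 2000), key=lambda r: r["id"])
    return [(ipsec[i], ipsec[i + 1]) for i in range(0, len(ipsec) - 1, 2)]

def one_way(rows):
    """IDs of SA pairs that have encrypted but never decrypted, or vice versa.
    Counters of both SAs are summed so no assumption about which of the two
    is the outbound SA is needed."""
    bad = []
    for a, b in ipsec_pairs(rows):
        sent, received = a["enc"] + b["enc"], a["dec"] + b["dec"]
        if (sent > 0) != (received > 0):
            bad.append((a["id"], b["id"]))
    return bad

# Output copied from test C above: both SA pairs pass traffic both ways.
SHGW_OK = """\
SHGW#show crypto engine connections active

ID Interface IP-Address State Algorithm Encrypt Decrypt
1 Ethernet0/1 202.100.1.6 set HMAC_MD5+DES_56_CB 0 0
2 Ethernet0/1 202.100.1.6 set HMAC_MD5+DES_56_CB 0 0
2001 Ethernet0/1 202.100.1.6 set DES+MD5 4 0
2002 Ethernet0/1 202.100.1.6 set DES+MD5 0 4
2003 Ethernet0/1 202.100.1.6 set DES+MD5 4 0
2004 Ethernet0/1 202.100.1.6 set DES+MD5 0 3
"""
# Constructed variant (not from the page): the Shanghai->Beijing pair sends
# four packets and never receives a reply.
SHGW_ONE_WAY = SHGW_OK.replace("2004 Ethernet0/1 202.100.1.6 set DES+MD5 0 3",
                               "2004 Ethernet0/1 202.100.1.6 set DES+MD5 0 0")

if __name__ == "__main__":
    for name, text in (("page output", SHGW_OK), ("constructed", SHGW_ONE_WAY)):
        found = one_way(parse_connections(text))
        print(name + ":", found or "every SA pair carries traffic both ways")
```

Run against the page's own output the script reports nothing; against the constructed variant it names the 2003/2004 pair, which on this topology would point at the headquarters side (intra-interface permit or the 192.168.3.0 -> 192.168.2.0 entry in ***-GZ-to-BJ) rather than at Shanghai, since Shanghai is clearly encrypting.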