Cisco ASA 8.4 L2L *** test: solving overlapping addresses with twice NAT

I. Overview:

   If the private networks at both ends of a LAN-to-LAN IPsec *** overlap, the two sides cannot reach each other. NAT has to be configured so that each end sees the other as a different network. A router cannot change the priority between static NAT and dynamic PAT, so once static NAT is configured the hosts can no longer reach the Internet; the only workaround is PBR, using two different NAT configuration methods to separate the PAT Internet traffic from the static-NAT *** traffic. ASA 8.3 and later have twice NAT, which can match on both source and destination. This test shows how twice NAT on ASA 8.4 solves the overlapping-address problem. Reference: https://supportforums.cisco.com/docs/DOC-13429

   Testing showed that when a PIX 8.0 builds an L2L IPsec *** with a router, the overlapping-address problem can only be solved on the PIX side, and in that case the devices behind the PIX cannot reach the Internet through it. The main reason is the same as on the router: static NAT has a very high priority, and the PIX cannot use PBR to steer traffic to a loopback interface (PIX 8.0 cannot configure a loopback interface at all).

II. Basic idea:

A. Use the fact that NAT is applied before IPsec: configure twice NAT on the ASA 8.4 so that the two private networks can reach each other.

B. Because the destination of the twice NAT rule is the peer's translated private network, interface PAT for Internet access and twice NAT can coexist.

III. Test topology:

[Topology diagram: 183426935.jpg (image not included in this text)]

IV. Basic configuration:

A. Headquarters Server router:

interface Ethernet0/0
ip address 10.1.1.2 255.255.255.0
no shut

ip route 0.0.0.0 0.0.0.0 10.1.1.1

B. Headquarters ASA 8.42 firewall:

interface GigabitEthernet0
nameif Inside
security-level 100
ip address 10.1.1.1 255.255.255.0
no shut
interface GigabitEthernet1
nameif Outside
security-level 0
ip address 202.100.1.1 255.255.255.0
no shut

route Outside 0.0.0.0 0.0.0.0 202.100.1.10

C. Internet router:

interface Ethernet0/0
ip address 202.100.1.10 255.255.255.0
no shut
interface Ethernet0/1
ip address 202.100.2.10 255.255.255.0
no shut

D. Branch router:

interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
no shut
interface Ethernet0/1
ip address 202.100.2.1 255.255.255.0
no shut

ip route 0.0.0.0 0.0.0.0 202.100.2.10

E. Branch Inside router:

interface Ethernet0/0
ip address 10.1.1.2 255.255.255.0
no shut

ip route 0.0.0.0 0.0.0.0 10.1.1.1

V. L2L IPsec *** configuration:

A. Headquarters ASA 8.42 firewall:

① Phase 1 policy:

crypto ikev1 policy 10
authentication pre-share
encryption des
hash md5
group 2

tunnel-group 202.100.2.1 type ipsec-l2l
tunnel-group 202.100.2.1 ipsec-attributes
ikev1 pre-shared-key cisco

crypto ikev1 enable Outside

crypto isakmp identity address

② Phase 2 transform set:

crypto ipsec ikev1 transform-set transet esp-des esp-md5-hmac

③ Interesting traffic:

access-list *** extended permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
--- Note: the source is the local private network as mapped on the ASA; the destination is the peer's real network.

④ Configure the crypto map and apply it:

crypto map crymap 10 match address ***
crypto map crymap 10 set peer 202.100.2.1
crypto map crymap 10 set ikev1 transform-set transet
crypto map crymap 10 set reverse-route
crypto map crymap interface Outside

B. Branch router:

① Phase 1 policy:

crypto isakmp policy 10
hash md5
authentication pre-share
group 2
encryption des

crypto isakmp key cisco address 202.100.1.1

② Phase 2 transform set:

crypto ipsec transform-set transet esp-des esp-md5-hmac

③ Interesting traffic:

ip access-list extended ***
permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255

--- Note: this is the local real network to the peer's mapped network; the two sides are mirror images of each other.

④ Configure the crypto map and apply it:

crypto map crymap 10 ipsec-isakmp
set peer 202.100.1.1
set transform-set transet
match address ***

interface E0/1
crypto map crymap

VI. NAT configuration:

--- Because the interesting traffic is defined with post-NAT addresses, the L2L IPsec *** cannot come up yet at this point.

A. Interface PAT for Internet access:

① Headquarters ASA 8.42 firewall:

object network Inside-pat
subnet 10.1.1.0 255.255.255.0
nat (Inside,Outside) dynamic interface

Test:

Enable ICMP inspection (so the echo replies are allowed back through the PAT):

policy-map global_policy
class inspection_default
 inspect icmp

Server#ping 202.100.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/62/132 m

② Branch router:

interface E0/0
ip nat enable
interface e0/1
ip nat enable

ip access-list extended Internet
deny   ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 any

ip nat source list Internet interface Ethernet0/1 overload

Test:

Inside#ping 202.100.2.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.2.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/93/188 ms

B. Twice NAT configuration on the headquarters ASA 8.42:

object network Inside_Real
subnet 10.1.1.0 255.255.255.0
object network Inside_Mapped
subnet 172.16.1.0 255.255.255.0
object network Branch_Real
subnet 10.1.1.0 255.255.255.0
object network Branch_Mapped
subnet 192.168.1.0 255.255.255.0
nat (Inside,Outside) source static Inside_Real Inside_Mapped destination static Branch_Mapped Branch_Real
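To make the NAT ordering that Section II relies on concrete, here is a small Python model, added for this page and not part of the original post or of any Cisco tool. It evaluates a section 1 (manual/twice) NAT rule before the section 2 (object) PAT rule, as the ASA does, translates the two pings that the Server router (10.1.1.2) sends in Section VII, and checks that only the twice-NAT flow matches the ASA crypto ACL and that the crypto ACLs of the two peers mirror each other. The class and function names and the two sample flows are this example's own constructions; the addresses are the ones from the configuration above.

```python
"""Model of ASA 8.3+ NAT ordering: section 1 (twice NAT) is checked before section 2 (object NAT).

Added illustration; class and function names are this example's own, not ASA commands.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


def shift_host(addr: IPv4Address, real: IPv4Network, mapped: IPv4Network) -> IPv4Address:
    """Static net-to-net translation: keep the host offset, swap the network prefix."""
    offset = int(addr) - int(real.network_address)
    return IPv4Address(int(mapped.network_address) + offset)


@dataclass
class TwiceNat:
    """Section 1 rule, matching on source AND destination. Models:
    nat (Inside,Outside) source static Inside_Real Inside_Mapped
        destination static Branch_Mapped Branch_Real"""
    real_src: IPv4Network
    mapped_src: IPv4Network
    mapped_dst: IPv4Network
    real_dst: IPv4Network

    def apply(self, src: IPv4Address, dst: IPv4Address):
        if src in self.real_src and dst in self.mapped_dst:
            return (shift_host(src, self.real_src, self.mapped_src),
                    shift_host(dst, self.mapped_dst, self.real_dst))
        return None


@dataclass
class ObjectPat:
    """Section 2 rule, object NAT 'nat (Inside,Outside) dynamic interface'.
    Matches on source only; port translation is not modelled."""
    real_src: IPv4Network
    interface_ip: IPv4Address

    def apply(self, src: IPv4Address, dst: IPv4Address):
        if src in self.real_src:
            return self.interface_ip, dst
        return None


def translate(src, dst, section1, section2):
    """First match wins, and section 1 is walked before section 2 (ASA behaviour)."""
    for rule in [*section1, *section2]:
        hit = rule.apply(src, dst)
        if hit is not None:
            return hit[0], hit[1], type(rule).__name__
    return src, dst, "untranslated"


# Crypto ACL entries as (source, destination) permit pairs, taken from the page.
ASA_CRYPTO_ACL = [(ip_network("172.16.1.0/24"), ip_network("10.1.1.0/24"))]
BRANCH_CRYPTO_ACL = [(ip_network("10.1.1.0/24"), ip_network("172.16.1.0/24"))]


def matches_acl(acl, src, dst) -> bool:
    """Does the post-NAT flow hit any permit entry of the crypto ACL?"""
    return any(src in s and dst in d for s, d in acl)


def is_mirror(local, remote) -> bool:
    """The crypto ACLs on the two peers must be exact mirror images."""
    return sorted(local) == sorted((d, s) for s, d in remote)


# Rules from the headquarters ASA configuration on the page.
ASA_TWICE = TwiceNat(ip_network("10.1.1.0/24"), ip_network("172.16.1.0/24"),
                     ip_network("192.168.1.0/24"), ip_network("10.1.1.0/24"))
ASA_PAT = ObjectPat(ip_network("10.1.1.0/24"), ip_address("202.100.1.1"))


def demo():
    """Reproduce the two pings from the Server router in Section VII (constructed flows)."""
    server = ip_address("10.1.1.2")
    out = {}
    for target in ("192.168.1.2", "202.100.1.10"):
        s, d, rule = translate(server, ip_address(target), [ASA_TWICE], [ASA_PAT])
        out[target] = (str(s), str(d), rule, matches_acl(ASA_CRYPTO_ACL, s, d))
    return out


if __name__ == "__main__":
    for target, (s, d, rule, encrypted) in demo().items():
        print(f"10.1.1.2 -> {target}: {rule} gives {s} -> {d}, crypto ACL match={encrypted}")
    print("crypto ACLs mirror each other:", is_mirror(ASA_CRYPTO_ACL, BRANCH_CRYPTO_ACL))
```

The ping to 192.168.1.2 is rewritten to 172.16.1.2 -> 10.1.1.2 by the twice NAT rule and therefore matches the crypto ACL and is encrypted; the ping to 202.100.1.10 does not match the twice NAT destination, falls through to the object PAT and leaves in the clear. If the object PAT were evaluated first, the twice NAT rule would never be hit, which is exactly the ordering problem the router and PIX cannot express.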

VII. Test:

------ The headquarters Server router can both reach the Internet and reach the peer.

Server#ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 48/104/148 ms
Server#ping 202.100.1.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/61/132 ms
Server#
