1. Overview
I have tested two methods of solving the address overlap problem on PIX 8.0, and neither ever felt quite right. These past few days I happened to be reading the ASA NAT documentation and realised that a static NAT in the (Outside,Inside) direction could solve it. The rack happened to be available, so I tested it there.
2. Basic idea:
A. Both ends are ASA 8.0. After the L2L ××× is established, configure a static NAT between Inside and Outside.
3. Test topology:
4. Basic configuration:
A. ERP_HQ router:
interface GigabitEthernet0/0
ip address 172.16.1.3 255.255.255.0 secondary
ip address 172.16.1.2 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 172.16.1.1
B. ASA-HQ firewall:
interface GigabitEthernet0/0
nameif Inside
security-level 100
ip address 172.16.1.1 255.255.255.0
no shut
interface GigabitEthernet0/1
nameif Outside
security-level 0
ip address 202.100.1.1 255.255.255.0
no shut
route Outside 0.0.0.0 0.0.0.0 202.100.1.10 1
C. Internet router:
interface GigabitEthernet0/0
ip address 202.100.1.10 255.255.255.0
no shut
interface GigabitEthernet0/1
ip address 202.100.2.10 255.255.255.0
no shut
D. ASA-Branch firewall:
interface GigabitEthernet0/0
nameif Inside
security-level 100
ip address 172.16.1.1 255.255.255.0
no shut
interface GigabitEthernet0/1
nameif Outside
security-level 0
ip address 202.100.2.1 255.255.255.0
no shut
route Outside 0.0.0.0 0.0.0.0 202.100.2.10 1
E. ERP_Branch router:
interface GigabitEthernet0/0
ip address 172.16.1.3 255.255.255.0 secondary
ip address 172.16.1.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 172.16.1.1
5. Firewall NAT configuration:
A. ASA-HQ:
① Dynamic PAT:
access-list PAT extended permit ip 172.16.0.0 255.255.0.0 any
nat (Inside) 1 access-list PAT
global (Outside) 1 interface
② Static NAT:
static (Outside,Inside) 172.16.101.0 172.16.1.0 netmask 255.255.255.0
③ NAT exemption:
access-list NONAT extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
nat (Inside) 0 access-list NONAT
--- Note: the NAT exemption must also cover the addresses as they appear after the static NAT; otherwise, once the static translation has been applied, the packet is PATed a second time and no longer matches the interesting traffic.
B. ASA-Branch:
① Dynamic PAT:
access-list PAT extended permit ip 172.16.0.0 255.255.0.0 any
nat (Inside) 1 access-list PAT
global (Outside) 1 interface
② Static NAT:
static (Outside,Inside) 172.16.100.0 172.16.1.0 netmask 255.255.255.0
③ NAT exemption:
access-list NONAT extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
nat (Inside) 0 access-list NONAT
--- Note: the NAT exemption must also cover the addresses as they appear after the static NAT; otherwise, once the static translation has been applied, the packet is PATed a second time and no longer matches the interesting traffic.
6. Firewall L2L ××× configuration:
A. ASA-HQ:
① Phase 1 policy:
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
tunnel-group 202.100.2.1 type ipsec-l2l
tunnel-group 202.100.2.1 ipsec-attributes
pre-shared-key cisco
② Phase 2 transform set:
crypto ipsec transform-set transet esp-des esp-md5-hmac
③ Interesting traffic:
access-list ××× extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
④ Configure the crypto map and apply it on the interface:
crypto map crymap 10 match address ×××
crypto map crymap 10 set peer 202.100.2.1
crypto map crymap 10 set transform-set transet
crypto map crymap interface Outside
crypto isakmp enable Outside
B. ASA-Branch:
① Phase 1 policy:
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
tunnel-group 202.100.1.1 type ipsec-l2l
tunnel-group 202.100.1.1 ipsec-attributes
pre-shared-key cisco
② Phase 2 transform set:
crypto ipsec transform-set transet esp-des esp-md5-hmac
③ Interesting traffic:
access-list ××× extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
④ Configure the crypto map and apply it on the interface:
crypto map crymap 10 match address ×××
crypto map crymap 10 set peer 202.100.1.1
crypto map crymap 10 set transform-set transet
crypto map crymap interface Outside
crypto isakmp enable Outside
7. Test:
A. From ERP_HQ to ERP_Branch:
ERP_HQ#PING 172.16.101.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.101.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
ERP_HQ#te
*Jul 10 03:34:15.142: ICMP: echo reply rcvd, src 172.16.101.3, dst 172.16.1.2
*Jul 10 03:34:15.146: ICMP: echo reply rcvd, src 172.16.101.3, dst 172.16.1.2
*Jul 10 03:34:15.146: ICMP: echo reply rcvd, src 172.16.101.3, dst 172.16.1.2
*Jul 10 03:34:15.150: ICMP: echo reply rcvd, src 172.16.101.3, dst 172.16.1.2
ERP_Branch(config-line)#
*Mar 31 14:57:59.470: ICMP: echo reply sent, src 172.16.1.3, dst 172.16.100.2
*Mar 31 14:57:59.474: ICMP: echo reply sent, src 172.16.1.3, dst 172.16.100.2
*Mar 31 14:57:59.474: ICMP: echo reply sent, src 172.16.1.3, dst 172.16.100.2
*Mar 31 14:57:59.478: ICMP: echo reply sent, src 172.16.1.3, dst 172.16.100.2
ERP_HQ#telnet 172.16.101.3
Trying 172.16.101.3 ... Open
User Access Verification
Password:
ERP_Branch>show users
Line User Host(s) Idle Location
*514 vty 0 idle 00:00:00 172.16.100.2
Interface User Mode Idle Peer Address
ERP_Branch>
B. From ERP_Branch to ERP_HQ:
ERP_Branch#ping 172.16.100.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.100.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
ERP_Branch#
*Mar 31 15:15:51.374: ICMP: echo reply rcvd, src 172.16.100.3, dst 172.16.1.2
*Mar 31 15:15:51.374: ICMP: echo reply rcvd, src 172.16.100.3, dst 172.16.1.2
*Mar 31 15:15:51.378: ICMP: echo reply rcvd, src 172.16.100.3, dst 172.16.1.2
*Mar 31 15:15:51.378: ICMP: echo reply rcvd, src 172.16.100.3, dst 172.16.1.2
*Mar 31 15:15:51.378: ICMP: echo reply rcvd, src 172.16.100.3, dst 172.16.1.2
ERP_HQ(config-line)#
*Jul 10 03:52:07.029: ICMP: echo reply sent, src 172.16.1.3, dst 172.16.101.2
*Jul 10 03:52:07.033: ICMP: echo reply sent, src 172.16.1.3, dst 172.16.101.2
*Jul 10 03:52:07.033: ICMP: echo reply sent, src 172.16.1.3, dst 172.16.101.2
*Jul 10 03:52:07.037: ICMP: echo reply sent, src 172.16.1.3, dst 172.16.101.2
*Jul 10 03:52:07.037: ICMP: echo reply sent, src 172.16.1.3, dst 172.16.101.2
ERP_Branch#telnet 172.16.100.3
Trying 172.16.100.3 ... Open
User Access Verification
Password:
ERP_HQ>show users
Line User Host(s) Idle Location
0 con 0 idle 00:01:24
*514 vty 0 idle 00:00:00 172.16.101.2
Interface User Mode Idle Peer Address
ERP_HQ>
--- Note: the only drawback of this method is that a host cannot reach the remote address that has the same host number as its own.
--- packet-tracer on the ASA shows the drop, as follows:
ASA-Branch# packet-tracer input Outside icmp 172.16.1.2 8 0 172.16.1.2
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.1.0 255.255.255.0 Inside
Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed
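As an added illustration (not part of the original post), the following Python model reproduces the address rewriting of the two static (Outside,Inside) rules from section 5 and the same-host-number drop shown by packet-tracer above. It assumes the 172.16.0.0/16 NONAT and crypto ACLs from the page, and models the drop simply as identical real source and destination after un-translation, which is exactly what the packet-tracer above was fed.

```python
import ipaddress

# Constructed model (not the page's own code) of the two static (Outside,Inside)
# rules from section 5 and the 172.16.0.0/16 NONAT / crypto ACL from section 6.
CRYPTO_NET = ipaddress.ip_network("172.16.0.0/16")

def _map_host(addr, from_net, to_net):
    """Netmask-style static NAT: keep the host bits, swap the network prefix."""
    a = ipaddress.ip_address(addr)
    f, t = ipaddress.ip_network(from_net), ipaddress.ip_network(to_net)
    if a not in f:
        return None
    return str(t.network_address + (int(a) - int(f.network_address)))

class Asa:
    """One site's 'static (Outside,Inside) <mapped_remote> <real_remote> netmask /24'."""
    def __init__(self, name, mapped_remote, real_remote):
        self.name, self.mapped_remote, self.real_remote = name, mapped_remote, real_remote

    def outbound(self, src, dst):
        """Inside -> Outside: un-translate the mapped destination. The source is
        left alone by 'nat (Inside) 0' (NAT exemption), so the packet still
        matches the crypto ACL instead of being PATed a second time."""
        real_dst = _map_host(dst, self.mapped_remote, self.real_remote)
        if real_dst is None:
            return None  # not for the peer LAN; it would take the PAT path
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(real_dst)
        if s not in CRYPTO_NET or d not in CRYPTO_NET:
            return None  # would not be encrypted
        return (src, real_dst)

    def inbound(self, src, dst):
        """Outside -> Inside after decryption: rewrite the peer's real source into
        the mapped range so local hosts see a non-overlapping address."""
        if src == dst:
            # Same host number on both LANs: modelled as the drop the page's
            # packet-tracer shows (assumption: identical real src/dst is dropped).
            return None
        mapped_src = _map_host(src, self.real_remote, self.mapped_remote)
        return None if mapped_src is None else (mapped_src, dst)

HQ = Asa("ASA-HQ", "172.16.101.0/24", "172.16.1.0/24")
BRANCH = Asa("ASA-Branch", "172.16.100.0/24", "172.16.1.0/24")

def deliver(sender, receiver, src, dst):
    """(src, dst) as seen on the receiver's LAN, or None if dropped on the way."""
    on_wire = sender.outbound(src, dst)
    return None if on_wire is None else receiver.inbound(*on_wire)
```

deliver(HQ, BRANCH, "172.16.1.2", "172.16.101.3") yields ('172.16.100.2', '172.16.1.3'), matching the ERP_Branch debug output above, while the same source aimed at 172.16.101.2 is dropped.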
C. Internet access works normally from both sides:
ERP_HQ#ping 202.100.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
ERP_HQ#
*Jul 10 04:03:59.073: ICMP: echo reply rcvd, src 202.100.1.10, dst 172.16.1.2
*Jul 10 04:03:59.073: ICMP: echo reply rcvd, src 202.100.1.10, dst 172.16.1.2
*Jul 10 04:03:59.073: ICMP: echo reply rcvd, src 202.100.1.10, dst 172.16.1.2
*Jul 10 04:03:59.073: ICMP: echo reply rcvd, src 202.100.1.10, dst 172.16.1.2
*Jul 10 04:03:59.077: ICMP: echo reply rcvd, src 202.100.1.10, dst 172.16.1.2
Internet#debug ip icmp
ICMP packet debugging is on
Internet#
*Aug 2 14:28:00.205: ICMP: echo reply sent, src 202.100.1.10, dst 202.100.1.1
*Aug 2 14:28:00.209: ICMP: echo reply sent, src 202.100.1.10, dst 202.100.1.1
*Aug 2 14:28:00.209: ICMP: echo reply sent, src 202.100.1.10, dst 202.100.1.1
*Aug 2 14:28:00.209: ICMP: echo reply sent, src 202.100.1.10, dst 202.100.1.1
*Aug 2 14:28:00.209: ICMP: echo reply sent, src 202.100.1.10, dst 202.100.1.1
ERP_Branch#ping 202.100.2.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.2.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
ERP_Branch#
*Mar 31 15:32:55.286: ICMP: echo reply rcvd, src 202.100.2.10, dst 172.16.1.2
*Mar 31 15:32:55.290: ICMP: echo reply rcvd, src 202.100.2.10, dst 172.16.1.2
*Mar 31 15:32:55.290: ICMP: echo reply rcvd, src 202.100.2.10, dst 172.16.1.2
*Mar 31 15:32:55.290: ICMP: echo reply rcvd, src 202.100.2.10, dst 172.16.1.2
*Mar 31 15:32:55.290: ICMP: echo reply rcvd, src 202.100.2.10, dst 172.16.1.2
Internet#debug ip icmp
ICMP packet debugging is on
Internet#
*Aug 2 14:28:41.561: ICMP: echo reply sent, src 202.100.2.10, dst 202.100.2.1
*Aug 2 14:28:41.565: ICMP: echo reply sent, src 202.100.2.10, dst 202.100.2.1
*Aug 2 14:28:41.565: ICMP: echo reply sent, src 202.100.2.10, dst 202.100.2.1
*Aug 2 14:28:41.565: ICMP: echo reply sent, src 202.100.2.10, dst 202.100.2.1
*Aug 2 14:28:41.569: ICMP: echo reply sent, src 202.100.2.10, dst 202.100.2.1
Reposted from: https://blog.51cto.com/333234/1243952