1. Test topology:
See the test topology at: http://333234.blog.51cto.com/323234/958557
When split tunneling is configured, NAT exemption is not needed; see this post: http://blog.sina.com.cn/s/blog_52ddfea30100ux80.html
For the Site-to-Site *** case where branches reach the public Internet through the HQ ASA, see: http://www.packetu.com/2013/04/02/cisco-asa-8-4-***-dealing-with-internet-hairpin-traffic/
2. Basic idea:
A.same-security-traffic permit intra-interface
--- Because the branch reaches the Internet through HQ, its traffic enters and leaves the ASA only through the outside interface, so traffic must be allowed to enter and exit the same interface at the same security level
B. On the HQ ASA, PAT the branch's internal traffic
--- Assume the branch uses 192.168.1.0/24
object network ***net
subnet 192.168.1.0 255.255.255.0
nat (outside,outside) dynamic interface
C. Because split tunneling is not configured, NAT exemption must also be configured
object network insidenet
subnet 10.1.1.0 255.255.255.0
object network ***net
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source static insidenet insidenet destination static ***net ***net
or:
nat (inside,any) source static insidenet insidenet destination static ***net ***net no-proxy-arp
3. Basic configuration:
A.R1:
interface FastEthernet1/0
ip address 10.1.1.1 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.10
B.R2:
interface FastEthernet1/0
ip address 202.100.1.2 255.255.255.0
no shut
interface FastEthernet0/0
ip address 209.165.201.2 255.255.255.0
no shut
interface FastEthernet0/1
ip address 202.100.2.2 255.255.255.0
no shut
C.R3:
interface FastEthernet0/0
ip address 209.165.201.10 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 209.165.201.2
D.ASA:
interface G0
nameif inside
security-level 100
ip address 10.1.1.10 255.255.255.0
no shut
interface G1
nameif outside
security-level 0
ip address 202.100.1.10 255.255.255.0
no shut
route outside 0 0 202.100.1.2
route Inside 0.0.0.0 0.0.0.0 10.1.1.10 tunneled
policy-map global_policy
class inspection_default
inspect icmp
object network insidenet
subnet 10.1.1.0 255.255.255.0
nat (inside,outside) dynamic interface
4. ASA Ez*** configuration:
A. Phase 1:
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
exit
crypto ikev1 enable outside
B. Phase 1.5:
ip local pool ez***-pool 192.168.1.1-192.168.1.254
tunnel-group ezgroup type remote-access
tunnel-group ezgroup general-attributes
address-pool ez***-pool
exit
tunnel-group ezgroup ipsec-attributes
ikev1 pre-shared-key cisco
username ccsp password ccsp
C. Phase 2:
crypto ipsec ikev1 transform-set transet esp-des esp-md5-hmac
D. Crypto map:
crypto dynamic-map dymap 10 set ikev1 transform-set transet
crypto dynamic-map dymap 10 set reverse-route
crypto map crymap 10 ipsec-isakmp dynamic dymap
E. Apply the crypto map:
crypto map crymap interface outside
F. Configure NAT exemption:
object network insidenet
subnet 10.1.1.0 255.255.255.0
object network ***net
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source static insidenet insidenet destination static ***net ***net
G. Configure same-interface traffic and PAT:
same-security-traffic permit intra-interface
object network ***net
subnet 192.168.1.0 255.255.255.0
nat (outside,outside) dynamic interface
---- Note: if split tunneling is configured, this step is not needed
5. PC Ez*** client configuration:
A. Client connection configuration:
B. The client connects and, after the username and password are entered, the connection succeeds:
C. The internal router R1 can be pinged:
D. An Internet host can be pinged:
E. R3's debug output shows that address translation has taken place:
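As an added check, not part of the original post: a small Python script that parses the HQ ASA lines from steps A to G above (the sample config below is constructed from this post's commands, in running-config indentation, with the object names the post uses) and reports which of the hairpin prerequisites are missing: same-security-traffic on the same interface, the (outside,outside) PAT covering the client pool, the identity NAT exemption towards the pool, IKEv1 enabled and the crypto map applied on outside. The names parse_asa and check_hairpin are my own; the script only understands the subset of ASA syntax used in this lab.

```python
"""Consistency check for the EzVPN hairpin-to-Internet pieces of an ASA 8.4+ config.
Assumes running-config indentation: lines under 'object network' start with a space."""
import ipaddress
import re

# Constructed sample based on the HQ ASA lines in this post (object names as in the post).
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
crypto ikev1 enable outside
ip local pool ez***-pool 192.168.1.1-192.168.1.254
tunnel-group ezgroup general-attributes
 address-pool ez***-pool
crypto map crymap interface outside
object network insidenet
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network ***net
 subnet 192.168.1.0 255.255.255.0
 nat (outside,outside) dynamic interface
nat (inside,outside) source static insidenet insidenet destination static ***net ***net
"""


def parse_asa(config_text):
    """Return (objects, object_nat, twice_nat, pools, flags) parsed from the config text."""
    objects, object_nat, twice_nat, pools, flags = {}, {}, [], {}, set()
    current = None  # name of the 'object network' block we are inside, if any
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():
            current = None  # any top-level command ends the object block
        m = re.match(r'object network (\S+)$', line)
        if m:
            current = m.group(1)
            continue
        if current is not None:
            m = re.match(r'subnet (\S+) (\S+)$', line)
            if m:
                objects[current] = ipaddress.ip_network(f'{m.group(1)}/{m.group(2)}')
            elif line.startswith('nat ('):
                object_nat[current] = line  # object NAT: 'nat' indented under the object
            continue
        if line.startswith('nat ('):
            twice_nat.append(line)  # top-level 'nat': twice (manual) NAT
            continue
        m = re.match(r'ip local pool (\S+) (\S+)-(\S+)$', line)
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
        elif line in ('same-security-traffic permit intra-interface', 'crypto ikev1 enable outside'):
            flags.add(line)
        elif re.match(r'crypto map \S+ interface outside$', line):
            flags.add('crypto map applied to outside')
    return objects, object_nat, twice_nat, pools, flags


def check_hairpin(config_text):
    """Return a list of problems; an empty list means all hairpin prerequisites are present."""
    objects, object_nat, twice_nat, pools, flags = parse_asa(config_text)
    problems = []
    for needed in ('same-security-traffic permit intra-interface',
                   'crypto ikev1 enable outside',
                   'crypto map applied to outside'):
        if needed not in flags:
            problems.append(f'missing: {needed}')
    if not pools:
        problems.append('missing: ip local pool for the clients')
    for name, (first, last) in pools.items():
        # Network objects whose subnet covers the whole client pool
        covering = [n for n, net in objects.items() if first in net and last in net]
        if not covering:
            problems.append(f'pool {name}: no network object covers {first}-{last}')
            continue
        # Hairpin PAT: object NAT (outside,outside) dynamic interface on a covering object
        if not any(object_nat.get(n, '').startswith('nat (outside,outside) dynamic interface')
                   for n in covering):
            problems.append(f'pool {name}: no "nat (outside,outside) dynamic interface" on {covering}')
        # NAT exemption: identity twice NAT with a covering object as the destination
        dest = '|'.join(re.escape(n) for n in covering)
        pat = re.compile(rf'source static (\S+) \1 destination static ({dest}) \2')
        if not any(pat.search(t) for t in twice_nat):
            problems.append(f'pool {name}: no NAT exemption (identity twice NAT) towards {covering}')
    return problems


if __name__ == '__main__':
    for p in check_hairpin(SAMPLE_CONFIG) or ['OK: hairpin prerequisites present']:
        print(p)
```

Paste the output of show running-config in place of SAMPLE_CONFIG to run it against a real box; each finding maps to one of steps A to G above. If split tunneling is later added, drop the NAT-exemption check, as the note above says it is then unnecessary.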
R3#
*Mar 1 00:06:36.591: ICMP: echo reply sent, src 209.165.201.10, dst 202.100.1.10
*Mar 1 00:06:36.599: ICMP: echo reply sent, src 209.165.201.10, dst 202.100.1.10
R3#
*Mar 1 00:06:38.883: ICMP: echo reply sent, src 209.165.201.10, dst 202.100.1.10
R3#
*Mar 1 00:06:40.247: ICMP: echo reply sent, src 209.165.201.10, dst 202.100.1.10