1. Overview
   If a PIX, or an ASA running a release earlier than 8.3, builds an L2L VPN with a router, the preferred way to handle overlapping addresses is to solve it on the router. In practice, however, both ends may be PIX or pre-8.3 ASA devices. Is there a way to solve the address overlap while still keeping Internet access working? Testing shows that there is.
2. Basic idea:
A. To solve the overlap, each side must see the other side's addresses as belonging to a different subnet.
B. On the PIX, static NAT takes precedence over every other form of NAT, so static NAT must be avoided.
C. Policy static NAT has higher precedence than policy PAT.
D. At headquarters, configure PAT and NAT 0 (NAT exemption); the NAT 0 ACL exempts traffic destined to the branch's mapped network address from translation.
---- This ensures that solving the overlap for HQ hosts does not affect their Internet access.
E. At the branch, configure policy PAT and policy static NAT; the policy static NAT ACL lists only branch hosts accessing the mapped addresses of HQ hosts. Because policy static NAT has higher precedence than policy PAT, it is evaluated first.
---- So the branch hosts' Internet access is not affected either.
---- Because policy static NAT, unlike static NAT, does not map a whole subnet one-to-one, this approach is only convenient when a small number of hosts on each side need VPN access to each other; otherwise many policy static NAT entries are needed (at present this approach can only use one-to-one policy static NAT).
F. The source address from HQ to the branch is not translated, so to keep the traffic flowing the translation must be done on the outside interface of the branch firewall, so that the source appears as an address on a different subnet once it enters the branch.
G. The test results show that NAT from the Outside interface toward the inside network takes place after VPN decryption, whereas, conversely, NAT from Inside to Outside takes place before VPN encryption.
3. Test topology:

4. Basic configuration:
A. ERP_HQ router:

interface Ethernet0/0
ip address 172.16.1.2 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 172.16.1.1
B. PIX80_HQ firewall:
interface Ethernet0
nameif Inside
security-level 100
ip address 172.16.1.1 255.255.255.0
no shut
interface Ethernet1
nameif Outside
security-level 0
ip address 202.100.1.1 255.255.255.0
no shut
route Outside 0.0.0.0 0.0.0.0 202.100.1.10
access-list OUTSIDE extended permit icmp any any
access-group OUTSIDE in interface Outside
C. Internet router:
interface Ethernet0/0
ip address 202.100.1.10 255.255.255.0
no shut
interface Ethernet0/1
ip address 202.100.2.10 255.255.255.0
no shut
D. PIX80_Branch firewall:
interface Ethernet0
nameif Inside
security-level 100
ip address 172.16.1.1 255.255.255.0
no shut
interface Ethernet1
nameif Outside
security-level 0
ip address 202.100.2.1 255.255.255.0
no shut
route Outside 0.0.0.0 0.0.0.0 202.100.2.10
access-list OUTSIDE extended permit icmp any any
access-group OUTSIDE in interface Outside
E. ERP_Branch router:
interface Ethernet0/0
ip address 172.16.1.3 255.255.255.0 secondary
ip address 172.16.1.2 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 172.16.1.1
5. Firewall NAT configuration:
A. PIX80_HQ firewall:
① PAT:

access-list PAT extended permit ip 172.16.1.0 255.255.255.0 any
nat (Inside) 1 access-list PAT
global (Outside) 1 interface
② NAT exemption:
access-list NAT0 extended permit ip host 172.16.1.2 host 10.1.2.2
nat (Inside) 0 access-list NAT0
B. PIX80_Branch firewall:
① PAT:
access-list PAT extended permit ip 172.16.1.0 255.255.255.0 any
nat (Inside) 1 access-list PAT
global (Outside) 1 interface
② Policy static NAT:
access-list VPN-NAT extended permit ip host 172.16.1.2 host 10.1.1.2
static (Inside,Outside) 10.1.2.2 access-list VPN-NAT
③ NAT on the outside interface:
static (Outside,Inside) 10.1.1.2 172.16.1.2 netmask 255.255.255.255
---- This way, when HQ's untranslated 172.16.1.2 reaches the branch's outside interface and is decrypted, its address is translated to 10.1.1.2 as it enters the inside network.
6. L2L VPN configuration:
A. PIX80_HQ firewall:
① Phase 1 policy:

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
tunnel-group 202.100.2.1 type ipsec-l2l
tunnel-group 202.100.2.1 ipsec-attributes
pre-shared-key cisco
② Phase 2 transform set:
crypto ipsec transform-set transet esp-des esp-md5-hmac
③ Interesting traffic:
access-list VPN extended permit ip 172.16.1.0 255.255.255.0 10.1.2.0 255.255.255.0
It can also be written more specifically:
access-list VPN extended permit ip host 172.16.1.2 host 10.1.2.2
④ Configure and apply the crypto map:
crypto map crymap 10 match address VPN
crypto map crymap 10 set peer 202.100.2.1
crypto map crymap 10 set transform-set transet
crypto map crymap interface Outside
⑤ Enable ISAKMP on the interface:
crypto isakmp enable Outside
B. PIX80_Branch firewall:
① Phase 1 policy:

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
tunnel-group 202.100.1.1 type ipsec-l2l
tunnel-group 202.100.1.1 ipsec-attributes
pre-shared-key cisco
② Phase 2 transform set:
crypto ipsec transform-set transet esp-des esp-md5-hmac
③ Interesting traffic:
access-list VPN extended permit ip 10.1.2.0 255.255.255.0 172.16.1.0 255.255.255.0
It can also be written more specifically:
access-list VPN extended permit ip host 10.1.2.2 host 172.16.1.2
④ Configure and apply the crypto map:
crypto map crymap 10 match address VPN
crypto map crymap 10 set peer 202.100.1.1
crypto map crymap 10 set transform-set transet
crypto map crymap interface Outside
⑤ Enable ISAKMP on the interface:
crypto isakmp enable Outside
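Before running the live tests, the NAT precedence and ordering described in points B to G can be checked offline. The Python model below is an added example (not part of the original post, nor Cisco code): it encodes the section 5 NAT rules and the section 6 crypto ACLs for both firewalls and traces each direction of traffic; it assumes the ACL names VPN and VPN-NAT, reduces ACL matching to source/destination networks, and models the translations as simple dictionary rewrites.

```python
from ipaddress import ip_address, ip_network

def match(p, src, dst):
    """Evaluate an 'access-list ... permit ip <src> <dst>' line against a packet."""
    return ip_address(p["src"]) in ip_network(src) and ip_address(p["dst"]) in ip_network(dst)

# Crypto ACLs (section 6). They are checked after Inside->Outside NAT and
# before encryption (point G), so they must name post-NAT source addresses.
def hq_crypto(p):
    return match(p, "172.16.1.0/24", "10.1.2.0/24")       # access-list VPN on PIX80_HQ

def br_crypto(p):
    return match(p, "10.1.2.0/24", "172.16.1.0/24")       # access-list VPN on PIX80_Branch

def hq_inside_to_outside(p):
    """PIX80_HQ: nat 0 exemption is evaluated before the PAT rule (point D)."""
    if match(p, "172.16.1.2/32", "10.1.2.2/32"):            # access-list NAT0
        return dict(p), hq_crypto(p)                        # untranslated, into the tunnel
    if match(p, "172.16.1.0/24", "0.0.0.0/0"):              # access-list PAT
        p = {**p, "src": "202.100.1.1"}                     # global (Outside) 1 interface
    return p, hq_crypto(p)

def branch_inside_to_outside(p):
    """PIX80_Branch: policy static NAT outranks policy PAT (points C and E)."""
    to_hq = match(p, "172.16.1.2/32", "10.1.1.2/32")        # access-list VPN-NAT
    if p["dst"] == "10.1.1.2":                              # static (Outside,Inside) 10.1.1.2 172.16.1.2,
        p = {**p, "dst": "172.16.1.2"}                      # reversed: inside hosts address HQ as 10.1.1.2
    if to_hq:
        p = {**p, "src": "10.1.2.2"}                        # static (Inside,Outside) 10.1.2.2 access-list VPN-NAT
    elif match(p, "172.16.1.0/24", "0.0.0.0/0"):            # access-list PAT
        p = {**p, "src": "202.100.2.1"}                     # global (Outside) 1 interface
    return p, br_crypto(p)

def branch_outside_to_inside(p):
    """PIX80_Branch after decryption (point G): HQ's real 172.16.1.2 becomes 10.1.1.2,
    and the policy-static mapped address 10.1.2.2 is undone to the real host."""
    if p["src"] == "172.16.1.2":
        p = {**p, "src": "10.1.1.2"}
    if p["dst"] == "10.1.2.2":
        p = {**p, "dst": "172.16.1.2"}
    return p

def trace_hq_to_branch(src="172.16.1.2", dst="10.1.2.2"):
    """Addresses ERP_Branch sees from an HQ host, and whether the tunnel carried it."""
    p, tunneled = hq_inside_to_outside({"src": src, "dst": dst})
    return (branch_outside_to_inside(p) if tunneled else p), tunneled

def trace_branch_to_hq(src="172.16.1.2", dst="10.1.1.2"):
    """Addresses ERP_HQ sees from a branch host (HQ has only nat 0 for this pair, so nothing more is translated)."""
    return branch_inside_to_outside({"src": src, "dst": dst})
```

Calling trace_branch_to_hq("172.16.1.3") shows the limitation in the closing note: a second branch host, such as ERP_Branch's secondary address, misses the VPN-NAT ACL, is PAT'd to 202.100.2.1 and never enters the tunnel.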
7. Testing:
A. Internet connectivity test:

① ERP_HQ router:
ERP_HQ#ping 202.100.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/94/292 ms
ERP_HQ#
Internet#debug ip icmp
ICMP packet debugging is on
Internet#
*Mar  2 07:36:11.648: ICMP: echo reply sent, src 202.100.1.10, dst 202.100.1.1
*Mar  2 07:36:11.768: ICMP: echo reply sent, src 202.100.1.10, dst 202.100.1.1
*Mar  2 07:36:11.856: ICMP: echo reply sent, src 202.100.1.10, dst 202.100.1.1
*Mar  2 07:36:12.096: ICMP: echo reply sent, src 202.100.1.10, dst 202.100.1.1
*Mar  2 07:36:12.132: ICMP: echo reply sent, src 202.100.1.10, dst 202.100.1.1
② ERP_Branch router:
ERP_Branch#ping 202.100.2.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.2.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/92/344 ms
ERP_Branch#
Internet#debug ip icmp
ICMP packet debugging is on
Internet#
*Mar  2 07:36:57.536: ICMP: echo reply sent, src 202.100.2.10, dst 202.100.2.1
*Mar  2 07:36:57.896: ICMP: echo reply sent, src 202.100.2.10, dst 202.100.2.1
*Mar  2 07:36:57.976: ICMP: echo reply sent, src 202.100.2.10, dst 202.100.2.1
*Mar  2 07:36:57.988: ICMP: echo reply sent, src 202.100.2.10, dst 202.100.2.1
*Mar  2 07:36:58.000: ICMP: echo reply sent, src 202.100.2.10, dst 202.100.2.1
B. VPN access test:
① ERP_HQ router:

ERP_HQ#telnet 10.1.2.2  
Trying 10.1.2.2 ... Open

User Access Verification

Password:
ERP_Branch>show users
   Line       User       Host(s)              Idle       Location
  0 con 0                idle                 00:00:55  
*130 vty 0                idle                 00:00:00 10.1.1.2

 Interface    User               Mode         Idle     Peer Address

ERP_Branch>
② ERP_Branch router:
ERP_Branch#telnet 10.1.1.2
Trying 10.1.1.2 ... Open


User Access Verification

Password:
ERP_HQ>show users
   Line       User       Host(s)              Idle       Location
  0 con 0                idle                 00:00:17  
*130 vty 0                idle                 00:00:00 10.1.2.2

 Interface    User               Mode         Idle     Peer Address

ERP_HQ>

--- Note: once this configuration is complete, only traffic between the two devices ERP_HQ and ERP_Branch actually traverses the VPN normally.