Using IPSec on firewalls to interconnect private networks at different sites while keeping Internet access from the private network
Lab environment
Topology (as implied by the addresses configured below): PC1 (192.168.1.0/24) sits behind FW1, PC2 (172.16.1.0/24) sits behind FW2, and PC3 (200.1.3.0/24) plays the role of a public-network host attached to R1. R1 connects FW1 (200.1.1.0/24 link), FW2 (200.1.2.0/24 link) and PC3; the 200.1.x.x addresses stand in for public addresses. The firewalls are configured in Huawei USG-style syntax; R1 is a Huawei router.
Lab objective
The branch office (behind FW1) gains secure access to the headquarters intranet (behind FW2) and can also reach the external network.
Detailed steps
Secure access to the headquarters intranet
1. Plan the network, assign IP addresses and configure routing
PC1
IP: 192.168.1.1  Mask: 24  Gateway: 192.168.1.254
PC2
IP: 172.16.1.1  Mask: 24  Gateway: 172.16.1.254
PC3
IP: 200.1.3.1  Mask: 24  Gateway: 200.1.3.254
R1
<Huawei>sy //system-view
[Huawei]sy R1 //sysname R1
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 200.1.1.2 24
[R1-GigabitEthernet0/0/0]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 200.1.2.2 24
[R1-GigabitEthernet0/0/1]q
[R1]ospf
[R1-ospf-1]ar 0 //area 0
[R1-ospf-1-area-0.0.0.0]network 200.1.1.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]network 200.1.2.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]q
[R1-ospf-1]q
[R1]int g0/0/2
[R1-GigabitEthernet0/0/2]ip add 200.1.3.254 24
[R1-GigabitEthernet0/0/2]os e a 0 //ospf enable area 0
FW1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.1.254 255.255.255.0
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 200.1.1.1 255.255.255.0
#
ospf 1 router-id 200.1.1.1
area 0.0.0.0
network 200.1.1.0 0.0.0.255
FW2
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 172.16.1.254 255.255.255.0
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 200.1.2.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 200.1.2.0 0.0.0.255
2. Configure IPSec
FW1
//Assign interfaces to security zones
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
//Configure the IPSec policy (traffic-selector ACL, proposals, IKE peer)
#
acl number 3000
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
#
ipsec proposal 1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer FW2
pre-shared-key %^%#o|g(H(&6sJSbW[W=9HwA<8#=7(M{X1~iyxNCte5*%^%# //stored in encrypted form; the plaintext key used in this lab is huawei (lab value only; use a long random key in production)
ike-proposal 1
remote-address 200.1.2.1
#
ipsec policy runtime 10 isakmp
security acl 3000
ike-peer FW2
proposal 1
//Configure a static route: send traffic for the remote private network towards R1 so that it leaves through the interface that carries the IPSec policy
#
ip route-static 172.16.1.0 255.255.255.0 200.1.1.2
//Apply the IPSec policy to the outbound interface
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 200.1.1.1 255.255.255.0
ipsec policy runtime
FW2
//Assign interfaces to security zones
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
//Configure the IPSec policy (traffic-selector ACL, proposals, IKE peer)
#
acl number 3000
rule 5 permit ip source 172.16.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
ipsec proposal 1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer FW1
pre-shared-key %^%#-]>1EWJpd<GGqcMxAA+3dUwx@L"hi4*WB-N[,yXL%^%# //stored in encrypted form; the plaintext key used in this lab is huawei, the same value as on FW1
ike-proposal 1
remote-address 200.1.1.1
#
ipsec policy runtime 10 isakmp
security acl 3000
ike-peer FW1
proposal 1
//Configure a static route: send traffic for the remote private network towards R1 so that it leaves through the interface that carries the IPSec policy
#
ip route-static 192.168.1.0 255.255.255.0 200.1.2.2
//Apply the IPSec policy to the outbound interface
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 200.1.2.1 255.255.255.0
ipsec policy runtime
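A pre-flight check of the two-site IPSec parameters just configured, as an added example (not part of the original write-up and not a Huawei tool): it encodes the FW1 and FW2 values from the page and verifies the things that must agree before IKE negotiates and traffic is selected for the tunnel: identical IKE and IPSec proposals, each peer's remote-address matching the other side's tunnel interface address, and the two ACL 3000 selectors being exact mirror images. The dict layout, the check_pair function and the deliberately broken copy produced by broken_fw2 are this example's own assumptions.

```python
"""Consistency check for the FW1/FW2 IPSec configuration shown above.

Added example: the values are transcribed from the page, but the data layout
and functions are this example's own, not a Huawei format or command.
"""
import copy

IKE_PROPOSAL_1 = {
    "encryption-algorithm": "aes-256",
    "dh": "group14",
    "authentication-algorithm": "sha2-256",
    "authentication-method": "pre-share",
    "integrity-algorithm": "hmac-sha2-256",
    "prf": "hmac-sha2-256",
}
IPSEC_PROPOSAL_1 = {
    "esp authentication-algorithm": "sha2-256",
    "esp encryption-algorithm": "aes-256",
}

# acl 3000 rules are (source, source-wildcard, destination, destination-wildcard)
FW1 = {
    "name": "FW1",
    "tunnel_if_addr": "200.1.1.1",   # GigabitEthernet1/0/1, carries `ipsec policy runtime`
    "remote_address": "200.1.2.1",   # ike peer FW2
    "ike": dict(IKE_PROPOSAL_1),
    "ipsec": dict(IPSEC_PROPOSAL_1),
    "acl": [("192.168.1.0", "0.0.0.255", "172.16.1.0", "0.0.0.255")],
}
FW2 = {
    "name": "FW2",
    "tunnel_if_addr": "200.1.2.1",   # GigabitEthernet1/0/1
    "remote_address": "200.1.1.1",   # ike peer FW1
    "ike": dict(IKE_PROPOSAL_1),
    "ipsec": dict(IPSEC_PROPOSAL_1),
    "acl": [("172.16.1.0", "0.0.0.255", "192.168.1.0", "0.0.0.255")],
}


def mirror(rule):
    """The selector the other side must carry: source and destination swapped."""
    src, src_wc, dst, dst_wc = rule
    return (dst, dst_wc, src, src_wc)


def check_pair(a, b):
    """Return a list of findings; an empty list means the two sides agree."""
    findings = []
    for kind in ("ike", "ipsec"):
        keys = set(a[kind]) | set(b[kind])
        diff = sorted(k for k in keys if a[kind].get(k) != b[kind].get(k))
        if diff:
            findings.append(f"{kind} proposal mismatch on: {', '.join(diff)}")
    # Each ike peer's remote-address must be the address the other side binds its policy to.
    for local, remote in ((a, b), (b, a)):
        if local["remote_address"] != remote["tunnel_if_addr"]:
            findings.append(
                f"{local['name']} remote-address {local['remote_address']} is not "
                f"{remote['name']}'s tunnel interface {remote['tunnel_if_addr']}")
    # ACL selectors must be exact mirrors, otherwise one direction is never protected.
    for local, remote in ((a, b), (b, a)):
        for rule in local["acl"]:
            if mirror(rule) not in remote["acl"]:
                findings.append(f"{local['name']} acl rule {rule} has no mirror on {remote['name']}")
    return findings


def broken_fw2():
    """Copy of FW2 with two typical mistakes (constructed for this example):
    a different DH group and a selector that is not the exact mirror of FW1's."""
    bad = copy.deepcopy(FW2)
    bad["ike"]["dh"] = "group2"
    bad["acl"] = [("172.16.1.0", "0.0.0.255", "192.168.0.0", "0.0.255.255")]
    return bad


if __name__ == "__main__":
    print("page config:", check_pair(FW1, FW2) or "consistent")
    for finding in check_pair(FW1, broken_fw2()):
        print("broken copy:", finding)
```

The page's configuration passes cleanly; the broken copy is reported on the DH group and on both ACL directions, which is the same information `display ike sa` / `display ipsec sa` on the firewall would only reveal indirectly, as a tunnel that never comes up.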
3. Configure security policies
FW1
//Define the IKE service (IKE uses UDP port 500 as both source and destination port)
#
ip service-set isakmp type object 16
service 0 protocol udp source-port 500
//Configure the security policies
#
security-policy
rule name t_u
source-zone trust
source-zone untrust
destination-zone trust
destination-zone untrust
source-address 172.16.1.0 mask 255.255.255.0
source-address 192.168.1.0 mask 255.255.255.0
destination-address 172.16.1.0 mask 255.255.255.0
destination-address 192.168.1.0 mask 255.255.255.0
action permit
rule name u_l
source-zone untrust
destination-zone local
source-address 200.1.2.1 mask 255.255.255.255
destination-address 200.1.1.1 mask 255.255.255.255
service esp
action permit
rule name isakmp
source-zone local
source-zone untrust
destination-zone local
destination-zone untrust
source-address 200.1.1.1 mask 255.255.255.255
source-address 200.1.2.1 mask 255.255.255.255
destination-address 200.1.1.1 mask 255.255.255.255
destination-address 200.1.2.1 mask 255.255.255.255
service isakmp
action permit
FW2
//Define the IKE service
#
ip service-set isakmp type object 16
service 0 protocol udp source-port 500
//Configure the security policies
#
security-policy
rule name t_u
source-zone trust
source-zone untrust
destination-zone trust
destination-zone untrust
source-address 172.16.1.0 mask 255.255.255.0
source-address 192.168.1.0 mask 255.255.255.0
destination-address 172.16.1.0 mask 255.255.255.0
destination-address 192.168.1.0 mask 255.255.255.0
service icmp //FW2 limits site-to-site traffic to ICMP, while FW1's t_u rule has no service restriction, so only ping is exercised end to end in this lab
action permit
rule name u_l
source-zone untrust
destination-zone local
source-address 200.1.1.1 mask 255.255.255.255
destination-address 200.1.2.1 mask 255.255.255.255
service esp
action permit
rule name isakmp
source-zone local
source-zone untrust
destination-zone local
destination-zone untrust
source-address 200.1.1.1 mask 255.255.255.255
source-address 200.1.2.1 mask 255.255.255.255
destination-address 200.1.1.1 mask 255.255.255.255
destination-address 200.1.2.1 mask 255.255.255.255
service isakmp
action permit
Building on the result above, enable access to the external network
1. Configure the NAT policy
FW1
//Create the address pool
#
nat address-group 1 0
mode pat
section 0 200.1.1.10 200.1.1.10
//Create the NAT policy
#
nat-policy
rule name no_nat //must be matched before the nat rule; see the summary on rule move
source-zone trust
destination-zone untrust
source-address 192.168.1.0 mask 255.255.255.0
destination-address 172.16.1.0 mask 255.255.255.0
action no-nat
rule name nat
source-zone trust
destination-zone untrust
source-address 192.168.1.0 mask 255.255.255.0
action source-nat address-group 1
//Add a default route
#
ip route-static 0.0.0.0 0.0.0.0 200.1.1.2
2. Configure the security policy for NAT
FW1
//Configure the security policy for NAT
#
security-policy
rule name nat
source-zone trust
destination-zone untrust
source-address 192.168.1.0 mask 255.255.255.0
action permit
Test and result analysis
The branch office gains secure access to the headquarters intranet and can also reach the external network.
- Secure access between the two intranets
Intranet host 1 pings intranet host 2
Packet capture on the corresponding link: the capture on the R1 side should show ESP between 200.1.1.1 and 200.1.2.1 rather than plaintext ICMP between 192.168.1.1 and 172.16.1.1.
The results above show that secure access between the intranets has been achieved.
- Intranet access to the external network
Host 1 pings host 2 (private network) and host 3 (public network)
The results above show that, on top of the connectivity between the intranet hosts, the intranet hosts can also reach the public network; the objective of the lab has been met.
Summary
After NAT was configured, access to the other site's intranet stopped working. The cause is the firewall's processing order: source NAT is applied before the IPSec policy on the outbound interface checks its ACL, so the source address of a packet from 192.168.1.0/24 had already been translated to 200.1.1.10 and no longer matched ACL 3000 (192.168.1.0/24 to 172.16.1.0/24). The packet was therefore not selected for the tunnel and could not be forwarded correctly.
The fix is a no-nat rule in the NAT policy that excludes site-to-site traffic from translation. Because NAT rules are matched in order and the nat rule had been configured earlier, it sat above no_nat and matched first, translating site-to-site traffic as well and making no_nat ineffective. The command rule move no_nat before nat places the no-nat rule ahead of the nat rule, so site-to-site traffic matches no_nat first while everything else still falls through to nat; the NAT policy shown above is the order after the move.
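The processing order described in this summary, modelled as an added example (not part of the original write-up and not Huawei code): the forward function runs a packet through FW1's outbound path in the order the summary relies on, security policy, then source NAT, then the IPSec ACL on the outbound interface, using the zone, address and rule names from the FW1 configuration above. Running the same PC1-to-PC2 packet against the NAT policy in both orders shows why no_nat has to sit above nat. The Packet and Rule records, zone_of, rule_matches and forward are this example's own simplification; the isakmp service is modelled on destination port 500 (the page's service-set keys on source port 500; both are 500 for IKE).

```python
"""FW1 outbound path: security policy -> source NAT -> IPSec selector.

Added example: zones, addresses and rule names come from the FW1 configuration
on this page; the records and evaluation logic are this example's own.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "icmp", "udp", "tcp" or "esp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    src_zones: frozenset
    dst_zones: frozenset
    src_nets: tuple               # CIDR strings; empty tuple means any
    dst_nets: tuple
    service: Optional[tuple]      # (proto, dport) or None for any
    action: str                   # permit, no-nat or source-nat


def acl_match(addr: str, network: str, wildcard: str) -> bool:
    """Huawei ACL semantics: wildcard bits set to 1 are 'don't care'."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(network)) & care)


def in_nets(addr: str, nets: tuple) -> bool:
    return not nets or any(IPv4Address(addr) in IPv4Network(n) for n in nets)


def zone_of(addr: str) -> str:
    """Zone follows the interface: 192.168.1.0/24 is behind GigabitEthernet1/0/0
    (trust), 200.1.1.1 is the firewall itself (local), everything else is routed
    out GigabitEthernet1/0/1 (untrust) by the static and default routes."""
    if addr == "200.1.1.1":
        return "local"
    if IPv4Address(addr) in IPv4Network("192.168.1.0/24"):
        return "trust"
    return "untrust"


def rule_matches(rule: Rule, pkt: Packet, sz: str, dz: str) -> bool:
    return (sz in rule.src_zones and dz in rule.dst_zones
            and in_nets(pkt.src, rule.src_nets) and in_nets(pkt.dst, rule.dst_nets)
            and (rule.service is None or rule.service == (pkt.proto, pkt.dport)))


TU, LU = frozenset({"trust", "untrust"}), frozenset({"local", "untrust"})
SITES = ("192.168.1.0/24", "172.16.1.0/24")
PEERS = ("200.1.1.1/32", "200.1.2.1/32")
SECURITY_POLICY = [                       # FW1 security-policy, in configured order
    Rule("t_u", TU, TU, SITES, SITES, None, "permit"),
    Rule("u_l", frozenset({"untrust"}), frozenset({"local"}),
         ("200.1.2.1/32",), ("200.1.1.1/32",), ("esp", None), "permit"),
    Rule("isakmp", LU, LU, PEERS, PEERS, ("udp", 500), "permit"),
    Rule("nat", frozenset({"trust"}), frozenset({"untrust"}), ("192.168.1.0/24",), (), None, "permit"),
]
NO_NAT = Rule("no_nat", frozenset({"trust"}), frozenset({"untrust"}),
              ("192.168.1.0/24",), ("172.16.1.0/24",), None, "no-nat")
SRC_NAT = Rule("nat", frozenset({"trust"}), frozenset({"untrust"}), ("192.168.1.0/24",), (), None, "source-nat")
NAT_POOL = "200.1.1.10"                   # nat address-group 1, mode pat
MOVED = [NO_NAT, SRC_NAT]                 # order after `rule move no_nat before nat`
UNMOVED = [SRC_NAT, NO_NAT]               # order the summary describes before the move


def forward(pkt: Packet, nat_policy: list) -> tuple:
    """Return (disposition, packet as it leaves FW1): drop, local,
    ipsec (selected by ACL 3000 and encrypted) or plain (sent unencrypted)."""
    sz, dz = zone_of(pkt.src), zone_of(pkt.dst)
    hit = next((r for r in SECURITY_POLICY if rule_matches(r, pkt, sz, dz)), None)
    if hit is None or hit.action != "permit":   # implicit deny
        return ("drop", pkt)
    if dz == "local":
        return ("local", pkt)
    nat = next((r for r in nat_policy if rule_matches(r, pkt, sz, dz)), None)
    if nat is not None and nat.action == "source-nat":
        pkt = replace(pkt, src=NAT_POOL)        # translation happens before the IPSec check
    if acl_match(pkt.src, "192.168.1.0", "0.0.0.255") and acl_match(pkt.dst, "172.16.1.0", "0.0.0.255"):
        return ("ipsec", pkt)
    return ("plain", pkt)


if __name__ == "__main__":
    site = Packet("192.168.1.1", "172.16.1.1", "icmp")   # PC1 -> PC2
    print("no_nat first:", forward(site, MOVED))
    print("nat first:   ", forward(site, UNMOVED))
    print("PC1 -> PC3:  ", forward(Packet("192.168.1.1", "200.1.3.1", "icmp"), MOVED))
```

With no_nat first the PC1-to-PC2 packet keeps its 192.168.1.1 source and is selected by ACL 3000; with nat first it leaves as 200.1.1.10 in plaintext, which is the failure the summary describes. PC1-to-PC3 is translated in either order, inbound ESP and IKE from 200.1.2.1 reach the local zone, and anything else from untrust is dropped. The model is stateless: in the real firewall, return traffic is matched by the session table rather than by these rules.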