I. Overview:
If the two ends of a LAN-to-LAN IPsec VPN have overlapping internal address ranges, the two sides cannot reach each other; NAT must be configured so that each end sees the other as a different network. A router cannot adjust the priority between static NAT and dynamic PAT, so once static NAT is configured, hosts can no longer reach the Internet; the only workaround is PBR, using two different NAT configuration methods to separate the PAT Internet traffic from the VPN's static NAT traffic. ASA 8.3 and later provides twice NAT, which can match on both source and destination. This test shows how twice NAT on ASA 8.4 solves the overlapping-address problem. Reference link: .
Testing showed that if PIX 8.0 builds an L2L IPsec VPN with a router, the overlap can only be resolved on the PIX side, and the devices behind the PIX are then unable to reach the Internet through the PIX. The main reason is that, as on the router, static NAT has very high priority, and the PIX cannot use PBR to steer traffic to a loopback interface (PIX 8.0 cannot configure a loopback interface at all).
II. Basic idea:
A. Use the fact that NAT takes place before IPsec: configure twice NAT on ASA 8.4 so that the two internal networks can reach each other.
B. Because the destination of the twice NAT rule is the peer's translated private address, PAT for Internet access and twice NAT can coexist.
III. Test topology:
IV. Basic configuration:
A. Headquarters Server router:
interface Ethernet0/0
 ip address 10.1.1.2 255.255.255.0
 no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.1
B. Headquarters ASA 8.4(2) firewall:
interface GigabitEthernet0
 nameif Inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 no shut
interface GigabitEthernet1
 nameif Outside
 security-level 0
 ip address 202.100.1.1 255.255.255.0
 no shut
route Outside 0.0.0.0 0.0.0.0 202.100.1.10
C. Internet router:
interface Ethernet0/0
 ip address 202.100.1.10 255.255.255.0
 no shut
interface Ethernet0/1
 ip address 202.100.2.10 255.255.255.0
 no shut
D. Branch router:
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 no shut
interface Ethernet0/1
 ip address 202.100.2.1 255.255.255.0
 no shut
ip route 0.0.0.0 0.0.0.0 202.100.2.10
E. Branch Inside router:
interface Ethernet0/0
 ip address 10.1.1.2 255.255.255.0
 no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.1
V. L2L IPsec VPN configuration:
A. Headquarters ASA 8.4(2) firewall:
① Phase 1 policy:
crypto ikev1 policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
tunnel-group 202.100.2.1 type ipsec-l2l
tunnel-group 202.100.2.1 ipsec-attributes
 ikev1 pre-shared-key cisco
crypto ikev1 enable Outside
crypto isakmp identity address
② Phase 2 transform set:
crypto ipsec ikev1 transform-set transet esp-des esp-md5-hmac
③ Interesting traffic:
access-list *** extended permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
--- Note: the source is the local internal network as mapped on the ASA; the destination is the peer's real address.
④ Configure the crypto map and apply it:
crypto map crymap 10 match address ***
crypto map crymap 10 set peer 202.100.2.1
crypto map crymap 10 set ikev1 transform-set transet
crypto map crymap 10 set reverse-route
crypto map crymap interface Outside
B. Branch router:
① Phase 1 policy:
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
 encryption des
crypto isakmp key cisco address 202.100.1.1
② Phase 2 transform set:
crypto ipsec transform-set transet esp-des esp-md5-hmac
③ Interesting traffic:
ip access-list extended ***
 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
--- Note: this is the local real address to the peer's mapped address; the two sides mirror each other.
④ Configure the crypto map and apply it:
crypto map crymap 10 ipsec-isakmp
 set peer 202.100.1.1
 set transform-set transet
 match address ***
interface E0/1
crypto map crymap
VI. NAT configuration:
--- Because the interesting traffic of the L2L IPsec VPN is defined in post-NAT addresses, the VPN does not come up yet at this point.
A. PAT for Internet access:
① Headquarters ASA 8.4(2) firewall:
object network Inside-pat
 subnet 10.1.1.0 255.255.255.0
 nat (Inside,Outside) dynamic interface
Test:
Enable ICMP inspection:
policy-map global_policy
 class inspection_default
  inspect icmp
Server#ping 202.100.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/62/132 m
② Branch router:
interface E0/0
ip nat enable
interface e0/1
ip nat enable
ip access-list extended Internet
 deny ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 any
ip nat source list Internet interface Ethernet0/1 overload
Test:
Inside#ping 202.100.2.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.2.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/93/188 ms
B. Twice NAT on the headquarters ASA 8.4(2):
object network Inside_Real
 subnet 10.1.1.0 255.255.255.0
object network Inside_Mapped
 subnet 172.16.1.0 255.255.255.0
object network Branch_Real
 subnet 10.1.1.0 255.255.255.0
object network Branch_Mapped
 subnet 192.168.1.0 255.255.255.0
nat (Inside,Outside) source static Inside_Real Inside_Mapped destination static Branch_Mapped Branch_Real
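To make the interaction between the twice NAT rule, the dynamic PAT rule and the crypto ACL concrete, here is an added Python model (not ASA code, and not part of the original post) that applies the page's NAT rules to an outbound packet from the headquarters Server and then checks whether the post-NAT packet matches the crypto ACL "***". It assumes the ASA 8.3+ rule order (twice NAT in section 1 is evaluated before object NAT in section 2) and a simple net-to-net host-offset mapping for static translation.

```python
from ipaddress import ip_address, ip_network

# Object networks exactly as defined in the ASA configuration above.
OBJECTS = {
    "Inside_Real": ip_network("10.1.1.0/24"),
    "Inside_Mapped": ip_network("172.16.1.0/24"),
    "Branch_Real": ip_network("10.1.1.0/24"),
    "Branch_Mapped": ip_network("192.168.1.0/24"),
}
# nat (Inside,Outside) source static Inside_Real Inside_Mapped
#   destination static Branch_Mapped Branch_Real
TWICE_NAT = ("Inside_Real", "Inside_Mapped", "Branch_Mapped", "Branch_Real")
# object network Inside-pat: nat (Inside,Outside) dynamic interface
PAT_SUBNET = ip_network("10.1.1.0/24")
OUTSIDE_IF = ip_address("202.100.1.1")
# access-list *** extended permit ip 172.16.1.0/24 10.1.1.0/24 (post-NAT addresses)
CRYPTO_ACL = (ip_network("172.16.1.0/24"), ip_network("10.1.1.0/24"))


def _shift(addr, from_net, to_net):
    """Static net-to-net mapping: keep the host offset, swap the network (assumed model)."""
    offset = int(addr) - int(from_net.network_address)
    return ip_address(int(to_net.network_address) + offset)


def translate_outbound(src, dst):
    """Section 1 (twice NAT) is checked first; section 2 (object/dynamic PAT) only if it misses.
    Returns (translated_src, translated_dst, matched_rule)."""
    src, dst = ip_address(src), ip_address(dst)
    s_real, s_map, d_map, d_real = (OBJECTS[n] for n in TWICE_NAT)
    if src in s_real and dst in d_map:  # only traffic to the peer's mapped range hits twice NAT
        return _shift(src, s_real, s_map), _shift(dst, d_map, d_real), "twice-nat"
    if src in PAT_SUBNET:               # everything else from Inside is PATed to the interface
        return OUTSIDE_IF, dst, "dynamic-pat"
    return src, dst, "none"


def is_interesting(src, dst):
    """The crypto map is evaluated on the packet after NAT (NAT runs before IPsec)."""
    return ip_address(src) in CRYPTO_ACL[0] and ip_address(dst) in CRYPTO_ACL[1]


def classify(src, dst):
    """Full outbound decision for one packet: NAT result plus whether it enters the tunnel."""
    t_src, t_dst, rule = translate_outbound(src, dst)
    path = "ipsec" if is_interesting(t_src, t_dst) else "cleartext-internet"
    return {"src": str(t_src), "dst": str(t_dst), "nat": rule, "path": path}


if __name__ == "__main__":
    for dst in ("192.168.1.2", "202.100.1.10"):  # Server -> branch Inside, Server -> Internet router
        print(classify("10.1.1.2", dst))
```

The first case shows why the VPN only comes up after the twice NAT rule exists: the crypto ACL never sees 10.1.1.2 -> 192.168.1.2, only the translated 172.16.1.2 -> 10.1.1.2.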
VII. Test:
------ The headquarters Server router can both reach the Internet and reach the peer.
Server#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 48/104/148 ms
Server#ping 202.100.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/61/132 ms
Server#
Reposted from: http://anavl.baihongyu.com/