1. Overview
One PIX/ASA at headquarters builds L2L VPN tunnels to two other PIX firewalls; if possible, the two branch sites should also reach each other through headquarters.
2. Basic approach:
A. Use a single crypto map with different sequence numbers, each entry matching a different peer.
B. Earlier, to save effort, the interesting traffic of every crypto map entry had been written as the same 192.168.0.0/16 summary. A crypto map is evaluated in sequence order and the first entry whose ACL matches wins, so the entry for the second peer was never selected and the VPN broke.
C. If several networks sit behind a firewall, configure reverse route injection and redistribute the injected static routes into the dynamic routing protocol.
3. Test topology:
(Topology diagram not included. From the configurations below: HQ-PIX80 has Outside 202.100.1.1 and Inside 192.168.1.0/24; Branch1-PIX80 has Outside 202.100.2.1 and Inside 192.168.2.0/24; Branch2-PIX80 has Outside 202.100.3.1 and Inside 192.168.3.0/24. Each firewall's default route points to the .10 address of its Outside subnet.)
4. Basic configuration:
A. HQ-PIX80:
① Interface configuration:
interface Ethernet0
nameif Outside
security-level 0
ip address 202.100.1.1 255.255.255.0
no shut
interface Ethernet1
nameif Inside
security-level 100
ip address 192.168.1.1 255.255.255.0
no shut
② Routing:
route Outside 0.0.0.0 0.0.0.0 202.100.1.10
③ Policy (the inbound ACL permits ICMP from anywhere so the tunnels can be tested with ping; this is a lab setting, not something to carry into production):
access-list OUTSIDE extended permit icmp any any
access-group OUTSIDE in interface Outside
④ PAT (NONAT exempts traffic for the 192.168.0.0/16 VPN networks from translation; everything else from Inside is PATed to the Outside interface address):
access-list PAT extended permit ip 192.168.1.0 255.255.255.0 any
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.0.0
global (Outside) 1 interface
nat (Inside) 0 access-list NONAT
nat (Inside) 1 access-list PAT
B. Branch1-PIX80:
① Interface configuration:
interface Ethernet0
nameif Outside
security-level 0
ip address 202.100.2.1 255.255.255.0
no shut
interface Ethernet1
nameif Inside
security-level 100
ip address 192.168.2.1 255.255.255.0
no shut
② Routing:
route Outside 0.0.0.0 0.0.0.0 202.100.2.10
③ Policy (inbound ICMP permitted for testing):
access-list OUTSIDE extended permit icmp any any
access-group OUTSIDE in interface Outside
④ PAT (with NAT exemption for the VPN networks):
access-list PAT extended permit ip 192.168.2.0 255.255.255.0 any
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.0.0
global (Outside) 1 interface
nat (Inside) 0 access-list NONAT
nat (Inside) 1 access-list PAT
C. Branch2-PIX80:
① Interface configuration:
interface Ethernet0
nameif Outside
security-level 0
ip address 202.100.3.1 255.255.255.0
no shut
interface Ethernet1
nameif Inside
security-level 100
ip address 192.168.3.1 255.255.255.0
no shut
② Routing:
route Outside 0.0.0.0 0.0.0.0 202.100.3.10
③ Policy (inbound ICMP permitted for testing):
access-list OUTSIDE extended permit icmp any any
access-group OUTSIDE in interface Outside
④ PAT (with NAT exemption for the VPN networks):
access-list PAT extended permit ip 192.168.3.0 255.255.255.0 any
access-list NONAT extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.0.0
global (Outside) 1 interface
nat (Inside) 0 access-list NONAT
nat (Inside) 1 access-list PAT
5. L2L VPN configuration:
A. HQ-PIX80:
① Phase 1 (ISAKMP) policy and tunnel groups (3DES/MD5/group 2, DES in the transform set below, and the pre-shared key "cisco" are lab values; PIX/ASA 8.0 also supports AES and SHA, which should be preferred outside a lab, and every tunnel group should get its own strong key):
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
tunnel-group 202.100.2.1 type ipsec-l2l
tunnel-group 202.100.2.1 ipsec-attributes
pre-shared-key cisco
tunnel-group 202.100.3.1 type ipsec-l2l
tunnel-group 202.100.3.1 ipsec-attributes
pre-shared-key cisco
② Phase 2 transform set:
crypto ipsec transform-set transet esp-des esp-md5-hmac
③ Interesting traffic (one ACL per peer, each with a specific branch destination):
access-list VPN-BRANCH1 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPN-BRANCH2 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
④ Configure the crypto map (one entry per peer, distinct sequence numbers), apply it to the interface, and enable ISAKMP on the interface:
crypto map crymap 20 match address VPN-BRANCH1
crypto map crymap 20 set peer 202.100.2.1
crypto map crymap 20 set transform-set transet
crypto map crymap 30 match address VPN-BRANCH2
crypto map crymap 30 set peer 202.100.3.1
crypto map crymap 30 set transform-set transet
crypto map crymap interface Outside
crypto isakmp enable Outside
B. Branch1-PIX80:
① Phase 1 (ISAKMP) policy and tunnel group:
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
tunnel-group 202.100.1.1 type ipsec-l2l
tunnel-group 202.100.1.1 ipsec-attributes
pre-shared-key cisco
② Phase 2 transform set:
crypto ipsec transform-set transet esp-des esp-md5-hmac
③ Interesting traffic (the branch uses the 192.168.0.0/16 summary as destination, which covers headquarters and the other branch):
access-list VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.0.0
④ Configure the crypto map, apply it to the interface, and enable ISAKMP on the interface:
crypto map crymap 10 match address VPN
crypto map crymap 10 set peer 202.100.1.1
crypto map crymap 10 set transform-set transet
crypto map crymap interface Outside
crypto isakmp enable Outside
C. Branch2-PIX80:
① Phase 1 (ISAKMP) policy and tunnel group:
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
tunnel-group 202.100.1.1 type ipsec-l2l
tunnel-group 202.100.1.1 ipsec-attributes
pre-shared-key cisco
② Phase 2 transform set:
crypto ipsec transform-set transet esp-des esp-md5-hmac
③ Interesting traffic (summary destination, as on Branch1):
access-list VPN extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.0.0
④ Configure the crypto map, apply it to the interface, and enable ISAKMP on the interface:
crypto map crymap 10 match address VPN
crypto map crymap 10 set peer 202.100.1.1
crypto map crymap 10 set transform-set transet
crypto map crymap interface Outside
crypto isakmp enable Outside
6. Testing:
A. ping test (screenshot not included):
B. show output on the hub (both IKE peers are MM_ACTIVE with HQ as initiator, and two IPsec tunnels are active with no authentication, decryption or replay failures):
HQ-PIX80# show crypto isakmp sa
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: 202.100.2.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: 202.100.3.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
HQ-PIX80# show crypto ipsec stats
IPsec Global Statistics
-----------------------
Active tunnels: 2
Previous tunnels: 10
Inbound
Bytes: 2736
Decompressed bytes: 2736
Packets: 57
Dropped packets: 0
Replay failures: 0
Authentications: 57
Authentication failures: 0
Decryptions: 57
Decryption failures: 0
Decapsulated fragments needing reassembly: 0
Outbound
Bytes: 3600
Uncompressed bytes: 3600
Packets: 75
Dropped packets: 0
Authentications: 75
Authentication failures: 0
Encryptions: 75
Encryption failures: 0
Fragmentation successes: 0
Pre-fragmentation successses: 0
Post-fragmentation successes: 0
Fragmentation failures: 0
Pre-fragmentation failures: 0
Post-fragmentation failures: 0
Fragments created: 0
PMTUs sent: 0
PMTUs rcvd: 0
Protocol failures: 0
Missing SA failures: 0
System capacity failures: 0
7. Branches reaching each other through headquarters:
A. Modify the interesting traffic:
① HQ-PIX80:
access-list VPN-BRANCH1 extended permit ip 192.168.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list VPN-BRANCH2 extended permit ip 192.168.0.0 255.255.0.0 192.168.3.0 255.255.255.0
---Note: the hub's source can be the 192.168.0.0/16 summary, but the destination of each ACL must name the specific branch network. If both destinations were also summaries, the two crypto map entries would match the same traffic, the lower sequence number would always win, and headquarters could not pick the right tunnel for a given flow.
② Branch1-PIX80:
access-list VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.0.0
---Unchanged from before: the destination is the summary, which already includes the other branch's network.
③ Branch2-PIX80:
access-list VPN extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.0.0
---Unchanged from before: the destination is the summary, which already includes the other branch's network.
---Caveat: branch-to-branch traffic enters and leaves the hub on the same Outside interface. On PIX/ASA 7.x and later that hairpin is dropped unless the hub has `same-security-traffic permit intra-interface` configured; it is not listed in the configuration above, so check for it if the branch-to-branch test fails.
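As an added example (not part of the original article), the following Python script emulates how a PIX/ASA crypto map chooses a peer for outbound traffic and checks the two problems discussed in sections 2B and 7A: a crypto map entry whose ACL is fully covered by an earlier entry is never selected (the "lazy" /16 summary case), and the proxy IDs the hub proposes must fit inside the spoke's crypto ACL. The configuration excerpts below are constructed to follow the page's syntax; the names HQ_LAZY, HQ_FIXED, BRANCH1 and the helper functions are mine. The proxy-ID check assumes the hub initiates phase 2 (as in the show output above) and that the responder accepts a proposal no wider than its own ACL.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed config excerpts in PIX/ASA 8.0 syntax (not copied from a real device).
# HQ_LAZY: both crypto map entries match the same 192.168.0.0/16 summary.
HQ_LAZY = """
access-list VPN-BRANCH1 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list VPN-BRANCH2 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.0.0
crypto map crymap 20 match address VPN-BRANCH1
crypto map crymap 20 set peer 202.100.2.1
crypto map crymap 30 match address VPN-BRANCH2
crypto map crymap 30 set peer 202.100.3.1
"""
# HQ_FIXED: summary source, specific branch destination per entry (section 7A).
HQ_FIXED = """
access-list VPN-BRANCH1 extended permit ip 192.168.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list VPN-BRANCH2 extended permit ip 192.168.0.0 255.255.0.0 192.168.3.0 255.255.255.0
crypto map crymap 20 match address VPN-BRANCH1
crypto map crymap 20 set peer 202.100.2.1
crypto map crymap 30 match address VPN-BRANCH2
crypto map crymap 30 set peer 202.100.3.1
"""
BRANCH1 = """
access-list VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.0.0
crypto map crymap 10 match address VPN
crypto map crymap 10 set peer 202.100.1.1
"""

Net = ipaddress.IPv4Network
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (\S+)$")


def parse(config: str):
    """Return (acls, entries). acls: ACL name -> list of (src_net, dst_net).
    entries: list of (seq, acl_name, peer) in ascending sequence order."""
    acls: Dict[str, List[Tuple[Net, Net]]] = {}
    entries: Dict[int, dict] = {}
    for line in config.strip().splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append((Net(f"{s}/{sm}"), Net(f"{d}/{dm}")))
            continue
        m = MAP_RE.match(line.strip())
        if m:
            _, seq, kind, value = m.groups()
            e = entries.setdefault(int(seq), {})
            e["acl" if kind == "match address" else "peer"] = value
    return acls, [(seq, e["acl"], e["peer"]) for seq, e in sorted(entries.items())]


def select_peer(config: str, src: str, dst: str):
    """Emulate the crypto map lookup: the lowest sequence number whose ACL
    permits the flow wins; None means the flow is sent in the clear."""
    acls, entries = parse(config)
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for seq, acl, peer in entries:
        if any(s in sn and d in dn for sn, dn in acls[acl]):
            return seq, peer
    return None


def shadowed_entries(config: str) -> List[int]:
    """Sequence numbers whose ACL is entirely covered by earlier entries' ACLs.
    Such entries can never be selected, so their peer never gets a tunnel."""
    acls, entries = parse(config)
    shadowed = []
    for i, (seq, acl, _) in enumerate(entries):
        earlier = [pair for _, a, _ in entries[:i] for pair in acls[a]]
        covered = all(
            any(sn.subnet_of(esn) and dn.subnet_of(edn) for esn, edn in earlier)
            for sn, dn in acls[acl]
        )
        if covered:
            shadowed.append(seq)
    return shadowed


def proxy_ids_compatible(hub_cfg: str, hub_acl: str, spoke_cfg: str, spoke_acl: str) -> bool:
    """Hub-initiated phase 2: each (src, dst) the hub proposes, seen from the
    spoke as (dst, src), must fit inside one ACE of the spoke's crypto ACL."""
    hub_acls, _ = parse(hub_cfg)
    spoke_acls, _ = parse(spoke_cfg)
    return all(
        any(d.subnet_of(ss) and s.subnet_of(sd) for ss, sd in spoke_acls[spoke_acl])
        for s, d in hub_acls[hub_acl]
    )


if __name__ == "__main__":
    print("lazy  : HQ->Branch2 uses", select_peer(HQ_LAZY, "192.168.1.10", "192.168.3.18"))
    print("lazy  : shadowed entries", shadowed_entries(HQ_LAZY))
    print("fixed : HQ->Branch2 uses", select_peer(HQ_FIXED, "192.168.1.10", "192.168.3.18"))
    print("fixed : Branch2->Branch1 leaves hub via", select_peer(HQ_FIXED, "192.168.3.18", "192.168.2.18"))
    print("fixed : proxy IDs fit Branch1 ACL", proxy_ids_compatible(HQ_FIXED, "VPN-BRANCH1", BRANCH1, "VPN"))
```

With the lazy summaries, traffic for Branch2 is sent to the Branch1 peer and entry 30 is reported as shadowed; with the corrected ACLs each branch gets its own entry, and a flow from 192.168.3.x to 192.168.2.x arriving from the Branch2 tunnel is re-encrypted toward 202.100.2.1, which is the branch-to-branch path the section describes.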
B. Testing:
① Test with VPCS:
Testing with VPCS failed: a branch could not ping the other branch's addresses.
② Test with routers:
With routers in place of the VPCS the test succeeds; the results are below. The first four echoes are lost while the IKE and IPsec SAs for the new proxy IDs are being negotiated, which is normal on the first ping; a repeat should succeed fully.
R3#ping 192.168.3.18
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.18, timeout is 2 seconds:
....!
Success rate is 20 percent (1/5), round-trip min/avg/max = 1236/1236/1236 ms
R3#
*Mar 1 03:14:22.831: ICMP: echo reply rcvd, src 192.168.3.18, dst 192.168.2.18
R3#telnet 192.168.3.18
Trying 192.168.3.18 ... Open
User Access Verification
Password:
R5>show users
Line User Host(s) Idle Location
0 con 0 idle 02:52:18
* 66 vty 0 idle 00:00:00 192.168.2.18
Interface User Mode Idle Peer Address