思路路由器与ASA防火墙第一阶段以aggressive-mode建立×××测试-秋月博客

一.概述： L2L ×××第一阶段可以配置成aggressive-mode，因为aggressive-mode没有Main-mode安全，所以一般用在客户端拨号中。参考链接：http://netwo

.一.概述：. L2L ×××第一阶段可以配置成aggressive-mode，因为aggressive-mode没有Main-mode安全，所以一般用在客户端拨号中。..参考链接：...http://networkology.net/2013/06/24/ios-site-to-site-***-aggressive-mode-ccie-notes/..http://wenku.baidu.com/view/2bc4751f59eef8c75fbfb3ae.html
...http://bbs.51cto.com/thread-918833-1.html..二.基本思路：..A.测试路由器与防火墙以第一阶段aggressive-mode建立 L2L ×××..B.通过抓包确认协商过程中是否带有主机名..三.测试拓扑：.

.四.基本配置：..A.R1：..interface Ethernet0/0
ip address 192.168.1.1 255.255.255.0
no shut..ip route 0.0.0.0 0.0.0.0 192.168.1.2..B.R2:..interface Ethernet0/0
ip address 192.168.1.2 255.255.255.0
ip nat inside.. no shut..interface Ethernet0/1
ip address 202.100.1.2 255.255.255.0
ip nat outside.. no shut..ip route 0.0.0.0 0.0.0.0 202.100.1.3..ip access-list extended PAT
deny ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any..ip nat inside source list PAT interface Ethernet0/1 overload..C.R3:..interface Ethernet0/0
ip address 202.100.1.3 255.255.255.0
. no shut.interface Ethernet0/1
ip address 202.100.2.3 255.255.255.0
. no shut...D.ASA842:..interface GigabitEthernet0
nameif Inside
security-level 100
ip address 172.16.1.10 255.255.255.0
. no shut.interface GigabitEthernet1
nameif Outside
security-level 0
ip address 202.100.2.10 255.255.255.0
. no shut...route Outside 0.0.0.0 0.0.0.0 202.100.2.3..object network Inside_net
subnet 172.16.1.0 255.255.255.0
nat (Inside,Outside) dynamic interface..policy-map global_policy
class inspection_default.. inspect icmp ..E.R4:..interface Ethernet0/0
ip address 172.16.1.4 255.255.255.0
. no shut...ip route 0.0.0.0 0.0.0.0 172.16.1.10..五.×××配置：..A.R2：..①第一阶段策略：..crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2..crypto isakmp key cisco123 hostname ASA842 （这个是多余的，不需要配置）..crypto isakmp identity hostname..crypto isakmp keepalive 10 periodic .crypto isakmp peer address 202.100.2.10
. set aggressive-mode password cisco123 .. set aggressive-mode client-endpoint ipv4-address 202.100.1.2 （这个必须有，否则无法从路由器这侧主动发起×××)..②第二阶段策略：..crypto ipsec transform-set transet esp-3des esp-md5-hmac ..③配置感兴趣流：..ip access-list extended ×××
permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255..④配置crypto map并在接口应用：..crypto map crymap 10 ipsec-isakmp
set peer 202.100.2.3
set transform-set transet
set pfs group2
match address ×××
reverse-route..B.ASA842：..①第一阶段策略：..crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2..crypto isakmp identity hostname..tunnel-group 202.100.1.2 type ipsec-l2l
tunnel-group 202.100.1.2 ipsec-attributes
ikev1 pre-shared-key cisco123..②第二阶段策略：..crypto ipsec ikev1 transform-set transet esp-3des esp-md5-hmac ..③配置感兴趣流并做NAT免除：..access-list ××× extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0 ..object network Inside_net
subnet 172.16.1.0 255.255.255.0
object network Remote_net
subnet 192.168.1.0 255.255.255.0..nat (Inside,Outside) source static Inside_net Inside_net destination static Remote_net Remote_net..③配置crypto map 并在接口调用：..crypto map crymap 10 match address ×××..crypto map crymap 10 set pfs
crypto map crymap 10 set peer 202.100.1.2
crypto map crymap 10 set ikev1 phase1-mode aggressive
crypto map crymap 10 set ikev1 transform-set transet
crypto map crymap 10 set reverse-route..crypto map crymap interface Outside..④在接口启用IKEV1：..crypto ikev1 enable Outside .....六.抓包测试：...

A.第一阶段，aggressive mode一共三个包，第三个包才是加密的

..B.路由器 set aggressive-mode client-endpoint设置的是fqdn还是IP地址，只能决定路由器主动发起连接时使用的是什么..

-----如果防火墙侧主动发起，路由器都是以自己的主机名作为回复，而部署配置中的FQDN或IP

..C.路由器如果client-endpoint用的是IP，则路由器主动发起aggressive mode时用的是IP地址..D.路由器如果client-endpoint用的是fqdn,则路由器主动发起aggressive mode时用的是设置的FQDN地址..E.不管client-endpoint用的是fqdn，还是IP，如果由防火墙侧主动发起，路由器回复的identity都是自己的主机名......七.PIX8.0的配置：..---如果将ASA842改为PIX8.0，PIX的配置如下：..A.基本配置：..interface Ethernet0
nameif Inside
security-level 100
ip address 172.16.1.10 255.255.255.0
. no shut.interface Ethernet1
nameif Outside
security-level 0
ip address 202.100.2.10 255.255.255.0
.. no shut.route Outside 0.0.0.0 0.0.0.0 202.100.2.3....access-list PAT extended permit ip 172.16.1.0 255.255.255.0 any ...nat (Inside) 1 access-list PAT...global (Outside) 1 interface...access-list OUTSIDE extended permit icmp any any
access-group OUTSIDE in interface Outside
B.×××配置：...①第一阶段策略：...crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2...crypto isakmp identity hostname ...tunnel-group 202.100.1.2 type ipsec-l2l..tunnel-group 202.100.1.2 ipsec-attributes.. pre-shared-key cisco...---备注：tunnel-group也可以用对方的FQDN，....②第二阶段策略：...crypto map crymap 10 set transform-set transet...③配置感兴趣流并做NAT免除：....access-list ××× extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0 ....access-list NONAT extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0...nat (Inside) 0 access-list NONAT...④配置crypto map 并在接口调用：...crypto map crymap 10 match address ×××
crypto map crymap 10 set pfs
crypto map crymap 10 set peer 202.100.1.2
crypto map crymap 10 set transform-set transet
crypto map crymap 10 set phase1-mode aggressive group2（group2为默认值，show不会出现）
crypto map crymap 10 set reverse-route
crypto map crymap interface Outside
.⑤在接口启用isakmp：.crypto isakmp enable Outside.....

目录CONTENT

思路路由器与ASA防火墙第一阶段以aggressive-mode建立×××测试

评论区