1. Overview:

On a forum I saw someone asking for the IPSec ××× traffic between two branches to pass through headquarters, so I built a topology and tested it. Because my machine could not handle running two VM versions of ASA 8.42, I used PIX 8.0 in place of the ASA; the main configuration should be much the same as on ASA 8.0.

2. Basic approach:

A. Traffic between the two branches reuses the IPSec ××× connections each branch already has to headquarters.

B. Modify the interesting traffic (the crypto ACLs) so that branch-to-branch traffic is encrypted to headquarters first and then forwarded from headquarters to the other branch.

3. Test topology:

(Topology diagram not preserved. As reconstructed from the configurations below: Guangzhou HQ firewall FW1 has Inside 192.168.1.0/24 and sits behind gateway router GZWG at 202.100.1.2; the Beijing branch firewall has Inside 192.168.2.0/24 and sits behind gateway router BJGW at 202.100.1.10; the Shanghai branch router SHGW at 202.100.1.6 serves LAN 192.168.3.0/24; all three gateways connect to the ISP router.)

4. Basic configuration:

A. Guangzhou HQ firewall FW1:

interface Ethernet0
nameif Inside
security-level 100
ip address 192.168.1.1 255.255.255.0
no shut
interface Ethernet1
nameif Outside
security-level 0
ip address 1.1.1.1 255.255.255.252
no shut

route Outside 0.0.0.0 0.0.0.0 1.1.1.2

access-list Outside extended permit icmp any any

access-group Outside in interface Outside

same-security-traffic permit intra-interface

----Because the branch-to-branch traffic will later enter through the Outside interface and leave through that same Outside interface (traffic bounced back on the interface it arrived on), traffic between hosts on the same interface must be permitted.

B. Guangzhou HQ gateway router GZWG:

interface Ethernet0/0
ip address 1.1.1.2 255.255.255.252
ip nat inside
no shut
interface Ethernet0/1
ip address 202.100.1.2 255.255.255.252
ip nat outside
no shut

ip access-list extended PAT
permit ip host 1.1.1.1 any
permit ip 192.168.1.0 0.0.0.255 any

ip route 0.0.0.0 0.0.0.0 202.100.1.1
ip route 192.168.1.0 255.255.255.0 1.1.1.1

ip nat inside source list PAT interface Ethernet0/1 overload

ip nat inside source static udp 1.1.1.1 4500 interface Ethernet0/1 4500
ip nat inside source static udp 1.1.1.1 500 interface Ethernet0/1 500

C. ISP router:

interface Ethernet0/0
ip address 202.100.1.1 255.255.255.252
no shut
interface Ethernet0/1
ip address 202.100.1.9 255.255.255.252
no shut
interface Ethernet0/2
ip address 202.100.1.5 255.255.255.252
no shut

D. Beijing branch gateway router BJGW:

interface Ethernet0/0
ip address 2.2.2.1 255.255.255.252
ip nat inside
no shut
interface Ethernet0/1
ip address 202.100.1.10 255.255.255.252
ip nat outside
no shut

ip route 0.0.0.0 0.0.0.0 202.100.1.9
ip route 192.168.2.0 255.255.255.0 2.2.2.2

ip access-list extended PAT
permit ip host 2.2.2.2 any
permit ip 192.168.2.0 0.0.0.255 any
ip nat inside source list PAT interface Ethernet0/1 overload
ip nat inside source static udp 2.2.2.2 4500 interface Ethernet0/1 4500
ip nat inside source static udp 2.2.2.2 500 interface Ethernet0/1 500
---Without the static PAT entries, headquarters cannot initiate the ××× connection toward this branch directly.

E. Beijing branch firewall:

interface Ethernet0
nameif Inside
security-level 100
ip address 192.168.2.1 255.255.255.0
no shut
interface Ethernet1
nameif Outside
security-level 0
ip address 2.2.2.2 255.255.255.252
no shut

route Outside 0.0.0.0 0.0.0.0 2.2.2.1 1

access-list Outside extended permit icmp any any

access-group Outside in interface Outside
F. Shanghai branch gateway router SHGW:

interface Ethernet0/0
ip address 192.168.3.1 255.255.255.0
ip nat inside
no shut
interface Ethernet0/1
ip address 202.100.1.6 255.255.255.252
ip nat outside
no shut

ip route 0.0.0.0 0.0.0.0 202.100.1.5

ip access-list extended PAT
deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 any

ip nat inside source list PAT interface Ethernet0/1 overload

G. Internet access tests:

① Guangzhou HQ internet access test:


ISP#
*Mar 1 02:44:21.135: ICMP: echo reply sent, src 202.100.1.1, dst 202.100.1.2
*Mar 1 02:44:22.411: ICMP: echo reply sent, src 202.100.1.1, dst 202.100.1.2
*Mar 1 02:44:23.467: ICMP: echo reply sent, src 202.100.1.1, dst 202.100.1.2
*Mar 1 02:44:24.659: ICMP: echo reply sent, src 202.100.1.1, dst 202.100.1.2
*Mar 1 02:44:25.743: ICMP: echo reply sent, src 202.100.1.1, dst 202.100.1.2

② Beijing branch internet access test:


ICMP packet debugging is on
ISP#
*Mar 1 02:46:28.855: ICMP: echo reply sent, src 202.100.1.9, dst 202.100.1.10
*Mar 1 02:46:30.151: ICMP: echo reply sent, src 202.100.1.9, dst 202.100.1.10
*Mar 1 02:46:31.363: ICMP: echo reply sent, src 202.100.1.9, dst 202.100.1.10
*Mar 1 02:46:32.427: ICMP: echo reply sent, src 202.100.1.9, dst 202.100.1.10
*Mar 1 02:46:33.631: ICMP: echo reply sent, src 202.100.1.9, dst 202.100.1.10
③ Shanghai branch internet access test:


ICMP packet debugging is on
ISP#
*Mar 1 02:48:03.875: ICMP: echo reply sent, src 202.100.1.5, dst 202.100.1.6
*Mar 1 02:48:05.003: ICMP: echo reply sent, src 202.100.1.5, dst 202.100.1.6
*Mar 1 02:48:06.115: ICMP: echo reply sent, src 202.100.1.5, dst 202.100.1.6
*Mar 1 02:48:07.183: ICMP: echo reply sent, src 202.100.1.5, dst 202.100.1.6
*Mar 1 02:48:08.279: ICMP: echo reply sent, src 202.100.1.5, dst 202.100.1.6
5. ××× configuration:

A. Guangzhou HQ firewall:

① Phase 1 policy:

crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2

tunnel-group 202.100.1.6 type ipsec-l2l
tunnel-group 202.100.1.6 ipsec-attributes
pre-shared-key cisco
tunnel-group 202.100.1.10 type ipsec-l2l
tunnel-group 202.100.1.10 ipsec-attributes
pre-shared-key cisco

② Phase 2 transform set:

crypto ipsec transform-set transet esp-des esp-md5-hmac

③ Define the interesting traffic:

access-list ×××-GZ-to-BJ extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list ×××-GZ-to-BJ extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list ×××-GZ-to-SH extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list ×××-GZ-to-SH extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0

----The second entry in each ACL is the branch-to-branch traffic: in the map for Shanghai the source is Beijing's subnet, and in the map for Beijing the source is Shanghai's subnet, so each entry mirrors the crypto ACL configured at that branch.

④ Configure the crypto map and apply it to the interface:

crypto map crymap 10 match address ×××-GZ-to-SH
crypto map crymap 10 set peer 202.100.1.6
crypto map crymap 10 set transform-set transet
crypto map crymap 20 match address ×××-GZ-to-BJ
crypto map crymap 20 set peer 202.100.1.10
crypto map crymap 20 set transform-set transet
crypto map crymap interface Outside
crypto isakmp enable Outside

B. Beijing branch firewall:

① Phase 1 policy:

crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2

tunnel-group 202.100.1.2 type ipsec-l2l
tunnel-group 202.100.1.2 ipsec-attributes
pre-shared-key cisco

② Phase 2 transform set:

crypto ipsec transform-set transet esp-des esp-md5-hmac

③ Define the interesting traffic:

access-list ××× extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list ××× extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0

④ Configure the crypto map and apply it to the interface:

crypto map crymap 10 match address ×××
crypto map crymap 10 set peer 202.100.1.2
crypto map crymap 10 set transform-set transet
crypto map crymap interface Outside
crypto isakmp enable Outside

C. Shanghai branch router:

① Phase 1 policy:

crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 202.100.1.2

② Phase 2 transform set:

crypto ipsec transform-set transet esp-des esp-md5-hmac

③ Define the interesting traffic:

ip access-list extended ×××
permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
④ Configure the crypto map and apply it to the interface:

crypto map crymap 10 ipsec-isakmp
set peer 202.100.1.2
set transform-set transet
match address ×××
interface Ethernet0/1
crypto map crymap

6. ××× tests:

A. Beijing branch accessing Guangzhou HQ:


Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 202.100.1.2
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

B. Shanghai branch accessing Guangzhou HQ:


dst src state conn-id slot status
202.100.1.2 202.100.1.6 QM_IDLE 1 0 ACTIVE
SHGW#show crypto engine connections active
ID Interface IP-Address State Algorithm Encrypt Decrypt
1 Ethernet0/1 202.100.1.6 set HMAC_MD5+DES_56_CB 0 0
2001 Ethernet0/1 202.100.1.6 set DES+MD5 4 0
2002 Ethernet0/1 202.100.1.6 set DES+MD5 0 4
C. Beijing and Shanghai reaching each other through HQ:


ID Interface IP-Address State Algorithm Encrypt Decrypt
1 Ethernet0/1 202.100.1.6 set HMAC_MD5+DES_56_CB 0 0
2 Ethernet0/1 202.100.1.6 set HMAC_MD5+DES_56_CB 0 0
2001 Ethernet0/1 202.100.1.6 set DES+MD5 4 0
2002 Ethernet0/1 202.100.1.6 set DES+MD5 0 4
2003 Ethernet0/1 202.100.1.6 set DES+MD5 4 0
2004 Ethernet0/1 202.100.1.6 set DES+MD5 0 3
SHGW#show crypto isakmp sa
dst src state conn-id slot status
202.100.1.2 202.100.1.6 QM_IDLE 2 0 ACTIVE
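As an added check that is not part of the original post, the Python script below encodes the crypto ACLs and the SHGW PAT ACL from sections 4 and 5 and verifies the two things this design depends on: every branch crypto ACE is mirrored in the hub's map for that peer (otherwise Phase 2 fails with a proxy identity mismatch), and the router branch's PAT ACL denies the ××× traffic so it is encrypted rather than translated. The ACL contents are copied from the configuration above; the function names and the standard-library parsing are my own.

```python
import ipaddress

def to_net(addr, mask, wildcard=False):
    """'addr mask' -> network; IOS wildcards are inverted first (contiguous wildcards assumed)."""
    if wildcard:
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_ace(line, wildcard=False):
    """'permit ip S SM D DM' -> (action, src_net, dst_net)."""
    action, _, s, sm, d, dm = line.split()
    return action, to_net(s, sm, wildcard), to_net(d, dm, wildcard)

def first_match(acl, src, dst, wildcard=False):
    """Router-style first-match lookup for a src->dst flow: 'permit', 'deny' or None."""
    for line in acl:
        action, s, d = parse_ace(line, wildcard)
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
    return None

def mirror_errors(hub_acls, spoke_acls):
    """Spoke ACEs with no mirrored (dst, src) ACE in the hub's map for that peer;
    such flows fail Phase 2 negotiation with a proxy identity mismatch."""
    errors = []
    for peer, (wild, lines) in spoke_acls.items():
        hub = {parse_ace(l)[1:] for l in hub_acls[peer]}
        for l in lines:
            _, s, d = parse_ace(l, wild)
            if (d, s) not in hub:
                errors.append((peer, str(s), str(d)))
    return errors

def nat_leaks(pat_acl, crypto_acl):
    """Crypto-ACL flows the PAT ACL still permits: IOS NATs before it encrypts, so they leave in clear."""
    flows = [parse_ace(l, True)[1:] for l in crypto_acl]
    return [(str(s), str(d)) for s, d in flows if first_match(pat_acl, s, d, True) == "permit"]

# ACLs copied from sections 4 and 5; 'any' is written as its wildcard form 0.0.0.0 255.255.255.255.
HUB = {"202.100.1.10": ["permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0",
                        "permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0"],
       "202.100.1.6": ["permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0",
                       "permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0"]}
SPOKES = {"202.100.1.10": (False, ["permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0",
                                   "permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0"]),
          "202.100.1.6": (True, ["permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255",
                                 "permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255"])}
SHGW_PAT = ["deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255",
            "deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255",
            "permit ip 192.168.3.0 0.0.0.255 0.0.0.0 255.255.255.255"]
```

Running `mirror_errors(HUB, SPOKES)` and `nat_leaks(SHGW_PAT, SPOKES["202.100.1.6"][1])` on the page's ACLs returns empty lists; dropping the second ACE from each hub map, or the two deny lines from the PAT ACL, makes the corresponding branch-to-branch flows show up as errors.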