拓扑图如上。说明:ASA1、2、3模拟分支边界网关,并启用PAT。R1、2、3模拟各内网设备。要求:在ASA1、2、3上配置Site to Site ×××,实现全互联并配置反向路由注入(RRI),R
.
拓扑图如上。
说明:ASA1、2、3模拟分支边界网关,并启用PAT。R1、2、3模拟各内网设备。
要求:在ASA1、2、3上配置Site to Site ×××,实现全互联并配置反向路由注入(RRI),R1、2、3可以使用私有IP加密通信,不要求使用loopback IP通信;R1、2、3上有去往各私网的路由(通过RRI)。
配置如下:
ASA1:
ciscoasa>en ciscoasa# conf t//基本配置部分ciscoasa(config)# hostname ASA1ASA1(config)# int e0/0ASA1(config-if)# nameif outsideASA1(config-if)# security-level 0ASA1(config-if)# ip add 209.165.200.225 255.255.255.224ASA1(config-if)# no shutASA1(config-if)# int e0/1ASA1(config-if)# nameif insideASA1(config-if)# security-level 100ASA1(config-if)# ip add 192.168.1.1 255.255.255.0ASA1(config-if)# no shutASA1(config-if)# exitASA1(config)# nat (inside) 1 0 0ASA1(config)# global (outside) 1 interfaceASA1(config)# route outside 0 0 209.165.200.227ASA1(config)# policy-map global_policyASA1(config-pmap)# class inspection_defaultASA1(config-pmap-c)# inspect icmp //默认ASA不监控ICMP流量,在此外加上可以使内网ping通外网ASA1(config-pmap-c)# endASA1#conf t//1、启用ISAKMPASA1(config)# crypto isakmp enable outside//2、创建ISAKMP策略ASA1(config)# crypto isakmp policy 1ASA1(config-isakmp-policy)# encryption aes-256ASA1(config-isakmp-policy)# hash shaASA1(config-isakmp-policy)# group 5ASA1(config-isakmp-policy)# lifetime 86400ASA1(config-isakmp-policy)# authentication pre-shareASA1(config-isakmp-policy)# exit//3、创建隧道组ASA1(config)# tunnel-group 209.165.201.1 type ipsec-l2lASA1(config)# tunnel-group 209.165.201.1 ipsec-attributesASA1(config-tunnel-ipsec)# pre-shared-key cisco123ASA1(config-tunnel-ipsec)# exitASA1(config)# tunnel-group 209.165.202.129 type ipsec-l2lASA1(config)# tunnel-group 209.165.202.129 ipsec-attributesASA1(config-tunnel-ipsec)# pre-shared-key cisco123ASA1(config-tunnel-ipsec)# exit//4、定义IPSec策略ASA1(config)# crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac//5、创建加密映射集ASA1(config)# access-list outside_cryptomap_1 remark To Encrypt Traffic from 192.168.1.0/24 to 10.10.1.0/24ASA1(config)# access-list outside_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0ASA1(config)# access-list outside_cryptomap_2 remark To Ecrypto Traffic from 192.168.1.0/24 to 172.16.1.0/24ASA1(config)# access-list outside_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0ASA1(config)# crypto map outside_map 1 match address outside_cryptomap_1ASA1(config)# crypto map outside_map 1 set transform-set AES-SHAASA1(config)# crypto map outside_map 1 set peer 209.165.201.1ASA1(config)# crypto map outside_map 1 set reverse-route //配置RRI(反向路由注入)ASA1(config)# crypto map outside_map 2 match address outside_cryptomap_2ASA1(config)# crypto map outside_map 2 set transform-set AES-SHAASA1(config)# crypto map outside_map 2 set peer 209.165.202.129ASA1(config)# crypto map outside_map 2 set reverse-route //配置RRI(反向路由注入)ASA1(config)# crypto map outside_map interface outside//6、启用OSPF动态路由并向内网路由器重新发布路由ASA1(config)# router ospf 100ASA1(config-router)# area 0ASA1(config-router)# network 192.168.0.0 255.255.0.0 area 0ASA1(config-router)# redistribute static subnets //将子网静态路由重发布到OSPF网络ASA1(config-router)# exit//7、绕过NAT,为穿越×××隧道的流量建立NAT豁免规则ASA1(config)# access-list inside_nat0_outbound remark To Bypass NAT from 192.168.1.0/24 to 10.10.1.0/24ASA1(config)# access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0ASA1(config)# access-list inside_nat0_outbound remark To Bypass NAT from 192.168.1.0/24 to 172.16.1.0/24ASA1(config)# access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0ASA1(config)# nat (inside) 0 access-list inside_nat0_outboundASA1(config)# wr
ASA2:
ciscoasa>en ciscoasa# conf t//基本配置部分ciscoasa(config)# hostname ASA2ASA2(config)# int e0/0ASA2(config-if)# nameif outsideASA2(config-if)# security-level 0ASA2(config-if)# ip add 209.165.201.1 255.255.255.224ASA2(config-if)# no shutASA2(config-if)# int e0/1ASA2(config-if)# nameif insideASA2(config-if)# security-level 100ASA2(config-if)# ip add 10.10.1.1 255.255.255.0ASA2(config-if)# no shutASA2(config-if)# exitASA2(config)# nat (inside) 1 0 0ASA2(config)# global (outside) 1 interfaceASA2(config)# route outside 0 0 209.165.201.2ASA2(config)# policy-map global_policyASA2(config-pmap)# class inspection_defaultASA2(config-pmap-c)# inspect icmp //默认ASA不监控ICMP流量,在此外加上可以使内网ping通外网ASA2(config-pmap-c)# endASA2# wr//1、启用ISAKMPASA2(config)# crypto isakmp enable outside//2、创建ISAKMP策略ASA2(config)# crypto isakmp policy 1ASA2(config-isakmp-policy)# encryption aes-256ASA2(config-isakmp-policy)# hash shaASA2(config-isakmp-policy)# group 5ASA2(config-isakmp-policy)# lifetime 86400ASA2(config-isakmp-policy)# exit//3、创建隧道组ASA2(config)# tunnel-group 209.165.200.225 type ipsec-l2lASA2(config)# tunnel-group 209.165.200.225 ipsec-attributesASA2(config-tunnel-ipsec)# pre-shared-key cisco123ASA2(config-tunnel-ipsec)# exitASA2(config)# tunnel-group 209.165.202.129 type ipsec-l2lASA2(config)# tunnel-group 209.165.202.129 ipsec-attributesASA2(config-tunnel-ipsec)# pre-shared-key cisco123ASA2(config-tunnel-ipsec)# exit//4、定义IPSec策略ASA2(config)# crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac//5、创建加密映射集ASA2(config)# access-list outside_cryptomap_1 remark To Encrypto Traffic from 10.10.1.0/24 to 192.168.1.0/24ASA2(config)# access-list outside_cryptomap_1 extended permit ip 10.10.1.0 255.255.255.0 192.168.1.0 255.255.255.0ASA2(config)# access-list outside_cryptomap_2 remark To Encrypto Traffic from 10.10.1.0/24 to 172.16.1.0/24ASA2(config)# access-list outside_cryptomap_2 extended permit ip 10.10.1.0 255.255.255.0 172.16.1.0 255.255.255.0ASA2(config)# crypto map outside_map 1 match address outside_cryptomap_1ASA2(config)# crypto map outside_map 1 set transform-set AES-SHAASA2(config)# crypto map outside_map 1 set peer 209.165.200.225ASA2(config)# crypto map outside_map 1 set reverse-routeASA2(config)# crypto map outside_map 2 match address outside_cryptomap_2ASA2(config)# crypto map outside_map 2 set transform-set AES-SHAASA2(config)# crypto map outside_map 2 set peer 209.165.202.129ASA2(config)# crypto map outside_map 2 set reverse-routeASA2(config)# crypto map outside_map interface outside//6、启用OSPF动态路由并向内网路由器重新发布路由ASA2(config)# router ospf 100ASA2(config-router)# network 10.10.1.0 255.255.255.0 area 0ASA2(config-router)# area 0ASA2(config-router)# redistribute static subnets //将子网静态路由重发布到OSPF网络ASA2(config-router)# exit//7、绕过NAT,为穿越×××隧道的流量建立NAT豁免规则ASA2(config)# access-list inside_nat0_outbound remark To Bypass NAT from 10.10.1.0/24 to 192.168.1.0/24ASA2(config)# access-list inside_nat0_outbound extended permit ip 10.10.1.0 255.255.255.0 192.168.1.0 255.255.255.0ASA2(config)# access-list inside_nat0_outbound remark To Bypass NAT from 10.10.1.0/24 to 172.16.1.0/24ASA2(config)# access-list inside_nat0_outbound extended permit ip 10.10.1.0 255.255.255.0 172.16.1.0 255.255.255.0ASA2(config)# nat (inside) 0 access-list inside_nat0_outboundASA2(config)# wr
ASA3:
ciscoasa>en ciscoasa# conf t//基本配置部分ciscoasa(config)# hostname ASA3ASA3(config)# int e0/0ASA3(config-if)# nameif outsideASA3(config-if)# security-level 0ASA3(config-if)# ip add 209.165.202.129 255.255.255.224ASA3(config-if)# no shutASA3(config-if)# int e0/1ASA3(config-if)# nameif insideASA3(config-if)# security-level 100ASA3(config-if)# ip add 172.16.1.1 255.255.255.0ASA3(config-if)# no shutASA3(config-if)# exitASA3(config)# nat (inside) 1 0 0ASA3(config)# global (outside) 1 interfaceASA3(config)# route outside 0 0 209.165.202.130ASA3(config)# policy-map global_policyASA3(config-pmap)# class inspection_defaultASA3(config-pmap-c)# inspect icmp //默认ASA不监控ICMP流量,在此外加上可以使内网ping通外网ASA3(config-pmap-c)# endASA3# config t //IPSec配置脚本:crypto isakmp enable outsidecrypto isakmp policy 1 encryption aes-256 hash sha group 5 authentication pre-share lifetime 86400 exittunnel-group 209.165.200.225 type ipsec-l2ltunnel-group 209.165.200.225 ipsec-attributes pre-shared-key cisco123 exittunnel-group 209.165.201.1 type ipsec-l2ltunnel-group 209.165.201.1 ipsec-attributes pre-shared-key cisco123 exitcrypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmacaccess-list outside_cryptomap_1 remark TO Encrypt Traffic from 172.16.1.0/24 to 192.168.1.0/24access-list outside_cryptomap_1 extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0access-list outside_cryptomap_2 remark To Encrypt Traffic from 172.16.1.0/24 to 10.10.1.0/24access-list outside_cryptomap_2 extended permit ip 172.16.1.0 255.255.255.0 10.10.1.0 255.255.255.0crypto map outside_map 1 match address outside_cryptomap_1crypto map outside_map 1 set transform-set AES-SHAcrypto map outside_map 1 set peer 209.165.200.225crypto map outside_map 1 set reverse-routecrypto map outside_map 2 match address outside_cryptomap_2crypto map outside_map 2 set transform-set AES-SHAcrypto map outside_map 2 set peer 209.165.201.1crypto map outside_map 2 set reverse-routecrypto map outside_map interface outsiderouter ospf 100 area 0 network 172.16.0.0 255.255.0.0 area 0 redistribute static subnets exitaccess-list inside_nat0_outbound remark To Bypass NAT from 172.16.1.0/24 to 192.168.1.0/24access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0access-list inside_nat0_outbound remark To Bypass from 172.16.1.0/24 to 10.10.1.0/24access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 10.10.1.0 255.255.255.0nat (inside) 0 access-list inside_nat0_outboundwr
R1:
conf tint f0/0 ip add 192.168.1.2 255.255.255.0 no shut exitint loopback 0 ip address 192.168.2.1 255.255.255.0 no shutdown exitip route 0.0.0.0 0.0.0.0 192.168.1.1router ospf 100network 192.168.0.0 255.255.0.0 area 0endwr
R2:
conf tint f0/0 ip add 10.10.1.2 255.255.255.0 no shut exitint loopback 0 ip add 10.10.2.1 255.255.255.255 no shut exitrouter ospf 100 network 10.10.0.0 255.255.0.0 area 0 exitip route 0.0.0.0 0.0.0.0 10.10.1.1endwr
R3:
conf tint f0/0 ip add 172.16.1.2 255.255.255.0 no shut exitint loopback 0 ip add 172.16.2.1 255.255.255.255 no shut exitrouter ospf 100 network 172.16.0.0 255.255.0.0 area 0 exitip route 0.0.0.0 0.0.0.0 172.16.1.1endwr
ISP:
conf tint e0/0 ip add 209.165.200.227 255.255.255.224 no shutint e0/1 ip add 209.165.201.2 255.255.255.224 no shutint e0/2 ip add 209.165.202.130 255.255.255.224 no shutint loopback 0 ip address 1.0.0.1 255.255.255.255 no shut exitip http serverline vty 0 4 no login exitenable password ciscoendwr
验证:
提示:
1、反向路由注入(RRI)是一种利用路由协议,将远端网络信息分发到本地网络的技术。通过使用RRI,Cisco ASA可以自动将穿越隧道的远端私有网络以静态路由的方式添加到其路由表中,然后使用OSPF将这些路由宣告给本地私有网络中的邻居。
2、隧道组(Tunnel-group)也称为连接配置文件,它定义了一个站点到站点隧道或远程防问隧道,并用来映射分配给指定IPSec对等体的属性。远程访问连接配置文件用于终结所有类型的远程访问×××隧道,比如IPSec、IPSec上的L2TP和SSL ×××。对于站点到站点IPSec隧道来说,应该使用远端×××设备的IP地址作为隧道组的名称。对于那些IP地址没有被定义为隧道组的IPSec设备来说,若两个设备的预共享密钥相匹配,那么安全设备就会尝试将远端设备映射到称为DefaultL2LGroup的默认站点到站点组中。
3、对于加密/转换变换集(Crypto Transform Sets)定义了用于传输数据包的加密类型和散列算法类型。它提供了数据认证、机密性和完整性的功能。IPsec转换集会在快速模式中进行协商。Cisco ASA只支持以ESP作为封装协议,并不支持AH。
Cisco ASA默认提供了10个加密变换集,也可以直接调用而不自己额外定义,如下图:
加密变换集只本地有效。在变换集中定义了加密(Encryption)算法、散列(Hash)算法及模式(Mode)。其中在加密中Cisco ASA会使用一个专用的硬件加速器来执行IKE请求,使用效强(如AES 256比特)的加密和使用较弱的加密算法(如DES)对于性能的影响几乎相同,所以建议使用效强的加密算法。在散列算法中可以选择SHA-1、MD5和空,建议使用SHA-1,因为它比MD5更加安全。模式是一种封闭模式,可以选择传输模式或隧道模式。传输模式用于加密和认证源于×××对等体的数据包,隧道模式用于加密和认证源于×××设备所连主机的IP数据包。
