
××× Configuration Example 07: Site-to-Site IPsec ××× with NAT-T


1. ***_Site1 ASA firewall configuration:
***site1# show run
: Saved
:
ASA Version 8.0(2)
!
hostname ***site1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif Inside
 security-level 100
 ip address 1.1.1.10 255.255.255.0
!
interface Ethernet0/1
 nameif Outside
 security-level 0
 ip address 200.200.200.10 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot config disk0:/.private/startup-config

ftp mode passive
access-list *** extended permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
pager lines 24
mtu Inside 1500
mtu Outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route Outside 0.0.0.0 0.0.0.0 200.200.200.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set trans esp-des esp-md5-hmac
crypto map To_site2 10 match address ***
crypto map To_site2 10 set peer 200.200.200.1
crypto map To_site2 10 set transform-set trans
crypto map To_site2 interface Outside   ## applied to the interface
crypto isakmp enable Outside

crypto isakmp policy 10   ## phase 1 policy
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
tunnel-group 200.200.200.1 type ipsec-l2l
tunnel-group 200.200.200.1 ipsec-attributes
 pre-shared-key *

prompt hostname context
Cryptochecksum:8c0bea924e29019fe86a165e36681f9e
: end
***site1#

2. NAT ASA firewall configuration:


NAT(config)# show run
: Saved
:
ASA Version 8.0(2)
!
hostname NAT
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 nameif Outside
 security-level 0
 ip address 200.200.200.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot config disk0:/.private/startup-config
ftp mode passive
access-list permitipany extended permit ip any any
pager lines 24
mtu Outside 1500
mtu Inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (Outside) 1 interface   ## NAT (PAT) for the LAN behind the device
nat (Inside) 1 192.168.100.0 255.255.255.0


access-group permitipany in interface Outside   # this line can be removed
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
prompt hostname context
Cryptochecksum:366b276abed33dbaa0556052715f1d8b
: end
NAT(config)#

3. ***_Site2 router configuration:


***site2# show run
Building configuration...

Current configuration : 1488 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ***site2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
ip domain name lab.local
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
crypto isakmp policy 10   # phase 1 negotiation policy
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 200.200.200.10

!
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
!
crypto map To_site1 10 ipsec-isakmp
 set peer 200.200.200.10
 set transform-set trans
 match address ***
!

interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet2/0
 ip address 192.168.100.1 255.255.255.0
 duplex auto
 speed auto
 crypto map To_site1
!
no ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.100.10
!
!
!
ip access-list extended ***
 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
!

***site2#

4. Link test:


***site2# ping 1.1.1.1 so 2.2.2.2   ## Site2 must initiate the connection first.

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/30/56 ms
***site2#

5. Configuration and status views:

1. ***_site1:

***site1# show crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 200.200.200.1
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
***site1# show crypto ipsec sa
interface: Outside
    Crypto map tag: To_site2, seq num: 10, local addr: 200.200.200.10

      access-list *** permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
      current_peer: 200.200.200.1

      #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 9, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 200.200.200.10/4500, remote crypto endpt.: 200.200.200.1/1028
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: A2F8B2E5

    inbound esp sas:
      spi: 0xF173ACD3 (4050889939)
         transform: esp-des esp-md5-hmac none
         in use settings ={L2L, Tunnel, NAT-T-Encaps, }   # tunnel mode, NAT-T encapsulation
         slot: 0, conn_id: 16384, crypto-map: To_site2
         sa timing: remaining key lifetime (kB/sec): (4274999/3509)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xA2F8B2E5 (2734207717)
         transform: esp-des esp-md5-hmac none
         in use settings ={L2L, Tunnel, NAT-T-Encaps, }
         slot: 0, conn_id: 16384, crypto-map: To_site2
         sa timing: remaining key lifetime (kB/sec): (4274999/3505)
         IV size: 8 bytes
         replay detection support: Y

***site1#

2. ***_site2:


***site2# show crypto isakmp sa
dst             src             state          conn-id slot status
200.200.200.10  192.168.100.1   QM_IDLE              1    0 ACTIVE


***site2# show crypto engine connections ac

  ID Interface        IP-Address      State  Algorithm           Encrypt  Decrypt
   1 FastEthernet2/0  192.168.100.1   set    HMAC_MD5+3DES_56_C        0        0
2001 FastEthernet2/0  192.168.100.1   set    DES+MD5                   9        0
2002 FastEthernet2/0  192.168.100.1   set    DES+MD5                   0        9

***site2# show crypto ipsec sa

interface: FastEthernet2/0
    Crypto map tag: To_site1, local addr 192.168.100.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
   current_peer 200.200.200.10 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 69, #pkts encrypt: 69, #pkts digest: 69
    #pkts decaps: 38, #pkts decrypt: 38, #pkts verify: 38
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 3, #recv errors 0

     local crypto endpt.: 192.168.100.1, remote crypto endpt.: 200.200.200.10
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet2/0
     current outbound spi: 0xF173ACD3(4050889939)

     inbound esp sas:
      spi: 0xA2F8B2E5(2734207717)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }   # the router reports tunnel mode with UDP encapsulation
        conn id: 2002, flow_id: SW:2, crypto map: To_site1
        sa timing: remaining key lifetime (k/sec): (4553817/3251)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xF173ACD3(4050889939)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2001, flow_id: SW:1, crypto map: To_site1
        sa timing: remaining key lifetime (k/sec): (4553817/3250)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
***site2#

3. NAT:

NAT# show x   # display the NAT translation table
1 in use, 2 most used
PAT Global 200.200.200.1(1028) Local 192.168.100.1(4500)

NAT# show nat

NAT policies on Interface Inside:
  match ip Inside 192.168.100.0 255.255.255.0 Outside any
    dynamic translation to pool 1 (200.200.200.1 [Interface PAT])
    translate_hits = 7, untranslate_hits = 0
  match ip Inside 192.168.100.0 255.255.255.0 Inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
NAT#
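As an added verification step (example code written for this page, not part of the original post or any Cisco tool), the following Python parses trimmed samples of the two `show crypto ipsec sa` outputs above (constructed inline from the ASA and IOS formats shown) and confirms what the status views are meant to prove: both ends report NAT-T/UDP encapsulation on UDP 4500, and the proxy identities of the two crypto ACLs are exact mirror images.

```python
import ipaddress
import re

# Constructed sample lines, modelled on the "show crypto ipsec sa" output on this
# page: the ASA at site1 sees the peer through the NAT device (PAT port 1028).
SITE1_SA = """\
local ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
local crypto endpt.: 200.200.200.10/4500, remote crypto endpt.: 200.200.200.1/1028
in use settings ={L2L, Tunnel, NAT-T-Encaps, }
"""
# The IOS router at site2 prints "UDP-Encaps" and the peer port on separate lines.
SITE2_SA = """\
local  ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
current_peer 200.200.200.10 port 4500
in use settings ={Tunnel UDP-Encaps, }
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/\d+/\d+\)")
ENDPT_RE = re.compile(r"(local|remote) crypto endpt\.: (\S+?)/(\d+)")
PEER_PORT_RE = re.compile(r"current_peer (\S+) port (\d+)")
SETTINGS_RE = re.compile(r"in use settings =\{([^}]*)\}")


def parse_ipsec_sa(text):
    """Extract proxy identities, crypto endpoint UDP ports and the NAT-T flag."""
    sa = {"ports": {}, "nat_t": False}
    for side, addr, mask in IDENT_RE.findall(text):
        sa[side] = ipaddress.ip_network(f"{addr}/{mask}")
    for side, _addr, port in ENDPT_RE.findall(text):
        sa["ports"][side] = int(port)
    peer = PEER_PORT_RE.search(text)
    if peer:
        sa["ports"]["remote"] = int(peer.group(2))
    settings = SETTINGS_RE.search(text)
    # ASA reports "NAT-T-Encaps", IOS reports "UDP-Encaps"; both mean ESP-in-UDP.
    if settings and re.search(r"NAT-T-Encaps|UDP-Encaps", settings.group(1)):
        sa["nat_t"] = True
    return sa


def nat_t_active(sa):
    """True only if the SA is flagged for NAT-T and some endpoint uses UDP/4500."""
    return sa["nat_t"] and 4500 in sa["ports"].values()


def proxy_ids_mirror(sa_a, sa_b):
    """The crypto ACLs of both sites must be exact mirror images of each other."""
    return sa_a["local"] == sa_b["remote"] and sa_a["remote"] == sa_b["local"]
```

Run it against real output by pasting the full `show crypto ipsec sa` text of each device in place of the samples; an SA without the encapsulation flag, or with endpoints still on UDP/500, is reported as NAT-T not active.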

Reposted from: https://blog.51cto.com/ccie18405/1216746