ASA site-to-site IPsec VPN lab under GNS3
阿新 • Published: 2019-02-01
1. Basic configuration
PC1 configuration
Router>en
Router#conf t
Router(config)#hostname pc1 《== the hosts are simulated with routers
pc1(config)#interface e0/0
pc1(config-if)#ip address 192.168.100.100 255.255.255.0
pc1(config-if)#no shutdown
pc1(config-if)#ex
pc1(config)#ip route 0.0.0.0 0.0.0.0 192.168.100.1
pc1(config)#end
pc1#
PC2 configuration
Router>en
Router#conf t
Router(config)#hostname PC2
PC2(config)#interface e0/0
PC2(config-if)#ip address 172.16.100.100 255.255.255.0
PC2(config-if)#no shutdown
PC2(config-if)#exit
PC2(config)#ip route 0.0.0.0 0.0.0.0 172.16.100.1
PC2(config)#end
PC2#
internet router configuration
Router>en
Router#conf t
Router(config)#hostname internet
internet(config)#interface e0/0
internet(config-if)#ip address 211.1.1.2 255.255.255.0
internet(config-if)#no shutdown
internet(config-if)#exit
internet(config)#interface e0/1
internet(config-if)#ip address 222.1.1.2 255.255.255.0
internet(config-if)#no shutdown
internet(config-if)#exit
internet(config)#interface loopback 0
internet(config-if)#ip address 100.100.100.100 255.255.255.0
internet(config-if)#exit
internet(config)#interface loopback 1
internet(config-if)#ip address 200.200.200.200 255.255.255.0
internet(config-if)#exit
internet(config)#line vty 0 4 《== open telnet with no authentication so reachability can be tested; lab only, never on a real device
internet(config-line)#privilege level 15
internet(config-line)#no login
ASA1 configuration
ciscoasa> en
Password:
ciscoasa# conf t
ciscoasa(config)# hostname ASA1
ASA1(config)# interface e0/0 《== configure the outside interface
ASA1(config-if)# nameif outside
ASA1(config-if)# ip address 211.1.1.1 255.255.255.0
ASA1(config-if)# no shutdown
ASA1(config-if)# exit
ASA1(config)# interface e0/1 《== configure the inside interface
ASA1(config-if)# nameif inside
ASA1(config-if)# ip address 192.168.100.1 255.255.255.0
ASA1(config-if)# no shutdown
ASA1(config-if)# end
ASA2 configuration
ciscoasa> en
Password:
ciscoasa# conf t
ciscoasa(config)# hostname ASA2
ASA2(config)# interface e0/0
ASA2(config-if)# nameif outside
ASA2(config-if)# ip address 222.1.1.1 255.255.255.0
ASA2(config-if)# no shutdown
ASA2(config-if)# exit
ASA2(config)# interface e0/1
ASA2(config-if)# nameif inside
ASA2(config-if)# ip address 172.16.100.1 255.255.255.0
ASA2(config-if)# no shutdown
ASA2(config-if)# exit
ASA2(config)#
2. Routing, ACL and NAT configuration
ASA1 configuration
ASA1(config)# route outside 0 0 211.1.1.2 《== default route toward the ISP
ASA1(config)# global (outside) 1 interface 《== NAT for inside-to-Internet traffic (this line and the next; pre-8.3 NAT syntax)
ASA1(config)# nat (inside) 1 0 0
ASA1(config)# access-list out2in permit icmp any any 《== inbound ACL on outside: permit ICMP (any/any is for lab testing only) and the protocols the VPN uses (ESP, AH, ISAKMP)
ASA1(config)# access-list out2in permit esp host 222.1.1.1 host 211.1.1.1
ASA1(config)# access-list out2in permit ah host 222.1.1.1 host 211.1.1.1
ASA1(config)# access-list out2in permit udp host 222.1.1.1 host 211.1.1.1 eq isakmp
ASA1(config)# access-group out2in in interface outside 《== apply the ACL inbound on the outside interface
ASA2 configuration
ASA2(config)# route outside 0 0 222.1.1.2
ASA2(config)# global (outside) 1 interface
ASA2(config)# nat (inside) 1 0 0
ASA2(config)# access-list out2in permit icmp any any
ASA2(config)# access-list out2in permit esp host 211.1.1.1 host 222.1.1.1
ASA2(config)# access-list out2in permit ah host 211.1.1.1 host 222.1.1.1
ASA2(config)# access-list out2in permit udp host 211.1.1.1 host 222.1.1.1 eq isakmp
ASA2(config)# access-group out2in in interface outside
pc1#ping 100.100.100.100 《== PC1 can now ping and telnet to 100.100.100.100 on the internet router
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.100.100.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/21/56 ms
pc1#100.100.100.100 《== typing a bare IP address at the IOS exec prompt opens a telnet session to it
Trying 100.100.100.100 ... Open
internet#exit
[Connection to 100.100.100.100 closed by foreign host]
PC2#ping 100.100.100.100 《== PC2 can also ping and telnet to 100.100.100.100 on the internet router
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.100.100.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/24/44 ms
PC2#100.100.100.100
Trying 100.100.100.100 ... Open
internet#exit
[Connection to 100.100.100.100 closed by foreign host]
3. VPN configuration
ASA1 configuration
ASA1(config)# access-list vpn permit ip 192.168.100.0 255.255.255.0 172.16.100.0 255.255.255.0 《== define the interesting traffic (what gets encrypted)
ASA1(config)# nat (inside) 0 access-list vpn 《== NAT exemption: the interesting traffic must not be translated (pre-8.3 syntax)
ASA1(config)# crypto isakmp policy 10 《== IKE phase 1 (ISAKMP) policy
ASA1(config-isakmp-policy)# authentication pre-share
ASA1(config-isakmp-policy)# encryption des 《== DES is obsolete; kept here only because the lab uses it. Use aes-256 on anything real
ASA1(config-isakmp-policy)# hash md5 《== MD5 is broken; use sha
ASA1(config-isakmp-policy)# lifetime 86400
ASA1(config-isakmp-policy)# group 2 《== 1024-bit DH is too weak today; use group 14 or higher where the software supports it
ASA1(config)# crypto isakmp key 12345678 address 222.1.1.1 《== pre-shared key is 12345678; the PSK is the only thing authenticating the peer, so outside the lab use a long random secret
ASA1(config)# crypto isakmp enable outside
ASA1(config)# crypto ipsec transform-set mytrans esp-des esp-md5-hmac 《== phase 2 IPsec transform set (same caveat: prefer esp-aes-256 esp-sha-hmac)
ASA1(config)# crypto map vpn 10 ipsec-isakmp 《== crypto map
ASA1(config)# crypto map vpn 10 match address vpn
ASA1(config)# crypto map vpn 10 set peer 222.1.1.1
ASA1(config)# crypto map vpn 10 set transform-set mytrans
ASA1(config)# crypto map vpn interface outside 《== apply the crypto map to the outside interface
ASA2 configuration 《== mirrors ASA1; the parameters must match on both sides
ASA2(config)# access-list vpn permit ip 172.16.100.0 255.255.255.0 192.168.100.0 255.255.255.0
ASA2(config)# nat (inside) 0 access-list vpn
ASA2(config)#
ASA2(config)# crypto isakmp policy 10
ASA2(config-isakmp-policy)# authentication pre-share
ASA2(config-isakmp-policy)# encryption des
ASA2(config-isakmp-policy)# hash md5
ASA2(config-isakmp-policy)# lifetime 86400
ASA2(config-isakmp-policy)# group 2
ASA2(config-isakmp-policy)#
ASA2(config-isakmp-policy)# crypto isakmp key 12345678 address 211.1.1.1
ASA2(config)# crypto isakmp enable outside
ASA2(config)# crypto ipsec transform-set mytrans esp-des esp-md5-hmac
ASA2(config)#
ASA2(config)# crypto map vpn 10 ipsec-isakmp
ASA2(config)# crypto map vpn 10 match address vpn
ASA2(config)# crypto map vpn 10 set peer 211.1.1.1
ASA2(config)# crypto map vpn 10 set transform-set mytrans
ASA2(config)# crypto map vpn interface outside
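The lab uses DES, MD5, DH group 2 and an eight-digit pre-shared key. That matched textbook ASA examples of its time, but every one of those choices fails a current review. As an added example (not part of the original post), here is a small Python audit that reads the crypto lines from an ASA transcript or running-config and flags each weak setting. The hardened configuration it accepts is an assumed replacement (aes-256, sha, group 14, a 24-character key), not a configuration from the page; group 14 for IKEv1 assumes an ASA release that offers it.

```python
"""Audit ASA IKEv1/IPsec settings for weak algorithms and keys.

Added example, not part of the original lab. CLI prompts and the 《==
comments used in the transcript are stripped before parsing, so the same
function works on a pasted session or on `show running-config` output.
"""
import re

# Lab configuration copied from the ASA1 transcript above (weak by design:
# DES, MD5, DH group 2, 8-digit PSK).
LAB_CONFIG = """
ASA1(config)# crypto isakmp policy 10
ASA1(config-isakmp-policy)# authentication pre-share
ASA1(config-isakmp-policy)# encryption des
ASA1(config-isakmp-policy)# hash md5
ASA1(config-isakmp-policy)# lifetime 86400
ASA1(config-isakmp-policy)# group 2
ASA1(config)# crypto isakmp key 12345678 address 222.1.1.1
ASA1(config)# crypto ipsec transform-set mytrans esp-des esp-md5-hmac
"""

# Assumed hardened counterpart (illustrative; not taken from the page).
# `group 14` presumes an ASA release that supports it for IKEv1.
HARDENED_CONFIG = """
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 lifetime 86400
 group 14
crypto isakmp key Vq7mR2pL9xtB4zN8wQ1eHs3k address 222.1.1.1
crypto ipsec transform-set mytrans esp-aes-256 esp-sha-hmac
"""

WEAK_IKE_ENCRYPTION = {"des", "3des"}
WEAK_IKE_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
MIN_PSK_LEN = 20

# Matches "ASA1(config)# " and "ASA1(config-isakmp-policy)# " prefixes.
PROMPT_RE = re.compile(r"^\S+\(config[^)]*\)#\s*")


def normalise(config: str) -> list[str]:
    """Strip CLI prompts and 《== comments; drop blank lines."""
    lines = []
    for raw in config.splitlines():
        line = PROMPT_RE.sub("", raw).split("《==")[0].strip()
        if line:
            lines.append(line)
    return lines


def audit(config: str) -> list[str]:
    """Return one finding per weak setting; an empty list means nothing weak found."""
    findings = []
    for line in normalise(config):
        parts = line.split()
        if parts[0] == "encryption" and parts[1] in WEAK_IKE_ENCRYPTION:
            findings.append(f"IKE encryption {parts[1]} is obsolete; use aes-256")
        elif parts[0] == "hash" and parts[1] in WEAK_IKE_HASH:
            findings.append("IKE hash md5 is broken; use sha")
        elif parts[0] == "group" and parts[1] in WEAK_DH_GROUPS:
            findings.append(f"DH group {parts[1]} is too small; use group 14 or higher")
        elif parts[:3] == ["crypto", "isakmp", "key"]:
            psk = parts[3]
            if len(psk) < MIN_PSK_LEN or psk.isdigit():
                findings.append(f"pre-shared key {psk!r} is short or low-entropy")
        elif parts[:3] == ["crypto", "ipsec", "transform-set"]:
            for alg in parts[4:]:
                if alg in WEAK_ESP:
                    findings.append(f"transform-set {parts[3]} uses weak {alg}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("lab", LAB_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["no weak settings"])
```

Run against the lab transcript it reports six findings (encryption, hash, group, key, and both halves of the transform set); against the hardened text it reports none. Both peers must be changed together, since IKE only completes when the policies and transform sets match.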
4. Verification
pc1#ping 172.16.100.100 《== PC1 can ping PC2 on the branch's inside network
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.100.100, timeout is 2 seconds:
.!!!! 《== the first packet is lost: it triggers the IKE negotiation that brings the tunnel up
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/34/48 ms
pc1#
ASA1# show crypto isakmp sa 《== the output below shows the ISAKMP (phase 1) security association is established
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 222.1.1.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
ASA1# show crypto ipsec sa 《== the phase 2 IPsec security associations are also up, and 4 packets have been encrypted and decrypted
interface: outside
Crypto map tag: vpn, seq num: 10, local addr: 211.1.1.1
access-list vpn permit ip 192.168.100.0 255.255.255.0 172.16.100.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.100.0/255.255.255.0/0/0)
current_peer: 222.1.1.1
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4 《== 5 pings sent, 4 encrypted/decrypted: the first ping only triggered the tunnel and was dropped
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 211.1.1.1, remote crypto endpt.: 222.1.1.1
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 18D04FD9
inbound esp sas:
spi: 0xA8F42FA1 (2834575265)
transform: esp-des esp-md5-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4096, crypto-map: vpn
sa timing: remaining key lifetime (kB/sec): (3824999/28782)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x18D04FD9 (416305113)
transform: esp-des esp-md5-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4096, crypto-map: vpn
sa timing: remaining key lifetime (kB/sec): (3824999/28782)
IV size: 8 bytes
replay detection support: Y
ASA1#
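Reading the two show commands by eye is fine for one lab tunnel; for monitoring several, the same checks belong in code. As an added example that is not part of the original post, the Python below parses `show crypto isakmp sa` and `show crypto ipsec sa` text (the samples are constructed from the transcript above), confirms the IKE state is MM_ACTIVE, checks that the encaps and decaps counters agree and that there are no send or receive errors, collects the inbound and outbound SPIs, and flags weak transforms in use.

```python
"""Check an ASA site-to-site tunnel from its show output.

Added example, not part of the original lab. Sample outputs are
constructed from the transcript above (whitespace is illustrative).
"""
import re

ISAKMP_SA = """\
Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 222.1.1.1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""

IPSEC_SA = """\
interface: outside
    Crypto map tag: vpn, seq num: 10, local addr: 211.1.1.1
      access-list vpn permit ip 192.168.100.0 255.255.255.0 172.16.100.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.100.0/255.255.255.0/0/0)
      current_peer: 222.1.1.1
      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 211.1.1.1, remote crypto endpt.: 222.1.1.1
      current outbound spi: 18D04FD9
    inbound esp sas:
      spi: 0xA8F42FA1 (2834575265)
         transform: esp-des esp-md5-hmac none
         replay detection support: Y
    outbound esp sas:
      spi: 0x18D04FD9 (416305113)
         transform: esp-des esp-md5-hmac none
         replay detection support: Y
"""

WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def _int_after(label: str, text: str) -> int:
    """Integer that follows 'label:' in the show output."""
    m = re.search(rf"{re.escape(label)}:\s*(\d+)", text)
    if m is None:
        raise ValueError(f"{label} not found in output")
    return int(m.group(1))


def isakmp_state(output: str) -> dict:
    """Peer and IKE state from `show crypto isakmp sa`."""
    peer = re.search(r"IKE Peer:\s*(\S+)", output)
    state = re.search(r"State\s*:\s*(\S+)", output)
    if peer is None or state is None:
        raise ValueError("no IKE SA in output")
    return {"peer": peer.group(1), "state": state.group(1),
            "phase1_up": state.group(1) == "MM_ACTIVE"}


def ipsec_health(output: str) -> dict:
    """Counters, SPIs and transforms from `show crypto ipsec sa`."""
    peer = re.search(r"current_peer:\s*(\S+)", output)
    if peer is None:
        raise ValueError("no IPsec SA in output")
    encaps = _int_after("#pkts encaps", output)
    decaps = _int_after("#pkts decaps", output)
    errors = _int_after("#send errors", output) + _int_after("#recv errors", output)
    # Only the per-SA "spi: 0x..." lines; the summary "current outbound spi" has no 0x.
    spis = re.findall(r"spi:\s*(0x[0-9A-Fa-f]+)", output)
    transforms = set()
    for line in re.findall(r"transform:\s*(.+)", output):
        transforms.update(t for t in line.split() if t != "none")
    return {
        "peer": peer.group(1),
        "encaps": encaps,
        "decaps": decaps,
        "symmetric": encaps == decaps,  # one-way traffic shows up as a mismatch
        "errors": errors,
        "spis": spis,
        "transforms": sorted(transforms),
        "weak_transforms": sorted(transforms & WEAK_TRANSFORMS),
        "replay_protection": "replay detection support: Y" in output,
    }


def tunnel_report(isakmp: str, ipsec: str) -> dict:
    """Combine both phases into one pass/fail plus the details behind it."""
    p1 = isakmp_state(isakmp)
    p2 = ipsec_health(ipsec)
    ok = (p1["phase1_up"] and p2["symmetric"] and p2["errors"] == 0
          and len(p2["spis"]) == 2)
    return {"ok": ok, "phase1": p1, "phase2": p2}


if __name__ == "__main__":
    print(tunnel_report(ISAKMP_SA, IPSEC_SA))
```

On the transcript above the report is `ok`, with 4 packets each way and the two ESP SPIs present, but `weak_transforms` lists esp-des and esp-md5-hmac, which is the finding a reviewer would raise about this tunnel even though it is functionally up.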