
ASA 8.4 VPN Lab Series, Part 1


ASA 8.4 VPN Lab Series, Part 1: IKEv1 L2L
I have been studying CCNP Security Firewall v1.0 recently and have now more or less finished it. Cisco ASA 8.4 has changed a great deal; it really looks more and more like a Check Point firewall. Both the NAT and the recently introduced global access control list are almost identical to what the Check Point firewall does. With Firewall v1.0 done, my next target is VPN v1.0, which mainly covers VPNs on the ASA. VPN on ASA 8.4 and later has also changed a lot, chiefly through the introduction of IKEv2; IOS 15.1T (which does not seem to be downloadable yet) has also started to support IKEv2. IKEv2 is clearly where things are going, so I will be spending quite some time on it. Before looking at the new technology, though, it is worth understanding how a traditional IKEv1 VPN is configured on ASA 8.4. Below I walk through a traditional IKEv1 L2L VPN on ASA 8.4. (Further ASA 8.4 VPN labs will follow.)

Lab topology (the diagram is not reproduced here; the addressing below is taken from the configurations): Outside router (Loopback0 1.1.1.1/32, FastEthernet0 202.100.1.1/24) <-> ASA (Ethernet0/0 "Outside" 202.100.1.10/24, Ethernet0/1 "Inside" 10.1.1.10/24) <-> Inside router (FastEthernet0 10.1.1.1/24, Loopback0 2.2.2.2/32). The IKEv1 L2L tunnel runs between 202.100.1.1 and 202.100.1.10 and protects traffic between 1.1.1.1 and 2.2.2.2.

Outside router configuration:
hostname Outside
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
memory-size iomem 25
ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
! IKEv1 phase-1 policy: only the authentication method is set; encryption,
! hash, DH group and lifetime take the IOS defaults (des / sha / group 1 / 86400)
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 202.100.1.10
!
! phase-2 transform set
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
! crypto map: peer, transform set and interesting traffic
crypto map cisco 10 ipsec-isakmp
 set peer 202.100.1.10
 set transform-set cisco
 match address vpn
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0
 ip address 202.100.1.1 255.255.255.0
 speed auto
 crypto map cisco
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 202.100.1.10
!
no ip http server
no ip http secure-server
!
! interesting traffic (the mirror image of the ASA's access-list vpn)
ip access-list extended vpn
 permit ip host 1.1.1.1 host 2.2.2.2
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
line vty 5 15
 password cisco
 login
!
end

ASA configuration:
hostname ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 202.100.1.10 255.255.255.0
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 10.1.1.10 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
ftp mode passive
object network Inside-Router-Loop0
 subnet 2.2.2.0 255.255.255.0
object network Remote-vpn-address
 subnet 1.1.1.0 255.255.255.0
! interesting traffic
access-list vpn extended permit ip host 2.2.2.2 host 1.1.1.1
pager lines 24
mtu Outside 1500
mtu Inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
! twice (manual) identity NAT that exempts the VPN interesting traffic from
! translation; as section-1 manual NAT it is evaluated before the object NAT below
nat (Inside,Outside) source static Inside-Router-Loop0 Inside-Router-Loop0 destination static Remote-vpn-address Remote-vpn-address
!
! PAT for ordinary Internet access (section-2 object NAT)
object network Inside-Router-Loop0
 nat (Inside,Outside) dynamic interface
! routing: default route to the Outside router, and a static route back to 2.2.2.2
route Outside 0.0.0.0 0.0.0.0 202.100.1.1 1
route Inside 2.2.2.2 255.255.255.255 10.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
! phase-2 transform set
crypto ipsec ikev1 transform-set cisco esp-des esp-md5-hmac
! crypto map: interesting traffic, peer and transform set
crypto map cry-map 10 match address vpn
crypto map cry-map 10 set peer 202.100.1.1
crypto map cry-map 10 set ikev1 transform-set cisco
! apply the crypto map to the Outside interface
crypto map cry-map interface Outside
! enable IKEv1 on the Outside interface
crypto ikev1 enable Outside
! IKEv1 phase-1 policy
crypto ikev1 policy 1
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
! tunnel-group for the L2L peer, holding the pre-shared key
tunnel-group 202.100.1.1 type ipsec-l2l
tunnel-group 202.100.1.1 ipsec-attributes
 ikev1 pre-shared-key cisco
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1b511154bb6ceb038c38677ae2b15c67
: end
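The reason the twice identity NAT rule is needed is the ASA's order of operations: NAT is applied before the crypto map is consulted on egress, and manual (twice) NAT in section 1 is evaluated before the object NAT in section 2. Without the identity rule, a packet from 2.2.2.2 to 1.1.1.1 would be PATed to 202.100.1.10 by the object NAT rule and would then no longer match access-list vpn, so it would leave the Outside interface in the clear. The following is an added example, not code from the original post: a small Python model of that lookup order, built from the objects, NAT rules and crypto ACL in the ASA configuration above. The function names and the Internet destination 198.51.100.7 are the example's own constructions.

```python
"""Added example (not part of the original post): a model of the ASA's NAT
lookup order for the configuration above, used to show why the twice-NAT
identity rule is required for the L2L tunnel.  Objects, NAT rules and the
crypto ACL are constructed from the ASA config on the page; the lookup order
(section-1 manual NAT before section-2 object NAT, first match wins, crypto
map checked against the post-NAT packet on egress) is ASA behaviour."""
import ipaddress

# Constructed from the "object network" definitions on the page.
OBJECTS = {
    "Inside-Router-Loop0": ipaddress.ip_network("2.2.2.0/24"),
    "Remote-vpn-address": ipaddress.ip_network("1.1.1.0/24"),
}
OUTSIDE_IF_IP = ipaddress.ip_address("202.100.1.10")  # "dynamic interface" PATs to this

# Section 1: manual (twice) NAT, checked first, in configuration order.
# nat (Inside,Outside) source static X X destination static Y Y -> identity
MANUAL_NAT = [("Inside-Router-Loop0", "Remote-vpn-address")]
# Section 2: object NAT, checked only when no section-1 rule matched.
# object network Inside-Router-Loop0 / nat (Inside,Outside) dynamic interface
OBJECT_PAT = ["Inside-Router-Loop0"]

# access-list vpn extended permit ip host 2.2.2.2 host 1.1.1.1
CRYPTO_ACL = [(ipaddress.ip_network("2.2.2.2/32"), ipaddress.ip_network("1.1.1.1/32"))]


def translate_source(src, dst, manual_nat=MANUAL_NAT, object_pat=OBJECT_PAT):
    """Return (translated source, name of the NAT section that matched) for an
    Inside -> Outside flow, following the ASA's section-1-then-section-2 order."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_obj, dst_obj in manual_nat:
        if src in OBJECTS[src_obj] and dst in OBJECTS[dst_obj]:
            return src, "section 1 twice NAT (identity, no translation)"
    for obj in object_pat:
        if src in OBJECTS[obj]:
            return OUTSIDE_IF_IP, "section 2 object NAT (PAT to Outside interface)"
    return src, "no NAT rule matched"


def leaves_encrypted(src, dst, manual_nat=MANUAL_NAT):
    """Is a packet src -> dst entering on Inside matched by the crypto ACL on
    egress?  The crypto map sees the packet after NAT, so a PATed source can
    never match the host entry in access-list vpn."""
    xsrc, section = translate_source(src, dst, manual_nat)
    dst = ipaddress.ip_address(dst)
    encrypted = any(xsrc in s and dst in d for s, d in CRYPTO_ACL)
    return encrypted, str(xsrc), section


if __name__ == "__main__":
    cases = (
        ("2.2.2.2", "1.1.1.1", MANUAL_NAT),        # VPN traffic, exemption in place
        ("2.2.2.2", "1.1.1.1", []),                # VPN traffic, exemption missing
        ("2.2.2.2", "198.51.100.7", MANUAL_NAT),   # ordinary Internet traffic (constructed)
    )
    for src, dst, nat in cases:
        print(f"{src} -> {dst}: {leaves_encrypted(src, dst, nat)}")
```

Passing an empty list as manual_nat reproduces the classic symptom of a missing NAT exemption: phase 1 and phase 2 may even come up, but traffic from 2.2.2.2 is PATed and never enters the tunnel.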

Inside router configuration:
hostname Inside
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip cef
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0
 ip address 10.1.1.1 255.255.255.0
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.1.1.10
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
end
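Three things have to agree on the two peers for this tunnel to come up: the IKEv1 phase-1 policy, the phase-2 transform set, and the crypto ACLs, which must be mirror images of each other (proxy identities). Note that the Outside router's isakmp policy only sets the authentication method and relies on the IOS defaults (DES, SHA-1, DH group 1, 86400 s), which is exactly what the ASA's policy 1 spells out; change either side without the other and phase 1 fails. DES, MD5 and DH group 1 work for this lab but are weak and should not be deployed in production. The following is an added example, not code from the original post: a Python checker that parses constructed copies of the VPN-relevant lines of both configurations, applies the IOS defaults, and reports mismatches and weak algorithms. Function names and the finding strings are the example's own.

```python
"""Added example (not code from the original post): a consistency check of the
two IKEv1 peers shown above.  The phase-1 IKE policy, the phase-2 transform
set and the crypto ACL (proxy identities) are parsed from constructed copies of
the page's configurations; IOS defaults are filled in for isakmp policy
attributes the router omits before the two sides are compared."""
import re

# Constructed from the Outside router config on the page (VPN-relevant lines only).
IOS_CFG = """\
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 202.100.1.10
crypto ipsec transform-set cisco esp-des esp-md5-hmac
crypto map cisco 10 ipsec-isakmp
 set peer 202.100.1.10
 set transform-set cisco
 match address vpn
ip access-list extended vpn
 permit ip host 1.1.1.1 host 2.2.2.2
"""

# Constructed from the ASA config on the page (VPN-relevant lines only).
ASA_CFG = """\
access-list vpn extended permit ip host 2.2.2.2 host 1.1.1.1
crypto ipsec ikev1 transform-set cisco esp-des esp-md5-hmac
crypto map cry-map 10 match address vpn
crypto map cry-map 10 set peer 202.100.1.1
crypto map cry-map 10 set ikev1 transform-set cisco
crypto ikev1 policy 1
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
"""

# IOS defaults applied to "crypto isakmp policy" attributes that are not set.
IOS_ISAKMP_DEFAULTS = {"authentication": "rsa-sig", "encryption": "des",
                       "hash": "sha", "group": "1", "lifetime": "86400"}
# Algorithms that interoperate in this lab but should not be used in production.
WEAK_PHASE1 = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac"}
PHASE1_ATTR = r"\s+(authentication|encryption|hash|group|lifetime)\s+(\S+)"


def parse_phase1(cfg, header, defaults):
    """Return {policy number: {attribute: value}} for every IKE policy block."""
    policies, cur = {}, None
    for line in cfg.splitlines():
        m = re.match(header, line)
        if m:
            cur = policies.setdefault(m.group(1), dict(defaults))
            continue
        m = re.match(PHASE1_ATTR, line)
        if m and cur is not None:
            cur[m.group(1)] = m.group(2)
        elif not line.startswith(" "):  # a new top-level command ends the block
            cur = None
    return policies


def parse_transform_sets(cfg):
    """Return {name: frozenset of transforms}; the regex fits IOS and ASA syntax."""
    return {m.group(1): frozenset(m.group(2).split())
            for m in re.finditer(r"transform-set (\S+) (esp\S+(?: \S+)*)", cfg)}


def parse_crypto_acl(cfg):
    """Return the set of (src host, dst host) pairs the crypto ACL permits."""
    return {(m.group(1), m.group(2))
            for m in re.finditer(r"permit ip host (\S+) host (\S+)", cfg)}


def check_peers(ios_cfg=IOS_CFG, asa_cfg=ASA_CFG):
    """Compare both sides; return (matching phase-1 policy pairs, list of findings)."""
    findings = []
    ios_p1 = parse_phase1(ios_cfg, r"crypto isakmp policy (\d+)", IOS_ISAKMP_DEFAULTS)
    asa_p1 = parse_phase1(asa_cfg, r"crypto ikev1 policy (\d+)", {})
    matched = [(i, a) for i, pi in ios_p1.items() for a, pa in asa_p1.items() if pi == pa]
    if not matched:
        findings.append("phase 1: no IKE policy agrees on all five attributes")
    common = set(parse_transform_sets(ios_cfg).values()) & set(parse_transform_sets(asa_cfg).values())
    if not common:
        findings.append("phase 2: no common transform set")
    ios_acl, asa_acl = parse_crypto_acl(ios_cfg), parse_crypto_acl(asa_cfg)
    if {(d, s) for s, d in ios_acl} != asa_acl:
        findings.append("phase 2: crypto ACLs are not mirror images (proxy-ID mismatch)")
    for side, pols in (("IOS", ios_p1), ("ASA", asa_p1)):
        for num, p in pols.items():
            for attr, bad in WEAK_PHASE1.items():
                if p.get(attr) in bad:
                    findings.append(f"{side} policy {num}: weak {attr} {p[attr]}")
    for ts in common:
        for t in sorted(ts & WEAK_TRANSFORMS):
            findings.append(f"transform set in use: weak transform {t}")
    return matched, findings


if __name__ == "__main__":
    matched, findings = check_peers()
    print("matching phase-1 policies (IOS, ASA):", matched)
    print("\n".join(findings))
```

For the lab configuration the checker reports one matching policy pair and only weak-algorithm findings; editing either side (for example switching the ASA to AES while the router keeps its DES default, or changing one host in either crypto ACL) produces a phase-1 or proxy-ID mismatch finding instead.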

