1. Objective: the branch office can reach the headquarters private network across the Internet securely and flexibly by means of EZVPN.
2. Configuration steps: 1) Preparation (see topology)
2) Implement the EZVPN server 3) Implement the EZVPN client settings (software and router)
4) Test and observe the result
3. Configuration 1) Preparation
R1 simulates a device on the headquarters internal network
R1(config-if)#ip add 10.1.1.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.254
R2 simulates the Internet
R2(config)#int f0/0
R2(config-if)#ip add 12.12.12.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#exit
R2(config)#int f0/1
R2(config-if)#ip add 23.23.23.2 255.255.255.0
R2(config-if)#no sh
R3 simulates the branch device; loopback 0 simulates an internal PC
R3(config)#int f0/1
R3(config-if)#ip add 23.23.23.3 255.255.255.0
R3(config-if)#no sh
R3(config)#interface loopback 0
R3(config-if)#ip add 10.2.2.2 255.255.255.0
R3(config-if)#no sh
R3(config)#ip route 0.0.0.0 0.0.0.0 23.23.23.2
The ASA simulates the headquarters gateway
ciscoasa(config)# int e0/0
ciscoasa(config-if)# ip add 10.1.1.254 255.255.255.0
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# no sh
ciscoasa(config-if)# int e0/1
ciscoasa(config-if)# ip add 12.12.12.1 255.255.255.0
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# no sh
ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 12.12.12.2
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect icmp
Permit inside-to-outside ICMP traffic
2. Implement the EZVPN server
Account used for Xauth authentication
ciscoasa(config)# username xiaohua password xiaohua
Configure the ISAKMP policy
ciscoasa(config)# crypto isakmp enable outside
ciscoasa(config)# crypto isakmp policy 1
ciscoasa(config-isakmp-policy)# encryption 3des
ciscoasa(config-isakmp-policy)# group 2
ciscoasa(config-isakmp-policy)# hash md5
ciscoasa(config-isakmp-policy)# authentication pre-share
Create the IP address pool used to assign addresses to clients in client mode
ciscoasa(config)# ip local pool POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
Define the group policy pushed to the client
ciscoasa(config)# tunnel-group EZVPN type ipsec-ra
ciscoasa(config)# tunnel-group EZVPN ipsec-attributes
ciscoasa(config-tunnel-ipsec)# pre-shared-key www.netconfed.com
ciscoasa(config)# tunnel-group EZVPN general-attributes
ciscoasa(config-tunnel-general)# address-pool POOL
ciscoasa(config)# sh run all group-policy
group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
You can see that a default group policy named DfltGrpPolicy already exists, so the default group-policy name is used to define the pushed policy.
ciscoasa(config)# group-policy DfltGrpPolicy attributes
ciscoasa(config-group-policy)# dns value 11.11.11.11
ciscoasa(config-group-policy)# wins-server value 22.22.22.22
Create the IPsec transform set
ciscoasa(config)# crypto ipsec transform-set VPN_SET esp-3des esp-md5-hmac
Create the dynamic crypto map
ciscoasa(config)# crypto dynamic-map DYN 1 set transform-set VPN_SET
ciscoasa(config)# crypto dynamic-map DYN 1 set reverse-route
Associate the dynamic crypto map with the static crypto map
ciscoasa(config)# crypto map VPN_MAP 1 ipsec-isakmp dynamic DYN
Apply the static crypto map to the interface
ciscoasa(config)# crypto map VPN_MAP interface outside
3. Client configuration (router)
This is the same as the IOS router EZVPN client configuration covered earlier, so I won't belabor it here.
R3(config)#crypto ipsec client ezvpn EZVPN
R3(config-crypto-ezvpn)#group EZVPN key www.netconfed.com
R3(config-crypto-ezvpn)#mode client
R3(config-crypto-ezvpn)#peer 12.12.12.1
R3(config-crypto-ezvpn)#int f0/1
R3(config-if)#crypto ipsec client ezvpn EZVPN outside
R3(config-if)#int loopback 0
R3(config-if)#crypto ipsec client ezvpn EZVPN inside
The router prompts you to enter crypto ipsec client ezvpn xauth
*Mar 2 20:54:39.419: EZVPN(EZVPN): Pending XAuth Request, Please enter the following command:
*Mar 2 20:54:39.419: EZVPN: crypto ipsec client ezvpn xauth
R3#
*Mar 2 20:54:48.558: %SYS-5-CONFIG_I: Configured from console by console
R3#crypto ipsec client ezvpn xauth
*Mar 2 20:54:49.419: EZVPN(EZVPN): Pending XAuth Request, Please enter the following command:
*Mar 2 20:54:49.419: EZVPN: crypto ipsec client ezvpn xauth
R3#crypto ipsec client ezvpn xauth
Username: xiaohua
Password:
R3#
*Mar 2 20:54:58.422: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User= Group=EZVPN Client_public_addr=23.23.23.3 Server_public_addr=12.12.12.1 Assigned_client_addr=10.10.10.1
R3#
*Mar 2 20:54:58.943: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback10000, changed state to up
*Mar 2 20:54:59.263: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
You can see the EZVPN UP message; the assigned IP is 10.10.10.1.
R3#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 6
Tunnel name : EZVPN
Inside interface list: Loopback0
Outside interface: FastEthernet0/1
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Address: 10.10.10.1 (applied on Loopback10000)
Mask: 255.255.255.255
DNS Primary: 11.11.11.11
NBMS/WINS Primary: 22.22.22.22
Save Password: Disallowed
Current EzVPN Peer: 12.12.12.1
show crypto ipsec client ezvpn shows that the EZVPN IPsec state is ACTIVE,
along with the assigned IP and the DNS and WINS addresses.
4. Test and observe the result. Check the IKE phase 1 SA
R3#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
12.12.12.1 23.23.23.3 QM_IDLE 1001 0 ACTIVE
IPv6 Crypto ISAKMP SA
Check the IPsec SA
R3#show crypto ipsec sa
interface: FastEthernet0/1
Crypto map tag: FastEthernet0/1-head-0, local addr 23.23.23.3
protected vrf: (none)
local ident(addr/mask/prot/port): (10.10.10.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 12.12.12.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 23.23.23.3, remote crypto endpt.: 12.12.12.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0x1D9D3AF7(496843511)
inbound esp sas:
spi: 0x682C3D33(1747729715)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, crypto map: FastEthernet0/1-head-0
sa timing: remaining key lifetime (k/sec): (4494145/28381)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x1D9D3AF7(496843511)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, crypto map: FastEthernet0/1-head-0
sa timing: remaining key lifetime (k/sec): (4494145/28381)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R3#
Test whether the headquarters private network 10.1.1.0/24 is reachable
R3#ping 10.1.1.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/10/20 ms
R3#sh crypto ipsec sa
interface: FastEthernet0/1
Crypto map tag: FastEthernet0/1-head-0, local addr 23.23.23.3
protected vrf: (none)
local ident(addr/mask/prot/port): (10.10.10.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 12.12.12.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
OK, 10.2.2.2 can reach 10.1.1.1 securely: there is encrypted and decrypted traffic!
Test whether the Internet can be reached through NAT
R3#ping 23.23.23.2 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.2, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.2
.....
Success rate is 0 percent (0/5)
R3#show crypto ipsec sa
interface: FastEthernet0/1
    Crypto map tag: FastEthernet0/1-head-0, local addr 23.23.23.3
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.10.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 12.12.12.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
R3#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 10.10.10.1:2      10.2.2.2:2         23.23.23.2:2       23.23.23.2:2
You can see that 23.23.23.2 cannot be reached: the source IP was translated to 10.10.10.1 and the traffic went into the VPN tunnel encrypted (encaps went from 5 to 10), but no return traffic comes back (decaps stayed at 5). This is the same effect as on the IOS router earlier!
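To make the counter comparison above mechanical, here is an added Python example (not part of the original post) that parses the relevant lines of an IOS show crypto ipsec sa block and flags the encaps/decaps imbalance; the sample text is constructed from the R3 output shown above.

```python
import re

# Constructed sample, modelled on the R3 output above after the failed
# ping to 23.23.23.2: 10 packets entered the tunnel, only 5 came back.
SAMPLE_SA = """\
interface: FastEthernet0/1
    Crypto map tag: FastEthernet0/1-head-0, local addr 23.23.23.3
   local  ident (addr/mask/prot/port): (10.10.10.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 12.12.12.1 port 500
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): "
                      r"\(([\d.]+)/([\d.]+)/")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt|verify|digest): (\d+)")
PEER_RE = re.compile(r"current_peer ([\d.]+)")


def parse_sa(text):
    """Pull proxy identities, peer and packet counters out of one SA block."""
    sa = {"counters": {}}
    for side, addr, mask in IDENT_RE.findall(text):
        sa[side] = f"{addr}/{mask}"
    m = PEER_RE.search(text)
    sa["peer"] = m.group(1) if m else None
    for name, value in COUNTER_RE.findall(text):
        sa["counters"][name] = int(value)
    return sa


def diagnose(sa):
    """Judge the tunnel from its counters, the way the post does by hand.

    idle:       nothing has used the tunnel yet
    healthy:    every encapsulated packet got an answer back
    asymmetric: packets leave encrypted but replies never return (the
                symptom seen when Internet traffic is forced into the tunnel)
    """
    enc = sa["counters"].get("encaps", 0)
    dec = sa["counters"].get("decaps", 0)
    if enc == 0 and dec == 0:
        status = "idle"
    elif dec < enc:
        status = "asymmetric"
    else:
        status = "healthy"
    return {"status": status, "sent": enc, "returned": dec, "missing": enc - dec}
```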
How to solve this?
Similar to the IOS router approach: use split tunneling!
Define the split-tunnel ACL pushed to the client; note that the destination network is the assigned-address range
ciscoasa(config)# access-list VPN extended permit ip 10.1.1.0 255.255.255.0 10.10.10.0 255.255.255.0
In the group policy, change the split-tunnel policy so that it matches the specified ACL
ciscoasa(config)# group-policy DfltGrpPolicy attributes
ciscoasa(config-group-policy)# split-tunnel-policy tunnelspecified
ciscoasa(config-group-policy)# split-tunnel-network-list value VPN
Disconnect the client's EZVPN session and reconnect
R3#clear crypto ipsec client ezvpn
R3#crypto ipsec client ezvpn xauth
R3#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 6
Tunnel name : EZVPN
Inside interface list: Loopback0
Outside interface: FastEthernet0/1
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Address: 10.10.10.1 (applied on Loopback10000)
Mask: 255.255.255.255
DNS Primary: 11.11.11.11
NBMS/WINS Primary: 22.22.22.22
Save Password: Allowed
Split Tunnel List: 1
       Address    : 10.1.1.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer: 12.12.12.1
OK, the split-tunnel policy was received successfully!
Test and observe the result!
Test traffic toward the Internet
R3#ping 23.23.23.2 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.2, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R3#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 23.23.23.3:3      10.2.2.2:3         23.23.23.2:3       23.23.23.2:3
R3#show crypto ipsec sa
interface: FastEthernet0/1
    Crypto map tag: FastEthernet0/1-head-0, local addr 23.23.23.3
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.10.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 12.12.12.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
OK! The Internet address 23.23.23.2 is reachable, with a NAT translation to the outside interface address and no encryption. Success!
Now test the VPN traffic!
R3#ping 10.1.1.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms
R3#show crypto ipsec sa
interface: FastEthernet0/1
    Crypto map tag: FastEthernet0/1-head-0, local addr 23.23.23.3
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.10.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 12.12.12.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 23.23.23.3, remote crypto endpt.: 12.12.12.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0x51B99F3D(1371119421)
inbound esp sas:
spi: 0x39EA4D51(971656529)
transform: esp-3des esp-md5-hmac ,
R3#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 10.10.10.1:4      10.2.2.2:4         10.1.1.1:4         10.1.1.1:4
OK! The VPN traffic is encrypted and decrypted, and the NAT translation uses the assigned IP 10.10.10.1. Success!
Now let's look at RRI on the EZVPN server side
ciscoasa# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is not set
S    23.23.23.0 255.255.255.0 [1/0] via 12.12.12.2, outside
C    127.0.0.0 255.255.0.0 is directly connected, cplane
C    10.1.1.0 255.255.255.0 is directly connected, inside
S    10.10.10.1 255.255.255.255 [1/0] via 12.12.12.2, outside
C    12.12.12.0 255.255.255.0 is directly connected, outside
You can see that a static route to 10.10.10.1/32 has been inserted dynamically (reverse route injection).
Finally, separate the VPN traffic from the NAT traffic at headquarters!
First configure PAT
ciscoasa(config)# nat (inside) 1 0.0.0.0 0.0.0.0
ciscoasa(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool
Then use NAT 0 to separate the PAT traffic from the VPN traffic!
ciscoasa(config)# access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.10.10.0 255.255.255.0
ciscoasa(config)# nat (inside) 0 access-list NONAT
Test!
R1#ping 23.23.23.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ciscoasa# sh xlate
1 in use, 1 most used
PAT Global 12.12.12.1(1) Local 10.1.1.1 ICMP id 0
OK! R1 can reach the Internet
R1#ping 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms
ciscoasa# sh crypto ipsec sa
interface: outside
    Crypto map tag: DYN, seq num: 1, local addr: 12.12.12.1
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.10.1/255.255.255.255/0/0)
      current_peer: 23.23.23.3, username: xiaohua
      dynamic allocated peer ip: 10.10.10.1
      #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
      #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
OK! Headquarters can reach the branch private network 10.10.10.1, with encrypted and decrypted traffic!
Success!
The Cisco VPN Client software and network-extension mode are implemented the same way as in the earlier IOS EZVPN lab, so they are omitted here. That concludes the ASA firewall EZVPN lab!
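As an added example (not from the original post), the following Python models the two decisions this lab tunes: the split-tunnel choice on the R3 client and the NAT 0 exemption on the ASA, using the addresses and the two identically shaped ACLs shown above.

```python
import ipaddress as ipa

# Lab addresses taken from the post
ASSIGNED_IP = "10.10.10.1"    # address pushed from POOL to the R3 client
R3_OUTSIDE = "23.23.23.3"     # R3 f0/1, used for PAT toward the Internet
ASA_OUTSIDE = "12.12.12.1"    # ASA outside interface, used for its PAT
# Both ACLs in the post have this shape: permit ip 10.1.1.0/24 10.10.10.0/24
# (split-tunnel list VPN pushed to the client, and NONAT exemption on the ASA)
HQ_TO_POOL = [("10.1.1.0/24", "10.10.10.0/24")]


def acl_permits(acl, src, dst):
    """True if an extended 'permit ip A B' entry matches the (src, dst) pair."""
    s, d = ipa.ip_address(src), ipa.ip_address(dst)
    return any(s in ipa.ip_network(a) and d in ipa.ip_network(b) for a, b in acl)


def client_path(dst, split_list=None):
    """R3 in EZVPN client mode: where a packet from loopback 0 goes and which
    source address it is translated to.  split_list=None models the default
    tunnel-all behaviour that broke Internet access in the post."""
    # The list is written from the HQ side (src=HQ net, dst=pool), so the
    # client evaluates it with the packet's destination as the ACL source.
    if split_list is None or acl_permits(split_list, dst, ASSIGNED_IP):
        return ("tunnel", ASSIGNED_IP)      # NAT to assigned IP, then IPsec
    return ("internet", R3_OUTSIDE)         # ordinary PAT to the outside IP


def asa_path(src, dst, nonat):
    """ASA at HQ: the NAT 0 exemption keeps VPN-bound traffic out of PAT."""
    if acl_permits(nonat, src, dst):
        return ("tunnel", src)              # untranslated, enters the IPsec SA
    return ("internet", ASA_OUTSIDE)        # PAT: nat (inside) 1 / global interface
```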