Site To Site (ASA - Router)

Site-to-site (ASA-Router)
Lab objective: build an IPsec site-to-site VPN using a pre-shared key between an ASA (or PIX) and a router.
Compare the similarities and differences between configuring the VPN on an ASA and on a router.
Lab topology

PIX (or ASA)
Code:
PIX# sh run
: Saved
:
PIX Version 8.0(3)
!
hostname PIX
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 101.0.0.2 255.0.0.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.10 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list mangbaove extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 101.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap 10 match address mangbaove
crypto map mymap 10 set peer 102.0.0.2
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
tunnel-group 102.0.0.2 type ipsec-l2l
tunnel-group 102.0.0.2 ipsec-attributes
pre-shared-key * (key = 123)
!
!
prompt hostname context
Cryptochecksum:d242d7a4aeb945878985b984c431bf62
: end
PIX#
PIX(config)# tunnel-group 102.0.0.2 type ?
configure mode commands/options:
  ipsec-l2l      IPSec Site to Site group
  ipsec-ra       IPSec Remote Access group (DEPRECATED)
  remote-access  Remote access (IPSec) group
PIX(config)# tunnel-group 102.0.0.2 type ipsec-l2l
PIX# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is 101.0.0.1 to network 0.0.0.0

C    101.0.0.0 255.0.0.0 is directly connected, outside
C    192.168.1.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 101.0.0.1, outside

Have the client generate the initial traffic (the interesting traffic that brings the tunnel up).

Router R2
Code:
R2#sh run
Building configuration...
Current configuration : 1156 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!

!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key 123 address 101.0.0.2
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 101.0.0.2
set transform-set myset
match address 101
reverse-route
!
!
!
!
interface Loopback1
ip address 2.2.2.2 255.0.0.0
!
interface Loopback2
ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 102.0.0.2 255.0.0.0
duplex auto
speed auto
crypto map mymap
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 102.0.0.1
!
!


ip http server
no ip http secure-server
!
access-list 101 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
!
!
!
!
!

!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
!
!
end
R2#sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is 102.0.0.1 to network 0.0.0.0
C    102.0.0.0/8 is directly connected, FastEthernet0/0
C    2.0.0.0/8 is directly connected, Loopback1
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, Loopback2
S    192.168.1.0/24 [1/0] via 101.0.0.2
S*   0.0.0.0/0 [1/0] via 102.0.0.1
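As an added example that is not part of the original lab, the Python script below compares the crypto configuration of the PIX and R2 shown above: it normalises the ASA's subnet-mask ACL and the IOS wildcard-mask ACL to one form and checks that the two crypto ACLs mirror each other, that the transform sets agree, and that each "set peer" points at the other end's outside address. The PIX and R2 dictionaries are constructed from the configs on this page; the "outside" key (each device's own WAN address) is an assumption added for the check.

```python
import ipaddress
import re

# Constructed from the PIX and R2 running configs shown above: the crypto ACL,
# the transform set, the configured peer and the device's own outside address.
PIX = {
    "acl": "access-list mangbaove extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0",
    "ts": "crypto ipsec transform-set myset esp-3des esp-sha-hmac",
    "peer": "102.0.0.2", "outside": "101.0.0.2",
}
R2 = {
    "acl": "access-list 101 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "ts": "crypto ipsec transform-set myset esp-3des esp-sha-hmac",
    "peer": "101.0.0.2", "outside": "102.0.0.2",
}

def acl_networks(line, wildcard):
    """Return (src, dst) networks from a 'permit ip A MASK B MASK' entry.
    IOS numbered ACLs use wildcard (inverted) masks, ASA ACLs use subnet masks."""
    m = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)", line)
    if not m:
        raise ValueError("not a two-subnet permit ip entry: " + line)
    nets = []
    for addr, mask in ((m.group(1), m.group(2)), (m.group(3), m.group(4))):
        if wildcard:  # 0.0.0.255 -> 255.255.255.0
            mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
        nets.append(ipaddress.IPv4Network((addr, mask)))
    return tuple(nets)

def transform_algos(line):
    """Algorithms named in a transform-set line, order-independent."""
    return set(line.split()[4:])

def check_tunnel(a, a_wildcard, b, b_wildcard):
    """List the mismatches between two tunnel ends; an empty list means the
    crypto ACLs mirror each other and peers and transform sets agree."""
    problems = []
    a_src, a_dst = acl_networks(a["acl"], a_wildcard)
    b_src, b_dst = acl_networks(b["acl"], b_wildcard)
    if (a_src, a_dst) != (b_dst, b_src):
        problems.append("crypto ACLs are not mirror images")
    if transform_algos(a["ts"]) != transform_algos(b["ts"]):
        problems.append("transform sets differ")
    if a["peer"] != b["outside"] or b["peer"] != a["outside"]:
        problems.append("set peer does not point at the other end")
    return problems

if __name__ == "__main__":
    print(check_tunnel(PIX, False, R2, True) or "both ends are consistent")
```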


ISP
Code:
ISP#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C    102.0.0.0/8 is directly connected, FastEthernet0/1
C    101.0.0.0/8 is directly connected, FastEthernet0/0

ISP#sh run
Building configuration...
Current configuration : 637 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ISP
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
!
!
!
!
!
!
!
!
!
!
!
!

!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 101.0.0.1 255.0.0.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 102.0.0.1 255.0.0.0
duplex auto
speed auto
!
!
!
ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!
end

Site-to-site VPN (Router-Router)
Topology



R3#ping 192.168.1.10 source 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/69/136 ms
R3#sh cry
R3#sh crypto isa
R3#sh crypto isakmp sa
dst src state conn-id slot status
101.0.0.2 102.0.0.2 QM_IDLE 1 0 ACTIVE
R3#sh ip ro
R3#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 102.0.0.1 to network 0.0.0.0
C 102.0.0.0/8 is directly connected, FastEthernet0/0
C 2.0.0.0/8 is directly connected, Loopback1
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.1.0 is directly connected, Loopback2
S* 0.0.0.0/0 [1/0] via 102.0.0.1


Configuration

R1
Code:
R1#sh run
Building configuration...
Current configuration : 1087 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
!
!
!
!
!

!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key 123 address 102.0.0.2
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 102.0.0.2
set transform-set myset
match address 101
reverse-route
!
!
!
!
interface FastEthernet0/0
ip address 101.0.0.2 255.0.0.0
duplex auto
speed auto
crypto map mymap
!
interface FastEthernet0/1
ip address 192.168.1.10 255.255.255.0
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 101.0.0.1
!
!
ip http server
no ip http secure-server
!
ip access-list extended protected
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
!

!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!
end
R1#sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is 101.0.0.1 to network 0.0.0.0
C    101.0.0.0/8 is directly connected, FastEthernet0/0
C    192.168.1.0/24 is directly connected, FastEthernet0/1
S*   0.0.0.0/0 [1/0] via 101.0.0.1

R3
Code:
R3#sh run
Building configuration...
Current configuration : 1149 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key 123 address 101.0.0.2
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 101.0.0.2
set transform-set myset
match address 101
reverse-route
!
!
!
!
interface Loopback1
ip address 2.2.2.2 255.0.0.0
!
interface Loopback2
ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 102.0.0.2 255.0.0.0
duplex auto
speed auto
crypto map mymap
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 102.0.0.1
!
!
ip http server
no ip http secure-server
!
access-list 101 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!
end
R3#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is 102.0.0.1 to network 0.0.0.0
C    102.0.0.0/8 is directly connected, FastEthernet0/0
C    2.0.0.0/8 is directly connected, Loopback1
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, Loopback2
S*   0.0.0.0/0 [1/0] via 102.0.0.1

ISP
Code:
ISP#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C    102.0.0.0/8 is directly connected, FastEthernet0/1
C    101.0.0.0/8 is directly connected, FastEthernet0/0
ISP#sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            101.0.0.1       YES manual up                    up
FastEthernet0/1            102.0.0.1       YES manual up                    up