IPSec L2L ××× 之 Router-to-ASA

Router-to-ASA LAN-to-LAN ×××

1.拓扑

2.步骤

1.基本连通性配置：

R5(config)#int f0/0

R5(config-if)#ip add 15.15.15.5 255.255.255.0

R5(config-if)#no sh

R5(config-if)#ex

R5(config)#ip route 0.0.0.0 0.0.0.0 15.15.15.1

R5(config)#int lo0

R5(config-if)#ip add 5.5.5.5 255.255.255.255

R5(config-if)#

R1(config)#int f0/0

R1(config-if)#ip add 15.15.15.1 255.255.255.0

R1(config-if)#no sh

R1(config-if)#int f1/0

R1(config-if)#ip add 16.16.16.1 255.255.255.0

R1(config-if)#no sh

R1(config-if)#ex

R1(config)#ip route 0.0.0.0 0.0.0.0 16.16.16.6

R1(config)#ip route 5.5.5.5 255.255.255.255 15.15.15.5

R6(config)#int f1/0

R6(config-if)#ip add 16.16.16.6 255.255.255.0

R6(config-if)#no sh

R6(config-if)#int f0/0

R6(config-if)#ip add 26.26.26.6 255.255.255.0

R6(config-if)#no sh

ciscoasa# conf t

ciscoasa(config)# int e0/0

ciscoasa(config-if)# ip add 26.26.26.2 255.255.255.0

ciscoasa(config-if)# no sh

ciscoasa(config-if)# nameif outside

INFO: Security level for "outside" set to 0 by default.

ciscoasa(config-if)# int e0/1

ciscoasa(config-if)# ip add 23.23.23.2 255.255.255.0

ciscoasa(config-if)# no sh

ciscoasa(config-if)# nameif inside

INFO: Security level for "inside" set to 100 by default.

ciscoasa(config-if)# ex

ciscoasa(config)# route outside 0 0 26.26.26.6

ciscoasa(config)# route inside 3.3.3.3 255.255.255.255 23.23.23.3

R3(config)#int f1/0

R3(config-if)#ip add 23.23.23.3 255.255.255.0

R3(config-if)#no sh

R3(config-if)#ex

R3(config)#ip route 0.0.0.0 0.0.0.0 23.23.23.2

R3(config-if)#ex

R3(config)#int lo0

R3(config-if)#ip add 3.3.3.3 255.255.255.255

R3(config-if)#ex

2.配置LAN-to-LAN ×××

1在ASA上配置IKE策略：

ciscoasa(config)# crypto isakmp policy 1

ciscoasa(config-isakmp-policy)# encryption 3des

ciscoasa(config-isakmp-policy)# authentication pre-share

ciscoasa(config-isakmp-policy)# group 2

ciscoasa(config-isakmp-policy)# hash sha

ciscoasa(config-isakmp-policy)# ex

2.2在ASA上定义认证标识：

ciscoasa(config)# tunnel-group 16.16.16.1 type ipsec-l2l

ciscoasa(config)# tunnel-group 16.16.16.1 ipsec-attributes

ciscoasa(config-tunnel-ipsec)# pre-shared-key cisco123

ciscoasa(config-tunnel-ipsec)# ex

ciscoasa(config)#

2.3在ASA上配置IPSec transform：

ciscoasa(config)# crypto ipsec transform-set myset esp-3des esp-sha-hmac

ciscoasa(config)#

2.4在ASA上定义感兴趣流量：

ciscoasa(config)# access-list *** permit ip 23.23.23.0 255.255.255.0 15.15.15.0 255.255.255.0

ciscoasa(config)# access-list *** permit ip 3.3.3.3 255.255.255.255 15.15.15.0 255.255.255.0

ciscoasa(config)#

2.5在ASA上创建crypto map：

ciscoasa(config)# crypto map l2l 1 match address ***

ciscoasa(config)# crypto map l2l 1 set peer 16.16.16.1

ciscoasa(config)# crypto map l2l 1 set transform-set myset

ciscoasa(config)#

2.6在ASA上将crypto map和IKE策略应用于outside接口：

ciscoasa(config)# crypto map l2l interface outside

ciscoasa(config)# crypto isakmp enable outside

ciscoasa(config)#

3.配置R1的LAN-to-LAN ×××：

R1(config)#crypto isakmp policy 1

R1(config-isakmp)#en 3

R1(config-isakmp)#au p

R1(config-isakmp)#ha s

R1(config-isakmp)#gr 2

R1(config-isakmp)#ex

R1(config)#cry is key 0 cisco123 add 26.26.26.2

R1(config)#cry ipsec transform-set myset esp-3des esp-sha-hmac

R1(cfg-crypto-trans)#ex

R1(config)#access-list 100 permit ip 15.15.15.0 0.0.0.255 23.23.23.0 0.0.0.255

R1(config)#access-list 100 permit ip 15.15.15.0 0.0.0.255 3.3.3.3 0.0.0.0

R1(config)#crypto map l2l 1 ipsec-isakmp

% NOTE: This new crypto map will remain disabled until a peer

and a valid access list have been configured.

R1(config-crypto-map)#set peer 26.26.26.2

R1(config-crypto-map)#set transform-set myset

R1(config-crypto-map)#match address 100

R1(config-crypto-map)#ex

R1(config)#

R1(config)#int f1/0

R1(config-if)#crypto map l2l

R1(config-if)#

*Mar 1 00:39:21.987: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

R1(config-if)#

3.验证

R5 ping R3：

R5#ping 23.23.23.3

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 23.23.23.3, timeout is 2 seconds:

..!!!

Success rate is 60 percent (3/5), round-trip min/avg/max = 52/72/108 ms

R5#ping 3.3.3.3

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 40/59/80 ms

R5#

R3 ping R5：

R3#ping 15.15.15.5

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 15.15.15.5, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/57/104 ms

R3#

1.查看R1上的IKE SA的peer：

R1#show crypto isakmp peers

Peer: 26.26.26.2 Port: 500 Local: 16.16.16.1

Phase1 id: 26.26.26.2

R1#

查看R1上的IKE SA：

R1#show crypto isakmp sa

dst src state conn-id slot status

26.26.26.2 16.16.16.1 QM_IDLE 1 0 ACTIVE

R1#

2.查看R1上的IPSec SA：

R1#show crypto ipsec sa

interface: FastEthernet1/0

Crypto map tag: l2l, local addr 16.16.16.1

protected vrf: (none)

local ident (addr/mask/prot/port): (15.15.15.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/0/0)

current_peer 26.26.26.2 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4

#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 1, #recv errors 0

local crypto endpt.: 16.16.16.1, remote crypto endpt.: 26.26.26.2

path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0

current outbound spi: 0xEDC66567(3989202279)

inbound esp sas:

spi: 0xF74ECA08(4149135880)

transform: esp-3des esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 2003, flow_id: SW:3, crypto map: l2l

sa timing: remaining key lifetime (k/sec): (4558704/3324)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0xEDC66567(3989202279)

transform: esp-3des esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 2004, flow_id: SW:4, crypto map: l2l

sa timing: remaining key lifetime (k/sec): (4558704/3322)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE

outbound ah sas:

outbound pcp sas:

protected vrf: (none)

local ident (addr/mask/prot/port): (15.15.15.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (23.23.23.0/255.255.255.0/0/0)

current_peer 26.26.26.2 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8

#pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 1, #recv errors 0

local crypto endpt.: 16.16.16.1, remote crypto endpt.: 26.26.26.2

path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0

current outbound spi: 0x86B6E2B8(2260132536)

inbound esp sas:

spi: 0xD2E1737B(3537990523)

transform: esp-3des esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 2001, flow_id: SW:1, crypto map: l2l

sa timing: remaining key lifetime (k/sec): (4461373/3309)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x86B6E2B8(2260132536)

transform: esp-3des esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 2002, flow_id: SW:2, crypto map: l2l

sa timing: remaining key lifetime (k/sec): (4461373/3307)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE

outbound ah sas:

outbound pcp sas:

R1#

3.查看R5到R3的数据报路径走向：

R5#traceroute 3.3.3.3

Type escape sequence to abort.

Tracing the route to 3.3.3.3

1 15.15.15.1 24 msec 40 msec 8 msec

2 23.23.23.3 56 msec * 48 msec

R5#

说明了数据报经过隧道传输

4.查看ASA上的IKE SA 的peer：

ciscoasa(config)# show crypto isakmp sa

Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1 IKE Peer: 16.16.16.1

Type : L2L Role : responder

Rekey : no State : MM_ACTIVE

ciscoasa(config)#

5.查看ASA上激活的隧道状态：

ciscoasa(config)# show crypto isakmp stats

Global IKE Statistics

Active Tunnels: 1

Previous Tunnels: 1

In Octets: 6624

In Packets: 68

In Drop Packets: 0

In Notifys: 61

In P2 Exchanges: 2

In P2 Exchange Invalids: 0

In P2 Exchange Rejects: 0

In P2 Sa Delete Requests: 0

Out Octets: 5992

Out Packets: 66

Out Drop Packets: 0

Out Notifys: 122

Out P2 Exchanges: 0

Out P2 Exchange Invalids: 0

Out P2 Exchange Rejects: 0

Out P2 Sa Delete Requests: 0

Initiator Tunnels: 0

Initiator Fails: 0

Responder Fails: 0

System Capacity Fails: 0

Auth Fails: 0

Decrypt Fails: 0

Hash Valid Fails: 0

No Sa Fails: 0

ciscoasa(config)#

6.查看ASA上的IPSec SA：

ciscoasa(config)# show crypto ipsec sa

interface: outside

Crypto map tag: l2l, seq num: 1, local addr: 26.26.26.2

access-list *** permit ip host 3.3.3.3 15.15.15.0 255.255.255.0

local ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (15.15.15.0/255.255.255.0/0/0)

current_peer: 16.16.16.1

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4

#pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 26.26.26.2, remote crypto endpt.: 16.16.16.1

path mtu 1500, ipsec overhead 58, media mtu 1500

current outbound spi: F74ECA08

inbound esp sas:

spi: 0xEDC66567 (3989202279)

transform: esp-3des esp-sha-hmac none

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 4096, crypto-map: l2l

sa timing: remaining key lifetime (kB/sec): (4274999/2863)

IV size: 8 bytes

replay detection support: Y

outbound esp sas:

spi: 0xF74ECA08 (4149135880)

transform: esp-3des esp-sha-hmac none

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 4096, crypto-map: l2l

sa timing: remaining key lifetime (kB/sec): (4274999/2863)

IV size: 8 bytes

replay detection support: Y

Crypto map tag: l2l, seq num: 1, local addr: 26.26.26.2

access-list *** permit ip 23.23.23.0 255.255.255.0 15.15.15.0 255.255.255.0

local ident (addr/mask/prot/port): (23.23.23.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (15.15.15.0/255.255.255.0/0/0)

current_peer: 16.16.16.1

#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10

#pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 10, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 26.26.26.2, remote crypto endpt.: 16.16.16.1

path mtu 1500, ipsec overhead 58, media mtu 1500

current outbound spi: D2E1737B

inbound esp sas:

spi: 0x86B6E2B8 (2260132536)

transform: esp-3des esp-sha-hmac none

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 4096, crypto-map: l2l

sa timing: remaining key lifetime (kB/sec): (4274999/2851)

IV size: 8 bytes

replay detection support: Y

outbound esp sas:

spi: 0xD2E1737B (3537990523)

transform: esp-3des esp-sha-hmac none

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 4096, crypto-map: l2l

sa timing: remaining key lifetime (kB/sec): (4274999/2851)

IV size: 8 bytes

replay detection support: Y

ciscoasa(config)#

4.测试NAT对×××的影响：

1.在ASA上配置NAT：

ciscoasa(config)# nat (inside) 1 0 0

ciscoasa(config)# global (outside) 1 interface

INFO: outside interface address added to PAT pool

ciscoasa(config)#

2.从R5 ping R3肯定不通啦：

R5#ping 3.3.3.3

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

R5#

3.R3 ping R5也不通：

R3#ping 15.15.15.5

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 15.15.15.5, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

R3#

4.在ASA上配置ACL使感兴趣的流量绕过NAT：

ciscoasa(config)# access-list nonat extended permit ip 23.23.23.0 255.255.255.0 15.15.15.0 255.255.255.0

ciscoasa(config)# access-list nonat extended permit ip 3.3.3.3 255.255.255.255 15.15.15.0 255.255.255.0

ciscoasa(config)# nat (inside) 0 access-list nonat

ciscoasa(config)#

5.再次从R3 ping R5，通了：

R3#ping 15.15.15.5

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 15.15.15.5, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/53/112 ms

R3#

6.R5 ping R3：

R5#ping 3.3.3.3

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/46/76 ms

R5#

说明：由于配置了R3到R5的流量在ASA上不被转换，所以R5和R3之间的通信流量能够用过IPSec ×××穿越Internet。

注意：加密点，通信点，ACL流量过滤是三个关键点。

转载于:https://blog.51cto.com/henuxzy/1029640

IPSec L2L ××× 之 Router-to-ASA相关推荐

华为USG Firewall Ipsec L2L
*需要解决的问题 1.Untrust local inbound /esp ike (做策略放行IKE/ESP流量) policy interzone local untrust inbound po ...
如何在ASA防火墙上实现ipsec ***
博主QQ:819594300 博客地址:http://zpf666.blog.51cto.com/ 有什么疑问的朋友可以联系博主,博主会帮你们解答,谢谢支持! 本文章介绍三个部分内容: ①ipsec ...
Cisco ASA防火墙实现IPSec 虚拟专用网，可跟做！！！
通过博文CIsco路由器实现IPSec 虚拟专用网原理及配置详解已经初步了解IPSec 虚拟专用网的原理以及如何在Cisco的路由器上实现IPSec 虚拟专用网技术.千万不要以为在CIsco路由器可以 ...
IPsec ***基础：认识IPsec ***
1.IPSEC 提供了下列服务: 数据的机密性----------这是通过加密来防止数据遭受窃听***. 数据的完整性和验证--------通过HMAC功能来验证数据包没有被损坏,并通过一个有效地对等 ...
学习笔记——IPSec
目录一.整个IPsec工作过程二.IKE阶段1 三.IKE阶段2 四.IPsec协议五.华为设备配置命令 (一)安全提议 xxx proposal (二)IKE对等体 ike peer (三 ...
网络协议 — IPSec 安全隧道协议族
目录文章目录目录 IPSec 安全隧道协议族封装协议 Authentication Header 协议 Encapsulating Security Payload 协议封装模式 Transp ...
Cisco配置IPsec与NAT问题
实验拓扑实验要求 1.实现pc4能够通过R3和R1建立的IPsec通道与1.0网段通信,但pc4不能与公网(R2)通信 2.实现pc3能够与公网(R2)进行通信,但不能通过R3与R1建立的IPsec ...
××× 笔记（持续更新中。。）
加密历史以前:安全的算法现代:安全的密钥解密:最好的方法从密钥管理和密钥分发中寻找机会, 而不是从算法本身入手因此,一个密码系统的成功与否的关键是密钥的生成,分发,管理加密安全不存在绝对的 ...
CCIE Security证
前言:CCIE Security在网络安全领域,可以简单理解为硬件层面的安全防护,以防御为核心,组建网络安全的基石. 文章目录一.知识 1.1. 防火墙 1.1.1. 定义分类概念命令 VPN ...

IPSec L2L ××× 之 Router-to-ASA

IPSec L2L ××× 之 Router-to-ASA相关推荐

最新文章

热门文章