Cisco PIX 8.0 L2L VPN with overlapping addresses: test (2)

1. Overview

When a PIX, or an ASA earlier than 8.3, builds an L2L VPN with a router, the preferred way to resolve overlapping addresses is to do the translation on the router. In practice, however, both ends may be PIX or pre-8.3 ASA firewalls. Is there a way to resolve the address overlap without breaking Internet access? Testing shows that there is.

2. Basic approach:

A. To resolve the address overlap, each side must see the other side's addresses as belonging to a different subnet.

B. On the PIX, static NAT takes precedence over every other form of NAT, so regular static NAT must be avoided.

C. Policy static NAT has a higher priority than policy PAT.

D. Headquarters is configured with PAT and NAT 0 (NAT exemption); the NAT 0 ACL exempts traffic to the branch's post-mapping network addresses.

---- This ensures that resolving the address overlap for HQ hosts does not affect their Internet access.

E. The branch is configured with policy PAT and policy static NAT. The policy static NAT ACL lists only the traffic from branch hosts to the mapped addresses of the HQ hosts; because policy static NAT has a higher priority than policy PAT, it is evaluated first.

---- This way the branch hosts' Internet access is not affected.

---- Because policy static NAT, unlike regular static NAT, does not map a whole subnet one to one, this approach is only convenient when a small number of hosts on each side need VPN access to each other; otherwise many policy static NAT entries are needed (at present this approach can only use one-to-one policy static NAT).

F. The source addresses of traffic from HQ to the branch are not translated. For the traffic to flow correctly, translation must be done on the Outside interface of the branch firewall, so that once inside the branch the source address belongs to a different subnet.

G. The test results show that NAT from the Outside interface to the inside network happens after VPN decryption, whereas NAT from Inside to Outside happens before VPN encryption.

3. Test topology:

[Topology diagram: ERP_HQ - PIX80_HQ - Internet - PIX80_Branch - ERP_Branch]

4. Basic configuration:

A. ERP_HQ router:

interface Ethernet0/0
 ip address 172.16.1.2 255.255.255.0
 no shut
ip route 0.0.0.0 0.0.0.0 172.16.1.1

B. PIX80_HQ firewall:

interface Ethernet0
 nameif Inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
 no shut
interface Ethernet1
 nameif Outside
 security-level 0
 ip address 202.100.1.1 255.255.255.0
 no shut
route Outside 0.0.0.0 0.0.0.0 202.100.1.10
access-list OUTSIDE extended permit icmp any any
access-group OUTSIDE in interface Outside

C. Internet router:

interface Ethernet0/0
 ip address 202.100.1.10 255.255.255.0
 no shut
interface Ethernet0/1
 ip address 202.100.2.10 255.255.255.0
 no shut

D. PIX80_Branch firewall:

interface Ethernet0
 nameif Inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
 no shut
interface Ethernet1
 nameif Outside
 security-level 0
 ip address 202.100.2.1 255.255.255.0
 no shut
route Outside 0.0.0.0 0.0.0.0 202.100.2.10
access-list OUTSIDE extended permit icmp any any
access-group OUTSIDE in interface Outside

E. ERP_Branch router:

interface Ethernet0/0
 ip address 172.16.1.3 255.255.255.0 secondary
 ip address 172.16.1.2 255.255.255.0
 no shut
ip route 0.0.0.0 0.0.0.0 172.16.1.1

5. Firewall NAT configuration:

A. PIX80_HQ firewall:

① PAT:

access-list PAT extended permit ip 172.16.1.0 255.255.255.0 any
nat (Inside) 1 access-list PAT
global (Outside) 1 interface

② NAT exemption:

access-list NAT0 extended permit ip host 172.16.1.2 host 10.1.2.2
nat (Inside) 0 access-list NAT0

B. PIX80_Branch firewall:

① PAT:

access-list PAT extended permit ip 172.16.1.0 255.255.255.0 any
nat (Inside) 1 access-list PAT
global (Outside) 1 interface

② Policy static NAT:

access-list VPN-NAT extended permit ip host 172.16.1.2 host 10.1.1.2
static (Inside,Outside) 10.1.2.2 access-list VPN-NAT

③ Outside NAT:

static (Outside,Inside) 10.1.1.2 172.16.1.2 netmask 255.255.255.255

---- This way, when HQ's untranslated 172.16.1.2 reaches the branch's Outside interface and is decrypted, its address is translated to 10.1.1.2 as it enters the inside network.

6. L2L VPN configuration:

A. PIX80_HQ firewall:

① Phase 1 policy:

crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
tunnel-group 202.100.2.1 type ipsec-l2l
tunnel-group 202.100.2.1 ipsec-attributes
 pre-shared-key cisco

② Phase 2 transform set:

crypto ipsec transform-set transet esp-des esp-md5-hmac

③ Interesting traffic:

access-list VPN extended permit ip 172.16.1.0 255.255.255.0 10.1.2.0 255.255.255.0

Or written more specifically:

access-list VPN extended permit ip host 172.16.1.2 host 10.1.2.2

④ Configure and apply the crypto map:

crypto map crymap 10 match address VPN
crypto map crymap 10 set peer 202.100.2.1
crypto map crymap 10 set transform-set transet
crypto map crymap interface Outside

⑤ Enable ISAKMP on the interface:

crypto isakmp enable Outside

B. PIX80_Branch firewall:

① Phase 1 policy:

crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
tunnel-group 202.100.1.1 type ipsec-l2l
tunnel-group 202.100.1.1 ipsec-attributes
 pre-shared-key cisco

② Phase 2 transform set:

crypto ipsec transform-set transet esp-des esp-md5-hmac

③ Interesting traffic (note that the branch side uses the post-NAT 10.1.2.0 addresses, because Inside-to-Outside NAT runs before encryption):

access-list VPN extended permit ip 10.1.2.0 255.255.255.0 172.16.1.0 255.255.255.0

Or written more specifically:

access-list VPN extended permit ip host 10.1.2.2 host 172.16.1.2

④ Configure and apply the crypto map:

crypto map crymap 10 match address VPN
crypto map crymap 10 set peer 202.100.1.1
crypto map crymap 10 set transform-set transet
crypto map crymap interface Outside

⑤ Enable ISAKMP on the interface:

crypto isakmp enable Outside
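As an added illustration (this is not Cisco code and not part of the original post), the following Python model walks one packet each way through the NAT rules of section 5 and the crypto ACLs of section 6, following the ordering rules of section 2 (NAT before encryption on the way out, NAT after decryption on the way in), and shows why point B rules out a regular static. The `Pix`, `Rule` and `Acl` classes, the rule precedence used (NAT exemption, then policy static, then dynamic PAT) and the way an outside static is applied are this model's own assumptions; the addresses are the ones from the post.

```python
"""Added model of the two PIX 8.0 firewalls' NAT and crypto-map evaluation.

Assumptions of this model (not Cisco code): Inside->Outside rules are chosen by
precedence (exemption, then policy static, then dynamic PAT) rather than by
configuration order; NAT runs before encryption outbound and after decryption
inbound; a "static (Outside,Inside) mapped real" rewrites the source of inbound
packets (real -> mapped) and the destination of outbound packets (mapped -> real).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

Packet = Tuple[str, str]  # (source, destination)


@dataclass
class Acl:
    src: IPv4Network
    dst: IPv4Network

    def matches(self, pkt: Packet) -> bool:
        return IPv4Address(pkt[0]) in self.src and IPv4Address(pkt[1]) in self.dst


def acl(src: str, dst: str) -> Acl:
    return Acl(IPv4Network(src, strict=False), IPv4Network(dst, strict=False))


@dataclass
class Rule:
    kind: str                     # "exempt" (nat 0 access-list), "policy-static" or "pat"
    match: Acl
    mapped: Optional[str] = None  # policy static: address seen on the Outside
    real: Optional[str] = None    # policy static: address on the Inside


@dataclass
class Pix:
    outside_ip: str
    rules: List[Rule]
    outside_statics: List[Tuple[str, str]]  # (mapped, real) per static (Outside,Inside)
    crypto_acl: Acl

    PRECEDENCE = ("exempt", "policy-static", "pat")  # model assumption, see docstring

    def first_match(self, pkt: Packet) -> Optional[Rule]:
        for kind in self.PRECEDENCE:
            for r in self.rules:
                if r.kind == kind and r.match.matches(pkt):
                    return r
        return None

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> Outside translation, applied before the crypto map is checked."""
        src, dst = pkt
        r = self.first_match(pkt)
        if r is not None and r.kind == "policy-static":
            src = r.mapped
        elif r is not None and r.kind == "pat":
            src = self.outside_ip          # global (Outside) 1 interface
        # "exempt" or no rule: source untouched
        for mapped, real in self.outside_statics:  # inside hosts address the peer by its mapped IP
            if dst == mapped:
                dst = real
        return (src, dst)

    def inbound(self, pkt: Packet) -> Packet:
        """Outside -> Inside translation, applied after decryption."""
        src, dst = pkt
        for mapped, real in self.outside_statics:  # outside NAT: peer's real address -> mapped
            if src == real:
                src = mapped
        for r in self.rules:                       # policy static: un-translate the destination
            if r.kind == "policy-static" and dst == r.mapped and IPv4Address(src) in r.match.dst:
                dst = r.real
        return (src, dst)

    def encrypts(self, pkt: Packet) -> bool:
        return self.crypto_acl.matches(pkt)


HQ = Pix("202.100.1.1",
         [Rule("pat", acl("172.16.1.0/24", "0.0.0.0/0")),
          Rule("exempt", acl("172.16.1.2/32", "10.1.2.2/32"))],
         [], acl("172.16.1.0/24", "10.1.2.0/24"))
BRANCH = Pix("202.100.2.1",
             [Rule("pat", acl("172.16.1.0/24", "0.0.0.0/0")),
              Rule("policy-static", acl("172.16.1.2/32", "10.1.1.2/32"), "10.1.2.2", "172.16.1.2")],
             [("10.1.1.2", "172.16.1.2")], acl("10.1.2.0/24", "172.16.1.0/24"))


def send(sender: Pix, receiver: Pix, pkt: Packet):
    """Return (packet on the wire, went through the tunnel?, packet delivered on the peer's Inside)."""
    wire = sender.outbound(pkt)
    if not sender.encrypts(wire):
        return wire, False, None   # plain Internet traffic, never reaches the peer's Inside
    return wire, True, receiver.inbound(wire)


def crypto_acls_mirror() -> bool:
    """Phase 2 proxy identities must be mirror images, written with post-NAT addresses."""
    return (HQ.crypto_acl.src, HQ.crypto_acl.dst) == (BRANCH.crypto_acl.dst, BRANCH.crypto_acl.src)


def regular_static_would_break_internet() -> Packet:
    """Point B: a plain 'static (Inside,Outside) 10.1.2.2 172.16.1.2' behaves like a policy
    static matching any destination, so even Internet-bound traffic gets the VPN-only address."""
    broken = Pix("202.100.2.1",
                 [Rule("pat", acl("172.16.1.0/24", "0.0.0.0/0")),
                  Rule("policy-static", acl("172.16.1.2/32", "0.0.0.0/0"), "10.1.2.2", "172.16.1.2")],
                 [], BRANCH.crypto_acl)
    return broken.outbound(("172.16.1.2", "202.100.2.10"))


if __name__ == "__main__":
    print("HQ -> Branch:    ", send(HQ, BRANCH, ("172.16.1.2", "10.1.2.2")))
    print("Branch -> HQ:    ", send(BRANCH, HQ, ("172.16.1.2", "10.1.1.2")))
    print("HQ -> Internet:  ", send(HQ, BRANCH, ("172.16.1.2", "202.100.1.10")))
    print("crypto ACLs mirror:", crypto_acls_mirror())
    print("with a regular static, Internet traffic becomes:", regular_static_would_break_internet())
```

Run it directly and compare with section 7: the packet delivered to ERP_Branch arrives from 10.1.1.2, and the one delivered to ERP_HQ arrives from 10.1.2.2, which is exactly what the two "show users" outputs record, while Internet-bound traffic from either site is PATed to the Outside interface address and never matches the crypto ACL.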

7. Tests:

A. Internet connectivity test:

① ERP_HQ router:

ERP_HQ#ping 202.100.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/94/292 ms
ERP_HQ#

Internet#debug ip icmp
ICMP packet debugging is on
Internet#
*Mar  2 07:36:11.648: ICMP: echo reply sent, src 202.100.1.10, dst 202.100.1.1
*Mar  2 07:36:11.768: ICMP: echo reply sent, src 202.100.1.10, dst 202.100.1.1
*Mar  2 07:36:11.856: ICMP: echo reply sent, src 202.100.1.10, dst 202.100.1.1
*Mar  2 07:36:12.096: ICMP: echo reply sent, src 202.100.1.10, dst 202.100.1.1
*Mar  2 07:36:12.132: ICMP: echo reply sent, src 202.100.1.10, dst 202.100.1.1

② ERP_Branch router:

ERP_Branch#ping 202.100.2.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.2.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/92/344 ms
ERP_Branch#

Internet#debug ip icmp
ICMP packet debugging is on
Internet#
*Mar  2 07:36:57.536: ICMP: echo reply sent, src 202.100.2.10, dst 202.100.2.1
*Mar  2 07:36:57.896: ICMP: echo reply sent, src 202.100.2.10, dst 202.100.2.1
*Mar  2 07:36:57.976: ICMP: echo reply sent, src 202.100.2.10, dst 202.100.2.1
*Mar  2 07:36:57.988: ICMP: echo reply sent, src 202.100.2.10, dst 202.100.2.1
*Mar  2 07:36:58.000: ICMP: echo reply sent, src 202.100.2.10, dst 202.100.2.1

B. VPN access test:

① ERP_HQ router:

ERP_HQ#telnet 10.1.2.2
Trying 10.1.2.2 ... Open

User Access Verification

Password:
ERP_Branch>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:55
*130 vty 0                idle                 00:00:00 10.1.1.2

  Interface    User               Mode         Idle     Peer Address

ERP_Branch>

② ERP_Branch router:

ERP_Branch#telnet 10.1.1.2
Trying 10.1.1.2 ... Open

User Access Verification

Password:
ERP_HQ>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:17
*130 vty 0                idle                 00:00:00 10.1.2.2

  Interface    User               Mode         Idle     Peer Address

ERP_HQ>

--- Note: with this configuration, only the two devices ERP_HQ and ERP_Branch can actually communicate with each other over the VPN.

This article is reposted from 碧云天's 51CTO blog; original link: http://blog.51cto.com/333234/1241114. Please contact the original author for permission to reprint.
