IPSec VPN project walkthrough (with topology, configuration, lab environment and video explanation)

Author: 网络工程师笔记
Published 2021-06-23 00:30:05

Topology:

Lab environment:

The topology has four parts: the headquarters Tiger HQ on the far left, the ISP in the middle, branch Branch1 in the top right and branch Branch2 in the bottom right. The border devices at headquarters and at both branches are USG 6000V firewalls, each connected to the ISP's PE device. Headquarters has VLAN 10 and VLAN 20: hosts A and B belong to VLAN 10, hosts C and D to VLAN 20.

Requirements:

1. Internal hosts within each site can reach one another.

2. All internal hosts at headquarters and at the branches can reach the Internet through their border firewall.

3. Hosts at headquarters can reach hosts at both branches, and hosts at both branches can reach hosts at headquarters.

Scan the QR code to get the video course and lab environment for this lab.

Device configuration details:

Headquarters:

SW1:

[SW1]int lo0
[SW1-LoopBack0]ip add 10.1.11.11 32
[SW1-LoopBack0]quit
[SW1]vlan batch 10 20 // create the VLANs
[SW1]int g0/0/1
[SW1-GigabitEthernet0/0/1]port link-type trunk
[SW1-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[SW1-GigabitEthernet0/0/1]quit
[SW1]int g0/0/2
[SW1-GigabitEthernet0/0/2]port link-type trunk
[SW1-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[SW1-GigabitEthernet0/0/2]quit
[SW1]int eth-trunk 12
[SW1-Eth-Trunk12]trunkport g0/0/23 to 0/0/24
[SW1-Eth-Trunk12]port link-type trunk
[SW1-Eth-Trunk12]port trunk allow-pass vlan all
[SW1-Eth-Trunk12]quit
[SW1]stp mode mstp
[SW1]stp region-configuration
[SW1-mst-region]region-name Tigerlab
[SW1-mst-region]revision-level 1256
[SW1-mst-region]instance 10 vlan 10
[SW1-mst-region]instance 20 vlan 20
[SW1-mst-region]active region-configuration
[SW1-mst-region]quit
[SW1]stp instance 10 root primary
[SW1]stp instance 20 root secondary
[SW1]int vlan 10
[SW1-vlanif10]ip add 10.1.10.11 24
[SW1-vlanif10]quit
[SW1]int vlan 20
[SW1-vlanif20]ip add 10.1.20.11 24
[SW1-vlanif20]quit
[SW1]int vlan 10
[SW1-vlanif10]vrrp vrid 10 virtual-ip 10.1.10.254
[SW1-vlanif10]vrrp vrid 10 priority 105
[SW1-vlanif10]quit
[SW1]int vlan 20
[SW1-vlanif20]vrrp vrid 20 virtual-ip 10.1.20.254
[SW1-vlanif20]quit
[SW1]vlan 111
[SW1-vlan111]quit
[SW1]int g0/0/3
[SW1-GigabitEthernet0/0/3]port link-type access
[SW1-GigabitEthernet0/0/3]port default vlan 111
[SW1-GigabitEthernet0/0/3]stp edged-port enable
[SW1-GigabitEthernet0/0/3]quit
[SW1]stp bpdu-protection
[SW1]int vlan 111
[SW1-vlanif111]ip add 10.1.111.11 24
[SW1-vlanif111]quit
[SW1]ospf 10 router-id 10.1.11.11
[SW1-ospf-10]area 0
[SW1-ospf-10-area-0.0.0.0]net 10.1.11.11 0.0.0.0
[SW1-ospf-10-area-0.0.0.0]net 10.1.111.11 0.0.0.0
[SW1-ospf-10-area-0.0.0.0]net 10.1.10.11 0.0.0.0
[SW1-ospf-10-area-0.0.0.0]net 10.1.20.11 0.0.0.0

Check the STP result with display stp instance 10: SW1 is the root for instance 10 (VLAN 10).

SW2:

[SW2]int lo0
[SW2-LoopBack0]ip add 10.1.12.12 32
[SW2-LoopBack0]quit
[SW2]vlan batch 10 20
[SW2]int g0/0/1
[SW2-GigabitEthernet0/0/1]port link-type trunk
[SW2-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[SW2-GigabitEthernet0/0/1]quit
[SW2]int g0/0/2
[SW2-GigabitEthernet0/0/2]port link-type trunk
[SW2-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[SW2-GigabitEthernet0/0/2]quit
[SW2]int eth-trunk 12
[SW2-Eth-Trunk12]trunkport g0/0/23 to 0/0/24
[SW2-Eth-Trunk12]port link-type trunk
[SW2-Eth-Trunk12]port trunk allow-pass vlan all
[SW2-Eth-Trunk12]quit
[SW2]stp mode mstp
[SW2]stp region-configuration
[SW2-mst-region]region-name Tigerlab
[SW2-mst-region]revision-level 1256
[SW2-mst-region]instance 10 vlan 10
[SW2-mst-region]instance 20 vlan 20
[SW2-mst-region]active region-configuration
[SW2-mst-region]quit
[SW2]stp instance 20 root primary
[SW2]stp instance 10 root secondary
[SW2]int vlan 10
[SW2-vlanif10]ip add 10.1.10.12 24
[SW2-vlanif10]quit
[SW2]int vlan 20
[SW2-vlanif20]ip add 10.1.20.12 24
[SW2-vlanif20]quit
[SW2]int vlan 10
[SW2-vlanif10]vrrp vrid 10 virtual-ip 10.1.10.254
[SW2-vlanif10]quit
[SW2]int vlan 20
[SW2-vlanif20]vrrp vrid 20 virtual-ip 10.1.20.254
[SW2-vlanif20]vrrp vrid 20 priority 105
[SW2-vlanif20]quit
[SW2]vlan 112
[SW2-vlan112]quit
[SW2]int g0/0/3
[SW2-GigabitEthernet0/0/3]port link-type access
[SW2-GigabitEthernet0/0/3]port default vlan 112
[SW2-GigabitEthernet0/0/3]stp edged-port enable
[SW2-GigabitEthernet0/0/3]quit
[SW2]stp bpdu-protection
[SW2]int vlan 112
[SW2-vlanif112]ip add 10.1.112.12 24
[SW2-vlanif112]quit
[SW2]ospf 10 router-id 10.1.12.12
[SW2-ospf-10]area 0
[SW2-ospf-10-area-0.0.0.0]net 10.1.12.12 0.0.0.0
[SW2-ospf-10-area-0.0.0.0]net 10.1.112.12 0.0.0.0
[SW2-ospf-10-area-0.0.0.0]net 10.1.10.12 0.0.0.0
[SW2-ospf-10-area-0.0.0.0]net 10.1.20.12 0.0.0.0

(1) On SW1, verify the VLAN membership of the ports: display port vlan.

On SW1, check the VRRP state: display vrrp brief.

SW3:

[SW3]int lo0
[SW3-LoopBack0]ip add 10.2.13.13 32
[SW3-LoopBack0]quit
[SW3]vlan batch 30 40
[SW3]int g0/0/1
[SW3-GigabitEthernet0/0/1]port link-type access
[SW3-GigabitEthernet0/0/1]port default vlan 30
[SW3-GigabitEthernet0/0/1]stp edged-port enable
[SW3-GigabitEthernet0/0/1]quit
[SW3]int g0/0/2
[SW3-GigabitEthernet0/0/2]port link-type access
[SW3-GigabitEthernet0/0/2]port default vlan 30
[SW3-GigabitEthernet0/0/2]stp edged-port enable
[SW3-GigabitEthernet0/0/2]quit
[SW3]int g0/0/3
[SW3-GigabitEthernet0/0/3]port link-type access
[SW3-GigabitEthernet0/0/3]port default vlan 40
[SW3-GigabitEthernet0/0/3]stp edged-port enable
[SW3-GigabitEthernet0/0/3]quit
[SW3]int g0/0/4
[SW3-GigabitEthernet0/0/4]port link-type access
[SW3-GigabitEthernet0/0/4]port default vlan 40
[SW3-GigabitEthernet0/0/4]stp edged-port enable
[SW3-GigabitEthernet0/0/4]quit
[SW3]stp bpdu-protection
[SW3]vlan 132
[SW3-vlan132]quit
[SW3]int g0/0/24
[SW3-GigabitEthernet0/0/24]port link-type access
[SW3-GigabitEthernet0/0/24]port default vlan 132
[SW3-GigabitEthernet0/0/24]stp edged-port enable
[SW3-GigabitEthernet0/0/24]quit
[SW3]int vlan 132
[SW3-vlanif132]ip add 10.2.132.13 24
[SW3-vlanif132]quit
[SW3]int vlan 30
[SW3-vlanif30]ip add 10.2.30.254 24
[SW3-vlanif30]quit
[SW3]int vlan 40
[SW3-vlanif40]ip add 10.2.40.254 24
[SW3-vlanif40]quit
[SW3]ospf 10 router-id 10.2.13.13
[SW3-ospf-10]area 0
[SW3-ospf-10-area-0.0.0.0]net 10.2.13.13 0.0.0.0
[SW3-ospf-10-area-0.0.0.0]net 10.2.30.254 0.0.0.0
[SW3-ospf-10-area-0.0.0.0]net 10.2.40.254 0.0.0.0
[SW3-ospf-10-area-0.0.0.0]net 10.2.132.13 0.0.0.0

SW4:

[SW4]int lo0
[SW4-LoopBack0]ip add 10.3.14.14 32
[SW4-LoopBack0]quit
[SW4]vlan batch 50
[SW4]int g0/0/1
[SW4-GigabitEthernet0/0/1]port link-type access
[SW4-GigabitEthernet0/0/1]port default vlan 50
[SW4-GigabitEthernet0/0/1]stp edged-port enable
[SW4-GigabitEthernet0/0/1]quit
[SW4]int g0/0/2
[SW4-GigabitEthernet0/0/2]port link-type access
[SW4-GigabitEthernet0/0/2]port default vlan 50
[SW4-GigabitEthernet0/0/2]stp edged-port enable
[SW4-GigabitEthernet0/0/2]quit
[SW4]int g0/0/3
[SW4-GigabitEthernet0/0/3]port link-type access
[SW4-GigabitEthernet0/0/3]port default vlan 50
[SW4-GigabitEthernet0/0/3]stp edged-port enable
[SW4-GigabitEthernet0/0/3]quit
[SW4]stp bpdu-protection
[SW4]vlan 143
[SW4-vlan143]quit
[SW4]int g0/0/24
[SW4-GigabitEthernet0/0/24]port link-type access
[SW4-GigabitEthernet0/0/24]port default vlan 143
[SW4-GigabitEthernet0/0/24]stp edged-port enable
[SW4-GigabitEthernet0/0/24]quit
[SW4]int vlan 143
[SW4-vlanif143]ip add 10.3.143.14 24
[SW4-vlanif143]quit
[SW4]int vlan 50
[SW4-vlanif50]ip add 10.3.50.254 24
[SW4-vlanif50]quit
[SW4]ospf 10 router-id 10.3.14.14
[SW4-ospf-10]area 0
[SW4-ospf-10-area-0.0.0.0]net 10.3.14.14 0.0.0.0
[SW4-ospf-10-area-0.0.0.0]net 10.3.50.254 0.0.0.0
[SW4-ospf-10-area-0.0.0.0]net 10.3.143.14 0.0.0.0

SW5:

[SW5]vlan batch 10 20
[SW5]int g0/0/1
[SW5-GigabitEthernet0/0/1]port link-type trunk
[SW5-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[SW5-GigabitEthernet0/0/1]quit
[SW5]int g0/0/2
[SW5-GigabitEthernet0/0/2]port link-type trunk
[SW5-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[SW5-GigabitEthernet0/0/2]quit
[SW5]int e0/0/1
[SW5-Ethernet0/0/1]port link-type access
[SW5-Ethernet0/0/1]port default vlan 10
[SW5-Ethernet0/0/1]stp edged-port enable
[SW5-Ethernet0/0/1]quit
[SW5]int e0/0/2
[SW5-Ethernet0/0/2]port link-type access
[SW5-Ethernet0/0/2]port default vlan 20
[SW5-Ethernet0/0/2]stp edged-port enable
[SW5-Ethernet0/0/2]quit
[SW5]stp bpdu-protection
[SW5]stp mode mstp
[SW5]stp region-configuration
[SW5-mst-region]region-name Tigerlab
[SW5-mst-region]revision-level 1256
[SW5-mst-region]instance 10 vlan 10
[SW5-mst-region]instance 20 vlan 20
[SW5-mst-region]active region-configuration
[SW5-mst-region]quit

Next, verify the VLAN membership of the ports: display port vlan.

SW6:

[SW6]vlan batch 10 20
[SW6]int g0/0/1
[SW6-GigabitEthernet0/0/1]port link-type trunk
[SW6-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[SW6-GigabitEthernet0/0/1]quit
[SW6]int g0/0/2
[SW6-GigabitEthernet0/0/2]port link-type trunk
[SW6-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[SW6-GigabitEthernet0/0/2]quit
[SW6]int e0/0/1
[SW6-Ethernet0/0/1]port link-type access
[SW6-Ethernet0/0/1]port default vlan 10
[SW6-Ethernet0/0/1]stp edged-port enable
[SW6-Ethernet0/0/1]quit
[SW6]int e0/0/2
[SW6-Ethernet0/0/2]port link-type access
[SW6-Ethernet0/0/2]port default vlan 20
[SW6-Ethernet0/0/2]stp edged-port enable
[SW6-Ethernet0/0/2]quit
[SW6]stp bpdu-protection
[SW6]stp mode mstp
[SW6]stp region-configuration
[SW6-mst-region]region-name Tigerlab
[SW6-mst-region]revision-level 1256
[SW6-mst-region]instance 10 vlan 10
[SW6-mst-region]instance 20 vlan 20
[SW6-mst-region]active region-configuration
[SW6-mst-region]quit

Verify connectivity between the headquarters hosts and their gateway.

Headquarters firewall FW1:

[USG1]int lo0
[USG1-LoopBack0]ip add 10.1.1.1 32
[USG1-LoopBack0]quit
[USG1]int g1/0/0
[USG1-GigabitEthernet1/0/0]ip add 100.1.41.1 24
[USG1-GigabitEthernet1/0/0]quit
[USG1]int g1/0/1
[USG1-GigabitEthernet1/0/1]ip add 10.1.111.1 24
[USG1-GigabitEthernet1/0/1]quit
[USG1]int g1/0/2
[USG1-GigabitEthernet1/0/2]ip add 10.1.112.1 24
[USG1-GigabitEthernet1/0/2]quit
[USG1]firewall zone trust
[USG1-zone-trust]add int g1/0/1
[USG1-zone-trust]add int g1/0/2
[USG1-zone-trust]quit
[USG1]firewall zone untrust
[USG1-zone-untrust]add int g1/0/0
[USG1-zone-untrust]quit
[USG1]security-policy
[USG1-policy-security]rule name Inside
[USG1-policy-security-rule-Inside]source-zone trust
[USG1-policy-security-rule-Inside]destination-zone local
[USG1-policy-security-rule-Inside]source-zone local
[USG1-policy-security-rule-Inside]destination-zone trust
[USG1-policy-security-rule-Inside]access-authentication
[USG1-policy-security-rule-Inside]action permit
[USG1-policy-security-rule-Inside]quit
[USG1-policy-security]quit
[USG1]int g1/0/1
[USG1-GigabitEthernet1/0/1]service-manage ping permit
[USG1-GigabitEthernet1/0/1]quit
[USG1]int g1/0/2
[USG1-GigabitEthernet1/0/2]service-manage ping permit
[USG1-GigabitEthernet1/0/2]quit
[USG1]ospf 10 router-id 10.1.1.1
[USG1-ospf-10]area 0
[USG1-ospf-10-area-0.0.0.0]net 10.1.1.1 0.0.0.0
[USG1-ospf-10-area-0.0.0.0]net 10.1.111.1 0.0.0.0
[USG1-ospf-10-area-0.0.0.0]net 10.1.112.1 0.0.0.0
[USG1-ospf-10-area-0.0.0.0]quit
[USG1-ospf-10]quit
[USG1]ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 1/0/0 100.1.41.4
[USG1]security-policy
[USG1-policy-security]rule name Internet
[USG1-policy-security-rule-Internet]source-zone trust
[USG1-policy-security-rule-Internet]destination-zone untrust
[USG1-policy-security-rule-Internet]source-address 10.1.0.0 16
[USG1-policy-security-rule-Internet]action permit
[USG1-policy-security-rule-Internet]quit
[USG1-policy-security]quit
[USG1]nat-policy
[USG1-policy-nat]rule name 0 // NAT exemption for VPN traffic to the branches; keep it above the Internet rule
[USG1-policy-nat-rule-0]source-zone trust
[USG1-policy-nat-rule-0]destination-zone untrust
[USG1-policy-nat-rule-0]destination-address 10.2.0.0 16
[USG1-policy-nat-rule-0]destination-address 10.3.0.0 16
[USG1-policy-nat-rule-0]action no-nat
[USG1-policy-nat-rule-0]quit
[USG1-policy-nat]rule name Internet
[USG1-policy-nat-rule-Internet]source-zone trust
[USG1-policy-nat-rule-Internet]destination-zone untrust
[USG1-policy-nat-rule-Internet]source-address 10.1.0.0 16
[USG1-policy-nat-rule-Internet]egress-interface GigabitEthernet 1/0/0
[USG1-policy-nat-rule-Internet]action source-nat easy-ip
[USG1-policy-nat-rule-Internet]quit
[USG1-policy-nat]quit
[USG1]ospf 10
[USG1-ospf-10]default-route-advertise
[USG1-ospf-10]quit
[USG1]security-policy
[USG1-policy-security]rule name IPSec // inbound IKE (UDP 500/4500) and ESP from the peers to the firewall itself
[USG1-policy-security-rule-IPSec]source-zone untrust
[USG1-policy-security-rule-IPSec]destination-zone local
[USG1-policy-security-rule-IPSec]source-address any
[USG1-policy-security-rule-IPSec]destination-address 100.1.41.1 32
[USG1-policy-security-rule-IPSec]service esp
[USG1-policy-security-rule-IPSec]service protocol udp source-port 500 destination-port 500
[USG1-policy-security-rule-IPSec]service protocol udp source-port 4500 destination-port 4500
[USG1-policy-security-rule-IPSec]action permit
[USG1-policy-security-rule-IPSec]quit
[USG1-policy-security]rule name IPSec-OUT
[USG1-policy-security-rule-IPSec-OUT]source-zone local
[USG1-policy-security-rule-IPSec-OUT]destination-zone untrust
[USG1-policy-security-rule-IPSec-OUT]source-address 100.1.41.1 32
[USG1-policy-security-rule-IPSec-OUT]destination-address any
[USG1-policy-security-rule-IPSec-OUT]service esp
[USG1-policy-security-rule-IPSec-OUT]service protocol udp source-port 500 destination-port 500
[USG1-policy-security-rule-IPSec-OUT]service protocol udp source-port 4500 destination-port 4500
[USG1-policy-security-rule-IPSec-OUT]action permit
[USG1-policy-security-rule-IPSec-OUT]quit
[USG1-policy-security]rule name IPSec-DATA // decrypted traffic between headquarters and branch LANs
[USG1-policy-security-rule-IPSec-DATA]source-zone trust
[USG1-policy-security-rule-IPSec-DATA]destination-zone untrust
[USG1-policy-security-rule-IPSec-DATA]source-zone untrust
[USG1-policy-security-rule-IPSec-DATA]destination-zone trust
[USG1-policy-security-rule-IPSec-DATA]source-address 10.1.0.0 16
[USG1-policy-security-rule-IPSec-DATA]destination-address 10.2.0.0 16
[USG1-policy-security-rule-IPSec-DATA]destination-address 10.3.0.0 16
[USG1-policy-security-rule-IPSec-DATA]source-address 10.2.0.0 16
[USG1-policy-security-rule-IPSec-DATA]source-address 10.3.0.0 16
[USG1-policy-security-rule-IPSec-DATA]destination-address 10.1.0.0 16
[USG1-policy-security-rule-IPSec-DATA]action permit
[USG1-policy-security-rule-IPSec-DATA]quit
[USG1-policy-security]quit
[USG1]ike proposal 10
[USG1-ike-proposal-10]encryption-algorithm aes-256
[USG1-ike-proposal-10]authentication-algorithm sha2-512
[USG1-ike-proposal-10]authentication-method pre-share
[USG1-ike-proposal-10]dh group14
[USG1-ike-proposal-10]quit
[USG1]ike peer Hub
[USG1-ike-peer-Hub]ike-proposal 10
[USG1-ike-peer-Hub]exchange-mode main
[USG1-ike-peer-Hub]undo version 2
[USG1-ike-peer-Hub]nat traversal
[USG1-ike-peer-Hub]pre-shared-key Cisco12345
[USG1-ike-peer-Hub]quit
[USG1]ipsec proposal ESP
[USG1-ipsec-proposal-ESP]transform esp
[USG1-ipsec-proposal-ESP]esp authentication-algorithm sha2-512
[USG1-ipsec-proposal-ESP]esp encryption-algorithm aes-256
[USG1-ipsec-proposal-ESP]quit
[USG1]ipsec policy-template T 10 // template: the hub does not name its peers, the branches initiate
[USG1-ipsec-policy-template-T-10]ike-peer Hub
[USG1-ipsec-policy-template-T-10]proposal ESP
[USG1-ipsec-policy-template-T-10]tunnel local 100.1.41.1
[USG1-ipsec-policy-template-T-10]quit
[USG1]ipsec policy Tigerlab 10 isakmp template T
[USG1]int g1/0/0
[USG1-GigabitEthernet1/0/0]ipsec policy Tigerlab
[USG1-GigabitEthernet1/0/0]quit

(1) At this point, check that the firewall can ping the switches.

(2) On the firewall, check the OSPF neighbours and routes: display ospf peer brief and display ip routing-table protocol ospf.

(3) Ping the internal hosts from the firewall.
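The order of the two nat-policy rules on USG1 matters: the policy is evaluated top-down and the first matching rule wins, so rule 0 (no-nat towards 10.2.0.0/16 and 10.3.0.0/16) must sit above the Internet easy-ip rule. If the order were reversed, traffic from headquarters to a branch would be source-translated to 100.1.41.1 before IPsec saw it and would no longer match the branch's ACL 3000. The following Python snippet is an added example, not part of the original post: it models USG1's nat-policy as an ordered first-match list built from the configuration above and evaluates sample flows; the Internet address 203.0.113.10 is a constructed value.

```python
import ipaddress
from dataclasses import dataclass, field


def net(s):
    return ipaddress.ip_network(s, strict=False)


@dataclass
class NatRule:
    """One nat-policy rule; an empty address list means 'any'."""
    name: str
    action: str                      # "no-nat" or "source-nat easy-ip"
    src_zone: str = "trust"
    dst_zone: str = "untrust"
    src_addrs: list = field(default_factory=list)
    dst_addrs: list = field(default_factory=list)

    def matches(self, src_zone, dst_zone, src_ip, dst_ip):
        if (src_zone, dst_zone) != (self.src_zone, self.dst_zone):
            return False
        if self.src_addrs and not any(src_ip in n for n in self.src_addrs):
            return False
        if self.dst_addrs and not any(dst_ip in n for n in self.dst_addrs):
            return False
        return True


# USG1's nat-policy in the order it is entered in the configuration above.
USG1_NAT_POLICY = [
    NatRule("0", "no-nat", dst_addrs=[net("10.2.0.0/16"), net("10.3.0.0/16")]),
    NatRule("Internet", "source-nat easy-ip", src_addrs=[net("10.1.0.0/16")]),
]


def nat_decision(policy, src_ip, dst_ip, src_zone="trust", dst_zone="untrust"):
    """First-match evaluation; no hit means the packet is not translated."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in policy:
        if rule.matches(src_zone, dst_zone, src, dst):
            return rule.name, rule.action
    return "default", "no-nat"


def check_vpn_exemption(policy, inside_net, vpn_nets):
    """Probe one host of each VPN prefix and report the prefixes that would be
    source-translated, i.e. would never match the peer's interesting-traffic ACL."""
    probe_src = str(next(inside_net.hosts()))
    leaks = []
    for vpn in vpn_nets:
        name, action = nat_decision(policy, probe_src, str(next(vpn.hosts())))
        if action != "no-nat":
            leaks.append((str(vpn), name))
    return leaks


if __name__ == "__main__":
    print(nat_decision(USG1_NAT_POLICY, "10.1.10.1", "10.2.30.1"))     # ('0', 'no-nat')
    print(nat_decision(USG1_NAT_POLICY, "10.1.10.1", "203.0.113.10"))  # Internet rule, easy-ip
    # The same two rules in the opposite order silently break the tunnel.
    swapped = list(reversed(USG1_NAT_POLICY))
    print(check_vpn_exemption(swapped, net("10.1.0.0/16"),
                              [net("10.2.0.0/16"), net("10.3.0.0/16")]))
```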

Branch1 firewall FW2:

[USG2]int lo0
[USG2-LoopBack0]ip add 10.2.2.2 32
[USG2-LoopBack0]quit
[USG2]int g1/0/0
[USG2-GigabitEthernet1/0/0]ip add 100.1.52.2 24
[USG2-GigabitEthernet1/0/0]quit
[USG2]int g1/0/1
[USG2-GigabitEthernet1/0/1]ip add 10.2.132.2 24
[USG2-GigabitEthernet1/0/1]quit
[USG2]firewall zone trust
[USG2-zone-trust]add int g1/0/1
[USG2-zone-trust]quit
[USG2]firewall zone untrust
[USG2-zone-untrust]add int g1/0/0
[USG2-zone-untrust]quit
[USG2]security-policy
[USG2-policy-security]rule name Inside
[USG2-policy-security-rule-Inside]source-zone trust
[USG2-policy-security-rule-Inside]destination-zone local
[USG2-policy-security-rule-Inside]source-zone local
[USG2-policy-security-rule-Inside]destination-zone trust
[USG2-policy-security-rule-Inside]access-authentication
[USG2-policy-security-rule-Inside]action permit
[USG2-policy-security-rule-Inside]quit
[USG2-policy-security]quit
[USG2]int g1/0/1
[USG2-GigabitEthernet1/0/1]service-manage ping permit
[USG2-GigabitEthernet1/0/1]quit
[USG2]ospf 10 router-id 10.2.2.2
[USG2-ospf-10]area 0
[USG2-ospf-10-area-0.0.0.0]net 10.2.2.2 0.0.0.0
[USG2-ospf-10-area-0.0.0.0]net 10.2.132.2 0.0.0.0
[USG2-ospf-10-area-0.0.0.0]quit
[USG2-ospf-10]quit
[USG2]ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 1/0/0 100.1.52.5
[USG2]security-policy
[USG2-policy-security]rule name Internet
[USG2-policy-security-rule-Internet]source-zone trust
[USG2-policy-security-rule-Internet]destination-zone untrust
[USG2-policy-security-rule-Internet]source-address 10.2.0.0 16
[USG2-policy-security-rule-Internet]action permit
[USG2-policy-security-rule-Internet]quit
[USG2-policy-security]quit
[USG2]nat-policy
[USG2-policy-nat]rule name 0 // NAT exemption for VPN traffic to headquarters; keep it above the Internet rule
[USG2-policy-nat-rule-0]source-zone trust
[USG2-policy-nat-rule-0]destination-zone untrust
[USG2-policy-nat-rule-0]destination-address 10.1.0.0 16
[USG2-policy-nat-rule-0]action no-nat
[USG2-policy-nat-rule-0]quit
[USG2-policy-nat]rule name Internet
[USG2-policy-nat-rule-Internet]source-zone trust
[USG2-policy-nat-rule-Internet]destination-zone untrust
[USG2-policy-nat-rule-Internet]source-address 10.2.0.0 16
[USG2-policy-nat-rule-Internet]egress-interface GigabitEthernet 1/0/0
[USG2-policy-nat-rule-Internet]action source-nat easy-ip
[USG2-policy-nat-rule-Internet]quit
[USG2-policy-nat]quit
[USG2]ospf 10
[USG2-ospf-10]default-route-advertise
[USG2-ospf-10]quit
[USG2]security-policy
[USG2-policy-security]rule name IPSec-IN
[USG2-policy-security-rule-IPSec-IN]source-zone untrust
[USG2-policy-security-rule-IPSec-IN]destination-zone local
[USG2-policy-security-rule-IPSec-IN]source-address 100.1.41.1 32
[USG2-policy-security-rule-IPSec-IN]destination-address any
[USG2-policy-security-rule-IPSec-IN]service esp
[USG2-policy-security-rule-IPSec-IN]service protocol udp source-port 500 destination-port 500
[USG2-policy-security-rule-IPSec-IN]service protocol udp source-port 4500 destination-port 4500
[USG2-policy-security-rule-IPSec-IN]action permit
[USG2-policy-security-rule-IPSec-IN]quit
[USG2-policy-security]rule name IPSec-OUT
[USG2-policy-security-rule-IPSec-OUT]source-zone local
[USG2-policy-security-rule-IPSec-OUT]destination-zone untrust
[USG2-policy-security-rule-IPSec-OUT]source-address any
[USG2-policy-security-rule-IPSec-OUT]destination-address 100.1.41.1 32
[USG2-policy-security-rule-IPSec-OUT]service esp
[USG2-policy-security-rule-IPSec-OUT]service protocol udp source-port 500 destination-port 500
[USG2-policy-security-rule-IPSec-OUT]service protocol udp source-port 4500 destination-port 4500
[USG2-policy-security-rule-IPSec-OUT]action permit
[USG2-policy-security-rule-IPSec-OUT]quit
[USG2-policy-security]rule name IPSec-DATA
[USG2-policy-security-rule-IPSec-DATA]source-zone trust
[USG2-policy-security-rule-IPSec-DATA]destination-zone untrust
[USG2-policy-security-rule-IPSec-DATA]source-zone untrust
[USG2-policy-security-rule-IPSec-DATA]destination-zone trust
[USG2-policy-security-rule-IPSec-DATA]source-address 10.1.0.0 16
[USG2-policy-security-rule-IPSec-DATA]destination-address 10.2.0.0 16
[USG2-policy-security-rule-IPSec-DATA]source-address 10.2.0.0 16
[USG2-policy-security-rule-IPSec-DATA]destination-address 10.1.0.0 16
[USG2-policy-security-rule-IPSec-DATA]action permit
[USG2-policy-security-rule-IPSec-DATA]quit
[USG2-policy-security]quit
[USG2]ike proposal 10
[USG2-ike-proposal-10]encryption-algorithm aes-256
[USG2-ike-proposal-10]authentication-algorithm sha2-512
[USG2-ike-proposal-10]authentication-method pre-share
[USG2-ike-proposal-10]dh group14
[USG2-ike-proposal-10]quit
[USG2]ike peer Spoke1
[USG2-ike-peer-Spoke1]ike-proposal 10
[USG2-ike-peer-Spoke1]exchange-mode main
[USG2-ike-peer-Spoke1]undo version 2
[USG2-ike-peer-Spoke1]nat traversal
[USG2-ike-peer-Spoke1]remote-address 100.1.41.1
[USG2-ike-peer-Spoke1]pre-shared-key Cisco12345
[USG2-ike-peer-Spoke1]quit
[USG2]ipsec proposal ESP
[USG2-ipsec-proposal-ESP]transform esp
[USG2-ipsec-proposal-ESP]esp authentication-algorithm sha2-512
[USG2-ipsec-proposal-ESP]esp encryption-algorithm aes-256
[USG2-ipsec-proposal-ESP]quit
[USG2]acl number 3000 // interesting traffic: Branch1 LAN to the headquarters LAN
[USG2-acl-adv-3000]rule 10 permit ip source 10.2.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255
[USG2-acl-adv-3000]quit
[USG2]ipsec policy Tigerlab 10 isakmp
[USG2-ipsec-policy-isakmp-Tigerlab-10]ike-peer Spoke1
[USG2-ipsec-policy-isakmp-Tigerlab-10]proposal ESP
[USG2-ipsec-policy-isakmp-Tigerlab-10]security acl 3000
[USG2-ipsec-policy-isakmp-Tigerlab-10]quit
[USG2]int g1/0/0
[USG2-GigabitEthernet1/0/0]ipsec policy Tigerlab
[USG2-GigabitEthernet1/0/0]quit

Ping the internal hosts from the firewall; all of them reply.

Branch2 firewall FW3:

[USG3]int lo0
[USG3-LoopBack0]ip add 10.3.3.3 32
[USG3-LoopBack0]quit
[USG3]int g1/0/0
[USG3-GigabitEthernet1/0/0]ip add 100.1.63.3 24
[USG3-GigabitEthernet1/0/0]quit
[USG3]int g1/0/1
[USG3-GigabitEthernet1/0/1]ip add 10.3.143.3 24
[USG3-GigabitEthernet1/0/1]quit
[USG3]firewall zone trust
[USG3-zone-trust]add int g1/0/1
[USG3-zone-trust]quit
[USG3]firewall zone untrust
[USG3-zone-untrust]add int g1/0/0
[USG3-zone-untrust]quit
[USG3]security-policy
[USG3-policy-security]rule name Inside
[USG3-policy-security-rule-Inside]source-zone trust
[USG3-policy-security-rule-Inside]destination-zone local
[USG3-policy-security-rule-Inside]source-zone local
[USG3-policy-security-rule-Inside]destination-zone trust
[USG3-policy-security-rule-Inside]access-authentication
[USG3-policy-security-rule-Inside]action permit
[USG3-policy-security-rule-Inside]quit
[USG3-policy-security]quit
[USG3]int g1/0/1
[USG3-GigabitEthernet1/0/1]service-manage ping permit
[USG3-GigabitEthernet1/0/1]quit
[USG3]ospf 10 router-id 10.3.3.3
[USG3-ospf-10]area 0
[USG3-ospf-10-area-0.0.0.0]net 10.3.3.3 0.0.0.0
[USG3-ospf-10-area-0.0.0.0]net 10.3.143.3 0.0.0.0
[USG3-ospf-10-area-0.0.0.0]quit
[USG3-ospf-10]quit
[USG3]ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 1/0/0 100.1.63.6
[USG3]security-policy
[USG3-policy-security]rule name Internet
[USG3-policy-security-rule-Internet]source-zone trust
[USG3-policy-security-rule-Internet]destination-zone untrust
[USG3-policy-security-rule-Internet]source-address 10.3.0.0 16
[USG3-policy-security-rule-Internet]action permit
[USG3-policy-security-rule-Internet]quit
[USG3-policy-security]quit
[USG3]nat-policy
[USG3-policy-nat]rule name 0 // NAT exemption for VPN traffic to headquarters; keep it above the Internet rule
[USG3-policy-nat-rule-0]source-zone trust
[USG3-policy-nat-rule-0]destination-zone untrust
[USG3-policy-nat-rule-0]destination-address 10.1.0.0 16
[USG3-policy-nat-rule-0]action no-nat
[USG3-policy-nat-rule-0]quit
[USG3-policy-nat]rule name Internet
[USG3-policy-nat-rule-Internet]source-zone trust
[USG3-policy-nat-rule-Internet]destination-zone untrust
[USG3-policy-nat-rule-Internet]source-address 10.3.0.0 16
[USG3-policy-nat-rule-Internet]egress-interface GigabitEthernet 1/0/0
[USG3-policy-nat-rule-Internet]action source-nat easy-ip
[USG3-policy-nat-rule-Internet]quit
[USG3-policy-nat]quit
[USG3]ospf 10
[USG3-ospf-10]default-route-advertise
[USG3-ospf-10]quit
[USG3]security-policy
[USG3-policy-security]rule name IPSec-IN
[USG3-policy-security-rule-IPSec-IN]source-zone untrust
[USG3-policy-security-rule-IPSec-IN]destination-zone local
[USG3-policy-security-rule-IPSec-IN]source-address 100.1.41.1 32
[USG3-policy-security-rule-IPSec-IN]destination-address any
[USG3-policy-security-rule-IPSec-IN]service esp
[USG3-policy-security-rule-IPSec-IN]service protocol udp source-port 500 destination-port 500
[USG3-policy-security-rule-IPSec-IN]service protocol udp source-port 4500 destination-port 4500
[USG3-policy-security-rule-IPSec-IN]action permit
[USG3-policy-security-rule-IPSec-IN]quit
[USG3-policy-security]rule name IPSec-OUT
[USG3-policy-security-rule-IPSec-OUT]source-zone local
[USG3-policy-security-rule-IPSec-OUT]destination-zone untrust
[USG3-policy-security-rule-IPSec-OUT]source-address any
[USG3-policy-security-rule-IPSec-OUT]destination-address 100.1.41.1 32
[USG3-policy-security-rule-IPSec-OUT]service esp
[USG3-policy-security-rule-IPSec-OUT]service protocol udp source-port 500 destination-port 500
[USG3-policy-security-rule-IPSec-OUT]service protocol udp source-port 4500 destination-port 4500
[USG3-policy-security-rule-IPSec-OUT]action permit
[USG3-policy-security-rule-IPSec-OUT]quit
[USG3-policy-security]rule name IPSec-DATA
[USG3-policy-security-rule-IPSec-DATA]source-zone trust
[USG3-policy-security-rule-IPSec-DATA]destination-zone untrust
[USG3-policy-security-rule-IPSec-DATA]source-zone untrust
[USG3-policy-security-rule-IPSec-DATA]destination-zone trust
[USG3-policy-security-rule-IPSec-DATA]source-address 10.1.0.0 16
[USG3-policy-security-rule-IPSec-DATA]destination-address 10.3.0.0 16
[USG3-policy-security-rule-IPSec-DATA]source-address 10.3.0.0 16
[USG3-policy-security-rule-IPSec-DATA]destination-address 10.1.0.0 16
[USG3-policy-security-rule-IPSec-DATA]action permit
[USG3-policy-security-rule-IPSec-DATA]quit
[USG3-policy-security]quit
[USG3]ike proposal 10
[USG3-ike-proposal-10]encryption-algorithm aes-256
[USG3-ike-proposal-10]authentication-algorithm sha2-512
[USG3-ike-proposal-10]authentication-method pre-share
[USG3-ike-proposal-10]dh group14
[USG3-ike-proposal-10]quit
[USG3]ike peer Spoke2
[USG3-ike-peer-Spoke2]ike-proposal 10
[USG3-ike-peer-Spoke2]exchange-mode main
[USG3-ike-peer-Spoke2]undo version 2
[USG3-ike-peer-Spoke2]nat traversal
[USG3-ike-peer-Spoke2]remote-address 100.1.41.1
[USG3-ike-peer-Spoke2]pre-shared-key Cisco12345
[USG3-ike-peer-Spoke2]quit
[USG3]ipsec proposal ESP
[USG3-ipsec-proposal-ESP]transform esp
[USG3-ipsec-proposal-ESP]esp authentication-algorithm sha2-512
[USG3-ipsec-proposal-ESP]esp encryption-algorithm aes-256
[USG3-ipsec-proposal-ESP]quit
[USG3]acl number 3000 // interesting traffic: Branch2 LAN to the headquarters LAN
[USG3-acl-adv-3000]rule 10 permit ip source 10.3.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255
[USG3-acl-adv-3000]quit
[USG3]ipsec policy Tigerlab 10 isakmp
[USG3-ipsec-policy-isakmp-Tigerlab-10]ike-peer Spoke2
[USG3-ipsec-policy-isakmp-Tigerlab-10]proposal ESP
[USG3-ipsec-policy-isakmp-Tigerlab-10]security acl 3000
[USG3-ipsec-policy-isakmp-Tigerlab-10]quit
[USG3]int g1/0/0
[USG3-GigabitEthernet1/0/0]ipsec policy Tigerlab
[USG3-GigabitEthernet1/0/0]quit
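USG1 uses a policy template, so it carries no interesting-traffic ACL of its own: each branch's ACL 3000 proposes the traffic selectors, and the hub must still exempt those networks from NAT (rule 0) and permit them in IPSec-DATA, while the IKE and IPsec proposals and the branch's remote-address must agree with the hub. The following Python checker is an added example, not from the original post; it transcribes the parameters of USG1, USG2 and USG3 from the configurations above into dictionaries and reports anything that would stop a branch from negotiating or passing traffic. The WEAK set is an assumed reviewer baseline, not something the post defines.

```python
import ipaddress


def net(s):
    return ipaddress.ip_network(s, strict=False)


# Parameters transcribed from the USG1 (hub), USG2 and USG3 (branch) configurations above.
HUB = {
    "name": "USG1", "tunnel_local": "100.1.41.1",
    "ike": {"encryption": "aes-256", "authentication": "sha2-512",
            "method": "pre-share", "dh": "group14", "exchange": "main", "version": 1},
    "ipsec": {"transform": "esp", "esp_auth": "sha2-512", "esp_enc": "aes-256"},
    "local_nets": [net("10.1.0.0/16")],                        # IPSec-DATA, trust side
    "no_nat_dsts": [net("10.2.0.0/16"), net("10.3.0.0/16")],   # nat-policy rule 0
}
SPOKES = [
    {"name": "USG2", "remote": "100.1.41.1",
     "ike": dict(HUB["ike"]), "ipsec": dict(HUB["ipsec"]),
     "acl": [(net("10.2.0.0/16"), net("10.1.0.0/16"))]},       # acl 3000 rule 10
    {"name": "USG3", "remote": "100.1.41.1",
     "ike": dict(HUB["ike"]), "ipsec": dict(HUB["ipsec"]),
     "acl": [(net("10.3.0.0/16"), net("10.1.0.0/16"))]},
]

# Assumed baseline: proposal values a reviewer would reject in a new deployment.
WEAK = {"des", "3des", "md5", "sha1", "group1", "group2", "group5"}


def check_spoke(hub, spoke):
    """Return findings where the spoke cannot negotiate or pass traffic with the hub;
    an empty list means the parameters line up."""
    findings = []
    # 1. IKE and IPsec proposals must agree field by field.
    for section in ("ike", "ipsec"):
        for key, hub_val in hub[section].items():
            spoke_val = spoke[section].get(key)
            if spoke_val != hub_val:
                findings.append(f"{spoke['name']}: {section} {key} is {spoke_val!r}, "
                                f"hub has {hub_val!r}")
    # 2. The spoke must point at the address the hub's template binds with tunnel local.
    if spoke["remote"] != hub["tunnel_local"]:
        findings.append(f"{spoke['name']}: remote-address {spoke['remote']} "
                        f"!= hub tunnel local {hub['tunnel_local']}")
    # 3. The hub has no ACL, so the spoke's ACL drives the selectors; the hub must
    #    still NAT-exempt the spoke's source net and own the destination net.
    for src, dst in spoke["acl"]:
        if not any(src.subnet_of(n) for n in hub["no_nat_dsts"]):
            findings.append(f"{spoke['name']}: {src} is not exempted from source NAT on the hub")
        if not any(dst.subnet_of(n) for n in hub["local_nets"]):
            findings.append(f"{spoke['name']}: {dst} is not a hub-side protected network")
    return findings


def weak_algorithms(device):
    """List proposal values on one device that fall in the WEAK set."""
    return [f"{device['name']}: weak {section} {key} {val}"
            for section in ("ike", "ipsec")
            for key, val in device[section].items()
            if str(val).lower() in WEAK]


def audit(hub, spokes):
    """Aggregate findings for the whole hub-and-spoke topology."""
    report = {"hub": weak_algorithms(hub)}
    for spoke in spokes:
        report[spoke["name"]] = check_spoke(hub, spoke) + weak_algorithms(spoke)
    return report


if __name__ == "__main__":
    for device, findings in audit(HUB, SPOKES).items():
        print(device, findings or "OK")
```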

ISP:

AR4:

[AR4]int lo0
[AR4-LoopBack0]ip add 10.1.4.4 32
[AR4-LoopBack0]quit
[AR4]int g0/0/0
[AR4-GigabitEthernet0/0/0]ip add 100.1.41.4 24
[AR4-GigabitEthernet0/0/0]quit
[AR4]int g0/0/1
[AR4-GigabitEthernet0/0/1]ip add 100.1.100.4 24
[AR4-GigabitEthernet0/0/1]quit
[AR4]ospf 10 router-id 10.1.4.4
[AR4-ospf-10]area 0
[AR4-ospf-10-area-0.0.0.0]net 10.1.4.4 0.0.0.0
[AR4-ospf-10-area-0.0.0.0]net 100.1.41.4 0.0.0.0
[AR4-ospf-10-area-0.0.0.0]net 100.1.100.4 0.0.0.0

AR5:

[AR5]int lo0
[AR5-LoopBack0]ip add 10.1.5.5 32
[AR5-LoopBack0]quit
[AR5]int g0/0/0
[AR5-GigabitEthernet0/0/0]ip add 100.1.52.5 24
[AR5-GigabitEthernet0/0/0]quit
[AR5]int g0/0/1
[AR5-GigabitEthernet0/0/1]ip add 100.1.100.5 24
[AR5-GigabitEthernet0/0/1]quit
[AR5]ospf 10 router-id 10.1.5.5
[AR5-ospf-10]area 0
[AR5-ospf-10-area-0.0.0.0]net 10.1.5.5 0.0.0.0
[AR5-ospf-10-area-0.0.0.0]net 100.1.52.5 0.0.0.0
[AR5-ospf-10-area-0.0.0.0]net 100.1.100.5 0.0.0.0

AR6:

[AR6]int lo0
[AR6-LoopBack0]ip add 10.1.6.6 32
[AR6-LoopBack0]quit
[AR6]int g0/0/0
[AR6-GigabitEthernet0/0/0]ip add 100.1.63.6 24
[AR6-GigabitEthernet0/0/0]quit
[AR6]int g0/0/1
[AR6-GigabitEthernet0/0/1]ip add 100.1.100.6 24
[AR6-GigabitEthernet0/0/1]quit
[AR6]int g0/0/2
[AR6-GigabitEthernet0/0/2]ip add 100.1.36.6 24
[AR6-GigabitEthernet0/0/2]quit
[AR6]ospf 10 router-id 10.1.6.6
[AR6-ospf-10]area 0
[AR6-ospf-10-area-0.0.0.0]net 10.1.6.6 0.0.0.0
[AR6-ospf-10-area-0.0.0.0]net 100.1.63.6 0.0.0.0
[AR6-ospf-10-area-0.0.0.0]net 100.1.100.6 0.0.0.0
[AR6-ospf-10-area-0.0.0.0]net 100.1.36.6 0.0.0.0

Testing

(1) Can the hosts in each area ping the ISP's server? Hosts at headquarters and at both branches can all ping the ISP server.

(2) Connectivity test between headquarters and the branches.

Headquarters can now communicate with the branches, which concludes the lab.

Originally published 2021-06-18 on the WeChat public account 网络工程师笔记; shared through Tencent Cloud's self-media sync programme.
