案例介绍
本例介绍总部和分支机构三点、异厂商设备通过IPSec VPN互联,同时IPSec设备有NAT时如何建立IPSec隧道。全文分为:
组网拓扑
配置思路
配置步骤
结果验证
设备信息
共五个部份来介绍。
一、组网拓扑
某企业分为总部(A)和分支机构(B)、分支机构(C)。
如下图所示:
(建议在稿纸上画草图,标好端口及IP,以便后续配置查看)
组网如下:
总部(A)分别和分支机构(B)、分支机构(C)通过FW_A、FW_B和FW_C与Internet相连。
FW_A、FW_B和FW_C三点之间公网路由可达。
总部FW_A、分支机构FW_B、分支机构FW_C三点均为固定公网地址。
FW_A、FW_B和FW_C同时为NAT网关。
要求实现的需求如下:
PC1、PC2和PC3都可以直接访问公网。
FW_A和FW_B、FW_A和FW_C之间建立IPSec隧道。
分支机构PC2、PC3能与总部PC1之间进行安全通信。
二、配置思路
完成FW_A、FW_B和FW_C的接口、安全策略、路由等基本配置。
在FW_A、FW_B、FW_C上完成源NAT的配置。终端PC1、PC2、PC3经过NAT后可以访问Internet的数据。
在FW_A和FW_B、FW_A和FW_C上完成IPSec的配置。终端PC1和PC2、PC1和PC3经过IPSec隧道的数据流不需要经过NAT转换。
三、配置步骤
1、总部(A)设备基础配置
防火墙接口配置
interface GigabitEthernet1/0/0
undo shutdown
ip address 111.11.11.11 255.255.255.240
service-manage ping permit
service-manage ssh permit
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.10.255.1 255.255.255.0
service-manage ping permit
service-manage ssh permit
service-manage telnet permit
quit
ip route-static 0.0.0.0 0.0.0.0 111.11.11.1
ip route-static 10.1.1.0 255.255.255.0 10.10.255.2
交换机接口配置
interface Ethernet0/0
no switchport
no shutdown
ip address 10.10.255.2 255.255.255.0
exit
exit
ping 10.10.255.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.255.1, timeout is 2 seconds:
...!!
Success rate is 40 percent (2/5), round-trip min/avg/max = 1/2/3 ms
configure terminal
interface Vlan1
shutdown
vlan 110
interface Vlan110
no shutdown
ip address 10.1.1.1 255.255.255.0
interface Ethernet0/1
no shutdown
switchport access vlan 110
exit
ip route 0.0.0.0 0.0.0.0 10.10.255.1
2、分支机构(B)设备基础配置
防火墙接口配置
int g0/0
no shutdown
nameif outside
security-level 0
ip add 223.23.23.23 255.255.255.240
int g0/1
no shutdown
nameif inside
security-level 100
ip add 10.20.255.1 255.255.255.0
quit
route outside 0.0.0.0 0.0.0.0 223.23.23.17
route inside 10.2.2.0 255.255.255.0 10.20.255.2
交换机接口配置
interface Ethernet0/0
no shdown
no switchport
ip add 10.20.255.2 255.255.255.0
int vlan 1
shut
vlan 100
int vlan 100
ip add 10.2.2.1 255.255.255.0
no shdown
exit
int e0/1
no shdown
switchport access vlan 100
exit
ip route 0.0.0.0 0.0.0.0 10.20.255.1
exit
ping 10.20.255.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.255.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/5 ms
3、分支机构(C)设备基础配置
防火墙接口配置
interface GigabitEthernet1/0/0
undo shutdown
ip address 123.13.13.13 255.255.255.0
service-manage ping permit
service-manage ssh permit
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.30.255.1 255.255.255.0
service-manage ping permit
service-manage ssh permit
service-manage telnet permit
quit
ip route-static 0.0.0.0 0.0.0.0 123.13.13.1
ip route-static 10.3.3.0 255.255.255.0 10.30.255.2
交换机接口配置
interface Ethernet0/0
no switchport
no shutdown
ip address 10.30.255.2 255.255.255.0
exit
exit
ping 10.30.255.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.30.255.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
configure terminal
interface Vlan1
shutdown
vlan 130
interface Vlan130
no shutdown
ip address 10.3.3.1 255.255.255.0
interface Ethernet0/1
no shutdown
switchport access vlan 130
exit
ip route 0.0.0.0 0.0.0.0 10.30.255.1
3、NAT配置
总部(A)防火墙NAT配置
[HQ-A]ip address-set to_Internet type object
[HQ-A-object-address-set-to_Internet] address 0 10.1.1.0 mask 24
[HQ-A-object-address-set-to_Internet]
[HQ-A-object-address-set-to_Internet]quit
[HQ-A]security-policy
[HQ-A-policy-security] default action permit
[HQ-A-policy-security]quit
[HQ-A]nat-policy
[HQ-A-policy-nat] rule name to_Internet
[HQ-A-policy-nat-rule-to_Internet] source-zone trust
[HQ-A-policy-nat-rule-to_Internet] destination-zone untrust
[HQ-A-policy-nat-rule-to_Internet] source-address address-set to_Internet
[HQ-A-policy-nat-rule-to_Internet] action nat easy-ip
[HQ-A-policy-nat-rule-to_Internet]qui
[HQ-A-policy-nat]qui
[HQ-A]
在总部(A)交换机上对公网地址发起ping操做
如下图所示:
在总部(A)防火墙上可看到内网地址已被NAT
如下图所示:
分支机构(B)防火墙NAT配置
Branch-B(config)# object network to-Internet
Branch-B(config-network-object)# subnet 0.0.0.0 0.0.0.0
Branch-B(config-network-object)# nat (inside,outside) dynamic interface
Branch-B(config-network-object)#
在分支机构(B)交换机上对公网地址发起ping操做
如下图所示:
在分支机构(B)防火墙上可看到内网地址已被NAT
如下图所示:
分支机构(C)防火墙NAT配置
[Branch-C]ip address-set to_Outside type object
[Branch-C-object-address-set-to_Outside] address 0 10.3.3.0 mask 24
[Branch-C-object-address-set-to_Outside]quit
[Branch-C]nat-policy
[Branch-C-policy-nat]rule name to_Internet
[Branch-C-policy-nat-rule-to_Internet] source-zone trust
[Branch-C-policy-nat-rule-to_Internet] destination-zone untrust
[Branch-C-policy-nat-rule-to_Internet] source-address address-set to_Outside
[Branch-C-policy-nat-rule-to_Internet] action nat easy-ip
[Branch-C-policy-nat-rule-to_Internet] qui
[Branch-C-policy-nat] qui
[Branch-C]security-policy
[Branch-C-policy-security] default action permit
[Branch-C-policy-security]
[Branch-C-policy-security]qui
[Branch-C]
在分支机构(C)交换机上对公网地址发起ping操做
如下图所示:
在分支机构(C)防火墙上可看到内网地址已被NAT
如下图所示:
4、总部(A)防火墙VPN配置
4.1、配置IPSec安全提议。缺省参数可不配置。
[HQ-A] ipsec proposal asa
[HQ-A-ipsec-proposal-tran1] esp authentication-algorithm md5
[HQ-A-ipsec-proposal-tran1] esp encryption-algorithm des
[HQ-A-ipsec-proposal-tran1] quit
[HQ-A] ipsec proposal USG_C
[HQ-A-ipsec-proposal-USG_C] esp authentication-algorithm md5
[HQ-A-ipsec-proposal-USG_C] esp encryption-algorithm des
[HQ-A-ipsec-proposal-USG_C] quit
4.2、配置IKE安全提议。缺省参数可不配置。
[HQ-A] ike proposal 1
[HQ-A-ike-proposal-1] encryption-algorithm 3des
[HQ-A-ike-proposal-1] prf hmac-sha1
[HQ-A-ike-proposal-1] authentication-algorithm sha1
[HQ-A-ike-proposal-1] authentication-method pre-share
[HQ-A-ike-proposal-1] integrity-algorithm hmac-sha1-96
[HQ-A-ike-proposal-1] dh group2
[HQ-A-ike-proposal-1] quit
[HQ-A] ike proposal 2
[HQ-A-ike-proposal-2] encryption-algorithm 3des
[HQ-A-ike-proposal-2] prf hmac-sha1
[HQ-A-ike-proposal-2] authentication-algorithm sha1
[HQ-A-ike-proposal-2] authentication-method pre-share
[HQ-A-ike-proposal-2] integrity-algorithm hmac-sha1-96
[HQ-A-ike-proposal-2] dh group2
[HQ-A-ike-proposal-2] quit
4.3、配置IKE peer。
[HQ-A] ike peer asa
[HQ-A-ike-peer-asa] ike-proposal 1
[HQ-A-ike-peer-asa] remote-address 223.23.23.23
[HQ-A-ike-peer-asa] pre-shared-key Cisco@123
[HQ-A-ike-peer-asa] quit
[HQ-A] ike peer USG_C
[HQ-A-ike-peer-USG_C] ike-proposal 2
[HQ-A-ike-peer-USG_C] remote-address 123.13.13.13
[HQ-A-ike-peer-USG_C] pre-shared-key Cisco@123
[HQ-A-ike-peer-USG_C] quit
4.4、定义被保护的数据流
[HQ-A] acl 3000
[HQ-A-acl-adv-3000] rule 10 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.2.0 0.0.0.255
[HQ-A-acl-adv-3000] quit
[HQ-A] acl 3005
[HQ-A-acl-adv-3005] rule 10 permit ip source 10.1.1.0 0.0.0.255 destination 10.3.3.0 0.0.0.255
[HQ-A-acl-adv-3005] quit
4.5、配置IPSec策略。
[HQ-A] ipsec policy ipsec 10 isakmp
[HQ-A-ipsec-policy-isakmp-ipsec-10] security acl 3000
[HQ-A-ipsec-policy-isakmp-ipsec-10] proposal asa
[HQ-A-ipsec-policy-isakmp-ipsec-10] ike-peer asa
[HQ-A-ipsec-policy-isakmp-ipsec-10] quit
[HQ-A] ipsec policy ipsec 20 isakmp
[HQ-A-ipsec-policy-isakmp-ipsec-20] security acl 3005
[HQ-A-ipsec-policy-isakmp-ipsec-20] proposal USG_C
[HQ-A-ipsec-policy-isakmp-ipsec-20] ike-peer USG_C
[HQ-A-ipsec-policy-isakmp-ipsec-20] quit
4.6、在接口GE1/0/0上应用IPSec策略组
[HQ-A] interface GigabitEthernet 1/0/0
[HQ-A-GigabitEthernet1/0/0] ipsec policy ipsec
[HQ-A-GigabitEthernet1/0/0] quit
5、分支机构(B)防火墙VPN配置
5.1、配置IKE
Branch-B(config)# crypto ikev1 enable outside
Branch-B(config)# crypto ikev1 policy 1
Branch-B(config-ikev1-policy)# authentication pre-share
Branch-B(config-ikev1-policy)# encryption 3des
Branch-B(config-ikev1-policy)# hash sha
Branch-B(config-ikev1-policy)# group 2
Branch-B(config-ikev1-policy)# lifetime 86400
Branch-B(config-ikev1-policy)# quit
Branch-B(config)tunnel-group 111.11.11.11 type ipsec-l2l
Branch-B(config)# tunnel-group 111.11.11.11 ipsec-attributes
Branch-B(config-tunnel-ipsec)# ikev1 pre-shared-key Cisco@123
Branch-B(config-tunnel-ipsec)# quit
5.2、配置IPSec
Branch-B(config)# crypto ipsec ikev1 transform-set trans esp-des esp-md5-hmac
Branch-B(config)# quit
5.3、定义感兴趣流
Branch-B(config)# access-list to-HQ EXtended PERmit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
Branch-B(config)# quit
5.4、关联IPSec策略
Branch-B(config)# crypto map l2l 10 match address to-HQ
Branch-B(config)# crypto map l2l 10 set peer 111.11.11.11
Branch-B(config)# crypto map l2l 10 set ikev1 transform-set trans
Branch-B(config)# quit
5.5、在outside接口上调用l2l策略
Branch-B(config)# crypto map l2l interface outside
6、分支机构(C)防火墙VPN配置
6.1、配置IPSec安全提议。缺省参数可不配置。
[Branch-C] ipsec proposal USG_A
[Branch-C-ipsec-proposal-USG_A] esp authentication-algorithm md5
[Branch-C-ipsec-proposal-USG_A] esp encryption-algorithm des
[Branch-C-ipsec-proposal-USG_A] quit
6.2、配置IKE安全提议。缺省参数可不配置。
[Branch-C] ike proposal 2
[Branch-C-ike-proposal-2] encryption-algorithm 3des
[Branch-C-ike-proposal-2] prf hmac-sha1
[Branch-C-ike-proposal-2] authentication-algorithm sha1
[Branch-C-ike-proposal-2] authentication-method pre-share
[Branch-C-ike-proposal-2] integrity-algorithm hmac-sha1-96
[Branch-C-ike-proposal-2] dh group2
[Branch-C-ike-proposal-2] quit
6.3、配置IKE peer。
[Branch-C] ike peer USG_A
[Branch-C-ike-peer-USG_A] ike-proposal 2
[Branch-C-ike-peer-USG_A] remote-address 111.11.11.11
[Branch-C-ike-peer-USG_A] pre-shared-key Cisco@123
[Branch-C-ike-peer-USG_A] quit
6.4、定义被保护的数据流
[Branch-C] acl 3005
[Branch-C-acl-adv-3005] rule 10 permit ip source 10.3.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[Branch-C-acl-adv-3005] quit
6.5、配置IPSec策略。
[Branch-C] ipsec policy ipsec 20 isakmp
[Branch-C-ipsec-policy-isakmp-ipsec-20] security acl 3005
[Branch-C-ipsec-policy-isakmp-ipsec-20] proposal USG_A
[Branch-C-ipsec-policy-isakmp-ipsec-20] ike-peer USG_A
[Branch-C-ipsec-policy-isakmp-ipsec-20] quit
6.6、在接口GE1/0/0上应用IPSec策略组
[Branch-C] interface GigabitEthernet 1/0/0
[Branch-C-GigabitEthernet1/0/0] ipsec policy ipsec
[Branch-C-GigabitEthernet1/0/0] quit
7、NAT穿越
7.1、在总部(A)防火墙上定义10.1.1.0/24到10.2.2.0/24、10.1.1.0/24到10.3.3.0/24的流量不进行NAT转换,从VPN隧道转发。
配置如下:
[HQ-A]ip address-set local_address type object
[HQ-A-object-address-set-local_address] address 0 10.1.1.0 mask 24
[HQ-A-object-address-set-remote_address]quit
[HQ-A] ip address-set remote_address type object
[HQ-A-object-address-set-remote_address] address 0 10.2.2.0 mask 24
[HQ-A-object-address-set-remote_address] address 1 10.3.3.0 mask 24
[HQ-A-object-address-set-remote_address]quit
[HQ-A]
[HQ-A]nat-policy
[HQ-A-policy-nat] rule name nonat
[HQ-A-policy-nat-rule-nonat] source-zone trust
[HQ-A-policy-nat-rule-nonat] destination-zone untrust
[HQ-A-policy-nat-rule-nonat] source-address address-set local_address
[HQ-A-policy-nat-rule-nonat] destination-address address-set remote_address
[HQ-A-policy-nat-rule-nonat] action no-nat
7.2、在分支机构(B)防火墙上定义10.2.2.0/24到10.1.1.0/24的流量不进行NAT转换,从VPN隧道转发。
配置如下:
Branch-B(config)# object network local-address
Branch-B(config-network-object)# subnet 10.2.2.0 255.255.255.0
Branch-B(config-network-object)# quit
Branch-B(config)# object network remote-address
Branch-B(config-network-object)# subnet 10.1.1.0 255.255.255.0
Branch-B(config-network-object)# quit
Branch-B(config)# nat (inside,outside) source static local-address local-address destination static remote-address remote-address
7.3、在分支机构(C)防火墙上定义10.3.3.0/24到10.1.1.0/24的流量不进行NAT转换,从VPN隧道转发。
配置如下:
ip address-set local_address type object
address 0 10.3.3.0 mask 24
quit
ip address-set remote_address type object
address 0 10.1.1.0 mask 24
quit
nat-policy
rule name nonat
source-zone trust
destination-zone untrust
source-address address-set local_address
destination-address address-set remote_address
action no-nat
五、结果验证
1、发起ping操做
在总部交换机和分支机构交换机上带网关地址发起ping操做。
如下图所示:
2、查看IKE信息
在总部(A)防火墙上可看到相应的IKE信息。
如下图所示:
在分支机构(B)防火墙上可看到IKE已协商成功,IPSec也已建立成功。
如下图所示:
在分支机构(C)防火墙上也可看到相应的IKE信息。
如下图所示:
六、设备信息
本实验中
USG设备版本:Version 5.160
ASA设备版本:Version 9.4(1)200
交换机设备版本:无特殊要求,支持三层即可
领取专属 10元无门槛券
私享最新 技术干货