Cisco PIX 8.0 Firewall L2L VPN: Resolving Overlapping Addresses, Test (2)

1. Overview
When an L2L VPN is built between a PIX (or an ASA running a release before 8.3) and a router, the preferred place to resolve overlapping addresses is the router. In practice, however, both ends may be PIX or pre-8.3 ASA firewalls. Is there a way to resolve the overlap on the firewalls without cutting the hosts off from the Internet? Testing shows that there is.
2. Basic approach:
A. To resolve the overlap, each side must see the other side's hosts as addresses on some other subnet.
B. On a pre-8.3 PIX/ASA the NAT order of precedence is: NAT exemption (nat 0 access-list) first, then static NAT (regular or policy), then policy dynamic NAT/PAT, then regular dynamic NAT/PAT. A regular static NAT for the whole subnet would therefore outrank the dynamic PAT and translate Internet-bound traffic too, so plain static NAT must be avoided.
C. Policy static NAT has higher precedence than policy PAT.
D. HQ is configured with policy PAT plus NAT exemption (nat 0); the NAT-exemption ACL carves out the traffic destined to the branch's mapped addresses.
---- This way HQ hosts resolve the overlap without losing Internet access.
E. The branch is configured with policy PAT plus policy static NAT. The policy static NAT ACL lists only the branch host's traffic to the mapped address of the HQ host; because policy static NAT has higher precedence than policy PAT, it is evaluated first.
---- So branch hosts keep their Internet access as well.
---- Unlike regular static NAT, policy static NAT does not give a one-to-one mapping of a whole subnet, so this method is only convenient when a few hosts on each side need to reach each other over the VPN; otherwise many policy static NAT entries are needed (in this test only one-to-one policy static NAT could be used for this purpose).
F. The source address of HQ-to-branch traffic is not translated. To keep that flow working, a translation on the branch firewall's Outside interface is required, so that once inside the branch the source appears as an address on another subnet.
G. The test results show that NAT from the Outside interface toward the inside network takes place after VPN decryption, whereas, conversely, NAT from Inside to Outside takes place before VPN encryption.
3. Test topology:
(Topology diagram: 222546203.jpg; not reproduced in this text.)

4. Basic configuration:
A. ERP_HQ router:

interface Ethernet0/0
ip address 172.16.1.2 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 172.16.1.1
B. PIX80_HQ firewall:
interface Ethernet0
nameif Inside
security-level 100
ip address 172.16.1.1 255.255.255.0
no shut
interface Ethernet1
nameif Outside
security-level 0
ip address 202.100.1.1 255.255.255.0
no shut
route Outside 0.0.0.0 0.0.0.0 202.100.1.10
access-list OUTSIDE extended permit icmp any any
access-group OUTSIDE in interface Outside
C. Internet router:
interface Ethernet0/0
ip address 202.100.1.10 255.255.255.0
no shut
interface Ethernet0/1
ip address 202.100.2.10 255.255.255.0
no shut
D. PIX80_Branch firewall:
interface Ethernet0
nameif Inside
security-level 100
ip address 172.16.1.1 255.255.255.0
no shut
interface Ethernet1
nameif Outside
security-level 0
ip address 202.100.2.1 255.255.255.0
no shut
route Outside 0.0.0.0 0.0.0.0 202.100.2.10
access-list OUTSIDE extended permit icmp any any
access-group OUTSIDE in interface Outside
E. ERP_Branch router (the primary address must be configured before the secondary):
interface Ethernet0/0
ip address 172.16.1.2 255.255.255.0
ip address 172.16.1.3 255.255.255.0 secondary
no shut
ip route 0.0.0.0 0.0.0.0 172.16.1.1
5. Firewall NAT configuration:
A. PIX80_HQ firewall:
① Policy PAT:

access-list PAT extended permit ip 172.16.1.0 255.255.255.0 any
nat (Inside) 1 access-list PAT
global (Outside) 1 interface
② NAT exemption:
access-list NAT0 extended permit ip host 172.16.1.2 host 10.1.2.2
nat (Inside) 0 access-list NAT0
B. PIX80_Branch firewall:
① Policy PAT:
access-list PAT extended permit ip 172.16.1.0 255.255.255.0 any
nat (Inside) 1 access-list PAT
global (Outside) 1 interface
② Policy static NAT:
access-list VeiPiN-NAT extended permit ip host 172.16.1.2 host 10.1.1.2
static (Inside,Outside) 10.1.2.2  access-list VeiPiN-NAT
③ Outside NAT (static on the Outside interface):
static (Outside,Inside) 10.1.1.2 172.16.1.2 netmask 255.255.255.255
---- This way, when HQ's untranslated source 172.16.1.2 reaches the branch Outside interface and is decrypted, its address is translated to 10.1.1.2 as the packet enters the inside network.
6. L2L VPN configuration:
A. PIX80_HQ firewall:
① Phase 1 policy:

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
tunnel-group 202.100.2.1 type ipsec-l2l
tunnel-group 202.100.2.1 ipsec-attributes
pre-shared-key cisco
② Phase 2 transform set:
crypto ipsec transform-set transet esp-des esp-md5-hmac
(DES and MD5 are kept here as in the original lab; both are obsolete, and a production tunnel should use an AES/SHA transform set together with an equally strong isakmp policy.)
③ Interesting traffic:
access-list VeiPiN extended permit ip 172.16.1.0 255.255.255.0 10.1.2.0 255.255.255.0
or, more specifically (use one form or the other; the branch ACL must be its exact mirror image):
access-list VeiPiN extended permit ip host 172.16.1.2 host 10.1.2.2
④ Configure and apply the crypto map:
crypto map crymap 10 match address VeiPiN
crypto map crymap 10 set peer 202.100.2.1
crypto map crymap 10 set transform-set transet
crypto map crymap interface Outside
⑤ Enable isakmp on the interface:
crypto isakmp enable Outside
B. PIX80_Branch firewall:
① Phase 1 policy:

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
tunnel-group 202.100.1.1 type ipsec-l2l
tunnel-group 202.100.1.1 ipsec-attributes
pre-shared-key cisco
② Phase 2 transform set:
crypto ipsec transform-set transet esp-des esp-md5-hmac
③ Interesting traffic:
access-list VeiPiN extended permit ip 10.1.2.0 255.255.255.0 172.16.1.0 255.255.255.0
or, more specifically (use one form or the other, matching the form chosen at HQ):
access-list VeiPiN extended permit ip host 10.1.2.2 host 172.16.1.2
④ Configure and apply the crypto map:
crypto map crymap 10 match address VeiPiN
crypto map crymap 10 set peer 202.100.1.1
crypto map crymap 10 set transform-set transet
crypto map crymap interface Outside
⑤ Enable isakmp on the interface:
crypto isakmp enable Outside
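As an added worked example (not configuration or code from the original post), the following Python script models the packet walk that sections 2, 5 and 6 describe: the NAT order of precedence on a pre-8.3 PIX/ASA (nat 0 exemption, then static, then policy dynamic, then regular dynamic), the static on the Outside interface, and the crypto ACL being evaluated on the already translated packet (observation G). It replays the lab's flows through the rules configured above and also shows the regular-static variant that point B warns against. The `Firewall`/`NatRule` classes, the `shift` helper and the flow labels are the example's own simplifications; the addresses and rules are the ones configured on this page.

```python
"""Packet-walk model of the NAT and crypto rules configured on this page.

Added example: it reduces the PIX to the pieces this lab depends on and is not
a reproduction of the firewall's internal processing.
"""
import ipaddress
from dataclasses import dataclass

# NAT order of precedence on PIX 7.x / ASA before 8.3 (lower runs first):
# nat 0 access-list > static (regular or policy) > policy dynamic > regular dynamic
PRECEDENCE = {"exempt": 0, "static": 1, "policy_pat": 2, "pat": 3}


def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def shift(ip, from_net, to_net):
    """Carry the host offset of ip within from_net over to to_net (one-to-one static)."""
    src = ipaddress.ip_network(from_net, strict=False)
    dst = ipaddress.ip_network(to_net, strict=False)
    offset = int(ipaddress.ip_address(ip)) - int(src.network_address)
    return str(dst.network_address + offset)


@dataclass
class NatRule:
    kind: str                 # one of the PRECEDENCE keys
    real_src: str             # real (Inside) source network the rule covers
    mapped: str = None        # mapped network or address; None = nat 0, no translation
    dst: str = "0.0.0.0/0"    # destination condition of the policy ACL; any by default

    def translate(self, src):
        if self.mapped is None:
            return src                       # NAT exemption leaves the address alone
        if self.kind != "static":
            return self.mapped               # PAT: everything hides behind one address
        return shift(src, self.real_src, self.mapped)


@dataclass
class Firewall:
    inside_rules: list        # nat/static rules whose real interface is Inside
    outside_static: dict      # static (Outside,Inside): mapped address -> real address
    crypto_acl: list          # (src_net, dst_net) lines of the crypto map ACL

    def egress(self, src, dst):
        """Inside -> Outside: NAT is applied first, then the crypto ACL decides encrypt/clear."""
        # policy NAT ACLs match the packet as the inside host sent it (dst = mapped address)
        for rule in sorted(self.inside_rules, key=lambda r: PRECEDENCE[r.kind]):
            if in_net(src, rule.real_src) and in_net(dst, rule.dst):
                src = rule.translate(src)
                break
        dst = self.outside_static.get(dst, dst)  # outside static: mapped dst -> real dst
        encrypted = any(in_net(src, s) and in_net(dst, d) for s, d in self.crypto_acl)
        return src, dst, encrypted

    def ingress(self, src, dst):
        """Outside -> Inside after decryption: the same translations applied in reverse."""
        for mapped, real in self.outside_static.items():
            if src == real:
                src = mapped                 # remote host shows up under its mapped address
        for rule in self.inside_rules:
            if rule.kind == "static" and in_net(dst, rule.mapped):
                dst = shift(dst, rule.mapped, rule.real_src)
        return src, dst


# PIX80_HQ: policy PAT plus NAT exemption toward the branch's mapped host
HQ = Firewall(
    inside_rules=[
        NatRule("exempt", "172.16.1.2/32", dst="10.1.2.2/32"),   # nat (Inside) 0 access-list NAT0
        NatRule("policy_pat", "172.16.1.0/24", "202.100.1.1"),    # nat (Inside) 1 access-list PAT
    ],
    outside_static={},
    crypto_acl=[("172.16.1.0/24", "10.1.2.0/24")],
)

# PIX80_Branch: policy PAT, policy static NAT toward the HQ mapped host, outside static
BRANCH = Firewall(
    inside_rules=[
        NatRule("static", "172.16.1.2/32", "10.1.2.2/32", dst="10.1.1.2/32"),  # access-list VeiPiN-NAT
        NatRule("policy_pat", "172.16.1.0/24", "202.100.2.1"),
    ],
    outside_static={"10.1.1.2": "172.16.1.2"},   # static (Outside,Inside) 10.1.1.2 172.16.1.2
    crypto_acl=[("10.1.2.0/24", "172.16.1.0/24")],
)


def branch_with_regular_static():
    """The variant point B warns against: a regular static for the whole subnet."""
    rules = [NatRule("static", "172.16.1.0/24", "10.1.2.0/24"),   # static (Inside,Outside) 10.1.2.0 172.16.1.0
             NatRule("policy_pat", "172.16.1.0/24", "202.100.2.1")]
    return Firewall(rules, BRANCH.outside_static, BRANCH.crypto_acl)


if __name__ == "__main__":
    print("HQ -> branch    ", HQ.egress("172.16.1.2", "10.1.2.2"))
    print("HQ -> Internet  ", HQ.egress("172.16.1.2", "202.100.1.10"))
    print("branch -> HQ    ", BRANCH.egress("172.16.1.2", "10.1.1.2"))
    print("branch -> Inet  ", BRANCH.egress("172.16.1.2", "202.100.2.10"))
    print("seen at branch  ", BRANCH.ingress("172.16.1.2", "10.1.2.2"))
    print("bad static, Inet", branch_with_regular_static().egress("172.16.1.2", "202.100.2.10"))
```

Running it prints, for each flow, the translated packet and whether it matched the crypto ACL: HQ to the branch leaves untranslated and encrypted, HQ to the Internet leaves as 202.100.1.1 in the clear, the branch host leaves as 10.1.2.2 toward 172.16.1.2 and encrypted, and after decryption at the branch the HQ host is seen as 10.1.1.2, which is exactly what `show users` reports in the test below. With the regular static instead, the branch's Internet flow leaves with source 10.1.2.2, which is why point B avoids it.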
7. Tests:
A. Internet connectivity test:

① ERP_HQ router:
ERP_HQ#ping 202.100.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/94/292 ms
ERP_HQ#
Internet#debug ip icmp
ICMP packet debugging is on
Internet#
*Mar  2 07:36:11.648: ICMP: echo reply sent, src 202.100.1.10, dst 202.100.1.1
*Mar  2 07:36:11.768: ICMP: echo reply sent, src 202.100.1.10, dst 202.100.1.1
*Mar  2 07:36:11.856: ICMP: echo reply sent, src 202.100.1.10, dst 202.100.1.1
*Mar  2 07:36:12.096: ICMP: echo reply sent, src 202.100.1.10, dst 202.100.1.1
*Mar  2 07:36:12.132: ICMP: echo reply sent, src 202.100.1.10, dst 202.100.1.1
② ERP_Branch router:
ERP_Branch#ping 202.100.2.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.2.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/92/344 ms
ERP_Branch#
Internet#debug ip icmp
ICMP packet debugging is on
Internet#
*Mar  2 07:36:57.536: ICMP: echo reply sent, src 202.100.2.10, dst 202.100.2.1
*Mar  2 07:36:57.896: ICMP: echo reply sent, src 202.100.2.10, dst 202.100.2.1
*Mar  2 07:36:57.976: ICMP: echo reply sent, src 202.100.2.10, dst 202.100.2.1
*Mar  2 07:36:57.988: ICMP: echo reply sent, src 202.100.2.10, dst 202.100.2.1
*Mar  2 07:36:58.000: ICMP: echo reply sent, src 202.100.2.10, dst 202.100.2.1
B. VPN access test:
① ERP_HQ router:

ERP_HQ#telnet 10.1.2.2  
Trying 10.1.2.2 ... Open

User Access Verification

Password:
ERP_Branch>show users
   Line       User       Host(s)              Idle       Location
  0 con 0                idle                 00:00:55  
*130 vty 0                idle                 00:00:00 10.1.1.2

 Interface    User               Mode         Idle     Peer Address

ERP_Branch>
② ERP_Branch router:
ERP_Branch#telnet 10.1.1.2
Trying 10.1.1.2 ... Open


User Access Verification

Password:
ERP_HQ>show users
   Line       User       Host(s)              Idle       Location
  0 con 0                idle                 00:00:17  
*130 vty 0                idle                 00:00:00 10.1.2.2

 Interface    User               Mode         Idle     Peer Address

ERP_HQ>
--- Note: with this configuration, only the two devices ERP_HQ and ERP_Branch can actually communicate with each other over the VPN; the policy static NAT and the Outside static are one-to-one host mappings, so every additional pair of hosts needs its own entries.