一. Overview
I have tested two ways of solving the overlapping-address problem on PIX 8.0 and never felt either was quite right. These days I happen to be reading the ASA NAT documentation and thought that a static NAT of the form static (Outside,Inside) could solve it; the rack was free, so I tested it there.
二. Basic idea:
A. Both ends are ASA 8.0. After the L2L VPN is built, configure a static NAT for the remote network (static (Outside,Inside)) on each firewall, so that each side reaches the other side's 172.16.1.0/24 through a non-overlapping mapped subnet.
三. Test topology (reconstructed from the configuration in section 四; both LANs use the same overlapping 172.16.1.0/24):
ERP_HQ (172.16.1.2, .3) --- Inside 172.16.1.1 [ASA-HQ] Outside 202.100.1.1 --- 202.100.1.10 [Internet] 202.100.2.10 --- Outside 202.100.2.1 [ASA-Branch] Inside 172.16.1.1 --- ERP_Branch (172.16.1.2, .3)
四. Basic configuration:
A. ERP_HQ router:
interface GigabitEthernet0/0
ip address 172.16.1.3 255.255.255.0 secondary
ip address 172.16.1.2 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 172.16.1.1
B. ASA-HQ:
interface GigabitEthernet0/0
nameif Inside
security-level 100
ip address 172.16.1.1 255.255.255.0
no shut
interface GigabitEthernet0/1
nameif Outside
security-level 0
ip address 202.100.1.1 255.255.255.0
no shut
route Outside 0.0.0.0 0.0.0.0 202.100.1.10 1
C. Internet router:
interface GigabitEthernet0/0
ip address 202.100.1.10 255.255.255.0
no shut
interface GigabitEthernet0/1
ip address 202.100.2.10 255.255.255.0
no shut
D. ASA-Branch:
interface GigabitEthernet0/0
nameif Inside
security-level 100
ip address 172.16.1.1 255.255.255.0
no shut
interface GigabitEthernet0/1
nameif Outside
security-level 0
ip address 202.100.2.1 255.255.255.0
no shut
route Outside 0.0.0.0 0.0.0.0 202.100.2.10 1
E. ERP_Branch router:
interface GigabitEthernet0/0
ip address 172.16.1.3 255.255.255.0 secondary
ip address 172.16.1.2 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 172.16.1.1
五. Firewall NAT configuration:
A. ASA-HQ:
① Dynamic PAT:
access-list PAT extended permit ip 172.16.0.0 255.255.0.0 any
nat (Inside) 1 access-list PAT
global (Outside) 1 interface
② Static NAT (the branch's real 172.16.1.0/24 is seen from the HQ Inside as 172.16.101.0/24):
static (Outside,Inside) 172.16.101.0 172.16.1.0 netmask 255.255.255.0
③ NAT exemption:
access-list NONAT extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
nat (Inside) 0 access-list NONAT
---Note: the NAT exemption ACL must also cover the addresses produced by the static NAT (here 172.16.0.0/16 covers both the real 172.16.1.0/24 and the mapped 172.16.101.0/24). Otherwise, after the static translation the packet is still subjected to the dynamic PAT, its source becomes the Outside interface address, and it no longer matches the crypto ACL (interesting traffic).
B. ASA-Branch:
① Dynamic PAT:
access-list PAT extended permit ip 172.16.0.0 255.255.0.0 any
nat (Inside) 1 access-list PAT
global (Outside) 1 interface
② Static NAT (the HQ's real 172.16.1.0/24 is seen from the branch Inside as 172.16.100.0/24):
static (Outside,Inside) 172.16.100.0 172.16.1.0 netmask 255.255.255.0
③ NAT exemption:
access-list NONAT extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
nat (Inside) 0 access-list NONAT
---Note: as on ASA-HQ, the NAT exemption ACL must cover the mapped 172.16.100.0/24 as well as the real 172.16.1.0/24; otherwise the packet is PAT'ed after the static translation and no longer matches the crypto ACL.
六. Firewall L2L VPN configuration:
A. ASA-HQ:
① Phase 1 policy:
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
tunnel-group 202.100.2.1 type ipsec-l2l
tunnel-group 202.100.2.1 ipsec-attributes
pre-shared-key cisco
② Phase 2 transform set:
crypto ipsec transform-set transet esp-des esp-md5-hmac
③ Interesting traffic (matched on the packet as it leaves after NAT, i.e. real source to real destination):
access-list VeiPiN extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
④ Configure the crypto map and apply it to the interface:
crypto map crymap 10 match address VeiPiN
crypto map crymap 10 set peer 202.100.2.1
crypto map crymap 10 set transform-set transet
crypto map crymap interface Outside
crypto isakmp enable Outside
B. ASA-Branch:
① Phase 1 policy:
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
tunnel-group 202.100.1.1 type ipsec-l2l
tunnel-group 202.100.1.1 ipsec-attributes
pre-shared-key cisco
② Phase 2 transform set:
crypto ipsec transform-set transet esp-des esp-md5-hmac
③ Interesting traffic:
access-list VeiPiN extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
④ Configure the crypto map and apply it to the interface:
crypto map crymap 10 match address VeiPiN
crypto map crymap 10 set peer 202.100.1.1
crypto map crymap 10 set transform-set transet
crypto map crymap interface Outside
crypto isakmp enable Outside
---Note: the lab uses 3DES/MD5 for phase 1, esp-des/esp-md5-hmac for phase 2 and the pre-shared key cisco. DES and MD5 are deprecated; a production tunnel should use AES and SHA-based transforms and a strong pre-shared key (or certificates).
七. Tests:
A. From ERP_HQ to ERP_Branch (the branch host 172.16.1.3 is addressed as 172.16.101.3; the branch sees the HQ host as 172.16.100.2):
ERP_HQ#PING 172.16.101.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.101.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
ERP_HQ#te
*Jul 10 03:34:15.142: ICMP: echo reply rcvd, src 172.16.101.3, dst 172.16.1.2
*Jul 10 03:34:15.146: ICMP: echo reply rcvd, src 172.16.101.3, dst 172.16.1.2
*Jul 10 03:34:15.146: ICMP: echo reply rcvd, src 172.16.101.3, dst 172.16.1.2
*Jul 10 03:34:15.150: ICMP: echo reply rcvd, src 172.16.101.3, dst 172.16.1.2
ERP_Branch(config-line)#
*Mar 31 14:57:59.470: ICMP: echo reply sent, src 172.16.1.3, dst 172.16.100.2
*Mar 31 14:57:59.474: ICMP: echo reply sent, src 172.16.1.3, dst 172.16.100.2
*Mar 31 14:57:59.474: ICMP: echo reply sent, src 172.16.1.3, dst 172.16.100.2
*Mar 31 14:57:59.478: ICMP: echo reply sent, src 172.16.1.3, dst 172.16.100.2
ERP_HQ#telnet 172.16.101.3
Trying 172.16.101.3 ... Open
User Access Verification
Password:
ERP_Branch>show users
Line User Host(s) Idle Location
*514 vty 0 idle 00:00:00 172.16.100.2
Interface User Mode Idle Peer Address
ERP_Branch>
B. From ERP_Branch to ERP_HQ (the HQ host 172.16.1.3 is addressed as 172.16.100.3; HQ sees the branch host as 172.16.101.2):
ERP_Branch#ping 172.16.100.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.100.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
ERP_Branch#
*Mar 31 15:15:51.374: ICMP: echo reply rcvd, src 172.16.100.3, dst 172.16.1.2
*Mar 31 15:15:51.374: ICMP: echo reply rcvd, src 172.16.100.3, dst 172.16.1.2
*Mar 31 15:15:51.378: ICMP: echo reply rcvd, src 172.16.100.3, dst 172.16.1.2
*Mar 31 15:15:51.378: ICMP: echo reply rcvd, src 172.16.100.3, dst 172.16.1.2
*Mar 31 15:15:51.378: ICMP: echo reply rcvd, src 172.16.100.3, dst 172.16.1.2
ERP_HQ(config-line)#
*Jul 10 03:52:07.029: ICMP: echo reply sent, src 172.16.1.3, dst 172.16.101.2
*Jul 10 03:52:07.033: ICMP: echo reply sent, src 172.16.1.3, dst 172.16.101.2
*Jul 10 03:52:07.033: ICMP: echo reply sent, src 172.16.1.3, dst 172.16.101.2
*Jul 10 03:52:07.037: ICMP: echo reply sent, src 172.16.1.3, dst 172.16.101.2
*Jul 10 03:52:07.037: ICMP: echo reply sent, src 172.16.1.3, dst 172.16.101.2
ERP_Branch#telnet 172.16.100.3
Trying 172.16.100.3 ... Open
User Access Verification
Password:
ERP_HQ>show users
Line User Host(s) Idle Location
0 con 0 idle 00:01:24
*514 vty 0 idle 00:00:00 172.16.101.2
Interface User Mode Idle Peer Address
ERP_HQ>
---Note: the one drawback of this approach is that a host cannot reach the host on the other side that has the same host number as itself (for example, HQ's 172.16.1.2 cannot reach the branch's 172.16.1.2 via 172.16.101.2). The source address is not translated before it enters the tunnel, so once the destination is untranslated back to 172.16.1.2 the packet has identical source and destination, and the receiving ASA drops it.
---The ASA packet-tracer shows the drop, as follows:
ASA-Branch# packet-tracer input Outside icmp 172.16.1.2 8 0 172.16.1.2
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.1.0 255.255.255.0 Inside
Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed
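The following model of the NAT order of operations on the two firewalls is an added example, not code from the original page. It uses the page's own addresses and ACLs and reproduces three things the text describes: the mapped addresses each LAN sees (section 七 A and B), the drop of the same-host-number packet (the note and packet-tracer above), and the author's note in section 五 that the NAT exemption must cover the mapped subnet. The order in which the exemption ACL is evaluated (against the destination as the Inside host sent it) is an assumption taken from that note, and `HQ_NARROW_NONAT` is a hypothetical misconfiguration built only to show the failure; it is not an ASA emulator.

```python
"""NAT order of operations for the two overlapping-subnet ASAs above.

Added example, not code from the original page. It models only the pieces of
the pre-8.3 NAT logic that the lab exercises (static (Outside,Inside),
nat 0 exemption, dynamic PAT, the crypto ACL and the identical-src/dst drop)
with the page's own addresses; it is not an ASA emulator.
"""
from ipaddress import ip_address, ip_network


class Asa:
    """One firewall: Outside address (PAT pool), one static (Outside,Inside)
    entry, the nat 0 exemption ACL and the crypto ACL (sections 四 to 六)."""

    def __init__(self, name, outside_ip, mapped_net, real_net, nonat_acl, crypto_acl):
        self.name = name
        self.outside_ip = ip_address(outside_ip)
        # static (Outside,Inside) <mapped> <real>: the real hosts live behind
        # Outside (the peer's LAN); Inside hosts address them via <mapped>.
        self.mapped_net = ip_network(mapped_net)
        self.real_net = ip_network(real_net)
        self.nonat_acl = [(ip_network(s), ip_network(d)) for s, d in nonat_acl]
        self.crypto_acl = [(ip_network(s), ip_network(d)) for s, d in crypto_acl]

    @staticmethod
    def _rewrite(addr, from_net, to_net):
        """Netmask static NAT: keep the host part, replace the network part."""
        host = int(addr) - int(from_net.network_address)
        return ip_address(int(to_net.network_address) + host)

    @staticmethod
    def _permits(acl, src, dst):
        return any(src in s and dst in d for s, d in acl)

    def inside_to_outside(self, src, dst):
        """Packet from an Inside host. Returns (src, dst, 'encrypt'|'clear')."""
        src, dst = ip_address(src), ip_address(dst)
        dst_as_sent = dst
        # 1. Destination untranslation through the static (Outside,Inside) entry.
        if dst in self.mapped_net:
            dst = self._rewrite(dst, self.mapped_net, self.real_net)
        # 2. Source NAT: nat (Inside) 0 exemption wins over nat (Inside) 1 + global PAT.
        #    Assumption, following the author's note in section 五: the exemption
        #    ACL is matched against the destination as the Inside host sent it
        #    (the mapped address), so the ACL has to cover the mapped subnet too.
        if not self._permits(self.nonat_acl, src, dst_as_sent):
            src = self.outside_ip  # dynamic PAT to the Outside interface address
        # 3. Crypto map: interesting traffic is evaluated on the post-NAT packet.
        action = "encrypt" if self._permits(self.crypto_acl, src, dst) else "clear"
        return src, dst, action

    def outside_to_inside(self, src, dst):
        """Decrypted packet entering on Outside. Returns (src, dst, action)."""
        src, dst = ip_address(src), ip_address(dst)
        # Slowpath security check shown by the page's packet-tracer: a packet
        # whose source equals its destination is dropped (sp-security-failed).
        if src == dst:
            return src, dst, "drop: sp-security-failed"
        # Source translation through the static (Outside,Inside) entry, so the
        # receiving LAN sees the peer through the non-overlapping mapped subnet.
        if src in self.real_net:
            src = self._rewrite(src, self.real_net, self.mapped_net)
        return src, dst, "forward"


VPN_ACL = [("172.16.0.0/16", "172.16.0.0/16")]  # NONAT and VeiPiN are identical
HQ = Asa("ASA-HQ", "202.100.1.1", "172.16.101.0/24", "172.16.1.0/24", VPN_ACL, VPN_ACL)
BRANCH = Asa("ASA-Branch", "202.100.2.1", "172.16.100.0/24", "172.16.1.0/24", VPN_ACL, VPN_ACL)
# Hypothetical misconfiguration for the note in section 五: an exemption ACL
# that covers only the real /24 and not the mapped one.
HQ_NARROW_NONAT = Asa("ASA-HQ", "202.100.1.1", "172.16.101.0/24", "172.16.1.0/24",
                      [("172.16.1.0/24", "172.16.1.0/24")], VPN_ACL)


def trace(sender, receiver, src, dst):
    """Follow one packet from a LAN behind `sender` towards `receiver`.
    Returns (src, dst, action) as strings, as seen at the last hop reached."""
    s, d, action = sender.inside_to_outside(src, dst)
    if action != "encrypt":
        return str(s), str(d), action  # left in the clear, never enters the tunnel
    s, d, action = receiver.outside_to_inside(s, d)
    return str(s), str(d), action


if __name__ == "__main__":
    cases = [
        (HQ, BRANCH, "172.16.1.2", "172.16.101.3"),             # section 七 A
        (BRANCH, HQ, "172.16.1.3", "172.16.100.2"),             # its echo reply
        (HQ, BRANCH, "172.16.1.2", "172.16.101.2"),             # same host number
        (HQ_NARROW_NONAT, BRANCH, "172.16.1.2", "172.16.101.3"),  # exemption too narrow
        (HQ, BRANCH, "172.16.1.2", "202.100.1.10"),             # section 七 C
    ]
    for sender, receiver, src, dst in cases:
        print(f"{sender.name}: {src} -> {dst}: {trace(sender, receiver, src, dst)}")
```

Running the block prints the same addresses the debug output above shows: the branch host sees the HQ host as 172.16.100.2 and HQ sees the branch host as 172.16.101.3, the 172.16.1.2 to 172.16.101.2 packet arrives at ASA-Branch with identical source and destination and is dropped, and with the narrowed exemption ACL the packet leaves ASA-HQ PAT'ed to 202.100.1.1 in the clear instead of entering the tunnel.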
C. Internet access from both sides still works normally (the replies from the Internet router go to the PAT'ed interface addresses 202.100.1.1 and 202.100.2.1, so this traffic bypasses the tunnel):
ERP_HQ#ping 202.100.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
ERP_HQ#
*Jul 10 04:03:59.073: ICMP: echo reply rcvd, src 202.100.1.10, dst 172.16.1.2
*Jul 10 04:03:59.073: ICMP: echo reply rcvd, src 202.100.1.10, dst 172.16.1.2
*Jul 10 04:03:59.073: ICMP: echo reply rcvd, src 202.100.1.10, dst 172.16.1.2
*Jul 10 04:03:59.073: ICMP: echo reply rcvd, src 202.100.1.10, dst 172.16.1.2
*Jul 10 04:03:59.077: ICMP: echo reply rcvd, src 202.100.1.10, dst 172.16.1.2
Internet#debug ip icmp
ICMP packet debugging is on
Internet#
*Aug 2 14:28:00.205: ICMP: echo reply sent, src 202.100.1.10, dst 202.100.1.1
*Aug 2 14:28:00.209: ICMP: echo reply sent, src 202.100.1.10, dst 202.100.1.1
*Aug 2 14:28:00.209: ICMP: echo reply sent, src 202.100.1.10, dst 202.100.1.1
*Aug 2 14:28:00.209: ICMP: echo reply sent, src 202.100.1.10, dst 202.100.1.1
*Aug 2 14:28:00.209: ICMP: echo reply sent, src 202.100.1.10, dst 202.100.1.1
ERP_Branch#ping 202.100.2.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.2.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
ERP_Branch#
*Mar 31 15:32:55.286: ICMP: echo reply rcvd, src 202.100.2.10, dst 172.16.1.2
*Mar 31 15:32:55.290: ICMP: echo reply rcvd, src 202.100.2.10, dst 172.16.1.2
*Mar 31 15:32:55.290: ICMP: echo reply rcvd, src 202.100.2.10, dst 172.16.1.2
*Mar 31 15:32:55.290: ICMP: echo reply rcvd, src 202.100.2.10, dst 172.16.1.2
*Mar 31 15:32:55.290: ICMP: echo reply rcvd, src 202.100.2.10, dst 172.16.1.2
Internet#debug ip icmp
ICMP packet debugging is on
Internet#
*Aug 2 14:28:41.561: ICMP: echo reply sent, src 202.100.2.10, dst 202.100.2.1
*Aug 2 14:28:41.565: ICMP: echo reply sent, src 202.100.2.10, dst 202.100.2.1
*Aug 2 14:28:41.565: ICMP: echo reply sent, src 202.100.2.10, dst 202.100.2.1
*Aug 2 14:28:41.565: ICMP: echo reply sent, src 202.100.2.10, dst 202.100.2.1
*Aug 2 14:28:41.569: ICMP: echo reply sent, src 202.100.2.10, dst 202.100.2.1