Portal: Cisco router configuration example: https://blog.51cto.com/14227204/2448319
Firewall and router configuration are actually very similar; you can refer to the portal above. Below is a firewall configuration example.
1. Router fault diagnosis and troubleshooting
(1) show crypto isakmp sa
R1:show crypto isakmp sa # shows the state of each ISAKMP SA (the management connection)
MM_NO_STATE: initial state of ISAKMP SA creation; a management connection that failed to come up also stays in this state
MM_SA_SETUP: the peers have successfully negotiated the ISAKMP policy
MM_KEY_EXCH: the peers have created the shared secret via DH; device authentication has not yet taken place
MM_KEY_AUTH: the peers have authenticated each other; next it transitions to QM_IDLE
QM_IDLE: the management connection is established; about to transition to the phase 2 data-connection setup
(2) debug crypto isakmp
R1:debug crypto isakmp # diagnose and troubleshoot problems with the management connection
Fault example 1: the encryption algorithms on the two ends do not match
ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: default group 1
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy! # encryption algorithm does not match
ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0 # the offered policy is not accepted
……
ISAKMP:(0:0:N/A:0):no offers accepted! # no matching policy
……
received packet from 10.0.0.1 dport 500 sport 500 Global (R) MM_NO_STATE # the SA stays in the unsuccessful state
Fault example 2: the pre-shared keys on the two ends differ
ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: default group 1
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0 # algorithms matched; key exchange and authentication begin
……
ISAKMP (0:134217729): received packet from 10.0.0.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
ISAKMP: reserved not zero on ID payload!
%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 10.0.0.1 failed its sanity check or is malformed # integrity check failed; the SA stays in the MM_KEY_EXCH stage
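As an added example (my own Python, not from the original post), the following reads a `debug crypto isakmp` transcript like the two above together with the `show crypto isakmp sa` state list, and reports where phase 1 stopped and the likely cause; the two transcripts inside it are constructed from the excerpts above, not real captures.

```python
import re

# Constructed excerpts modelled on the two debug transcripts above (not real captures).
DEBUG_POLICY_MISMATCH = """\
ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
ISAKMP:      encryption DES-CBC
ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
ISAKMP:(0:0:N/A:0):no offers accepted!
ISAKMP (0:0): received packet from 10.0.0.1 dport 500 sport 500 Global (R) MM_NO_STATE
"""
DEBUG_PSK_MISMATCH = """\
ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
ISAKMP (0:134217729): received packet from 10.0.0.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
ISAKMP: reserved not zero on ID payload!
%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 10.0.0.1 failed its sanity check or is malformed
"""

# Meaning of each main-mode state, as listed for 'show crypto isakmp sa' above.
STATE_MEANING = {
    "MM_NO_STATE": "initial state; also where a failed management connection ends up",
    "MM_SA_SETUP": "ISAKMP policy negotiated successfully",
    "MM_KEY_EXCH": "DH shared secret established, peers not yet authenticated",
    "MM_KEY_AUTH": "peers authenticated, moving to QM_IDLE",
    "QM_IDLE": "phase 1 complete, ready for phase 2 (data connection)",
}
STATE_RE = re.compile(r"received packet from (\S+) .*\(([IR])\) (MM_\w+|QM_IDLE)")

def last_state(output):
    """Return (peer, state) from the last 'received packet ... (R) STATE' line, or (None, None)."""
    peer = state = None
    for m in STATE_RE.finditer(output):
        peer, state = m.group(1), m.group(3)
    return peer, state

def triage(output):
    """Map a debug transcript to the most likely phase 1 failure and what to compare next."""
    peer, state = last_state(output)
    if "does not match policy" in output or "no offers accepted" in output:
        cause = "policy mismatch: compare encryption/hash/group/auth/lifetime on both peers"
    elif state == "MM_KEY_EXCH" and ("failed its sanity check" in output
                                     or "reserved not zero on ID payload" in output):
        cause = "pre-shared key mismatch: DH succeeded, peer authentication failed"
    elif state == "QM_IDLE":
        cause = "phase 1 is up: look at phase 2 (transform-set and crypto ACL) instead"
    else:
        cause = "undetermined from this transcript"
    return peer, state, STATE_MEANING.get(state, "unknown state"), cause
```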
2. Differences between firewall and router:
IKE negotiation:
Enabled by default on routers
Disabled by default on the ASA firewall; it must be enabled manually, as follows:
ASA(config)# crypto isakmp enable outside
Introduction of the tunnel-group feature:
A new feature introduced when the firewall was upgraded from version 6.x to 7.0
Mainly used to simplify the configuration and management of IPsec sessions
3. Starting the configuration
The environment is as follows:
The requirements are as follows:
The lan1 and lan2 areas can reach each other
The lan1 and lan3 areas can reach each other
The lan2 and lan3 areas can reach each other (lan2→lan1→lan3)
All areas can access the ISP in the middle
Note before configuring (sorry, I used routers in place of PCs here, so the verification is a bit brief):
R1 configuration (R3 and R4 are configured similarly):
R1#conf t
R1(config)#int f 0/0
R1(config-if)#ip add 192.168.1.10 255.255.255.0 # configure the interface IP
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1 # default route acting as the gateway
R2 configuration (the ISP does not need any routes):
R2#conf t
R2(config)#int f 0/0 # interface/IP assignment follows the ASAs' default routes: 201/202/203.0.0.1 face ASA1/ASA2/ASA3
R2(config-if)#ip add 201.0.0.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#int f 0/1
R2(config-if)#ip add 202.0.0.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#int f 1/0
R2(config-if)#ip add 203.0.0.1 255.255.255.0
R2(config-if)#no shutdown
(1) Configuration
ASA1 (lan1→lan2) configuration:
ciscoasa> en
Password:
ciscoasa# conf t
ciscoasa(config)# int e 0/0
ciscoasa(config-if)# nameif inside # configure as the inside interface
ciscoasa(config-if)# ip add 192.168.1.1 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# int e 0/1
ciscoasa(config-if)# nameif outside # configure as the outside interface
ciscoasa(config-if)# ip add 201.0.0.2 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# route outside 0 0 201.0.0.1 # default route to the outside via the ISP router R2; 0 here is equivalent to 0.0.0.0
ciscoasa(config)# crypto isakmp enable outside # enable IKE negotiation
ciscoasa(config)# crypto isakmp policy 1 # configure the management connection
ciscoasa(config-isakmp-policy)# encryption aes # encryption: aes
ciscoasa(config-isakmp-policy)# hash md5 # hash: md5
ciscoasa(config-isakmp-policy)# group 2
ciscoasa(config-isakmp-policy)# authentication pre-share # authenticate with a pre-shared key
ciscoasa(config-isakmp-policy)# lifetime 10000
ciscoasa(config-isakmp-policy)# exit
ciscoasa(config)# crypto isakmp key 123.com address 202.0.0.2 # set the pre-shared key for the peer; the firewall offers two ways to do this, the other is used on ASA2 below
ciscoasa(config)# access-list lan1_lan2 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 # ACL for 1.0 to 2.0 (the interesting traffic)
ciscoasa(config)# crypto ipsec transform-set test-set esp-aes esp-md5-hmac # these four lines configure the data connection
ciscoasa(config)# crypto map test-map 1 match address lan1_lan2
ciscoasa(config)# crypto map test-map 1 set peer 202.0.0.2 # the peer is ASA2's outside address
ciscoasa(config)# crypto map test-map 1 set transform-set test-set
ciscoasa(config)# crypto map test-map interface outside # apply to the outside logical interface
ASA2 configuration:
ciscoasa> en
Password:
ciscoasa# conf t
ciscoasa(config)# int e 0/0 # not explaining each command here; it is basically the same as above
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# ip add 202.0.0.2 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# int e 0/1
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# ip add 192.168.2.1 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# route outside 0 0 202.0.0.1
ciscoasa(config)# crypto isakmp enable outside
ciscoasa(config)# crypto isakmp policy 1
ciscoasa(config-isakmp-policy)# encryption aes
ciscoasa(config-isakmp-policy)# hash md5
ciscoasa(config-isakmp-policy)# group 2
ciscoasa(config-isakmp-policy)# authentication pre-share
ciscoasa(config-isakmp-policy)# lifetime 10000
ciscoasa(config-isakmp-policy)# exit
ciscoasa(config)# tunnel-group 201.0.0.2 type ipsec-l2l # the other way of configuring the pre-shared key
ciscoasa(config)# tunnel-group 201.0.0.2 ipsec-attributes
ciscoasa(config-tunnel-ipsec)# pre-shared-key 123.com
ciscoasa(config-tunnel-ipsec)# exit
ciscoasa(config)# access-list lan2_lan1 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ciscoasa(config)# crypto ipsec transform-set test-set esp-aes esp-md5-hmac
ciscoasa(config)# crypto map test-map 1 match address lan2_lan1
ciscoasa(config)# crypto map test-map 1 set peer 201.0.0.2
ciscoasa(config)# crypto map test-map 1 set transform-set test-set
ciscoasa(config)# crypto map test-map interface outside

R1#ping 192.168.2.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.10, timeout is 2 seconds:
!!!!!
ASA1 (lan1→lan3) configuration:
# ASA1 was already configured toward the lan2 area above, so continue on top of that configuration
ciscoasa(config)# tunnel-group 203.0.0.2 type ipsec-l2l
ciscoasa(config)# tunnel-group 203.0.0.2 ipsec-attributes
ciscoasa(config-tunnel-ipsec)# pre-shared-key 123.com
ciscoasa(config-tunnel-ipsec)# exit
ciscoasa(config)# access-list lan1_lan3 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
ciscoasa(config)# crypto map test-map 2 match address lan1_lan3
WARNING: The crypto map entry is incomplete! # this warning is normal at this point
ciscoasa(config)# crypto map test-map 2 set peer 203.0.0.2
WARNING: The crypto map entry is incomplete!
ciscoasa(config)# crypto map test-map 2 set transform-set test-set
ASA3 configuration (basically the same as ASA2):
ciscoasa> en
Password:
ciscoasa# conf t
ciscoasa(config)# int e 0/0
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# ip add 203.0.0.2 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# int e 0/1
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# ip add 192.168.3.1 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# route outside 0 0 203.0.0.1
ciscoasa(config)# crypto isakmp enable outside
ciscoasa(config)# crypto isakmp policy 1
ciscoasa(config-isakmp-policy)# authentication pre-share
ciscoasa(config-isakmp-policy)# encryption aes
ciscoasa(config-isakmp-policy)# hash md5
ciscoasa(config-isakmp-policy)# group 2
ciscoasa(config-isakmp-policy)# lifetime 10000
ciscoasa(config-isakmp-policy)# exit
ciscoasa(config)# crypto isakmp key 123.com address 201.0.0.2
ciscoasa(config)# access-list lan3_lan1 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
ciscoasa(config)# crypto ipsec transform-set test-set esp-aes esp-md5-hmac
ciscoasa(config)# crypto map test-map 1 match address lan3_lan1
ciscoasa(config)# crypto map test-map 1 set peer 201.0.0.2
ciscoasa(config)# crypto map test-map 1 set transform-set test-set
ciscoasa(config)# crypto map test-map interface outside

R4#ping 192.168.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
!!!!!
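As an added check (my own Python, not from the original post or from Cisco), the following parses the parts of two ASA configs that must agree for a site-to-site tunnel (outside address, pre-shared key in either the `crypto isakmp key` or the `tunnel-group` form, crypto map peer, mirrored crypto ACL) and lists the mismatches; the ASA1/ASA2 excerpts are constructed, with ASA1's `set peer` deliberately pointing at the ISP-side 202.0.0.1 instead of ASA2's outside 202.0.0.2 so the check fires.

```python
import re

def parse_asa(cfg):
    """Collect what must agree with the remote peer: outside IP, PSKs, crypto-map peers and ACLs."""
    d = {"outside": None, "psk": {}, "peers": {}, "acl_of": {}, "acls": {}}
    ctx = None                                  # last nameif or tunnel-group seen
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"(?:nameif|tunnel-group) (\S+)", line):
            ctx = m.group(1)
        elif (m := re.match(r"ip address (\S+)", line)) and ctx == "outside":
            d["outside"] = m.group(1)
        elif m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
            d["psk"][m.group(2)] = m.group(1)   # legacy PSK form (ASA1 above)
        elif m := re.match(r"pre-shared-key (\S+)", line):
            d["psk"][ctx] = m.group(1)          # tunnel-group PSK form (ASA2 above)
        elif m := re.match(r"crypto map \S+ (\d+) (set peer|match address) (\S+)", line):
            d["peers" if m.group(2) == "set peer" else "acl_of"][m.group(1)] = m.group(3)
        elif m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            d["acls"].setdefault(m.group(1), set()).add(m.groups()[1:])
    return d

def check_entry(a, seq, b):
    """Check crypto map entry `seq` of A against peer B; returns mismatches (empty = consistent)."""
    errs = []
    ka, kb = a["psk"].get(b["outside"]), b["psk"].get(a["outside"])
    if not ka or ka != kb:
        errs.append("pre-shared keys differ or are bound to the wrong peer address")
    if a["peers"].get(seq) != b["outside"]:
        errs.append(f"seq {seq}: set peer {a['peers'].get(seq)}, but remote outside is {b['outside']}")
    b_seq = next((s for s, p in b["peers"].items() if p == a["outside"]), None)
    theirs = b["acls"].get(b["acl_of"].get(b_seq), set())
    for src, sm, dst, dm in a["acls"].get(a["acl_of"].get(seq), set()):
        if (dst, dm, src, sm) not in theirs:      # crypto ACLs must be exact mirrors
            errs.append(f"crypto ACL entry {src}->{dst} has no mirrored entry on the remote peer")
    return errs

# Constructed excerpts of the ASA1/ASA2 configs above; ASA1's set peer is deliberately wrong.
ASA1 = """nameif outside
ip address 201.0.0.2 255.255.255.0
crypto isakmp key 123.com address 202.0.0.2
access-list lan1_lan2 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map test-map 1 match address lan1_lan2
crypto map test-map 1 set peer 202.0.0.1"""
ASA2 = """nameif outside
ip address 202.0.0.2 255.255.255.0
tunnel-group 201.0.0.2 ipsec-attributes
pre-shared-key 123.com
access-list lan2_lan1 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map test-map 1 match address lan2_lan1
crypto map test-map 1 set peer 201.0.0.2"""
```

Running `check_entry(parse_asa(ASA1), "1", parse_asa(ASA2))` reports only the wrong peer; fixing it to 202.0.0.2 returns an empty list in both directions.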
(2) Enabling lan2→lan3 communication:
ASA1 configuration:
ciscoasa(config)# same-security-traffic permit intra-interface # allow traffic to enter and leave on the same interface (hairpinning on outside)
ciscoasa(config)# access-list lan1_lan2 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
ciscoasa(config)# access-list lan1_lan3 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
ASA2 configuration:
ciscoasa(config)# access-list lan2_lan1 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
ASA3 configuration:
ciscoasa(config)# access-list lan3_lan1 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0 # the name must match the ACL already bound to the crypto map

R3#ping 192.168.3.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.10, timeout is 2 seconds:
!!!!!
(3) Accessing the ISP
If the internal networks need to reach the Internet, configure PAT on the ASAs, enable NAT control, and exempt the VPN traffic from translation.
ASA1 configuration:
ciscoasa(config)# nat-control # enable NAT control
ciscoasa(config)# nat (inside) 1 0 0 # configure PAT for all inside hosts
ciscoasa(config)# global (outside) 1 interface # translate to the outside interface address
# do not reuse the existing ACL entries: there are two (lan1_lan2 and lan1_lan3) and nat 0 cannot exempt both at once, so define a new ACL
ciscoasa(config)# access-list aaa permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ciscoasa(config)# access-list aaa permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
ciscoasa(config)# nat (inside) 0 access-list aaa # NAT exemption for the VPN traffic
ASA2 configuration:
ciscoasa(config)# nat (inside) 1 0 0
ciscoasa(config)# global (outside) 1 interface
ciscoasa(config)# nat (inside) 0 access-list lan2_lan1
ASA3 configuration:
ciscoasa(config)# nat (inside) 1 0 0
ciscoasa(config)# global (outside) 1 interface
ciscoasa(config)# nat (inside) 0 access-list lan3_lan1