
[Repost] IPsec configuration for traversing a NAT device (NAT

 for1976 2014-04-17

I. Lab topology:


II. Lab requirements:
1. R2 simulates the ISP; configure PAT on R1 so that the inside network can reach the Internet.
2. Build an IPsec VPN between the two firewalls, with the connection passing through the NAT device; configure both ends so that the peers successfully establish the IPsec connection. (Choose the IP addresses yourself, but use as few public IP addresses as possible.)

III. Configuration notes.

When the management connection (UDP port 500) or the data connection (UDP port 4500) is initiated from the outside side of the PAT device, the PAT device has no way to tell which inside device the connection is meant for, so the connection fails. Ports 500 and 4500 therefore have to be statically mapped to the inside device; the specific commands are as follows:
1. Basic configuration:
ciscoasa (config-if)# ho ASA1
ASA1(config)# int e0/0
ASA1(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA1(config-if)# ip add 192.168.1.254 255.255.255.0
ASA1(config-if)# no sh
ASA1(config-if)# int e0/1
ASA1(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA1(config-if)# ip add 192.168.2.1 255.255.255.0
ASA1(config-if)# no sh

R1(config)#int f1/0
R1(config-if)#ip add 192.168.2.2 255.255.255.0
R1(config-if)#no sh
R1(config-if)#int f0/0
R1(config-if)#ip add 12.0.0.1 255.255.255.0
R1(config-if)#no sh


R2(config)#int f0/0
R2(config-if)#ip add 12.0.0.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#int f1/0
R2(config-if)#ip add 23.0.0.2 255.255.255.0
R2(config-if)#no sh

ASA2(config)# int e0/1
ASA2(config-if)# nameif outside
ASA2(config-if)# ip add 23.0.0.3 255.255.255.0
ASA2(config-if)# no sh
ASA2(config-if)# int e0/0
ASA2(config-if)# nameif inside
ASA2(config-if)# ip add 172.16.1.254 255.255.255.0
ASA2(config-if)# no sh


ASA1(config)# route outside 0 0 192.168.2.2
ASA1(config)# access-list haha permit icmp any any
ASA1(config)# access-group haha in interface outside

R1(config)#ip route 0.0.0.0 0.0.0.0 12.0.0.2
R1(config)#ip route 192.168.1.0 255.255.255.0 192.168.2.1


ASA2(config)# route outside 0 0 23.0.0.2
ASA2(config)# access-list haha permit icmp any any
ASA2(config)# access-group haha in interface outside

R1(config)#access-list 101 deny ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
R1(config)#access-list 101 permit ip 192.168.1.0 0.0.0.255 any

R1(config)#int f1/0
R1(config-if)#ip nat inside
R1(config-if)#int f0/0
R1(config-if)#ip nat outside
R1(config)#ip nat inside source list 101 interface f0/0 overload

ASA2(config)# nat (inside) 1 0 0
ASA2(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool

// Private-to-public access works; next, use the VPN to carry traffic between the two private networks.
ASA1(config)# access-list 200 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

ASA1(config)# crypto isakmp enable outside
ASA1(config)# crypto isakmp policy 10
ASA1(config-isakmp-policy)# authentication pre-share
ASA1(config-isakmp-policy)# encryption des
ASA1(config-isakmp-policy)# hash md5
ASA1(config-isakmp-policy)# group 2
ASA1(config-isakmp-policy)# exit

ASA1(config)# crypto isakmp key cisco address 23.0.0.3

ASA1(config)# crypto ipsec transform-set mytrans esp-des esp-md5-hmac

ASA1(config)# crypto map mymap 10 set peer 23.0.0.3
ASA1(config)# crypto map mymap 10 set transform-set mytrans
ASA1(config)# crypto map mymap 10 match address 200

ASA1(config)# crypto map mymap interface outside


ASA2(config)# access-list 200 permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
ASA2(config)# crypto isakmp enable outside
ASA2(config)# crypto isakmp policy 10
ASA2(config-isakmp-policy)# authentication pre-share
ASA2(config-isakmp-policy)# encryption des
ASA2(config-isakmp-policy)# hash md5
ASA2(config-isakmp-policy)# group 2
ASA2(config-isakmp-policy)# exit

ASA2(config)# crypto isakmp key cisco address 12.0.0.1
ASA2(config)# crypto ipsec transform-set mytrans esp-des esp-md5-hmac

ASA2(config)# crypto map mymap 10 set peer 12.0.0.1
ASA2(config)# crypto map mymap 10 set transform-set mytrans
ASA2(config)# crypto map mymap 10 match address 200
ASA2(config)# crypto map mymap interface outside

ASA2(config)# access-list no-nat permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
ASA2(config)# nat (inside) 0 access-list no-nat

R1(config)#ip nat inside source static udp 192.168.2.1 500 interface f0/0 500
R1(config)#ip nat inside source static udp 192.168.2.1 4500 interface f0/0 4500
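The reason the peers end up on UDP 4500 is IKE's NAT detection: each side sends NAT-D payloads carrying a hash of its own address and port, and the receiver recomputes the hash over the source address and port it actually sees on the wire. The following Python script, added here as an example and not part of the original post or of any Cisco code, walks that comparison for the lab's addresses (ASA1 at 192.168.2.1 behind R1's public address 12.0.0.1, ASA2 at 23.0.0.3) using the MD5 hash negotiated in the ISAKMP policy above. The ISAKMP cookie values are constructed placeholders, and the check is reduced to the source-address comparison (the real exchange also carries hashes of the destination address).

```python
import hashlib
import ipaddress
import struct

# Constructed sample values: ISAKMP cookies are 8 bytes each. These are arbitrary
# example bytes, not taken from any real exchange.
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")

# Addresses from the lab above: ASA1's outside interface sits behind R1's PAT,
# whose public address is 12.0.0.1; ASA2's outside interface is 23.0.0.3.
ASA1_OUTSIDE = "192.168.2.1"
R1_PUBLIC = "12.0.0.1"
ASA2_OUTSIDE = "23.0.0.3"
IKE_PORT = 500
NAT_T_PORT = 4500


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int,
               hash_name: str = "md5") -> bytes:
    """NAT-D payload content, RFC 3947 section 4: HASH(CKY-I | CKY-R | IP | Port).

    IP is the 4-octet IPv4 address and Port is 2 octets in network byte order.
    HASH is the algorithm negotiated in the ISAKMP policy; the lab uses 'hash md5'.
    """
    data = cky_i + cky_r + ipaddress.IPv4Address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def nat_between(sent_hash: bytes, observed_ip: str, observed_port: int,
                cky_i: bytes, cky_r: bytes, hash_name: str = "md5") -> bool:
    """Receiver-side check: recompute the hash over the source address and port
    actually seen on the wire. A mismatch means a NAT rewrote them in transit."""
    return nat_d_hash(cky_i, cky_r, observed_ip, observed_port, hash_name) != sent_hash


def lab_nat_detection() -> dict:
    """Walk the NAT-D exchange for the lab topology and report what each side learns."""
    # ASA1 hashes its own (pre-translation) address. R1's static UDP 500 mapping
    # rewrites the source to 12.0.0.1:500, so ASA2 sees a different address.
    asa1_sends = nat_d_hash(CKY_I, CKY_R, ASA1_OUTSIDE, IKE_PORT)
    asa1_behind_nat = nat_between(asa1_sends, R1_PUBLIC, IKE_PORT, CKY_I, CKY_R)

    # ASA2's packet reaches ASA1 with its source unchanged (no NAT on that side).
    asa2_sends = nat_d_hash(CKY_I, CKY_R, ASA2_OUTSIDE, IKE_PORT)
    asa2_behind_nat = nat_between(asa2_sends, ASA2_OUTSIDE, IKE_PORT, CKY_I, CKY_R)

    # If a NAT is detected on either side, both peers move IKE and ESP to UDP 4500,
    # which is why the ASA output below reports endpoints on /4500 and NAT-T-Encaps.
    data_port = NAT_T_PORT if (asa1_behind_nat or asa2_behind_nat) else IKE_PORT
    return {
        "asa1_behind_nat": asa1_behind_nat,
        "asa2_behind_nat": asa2_behind_nat,
        "port_after_detection": data_port,
    }


if __name__ == "__main__":
    print(lab_nat_detection())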

Test:
C:\>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 192.168.1.1: bytes=32 time=65ms TTL=128
Reply from 192.168.1.1: bytes=32 time=36ms TTL=128
Reply from 192.168.1.1: bytes=32 time=46ms TTL=128
Reply from 192.168.1.1: bytes=32 time=42ms TTL=128

Ping statistics for 192.168.1.1:
      Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 36ms, Maximum = 65ms, Average = 47ms

ASA2# sho crypto isakmp sa

     Active SA: 1
      Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1     IKE Peer: 12.0.0.1
      Type      : L2L               Role      : responder
      Rekey     : no                State     : MM_ACTIVE

ASA2# sho crypto ipsec sa
interface: outside
      Crypto map tag: mymap, seq num: 10, local addr: 23.0.0.3

        access-list 200 permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
        local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
        remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
        current_peer: 12.0.0.1

        #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
        #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 7, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0

        local crypto endpt.: 23.0.0.3/4500, remote crypto endpt.: 12.0.0.1/4500
        path mtu 1500, ipsec overhead 66, media mtu 1500
        current outbound spi: 164EF763

      inbound esp sas:
        spi: 0xBAC6472B (3133556523)
           transform: esp-des esp-md5-hmac none
           in use settings ={L2L, Tunnel, NAT-T-Encaps, }
           slot: 0, conn_id: 4096, crypto-map: mymap
           sa timing: remaining key lifetime (kB/sec): (4274999/28704)
           IV size: 8 bytes
           replay detection support: Y
      outbound esp sas:
        spi: 0x164EF763 (374273891)
           transform: esp-des esp-md5-hmac none
           in use settings ={L2L, Tunnel, NAT-T-Encaps, }
           slot: 0, conn_id: 4096, crypto-map: mymap
           sa timing: remaining key lifetime (kB/sec): (4274999/28703)
           IV size: 8 bytes
           replay detection support: Y
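To verify a tunnel like the one above without reading the whole output by eye, the following Python checker, added here as an example and not part of the original post, parses the relevant lines of the ASA's `show crypto ipsec sa` output (a constructed copy of the output above, embedded in the script), confirms that NAT-T is in effect (both crypto endpoints on port 4500 and NAT-T-Encaps on every SA), that packets are being encapsulated and decapsulated without errors, and flags the DES and HMAC-MD5 transforms negotiated in this lab, which a current deployment would replace with AES and SHA-2. The regular expressions are written against the output format shown on this page and are an assumption for other software versions.

```python
import re

# Constructed sample: the lines of the 'show crypto ipsec sa' output shown above,
# trimmed to what the checker needs.
SAMPLE_OUTPUT = """\
interface: outside
      Crypto map tag: mymap, seq num: 10, local addr: 23.0.0.3

        access-list 200 permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
        local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
        remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
        current_peer: 12.0.0.1

        #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
        #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
        #send errors: 0, #recv errors: 0

        local crypto endpt.: 23.0.0.3/4500, remote crypto endpt.: 12.0.0.1/4500
        current outbound spi: 164EF763

      inbound esp sas:
        spi: 0xBAC6472B (3133556523)
           transform: esp-des esp-md5-hmac none
           in use settings ={L2L, Tunnel, NAT-T-Encaps, }
      outbound esp sas:
        spi: 0x164EF763 (374273891)
           transform: esp-des esp-md5-hmac none
           in use settings ={L2L, Tunnel, NAT-T-Encaps, }
"""

ENDPT_RE = re.compile(
    r"local crypto endpt\.: (\S+)/(\d+), remote crypto endpt\.: (\S+)/(\d+)"
)
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERROR_RE = re.compile(r"#(send|recv) errors: (\d+)")
SETTINGS_RE = re.compile(r"in use settings =\{([^}]*)\}")
TRANSFORM_RE = re.compile(r"transform: (.+)")
PEER_RE = re.compile(r"current_peer: (\S+)")

# Transform keywords a reviewer would flag; DES and HMAC-MD5 are what this lab negotiates.
WEAK_TRANSFORMS = {"esp-des", "esp-md5-hmac"}


def check_ipsec_sa(text: str) -> dict:
    """Summarise one crypto-map entry of 'show crypto ipsec sa': NAT-T state,
    traffic counters, error counters and weak transforms, as a plain dict."""
    m = ENDPT_RE.search(text)
    if m is None:
        raise ValueError("no crypto endpoint line found")
    local_ep = (m.group(1), int(m.group(2)))
    remote_ep = (m.group(3), int(m.group(4)))

    counters = {name: int(val) for name, val in COUNTER_RE.findall(text)}
    errors = sum(int(val) for _, val in ERROR_RE.findall(text))

    # NAT-T is only considered active when every SA (inbound and outbound) carries
    # the NAT-T-Encaps flag and both endpoints are on UDP 4500.
    settings = [
        {item.strip() for item in grp.split(",") if item.strip()}
        for grp in SETTINGS_RE.findall(text)
    ]
    nat_t = (bool(settings) and all("NAT-T-Encaps" in s for s in settings)
             and local_ep[1] == 4500 and remote_ep[1] == 4500)

    transforms = set()
    for line in TRANSFORM_RE.findall(text):
        transforms.update(tok for tok in line.split() if tok != "none")
    weak = sorted(transforms & WEAK_TRANSFORMS)

    peer = PEER_RE.search(text)
    encaps = counters.get("encaps", 0)
    decaps = counters.get("decaps", 0)
    return {
        "peer": peer.group(1) if peer else None,
        "local_endpoint": local_ep,
        "remote_endpoint": remote_ep,
        "nat_t": nat_t,
        "encaps": encaps,
        "decaps": decaps,
        "errors": errors,
        "traffic_flowing": encaps > 0 and decaps > 0,
        "weak_transforms": weak,
    }


if __name__ == "__main__":
    for key, value in check_ipsec_sa(SAMPLE_OUTPUT).items():
        print(f"{key}: {value}")
```

Run the script against a pasted output, or feed it the live command output from a monitoring job; a result with `nat_t` false while a NAT sits in the path, or with `encaps` rising while `decaps` stays at zero, points at the NAT device rather than the crypto configuration.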
