Category: System operations

2016-01-27 15:17:29

Configuration example: dynamic IPsec with NAT between a statically addressed IOS router and a dynamically addressed PIX

The Cisco ASA 5500 series running software version 7.x behaves like PIX version 7.x; the configuration in this document applies to both product families.

On the PIX, the access-list and nat 0 commands work together. When users on the 10.1.1.0 network go to the 10.2.1.0 network, the access list lets that 10.1.1.0 traffic be encrypted without NAT. On the router, a deny entry in the NAT access list likewise keeps the 10.2.1.0-to-10.1.1.0 traffic out of NAT so that it can be encrypted. When the same users go anywhere else (such as the Internet), they are translated to the outside interface IP address through Port Address Translation (PAT).

To keep tunnel traffic out of PAT while traffic bound for the Internet is PATed, use the following commands on the PIX security appliance (pre-7.0 syntax; the full 7.x configuration follows). The NAT-exempt access list must name exactly the same source and destination networks as the crypto access list: a flow that is PATed first no longer matches the crypto ACL and leaves for the Internet in the clear instead of entering the tunnel. Note also that DES, MD5 and DH group 1, used throughout this example, are obsolete and appear only because the original document uses them; on current software keep the same structure but choose AES, SHA-2 and a larger DH group.

access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.1.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
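The check a practitioner would want after writing those commands, as an added example that is not part of the original Cisco document: a Python script that parses the PIX access-list, nat 0 and crypto map lines together with the router's NAT access-list, and reports any crypto-ACL flow that would still be translated on either peer. It understands both the PIX/ASA subnet-mask form (with or without the extended keyword) and the IOS wildcard-mask form, and it evaluates the router ACL in order, so a permit placed before the deny is caught too. The sample configurations are constructed from this page; PIX_TYPO reproduces a 10.2.2.0 mismatch of the kind that is easy to make so that the check has something to report. All function and variable names are this example's own.

```python
import ipaddress
import re
from collections import defaultdict

# Sample configs constructed from the page: the PIX 7.x lines as shown, plus a
# copy with the NAT-exempt ACL pointing at the wrong destination network.
PIX_GOOD = """\
access-list IPSec-traffic extended permit ip 10.1.1.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list NO-NAT extended permit ip 10.1.1.0 255.255.255.0 10.2.1.0 255.255.255.0
nat (inside) 0 access-list NO-NAT
nat (inside) 1 0.0.0.0 0.0.0.0
crypto map IPSEC 10 match address IPSec-traffic
"""
PIX_TYPO = PIX_GOOD.replace("NO-NAT extended permit ip 10.1.1.0 255.255.255.0 10.2.1.0",
                            "NO-NAT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0")
IOS_CFG = """\
access-list 100 deny ip 10.2.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 permit ip 10.2.1.0 0.0.0.255 any
"""

# PIX/ASA ACLs use subnet masks ("extended" is optional in pre-7.0 syntax);
# IOS numbered ACLs use wildcard masks.  Only "ip" entries are handled.
PIX_ACL = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?(permit|deny)\s+ip\s+"
                     r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
IOS_ACL = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(.+)$")
NAT0 = re.compile(r"^nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)$")
CRYPTO_MATCH = re.compile(r"^crypto map\s+\S+\s+\d+\s+match address\s+(\S+)$")


def net_from_mask(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def net_from_wildcard(tokens):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # An IOS wildcard is the bitwise inverse of the subnet mask.
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    return net_from_mask(tok, str(ipaddress.ip_address(0xFFFFFFFF ^ wildcard)))


def parse_pix(text):
    """Return (acls, nat0_acl_name, crypto_acl_name) from PIX config lines."""
    acls, nat0, crypto = defaultdict(list), None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := PIX_ACL.match(line):
            name, action, s, sm, d, dm = m.groups()
            acls[name].append((action, net_from_mask(s, sm), net_from_mask(d, dm)))
        elif m := NAT0.match(line):
            nat0 = m.group(1)
        elif m := CRYPTO_MATCH.match(line):
            crypto = m.group(1)
    return acls, nat0, crypto


def parse_ios_acls(text):
    """Return {acl number: [(action, src_net, dst_net), ...]} in config order."""
    acls = defaultdict(list)
    for line in (raw.strip() for raw in text.splitlines()):
        if m := IOS_ACL.match(line):
            num, action, rest = m.groups()
            tokens = rest.split()
            src = net_from_wildcard(tokens)
            dst = net_from_wildcard(tokens)
            acls[num].append((action, src, dst))
    return acls


def first_match(entries, src, dst):
    """Action of the first entry that contains the whole flow, else None."""
    for action, s, d in entries:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
    return None


def check_nat_exemption(pix_cfg, ios_cfg, ios_nat_acl):
    """List the crypto-ACL flows that would be translated on either peer."""
    acls, nat0, crypto = parse_pix(pix_cfg)
    if not (nat0 and crypto):
        return ["PIX: no 'nat ... 0 access-list' or 'crypto map ... match address' found"]
    ios_acls = parse_ios_acls(ios_cfg)
    problems = []
    for action, src, dst in acls[crypto]:
        if action != "permit":
            continue
        if first_match(acls[nat0], src, dst) != "permit":
            problems.append(f"PIX: {src} -> {dst} is in {crypto} but not exempted by {nat0}")
        # The router sees the mirrored flow; its NAT ACL must hit a deny first.
        if first_match(ios_acls[ios_nat_acl], dst, src) != "deny":
            problems.append(f"IOS: {dst} -> {src} would be PATed by access-list {ios_nat_acl}")
    return problems


if __name__ == "__main__":
    for label, cfg in (("as configured", PIX_GOOD), ("with the 10.2.2.0 typo", PIX_TYPO)):
        print(label, check_nat_exemption(cfg, IOS_CFG, "100") or ["OK"])
```

Run it against a saved show running-config from each box; the only inputs it needs are the access-list, nat and crypto map lines, so the rest of the configuration can be pasted in unchanged.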

PIX version 7.0 and later

pixfirewall#show running-config
PIX Version 7.2(2)
!
hostname pixfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!

!--- The outside interface learns its IP address dynamically from the
!--- service provider. Because that address is not known in advance, the
!--- router side uses a dynamic crypto map and only the PIX can initiate
!--- the tunnel.

interface Ethernet0
 nameif outside
 security-level 0
 ip address dhcp
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.2 255.255.255.0
!
!

!--- Output is suppressed.

!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive

!--- This access list (IPSec-traffic) selects the VPN interesting traffic
!--- to be encrypted.

access-list IPSec-traffic extended permit ip 10.1.1.0 255.255.255.0 10.2.1.0 255.255.255.0

!--- This access list (NO-NAT) is referenced by the nat 0 command so that
!--- traffic matching it is not translated. It must cover the same flows as
!--- IPSec-traffic: a flow that is PATed first no longer matches the crypto
!--- ACL and is routed to the Internet in the clear instead of into the tunnel.

access-list NO-NAT extended permit ip 10.1.1.0 255.255.255.0 10.2.1.0 255.255.255.0

pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400

!--- NAT 0 exempts the networks listed in NO-NAT from translation.
!--- The nat 1 / global 1 pair applies PAT to the outside interface
!--- address for all other inside traffic.

global (outside) 1 interface
nat (inside) 0 access-list NO-NAT
nat (inside) 1 0.0.0.0 0.0.0.0

!--- The default route is static here although the outside address comes
!--- from DHCP; "ip address dhcp setroute" on the outside interface would
!--- install the DHCP-supplied gateway instead.

route outside 0.0.0.0 0.0.0.0 172.16.1.2 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart

!--- PHASE 2 CONFIGURATION ---!
!--- The transform set for Phase 2 is defined here: single DES encryption
!--- with the MD5 HMAC, matching the transform set on the router. Both
!--- algorithms are obsolete and are kept only to mirror the original example.

crypto ipsec transform-set DYN-TS esp-des esp-md5-hmac

!--- Define which traffic should be sent to the IPsec peer.

crypto map IPSEC 10 match address IPSec-traffic

!--- Sets the IPsec peer (the router's static outside address).

crypto map IPSEC 10 set peer 192.168.1.2

!--- Sets the IPsec transform set "DYN-TS"
!--- to be used with the crypto map entry "IPSEC".

crypto map IPSEC 10 set transform-set DYN-TS

!--- Applies the crypto map to the outside interface.

crypto map IPSEC interface outside

!--- Enables ISAKMP on the outside interface.

crypto isakmp enable outside

!--- PHASE 1 CONFIGURATION ---!

!--- This configuration uses isakmp policy 10.
!--- Policy 65535 is included in the configuration by default.
!--- The commands here define the Phase 1 policy parameters that are used.
!--- Policy 10 (DES, MD5, DH group 1) is the one that matches the router's
!--- policy 10; policy 65535 is matched only if the peer offers 3DES/SHA/group 2.

crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400

crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

!--- To create and manage the database of connection-specific records
!--- for IPsec LAN-to-LAN (L2L) tunnels, use the tunnel-group
!--- command in global configuration mode.
!--- For L2L connections the name of the tunnel group MUST be the IP
!--- address of the IPsec peer.

tunnel-group 192.168.1.2 type ipsec-l2l

!--- Enter the pre-shared key under the ipsec-attributes
!--- in order to configure the authentication method. The key is masked
!--- as "*" in show output; it must be identical to the key the router
!--- binds to the wildcard address (cisco123 in this example).

tunnel-group 192.168.1.2 ipsec-attributes
 pre-shared-key *

telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d609c9eaf51c154f147b3b4ba3c834e0
: end
pixfirewall#
Router configuration

Router#show running-config
Current configuration : 1354 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
!
!
ip cef
!

!--- Configuration for IKE policies.
!--- Enters the IKE policy configuration (config-isakmp) command mode,
!--- where the parameters used during an IKE negotiation are specified.
!--- Attributes not set here take the IOS defaults (encryption des,
!--- group 1, lifetime 86400), so this policy is DES/MD5/pre-share/group 1
!--- and matches policy 10 on the PIX.

crypto isakmp policy 10
 hash md5
 authentication pre-share

!--- Specifies the pre-shared key "cisco123", which must be identical
!--- on both peers. This is a global configuration mode command. Bound
!--- to 0.0.0.0 0.0.0.0 it accepts any peer that presents this key, which
!--- is unavoidable when the PIX address is dynamic; it also means every
!--- host that learns the key can bring up a tunnel, so the key must be
!--- strong and rotated if it leaks.

crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!

!--- Configuration for IPsec policies.
!--- Enters the crypto transform configuration mode, where the transform
!--- sets used during an IPsec negotiation are specified.

crypto ipsec transform-set DYN-TS esp-des esp-md5-hmac

!--- IPsec policy, Phase 2. A dynamic crypto map carries no peer address
!--- and no match address: the PIX's address is unknown, so the router
!--- only responds, accepting the proxy identities the PIX proposes, and
!--- can never initiate the tunnel itself.

crypto dynamic-map DYN 10

!--- Configures IPsec to use the transform set
!--- "DYN-TS" defined earlier in this configuration.

 set transform-set DYN-TS

crypto map IPSEC 10 ipsec-isakmp dynamic DYN
!
interface Ethernet0/0
 ip address 192.168.1.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 half-duplex

!--- Configures the interface to use the
!--- crypto map "IPSEC" for IPsec.

 crypto map IPSEC
!
interface FastEthernet1/0
 ip address 10.2.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial2/0
 no ip address
 shutdown
 no fair-queue
!
interface Serial2/1
 no ip address
 shutdown
!
interface Serial2/2
 no ip address
 shutdown
!
interface Serial2/3
 no ip address
 shutdown
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
ip nat inside source list 100 interface Ethernet0/0 overload
!

!--- ACL 100 selects the flows to be PATed via the outside interface
!--- (Ethernet0/0). The deny entry keeps the VPN traffic to 10.1.1.0 out
!--- of NAT and must come before the permit; IOS evaluates ACL entries in
!--- order and stops at the first match.

access-list 100 deny ip 10.2.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 permit ip 10.2.1.0 0.0.0.255 any

control-plane
!

!
line con 0
line aux 0
line vty 0 4
!
!
end
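The Phase 1 sections of both configurations above are compact, and on the router most of the policy is implied by IOS defaults. The following Python script is an added example, not code from Cisco or from the original post: it parses the crypto isakmp policy blocks of both peers, fills in Cisco's documented IOS defaults (encryption des, hash sha, authentication rsa-sig, group 1, lifetime 86400) for attributes the router omits, simulates Cisco's policy selection rule with the PIX as initiator, and flags weak algorithms and the wildcard pre-shared key. The sample configs are constructed from this page; the HARDENED policy and the WEAK thresholds are this example's own choices and say nothing about which algorithms a particular software version accepts.

```python
import re

# IOS fills in these values for any attribute a policy does not set (Cisco's
# documented defaults).  The PIX config above lists every attribute, so no
# defaults are applied to it.
IOS_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": "1", "lifetime": "86400"}
# Algorithms this audit flags; the thresholds are this example's choice.
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}
# Attributes that must be identical on both peers.  Lifetime is not one of
# them: when lifetimes differ the peers use the shorter one.
MATCH_ATTRS = ("encryption", "hash", "authentication", "group")

POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)\s*$")
ATTR_RE = re.compile(r"^\s+(authentication|encryption|hash|group|lifetime)\s+(\S+)\s*$")
WILDCARD_KEY_RE = re.compile(r"^crypto isakmp key \S+ address 0\.0\.0\.0 0\.0\.0\.0\s*$", re.M)

# Sample configs constructed from the page's Phase 1 sections.
PIX_CFG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""
IOS_CFG = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
"""
# Hypothetical stronger policy, to show the selection preferring it when both
# peers carry it at a higher priority (lower number).
HARDENED = """\
crypto isakmp policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 28800
"""


def parse_policies(config, defaults=None):
    """Map policy priority -> attribute dict, sorted by priority (lowest number first)."""
    policies, current = {}, None
    for line in config.splitlines():
        if m := POLICY_RE.match(line):
            current = int(m.group(1))
            policies[current] = dict(defaults or {})
        elif (m := ATTR_RE.match(line)) and current is not None:
            policies[current][m.group(1)] = m.group(2)
        elif line.strip() and not line.startswith(" "):
            current = None  # any other top-level command ends the policy block
    return dict(sorted(policies.items()))


def negotiate(initiator, responder):
    """Cisco's selection rule: the responder walks its own policies in priority
    order and accepts the first one the initiator also offered.  Returns
    (responder priority, initiator priority, agreed attributes) or None."""
    for r_prio, r in responder.items():
        for i_prio, i in initiator.items():
            if all(i.get(a) == r.get(a) for a in MATCH_ATTRS):
                agreed = {a: r[a] for a in MATCH_ATTRS}
                agreed["lifetime"] = str(min(int(i["lifetime"]), int(r["lifetime"])))
                return r_prio, i_prio, agreed
    return None


def weak_attributes(policy):
    return [f"{a}={policy[a]}" for a in ("encryption", "hash", "group")
            if policy.get(a) in WEAK[a]]


def has_wildcard_psk(config):
    """True if a pre-shared key is bound to 0.0.0.0 0.0.0.0, i.e. any peer
    that knows the key is accepted."""
    return WILDCARD_KEY_RE.search(config) is not None


def audit(pix_cfg, ios_cfg):
    """The PIX initiates (its address is dynamic), so it is the initiator here."""
    pix = parse_policies(pix_cfg)
    ios = parse_policies(ios_cfg, IOS_DEFAULTS)
    result = negotiate(pix, ios)
    return {"negotiated": result,
            "weak": weak_attributes(result[2]) if result else None,
            "wildcard_psk": has_wildcard_psk(ios_cfg)}


if __name__ == "__main__":
    print(audit(PIX_CFG, IOS_CFG))
    print(audit(HARDENED + PIX_CFG, HARDENED + IOS_CFG))
```

For the configurations on this page the audit reports that policy 10 on each side is selected with DES, MD5 and group 1, all flagged, and that the router's key is a wildcard key; prepending the hypothetical policy 5 to both sides moves the negotiation to AES-256/SHA/group 14 with nothing flagged.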

Clearing security associations (SAs)

Use these commands in privileged mode on the PIX:

clear [crypto] ipsec sa - deletes the active IPsec SAs. The keyword crypto is optional.
clear [crypto] isakmp sa - deletes the active IKE SAs. The keyword crypto is optional.
show crypto isakmp sa - shows the current Phase 1 (IKE) SAs.
show crypto ipsec sa - shows the current Phase 2 (IPsec) SAs with their encapsulation and decapsulation packet counters.

PIX security appliance - debug output

debug crypto ipsec 7 - shows the Phase 2 IPsec negotiations.
debug crypto isakmp 7 - shows the Phase 1 ISAKMP negotiations.

Remote IOS router - debug output

debug crypto ipsec - shows the Phase 2 IPsec negotiations.
debug crypto isakmp - shows the Phase 1 ISAKMP negotiations.

Because the router holds only a dynamic crypto map, it cannot initiate: after clearing the SAs, generate interesting traffic from the 10.1.1.0 side (for example a ping from a 10.1.1.0 host to a 10.2.1.0 host) so that the PIX brings the tunnel back up, then check the SA output on both peers.



