关于IPSEC-VPN穿越ASA防火墙数据转发流量的实验

1、实验拓扑:

技术分享

2、实验要求:

R1R2是两个站点,R1的业务地址:10.10.10.10/32R2的业务地址:20.20.20.20/32

R1 – ASA202.16.1.0/29  ASA – R2:209.16.1.0/29,先需要使用IPSEC-VPN技术对业务流量加密,使数据传输更安全;

3、实验配置:

R1:

crypto isakmp policy 10

 encr3des

 hashmd5

 authentication pre-share

 group2

crypto isakmp key cisco address 209.16.1.1

!

crypto ipsec transform-set ccna ah-md5-hmacesp-3des

!

crypto map cisco 10 ipsec-isakmp

 setpeer 209.16.1.1

 settransform-set ccna

 match address vpn

!        

interface Loopback0

 ipaddress 10.10.10.10 255.255.255.255

!

interface FastEthernet0/0

 ipaddress 202.16.1.1 255.255.255.248

 duplex auto

 speed auto

 crypto map cisco

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 202.16.1.2

!

no ip http server

no ip http secure-server

!        

ip access-list extended vpn

 permit ip host 10.10.10.10 host 20.20.20.20

 

ASA:

interface Ethernet0/0

 nameif outside

 security-level 0

 ipaddress 202.16.1.2 255.255.255.248

!

interface Ethernet0/1

 nameif inside

 security-level 100

 ipaddress 209.16.1.2 255.255.255.248

!

access-list out extendedpermit icmp any any

access-list out extendedpermit esp host 202.16.1.1 host 209.16.1.1

access-list out extendedpermit ah host 202.16.1.1 host 209.16.1.1

pager lines 24

mtu outside 1500

mtu inside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

access-group out ininterface outside

!

R2:

crypto isakmp policy 10

 encr3des

 hashmd5

 authentication pre-share

 group 2

crypto isakmp key cisco address 202.16.1.1

!

crypto ipsec transform-set ccna ah-md5-hmacesp-3des

!

crypto map cisco 10 ipsec-isakmp

 setpeer 202.16.1.1

 settransform-set ccna

 match address vpn

!        

interface Loopback0

 ipaddress 20.20.20.20 255.255.255.255

!

interface FastEthernet0/0

 ipaddress 209.16.1.1 255.255.255.248

 duplex auto

 speed auto

 crypto map cisco

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 209.16.1.2

!

no ip http server

no ip http secure-server

!        

ip access-list extended vpn

 permit ip host 20.20.20.20 host 10.10.10.10

4、配置结果查看:

R1#show crypto isakmp sa

dst             src             state          conn-id slot status

202.16.1.1      209.16.1.1      QM_IDLE              1    0 ACTIVE

 

R1#show crypto engine connections active

  IDInterface            IP-Address      State Algorithm           Encrypt  Decrypt

   1FastEthernet0/0      202.16.1.1      set   HMAC_MD5+3DES_56_C        0        0

2001 FastEthernet0/0      202.16.1.1      set   MD5+3DES                 49        0

2002 FastEthernet0/0      202.16.1.1      set   MD5+3DES                  0       39

 

R1#ping 20.20.20.20 source 10.10.10.10

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to20.20.20.20, timeout is 2 seconds:

Packet sent with a source address of 10.10.10.10

!!!!!

Success rate is 100 percent (5/5),round-trip min/avg/max = 20/31/68 ms

 

R2#show crypto isakmp sa

dst             src             state          conn-id slot status

202.16.1.1      209.16.1.1      QM_IDLE              1    0 ACTIVE

 

R2#show crypto engine connections active

 IDInterface            IP-Address      State Algorithm           Encrypt  Decrypt

   1FastEthernet0/0      209.16.1.1      set   HMAC_MD5+3DES_56_C        0        0

2001 FastEthernet0/0      209.16.1.1      set   MD5+3DES                 44        0

2002 FastEthernet0/0      209.16.1.1      set   MD5+3DES                  0       15

请大家思考两个问题:

1、为什么本实验在防火墙中需要用到AH的协议放行,而使用放行udp ...eq isakmp不行?注:真实的ASA也应该是可以通过udp ...eq isakmp实现流量放行的。)

2、如果现在条件发生了变化,需要在R1和R2上配置GRE隧道和OSPF路由协议,使用gre over ipsec技术,那么防火墙的流量放行是否需要改变?是否需要添加放行gre协议流量和ospf协议流量?




本文出自 “我的技术博客” 博客,转载请与作者联系!

郑重声明:本站内容如果来自互联网及其他传播媒体,其版权均属原媒体及文章作者所有。转载目的在于传递更多信息及用于网络分享,并不代表本站赞同其观点和对其真实性负责,也不构成任何其他建议。