12.1.2 Cisco ASA 8.4: IPSec VPN between an ASA firewall and a Huawei USG firewall (reverse route injection, NAT exemption)
Huawei USG firewall_2022.08.27 01:48:07.txt
(1) Topology diagram (image not reproduced in this text)
(2.1) ASA firewall: configure the management interface IP address and security level, and enable ASDM access
interface Ethernet0
nameif manager
security-level 90
ip address 10.12.5.5 255.255.0.0
no shutdown
(2.2) ASA firewall: access rule: permit all
CLI configuration: permit any any
ciscoasa(config)# access-list global_access_1 extended permit ip any any
ciscoasa(config)# access-group global_access_1 global
access-list global_access_1 extended permit ip any any
access-group global_access_1 global
(2.3) ASA firewall: configure ASDM to manage the ASA (graphical firewall management)
ciscoasa(config)# username admin password admin privilege 15 // create a privilege-15 account
ciscoasa(config)# http server enable
ciscoasa(config)# http 0.0.0.0 0.0.0.0 manager // source addresses allowed to reach the HTTP server, via the manager interface
username admin password admin privilege 15
http server enable
http 0.0.0.0 0.0.0.0 manager
(2.4) ASA firewall: configure the data interfaces
interface Ethernet1
nameif inside
security-level 80
ip address 192.168.1.254 255.255.255.0
no shutdown
!
interface Ethernet2
nameif outside
security-level 20
ip address 100.100.100.1 255.255.255.0
no shutdown
(2.5) ASA firewall: configure the default route
route outside 0.0.0.0 0.0.0.0 100.100.100.254 1
(2.6) Configure source NAT (only 192.168.1.x may reach the Internet)
object network network192.168.1.x
subnet 192.168.1.0 255.255.255.0
! Dynamic NAT so inside users can reach the Internet
nat (inside,outside) source dynamic network192.168.1.x interface
(3.1) Huawei USG firewall: configure interface IP addresses
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.12.5.6 255.255.0.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
service-manage netconf permit
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 200.200.200.1 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
service-manage netconf permit
#
interface GigabitEthernet1/0/0
service-manage enable
undo shutdown
ip address 192.168.2.254 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
service-manage netconf permit
(3.2) Huawei USG firewall: add the interfaces to security zones
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
(3.3) Huawei USG firewall: configure the static default route
ip route-static 0.0.0.0 0.0.0.0 200.200.200.254
(3.4) Huawei USG firewall: change the default security policy to permit all
security-policy
default action permit
y
(3.5) Huawei USG firewall: configure the web login password
aaa
manager-user admin
password
# enter the password
# enter the password again
level 15
service-type web terminal
(3.6) Huawei USG firewall: configure source NAT so inside users can reach the Internet
ip address-set Net-192.168.2.x type object
address 0 192.168.2.0 mask 24
nat-policy
rule name inside-To-outside
source-zone trust
destination-zone untrust
source-address address-set Net-192.168.2.x
action source-nat easy-ip
(4.1) Headquarters USG firewall IPSec configuration
① Configure the IPSec proposal. Parameters left at their defaults need not be entered.
ipsec proposal 1
esp authentication-algorithm md5
esp encryption-algorithm des
② Configure the IKE proposal. Parameters left at their defaults need not be entered.
ike proposal 1
encryption-algorithm 3des
prf hmac-sha2-256
authentication-algorithm sha1
authentication-method pre-share
integrity-algorithm hmac-sha2-256
dh group2
! ipsec proposal 1
! encapsulation-mode transport    sets the encapsulation mode to transport
! encapsulation-mode tunnel       sets the encapsulation mode to tunnel; this is the default and the command is not shown in the configuration
! encapsulation-mode auto
③ Configure the IKE peer.
ike peer 1
undo version 2
exchange-mode aggressive
ike-proposal 1
remote-address 100.100.100.1
pre-shared-key zh-cjh.com
!ike peer 1
! exchange-mode aggressive    sets the negotiation mode to aggressive
! exchange-mode auto
! exchange-mode main          sets the negotiation mode to main; this is the default and the command is not shown in the configuration
④ Define the data flow to be protected.
Configure advanced ACL 3000 to permit the 10.1.1.0/24 segment to access the 10.1.2.0/24 segment (the rule below uses this lab's segments, 192.168.2.0/24 to 192.168.1.0/24).
acl 3000
rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
⑤ Configure the IPSec policy.
ipsec policy 11 10 isakmp
security acl 3000
proposal 1
ike-peer 1
tunnel local applied-interface
sa trigger-mode auto
⑥ Apply IPSec policy group ipsec on interface GE1/0/0 (in this lab the command below applies policy group 11 on GigabitEthernet1/0/1, the untrust interface).
int GigabitEthernet 1/0/1
ipsec policy 11
(5.1) ASA firewall IPSec configuration
① Configure IKE
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 200.200.200.1 type ipsec-l2l
tunnel-group 200.200.200.1 ipsec-attributes
ikev1 pre-shared-key zh-cjh.com
② Configure the IPSec transform set
crypto ipsec ikev1 transform-set t1 esp-des esp-md5-hmac
③ Define the interesting traffic
access-list to-vpn permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
④ Bind the IPSec settings into a crypto map
crypto map c1 10 match address to-vpn
crypto map c1 10 set peer 200.200.200.1
crypto map c1 10 set ikev1 transform-set t1
⑤ Apply the L2L crypto map on the outside interface
crypto map c1 interface outside
Problem: the VPN does not come up. Phase 1 negotiation result: the initiator failed to send the initial exchange request, or timed out waiting for the next message.
Solution (the USG IKE peer offers IKEv2 by default, while the ASA only has IKEv1 enabled on outside, so IKEv2 is disabled on the USG peer):
ike peer 1
undo version 2
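As an added example (not part of the original post), a small Python checker that reads the two peers' settings exactly as written above and reports what would stop phase 1 or phase 2 from completing, including the IKE version mismatch just described; it also lists the lab-grade algorithms (DES, 3DES, MD5, SHA1, DH group 2) that a production deployment should replace. The NORMALISE and WEAK tables are my own constructed assumptions, not vendor data.

```python
import re

# Constructed copies of the two peers' settings, taken from the snippets above.
USG_CFG = """
ike proposal 1
 encryption-algorithm 3des
 authentication-algorithm sha1
 authentication-method pre-share
 dh group2
ike peer 1
 exchange-mode aggressive
 remote-address 100.100.100.1
ipsec proposal 1
 esp authentication-algorithm md5
 esp encryption-algorithm des
"""
ASA_CFG = """
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
crypto ipsec ikev1 transform-set t1 esp-des esp-md5-hmac
"""
# Vendor spellings mapped to one canonical name (constructed for this check).
NORMALISE = {"sha": "sha1", "group2": "2", "esp-des": "des", "esp-3des": "3des",
             "esp-md5-hmac": "md5", "esp-sha-hmac": "sha1"}
WEAK = {"des", "3des", "md5", "sha1", "2"}   # algorithms / DH group no longer recommended

def canon(tok):
    return NORMALISE.get(tok, tok)

def grab(cfg, pat):
    """First capture group of pat in cfg (multi-line), canonicalised, or None."""
    m = re.search(pat, cfg, re.M)
    return canon(m.group(1)) if m else None

def parse_usg(cfg):
    """Phase-1/phase-2 settings from the USG 'ike proposal', 'ike peer' and 'ipsec proposal'."""
    v2 = not re.search(r"^\s*undo version 2", cfg, re.M)   # the USG peer offers IKEv2 unless disabled
    return {"ikev2": v2, "ike_enc": grab(cfg, r"^\s*encryption-algorithm (\S+)"),
            "ike_hash": grab(cfg, r"^\s*authentication-algorithm (\S+)"),
            "ike_auth": grab(cfg, r"^\s*authentication-method (\S+)"),
            "dh": grab(cfg, r"^\s*dh (\S+)"),
            "esp_enc": grab(cfg, r"^\s*esp encryption-algorithm (\S+)"),
            "esp_hash": grab(cfg, r"^\s*esp authentication-algorithm (\S+)")}

def parse_asa(cfg):
    """The same settings from the ASA 'crypto ikev1 policy' and transform-set."""
    ts = [canon(t) for t in re.search(r"transform-set \S+ (\S+) (\S+)", cfg).groups()]
    return {"ikev2": bool(re.search(r"^\s*crypto ikev2 enable", cfg, re.M)),
            "ike_enc": grab(cfg, r"^\s*encryption (\S+)"), "ike_hash": grab(cfg, r"^\s*hash (\S+)"),
            "ike_auth": grab(cfg, r"^\s*authentication (\S+)"), "dh": grab(cfg, r"^\s*group (\S+)"),
            "esp_enc": [t for t in ts if t not in ("md5", "sha1")][0],
            "esp_hash": [t for t in ts if t in ("md5", "sha1")][0]}

def mismatches(usg, asa):
    """Reasons the tunnel would not come up; an empty list means the proposals agree."""
    out = []
    if usg["ikev2"] and not asa["ikev2"]:
        out.append("IKE version: USG initiates IKEv2, ASA only enables IKEv1 (fix: 'undo version 2')")
    out += [f"{k}: USG={usg[k]} ASA={asa[k]}" for k in usg if k != "ikev2" and usg[k] != asa[k]]
    return out

def weak_settings(params):
    """Lab-grade algorithms on one side that a production deployment should replace."""
    return {v for k, v in params.items() if k != "ikev2" and v in WEAK}
```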
<USG6000V2>display ipsec sa brief
2022-08-25 17:29:57.500
IPSec SA information:
 Src address      Dst address      SPI          VPN   Protocol   Algorithm
 ------------------------------------------------------------------------------------
 200.200.200.1    100.100.100.1    2183952242         ESP        E:DES A:MD5-96
 100.100.100.1    200.200.200.1    196678592          ESP        E:DES A:MD5-96
 Number of IPSec SA : 2
 ------------------------------------------------------------------------------------
<USG6000V2>
<USG6000V2>display ike sa
display ipsec sa
View the ASA NAT translation table
show xlate
View the IPSec VPN connection status on the ASA
ciscoasa# show crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 200.200.200.1
Type : L2L Role : responder
Rekey : no State : AM_ACTIVE
There are no IKEv2 SAs
ciscoasa#
show crypto ipsec sa
Reverse route injection (optional; the route can also be configured manually):
ipsec policy 11 10 isakmp
route inject dynamic
After reverse route injection is configured, the following route appears (shown in a screenshot that is not reproduced here):
(6.1) Huawei firewall: VPN traffic must not be source-NATed.
Before the change (screenshot not reproduced):
After the change:
ip address-set 192.168.1.X type object
address 0 192.168.1.0 mask 24
nat-policy
rule name No-NAT
source-zone trust
source-address address-set Net-192.168.2.x
destination-address address-set 192.168.1.X
action no-nat
rule name inside-To-outside
source-zone trust
destination-zone untrust
source-address address-set Net-192.168.2.x
action source-nat easy-ip
(6.2) Cisco firewall: VPN traffic must not be NATed (NAT exemption).
Before the change (screenshot not reproduced)
After the change
object network network192.168.1.x
subnet 192.168.1.0 255.255.255.0
object network network192.168.2.x
subnet 192.168.2.0 255.255.255.0
nat (inside,outside) source static network192.168.1.x network192.168.1.x destination static network192.168.2.x network192.168.2.x
nat (inside,outside) source dynamic network192.168.1.x interface
Problem 1: the VPN is established, but the two inside networks cannot ping each other.
Solution:
Root cause: VPN traffic must not be source-NATed and sent out to the Internet; it has to go straight into the VPN tunnel.
The traffic was not entering the VPN tunnel.
Once the source NAT was disabled, access worked normally, so VPN traffic must not be NATed and an exemption has to be configured.
Internet-bound traffic is NATed as usual; traffic to the remote inside network is not NATed and goes straight into the VPN tunnel.
First disable the NAT rule for testing: nat (inside,outside) source dynamic network192.168.1.x interface inactive // adding inactive disables this NAT rule
ciscoasa# packet-tracer input inside rawip 192.168.1.1 0 192.168.2.100
Problem 2: PC1 can ping PC2, but PC2 cannot ping PC1
Cause: on the Huawei firewall the No-NAT rule had not been moved ahead of the source-NAT rule:
NAT exemption (old syntax):
Exemption configured on ASA1
1) Create an access list matching the traffic to exempt
ASA1(config)# access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
2) Apply the exemption
ASA1(config)# nat (inside) 0 access-list nonat
NAT exemption (new syntax):
nat (inside,outside) source static network192.168.1.x network192.168.1.x destination static network192.168.2.x network192.168.2.x
nat (inside,outside) source dynamic network192.168.1.x interface
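As an added example (not from the original post), a Python model of the order of operations behind problems 1 and 2: the first matching NAT rule is applied, then the crypto-map ACL is checked against the packet as it leaves. The rule lists are constructed from the (6.2) "before" and "after" configurations above, plus a reversed list that reproduces the USG ordering mistake from problem 2; OUTSIDE_IP and the rule names are my own labels.

```python
from ipaddress import ip_address, ip_network

OUTSIDE_IP = "100.100.100.1"   # ASA outside address used by the dynamic PAT rule
# Crypto-map ACL "to-vpn" from the post: 192.168.1.0/24 -> 192.168.2.0/24
CRYPTO_ACL = (ip_network("192.168.1.0/24"), ip_network("192.168.2.0/24"))

def make_rule(name, src, dst=None, translate=True):
    """One ordered NAT rule; translate=False models identity NAT / 'action no-nat'."""
    return {"name": name, "src": ip_network(src),
            "dst": ip_network(dst) if dst else None, "translate": translate}

def apply_nat(rules, src, dst):
    """First-match NAT: returns (source address after NAT, name of the rule that matched)."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in r["src"] and (r["dst"] is None or d in r["dst"]):
            return (OUTSIDE_IP if r["translate"] else src), r["name"]
    return src, None

def enters_tunnel(rules, src, dst):
    """True if the packet still matches the crypto ACL after NAT has been applied."""
    new_src, _ = apply_nat(rules, src, dst)
    return ip_address(new_src) in CRYPTO_ACL[0] and ip_address(dst) in CRYPTO_ACL[1]

# (6.2) "before": only the dynamic PAT rule exists.
BEFORE = [make_rule("dynamic-pat", "192.168.1.0/24")]
# (6.2) "after": identity twice NAT for VPN traffic placed ahead of the PAT rule.
AFTER = [make_rule("nat-exempt", "192.168.1.0/24", "192.168.2.0/24", translate=False),
         make_rule("dynamic-pat", "192.168.1.0/24")]
# Problem 2 on the USG side: the No-NAT rule exists but sits after the easy-ip rule.
WRONG_ORDER = list(reversed(AFTER))

if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER), ("wrong order", WRONG_ORDER)):
        new_src, rule = apply_nat(rules, "192.168.1.1", "192.168.2.100")
        print(f"{label:12s} rule={str(rule):12s} src after NAT={new_src:16s} "
              f"enters tunnel={enters_tunnel(rules, '192.168.1.1', '192.168.2.100')}")
        # Internet-bound traffic must still be translated in every variant.
        print(f"{'':12s} 192.168.1.1 -> 8.8.8.8 leaves as {apply_nat(rules, '192.168.1.1', '8.8.8.8')[0]}")
```

Only the "after" list sends 192.168.1.1 -> 192.168.2.100 into the tunnel while still translating Internet-bound traffic, which is the behaviour the post arrives at on both firewalls.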
Reprints must credit the source: www.zh-cjh.com (珠海陈坚浩博客) » 12.1.2 Cisco ASA 8.4: IPSec VPN between an ASA firewall and a Huawei USG firewall (reverse route injection, NAT exemption)
Author: cjh