LinusT (Cisco Employee)
[Topology diagram]
Base setup:
1. R1 and the ASA each simulate a VPN site. Build the topology as shown in the diagram; inside each VPN site the whole network is reachable (configuration omitted).
2. The Internet is represented by SW; the Internet is fully reachable.
3. R1 and the ASA each connect to the Internet.
Requirements:
1. Configure dynamic PAT on the ASA so that R2 can access the Internet.
2. Establish an IKEv1 L2L VPN between R1 and the ASA. The interesting traffic is 10.1.1.0/24 <------> 172.16.1.0/24; test by pinging R2 from R1.
3. Establish an SSL VPN between the PC and the ASA, with the ASA as the SSL VPN gateway and the PC as the SSL VPN client. Deploy the three SSL VPN modes.
4. If the PC and R1 need to communicate, think about how to solve it.
1. Dynamic PAT configuration

ASA1(config)# object network INSIDE
ASA1(config-network-object)# subnet 172.16.1.0 255.255.255.0
ASA1(config-network-object)# nat (inside,outside) dynamic interface

Test:

R2#telnet 202.100.1.10
Trying 202.100.1.10 ... Open
Internet>who
Line User Host(s) Idle Location

* 98 vty 0 idle 00:00:00 202.100.1.1

2. Establish an L2L IPsec VPN between R1 and the ASA.
R1 configuration:
1) Phase 1
crypto isakmp policy 10
authentication pre-share
encr aes 256
hash sha
group 5
crypto isakmp key cisco123 address 202.100.1.1
2) Phase 2
crypto ipsec transform-set L2L-TS esp-aes 256 esp-sha-hmac
3) Interesting traffic and crypto map
ip access-list extended L2L-ACL
permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
crypto map CCC 10 ipsec-isakmp
match address L2L-ACL
set transform-set L2L-TS
set peer 202.100.1.1
interface FastEthernet0/0
crypto map CCC
ASA configuration:
1) Phase 1
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
tunnel-group 61.128.1.1 type ipsec-l2l
tunnel-group 61.128.1.1 ipsec-attributes
ikev1 pre-shared-key cisco123
2) Phase 2
crypto ipsec ikev1 transform-set L2L-TS esp-aes-256 esp-sha-hmac
3) Interesting traffic and crypto map
access-list L2L-ACL extended permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0 //regular subnet mask, not a wildcard mask
crypto map CCC 10 match address L2L-ACL
crypto map CCC 10 set peer 61.128.1.1
crypto map CCC 10 set ikev1 transform-set L2L-TS
crypto map CCC interface outside //apply the crypto map
crypto ikev1 enable outside //enable IKEv1 on the outside interface

Basic points to note when configuring IPsec on the ASA:
1) IKE is disabled by default and must be enabled manually.
2) A tunnel-group must be configured.
Tunnel-group introduction: a tunnel-group, also called a connection profile, defines an L2L or remote-access tunnel; the connection profile is used to map the attributes of the IPsec peer.

ASA1(config)# tunnel-group name type ?
configure mode commands/options:
ipsec-l2l IPSec Site to Site group
ipsec-ra IPSec Remote Access group (DEPRECATED)
remote-access Remote access (IPSec and WebVPN) group
webvpn WebVPN group (DEPRECATED)

If the IKE authentication method is a pre-shared key:
For an IPsec L2L, the tunnel-group name should be the peer's IP.
For remote access, the tunnel-group name is the group name.
If the IKE authentication method is certificates, the tunnel-group name should be the certificate's name.
Each tunnel-group corresponds to one VPN session.
Bringing up the IPsec L2L:
R1#ping 172.16.1.2 source lo0 //fails
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.3, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
.....
Success rate is 0 percent (0/5)
R1#show crypto session
Crypto session current status
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 202.100.1.1 port 500
IKEv1 SA: local 61.128.1.1/500 remote 202.100.1.1/500 Active
IPSEC FLOW: permit ip 10.1.1.0/255.255.255.0 172.16.1.0/255.255.255.0
Active SAs: 2, origin: crypto map
ASA1(config)# show vpn-sessiondb l2l

Session Type: LAN-to-LAN

Connection : 61.128.1.1
Index : 1 IP Addr : 61.128.1.1
Protocol : IKEv1 IPsec
Encryption : AES256 Hashing : SHA1
Bytes Tx : 0 Bytes Rx : 400
Login Time : 12:05:44 UTC Thu Dec 17 2015
Duration : 0h:05m:54s
Observation:
The IPsec L2L has been established, but the VPN does not pass traffic. The cause is the effect of NAT on IPsec: the dynamic PAT rule translates the VPN traffic before encryption, so the ASA needs a NAT bypass (NAT exemption) configured.

ASA1(config)# object network INSIDE
ASA1(config-network-object)# subnet 172.16.1.0 255.255.255.0
ASA1(config)# object network L2L-VPN
ASA1(config-network-object)# subnet 10.1.1.0 255.255.255.0
ASA1(config)# nat (inside,outside) source static INSIDE INSIDE destination static L2L-VPN L2L-VPN

R1#ping 172.16.1.3 source lo0
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/60/72 ms

Question: does the ASA need to explicitly permit VPN traffic?
Answer: no. The ASA permits VPN traffic by default:
ASA1(config)# sysopt connection permit-vpn //permit VPN traffic; enabled by default.
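As an added example (not from the original post), a small Python checker for the two things this section depends on: that the IOS wildcard-mask crypto ACL and the ASA subnet-mask crypto ACL are mirror images, and that the ASA has an identity twice-NAT rule (NAT exemption) covering the interesting traffic. The sample configs are constructed from the R1 and ASA sections above.

```python
import ipaddress
import re

# Constructed sample configs, taken from the post's R1 and ASA sections.
IOS_ACL = """
ip access-list extended L2L-ACL
 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
"""
ASA_CFG = """
object network INSIDE
 subnet 172.16.1.0 255.255.255.0
object network L2L-VPN
 subnet 10.1.1.0 255.255.255.0
access-list L2L-ACL extended permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside,outside) source static INSIDE INSIDE destination static L2L-VPN L2L-VPN
"""

def wildcard_to_net(addr, wildcard):
    """IOS ACLs use wildcard masks; invert the wildcard to get a netmask."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))))

def ios_flows(acl):
    """Set of (src, dst) networks permitted by the IOS crypto ACL."""
    return {(wildcard_to_net(s, sw), wildcard_to_net(d, dw))
            for s, sw, d, dw in re.findall(r"permit ip (\S+) (\S+) (\S+) (\S+)", acl)}

def asa_flows(cfg):
    """Set of (src, dst) networks permitted by the ASA crypto ACL (regular masks)."""
    return {(ipaddress.IPv4Network((s, sm)), ipaddress.IPv4Network((d, dm)))
            for s, sm, d, dm in re.findall(
                r"access-list \S+ extended permit ip (\S+) (\S+) (\S+) (\S+)", cfg)}

def nat_exempt_flows(cfg):
    """(src, dst) pairs covered by an identity twice-NAT rule, i.e. NAT exemption."""
    objs = {n: ipaddress.IPv4Network((a, m)) for n, a, m in
            re.findall(r"object network (\S+)\s+subnet (\S+) (\S+)", cfg)}
    flows = set()
    for s1, s2, d1, d2 in re.findall(
            r"nat \(\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)", cfg):
        if s1 == s2 and d1 == d2:  # translated to itself = no NAT applied
            flows.add((objs[s1], objs[d1]))
    return flows

def check(ios_acl, asa_cfg):
    """Return (acls_mirrored, asa_nat_exempt) for the interesting traffic."""
    ios, asa = ios_flows(ios_acl), asa_flows(asa_cfg)
    mirrored = {(d, s) for s, d in ios} == asa
    exempt = asa <= nat_exempt_flows(asa_cfg)
    return mirrored, exempt
```

With the post's configs `check(IOS_ACL, ASA_CFG)` returns `(True, True)`; dropping the `nat ... source static` line reproduces the failing state from the first ping test, where the tunnel is up but no traffic is exempted from PAT.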
4. Establish an SSL VPN between the PC and the ASA, with the ASA as the SSL VPN gateway and the PC as the SSL VPN client. Deploy the SSL VPN.
4.1 Basic clientless configuration
1) Configure a certificate on the ASA
ASA1(config)#crypto key generate rsa label asa1.key modulus 1024
ASA1(config)#crypto ca trustpoint TP
ASA1(config-ca-trustpoint)#enroll self
ASA1(config-ca-trustpoint)#subject-name cn=asa1.wolf.com
ASA1(config-ca-trustpoint)#keypair asa1.key
ASA1(config-ca-trustpoint)#crypto ca enroll TP

% The fully-qualified domain name in the certificate will be: ASA1

% Include the device serial number in the subject name? [yes/no]: no

Generate Self-Signed Certificate? [yes/no]: yes
ASA1(config)#show crypto ca certificates
Certificate
Status: Available
Certificate Serial Number: ad5bbb5a
Certificate Usage: General Purpose
Public Key Type: RSA (1024 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
hostname=ASA1
cn=asa1.wolf.com
Subject Name:
hostname=ASA1
cn=asa1.wolf.com
Validity Date:
start date: 09:32:56 UTC Mar 28 2018
end date: 09:32:56 UTC Mar 25 2028
Associated Trustpoints: TP
ASA1(config)# ssl trust-point TP //the SSL VPN uses the certificate from trustpoint TP
2) Basic ASA SSL VPN configuration

ASA1(config)# username ssluser password cisco
ASA1(config)# webvpn
ASA1(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
ASA1(config-webvpn)# exit

Login: on the PC, open https://202.100.1.1 in a browser; the following page appears. Click "Login" to enter the SSL VPN portal.
In the "Address" field you can enter http://172.16.1.2 to access the internal HTTP server, or cifs://172.16.1.241 to access the internal file server. This technique is called reverse proxy technology (clientless access). As follows:
Accessing the HTTP server:
Accessing the file server:

As you can see, during access the ASA acts as a proxy server: the ASA hands the SSL VPN client's request to the server, the server returns the response to the ASA, and the ASA relays it to the client.
R2#show tcp brief
TCB Local Address Foreign Address (state)
67B14C50 172.16.1.2.80 172.16.1.1.41975 TIMEWAIT

ASA1# show vpn-sessiondb webvpn

Session Type: WebVPN

Username : ssluser Index : 10
Public IP : 100.1.2.100
Protocol : Clientless
License : AnyConnect Premium
Encryption : RC4 Hashing : SHA1
Bytes Tx : 72187 Bytes Rx : 58201
Group Policy : DfltGrpPolicy Tunnel Group : DefaultWEBVPNGroup
Login Time : 09:47:42 UTC Tue Jan 19 2016
Duration : 0h:12m:23s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none

4.2 Advanced clientless configuration
4.2.1 HTTP proxy
In some network environments there is a dedicated proxy server (for example, a WSA). In that case, you want the proxy server to relay the requests when internal resources are accessed.

ASA1(config)# webvpn
ASA1(config-webvpn)# http-proxy 172.16.1.100 80
ASA1(config-webvpn)# https-proxy 172.16.1.100 443

4.2.2 Bookmarks configuration (note: bookmarks cannot be configured from the CLI, only through ASDM)
Initialize ASDM

ASA1(config)# asdm image disk0:/asdm-645-206.bin
ASA1(config)# http server enable 8443 //to avoid conflicting with the SSL VPN, ASDM uses port 8443
ASA1(config)# http 0 0 outside //any outside address can manage the ASA through ASDM
ASA1(config)# username admin password cisco privilege 15
ASA1(config)# aaa authentication http console LOCAL //ASDM authenticates against the local database

Define a group-policy and reference the bookmarks

ASA1(config)#group-policy GP-SSL internal
ASA1(config)#group-policy GP-SSL attributes
ASA1(config-group-policy)#webvpn
ASA1(config-group-webvpn)#url-list value Inside-Server
ASA1(config-group-webvpn)#exit
ASA1(config-group-policy)#exit
ASA1(config)# username ssluser attributes
ASA1(config-username)#vpn-group-policy GP-SSL
ASA1(config-username)#exit

Log out and log back in.
Why can the url-list only be configured in ASDM?
Because the url-list is not stored in the configuration file, but in an XML file under disk0:/csco_config/97/bookmarks/.
4.2.3 Java plugins (an extension of clientless access)
1) Copy the downloaded Java plugins to flash
ASA1# show flash:
--#-- --length-- -----date/time------ path
531 879113 Jan 14 2012 00:01:34 rdp2-plugin.090211.jar
532 405006 Jan 14 2012 00:01:46 ssh-plugin.080430.jar
533 90142 Jan 14 2012 00:01:58 vnc-plugin.080130.jar
534 688755 Jan 14 2012 00:02:12 rdp-plugin.101215.jar
2) Load the plugins from flash


ASA1(config)# import webvpn plug-in protocol rdp disk0:/rdp-plugin.101215.jar
ASA1(config)# import webvpn plug-in protocol ssh,telnet disk0:/ssh-plugin.080430.jar

Log out and log back in to the SSL VPN
4.3 Thin client configuration
4.3.1 Port forwarding

ASA1(config)# webvpn
ASA1(config-webvpn)# port-forward Telnet-TO-R2 2323 172.16.1.2 telnet
ASA1(config)#group-policy GP-SSL attributes
ASA1(config-group-policy)#webvpn
ASA1(config-group-webvpn)#port-forward enable Telnet-TO-R2
ASA1(config-group-webvpn)#exit
ASA1(config-group-policy)#exit

Verification: log out on the PC and log back in
4.3.2 Smart tunnel

It's getting late today; I'll add the rest tomorrow...
[Original] IPsec configuration between IOS and ASA, and SSL VPN configuration on the ASA [2]
Comments
one-time (Level 13):
Thanks to the OP for the solid share, thank you!
wuhao0015 (Spotlight):
Support~!
Character-count padding.