【原创】ASA 内网地址重叠建立IPSEC L2L VPN

robortlin · ‎05-02-2020

本帖最后由 robortlin 于 2020-5-4 14:38 编辑
上次有个CASE 帮忙建立VPN 的时候，分公司的内网地址和总公司设置一样都是 192.168.1.0/24，但双方都不想更改。五一闲着就在EVE 搭环境回顾下。

HQ-inside

HQ-Inside#sh run int e0/0
Building configuration...

Current configuration : 64 bytes
!
interface Ethernet0/0
ip address 10.1.1.2 255.255.255.0
end

HQ-Inside#sh run | s ip route
ip route 0.0.0.0 0.0.0.0 10.1.1.1
HQ
ASA-HQ# sh run int
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 202.100.100.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
ASA-HQ# sh run route
route outside 0.0.0.0 0.0.0.0 202.100.100.2 1
ASA-Branch
ASA-Branch# sh run int
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 202.100.200.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
ASA-Branch# sh run route
route outside 0.0.0.0 0.0.0.0 202.100.200.2 1
Branch-Inside
Branch-Inside#sh run | s int
mmi polling-interval 60
interface Ethernet0/0
ip address 10.1.1.2 255.255.255.0
Branch-Inside#sh run | s ip route
ip route 0.0.0.0 0.0.0.0 10.1.1.1
ASA-HQ IPSEC VPN 部分。
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
ACL 感兴趣流
access-list L2L extended permit ip 172.16.10.0 255.255.255.0 172.16.20.0 255.255.255.0
crypto ipsec ikev1 transform-set Transset esp-des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map Crymap 10 match address L2L
crypto map Crymap 10 set peer 202.100.200.1
crypto map Crymap 10 set ikev1 transform-set Transset
crypto map Crymap 10 set reverse-route
crypto map Crymap interface outside
NAT-PAT (内网上网 )
object network Inside-PAT
subnet 10.1.1.0 255.255.255.0
object network Inside-PAT
Manual translate nat(内网地址10.1.1.0/24 转换172.16.10.0/24）
ASA-HQ# sh run object
object network Inside-PAT
subnet 10.1.1.0 255.255.255.0
object network HQ-Inside_Real
subnet 10.1.1.0 255.255.255.0
object network HQ-Inside_Mapping
subnet 172.16.10.0 255.255.255.0
object network Branch_inside_Real
subnet 10.1.1.0 255.255.255.0
object network Branch_inside_Mapping
subnet 172.16.20.0 255.255.255.0
ASA-HQ# sh run nat
nat (inside,outside) source static HQ-Inside_Real HQ-Inside_Mapping destination static Branch_inside_Mapping Branch_inside_Mapping
Branch 配置与HQ 相似，
不同部分
注意感兴趣流
access-list L2L extended permit ip 172.16.20.0 255.255.255.0 172.16.10.0 255.255.255.0
NAT 的配置
nat (inside,outside) source static Branch-Inside_Real Branch-inside_Mapping destination static HQ-Inside_Mapping HQ-Inside_Mapping
===================
下面是测试
HQ-Inside#ping 172.16.20.2 so 10.1.1.2 re 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 172.16.20.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.2
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.
Success rate is 99 percent (548/553), round-trip min/avg/max = 1/4/38 ms
ASA-HQ# sh crypto isa sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 202.100.200.1
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
ASA-HQ# sh crypto ipsec sa
interface: outside
Crypto map tag: Crymap, seq num: 10, local addr: 202.100.100.1
access-list L2L extended permit ip 172.16.10.0 255.255.255.0 172.16.20.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.20.0/255.255.255.0/0/0)
current_peer: 202.100.200.1
#pkts encaps: 569, #pkts encrypt: 569, #pkts digest: 569
#pkts decaps: 567, #pkts decrypt: 567, #pkts verify: 567
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 569, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 202.100.100.1/0, remote crypto endpt.: 202.100.200.1/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 5A94881E
current inbound spi : 4F8F74BB
inbound esp sas:
spi: 0x4F8F74BB (1334801595)
SA State: active
transform: esp-des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 163328000, crypto-map: Crymap
sa timing: remaining key lifetime (kB/sec): (3914944/26527)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x5A94881E (1519683614)
SA State: active
transform: esp-des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 163328000, crypto-map: Crymap
sa timing: remaining key lifetime (kB/sec): (3914944/26526)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
思科文档地址
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/211275-Configuration-Example-of-ASA-VPN-with-Ov.html

one-time · ‎05-06-2020

感谢楼主分享，谢谢~

likuo · ‎05-28-2020

学习使人进步。

likuo · ‎06-11-2020

拓扑图不错。