[Original] Building an IPsec L2L VPN on ASA with overlapping inside subnets

Posted 2020-5-2 19:02:59
Last edited by robortlin on 2020-5-4 14:38

In a case a while back where I was helping set up a VPN, the branch office's inside subnet was the same as headquarters', both 192.168.1.0/24, and neither side wanted to change it. With some free time over the May Day holiday, I built the environment in EVE to go over it again.

HQ-Inside
HQ-Inside#sh run int e0/0
Building configuration...


Current configuration : 64 bytes
!
interface Ethernet0/0
ip address 10.1.1.2 255.255.255.0
end


HQ-Inside#sh run | s ip route
ip route 0.0.0.0 0.0.0.0 10.1.1.1
ASA-HQ
ASA-HQ# sh run int
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 202.100.100.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0

ASA-HQ# sh run route
route outside 0.0.0.0 0.0.0.0 202.100.100.2 1


ASA-Branch
ASA-Branch# sh run int
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 202.100.200.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0

ASA-Branch# sh run route
route outside 0.0.0.0 0.0.0.0 202.100.200.2 1

Branch-Inside
Branch-Inside#sh run | s int
mmi polling-interval 60
interface Ethernet0/0
ip address 10.1.1.2 255.255.255.0

Branch-Inside#sh run | s ip route
ip route 0.0.0.0 0.0.0.0 10.1.1.1


ASA-HQ IPsec VPN section.

crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption des
hash md5     
group 2      
lifetime 86400


ACL for interesting traffic (crypto ACL)
access-list L2L extended permit ip 172.16.10.0 255.255.255.0 172.16.20.0 255.255.255.0

crypto ipsec ikev1 transform-set Transset esp-des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map Crymap 10 match address L2L
crypto map Crymap 10 set peer 202.100.200.1
crypto map Crymap 10 set ikev1 transform-set Transset
crypto map Crymap 10 set reverse-route
crypto map Crymap interface outside


NAT/PAT (inside hosts reaching the Internet)
object network Inside-PAT
subnet 10.1.1.0 255.255.255.0

object network Inside-PAT

Manual (twice) NAT (inside addresses 10.1.1.0/24 translated to 172.16.10.0/24)


ASA-HQ# sh run object
object network Inside-PAT
subnet 10.1.1.0 255.255.255.0
object network HQ-Inside_Real
subnet 10.1.1.0 255.255.255.0
object network HQ-Inside_Mapping
subnet 172.16.10.0 255.255.255.0
object network Branch_inside_Real
subnet 10.1.1.0 255.255.255.0
object network Branch_inside_Mapping
subnet 172.16.20.0 255.255.255.0
ASA-HQ# sh run nat
nat (inside,outside) source static HQ-Inside_Real HQ-Inside_Mapping destination static Branch_inside_Mapping Branch_inside_Mapping
The Branch configuration is similar to HQ. The parts that differ:
Note the interesting-traffic ACL
access-list L2L extended permit ip 172.16.20.0 255.255.255.0 172.16.10.0 255.255.255.0


NAT configuration
nat (inside,outside) source static Branch-Inside_Real Branch-inside_Mapping destination static HQ-Inside_Mapping HQ-Inside_Mapping

===================
Test below
HQ-Inside#ping 172.16.20.2  so 10.1.1.2 re 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 172.16.20.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.2
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.
Success rate is 99 percent (548/553), round-trip min/avg/max = 1/4/38 ms

ASA-HQ# sh crypto isa sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 202.100.200.1
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs

ASA-HQ# sh crypto ipsec sa
interface: outside
    Crypto map tag: Crymap, seq num: 10, local addr: 202.100.100.1

      access-list L2L extended permit ip 172.16.10.0 255.255.255.0 172.16.20.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.20.0/255.255.255.0/0/0)
      current_peer: 202.100.200.1


      #pkts encaps: 569, #pkts encrypt: 569, #pkts digest: 569
      #pkts decaps: 567, #pkts decrypt: 567, #pkts verify: 567
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 569, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 202.100.100.1/0, remote crypto endpt.: 202.100.200.1/0
      path mtu 1500, ipsec overhead 58(36), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 5A94881E
      current inbound spi : 4F8F74BB

    inbound esp sas:
      spi: 0x4F8F74BB (1334801595)
         SA State: active
         transform: esp-des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 163328000, crypto-map: Crymap
         sa timing: remaining key lifetime (kB/sec): (3914944/26527)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x5A94881E (1519683614)
         SA State: active
         transform: esp-des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 163328000, crypto-map: Crymap
         sa timing: remaining key lifetime (kB/sec): (3914944/26526)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Cisco documentation:
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/211275-Configuration-Example-of-ASA-VPN-with-Ov.html
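To make the address flow behind the ping test concrete, here is an added example (my own code, not the poster's configuration) that walks one echo request and its reply through both ASAs using the twice-NAT rules and crypto ACLs quoted above. The host addresses and the processing order it models (source NAT before the crypto-map match on egress, reverse NAT after ESP decryption on ingress) are assumptions, as is using one function for both ASAs with the site-specific subnets passed in.

```python
"""Walk an ICMP echo request and its reply through both ASAs, applying
the twice-NAT rules and crypto ACLs quoted in the post.  Added example,
not code from the original post; host addresses and the processing
order (NAT before the crypto-map match on egress, un-NAT after ESP
decryption on ingress) are assumptions made for illustration."""
import ipaddress

IP = ipaddress.ip_address
NET = ipaddress.ip_network

REAL = NET("10.1.1.0/24")          # the inside subnet used at BOTH sites
HQ_MAPPED = NET("172.16.10.0/24")  # object HQ-Inside_Mapping
BR_MAPPED = NET("172.16.20.0/24")  # object Branch_inside_Mapping


def static_translate(addr, from_net, to_net):
    """Static subnet-to-subnet NAT keeps the host part: 10.1.1.2 -> 172.16.10.2."""
    offset = int(addr) - int(from_net.network_address)
    return to_net.network_address + offset


def egress(pkt, local_mapped, remote_mapped):
    """Inside -> outside on one ASA.  The 'source static <real> <mapped>
    destination static <remote_mapped> <remote_mapped>' rule rewrites only
    the source; the post-NAT addresses are then matched against the crypto
    ACL (local_mapped -> remote_mapped).  Returns (packet on wire, encrypted?)."""
    src, dst = pkt
    if src in REAL and dst in remote_mapped:
        src = static_translate(src, REAL, local_mapped)
    encrypted = src in local_mapped and dst in remote_mapped
    return (src, dst), encrypted


def ingress(pkt, local_mapped, remote_mapped):
    """Outside -> inside on the peer ASA after decryption: the same rule in
    reverse turns the mapped destination back into the real inside host."""
    src, dst = pkt
    if dst in local_mapped and src in remote_mapped:
        dst = static_translate(dst, local_mapped, REAL)
    return (src, dst)


def round_trip(hq_host, branch_target):
    """Returns ((src, dst) as seen by the branch host, (src, dst) of the reply
    as seen by the HQ host).  Raises if either direction misses its crypto ACL."""
    wire, ok = egress((hq_host, branch_target), HQ_MAPPED, BR_MAPPED)
    if not ok:
        raise ValueError(f"request {wire} did not match the HQ crypto ACL")
    at_branch = ingress(wire, BR_MAPPED, HQ_MAPPED)
    # The branch host answers the (mapped) HQ address it saw as the source.
    reply_wire, ok = egress((at_branch[1], at_branch[0]), BR_MAPPED, HQ_MAPPED)
    if not ok:
        raise ValueError(f"reply {reply_wire} did not match the Branch crypto ACL")
    at_hq = ingress(reply_wire, HQ_MAPPED, BR_MAPPED)
    return at_branch, at_hq


if __name__ == "__main__":
    # The ping from the post: HQ-Inside (10.1.1.2) pings 172.16.20.2.
    seen_by_branch, seen_by_hq = round_trip(IP("10.1.1.2"), IP("172.16.20.2"))
    print("branch host sees:", seen_by_branch)   # 172.16.10.2 -> 10.1.1.2
    print("HQ host sees reply:", seen_by_hq)     # 172.16.20.2 -> 10.1.1.2
    # Addressing the remote host by its real address never enters the tunnel:
    # 10.1.1.x is the local subnet on both sides, so it stays local.
    print(egress((IP("10.1.1.2"), IP("10.1.1.2")), HQ_MAPPED, BR_MAPPED))
```

The walk shows why each site must reach the other through its mapped subnet (172.16.20.0/24 from HQ, 172.16.10.0/24 from Branch): the real 10.1.1.0/24 never appears inside ESP, so the two identical subnets never collide, and each host only ever sees the peer's mapped address.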


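A check I would run before bringing such a tunnel up: an added example (my own code, not from the post) that parses the object, NAT and ACL lines quoted above and verifies the conditions the overlapping-subnet design rests on: an identity translation on the destination half of the twice NAT, crypto ACLs written in mapped (post-NAT) addresses, three disjoint subnets per side, and mirror-image proxy IDs between the peers. The branch's `show run object` output is not in the post, so the branch objects below are constructed from the names used in its NAT line.

```python
"""Consistency check for the NAT / crypto-ACL pairing behind the
overlapping-subnet L2L design.  Added example, not code from the post;
it parses the ASA CLI lines quoted in the thread.  The branch object
definitions are constructed (the post does not show them)."""
import ipaddress
import re
from dataclasses import dataclass

OBJ_RE = re.compile(r"object network (\S+)\s+subnet (\S+) (\S+)")
NAT_RE = re.compile(r"nat \(inside,outside\) source static (\S+) (\S+) "
                    r"destination static (\S+) (\S+)")
ACL_RE = re.compile(r"access-list \S+ extended permit ip (\S+) (\S+) (\S+) (\S+)")


@dataclass
class Side:
    name: str
    objects: str   # 'show run object' text
    nat: str       # the manual (twice) NAT line
    acl: str       # the crypto-map 'match address' ACL entry


def parse_objects(text):
    return {name: ipaddress.ip_network(f"{net}/{mask}")
            for name, net, mask in OBJ_RE.findall(text)}


def parse_acl(line):
    m = ACL_RE.search(line)
    if not m:
        raise ValueError(f"unparseable crypto ACL: {line!r}")
    src, smask, dst, dmask = m.groups()
    return ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}")


def check_side(side):
    """Returns (list of problems, (acl_src, acl_dst)) for one ASA."""
    objs = parse_objects(side.objects)
    m = NAT_RE.search(side.nat)
    if not m:
        return [f"{side.name}: cannot parse twice-NAT line"], None
    missing = [n for n in m.groups() if n not in objs]
    if missing:
        return [f"{side.name}: NAT references undefined object(s) {missing}"], None
    real, mapped, dst_real, dst_mapped = (objs[n] for n in m.groups())
    acl_src, acl_dst = parse_acl(side.acl)
    problems = []
    # Destination half must be identity (X X): the peer's mapped subnet is untouched.
    if dst_real != dst_mapped:
        problems.append(f"{side.name}: destination NAT must be identity, got {dst_real} -> {dst_mapped}")
    # The crypto ACL is evaluated on post-NAT addresses, so it must use mapped subnets.
    if acl_src != mapped:
        problems.append(f"{side.name}: crypto ACL source {acl_src} is not the local mapped subnet {mapped}")
    if acl_dst != dst_mapped:
        problems.append(f"{side.name}: crypto ACL destination {acl_dst} is not the remote mapped subnet {dst_mapped}")
    # Real, local-mapped and remote-mapped must be three disjoint subnets.
    for a, b, what in ((real, mapped, "real/local-mapped"),
                       (real, dst_mapped, "real/remote-mapped"),
                       (mapped, dst_mapped, "local-mapped/remote-mapped")):
        if a.overlaps(b):
            problems.append(f"{side.name}: {what} subnets overlap ({a} vs {b})")
    return problems, (acl_src, acl_dst)


def check_pair(hq, branch):
    """Each side on its own, then the two proxy IDs must be mirror images."""
    problems, hq_ids = check_side(hq)
    more, br_ids = check_side(branch)
    problems += more
    if hq_ids and br_ids and hq_ids != (br_ids[1], br_ids[0]):
        problems.append(f"crypto ACLs are not mirror images: HQ {hq_ids}, Branch {br_ids}")
    return problems


# Objects and NAT line as quoted from ASA-HQ in the post.
HQ = Side("ASA-HQ", """
object network HQ-Inside_Real
 subnet 10.1.1.0 255.255.255.0
object network HQ-Inside_Mapping
 subnet 172.16.10.0 255.255.255.0
object network Branch_inside_Real
 subnet 10.1.1.0 255.255.255.0
object network Branch_inside_Mapping
 subnet 172.16.20.0 255.255.255.0
""",
    "nat (inside,outside) source static HQ-Inside_Real HQ-Inside_Mapping "
    "destination static Branch_inside_Mapping Branch_inside_Mapping",
    "access-list L2L extended permit ip 172.16.10.0 255.255.255.0 172.16.20.0 255.255.255.0")

# Branch objects are constructed from the names in the branch NAT line (not shown in the post).
BRANCH = Side("ASA-Branch", """
object network Branch-Inside_Real
 subnet 10.1.1.0 255.255.255.0
object network Branch-inside_Mapping
 subnet 172.16.20.0 255.255.255.0
object network HQ-Inside_Mapping
 subnet 172.16.10.0 255.255.255.0
""",
    "nat (inside,outside) source static Branch-Inside_Real Branch-inside_Mapping "
    "destination static HQ-Inside_Mapping HQ-Inside_Mapping",
    "access-list L2L extended permit ip 172.16.20.0 255.255.255.0 172.16.10.0 255.255.255.0")

# A common mistake: writing the crypto ACL with the real (pre-NAT) source subnet.
BRANCH_REAL_ACL = Side(BRANCH.name, BRANCH.objects, BRANCH.nat,
    "access-list L2L extended permit ip 10.1.1.0 255.255.255.0 172.16.10.0 255.255.255.0")

if __name__ == "__main__":
    print(check_pair(HQ, BRANCH))            # [] : both sides agree
    print(check_pair(HQ, BRANCH_REAL_ACL))   # ACL-source and mirror-image problems
```

An empty list means the two configurations agree. The check only covers addressing: it says nothing about the IKE/IPsec proposals, and the DES/MD5/group 2 settings used in the lab above are lab-only choices that a production review should reject in favour of current AES/SHA-2 suites.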


Posted 2020-5-6 16:43:29
Thanks to the OP for sharing, thank you~
Posted 2020-5-28 17:45:52
Learning makes one progress.
Posted 2020-6-12 11:35:01
Nice topology diagram.