Posted by 碧云天 (818 views)
I. Test topology
(The original diagram is an image; the topology below is reconstructed from the configurations in section II.)

Inside (10.1.1.1) -- inside 10.1.1.10 [ASAv] outside 202.100.1.1 -- 202.100.1.10 [Internet] 202.100.2.10 -- E0/1 202.100.2.1 [Branch] E0/2 192.168.1.10 -- Branch-inside (192.168.1.1)
                                          [ASAv] Link 10.2.2.1 ------ dedicated line ------ 10.2.2.2 E0/0 [Branch]

Test summary:
1. With a site-to-site (L2L) VPN, the twice-NAT rule used for NAT exemption interferes with automatic line switchover.
2. With the same NAT-exemption configuration, an EzVPN client in network-plus mode switches lines normally.
3. With an L2L VPN, the NAT exemption can be avoided altogether by "punching holes" in the public PAT rule (excluding the peer's inside subnet from the PAT destination), so the switchover is not affected.
4. On every switchover existing TCP sessions are cut and must be reopened. The ASA connection table binds each flow to the interface pair it was created on, so once the path moves between Link and outside, packets of an established connection arrive on a different interface and are dropped until the entry times out; `clear conn` for the affected hosts speeds this up.

II. Basic configuration
1. Inside router
hostname Inside
interface Ethernet0/1
    ip address 10.1.1.1 255.255.255.0
    no shutdown
ip route 0.0.0.0 0.0.0.0 10.1.1.10
2. ASAv firewall
hostname ASAv
interface GigabitEthernet0/0
    nameif inside
    security-level 100
    ip address 10.1.1.10 255.255.255.0
    no shutdown
interface GigabitEthernet0/1
    nameif Link
    security-level 50
    ip address 10.2.2.1 255.255.255.252
    no shutdown
interface GigabitEthernet0/2
    nameif outside
    security-level 0
    ip address 202.100.1.1 255.255.255.0
    no shutdown
policy-map global_policy
class inspection_default
  inspect icmp
object network InsNet
    subnet 10.1.1.0 255.255.255.0
    nat (inside,outside) dynamic interface
sla monitor 100
type echo protocol ipIcmpEcho 10.2.2.2 interface Link
timeout 1000
frequency 3
sla monitor schedule 100 life forever start-time now
track 1 rtr 100 reachability
route Link 192.168.1.0 255.255.255.0 10.2.2.2 1 track 1
route outside 0.0.0.0 0.0.0.0 202.100.1.10 1
access-list link extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-group link in interface Link
3. Internet router
hostname Internet
interface Ethernet0/0
    ip address 202.100.1.10 255.255.255.0
    no shutdown
interface Ethernet0/1
    ip address 202.100.2.10 255.255.255.0
    no shutdown
4. Branch router
hostname Branch
interface Ethernet0/0
    ip address 10.2.2.2 255.255.255.252
    no shutdown
interface Ethernet0/1
    ip address 202.100.2.1 255.255.255.0
    ip nat outside
    no shutdown
interface Ethernet0/2
    ip address 192.168.1.10 255.255.255.0
    ip nat inside
    no shutdown
ip access-list extended PAT
deny   ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list PAT interface Ethernet0/1 overload
ip sla 1
    icmp-echo 10.2.2.1 source-ip 10.2.2.2
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
ip route 10.1.1.0 255.255.255.0 10.2.2.1 track 1
ip route 0.0.0.0 0.0.0.0 202.100.2.10
5. Branch-inside router
hostname Branch-inside
interface Ethernet0/0
    ip address 192.168.1.1 255.255.255.0
    no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.1.10
6. Verification
① The Inside router can reach the Internet
Inside#ping 202.100.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Inside#
② Branch-inside can reach the Internet
Branch-inside#ping 202.100.2.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.2.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Branch-inside#
③ Inside can reach Branch-inside over the dedicated line
Inside#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
Inside#
III. EzVPN configuration on ASAv and Branch
1. ASAv as EzVPN server
A. Phase 1 policy:
crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
Note: 3DES, MD5 and DH group 2 are used here only because this is a lab. For production use AES, SHA-2 and at least DH group 14, and prefer IKEv2 where both ends support it.
B. Phase 2 transform set:
crypto ipsec ikev1 transform-set transet esp-3des esp-md5-hmac
C. Crypto map, applied to the interface:
crypto dynamic-map Ezdymap 1 set ikev1 transform-set transet
crypto map crymap 65535 ipsec-isakmp dynamic Ezdymap
crypto map crymap interface outside  
crypto ikev1 enable outside    
D. Split-tunnel traffic:
access-list Ezsplit extended permit ip 10.1.1.0 255.255.255.0 any
E. Address pool:
ip local pool EzVPN-pool 123.1.1.100-123.1.1.200
F. Group policy:
group-policy Ezpolicy internal
group-policy Ezpolicy attributes
    dns-server value 8.8.8.8
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Ezsplit
    address-pools value EzVPN-pool
G. Tunnel group bound to the group policy:
tunnel-group EzGroup type remote-access
tunnel-group EzGroup general-attributes
    default-group-policy Ezpolicy
tunnel-group EzGroup ipsec-attributes
    ikev1 pre-shared-key Cisc0123
H. Username and password used by the EzVPN client to log in:
username ezvpnuser password Cisc0123
I. NAT exemption:
object network InsNet
    subnet 10.1.1.0 255.255.255.0
object network ezvpnpool
    range 123.1.1.100 123.1.1.200
object network BranNet
    subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source static InsNet InsNet destination static ezvpnpool ezvpnpool
nat (inside,outside) source static InsNet InsNet destination static BranNet BranNet route-lookup
Note: the route-lookup keyword is required. For identity NAT the ASA otherwise takes the egress interface from the mapped interface of the NAT rule (outside here) instead of from the routing table, so traffic initiated from HQ would leave via outside even while the dedicated line is up. With route-lookup the ASA uses the tracked Link route; when track 1 goes down the route is withdrawn and the default route via outside takes over.
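The egress decision described in the note above, as an added simulation (this is not ASA code and not part of the original post): an identity twice-NAT rule pins the egress interface to its mapped interface unless `route-lookup` is set, in which case the routing table, including the tracked Link route, decides. The routes and rule mirror the ASAv configuration above; the track state is passed in as a plain flag.

```python
"""Model of how the ASA picks the egress interface for a hub-initiated flow
when an identity twice-NAT rule matches, with and without `route-lookup`.
Added illustration for this post; a simulation, not ASA code."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Route:
    iface: str
    prefix: ipaddress.IPv4Network
    metric: int = 1
    track: Optional[str] = None   # track object name; None = untracked (always installed)


@dataclass
class IdentityNatRule:
    """`nat (real,mapped) source static X X destination static Y Y [route-lookup]`"""
    real_iface: str
    mapped_iface: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    route_lookup: bool = False


def best_route(dst: ipaddress.IPv4Address, routes: List[Route],
               tracks: Dict[str, bool]) -> Optional[Route]:
    """Longest-prefix match over routes whose track object (if any) is up."""
    installed = [r for r in routes
                 if dst in r.prefix and (r.track is None or tracks.get(r.track, False))]
    if not installed:
        return None
    return max(installed, key=lambda r: (r.prefix.prefixlen, -r.metric))


def egress_interface(src: str, dst: str, ingress: str, rules: List[IdentityNatRule],
                     routes: List[Route], tracks: Dict[str, bool]) -> Optional[str]:
    """First matching identity rule wins. Without route-lookup the ASA sends the
    flow out of the rule's mapped interface regardless of the routing table;
    with route-lookup (or with no matching rule) the routing table decides."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.real_iface == ingress and s in rule.src and d in rule.dst:
            if not rule.route_lookup:
                return rule.mapped_iface
            break
    route = best_route(d, routes, tracks)
    return route.iface if route else None


# The post's ASAv routing: 192.168.1.0/24 via Link tracked by track 1, default via outside.
ROUTES = [
    Route("Link", ipaddress.IPv4Network("192.168.1.0/24"), track="track1"),
    Route("outside", ipaddress.IPv4Network("0.0.0.0/0")),
]


def hub_egress(route_lookup: bool, link_up: bool) -> Optional[str]:
    """Egress for a flow Inside (10.1.1.1) -> Branch-inside (192.168.1.1) under the
    NAT exemption rule from the post, with the tracked Link route up or down."""
    rule = IdentityNatRule("inside", "outside",
                           ipaddress.IPv4Network("10.1.1.0/24"),
                           ipaddress.IPv4Network("192.168.1.0/24"),
                           route_lookup=route_lookup)
    return egress_interface("10.1.1.1", "192.168.1.1", "inside", [rule], ROUTES,
                            {"track1": link_up})


if __name__ == "__main__":
    for rl in (False, True):
        for up in (True, False):
            print(f"route-lookup={rl!s:5} link_up={up!s:5} -> egress {hub_egress(rl, up)}")
```

Without `route-lookup` the flow leaves via outside even while the Link route is installed; with it, the flow follows Link and falls back to outside only once track 1 is down, which is the behaviour the switchover test depends on.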
2. Branch router as EzVPN client
A. EzVPN client profile:
crypto ipsec client ezvpn EzVPN-Client
    connect auto
    group EzGroup key Cisc0123
    mode network-plus
    peer 202.100.1.1
    username ezvpnuser password Cisc0123
    xauth userid mode local
B. Apply to the interfaces:
interface Ethernet0/1
     crypto ipsec client ezvpn EzVPN-Client
interface Ethernet0/2
     crypto ipsec client ezvpn EzVPN-Client inside
3. Testing
A. Dial manually first:
Branch#crypto ipsec client ezvpn connect
Branch#
Dec 18 14:02:46.963: EZVPN(EzVPN-Client): Pending XAuth Request, Please enter the following command:
Dec 18 14:02:46.963: EZVPN: crypto ipsec client ezvpn xauth

Branch#crypto ipsec client ezvpn xauth
Dec 18 14:02:56.967: EZVPN(EzVPN-Client): Pending XAuth Request, Please enter the following command:
Dec 18 14:02:56.967: EZVPN: crypto ipsec client ezvpn xauth

Branch#crypto ipsec client ezvpn xauth
Username: ezvpnuser
Password:
Branch#
Dec 18 14:03:09.582: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client)  User=  Group=EzGroup  Client_public_addr=202.100.2.1  Server_public_addr=202.100.1.1  Assigned_client_addr=123.1.1.100  
Branch#
Dec 18 14:03:10.558: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback10000, changed state to up
Branch#
B. Once the tunnel is up, the Branch router (shown with hostname Home in this capture) can ping Inside (10.1.1.1) and Branch-inside (192.168.1.1) sourcing from the assigned address:
Home#ping 10.1.1.1 source  Loopback10000
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 123.1.1.100
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/6/6 ms
Home#ping 192.168.1.1 source  Loopback10000
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 123.1.1.100
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/6/7 ms
Home#
C. Branch-inside pings Inside continuously while the Branch dedicated-line interface E0/0 is shut and re-enabled; only about 1% of the packets are lost:
Branch-inside#ping 10.1.1.1 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (990/1000), round-trip min/avg/max = 1/1/7 ms
Branch-inside#
Branch(config-if)#shutdown
Branch(config-if)#
*Dec 21 03:24:22.927: %LINK-5-CHANGED: Interface Ethernet0/0, changed state to administratively down
*Dec 21 03:24:23.935: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to down
Branch(config-if)#
*Dec 21 03:26:16.637: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
*Dec 21 03:26:17.646: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up
Branch(config-if)#
*Dec 21 03:27:04.550: %TRACK-6-STATE: 1 ip sla 1 reachability Down -> Up
Note: TCP connections, for example a telnet session from Branch-inside to the Inside router, hang when the line switches over.
D. After testing, let the Branch router dial automatically (credentials in the profile instead of interactive XAuth):
crypto ipsec client ezvpn EzVPN-Client
    connect auto
    username ezvpnuser password Cisc0123
IV. L2L VPN configuration on ASAv and Branch
Note: remove the EzVPN configuration before starting.
1. ASAv
① Phase 1 policy:
crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
tunnel-group 202.100.2.1 type ipsec-l2l
tunnel-group 202.100.2.1 ipsec-attributes
    ikev1 pre-shared-key 0 Cisc0123
② Phase 2 transform set:
crypto ipsec ikev1 transform-set transet esp-3des esp-md5-hmac
③ Interesting traffic:
object network InsNet
    subnet 10.1.1.0 255.255.255.0
object network BranNet
    subnet 192.168.1.0 255.255.255.0
access-list VPN extended permit ip object InsNet object BranNet
④ Crypto map, applied to the interface:
crypto map crymap 10 match address VPN
crypto map crymap 10 set peer 202.100.2.1
crypto map crymap 10 set ikev1 transform-set transet
crypto map crymap 10 set pfs group2
crypto map crymap interface outside 
⑤ Enable IKEv1 on the outside interface:
crypto ikev1 enable outside 
⑥ NAT exemption:
nat (inside,outside) source static InsNet InsNet destination static BranNet BranNet
2. Branch router
① Phase 1 policy:
crypto isakmp policy 10
    encr 3des
    hash md5
    authentication pre-share
    group 2
crypto isakmp key 0 Cisc0123 address 202.100.1.1
② Phase 2 transform set:
crypto ipsec transform-set transet esp-3des esp-md5-hmac
③ Interesting traffic:
ip access-list extended VPN
    permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
④ Crypto map, applied to the interface:
crypto map crymap 10 ipsec-isakmp
    set peer 202.100.1.1
    set transform-set transet
    set pfs group2
    match address VPN
interface Ethernet0/1
    crypto map crymap
3. Verification
A. Shut the dedicated-line interface on Branch:
Branch(config-if)#int e0/0
Branch(config-if)#shutdown
Branch(config-if)#
*Dec 21 03:48:10.253: %LINK-5-CHANGED: Interface Ethernet0/0, changed state to administratively down
*Dec 21 03:48:11.258: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to down
B. Branch-inside brings the VPN up normally:
Branch-inside#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/2 ms
Branch-inside#
C. The Inside router can also ping Branch-inside:
Inside#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/3 ms
Inside#
D. Re-enable the dedicated-line interface on Branch: traffic flows normally and a capture confirms it takes the dedicated line.
E. Because traffic is now on the dedicated line, shutting and re-enabling the Internet link has no effect on access in either direction.
F. When the Branch dedicated-line interface is shut again, the switchover fails.
--- From the packet capture: ESP packets from Branch reach the ASAv, but nothing comes back. On the ASA, `show crypto ipsec sa` (decaps versus encaps counters), `show asp drop` and `show conn` for 192.168.1.0/24 show where the return traffic is being dropped.
G. Change the NAT configuration: remove the NAT exemption and the object PAT, and rebuild the PAT with twice NAT.
no nat (inside,outside) source static InsNet InsNet destination static BranNet BranNet
object network InsNet
    subnet 192.168.1.0 255.255.255.0
    no nat (inside,outside) dynamic interface
object network pub1
    range 0.0.0.0 10.1.1.0
object network pub2
    range 10.1.1.255 192.168.1.0
object network pub3
    range 192.168.1.255 255.255.255.255
Note: the hole-punching rule is to exclude the inside interface subnet and the peer's inside subnet from the PAT destination ranges.
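The hole-punching rule above, as an added example (my code, not part of the original post): compute the exact complement of the excluded subnets over the whole IPv4 space and render it as ASA `object network ... range` definitions. The object names `pub1..pubN` follow the post; the generator and the check function are mine. The exact complement stops at 10.1.0.255 and resumes at 10.1.2.0 (and likewise around 192.168.1.0/24), whereas the post's objects end at 10.1.1.0 and restart at 10.1.1.255, so they also cover the network and broadcast addresses of the excluded subnets. The twice-NAT PAT rules that consume these objects are not on the page and are not generated here.

```python
"""Compute the public "holes" for the PAT rule: every IPv4 range except the
subnets that must stay un-NATed (the local inside subnet and the peer's
inside subnet), and emit them as ASA network objects.
Added example for this post; the generator is mine, not Cisco's."""
import ipaddress
from typing import Iterable, List, Tuple

Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def hole_punch_ranges(exclude: Iterable[str], space: str = "0.0.0.0/0") -> List[Range]:
    """Return the ranges of `space` not covered by any `exclude` subnet, ascending,
    as (first, last) pairs. Overlapping or adjacent excludes are merged."""
    universe = ipaddress.IPv4Network(space)
    nets = sorted((ipaddress.IPv4Network(n) for n in exclude),
                  key=lambda n: int(n.network_address))
    ranges: List[Range] = []
    cursor = int(universe.network_address)
    end = int(universe.broadcast_address)
    for n in nets:
        lo, hi = int(n.network_address), int(n.broadcast_address)
        if hi < cursor:          # entirely inside an earlier exclude: nothing new
            continue
        if lo > cursor:          # gap before this exclude becomes one public range
            ranges.append((ipaddress.IPv4Address(cursor), ipaddress.IPv4Address(lo - 1)))
        cursor = hi + 1          # resume just past this exclude
    if cursor <= end:
        ranges.append((ipaddress.IPv4Address(cursor), ipaddress.IPv4Address(end)))
    return ranges


def asa_objects(ranges: List[Range], prefix: str = "pub") -> str:
    """Render the ranges as `object network` definitions in ASA syntax."""
    lines = []
    for i, (lo, hi) in enumerate(ranges, start=1):
        lines.append(f"object network {prefix}{i}")
        lines.append(f"    range {lo} {hi}")
    return "\n".join(lines)


def is_excluded(addr: str, ranges: List[Range]) -> bool:
    """True if `addr` falls in none of the public ranges, i.e. it will not be PATed."""
    a = ipaddress.IPv4Address(addr)
    return not any(lo <= a <= hi for lo, hi in ranges)


# Inside interface subnet and BranNet, as in the post.
EXCLUDE = ["10.1.1.0/24", "192.168.1.0/24"]

if __name__ == "__main__":
    print(asa_objects(hole_punch_ranges(EXCLUDE)))
```

Run it to get the three `pubN` objects; `is_excluded` is the check to run against any new subnet you add to the exclusion list before you touch the PAT rule.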