
PIX/ASA 7.x and Later: LAN-to-LAN (L2L) IPsec VPN with Policy NAT Configuration Example

Updated October 24, 2016 (translated edition; English original dated August 22, 2015)


Introduction

This document describes how to translate (NAT) the VPN traffic that travels over a LAN-to-LAN (L2L) IPsec tunnel between two security appliances, and how to PAT the Internet traffic at the same time. Each security appliance has a private, protected network behind it.

On PIX-A, the network 192.168.1.0 is translated to the 172.18.1.0 network, and the VPN traffic is sent through the IPsec tunnel with that translated source.

In an L2L VPN the IPsec tunnel can normally be initiated from either tunnel endpoint. In this case, however, PIX-A translates its inside network (192.168.1.0) to 172.18.1.0 with policy NAT for the VPN traffic. Because of this translation, the source network of the interesting traffic, 172.18.1.0, is not reachable from PIX-B: if you try to initiate the tunnel from PIX-B, the destination of the VPN-interesting traffic, 172.18.1.0 (that is, the translated network address of PIX-A), is unreachable. The VPN tunnel must therefore be initiated only from PIX-A.

Prerequisites

Requirements

Before you attempt this configuration, ensure that the interface IP addresses of the PIX security appliances are configured and that basic connectivity exists between them.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco PIX 500 Series Security Appliances that run software version 7.x and later

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Related Products

This configuration can also be used with Cisco 5500 Series Adaptive Security Appliances that run software version 7.x and later.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Configure

This section presents the information you need to configure the features described in this document.

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.

Network Diagram

This document uses this network setup:

[Network diagram: /image/gif/paws/99122/pixasa7x-vpn-nat-config.gif]

Configurations

This document uses these configurations:

PIX-A
PIX-A#show running-config 
: Saved
:
PIX Version 7.1(1)
!
hostname PIX-A
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 172.17.1.1 255.255.255.0

!--- Configure the outside interface.

!

interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0

!--- Configure the inside interface.


passwd 2KFQnbNIdI.2KYOU encrypted                                                      
ftp mode passive

access-list new extended permit ip 172.18.1.0 255.255.255.0 10.1.0.0 255.255.255.0

!--- This access list (new) is used with the crypto map (outside_map)
!--- in order to determine which traffic should be encrypted
!--- and sent across the tunnel. Note that it names the translated
!--- source network 172.18.1.0, because NAT is applied before the crypto map is evaluated.


access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.255.0


!--- The policy-nat ACL is used with the static 
!--- command in order to match the VPN traffic for translation. 

pager lines 24
mtu outside 1500
mtu inside 1500
no failover
asdm image flash:/asdm-511.bin
no asdm history enable
arp timeout 14400

static (inside,outside) 172.18.1.0  access-list policy-nat

!--- This is a policy NAT statement: the static command with the access list (policy-nat)
!--- matches the VPN traffic and translates the source 192.168.1.0 to 172.18.1.0
!--- for outbound VPN traffic.


global (outside) 1 172.19.1.1
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

!--- These statements PAT the Internet traffic (everything except the VPN traffic)
!--- to the IP address 172.19.1.1.


route outside 0.0.0.0 0.0.0.0 172.17.1.2 1



!--- Output suppressed



!--- PHASE 2 CONFIGURATION ---!
!--- The encryption types for Phase 2 are defined here.

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

!--- Define the transform set for Phase 2.

crypto map outside_map 20 match address new

!--- Define which traffic should be sent to the IPsec peer with the
!--- access list (new).


crypto map outside_map 20 set peer 172.16.1.2

!--- Sets the IPsec peer (remote end point)

crypto map outside_map 20 set transform-set ESP-AES-256-SHA

!--- Sets the IPsec transform set "ESP-AES-256-SHA"
!--- to be used with the crypto map entry "outside_map"

crypto map outside_map interface outside

!--- Specifies the interface to be used with 
!--- the settings defined in this configuration

!--- PHASE 1 CONFIGURATION ---!

!--- This configuration uses isakmp policy 10.   
!--- Policy 65535 is included in the configuration by default.
!--- These configuration commands define the  
!--- Phase 1 policy parameters that are used.

isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400

isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400

tunnel-group 172.16.1.2 type ipsec-l2l

!--- In order to create and manage the database of connection-specific records
!--- for ipsec-l2l (IPsec LAN-to-LAN) tunnels, use the tunnel-group
!--- command in global configuration mode.
!--- For L2L connections, the name of the tunnel group must be
!--- the IP address of the IPsec peer (remote peer end).

tunnel-group 172.16.1.2 ipsec-attributes
 pre-shared-key *

!--- Enter the pre-shared key in order to configure the authentication method.



telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:33e1e37cd1280d908210dac0cc26e706
: end
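As an added illustration (not part of the original Cisco document), the following Python model walks a packet through the three PIX-A statements that matter here, in the order the security appliance applies them to inside-to-outside traffic: the policy NAT static, the dynamic nat/global PAT, and the crypto map ACL new. It shows why access-list new references the translated 172.18.1.0 network rather than 192.168.1.0, and what happens when the crypto ACL is written against the untranslated network instead (the CRYPTO_ACL_WRONG case). The function names, the crypto_acl parameter and the sample packets are this example's own; 198.51.100.7 is a constructed Internet destination.

```python
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed from the PIX-A running-config above (statement -> model):
#   access-list policy-nat ... / static (inside,outside) 172.18.1.0 access-list policy-nat
POLICY_NAT_ACL = [(ip_network("192.168.1.0/24"), ip_network("10.1.0.0/24"))]
STATIC_MAPPED_NET = ip_network("172.18.1.0/24")
#   global (outside) 1 172.19.1.1 / nat (inside) 1 0.0.0.0 0.0.0.0
PAT_GLOBAL = ip_address("172.19.1.1")
#   access-list new ... / crypto map outside_map 20 match address new
CRYPTO_ACL_NEW = [(ip_network("172.18.1.0/24"), ip_network("10.1.0.0/24"))]
# Hypothetical mistake for comparison (not on the page): a crypto ACL written
# against the untranslated inside network instead of the policy-NAT mapped one.
CRYPTO_ACL_WRONG = [(ip_network("192.168.1.0/24"), ip_network("10.1.0.0/24"))]


def acl_permits(acl, src, dst):
    """True when any (source net, destination net) entry covers the packet."""
    return any(src in s_net and dst in d_net for s_net, d_net in acl)


def apply_static(src):
    """Net-to-net static translation: keep the host part, swap the prefix."""
    inside_net = POLICY_NAT_ACL[0][0]
    host_part = int(src) - int(inside_net.network_address)
    return IPv4Address(int(STATIC_MAPPED_NET.network_address) + host_part)


def forward(src, dst, crypto_acl=CRYPTO_ACL_NEW):
    """Return how PIX-A would NAT and classify one inside-to-outside packet."""
    src, dst = ip_address(src), ip_address(dst)
    # 1. Policy NAT (the static with an ACL) takes precedence over the dynamic rule.
    if acl_permits(POLICY_NAT_ACL, src, dst):
        xlated, rule = apply_static(src), "static policy-nat"
    # 2. Anything else hits nat (inside) 1 and is PATed to 172.19.1.1.
    else:
        xlated, rule = PAT_GLOBAL, "dynamic PAT"
    # 3. The crypto map ACL is evaluated against the already-translated source,
    #    which is why access-list new names 172.18.1.0, not 192.168.1.0.
    encrypt = acl_permits(crypto_acl, xlated, dst)
    return {"src": str(xlated), "rule": rule, "encrypt": encrypt}


if __name__ == "__main__":
    for pkt in (("192.168.1.10", "10.1.0.5"), ("192.168.1.10", "198.51.100.7")):
        print(pkt, "->", forward(*pkt))
    print("wrong crypto ACL:", forward("192.168.1.10", "10.1.0.5", CRYPTO_ACL_WRONG))
```

Running the script shows the VPN-bound packet leaving as 172.18.1.10 and matching the crypto map, the Internet-bound packet leaving as 172.19.1.1 without matching it, and the mis-written crypto ACL silently matching nothing, so the traffic would be sent in the clear by PAT instead of through the tunnel.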

PIX-B
PIX-B#show running-config 
: Saved
:
PIX Version 8.0(2)
!
hostname PIX-B
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 172.16.1.2 255.255.255.0                                                
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0
!

!--- Output Suppressed


access-list 102 extended permit ip 10.1.0.0 255.255.255.0 172.18.1.0 255.255.255.0

!--- This access list (102) is used with the crypto map
!--- outside_map in order to determine which traffic should be encrypted  
!--- and sent across the tunnel.

access-list no-nat extended permit ip 10.1.0.0 255.255.255.0 172.18.1.0 255.255.255.0

!--- This access list (no-nat) is used with the  
!--- nat zero command.
!--- This prevents traffic, which matches the access list, from undergoing
!--- network address translation (NAT). 


global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

!--- These statements PAT the Internet traffic (everything except the VPN traffic)
!--- to the outside interface IP address.



nat (inside) 0 access-list no-nat


!--- NAT 0 prevents NAT for networks specified in the ACL (no-nat).

 
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1

!--- PHASE 2 CONFIGURATION ---!
!--- The encryption types for Phase 2 are defined here.

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

!--- Define the transform set for Phase 2.


crypto map outside_map 20 match address 102

!--- Define which traffic should be sent to the IPsec peer.


crypto map outside_map 20 set peer 172.17.1.1

!--- Sets the IPsec peer


crypto map outside_map 20 set transform-set ESP-AES-256-SHA

!--- Sets the IPsec transform set "ESP-AES-256-SHA"
!--- to be used with the crypto map entry "outside_map"


crypto map outside_map interface outside


!--- Specifies the interface to be used with 
!--- the settings defined in this configuration

!--- PHASE 1 CONFIGURATION ---!

!--- This configuration uses isakmp policy 10.   
!--- Policy 65535 is included in the config by default.
!--- The configuration commands here define the  
!--- Phase 1 policy parameters that are used.




crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal

!--- Output suppressed



!--- In order to create and manage the database of connection-specific
!--- records for ipsec-l2l (IPsec LAN-to-LAN) tunnels, use the
!--- tunnel-group command in global configuration mode.
!--- For L2L connections the name of the tunnel group must be
!--- the IP address of the IPsec peer.


tunnel-group 172.17.1.1 type ipsec-l2l
tunnel-group 172.17.1.1 ipsec-attributes
 pre-shared-key *

!--- Enter the pre-shared key in order to configure the authentication method.



prompt hostname context
Cryptochecksum:6b505b4a05c1aee96a71e67c23e71865
: end

Verify

Use this section to confirm that your configuration works properly.

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

  • show crypto isakmp sa - Shows all current IKE security associations (SAs) at a peer.

  • show crypto ipsec sa - Shows the settings used by current SAs.

Example

show commands from PIX-A

PIX-A#show crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 172.16.1.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
PIX-A#show crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 20, local addr: 172.17.1.1

      access-list new permit ip 172.18.1.0 255.255.255.0 10.1.0.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.18.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
      current_peer: 172.16.1.2

      #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 9, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.17.1.1, remote crypto endpt.: 172.16.1.2

      path mtu 1500, ipsec overhead 76, media mtu 1500
      current outbound spi: 95D66663

    inbound esp sas:
      spi: 0x9A4CB431 (2588718129)
         transform: esp-aes-256 esp-sha-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4274999/28758)
         IV size: 16 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x95D66663 (2513856099)
         transform: esp-aes-256 esp-sha-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4274999/28756)
         IV size: 16 bytes
         replay detection support: Y
PIX-A#show nat

NAT policies on Interface inside:
  match ip inside 192.168.1.0 255.255.255.0 outside 10.1.0.0 255.255.255.0
    static translation to 172.18.1.0
    translate_hits = 5, untranslate_hits = 5
PIX-A#show xlate
1 in use, 2 most used
Global 172.18.1.0 Local 192.168.1.0

show commands from PIX-B

PIX-B#show crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 20, local addr: 172.16.1.2

      access-list 102 permit ip 10.1.0.0 255.255.255.0 172.18.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.18.1.0/255.255.255.0/0/0)
      current_peer: 172.17.1.1

      #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
      #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 14, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.16.1.2, remote crypto endpt.: 172.17.1.1

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 9A4CB431

    inbound esp sas:
      spi: 0x95D66663 (2513856099)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 16384, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3824998/28712)
         IV size: 16 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x9A4CB431 (2588718129)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 16384, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3824998/28712)
         IV size: 16 bytes
         replay detection support: Y
PIX-B#show crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 172.17.1.1
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
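The show crypto ipsec sa output from both ends is what you compare to confirm that the tunnel actually carries traffic. As an added example (not Cisco code), this Python script parses the relevant fields from each end's output and cross-checks them: the proxy identities must be mirrored, PIX-A's outbound SPI must equal PIX-B's inbound SPI and vice versa, both the encaps and decaps counters must be non-zero, and send/recv errors must be zero. The inline samples are trimmed copies of the output shown on this page; the function names are this example's own.

```python
import re

# Trimmed copies of the "show crypto ipsec sa" output on this page
# (only the lines the parser reads are kept).
PIX_A_OUTPUT = """\
interface: outside
    Crypto map tag: outside_map, seq num: 20, local addr: 172.17.1.1

      local ident (addr/mask/prot/port): (172.18.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
      current_peer: 172.16.1.2

      #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
      #send errors: 0, #recv errors: 0

    inbound esp sas:
      spi: 0x9A4CB431 (2588718129)
    outbound esp sas:
      spi: 0x95D66663 (2513856099)
"""

PIX_B_OUTPUT = """\
interface: outside
    Crypto map tag: outside_map, seq num: 20, local addr: 172.16.1.2

      local ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.18.1.0/255.255.255.0/0/0)
      current_peer: 172.17.1.1

      #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
      #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
      #send errors: 0, #recv errors: 0

    inbound esp sas:
      spi: 0x95D66663 (2513856099)
    outbound esp sas:
      spi: 0x9A4CB431 (2588718129)
"""


def parse_ipsec_sa(text):
    """Extract the identity, SPI and counter fields from one SA entry."""
    def grab(pattern):
        m = re.search(pattern, text)
        return m.group(1) if m else None

    return {
        "local_net": grab(r"local ident \(addr/mask/prot/port\): \(([\d.]+/[\d.]+)/"),
        "remote_net": grab(r"remote ident \(addr/mask/prot/port\): \(([\d.]+/[\d.]+)/"),
        "peer": grab(r"current_peer: ([\d.]+)"),
        "spi_in": grab(r"inbound esp sas:\s*spi: (0x[0-9A-Fa-f]+)"),
        "spi_out": grab(r"outbound esp sas:\s*spi: (0x[0-9A-Fa-f]+)"),
        "counters": {k: int(v) for k, v in re.findall(r"#pkts (\w+): (\d+)", text)},
        "errors": {k: int(v) for k, v in re.findall(r"#(send|recv) errors: (\d+)", text)},
    }


def check_tunnel(a, b):
    """Cross-check both ends of one SA pair; an empty list means healthy."""
    problems = []
    if a["local_net"] != b["remote_net"] or a["remote_net"] != b["local_net"]:
        problems.append("proxy identities are not mirrored between the peers")
    if (a["spi_out"] or "").upper() != (b["spi_in"] or "").upper() \
            or (a["spi_in"] or "").upper() != (b["spi_out"] or "").upper():
        problems.append("SPIs do not cross-match (different SA pair or stale SA)")
    for name, sa in (("PIX-A", a), ("PIX-B", b)):
        c = sa["counters"]
        if c.get("encaps", 0) == 0 or c.get("decaps", 0) == 0:
            problems.append(f"{name}: traffic flows in only one direction or not at all")
        if any(sa["errors"].values()):
            problems.append(f"{name}: send/recv errors are non-zero")
    return problems


if __name__ == "__main__":
    result = check_tunnel(parse_ipsec_sa(PIX_A_OUTPUT), parse_ipsec_sa(PIX_B_OUTPUT))
    print("tunnel OK" if not result else "\n".join(result))
```

A mismatch in the proxy identities is the classic symptom of the crypto ACL being written against the untranslated network on one side; a SPI mismatch usually means you are looking at a stale SA, which is why the Troubleshoot section tells you to clear the SAs after a change.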

Troubleshoot

Clear Security Associations

When you troubleshoot, be sure to clear the existing security associations after you make a change. In privileged mode on the PIX, use these commands:

  • clear crypto ipsec sa - Deletes the active IPsec SAs.

  • clear crypto isakmp sa - Deletes the active IKE SAs.

Troubleshooting Commands

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

Note: Refer to Important Information on Debug Commands before you use debug commands.

  • debug crypto ipsec - Displays the IPsec negotiations of Phase 2.

  • debug crypto isakmp - Displays the ISAKMP negotiations of Phase 1.


Related Information


Document ID: 99122