1. Overview

I tested two methods of solving the overlapping-address problem on PIX 8.0 and never felt either was very clean. These days I happen to be reading the ASA NAT documentation and it seemed that a static NAT of the form nat (Outside,Inside) static could solve it. The rack happened to be free, so I tested it on the rack.

2. Basic idea

A. Both ends are ASA 8.0. After the L2L *** is built, each side configures a static NAT between its Inside and the tunnel side (static (Outside,Inside)), so that the peer's real 172.16.1.0/24 is presented to the local LAN under a distinct mapped network (172.16.101.0/24 as seen from HQ, 172.16.100.0/24 as seen from the branch). Inside the tunnel both sides still carry the real 172.16.1.0/24 addresses; the translation happens only at the edge of each LAN.

3. Test topology

ERP_HQ (172.16.1.2, secondary 172.16.1.3) -- ASA-HQ (Inside 172.16.1.1, Outside 202.100.1.1) -- Internet router (202.100.1.10 / 202.100.2.10) -- ASA-Branch (Outside 202.100.2.1, Inside 172.16.1.1) -- ERP_Branch (172.16.1.2, secondary 172.16.1.3). Both LANs deliberately use the same 172.16.1.0/24.
4. Basic configuration

A. ERP_HQ router (two addresses on one interface, so that one host can be the ping/telnet source and the other the target):

interface GigabitEthernet0/0
 ip address 172.16.1.2 255.255.255.0
 ip address 172.16.1.3 255.255.255.0 secondary
 no shut
ip route 0.0.0.0 0.0.0.0 172.16.1.1
B. ASA-HQ:

interface GigabitEthernet0/0
 nameif Inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
 no shut
interface GigabitEthernet0/1
 nameif Outside
 security-level 0
 ip address 202.100.1.1 255.255.255.0
 no shut
route Outside 0.0.0.0 0.0.0.0 202.100.1.10 1
C. Internet router:

interface GigabitEthernet0/0
 ip address 202.100.1.10 255.255.255.0
 no shut
interface GigabitEthernet0/1
 ip address 202.100.2.10 255.255.255.0
 no shut
D. ASA-Branch (note the Inside network is the same 172.16.1.0/24 as at HQ):

interface GigabitEthernet0/0
 nameif Inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
 no shut
interface GigabitEthernet0/1
 nameif Outside
 security-level 0
 ip address 202.100.2.1 255.255.255.0
 no shut
route Outside 0.0.0.0 0.0.0.0 202.100.2.10 1
E. ERP_Branch router:

interface GigabitEthernet0/0
 ip address 172.16.1.2 255.255.255.0
 ip address 172.16.1.3 255.255.255.0 secondary
ip route 0.0.0.0 0.0.0.0 172.16.1.1
5. Firewall NAT configuration

A. ASA-HQ:

① Dynamic PAT (ordinary Internet access for the LAN):

access-list PAT extended permit ip 172.16.0.0 255.255.0.0 any
nat (Inside) 1 access-list PAT
global (Outside) 1 interface

② Static NAT. The syntax is static (real_ifc,mapped_ifc) mapped_ip real_ip: the real addresses (the branch LAN, reached through the tunnel) live behind Outside, and they are presented to Inside hosts as 172.16.101.0/24:

static (Outside,Inside) 172.16.101.0 172.16.1.0 netmask 255.255.255.0

③ NAT exemption:

access-list NONAT extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
nat (Inside) 0 access-list NONAT

--- Note: the NAT exemption must cover the addresses as they are after the static NAT, i.e. the peer's real 172.16.1.0/24 and not only the mapped 172.16.101.0/24 (the /16 here covers both). Otherwise the packet is first untranslated by the static entry and then PATed by nat (Inside) 1, so it never matches the interesting traffic (crypto ACL) and is routed out of Outside as plain Internet traffic instead of into the tunnel.
B. ASA-Branch (mirror image; HQ's real 172.16.1.0/24 is presented to branch hosts as 172.16.100.0/24):

① Dynamic PAT:

access-list PAT extended permit ip 172.16.0.0 255.255.0.0 any
nat (Inside) 1 access-list PAT
global (Outside) 1 interface

② Static NAT:

static (Outside,Inside) 172.16.100.0 172.16.1.0 netmask 255.255.255.0

③ NAT exemption:

access-list NONAT extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
nat (Inside) 0 access-list NONAT

--- Note: as on the HQ side, the NAT exemption must cover the addresses after the static NAT (the peer's real 172.16.1.0/24, not only the mapped 172.16.100.0/24). Otherwise the packet is untranslated by the static entry, then PATed, and never matches the interesting traffic.
6. Firewall L2L *** configuration

A. ASA-HQ:

① Phase 1 policy and peer:

crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
tunnel-group 202.100.2.1 type ipsec-l2l
tunnel-group 202.100.2.1 ipsec-attributes
 pre-shared-key cisco

② Phase 2 transform set:

crypto ipsec transform-set transet esp-des esp-md5-hmac

③ Interesting traffic. The crypto ACL is evaluated after the static untranslation, so it must match the real addresses on both sides; the /16 covers the real 172.16.1.0/24 at either end:

access-list *** extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0

④ Configure the crypto map and apply it on the interface:

crypto map crymap 10 match address ***
crypto map crymap 10 set peer 202.100.2.1
crypto map crymap 10 set transform-set transet
crypto map crymap interface Outside
crypto isakmp enable Outside

--- Note: crypto map crymap interface Outside is the command that binds the map to the interface; without it the tunnel never negotiates. The algorithms here are lab values: DES/3DES with MD5, DH group 2 and the pre-shared key "cisco" are fine on a rack but should be replaced in production by AES and SHA-2 transforms (for example esp-aes-256 esp-sha-hmac), DH group 14 or higher, and a long random pre-shared key or certificates.
B. ASA-Branch (identical apart from the peer address):

① Phase 1 policy and peer:

crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
tunnel-group 202.100.1.1 type ipsec-l2l
tunnel-group 202.100.1.1 ipsec-attributes
 pre-shared-key cisco

② Phase 2 transform set:

crypto ipsec transform-set transet esp-des esp-md5-hmac

③ Interesting traffic:

access-list *** extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0

④ Configure the crypto map and apply it on the interface:

crypto map crymap 10 match address ***
crypto map crymap 10 set peer 202.100.1.1
crypto map crymap 10 set transform-set transet
crypto map crymap interface Outside
crypto isakmp enable Outside
7. Testing

A. Access from ERP_HQ to ERP_Branch. HQ addresses the branch host 172.16.1.3 as 172.16.101.3; the branch sees the HQ host 172.16.1.2 arriving as 172.16.100.2. The first echo is typically lost while IKE brings the tunnel up.

ERP_HQ#ping 172.16.101.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.101.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
ERP_HQ#
*Jul 10 03:34:15.142: ICMP: echo reply rcvd, src 172.16.101.3, dst 172.16.1.2
*Jul 10 03:34:15.146: ICMP: echo reply rcvd, src 172.16.101.3, dst 172.16.1.2
*Jul 10 03:34:15.146: ICMP: echo reply rcvd, src 172.16.101.3, dst 172.16.1.2
*Jul 10 03:34:15.150: ICMP: echo reply rcvd, src 172.16.101.3, dst 172.16.1.2

ERP_Branch(config-line)#
*Mar 31 14:57:59.470: ICMP: echo reply sent, src 172.16.1.3, dst 172.16.100.2
*Mar 31 14:57:59.474: ICMP: echo reply sent, src 172.16.1.3, dst 172.16.100.2
*Mar 31 14:57:59.474: ICMP: echo reply sent, src 172.16.1.3, dst 172.16.100.2
*Mar 31 14:57:59.478: ICMP: echo reply sent, src 172.16.1.3, dst 172.16.100.2

ERP_HQ#telnet 172.16.101.3
Trying 172.16.101.3 ... Open
User Access Verification
Password:
ERP_Branch>show users
    Line       User       Host(s)              Idle       Location
*514 vty 0                idle                 00:00:00 172.16.100.2
  Interface    User               Mode         Idle     Peer Address
ERP_Branch>
B. Access from ERP_Branch to ERP_HQ. The branch addresses the HQ host 172.16.1.3 as 172.16.100.3; HQ sees the branch host 172.16.1.2 arriving as 172.16.101.2.

ERP_Branch#ping 172.16.100.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.100.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
ERP_Branch#
*Mar 31 15:15:51.374: ICMP: echo reply rcvd, src 172.16.100.3, dst 172.16.1.2
*Mar 31 15:15:51.374: ICMP: echo reply rcvd, src 172.16.100.3, dst 172.16.1.2
*Mar 31 15:15:51.378: ICMP: echo reply rcvd, src 172.16.100.3, dst 172.16.1.2
*Mar 31 15:15:51.378: ICMP: echo reply rcvd, src 172.16.100.3, dst 172.16.1.2
*Mar 31 15:15:51.378: ICMP: echo reply rcvd, src 172.16.100.3, dst 172.16.1.2

ERP_HQ(config-line)#
*Jul 10 03:52:07.029: ICMP: echo reply sent, src 172.16.1.3, dst 172.16.101.2
*Jul 10 03:52:07.033: ICMP: echo reply sent, src 172.16.1.3, dst 172.16.101.2
*Jul 10 03:52:07.033: ICMP: echo reply sent, src 172.16.1.3, dst 172.16.101.2
*Jul 10 03:52:07.037: ICMP: echo reply sent, src 172.16.1.3, dst 172.16.101.2
*Jul 10 03:52:07.037: ICMP: echo reply sent, src 172.16.1.3, dst 172.16.101.2

ERP_Branch#telnet 172.16.100.3
Trying 172.16.100.3 ... Open
User Access Verification
Password:
ERP_HQ>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:01:24
*514 vty 0                idle                 00:00:00 172.16.101.2
  Interface    User               Mode         Idle     Peer Address
ERP_HQ>
--- Note: the only drawback of this approach is that a host cannot reach the peer host that has the same host number as itself. For example, 172.16.1.2 at HQ sending to 172.16.101.2 is untranslated to 172.16.1.2 -> 172.16.1.2, a packet whose source equals its destination, and the ASA drops it in its slowpath security checks (the same check that catches land-attack packets).
--- The ASA packet-tracer shows the drop on the branch Outside interface:

ASA-Branch# packet-tracer input Outside icmp 172.16.1.2 8 0 172.16.1.2

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.1.0 255.255.255.0 Inside

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed
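To make the address flow concrete, here is an added Python model of the design (written for this page, not part of the original post and not Cisco code). It reproduces only the steps the page relies on: the static (Outside,Inside) untranslation of the mapped destination on the sending side, the NAT-exemption check against the post-untranslation destination (the note in section 5), the crypto ACL match, and on the receiving side the source-equals-destination drop from the note above followed by translation of the remote real source to its mapped address. The ordering of those steps is an assumption derived from the page's note and packet-tracer output, not from Cisco documentation; the "bad nonat" firewall is a hypothetical misconfiguration constructed to show why the exemption must include the real addresses.

```python
"""Model of the two-ASA overlapping-subnet design on this page.

Added illustration, not Cisco code.  Only the pre-8.3 ASA NAT steps the page
relies on are modelled, in the order the page's own note and packet-tracer
output imply (an assumption, not Cisco documentation):

  Inside -> Outside : static (Outside,Inside) untranslates the mapped
                      destination; nat 0 exemption is then checked against
                      the post-untranslation destination; then the crypto ACL.
  Outside -> Inside : src == dst is dropped (sp-security-failed); then the
                      static translates the remote real source to its mapped
                      address.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


class Drop(Exception):
    """Packet dropped; str(exc) carries the reason."""


@dataclass(frozen=True)
class Asa:
    name: str
    mapped_net: Net              # static (Outside,Inside) MAPPED real
    real_net: Net                # static (Outside,Inside) mapped REAL
    nonat: tuple[Net, Net]       # nat (Inside) 0 access-list: (src, dst)
    crypto: tuple[Net, Net]      # crypto map match address: (src, dst)


def rehost(addr: Addr, from_net: Net, to_net: Net) -> Addr:
    """Keep the host bits, swap the prefix (both nets are /24 on the page)."""
    assert from_net.prefixlen == to_net.prefixlen
    return Addr(int(to_net.network_address) + (int(addr) - int(from_net.network_address)))


def outbound(asa: Asa, src: Addr, dst: Addr) -> tuple[Addr, Addr]:
    """Inside -> Outside. Returns the inner (pre-encryption) addresses."""
    if dst in asa.mapped_net:
        dst = rehost(dst, asa.mapped_net, asa.real_net)
    # The page's note: exemption must cover the address AFTER the static,
    # otherwise the flow is PATed to the Outside address and misses the tunnel.
    if not (src in asa.nonat[0] and dst in asa.nonat[1]):
        raise Drop(f"{asa.name}: not NAT-exempt, flow would be PATed and miss the crypto ACL")
    if not (src in asa.crypto[0] and dst in asa.crypto[1]):
        raise Drop(f"{asa.name}: no crypto ACL match, flow would leave in clear text")
    return src, dst


def inbound(asa: Asa, src: Addr, dst: Addr) -> tuple[Addr, Addr]:
    """Outside -> Inside, after decryption."""
    if src == dst:  # the case the page's packet-tracer shows
        raise Drop(f"{asa.name}: (sp-security-failed) Slowpath security checks failed")
    if src in asa.real_net:
        src = rehost(src, asa.real_net, asa.mapped_net)
    return src, dst


def trace(sender: Asa, receiver: Asa, src: str, dst: str) -> dict:
    """Walk one packet from a host behind `sender` to a host behind `receiver`."""
    try:
        s, d = outbound(sender, Addr(src), Addr(dst))
        s2, d2 = inbound(receiver, s, d)
    except Drop as exc:
        return {"drop": str(exc)}
    return {"in_tunnel": (str(s), str(d)), "delivered": (str(s2), str(d2))}


# Constructed from the page's configuration (both LANs are 172.16.1.0/24).
LAN = Net("172.16.1.0/24")
ANY16 = Net("172.16.0.0/16")
ASA_HQ = Asa("ASA-HQ", Net("172.16.101.0/24"), LAN, (ANY16, ANY16), (ANY16, ANY16))
ASA_BRANCH = Asa("ASA-Branch", Net("172.16.100.0/24"), LAN, (ANY16, ANY16), (ANY16, ANY16))
# Hypothetical misconfiguration: exemption written for the MAPPED destination only.
ASA_HQ_BAD_NONAT = Asa("ASA-HQ(bad nonat)", Net("172.16.101.0/24"), LAN,
                       (LAN, Net("172.16.101.0/24")), (ANY16, ANY16))

if __name__ == "__main__":
    print(trace(ASA_HQ, ASA_BRANCH, "172.16.1.2", "172.16.101.3"))        # works
    print(trace(ASA_BRANCH, ASA_HQ, "172.16.1.3", "172.16.100.2"))        # the reply
    print(trace(ASA_HQ, ASA_BRANCH, "172.16.1.2", "172.16.101.2"))        # same host number
    print(trace(ASA_HQ_BAD_NONAT, ASA_BRANCH, "172.16.1.2", "172.16.101.3"))
```

The first two traces reproduce the debug output in section 7 (the branch sees the echo arriving from 172.16.100.2, HQ sees the reply coming from 172.16.101.3); the third reproduces the packet-tracer drop; the fourth shows that an exemption ACL written only for the mapped 172.16.101.0/24 never matches once the static has untranslated the destination.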
C. Internet access from both sides still works (each LAN is PATed to its ASA's Outside address, as the Internet router's debug shows):

ERP_HQ#ping 202.100.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
ERP_HQ#
*Jul 10 04:03:59.073: ICMP: echo reply rcvd, src 202.100.1.10, dst 172.16.1.2
*Jul 10 04:03:59.073: ICMP: echo reply rcvd, src 202.100.1.10, dst 172.16.1.2
*Jul 10 04:03:59.073: ICMP: echo reply rcvd, src 202.100.1.10, dst 172.16.1.2
*Jul 10 04:03:59.073: ICMP: echo reply rcvd, src 202.100.1.10, dst 172.16.1.2
*Jul 10 04:03:59.077: ICMP: echo reply rcvd, src 202.100.1.10, dst 172.16.1.2

Internet#debug ip icmp
ICMP packet debugging is on
Internet#
*Aug 2 14:28:00.205: ICMP: echo reply sent, src 202.100.1.10, dst 202.100.1.1
*Aug 2 14:28:00.209: ICMP: echo reply sent, src 202.100.1.10, dst 202.100.1.1
*Aug 2 14:28:00.209: ICMP: echo reply sent, src 202.100.1.10, dst 202.100.1.1
*Aug 2 14:28:00.209: ICMP: echo reply sent, src 202.100.1.10, dst 202.100.1.1
*Aug 2 14:28:00.209: ICMP: echo reply sent, src 202.100.1.10, dst 202.100.1.1

ERP_Branch#ping 202.100.2.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.2.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
ERP_Branch#
*Mar 31 15:32:55.286: ICMP: echo reply rcvd, src 202.100.2.10, dst 172.16.1.2
*Mar 31 15:32:55.290: ICMP: echo reply rcvd, src 202.100.2.10, dst 172.16.1.2
*Mar 31 15:32:55.290: ICMP: echo reply rcvd, src 202.100.2.10, dst 172.16.1.2
*Mar 31 15:32:55.290: ICMP: echo reply rcvd, src 202.100.2.10, dst 172.16.1.2
*Mar 31 15:32:55.290: ICMP: echo reply rcvd, src 202.100.2.10, dst 172.16.1.2

Internet#debug ip icmp
ICMP packet debugging is on
Internet#
*Aug 2 14:28:41.561: ICMP: echo reply sent, src 202.100.2.10, dst 202.100.2.1
*Aug 2 14:28:41.565: ICMP: echo reply sent, src 202.100.2.10, dst 202.100.2.1
*Aug 2 14:28:41.565: ICMP: echo reply sent, src 202.100.2.10, dst 202.100.2.1
*Aug 2 14:28:41.565: ICMP: echo reply sent, src 202.100.2.10, dst 202.100.2.1
*Aug 2 14:28:41.569: ICMP: echo reply sent, src 202.100.2.10, dst 202.100.2.1
Reposted from: http://araum.baihongyu.com/