CISCO network administration

Site-to-site (ASA-Router)(02/02/2010)

Lab objective: build an IPsec site-to-site VPN using a pre-shared key between an ASA (or PIX) and a router.

Compare the similarities and differences between configuring the VPN on the ASA and on the router.

Topology

PIX (or ASA)

PIX# sh run
: Saved
:
PIX Version 8.0(3)
!
hostname PIX
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 101.0.0.2 255.0.0.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.10 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list mangbaove extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 101.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap 10 match address mangbaove
crypto map mymap 10 set peer 102.0.0.2
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
tunnel-group 102.0.0.2 type ipsec-l2l
tunnel-group 102.0.0.2 ipsec-attributes
 pre-shared-key * (key = 123)
!
!
prompt hostname context
Cryptochecksum:d242d7a4aeb945878985b984c431bf62
: end
PIX#

PIX(config)# tunnel-group 102.0.0.2 type ?

configure mode commands/options:
 ipsec-l2l      IPSec Site to Site group
 ipsec-ra       IPSec Remote Access group (DEPRECATED)
 remote-access  Remote access (IPSec) group
PIX(config)# tunnel-group 102.0.0.2 type ipsec-l2l

PIX# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 101.0.0.1 to network 0.0.0.0

C    101.0.0.0 255.0.0.0 is directly connected, outside
C    192.168.1.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 101.0.0.1, outside

Have a client initiate the first (interesting) traffic across the tunnel.

Router R2

R2#sh run
Building configuration...

Current configuration : 1156 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key 123 address 101.0.0.2
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 101.0.0.2
 set transform-set myset
 match address 101
 reverse-route
!
!
!
!
interface Loopback1
 ip address 2.2.2.2 255.0.0.0
!
interface Loopback2
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 102.0.0.2 255.0.0.0
 duplex auto
 speed auto
 crypto map mymap
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 102.0.0.1
!
!
ip http server
no ip http secure-server
!
access-list 101 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
!
end

R2#sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 102.0.0.1 to network 0.0.0.0

C    102.0.0.0/8 is directly connected, FastEthernet0/0
C    2.0.0.0/8 is directly connected, Loopback1
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, Loopback2
S    192.168.1.0/24 [1/0] via 101.0.0.2
S*   0.0.0.0/0 [1/0] via 102.0.0.1
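The phase 1 side of the ASA-versus-router comparison can be checked programmatically. The script below is an added example, not part of the original lab: it parses constructed excerpts of the ISAKMP policies shown in the PIX and R2 configs, fills in the IOS 12.4 defaults that R2's "show run" leaves out (DES, SHA, RSA signatures, group 1, 86400 s lifetime; the ASA prints every parameter), and reports which pair of policies the two peers would agree on. The negotiation rule it applies (first matching pair in priority order, lifetime negotiated down to the shorter value) is a simplification assumed by this example.

```python
import re
# Constructed excerpts of the ISAKMP policies from the PIX and R2 configs in this lab.
PIX_ISAKMP = """
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""
R2_ISAKMP = """
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
"""
# IOS 12.4 omits parameters left at their defaults from 'show run'; the ASA prints all of them.
IOS_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": "1", "lifetime": "86400"}

def parse_policies(cfg):
    """Return {priority: {parameter: value}} with IOS defaults filled in."""
    policies, cur = {}, None
    for line in cfg.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            cur = policies.setdefault(int(m.group(1)), dict(IOS_DEFAULTS))
        elif cur is not None and line.startswith(" "):
            key, val = line.split()
            cur["encryption" if key == "encr" else key] = val   # IOS abbreviates 'encr'
    return policies

def negotiate(initiator, responder):
    """Phase 1 (simplified): the responder walks the initiator's proposals in priority
    order and accepts the first whose encryption/hash/authentication/group match one
    of its own policies; the lifetime is negotiated down to the shorter of the two."""
    strip = lambda p: {k: v for k, v in p.items() if k != "lifetime"}
    for prio, prop in sorted(initiator.items()):
        for rprio, pol in sorted(responder.items()):
            if strip(prop) == strip(pol):
                return prio, rprio, min(int(prop["lifetime"]), int(pol["lifetime"]))
    return None
```

With the configs from this lab, R2's policy 10 matches PIX policy 1 (AES, SHA, pre-share, group 2); dropping `encr aes` on R2 would leave it proposing DES, which no PIX policy accepts.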


ISP

ISP#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    102.0.0.0/8 is directly connected, FastEthernet0/1
C    101.0.0.0/8 is directly connected, FastEthernet0/0

ISP#sh run
Building configuration...

Current configuration : 637 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ISP
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 101.0.0.1 255.0.0.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 102.0.0.1 255.0.0.0
 duplex auto
 speed auto
!
!
!
ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
!
!
end
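The phase 2 side of the comparison the lab asks for can also be scripted. The following example is added here and is not from the original lab: it takes constructed excerpts of the PIX and R2 configs above and checks that the two crypto ACLs are mirror images (the ASA writes subnet masks, IOS writes wildcard masks), that the transform sets agree, and that each side carries a pre-shared key entry for its peer (a `tunnel-group` on the ASA, `crypto isakmp key ... address` on IOS). Function names are this example's own.

```python
import ipaddress
import re
# Constructed excerpts of the PIX and R2 "show run" output from this lab.
PIX_CFG = """
access-list mangbaove extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap 10 match address mangbaove
crypto map mymap 10 set peer 102.0.0.2
tunnel-group 102.0.0.2 type ipsec-l2l
"""
R2_CFG = """
crypto isakmp key 123 address 101.0.0.2
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 101.0.0.2
 match address 101
access-list 101 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
def net(addr, mask, wildcard):
    """ASA ACLs carry subnet masks; IOS ACLs carry wildcard masks (the bitwise inverse)."""
    if wildcard:
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.IPv4Network(f"{addr}/{mask}")

def crypto_acl(cfg, wildcard):
    """(src, dst) networks of the 'permit ip' entry that selects interesting traffic."""
    m = re.search(r"^access-list \S+ (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)", cfg, re.M)
    src, smask, dst, dmask = m.groups()
    return net(src, smask, wildcard), net(dst, dmask, wildcard)

def transform_set(cfg):
    return re.search(r"^crypto ipsec transform-set \S+ (.+)$", cfg, re.M).group(1).split()

def check_tunnel(pix_cfg, r2_cfg):
    """Return the list of mismatches between the two ends; empty means consistent."""
    problems = []
    pix_src, pix_dst = crypto_acl(pix_cfg, wildcard=False)
    r2_src, r2_dst = crypto_acl(r2_cfg, wildcard=True)
    if (pix_src, pix_dst) != (r2_dst, r2_src):   # each ACL must mirror the other
        problems.append(f"crypto ACLs not mirrored: {pix_src}->{pix_dst} vs {r2_src}->{r2_dst}")
    if transform_set(pix_cfg) != transform_set(r2_cfg):
        problems.append("IPsec transform sets differ")
    pix_peer = re.search(r"set peer (\S+)", pix_cfg).group(1)
    r2_peer = re.search(r"set peer (\S+)", r2_cfg).group(1)
    # The ASA binds the PSK to a tunnel-group named after the peer; IOS binds it by address.
    if f"tunnel-group {pix_peer} type ipsec-l2l" not in pix_cfg:
        problems.append(f"PIX has no ipsec-l2l tunnel-group for peer {pix_peer}")
    if not re.search(rf"^crypto isakmp key \S+ address {re.escape(r2_peer)}$", r2_cfg, re.M):
        problems.append(f"R2 has no isakmp key for peer {r2_peer}")
    return problems
```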
