This post covers two things: first, how to build VPNs between an ASA and a Juniper firewall (and between an ASA and a Linux firewall), and second, how to join the two VPN segments together, using NAT in between.
1) VPN between the Linux FW and the ASA (every tunnel here is an IPsec VPN using IKEv1)
First of all the underlying network has to be reachable, e.g. default routes in place.
The basic configuration on the Linux firewall (ipsec.conf) is as follows:
conn asa                       # connection name assumed; the post only shows the conn body
    type=tunnel
    keyexchange=ikev1          # the post uses IKEv1; strongSwan otherwise prefers IKEv2 when it initiates
    authby=secret              # pre-shared key, matching 'authentication pre-share' on the ASA
    left=1.1.1.1
    leftsubnet=172.16.1.0/24
    right=2.2.2.2
    rightsubnet=192.168.0.0/24
    esp=aes128-sha1
    ike=aes128-sha1-modp1024   # modp1024 = DH group 2, written out so it matches 'group 2' on the ASA instead of the daemon default
    pfs=no                     # the ASA crypto map below sets no PFS either
    auto=start
I haven't tried this part myself; someone else set it up and gave me part of the config, but I think the essentials are all here. Next, the ASA configuration.
##Basic interface configuration##
interface GigabitEthernet0/0
nameif out_int
security-level 0
ip address 2.2.2.2 255.255.255.252
##Define the objects that will be needed##
object network ***_local1
subnet 192.168.0.0 255.255.255.0
object network ***_linux_peer_subnet
subnet 172.16.1.0 255.255.255.0
##Define the interesting traffic##
access-list out_int_cryptomap_2 extended permit ip object ***_local1 object ***_linux_peer_subnet
##Define the IKE policy; the ciphers must match the IPsec settings on the Linux firewall##
crypto ikev1 policy 1
authentication pre-share
encryption aes ##AES-128; the Linux side proposes ike=aes128-sha1, so 3des here would not negotiate
hash sha
group 2 ##DH group 2 (modp1024), the same group as in the Linux ike= line
lifetime 86400
##Define the IPsec transform set (matches esp=aes128-sha1 on the Linux side)##
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
##Define the tunnel-group##
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key ***** ##the key must be identical on both sides
##Define the crypto map and bind it to the outside interface##
crypto map out_int_map 3 match address out_int_cryptomap_2
crypto map out_int_map 3 set peer 1.1.1.1
crypto map out_int_map 3 set ikev1 transform-set ESP-AES-128-SHA
crypto map out_int_map interface out_int
##Enable IKE on the interface##
crypto ikev1 enable out_int
With that, the VPN should be up. The following commands show whether the tunnel actually came up:
show vpn-sessiondb detail
show isakmp sa detail
show ipsec sa peer 1.1.1.1 and similar commands all show the relevant information.
2) VPN between a Juniper SRX650 and the ASA
Junos devices are probably still less widely used, and they differ quite a bit from the Netscreen line. Below is the VPN part of the SRX configuration.
##Basic interface configuration##
set interfaces ge-0/0/0 unit 0 description outside
set interfaces ge-0/0/0 unit 0 family inet mtu 1500
set interfaces ge-0/0/0 unit 0 family inet address 3.3.3.3/24
##Address-book entries referenced by the policies below; the prefixes are those of the ASA objects for this tunnel##
set security zones security-zone trust address-book address local_net 10.199.0.0/20
set security zones security-zone untrust address-book address remote_net 10.199.16.0/20
##Define the IKE policy; the ciphers must match the IPsec settings on the ASA##
set security ike policy ***2asa mode main
set security ike policy ***2asa proposal-set standard #standard is a built-in Junos proposal set#
set security ike policy ***2asa pre-shared-key ascii-text "*****" #the key must be identical on both sides#
##Define the IKE gateway##
set security ike gateway gw2asa ike-policy ***2asa
set security ike gateway gw2asa address 2.2.2.2 #peer address#
set security ike gateway gw2asa external-interface ge-0/0/0.0 #interface the tunnel is bound to#
##Define the IPsec policy, i.e. the phase 2 policy##
set security ipsec policy AAA proposal-set compatible #compatible is also a built-in Junos proposal set#
set security ipsec vpn ***l ike gateway gw2asa
set security ipsec vpn ***l ike ipsec-policy AAA
set security ipsec vpn ***l establish-tunnels immediately
##Define the interesting traffic; note that it is bidirectional, and each policy names the other as its pair-policy##
set security policies from-zone trust to-zone untrust policy ***-policy match source-address local_net
set security policies from-zone trust to-zone untrust policy ***-policy match destination-address remote_net
set security policies from-zone trust to-zone untrust policy ***-policy match application any
set security policies from-zone trust to-zone untrust policy ***-policy then permit tunnel ipsec-vpn ***l
set security policies from-zone trust to-zone untrust policy ***-policy then permit tunnel pair-policy ***-policy-1
set security policies from-zone untrust to-zone trust policy ***-policy-1 match source-address remote_net
set security policies from-zone untrust to-zone trust policy ***-policy-1 match destination-address local_net
set security policies from-zone untrust to-zone trust policy ***-policy-1 match application any
set security policies from-zone untrust to-zone trust policy ***-policy-1 then permit tunnel ipsec-vpn ***l
set security policies from-zone untrust to-zone trust policy ***-policy-1 then permit tunnel pair-policy ***-policy
The ASA side configuration (the IKE policy and the out_int interface from part 1 are reused):
##Define the objects that will be needed##
object network ***-local2
subnet 10.199.16.0 255.255.240.0
object network ***-juniper-subnet
subnet 10.199.0.0 255.255.240.0
##Define the interesting traffic##
access-list out_int_cryptomap_1 extended permit ip object ***-local2 object ***-juniper-subnet
##Define the tunnel-group##
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
ikev1 pre-shared-key ***** ##the key must be identical on both sides
##Every transform set named in the crypto map must exist; ESP-AES-128-SHA was defined in part 1##
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
##Define the crypto map and bind it to the outside interface##
crypto map out_int_map 2 match address out_int_cryptomap_1
crypto map out_int_map 2 set peer 3.3.3.3
crypto map out_int_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
#Listing all of them works too; this is to match the compatible proposal set, which only contains 3DES and DES#
crypto map out_int_map interface out_int
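Both ASA sections stress that the ciphers have to match the peer. The following is an added example (not from the post and not vendor tooling) that normalises the phase 1 and phase 2 proposals of the Linux FW, the ASA and the SRX onto one vocabulary and intersects them, using the values from the configurations in parts 1 and 2. The contents of the Junos proposal sets are taken from the Junos documentation; the helper names are this example's own.

```python
import re

# Vendor spellings mapped onto one vocabulary so the tuples can be intersected.
ASA_ENC = {"des": "des", "3des": "3des", "aes": "aes128", "aes-192": "aes192", "aes-256": "aes256"}
ASA_HASH = {"md5": "md5", "sha": "sha1"}
SWAN_DH = {"modp1024": 2, "modp1536": 5, "modp2048": 14}
# Junos built-in proposal sets (Junos documentation). IPsec 'standard' additionally requires
# PFS group 2; 'compatible' uses no PFS, which is what pfs=no / a crypto map without 'set pfs' expect.
JUNOS_IKE = {"standard": {("3des", "sha1", 2), ("aes128", "sha1", 2)}}
JUNOS_IPSEC = {"standard": {("3des", "sha1"), ("aes128", "sha1")},
               "compatible": {("3des", "sha1"), ("3des", "md5"), ("des", "sha1"), ("des", "md5")}}

def swan_ike(proposal):
    """ipsec.conf 'ike=' value, e.g. 'aes128-sha1-modp1024' -> {(enc, hash, dh_group)}.
    The DH group must be written out; the daemon default differs between releases."""
    out = set()
    for p in proposal.split(","):
        enc, hsh, dh = p.split("-")
        out.add((enc, hsh, SWAN_DH[dh]))
    return out

def swan_esp(proposal):
    """ipsec.conf 'esp=' value, e.g. 'aes128-sha1' -> {(enc, hash)} (pfs=no, so no group)."""
    return {tuple(p.split("-")[:2]) for p in proposal.split(",")}

def asa_ike_policy(text):
    """Body of one 'crypto ikev1 policy N' block -> {(enc, hash, dh_group)}."""
    enc = re.search(r"encryption (\S+)", text).group(1)
    hsh = re.search(r"hash (\S+)", text).group(1)
    group = int(re.search(r"group (\d+)", text).group(1))
    return {(ASA_ENC[enc], ASA_HASH[hsh], group)}

def asa_transform_sets(text):
    """All 'crypto ipsec ikev1 transform-set NAME esp-X esp-Y-hmac' lines -> {(enc, hash)}."""
    found = re.findall(r"transform-set \S+ esp-(\S+) esp-(\S+)-hmac", text)
    return {(ASA_ENC[enc], ASA_HASH[hsh]) for enc, hsh in found}

def common(side_a, side_b):
    """Proposals both peers accept; an empty set means that phase cannot negotiate."""
    return side_a & side_b

if __name__ == "__main__":
    asa_p1 = asa_ike_policy("encryption aes\n hash sha\n group 2")
    print("ASA<->Linux phase 1:", common(asa_p1, swan_ike("aes128-sha1-modp1024")))
    print("ASA<->SRX phase 1:", common(asa_p1, JUNOS_IKE["standard"]))
    only_aes = asa_transform_sets("crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac")
    print("ASA<->SRX phase 2 with AES only:", common(only_aes, JUNOS_IPSEC["compatible"]))  # set()
```

The last line shows why the crypto map for the SRX also needs the 3DES transform sets: with ESP-AES-128-SHA alone there is nothing in common with the compatible set.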
3) Joining the tunnels with NAT
From the diagram we can see that although each pair of devices has a VPN, there is no VPN between the Linux FW and the Juniper, so the internal hosts at those two ends cannot reach each other. The solution is NAT: translate the interesting traffic of the Linux FW to ASA tunnel into the interesting traffic of the ASA to Juniper tunnel.
The configuration below uses one specific host as the example: 172.16.1.10 accessing 10.199.0.10.
#Define the objects#
object network linux-host
host 172.16.1.10
object network linux-nat
host 10.199.23.10
object network juniper-nat
host 192.168.0.10
object network juniper-host
host 10.199.0.10
First the NAT policy for access from the Linux FW side to the Juniper side: the source address 172.16.1.10 is translated to 10.199.23.10, an address within the interesting traffic of the ASA to Juniper VPN, and the destination 10.199.0.10 is reached by the Linux side as 192.168.0.10, an address within the interesting traffic of the ASA to Linux FW VPN.
same-security-traffic permit intra-interface ##the translated flow enters and leaves on out_int (hairpin), which the ASA does not allow without this
nat (out_int,any) source static linux-host linux-nat destination static juniper-nat juniper-host
After this rule only one direction works: connections can only be initiated from the Linux FW side.
If the Juniper side also needs to reach the Linux FW, you can add a return NAT rule, using either new addresses or the original ones; I used new addresses.
object network juniper-host-back-ip
host 10.199.23.110
object network linux-host-back-ip
host 172.16.1.110
nat (any,any) source static juniper-host juniper-nat destination static juniper-host-back-ip linux-host-back-ip
With that, these two hosts behind the Linux FW and the Juniper can reach each other.
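An added example, not part of the post, that models the ASA's two static twice-NAT rules above and checks that a packet entering over one tunnel's crypto ACL is translated into addresses that the other tunnel's crypto ACL covers. The tunnel subnets and NAT objects are the ones from the post, resolved to their addresses; the `bad` rule is a constructed mistake, and the function names are this example's own.

```python
from ipaddress import ip_address, ip_network

# Crypto ACLs from the post, as the ASA sees them: (ASA-side subnet, peer-side subnet).
TUNNELS = {
    "linux": (ip_network("192.168.0.0/24"), ip_network("172.16.1.0/24")),
    "juniper": (ip_network("10.199.16.0/20"), ip_network("10.199.0.0/20")),
}

def twice_nat(rule, src, dst):
    """Apply one ASA 'nat ... source static REAL MAPPED destination static MAPPED REAL' rule.
    rule = (real_src, mapped_src, mapped_dst, real_dst), the order the CLI lists them.
    Returns the translated (src, dst), or None if the rule does not match the packet."""
    real_src, mapped_src, mapped_dst, real_dst = (ip_address(a) for a in rule)
    src, dst = ip_address(src), ip_address(dst)
    if src == real_src and dst == mapped_dst:
        return mapped_src, real_dst
    if src == real_dst and dst == mapped_src:  # reply direction of the same static rule
        return mapped_dst, real_src
    return None

def check_chain(rule, src, dst, tunnel_in, tunnel_out):
    """List the reasons a packet src->dst arriving over tunnel_in would not leave over tunnel_out."""
    problems = []
    in_local, in_peer = TUNNELS[tunnel_in]
    out_local, out_peer = TUNNELS[tunnel_out]
    if ip_address(src) not in in_peer or ip_address(dst) not in in_local:
        problems.append(f"{src}->{dst} is not interesting traffic for tunnel {tunnel_in}")
    translated = twice_nat(rule, src, dst)
    if translated is None:
        problems.append("the NAT rule does not match this packet")
        return problems
    new_src, new_dst = translated
    if new_src not in out_local:
        problems.append(f"mapped source {new_src} is outside {out_local}, tunnel {tunnel_out} will not encrypt it")
    if new_dst not in out_peer:
        problems.append(f"real destination {new_dst} is outside {out_peer}")
    return problems

# The two rules from the post, with the object names resolved to the addresses they contain.
LINUX_TO_JUNIPER = ("172.16.1.10", "10.199.23.10", "192.168.0.10", "10.199.0.10")
JUNIPER_TO_LINUX = ("10.199.0.10", "192.168.0.10", "10.199.23.110", "172.16.1.110")

if __name__ == "__main__":
    print(check_chain(LINUX_TO_JUNIPER, "172.16.1.10", "192.168.0.10", "linux", "juniper"))  # []
    print(check_chain(JUNIPER_TO_LINUX, "10.199.0.10", "10.199.23.110", "juniper", "linux"))  # []
    # Constructed mistake: the mapped source falls outside the 10.199.16.0/20 crypto ACL.
    bad = ("172.16.1.10", "10.199.40.10", "192.168.0.10", "10.199.0.10")
    print(check_chain(bad, "172.16.1.10", "192.168.0.10", "linux", "juniper"))
```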