思科防火墙IPsec配置-主模式方式(基于9.9版本)

思科防火墙IPsec配置-主模式方式(基于9.9版本)_第1张图片

网络拓扑如上图所示,为方便记忆从左到右顺时针方向的网段的分别为192.168.1.0, 2.0, 3.0。

配置目标:两台思科防火墙之间建立IPsec VPN,使得左边192.168.1.0网段能够访问右边192.168.3.0网段。

基本信息:该环境使用GNS3模拟软件,防火墙软件版本为9.9(2)。配置完成后ipsec连接不会自动触发,需要数据请求通过隧道才会触发,比如在192.168.1.2上ping 192.168.3.2,就会触发ipsec连接。

ASA1防火墙配置:

基本配置:

配置主机名:

hostname ASA1

配置接口和IP地址:

int e0/0

nameif inside

ip address 192.168.1.1 255.255.255.0

no shut

int e0/1

nameif outside

ip address 192.168.2.1 255.255.255.0

no shut

配置从192.168.1.0到192.168.3.0的数据包不做地址转换,该网络拓扑比较简单,可以不配置,但是真实环境比较复杂,一般都需要配置,故这里也配置上。由于这篇文章主要讲ipsec的配置,故这里不做地址转换命令的介绍。

object network ASA2-inside

 subnet 192.168.3.0 255.255.255.0

object network ASA1-inside

 subnet 192.168.1.0 255.255.255.0

nat (inside,outside) source static ASA2-inside ASA2-inside destination static ASA1-inside ASA1-inside

下面配置控制连接的参数,配置后,收到连接或发出连接请求时会根据策略号由低到高的匹配对端的策略。

设置1号策略,策略号可以随便填,敲入后进入二层命令行

crypto ikev1 policy 1

设置预共享密码(不是密钥),密码需要与对端一致,具体密码在通道命令里设置

 authentication pre-share

设置控制连接加密方法为3des,需要与对端一致

 encryption 3des

设置控制连接数据包完整性校验方法为sha,需要与对端一致

 hash sha

设置密钥生成的长度,需要与对端一致,一般号码越高,越长

 group 2

设置密钥更新周期,建议与对端一致

 lifetime 28800

下面配置数据连接的参数:

使用隧道(esp)方式,建议使用esp.  加密方式为3des,数据完整性校验方式为sha

crypto ipsec ikev1 transform-set trans1 esp-3des esp-sha-hmac

配置NAT-T特性,这个特性使得防火墙outside的IP地址,如果在网络中有被转换为其他地址,则双方也能通讯,建议配置。如果outside的IP地址被网络中的设备NAT后没有配置这个选项,则IPSEC不能建立。这个命令后面会加一个数字表示多少秒,该数字表示周期性发送类似于心跳包的数据包,保持网络中网络设备的NAT会话不会被删除。

crypto isakmp nat-traversal 30

配置IPSEC通道

主模式的通道名为对端的IP地址

tunnel-group 192.168.2.2 type ipsec-l2l

配置IPSEC密码和断线检测,配置20秒超时后重传,重传3次判断为断线。配置连接密码为123456,需与对端一致

tunnel-group 192.168.2.2 ipsec-attributes

  ikev1 pre-shared-key 123456

  isakmp keepalive threshold 20 retry 3

配置哪些数据包需要转发到IPSEC通道,该配置需要设置一个ACL,然后后面配置绑定这个ACL

access-list goIntoTunnel extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

注意上面这个ACL的网段必须与对端相对应,不然连接建立不起来。

比如上面这个ACL可以总结为:(本端192.168.1.0/24, 对端192.168.3.0/24)。则对端需要配置为:(本端192.168.3.0/24,对端192.168.1.0/24)。如果对端配置为:(本端192.168.3.0/27, 对端192.168.1.0/24)则不能匹配,不能建立连接。

配置cryto map。  cryto map是一个列表,该列表记录哪些数据包需要建立IPsec, 将前面配置的一些分散的信息绑定到一起形成一个ipsec连接的完整信息,这个列表有序号,序号可以随意填,匹配IPSEC参数的时候按照序号从低到高的顺序进行匹配。

设置10号入口,匹配ACL名为goIntoTunnel(该ACL已在之前设置好),需要与对端为192.168.2.2的地址建立IPSEC连接,数据参数为trans1(该参数已在之前设置)

crypto map mymap 10 match address goIntoTunnel

crypto map mymap 10 set peer 192.168.2.1

crypto map mymap 10 set ikev1 transform-set trans1

将crypto map 绑定到outside, 并设置ISAKMP(Internet Security Association and Key Management Protocol)为enable。 ISAKMP就是建立IPsec连接时需要使用的框架,包含一系列的规则。

crypto map mymap interface outside

crypto isakmp enable outside

设置允许IPSEC的数据包进入防火墙

sysopt connection permit-

设置192.168.3.0的数据包通过outside接口进行发送

route outside 192.168.3.0 255.255.255.0 192.168.2.2

防火墙ASA1的配置设置完毕。

ASA2的配置和ASA1一致,只是接口的IP地址,hostname,route,禁止地址转换的NAT命令和goIntoTunnel这个ACL有变化。

两个防火墙设置完毕后,需要从一端的PC ping另一端的pc才会触发ipsec连接。可以使用show crypto ikev1 sa查看控制连接是否建立,使用show crypto ipsec sa查看数据连接是否建立。如下图所示:

思科防火墙IPsec配置-主模式方式(基于9.9版本)_第2张图片

两个防火墙的所有配置如下:

ASA1

ASA1(config)# show run

: Saved

:

: Serial Number: 9AKPGLU7RXD

: Hardware:   ASAv, 2048 MB RAM, CPU Pentium II 3591 MHz

:

ASA Version 9.9(2)

!

hostname ASA1

enable password $sha512$5000$6WMgccmVNTMshxEm61jayA==$IcFF3twSkt3XZV9bF1MVNA== pbkdf2

names

!

interface GigabitEthernet0/0

 nameif inside

 security-level 100

 ip address 192.168.1.1 255.255.255.0

!

interface GigabitEthernet0/1

 nameif outside

 security-level 0

 ip address 192.168.2.1 255.255.255.0

!

interface GigabitEthernet0/2

 shutdown

 no nameif

 no security-level

 no ip address

!

interface GigabitEthernet0/3

 shutdown

 no nameif

 no security-level

 no ip address

!

interface GigabitEthernet0/4

 shutdown

 no nameif

 no security-level

 no ip address

!

interface GigabitEthernet0/5

 shutdown

 no nameif

 no security-level

 no ip address

!

interface GigabitEthernet0/6

 shutdown

 no nameif

 no security-level

 no ip address

!

interface Management0/0

 shutdown

 no nameif

 no security-level

 no ip address

!

ftp mode passive

object network ASA1-inside

 subnet 192.168.1.0 255.255.255.0

object network ASA2-inside

 subnet 192.168.3.0 255.255.255.0

access-list goIntoTunnel extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

pager lines 23

mtu inside 1500

mtu outside 1500

no failover

no monitor-interface service-module

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

arp rate-limit 8192

nat (inside,outside) source static ASA1-inside ASA1-inside destination static ASA2-inside ASA2-inside

route outside 192.168.3.0 255.255.255.0 192.168.2.2 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

timeout conn-holddown 0:00:15

timeout igp stale-route 0:01:10

user-identity default-domain LOCAL

aaa authentication login-history

no snmp-server location

no snmp-server contact

crypto ipsec ikev1 transform-set trans1 esp-3des esp-sha-hmac

crypto ipsec security-association pmtu-aging infinite

crypto map mymap 10 match address goIntoTunnel

crypto map mymap 10 set peer 192.168.2.2

crypto map mymap 10 set ikev1 transform-set trans1

crypto map mymap interface outside

crypto ca trustpoint _SmartCallHome_ServerCA

 no validation-usage

 crl configure

crypto ca trustpool policy

 auto-import

crypto isakmp nat-traversal 30

crypto ikev1 policy 1

 authentication pre-share

 encryption 3des

 hash sha

 group 2

 lifetime 28800

telnet timeout 5

ssh stricthostkeycheck

ssh timeout 5

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 0

console serial

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

dynamic-access-policy-record DfltAccessPolicy

tunnel-group 192.168.2.2 type ipsec-l2l

tunnel-group 192.168.2.2 ipsec-attributes

 ikev1 pre-shared-key *****

 isakmp keepalive threshold 20 retry 3

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

 parameters

  message-length maximum client auto

  message-length maximum 512

  no tcp-inspection

policy-map global_policy

 class inspection_default

  inspect dns migrated_dns_map_1

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

policy-map type inspect dns migrated_dns_map_2

 parameters

  message-length maximum client auto

  message-length maximum 512

  no tcp-inspection

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

 profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email [email protected]

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

 profile License

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination transport-method http

Cryptochecksum:b3a796f62e488059a3260dc6b62140d5

: end

ASA1(config)#

ASA2

ASA2# show run

: Saved

:

: Serial Number: 9ABEBX6EHCM

: Hardware:   ASAv, 2048 MB RAM, CPU Pentium II 3591 MHz

:

ASA Version 9.9(2)

!

hostname ASA2

enable password $sha512$5000$CePBg529+woL2AWUReGHoQ==$bOEpcoZbq/QcFrfAvtzviw== pbkdf2

names

!

interface GigabitEthernet0/0

 nameif inside

 security-level 100

 ip address 192.168.3.1 255.255.255.0

!

interface GigabitEthernet0/1

 nameif outside

 security-level 0

 ip address 192.168.2.2 255.255.255.0

!

interface GigabitEthernet0/2

 shutdown

 no nameif

 no security-level

 no ip address

!

interface GigabitEthernet0/3

 shutdown

 no nameif

 no security-level

 no ip address

!

interface GigabitEthernet0/4

 shutdown

 no nameif

 no security-level

 no ip address

!

interface GigabitEthernet0/5

 shutdown

 no nameif

 no security-level

 no ip address

!

interface GigabitEthernet0/6

 shutdown

 no nameif

 no security-level

 no ip address

!

interface Management0/0

 shutdown

 no nameif

 no security-level

 no ip address

!

ftp mode passive

object network ASA2-inside

 subnet 192.168.3.0 255.255.255.0

object network ASA1-inside

 subnet 192.168.1.0 255.255.255.0

access-list goIntoTunnel extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0

pager lines 23

mtu outside 1500

mtu inside 1500

no failover

no monitor-interface service-module

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

arp rate-limit 8192

nat (inside,outside) source static ASA2-inside ASA2-inside destination static ASA1-inside ASA1-inside

route outside 192.168.1.0 255.255.255.0 192.168.2.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

timeout conn-holddown 0:00:15

timeout igp stale-route 0:01:10

user-identity default-domain LOCAL

aaa authentication login-history

no snmp-server location

no snmp-server contact

crypto ipsec ikev1 transform-set trans1 esp-3des esp-sha-hmac

crypto ipsec security-association pmtu-aging infinite

crypto map mymap 10 match address goIntoTunnel

crypto map mymap 10 set peer 192.168.2.1

crypto map mymap 10 set ikev1 transform-set trans1

crypto map mymap interface outside

crypto ca trustpoint _SmartCallHome_ServerCA

 no validation-usage

 crl configure

crypto ca trustpool policy

 auto-import

crypto isakmp nat-traversal 30

crypto ikev1 policy 1

 authentication pre-share

 encryption 3des

 hash sha

 group 2

 lifetime 28800

telnet timeout 5

ssh stricthostkeycheck

ssh timeout 5

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 0

console serial

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

dynamic-access-policy-record DfltAccessPolicy

tunnel-group 192.168.2.1 type ipsec-l2l

tunnel-group 192.168.2.1 ipsec-attributes

 ikev1 pre-shared-key *****

 isakmp keepalive threshold 20 retry 3

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

 parameters

  message-length maximum client auto

  message-length maximum 512

  no tcp-inspection

policy-map global_policy

 class inspection_default

  inspect dns migrated_dns_map_1

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

policy-map type inspect dns migrated_dns_map_2

 parameters

  message-length maximum client auto

  message-length maximum 512

  no tcp-inspection

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

 profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email [email protected]

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

 profile License

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination transport-method http

Cryptochecksum:90c5eb6485719533d6d3b01b2ecddf0e

: end

ASA2#

你可能感兴趣的:(服务器,linux,网络)