PIX IPsec site-to-site VPN

2015/02/09 23:15
Case analysis and configuration:
 

Goal: build an IPsec VPN between the ASA550 and R2 (3DES encryption with MD5 hashing);
         open SSH, Telnet, HTTP and HTTPS from the outside to the internal router;
         allow ASDM to manage the firewall.
Two caveats before the details. 3DES, MD5 and DH group 1 are legacy algorithms that are only used here because the lab goal calls for them; on a production device use AES, SHA-2 and DH group 14 or higher. Also, the running config captured below reports itself as PIX Version 7.2(4), so the firewall commands are shown in 7.x syntax (the same syntax ASA 7.x uses).
Now let's look at the configuration approach:
1. R1:
A>>> Open the relevant services.
HTTP >>>> ip http server
Telnet >>> line vty 0 4 (with login local, so the VTY authenticates against the local user database)
SSH >>>>
---- Configure a hostname and a domain name: the RSA key pair (and therefore SSH) can only be generated once both exist.
---- Generate the key pair: (config)#crypto key generate rsa
---- Create a local user: username test password test
---- Make the VTY use local authentication: login local under line vty 0 4. (The firewall-side equivalent is aaa authentication ssh console LOCAL, where LOCAL must be uppercase; that command is ASA syntax and is not accepted on the router.)
HTTPS >>> ip http secure-server

2. ASA
A>> Configure the inside/outside interfaces. (In this lab the outside interface is literally named ouside via nameif, so that spelling appears in every firewall command below.)
B>> Configure an ACL that lets the outside reach HTTP, HTTPS, Telnet and SSH on the firewall's outside address.
EX: access-list out extended permit tcp any host 10.200.200.1 eq ssh
C>> Use static port mapping (static PAT) >>>> The ASA cannot change its own SSH port, so port 22 on the outside address always belongs to the firewall and cannot be forwarded to the router; the router, however, can move its SSH server to another port (ip ssh port 2022 rotary 22 in the R1 config below), and that port is then forwarded.
static (inside,ouside) tcp interface telnet 1.1.1.1 telnet netmask 255.255.255.255
D>> Allow the firewall to be managed by ASDM (first run show flash: to confirm the ASDM image is present and referenced by asdm image; here it is ASDM-522.BIN).
Allow ASDM management from the inside:
http server enable
http 0 0 inside
Allow ASDM management from the outside:
http server enable 6666   A non-default port keeps outsiders off the default port and leaves 443 free for other uses (the captured config uses 4443).
http 0 0 ouside   / or use http 202.96.128.86 255.255.255.252 ouside to allow only a specific management subnet (a /30 here). Note that http 0 0 ouside exposes the ASDM listener to the whole Internet; restricting the source address is the safer choice.
E>> Use ASDM to configure the site-to-site VPN (encryption 3DES + MD5).
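The ACL and static PAT steps above are easy to get out of step with each other: a static PAT without a matching permit in the inbound ACL is silently unreachable, and port 22 on the outside address is answered by the firewall's own SSH server rather than forwarded. The following added example (written for this page, not code from the original post) parses a constructed excerpt of the ASA config shown later on this page and reports, for every port the outside can reach on 10.200.200.1, what actually answers there. It assumes the PIX/ASA 7.x rule that to-the-box management traffic is admitted by the ssh/http/telnet commands themselves and is not subject to the interface ACL.

```python
# Constructed excerpt of the ASA running config captured on this page; only the
# lines that decide what the outside can reach on 10.200.200.1 are kept.
ASA_CONFIG = """\
interface Ethernet1
 nameif ouside
 ip address 10.200.200.1 255.0.0.0
access-list out extended permit tcp any host 10.200.200.1 eq telnet
access-list out extended permit tcp any host 10.200.200.1 eq www
access-list out extended permit tcp any host 10.200.200.1 eq https
access-list out extended permit tcp any host 10.200.200.1 eq ssh
access-list out extended permit tcp any host 10.200.200.1 eq 2022
static (inside,ouside) tcp interface telnet 1.1.1.1 telnet netmask 255.255.255.255
static (inside,ouside) tcp interface www 3.3.3.3 www netmask 255.255.255.255
static (inside,ouside) tcp interface 2022 4.4.4.4 2022 netmask 255.255.255.255
static (inside,ouside) tcp interface https 3.3.3.3 https netmask 255.255.255.255
access-group out in interface ouside
http server enable 4443
http 0.0.0.0 0.0.0.0 ouside
ssh 10.200.200.100 255.255.255.255 ouside
ssh timeout 5
"""

SERVICE_PORTS = {"telnet": 23, "www": 80, "http": 80, "https": 443, "ssh": 22}

def port_of(token):
    """Resolve an ASA port keyword or number to an integer."""
    return int(token) if token.isdigit() else SERVICE_PORTS[token]

def outside_exposure(config):
    """Map each TCP port reachable on the outside interface address to what
    answers there: a static PAT target, the ASA's own management server, or
    nothing.  Static PATs that the inbound ACL does not permit are listed as
    well, since they are silently unreachable."""
    acl, pat, mgmt, applied, http_port = {}, {}, [], None, 443
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"] and "eq" in tok:
            acl.setdefault(tok[1], set()).add(port_of(tok[-1]))
        elif tok[:1] == ["static"] and tok[2:4] == ["tcp", "interface"]:
            iface = tok[1].strip("()").split(",")[1]        # mapped (outside) side
            pat[(iface, port_of(tok[4]))] = f"{tok[5]}:{port_of(tok[6])}"
        elif tok[:3] == ["http", "server", "enable"]:
            http_port = int(tok[3]) if len(tok) > 3 else 443
        elif tok[:1] in (["ssh"], ["telnet"], ["http"]) and len(tok) == 4:
            mgmt.append((tok[0], tok[3]))                    # (service, interface)
        elif tok[:1] == ["access-group"] and tok[2:4] == ["in", "interface"]:
            applied = (tok[1], tok[4])
    if applied is None:
        return {}
    acl_name, iface = applied
    # To-the-box management traffic is admitted by the ssh/http/telnet commands
    # themselves; the interface ACL only governs traffic passing through the box.
    own = {(i, http_port if s == "http" else SERVICE_PORTS[s]):
           f"ASA {s} server (to-the-box; governed by the {s} command, not the ACL)"
           for s, i in mgmt}
    report = {}
    for port in acl.get(acl_name, set()):
        if (iface, port) in pat:
            report[port] = "forwarded to " + pat[(iface, port)]
        elif (iface, port) in own:
            report[port] = own[(iface, port)]
        else:
            report[port] = "open in ACL but nothing answers on the interface"
    for (pat_iface, port), target in pat.items():
        if pat_iface == iface and port not in report:
            report[port] = f"static PAT to {target} but not permitted by ACL"
    for (own_iface, port), desc in own.items():
        if own_iface == iface and port not in report:
            report[port] = desc
    return report
```

Run on the page's config the report shows 23, 80, 443 and 2022 forwarded to the router loopbacks, 22 answered by the firewall's own SSH server (which is why the router's SSH had to move to 2022), and 4443 answered by the ASDM listener even though no ACL entry mentions it. Deleting the eq 2022 ACL entry makes the 2022 static PAT show up as present but blocked.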

When configuring the VPN on the firewall, the CLI differs slightly from the router's, but not by much. I'll show the manual configuration below.
1. crypto isakmp enable ouside (ISAKMP must first be enabled on the interface)
2. Use an ACL to capture the interesting traffic.
3. Configure crypto isakmp policy for phase 1: authentication method, encryption, hash and DH group.
4. Configure the pre-shared key
EX: crypto isakmp key fanqingfuming address 10.200.200.100
In the output of show run this is displayed as:
tunnel-group 10.200.200.100 type ipsec-l2l
tunnel-group 10.200.200.100 ipsec-attributes
 pre-shared-key *
5. Configure the transform set and crypto map for phase 2 and apply the map to the interface; these are the crypto ipsec transform-set and crypto map ouside_map lines in the captured firewall config below. The phase-1 policy, transform set and crypto ACL must agree with the router's, and the crypto ACLs on the two ends must be mirror images of each other.
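Most failures in a site-to-site setup like the one above come from the two ends not agreeing: a different hash or DH group in the phase-1 policy, a transform set that does not match, crypto ACLs that are not mirror images, or PFS configured on one side only. The following added example (written for this page, not code from the original post) parses constructed excerpts of the ASA and R2 configs shown later on this page, handling both the ASA one-line crypto map syntax and the IOS block syntax, and lists every disagreement. IOS and ASA defaults for an unspecified DH group (1) and lifetime (86400) are assumed; on the page's own configs the only finding is that set pfs appears on the ASA and not on R2.

```python
# Constructed excerpts of the two running configs captured on this page (ASA
# and R2); only the lines the compatibility check reads are kept.
ASA_CONFIG = """\
access-list ouside_20_cryptomap extended permit ip host 3.3.3.3 host 192.168.0.2
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map ouside_map 20 match address ouside_20_cryptomap
crypto map ouside_map 20 set pfs
crypto map ouside_map 20 set peer 10.200.200.100
crypto map ouside_map 20 set transform-set ESP-3DES-MD5
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
"""

R2_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key fanqingfuming address 10.200.200.1 255.0.0.0
crypto ipsec transform-set vpn_set esp-3des esp-md5-hmac
crypto map vpn_map 10 ipsec-isakmp
 set peer 10.200.200.1
 set transform-set vpn_set
 match address vpn
ip access-list extended vpn
 permit ip host 192.168.0.2 host 3.3.3.3
"""

def _addr(tok, i):
    """Consume one ACL address spec (any / host X / X MASK) at tok[i]."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1] + "/255.255.255.255", i + 2
    return tok[i] + "/" + tok[i + 1], i + 2

def parse_peer(config):
    """Pull the phase-1 policy, transform set, crypto ACL, peer and PFS flag
    out of an ASA 7.x or IOS 12.4 style config."""
    p = {"policy": {"encryption": None, "hash": None, "authentication": None,
                    "group": "1", "lifetime": "86400"},     # IOS and ASA defaults
         "transform": None, "peer": None, "pfs": False, "acl_name": None, "acls": {}}
    tsets, section, acl = {}, None, None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if not raw.startswith(" "):             # a top-level line opens a section
            section = None
            if tok[:3] == ["crypto", "isakmp", "policy"]:
                section = "policy"
            elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
                tsets[tok[3]] = tuple(sorted(tok[4:]))
            elif tok[:2] == ["crypto", "map"] and len(tok) > 4:
                section, tok = "map", tok[4:]   # ASA one-liner or IOS block header
            elif tok[:3] == ["ip", "access-list", "extended"]:
                section, acl = "acl", tok[3]
            elif tok[0] == "access-list" and "permit" in tok:   # ASA ACL syntax
                section, acl, tok = "acl", tok[1], tok[tok.index("permit"):]
        if section == "policy" and tok[0] in ("encr", "encryption"):
            p["policy"]["encryption"] = tok[1]
        elif section == "policy" and tok[0] in p["policy"]:
            p["policy"][tok[0]] = tok[1]
        elif section == "map" and tok[:2] == ["match", "address"]:
            p["acl_name"] = tok[2]
        elif section == "map" and tok[:2] == ["set", "pfs"]:
            p["pfs"] = True
        elif section == "map" and tok[:2] == ["set", "peer"]:
            p["peer"] = tok[2]
        elif section == "map" and tok[:2] == ["set", "transform-set"]:
            p["transform"] = tsets.get(tok[2], tok[2])
        elif section == "acl" and tok[:2] == ["permit", "ip"]:
            src, i = _addr(tok, 2)
            p["acls"].setdefault(acl, set()).add((src, _addr(tok, i)[0]))
    return p

def compare(a, b, names=("A", "B")):
    """List everything that stops the two ends agreeing; [] means compatible."""
    out = []
    for k, va in a["policy"].items():
        if va != b["policy"][k]:
            out.append(f"phase1 {k}: {names[0]}={va} {names[1]}={b['policy'][k]}")
    if a["transform"] != b["transform"]:
        out.append(f"transform-set: {names[0]}={a['transform']} {names[1]}={b['transform']}")
    acl_a = a["acls"].get(a["acl_name"], set())
    acl_b = b["acls"].get(b["acl_name"], set())
    if {(d, s) for s, d in acl_a} != acl_b:      # proxy IDs must mirror each other
        out.append("crypto ACLs are not mirror images")
    if a["pfs"] != b["pfs"]:
        out.append(f"pfs: configured on {names[0] if a['pfs'] else names[1]} only; verify both peers agree")
    return out

def check_page_configs():
    return compare(parse_peer(ASA_CONFIG), parse_peer(R2_CONFIG), ("ASA", "R2"))
```

The PFS finding is reported as something to verify rather than a hard failure because the outcome depends on which side initiates; the safe fix is to configure set pfs on both ends or on neither. Changing a single parameter on R2 (for example hash md5 to hash sha, or the host in the vpn ACL) produces a concrete phase-1 or proxy-ID mismatch in the output.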

R1>>>>>>>>>>>>>
inside#show run
Building configuration...

Current configuration : 2769 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname inside
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
!
!
ip cef
no ip domain lookup
ip domain name qq.com
!
!
ip ssh port 2022 rotary 22
!
!
!
crypto pki trustpoint TP-self-signed-241257058          
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-241257058
 revocation-check none
 rsakeypair TP-self-signed-241257058
!
!
crypto pki certificate chain TP-self-signed-241257058
 certificate self-signed 01                                                                                            <-- the router's self-signed certificate, created for ip http secure-server (SSH uses the RSA key pair, not this certificate); it differs on every device
  30820243 308201AC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32343132 35373035 38301E17 0D303230 33303130 30323231
  385A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3234 31323537
  30353830 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  B0C17BEC 3E6742AD 32F40EEA EE93922A 8F8CF77D DDCEED8C 896E31AC 7DD4F6F8
  67F4F95C 90BC9DBA E2AA86FF E929456B 6E481382 B56822AA 03993780 6DFF4FE4
  C1E2804C 5CD18F66 9ED04927 955D3F10 4287D7A8 CBB2CAD3 44C9CEF7 1CA74FD2
  A8F5B113 2F2731E8 9B72EA49 13ECE75A C09D439A 194B49EB DD200578 B5DAE171
  02030100 01A36D30 6B300F06 03551D13 0101FF04 05300301 01FF3018 0603551D
  11041130 0F820D69 6E736964 652E7171 2E636F6D 301F0603 551D2304 18301680
  14E438BE 7B24BC1A B2CA7874 86B4EC06 47D9BF03 12301D06 03551D0E 04160414
  E438BE7B 24BC1AB2 CA787486 B4EC0647 D9BF0312 300D0609 2A864886 F70D0101
  04050003 81810046 13893A1D C48505CB 724D6FCD 9BC6E93C 1D6432A5 60723581
  FE59D94D E3D26E80 3A362B88 E371AF82 37F8C0DC 066D6049 617501B9 022FFAC0
  826F4A40 83644F3C 24A6FACA 671D31F2 9BF66371 E7F77B8A 6C995283 9696D9B7
  9D0CABDA 61EA02B9 620356AC E9110C29 0482B95C 571F392C 8E43D4A5 14804543
  5459F9E0 108609
  quit
!
!
!
!
!
!
!
!
!
!
!        
username cisco password 0 cisco
!
!
!
!
!
!
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.255
!
interface Loopback3
 ip address 3.3.3.3 255.255.255.255
!
interface Loopback4
 ip address 4.4.4.4 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!        
interface FastEthernet0/1
 ip address 192.168.1.100 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 172.16.0.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet2/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
!
!        
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login local
!
!
end

inside#

ASA550>>>>>>>>>>>>>>>>>
ciscoasa# show run
: Saved
:
PIX Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet1
 nameif ouside
 security-level 20
 ip address 10.200.200.1 255.0.0.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list 192_198 extended permit ip host 192.168.1.100 host 198.133.219.25
access-list out extended permit tcp any host 10.200.200.1 eq telnet
access-list out extended permit tcp any host 10.200.200.1 eq www
access-list out extended permit tcp any host 10.200.200.1 eq https
access-list out extended permit tcp any host 10.200.200.1 eq ssh
access-list out extended permit tcp any host 10.200.200.1 eq 2022
access-list ouside_20_cryptomap extended permit ip host 3.3.3.3 host 192.168.0.2
access-list inside_nat0_outbound extended permit ip host 3.3.3.3 host 192.168.0.2
pager lines 24
mtu inside 1500
mtu ouside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/ASDM-522.BIN
no asdm history enable
arp timeout 14400
nat-control
global (ouside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,ouside) tcp interface telnet 1.1.1.1 telnet netmask 255.255.255.255
static (inside,ouside) tcp interface www 3.3.3.3 www netmask 255.255.255.255
static (inside,ouside) tcp interface 2022 4.4.4.4 2022 netmask 255.255.255.255
static (inside,ouside) tcp interface https 3.3.3.3 https netmask 255.255.255.255
static (inside,ouside) 10.200.200.50  access-list 192_198
access-group out in interface ouside
route inside 3.3.3.3 255.255.255.255 192.168.1.100 1
route inside 1.1.1.1 255.255.255.255 192.168.1.100 1
route inside 4.4.4.4 255.255.255.255 192.168.1.100 1
route inside 172.16.0.0 255.255.255.0 192.168.1.100 1
route ouside 0.0.0.0 0.0.0.0 198.133.219.25 1
route ouside 192.168.0.0 255.255.255.0 10.200.200.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable 4443
http 0.0.0.0 0.0.0.0 ouside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map ouside_map 20 match address ouside_20_cryptomap
crypto map ouside_map 20 set pfs
crypto map ouside_map 20 set peer 10.200.200.100
crypto map ouside_map 20 set transform-set ESP-3DES-MD5
crypto map ouside_map interface ouside
crypto isakmp enable ouside  <-- required on the firewall: ISAKMP is off by default on the PIX/ASA and is enabled per interface (on IOS it is on by default)
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
telnet timeout 5
ssh 10.200.200.100 255.255.255.255 ouside
ssh timeout 5
console timeout 0
ssl encryption rc4-md5
username cisco password 3USUcOPFUiMCO4Jk encrypted
tunnel-group 10.200.200.100 type ipsec-l2l
tunnel-group 10.200.200.100 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map  <-- I have always found this part odd: in 7.0 it is sometimes present and sometimes not, so if it is missing, enable it with fixup protocol instead.
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp (not present by default; add it by hand so that ICMP gets stateful application inspection)
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:08c060da90600ce74bb9560debbe5943
: end
ciscoasa#                             

R2>>>>>>>>>>>>>>>>>>>>
ouside#show run
Building configuration...

Current configuration : 1333 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ouside
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
!
ip cef
no ip domain lookup
!        
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key fanqingfuming address 10.200.200.1 255.0.0.0
!
!
crypto ipsec transform-set vpn_set esp-3des esp-md5-hmac
!
crypto map vpn_map 10 ipsec-isakmp
 set peer 10.200.200.1
 set transform-set vpn_set
 match address vpn
!
interface Loopback192
 ip address 198.133.219.25 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!        
interface FastEthernet0/1
 ip address 10.200.200.100 255.0.0.0
 duplex auto
 speed auto
 crypto map vpn_map
!
interface FastEthernet1/0
 ip address 192.168.0.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet2/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.200.200.1
!
!        
ip access-list extended vpn
 permit ip host 192.168.0.2 host 3.3.3.3
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 no login
!        
!
end

 

This article is from the blog “潜入技术的海洋” (Diving into the Ocean of Technology); please keep this source attribution: http://myhat.blog.51cto.com/391263/193188
