
ASA Multi-Site VPN and EZVPN Coexistence in Practice

Published: 2015-05-18 14:52:30  Author: 瑞德实验室
1. Application background
A company has several branch offices. To keep the network secure, both headquarters and every branch have a firewall at the edge, and headquarters requires an IPsec VPN to each branch so that traffic between sites stays confidential. To let travelling staff reach the company file server, EZVPN remote access is also required at every site, which additionally gives them a convenient way to manage the network. The same requirement could be met with routers at the edge; what follows describes how to deploy it when every edge device is a Cisco ASA firewall.
 
2. Project topology

(topology diagram: image not reproduced in this text version)
 
 
Configuration
HF-ASA
1. Phase 1 (can be shared by the site-to-site and EZVPN tunnels)
ASA5510# sh  running-config crypto ikev1
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
ASA5510(config)# sh run tunnel-group 60.170.110.245
tunnel-group 60.170.110.245 type ipsec-l2l
tunnel-group 60.170.110.245 ipsec-attributes
 ikev1 pre-shared-key *****
2. Configure Phase 2
ASA5510# sh run crypto ipsec
crypto ipsec ikev1 transform-set ipsec esp-3des esp-md5-hmac
3. Configure the interesting traffic
access-list ipsec extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0
 
4. Configure the crypto map
crypto map cisco 10 match address ipsec
crypto map cisco 10 set peer 60.170.110.245
crypto map cisco 10 set ikev1 transform-set ipsec
crypto map cisco interface outside
 
BB configuration
1. Phase 1
BBWY-ASA5512-FW(config)# sh run crypto ikev1
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
BBWY-ASA5512-FW(config)# sh run tunnel-group
tunnel-group 61.132.200.204 type ipsec-l2l
tunnel-group 61.132.200.204 ipsec-attributes
 ikev1 pre-shared-key *****
2. Phase 2
BBWY-ASA5512-FW(config)# sh run crypto ipsec
crypto ipsec ikev1 transform-set TFM esp-3des esp-md5-hmac
3. Interesting traffic
access-list l2l extended permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0
4. Crypto map
crypto map mymap 10 match address l2l
crypto map mymap 10 set pfs
crypto map mymap 10 set peer 61.132.200.204
crypto map mymap 10 set ikev1 transform-set TFM
crypto map mymap 10 set security-association lifetime seconds 600000
crypto map mymap interface outside
 
 
Note that BB's map entry 10 sets PFS and a 600000-second SA lifetime while HF's entry 10 sets neither. An ASA with no PFS configured accepts a PFS offer from its peer, but an ASA with PFS configured rejects a proposal that lacks it, so with this mismatch phase 2 only succeeds when BB initiates; configure set pfs identically on both ends. The lifetime mismatch is harmless, as the shorter value is negotiated.

NAT exemption
The identity twice-NAT rules below (the same object as real and mapped address on both the source and the destination side) are evaluated before the ordinary dynamic PAT on outside, so traffic between the two VPN subnets leaves untranslated and matches the crypto ACL. The objects must exist before the nat statement that references them.
BB:
object network vpn-inside
 subnet 192.168.0.0 255.255.0.0
object network vpn-outside
 subnet 172.16.0.0 255.255.0.0
nat (inside,outside) source static vpn-inside vpn-inside destination static vpn-outside vpn-outside no-proxy-arp route-lookup
HF:
object network vpn-inside
 subnet 172.16.0.0 255.255.0.0
object network vpn-outside
 subnet 192.168.0.0 255.255.0.0
 
nat (inside,outside) source static vpn-inside vpn-inside destination static vpn-outside vpn-outside no-proxy-arp route-lookup
 
 
3. Establishing the VPN with BJ
Adding a second site only needs a new tunnel-group for the peer and a second entry (sequence 20) in the same crypto map cisco. Only one crypto map can be bound to an interface, so every site-to-site peer gets its own sequence number in that one map.
ASA5510(config)# tunnel-group 218.205.157.2 type ipsec-l2l         
ASA5510(config)# tunnel-group 218.205.157.2 ipsec-attributes
ASA5510(config-tunnel-ipsec)# ikev1 pre-shared-key nicai
ASA5510(config-tunnel-ipsec)# exit
 
crypto map cisco 20 match address ipsec1
crypto map cisco 20 set pfs
crypto map cisco 20 set peer 218.205.157.2
crypto map cisco 20 set ikev1 transform-set ipsec
crypto map cisco 20 set security-association lifetime seconds 600000
 
ASA5510(config)# sh run access-list ipsec1
access-list ipsec1 extended permit ip 172.16.0.0 255.255.0.0 172.16.202.0 255.255.255.0
access-list ipsec1 extended permit ip 172.16.0.0 255.255.0.0 172.16.254.0 255.255.255.0
 
NAT exemption
object network bj
 subnet 172.16.202.0 255.255.255.0
object network bj-1
 subnet 172.16.254.0 255.255.255.0
object-group network bj-all
 network-object object bj
 network-object object bj-1
nat (inside,outside) source static vpn-inside vpn-inside destination static bj-all bj-all
BJ configuration omitted
 
 
EZVPN configuration on HF
A dynamic crypto map handles peers whose address is not known in advance. It is attached to the existing map cisco at sequence 100, deliberately higher than the static entries 10 and 20: the ASA evaluates crypto map entries in sequence order, so the known site-to-site peers are matched first and only other peers fall through to the dynamic entry.
ASA5510(config)# crypto dynamic-map raid 10 set ikev1 transform-set ipsec
ASA5510(config)# crypto map cisco 100 ipsec-isakmp dynamic raid
 
Configure phase 1.5 (tunnel-group and address pool)
The remote-access tunnel-group name mygroup is what the EZVPN client presents as its group name. The pool 123.2.2.0/24 used here lies in public address space; in production pick a private range that does not overlap any site's LAN.
tunnel-group mygroup type remote-access
tunnel-group mygroup general-attributes
 address-pool ezvpn-pool
tunnel-group mygroup ipsec-attributes
 ikev1 pre-shared-key *****
ASA5510(config)# sh run ip local pool
ip local pool ezvpn-pool 123.2.2.1-123.2.2.100 mask 255.255.255.0
 
Split tunneling
The ACL named split is not shown on the page; it must be a standard ACL listing the internal networks to send through the tunnel (for HF that would be 172.16.0.0/16, an assumption). Everything else leaves the client's machine unencrypted while the VPN is up, which is the trade-off split tunneling makes.
group-policy ezvpn-policy internal
group-policy ezvpn-policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 
Create a user
The group policy is attached per user here rather than as the tunnel-group's default-group-policy. password-storage enable lets the VPN client save the user's password locally; leave it off unless that risk is acceptable.
username skyt password GIwInwWo7bQaS5L2 encrypted
username skyt attributes
 vpn-group-policy ezvpn-policy
 password-storage enable
 
EZVPN NAT exemption
object network ezvpn
 subnet 123.2.2.0 255.255.255.0
exit
nat (inside,outside) source static vpn-inside vpn-inside destination static ezvpn ezvpn
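As an added example (not part of the original article or of any Cisco tool), the Python script below lints an ASA configuration for the three things this page depends on: the dynamic crypto-map entry sorting after the static site-to-site entries, an identity twice-NAT (NAT-exemption) rule covering every network pair in a crypto ACL, and the IKEv1 policy and transform set avoiding legacy algorithms (the 3DES, MD5 and DH group 2 used on this page are deprecated). The sample configuration it parses is a constructed excerpt of the HF-ASA lines shown above, reordered so that objects precede the NAT rules that reference them; the parser understands only the constructs used on this page (object network with a subnet, one level of object-group, extended permit ip ACLs, twice-NAT source/destination static rules).

```python
"""Lint an ASA IKEv1 VPN config for the pitfalls discussed on this page:
(1) dynamic crypto-map entries must sort after all static entries,
(2) every crypto-ACL network pair needs an identity twice-NAT (exemption)
rule, (3) IKEv1 policies/transform sets should avoid DES/3DES/MD5/DH 1-2."""
import ipaddress
import re

# Constructed sample: HF-ASA lines from this page, with objects placed
# before the NAT rules that reference them, as the CLI requires.
HF_CONFIG = """\
crypto ikev1 policy 1
 encryption 3des
 hash md5
 group 2
crypto ipsec ikev1 transform-set ipsec esp-3des esp-md5-hmac
access-list ipsec extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list ipsec1 extended permit ip 172.16.0.0 255.255.0.0 172.16.202.0 255.255.255.0
access-list ipsec1 extended permit ip 172.16.0.0 255.255.0.0 172.16.254.0 255.255.255.0
object network vpn-inside
 subnet 172.16.0.0 255.255.0.0
object network vpn-outside
 subnet 192.168.0.0 255.255.0.0
object network bj
 subnet 172.16.202.0 255.255.255.0
object network bj-1
 subnet 172.16.254.0 255.255.255.0
object-group network bj-all
 network-object object bj
 network-object object bj-1
nat (inside,outside) source static vpn-inside vpn-inside destination static vpn-outside vpn-outside no-proxy-arp route-lookup
nat (inside,outside) source static vpn-inside vpn-inside destination static bj-all bj-all
crypto map cisco 10 match address ipsec
crypto map cisco 10 set peer 60.170.110.245
crypto map cisco 20 match address ipsec1
crypto dynamic-map raid 10 set ikev1 transform-set ipsec
crypto map cisco 100 ipsec-isakmp dynamic raid
crypto map cisco interface outside
"""

WEAK_TOKENS = ("3des", "md5", "esp-des")
LEGACY_LINES = {"encryption des", "group 1", "group 2"}

def weak_algorithms(config):
    """Policy / transform-set lines that still use legacy algorithms."""
    hits = []
    for line in config.splitlines():
        s = line.strip()
        if s.startswith(("encryption ", "hash ", "group ", "crypto ipsec ikev1 transform-set ")):
            if s in LEGACY_LINES or any(w in s for w in WEAK_TOKENS):
                hits.append(s)
    return hits

def dynamic_entries_last(config):
    """Per crypto map: True when every dynamic entry has a higher sequence
    number than every static entry, so the known peers are tried first."""
    seqs = {}
    for line in config.splitlines():
        m = re.match(r"crypto map (\S+) (\d+) ", line)
        if m:
            static, dynamic = seqs.setdefault(m.group(1), (set(), set()))
            (dynamic if " dynamic " in line else static).add(int(m.group(2)))
    return {n: not st or not dy or min(dy) > max(st) for n, (st, dy) in seqs.items()}

def parse_networks(config):
    """Build a resolver: object or object-group name -> list of ip_network."""
    objs, groups, cur = {}, {}, None
    for line in config.splitlines():
        t = line.split()
        if line.startswith("object network "):
            cur = ("obj", t[2])
        elif line.startswith("object-group network "):
            cur, groups[t[2]] = ("grp", t[2]), []
        elif cur and line.startswith(" subnet "):
            objs[cur[1]] = ipaddress.ip_network(f"{t[1]}/{t[2]}")
        elif cur and line.startswith(" network-object object "):
            groups[cur[1]].append(t[2])
        elif not line.startswith(" "):
            cur = None  # any other top-level command ends the block
    return lambda name: [objs[name]] if name in objs else [objs[n] for n in groups.get(name, [])]

def unexempted(config):
    """Crypto-ACL (acl, src, dst) triples that no identity twice-NAT rule covers."""
    expand = parse_networks(config)
    exempt, acls, used, missing = [], {}, set(), []
    for line in config.splitlines():
        # same object as real and mapped address on both sides = identity NAT
        m = re.match(r"nat \(\S+,\S+\) source static (\S+) \1 destination static (\S+) \2", line)
        if m:
            exempt += [(s, d) for s in expand(m.group(1)) for d in expand(m.group(2))]
        m = re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", line)
        if m:
            acls.setdefault(m.group(1), []).append((ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}"),
                                                   ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}")))
        m = re.match(r"crypto map \S+ \d+ match address (\S+)", line)
        if m:
            used.add(m.group(1))  # only ACLs bound to a crypto map matter
    for name in sorted(used):
        for s, d in acls.get(name, []):
            if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt):
                missing.append((name, str(s), str(d)))
    return missing
```

Feed it the text of show running-config; on the constructed HF excerpt it reports the four legacy-algorithm lines, confirms that the dynamic entry (100) sorts after 10 and 20, and finds no crypto-ACL pair without an exemption. Delete the bj-all NAT rule and both BJ network pairs are flagged, which is exactly the failure that shows up in practice as traffic being PATed to the outside address instead of entering the tunnel. The crypto-map order check is the one to rerun whenever a later site-to-site entry is added with a sequence number above the dynamic one.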
 
 
If BJ and BB obtain their outside addresses by PPPoE, use a dynamic map instead and do not specify a peer. The hub can then no longer initiate to a spoke, because it does not know their addresses, and every dynamically addressed site-to-site peer authenticates with the single pre-shared key in DefaultL2LGroup, so anyone holding that key can bring up a tunnel to the hub; if that is unacceptable, use certificate authentication instead.
ASA5510(config)# clear configure crypto map cisco 10
ASA5510(config)# clear configure crypto map cisco 20
ASA5510(config)# crypto dynamic-map ccie 10 set ikev1 transform-set ipsec
ASA5510(config)# crypto map cisco 10 ipsec-isakmp dynamic ccie
 
 
ASA5510(config)# clear configure tunnel-group 60.170.110.245
ASA5510(config)# clear config tunnel-group 218.205.157.2
 
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key nicai
 
 
Whatever is unclear or unexplained here, fill in for yourself.
 
Produced by 瑞德实验室