猪八戒出品
实验名称: 第三章 IP Sec VPN(二) IP sec + NAT穿越 实验环境: 实验要求的环境: 要求描述: 需要的软件工具、软件安装包:小凡 实验目的: 1) 会在ASA上配置IPsec VPN 2) 会排除IPSec VPN的常见故障 实验步骤: 实验拓扑图: 配置实现IPsecVPN 的NAT-TASA1e0/0inside.254192.168.1.0/24Vnet 1F0/0.1e0/1outside.1NAT-TF0/0.2.2200.0.0.0/30.1F0/0ISP100.0.0.0/30Vnet 2R1F1/0R2222.0.0.0/30e0/1Vnet 3outsideF1/0.2.1e0/0inside.254ASA2模拟Loop 011.11.11.0/2410.10.10.0/24Vnet 4F0/0R3模拟PC1R4模拟PC2 1)asa1配置 conf t ho asa1 int e0/0 nameif inside ip ad 192.168.1.254 255.255.255.0 no sh int e0/1 nameif outside ip ad 100.0.0.1 255.255.255.252 no sh exit route outside 0 0 100.0.0.2 crypto isakmp enable outside crypto isakmp policy 1 encryption des hash sha authentication pre-share group 2 exit crypto isakmp key benet address 222.0.0.1 access-list 100 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0 猪八戒出品
crypto ipsec transform-set benet-set esp-3des esp-sha-hmac crypto map benet-map 1 set peer 222.0.0.1 crypto map benet-map 1 set transform-set benet-set crypto map benet-map 1 match address 100 crypto map benet-map int outside nat (inside) 0 access-list 100 nat (inside) 1 0 0 global (outside) 1 int access-list 101 permit icmp any any echo-reply access-group 101 in int outside end //防火墙启用NAT-T conf t crypto isakmp nat-traversal 2)asa2配置 conf t int e0/0 nameif inside ip ad 10.10.10.254 255.255.255.0 no sh int e0/1 nameif outside ip ad 222.0.0.1 255.255.255.252 no sh exit route outside 0 0 222.0.0.2 crypto isakmp enable outside crypto isakmp policy 1 encryption des hash sha authentication pre-share group 2 exit crypto isakmp key benet address 100.0.0.1 access-list 100 permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0 crypto ipsec transform-set benet-set esp-3des esp-sha-hmac crypto map benet-map 1 set peer 100.0.0.1 crypto map benet-map 1 set transform-set benet-set crypto map benet-map 1 match address 100 crypto map benet-map int outside nat (inside) 1 0 0 nat (inside) 0 access-list 100 global (outside) 1 int 猪八戒出品
access-list 101 permit icmp any any echo-reply access-group 101 in int outside end 实现NAT-T,需要更改对等体配置;修改如下: no crypto isakmp key benet address 100.0.0.1 no crypto map benet-map 1 set peer 100.0.0.1 clear configure tunnel-group //上一条命令执行不成功就用此命令 crypto isakmp key benet address 200.0.0.2 crypto map benet-map 1 set peer 200.0.0.2 crypto map benet-map 1 set transform-set benet-set 3)R1配置 en conf t ho r1 int fa0/0 ip ad 100.0.0.2 255.255.255.252 no sh int fa1/0 ip ad 200.0.0.2 255.255.255.252 no sh exit ip route 0.0.0.0 0.0.0.0 200.0.0.1 //NAT-T配置: access-list 100 permit ip 100.0.0.0 0.0.0.3 10.10.10.0 0.0.0.255 ip nat inside source list 100 int fa1/0 overload //在路由器上配置端口映射 ip nat inside source static udp 100.0.0.1 4500 int fa1/0 4500 ip nat inside source static udp 100.0.0.1 500 int fa1/0 500 ip nat inside source static esp 100.0.0.1 int fa1/0 //ASA与路由器配置时需使用此命令 int fa0/0 ip nat inside int fa1/0 ip nat outside end 4)R2配置 猪八戒出品
en conf t ho r2 int fa0/0 ip ad 200.0.0.1 255.255.255.252 no sh int fa1/0 ip ad 222.0.0.2 255.255.255.252 no sh int loop 0 ip ad 11.11.11.11 255.255.255.0 exit ip route 100.0.0.0 255.255.255.252 200.0.0.2 5)R3配置 en conf t ho r3 int fa0/0 ip ad 192.168.1.1 255.255.255.0 no sh exit no ip routing ip default-gateway 192.168.1.254 end 6)R4配置 en conf t ho r4 int fa0/0 ip ad 10.10.10.1 255.255.255.0 no sh exit no ip routing ip default-gateway 10.10.10.254 end 1)验证 1.在R4上ping 192.168.1.1来触发VPN流量,使用show crypto isakmp policy 查看策略是否匹配! 2.使用show crypto is key 查看密钥是否一至 3.使用show crypto isakmp sa 查看是否建立管理连接,如图所示:已建立管理连接, 猪八戒出品
4.使用show crypto ipsec sa 查看第二阶段的数据连接是否已建立,如图所示:已建立数据连接,且数据已被加密。 5.在R3上ping 11.11.11.11 (IP) ,使用show ip nat transform ,查看是否被NAT转换,如图所示:未被转换,证明访问史有访问VPN的流量才被转换,访问的流量直接由防火墙ASA1做PAT转换后转发出去。 6.在ASA1上使用show xlate 查看访问的流量是否被PAT转换,如图所示:已被转换。 7.因为在ASA1上已经NAT豁免,触发VPN流量的数据将被直接转发给R1,在ASA1上不做NAT转换, 说明ASA1只非VPN流量的数据作处理,而R1则只处理VPN流量的数据,从而达到了负载分担的目的。 8.ASA1 和R1都使用了PAT,最大限度的节省了公网IP。 9.IP Sec VPN 故障排查,模拟以下故障,并记录输出信息。 1)故障一:忘记启用ISAKMP协议 如果不启用ISAKMP协议协商,则不会建立协商。 2)故障二:阶段1传输集不匹配 模拟故障二:将阶段1的传输集改为不匹配,改变加密算法 crypto isakmp enable outside crypto isakmp policy 1 no encryption 3des encryption aes hash sha 猪八戒出品
authentication pre-share group 2 exit 使用debug crypto isakmp 100、debug crypto ipsec 100 开始调试功能,显示结果如图所示,加密算法不匹配。 3)故障三:预共享密钥配置错误 clear configure tunnel-group crypto isakmp key benn address 222.0.0.1
4)故障四:镜像crypto acl 配置错误 5)故障五:阶段2 传输集不匹配 no crypto ipsec transform-set benet-set esp-3des esp-sha-hmac crypto ipsec transform-set benet-set esp-3des esp-md5-hmac crypto map benet-map 1 set transform-set benet-set 6)故障六:crypto map 不匹配 7)故障七:crypto map 应用到错误接口 出现的问题及解决方法: 验证总结: 问题1: 解决: