1、实验拓扑:
2、实验要求:
R1和R2是两个站点,R1的业务地址:10.10.10.10/32,R2的业务地址:20.20.20.20/32;
R1 – ASA:202.16.1.0/29 ASA – R2:209.16.1.0/29,先需要使用IPSEC-VPN技术对业务流量加密,使数据传输更安全;
3、实验配置:
R1:
crypto isakmp policy 10
encr3des
hashmd5
authentication pre-share
group2
crypto isakmp key cisco address 209.16.1.1
!
crypto ipsec transform-set ccna ah-md5-hmacesp-3des
!
crypto map cisco 10 ipsec-isakmp
setpeer 209.16.1.1
settransform-set ccna
match address vpn
!
interface Loopback0
ipaddress 10.10.10.10 255.255.255.255
!
interface FastEthernet0/0
ipaddress 202.16.1.1 255.255.255.248
duplex auto
speed auto
crypto map cisco
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 202.16.1.2
!
no ip http server
no ip http secure-server
!
ip access-list extended vpn
permit ip host 10.10.10.10 host 20.20.20.20
ASA:
interface Ethernet0/0
nameif outside
security-level 0
ipaddress 202.16.1.2 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ipaddress 209.16.1.2 255.255.255.248
!
access-list out extendedpermit icmp any any
access-list out extendedpermit esp host 202.16.1.1 host 209.16.1.1
access-list out extendedpermit ah host 202.16.1.1 host 209.16.1.1
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group out ininterface outside
!
R2:
crypto isakmp policy 10
encr3des
hashmd5
authentication pre-share
group 2
crypto isakmp key cisco address 202.16.1.1
!
crypto ipsec transform-set ccna ah-md5-hmacesp-3des
!
crypto map cisco 10 ipsec-isakmp
setpeer 202.16.1.1
settransform-set ccna
match address vpn
!
interface Loopback0
ipaddress 20.20.20.20 255.255.255.255
!
interface FastEthernet0/0
ipaddress 209.16.1.1 255.255.255.248
duplex auto
speed auto
crypto map cisco
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 209.16.1.2
!
no ip http server
no ip http secure-server
!
ip access-list extended vpn
permit ip host 20.20.20.20 host 10.10.10.10
4、配置结果查看:
R1#show crypto isakmp sa
dst src state conn-id slot status
202.16.1.1 209.16.1.1 QM_IDLE 1 0 ACTIVE
R1#show crypto engine connections active
IDInterface IP-Address State Algorithm Encrypt Decrypt
1FastEthernet0/0 202.16.1.1 set HMAC_MD5+3DES_56_C 0 0
2001 FastEthernet0/0 202.16.1.1 set MD5+3DES 49 0
2002 FastEthernet0/0 202.16.1.1 set MD5+3DES 0 39
R1#ping 20.20.20.20 source 10.10.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to20.20.20.20, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.10
!!!!!
Success rate is 100 percent (5/5),round-trip min/avg/max = 20/31/68 ms
R2#show crypto isakmp sa
dst src state conn-id slot status
202.16.1.1 209.16.1.1 QM_IDLE 1 0 ACTIVE
R2#show crypto engine connections active
IDInterface IP-Address State Algorithm Encrypt Decrypt
1FastEthernet0/0 209.16.1.1 set HMAC_MD5+3DES_56_C 0 0
2001 FastEthernet0/0 209.16.1.1 set MD5+3DES 44 0
2002 FastEthernet0/0 209.16.1.1 set MD5+3DES 0 15
(请大家思考两个问题:
1、为什么本实验在防火墙中需要用到AH的协议放行,而使用放行udp ...eq isakmp不行?注:真实的ASA也应该是可以通过udp ...eq isakmp实现流量放行的。)
2、如果现在条件发生了变化,需要在R1和R2上配置GRE隧道和OSPF路由协议,使用gre over ipsec技术,那么防火墙的流量放行是否需要改变?是否需要添加放行gre协议流量和ospf协议流量?
)