1. Overview:
In practice, Sangfor SSL VPN appliances are often deployed out-of-path (one-armed), and they support both a route mode and a NAT mode. In route mode, the internal network must be able to route to the address pool the VPN assigns to clients. In NAT mode, when a VPN client accesses an internal host, the host sees the VPN device's interface address as the source, so the pool addresses do not need to be routable inside the network. I wanted to test the same deployment model on Cisco gear: first L2L VPN and EzVPN, and, time permitting, SSL VPN later.
2. Basic approach:
A.Configure both the headquarters L2L VPN and EzVPN with Dynamic VTI (DVTI)
B.For a NAT-mode deployment, configure NAT on the virtual-template interface
C.The lab also shows that L2L VPN and EzVPN configured with DVTI do not interfere with each other
3. Test topology:
4. Basic configuration:
A.Inside_Router:
interface Ethernet0/0
ip address 192.168.1.1 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 192.168.1.254
B.ASA842:
interface GigabitEthernet0
nameif Inside
security-level 100
ip address 192.168.1.254 255.255.255.0
no shut
interface GigabitEthernet1
nameif DMZ
security-level 50
ip address 10.1.1.254 255.255.255.0
no shut
interface GigabitEthernet2
nameif Outside
security-level 0
ip address 202.100.1.1 255.255.255.0
no shut
route Outside 0.0.0.0 0.0.0.0 202.100.1.10 1
C.DMZ_VPN:
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.254
D.Internet:
interface Ethernet0/0
ip address 202.100.1.10 255.255.255.0
no shut
interface Ethernet0/1
ip address 202.100.2.10 255.255.255.0
no shut
E.Branch:
interface Loopback0
ip address 172.16.1.1 255.255.255.0
interface Ethernet0/0
ip address 202.100.2.1 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 202.100.2.10
5. NAT configuration:
A.Dynamic PAT:
①ASA842:
object network INSIDE_Net
subnet 192.168.1.0 255.255.255.0
nat (Inside,Outside) dynamic interface
object network DMZ_Net
subnet 10.1.1.0 255.255.255.0
nat (DMZ,Outside) dynamic interface
--Enable ICMP inspection:
policy-map global_policy
class inspection_default
inspect icmp
--Test:
Inside_Router#ping 202.100.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/45/104 ms
DMZ_VPN#ping 202.100.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/48/88 ms
②Branch:
interface Ethernet0/0
ip nat outside
interface Loopback0
ip nat inside
ip access-list extended PAT
deny ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 172.16.1.0 0.0.0.255 any
ip nat inside source list PAT interface Ethernet0/0 overload
---Test:
Branch#PING 202.100.1.1 SOUrce L0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/36/168 ms
B.Static PAT:
----Configured on ASA842 only
①Static PAT settings (the real host is the DMZ_VPN router, 10.1.1.1; a second object is needed because one network object carries only one NAT statement):
object network DMZ_VPN
host 10.1.1.1
object network DMZ_VPN2
host 10.1.1.1
object network DMZ_VPN
nat (DMZ,Outside) static interface service udp 4500 4500
object network DMZ_VPN2
nat (DMZ,Outside) static interface service udp isakmp isakmp
②Firewall policy (post-8.3 ASA ACLs reference the real address, so the objects are used rather than the Outside address):
access-list OUTSIDE extended permit udp host 202.100.2.1 object DMZ_VPN eq 4500
access-list OUTSIDE extended permit udp host 202.100.2.1 object DMZ_VPN2 eq isakmp
access-list OUTSIDE extended permit esp host 202.100.2.1 object DMZ_VPN
access-group OUTSIDE in interface Outside
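As an added illustration, not part of the original lab and not ASA code, a small Python model of the ASA Outside inbound path: the static PAT is undone first and the interface ACL is then evaluated against the real DMZ address, which is why the ACL above refers to the object and not to 202.100.1.1. It also shows that the ESP ACE can never match, because no translation exists for ESP toward 10.1.1.1; the tunnel therefore has to ride NAT-T on UDP 4500. The packets and rule tables are constructed from the addresses on this page.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

OUTSIDE_IF = "202.100.1.1"   # ASA Outside address, the peer address Branch uses
DMZ_VPN_REAL = "10.1.1.1"    # real address of the DMZ_VPN router
BRANCH = "202.100.2.1"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                # "udp", "tcp", "esp", "icmp"
    dport: Optional[int] = None

# Static PAT from the page: (proto, mapped port) -> (real host, real port).
STATIC_PAT = {
    ("udp", 4500): (DMZ_VPN_REAL, 4500),
    ("udp", 500): (DMZ_VPN_REAL, 500),
}

# access-list OUTSIDE, written against real addresses (post-8.3 semantics).
ACL_OUTSIDE = [
    ("udp", BRANCH, DMZ_VPN_REAL, 4500),
    ("udp", BRANCH, DMZ_VPN_REAL, 500),
    ("esp", BRANCH, DMZ_VPN_REAL, None),
]

def untranslate(pkt: Packet) -> Optional[Packet]:
    """Undo the static PAT. Traffic addressed to the ASA's own interface that
    matches no translation is consumed by the ASA and never reaches the DMZ."""
    if pkt.dst != OUTSIDE_IF:
        return pkt
    rule = STATIC_PAT.get((pkt.proto, pkt.dport))
    if rule is None:
        return None
    return Packet(pkt.src, rule[0], pkt.proto, rule[1])

def acl_permits(pkt: Packet) -> bool:
    return any(
        (proto, src, dst) == (pkt.proto, pkt.src, pkt.dst)
        and dport in (None, pkt.dport)
        for proto, src, dst, dport in ACL_OUTSIDE
    )

def inbound(pkt: Packet) -> Optional[Tuple[str, Optional[int]]]:
    """Real (destination, port) delivered into the DMZ, or None if dropped."""
    real = untranslate(pkt)
    if real is None or not acl_permits(real):
        return None
    return (real.dst, real.dport)
```

Running inbound() over UDP/500, UDP/4500 and ESP from Branch shows the two IKE/NAT-T flows reaching 10.1.1.1 while raw ESP is dropped, so the third ACE is effectively dead.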
6. L2L VPN configuration:
A.DMZ_VPN:
①Phase 1 policy:
crypto keyring Branch
pre-shared-key address 202.100.2.1 key cisco
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp profile isakmp_profile
keyring Branch
match identity address 202.100.2.1 255.255.255.255
virtual-template 1
②Phase 2 transform set:
crypto ipsec transform-set transet esp-des esp-md5-hmac
③Configure the IPsec profile:
crypto ipsec profile ipsec_profile
set transform-set transet
set isakmp-profile isakmp_profile
④Configure the virtual-template interface and apply the IPsec profile:
interface Loopback100
ip address 1.1.1.1 255.255.255.0
interface Virtual-Template1 type tunnel
ip unnumbered Loopback100
tunnel source Ethernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec_profile
⑤Configure dynamic routing:
router ospf 1
router-id 1.1.1.1
log-adjacency-changes
network 1.1.1.0 0.0.0.255 area 0
---I tried redistributing the Inside subnet into OSPF so that the Branch router would learn it, but for some reason it did not work, even though the entry is present in the Branch router's OSPF database.
B.Branch:
①Phase 1 policy:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 202.100.1.1
②Phase 2 transform set:
crypto ipsec transform-set transet esp-des esp-md5-hmac
③Configure the IPsec profile:
crypto ipsec profile ipsec_profile
set transform-set transet
④Configure the tunnel interface and apply the IPsec profile on it:
interface Tunnel0
ip address 1.1.1.100 255.255.255.0
tunnel source Ethernet0/0
tunnel destination 202.100.1.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec_profile
⑤Configure dynamic routing:
router ospf 1
router-id 1.1.1.100
passive-interface Loopback0
network 1.1.1.100 0.0.0.0 area 0
network 172.16.1.1 0.0.0.0 area 0
⑥Configure a static route:
----Because the subnet of the ASA Inside zone cannot be learned through dynamic routing, a static route has to be added
ip route 192.168.1.0 255.255.255.0 tunnel 0
7. L2L VPN test:
A.Configure the ASA842 policy:
access-list DMZ extended permit icmp any any
access-list DMZ extended permit tcp 172.16.1.0 255.255.255.0 host 192.168.1.1 eq telnet
access-list DMZ extended permit tcp host 10.1.1.1 host 192.168.1.1 eq telnet
---The third ACE is added for the NAT-mode test below
access-group DMZ in interface DMZ
B.Route mode test:
①On ASA842, add a route for the subnet behind Branch pointing to DMZ_VPN:
route DMZ 172.16.1.0 255.255.255.0 10.1.1.1 1
②Test:
Branch#telnet 192.168.1.1 /source-interface l0
Trying 192.168.1.1 ... Open
User Access Verification
Password:
Password:
Inside_Router>show user
*Mar 1 06:56:11.082: RT: NET-RED 0.0.0.0/0s
Line User Host(s) Idle Location
0 con 0 idle 02:27:46
*130 vty 0 idle 00:00:00 172.16.1.1
Interface User Mode Idle Peer Address
C.NAT mode test:
①Configure dynamic PAT on DMZ_VPN:
interface Ethernet0/0
ip nat outside
interface Virtual-Template1 type tunnel
ip nat inside
ip access-list extended VPN_TO_INSIDE
permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
ip nat inside source list VPN_TO_INSIDE interface Ethernet0/0 overload
②Test:
Branch#telnet 192.168.1.1 /source-interface l0
Trying 192.168.1.1 ... Open
User Access Verification
Password:
Inside_Router>show users
Line User Host(s) Idle Location
0 con 0 idle 00:09:23
*130 vty 0 idle 00:00:00 10.1.1.1
Interface User Mode Idle Peer Address
---The connecting address is now the interface address of the DMZ_VPN router.
8. EzVPN configuration:
A.DMZ_VPN:
①Phase 1 policy:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp client configuration group Ezvpn_group
key cisco
②Phase 1.5 XAUTH configuration:
aaa new-model
aaa authentication login noacs line none
line console 0
login authentication noacs
line aux 0
login authentication noacs
username xll password xll
aaa authentication login Xauth local
③Phase 1.5 MODE-CFG configuration:
ip local pool ippool 123.1.1.100 123.1.1.200
ip access-list extended Split_INSIDE
permit ip 192.168.1.0 0.0.0.255 any
aaa authorization network Mcfg local
crypto isakmp client configuration group Ezvpn_group
pool ippool
acl Split_INSIDE
④Phase 2 transform set:
crypto ipsec transform-set ezvpnset esp-des esp-md5-hmac
----Can be shared with the L2L VPN
⑤Configure the ISAKMP profile (its name must differ from the L2L profile, and the group and authorization list must match the names defined above):
crypto isakmp profile EzVPN_isakmp_profile
match identity group Ezvpn_group
isakmp authorization list Mcfg
client authentication list Xauth
client configuration address respond
virtual-template 2
-----Note: the template number must not be the same as the one used by the L2L VPN
⑥Configure the IPsec profile:
crypto ipsec profile EzVPN_ipsec_profile
set transform-set transet
set isakmp-profile EzVPN_isakmp_profile
⑦Configure the virtual template and apply the IPsec profile:
interface Virtual-Template2 type tunnel
ip unnumbered Ethernet0/0
tunnel source Ethernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile EzVPN_ipsec_profile
B.EzVPN client:
---I am not sure whether this is a client issue, but after connecting there is no split-tunnel route, so it has to be added manually:
route add 192.168.1.0 mask 255.255.255.0 123.1.1.100
9. EzVPN test:
A.Configure the ASA842 policy:
access-list DMZ extended permit icmp any any
access-list DMZ extended permit tcp 123.1.1.0 255.255.255.0 host 192.168.1.1 eq telnet
access-list DMZ extended permit tcp host 10.1.1.1 host 192.168.1.1 eq telnet
---The third ACE is added for the NAT-mode test below
B.Route mode test:
①Add a route on ASA842:
route DMZ 123.1.1.0 255.255.255.0 10.1.1.1
②Client connection test:
----The connecting address seen on the Inside router is an address from the VPN pool
C.NAT mode test:
①Configure dynamic PAT on DMZ_VPN:
interface Ethernet0/0
ip nat outside
interface Virtual-Template2 type tunnel
ip nat inside
ip access-list extended VPN_TO_INSIDE
permit ip 123.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
ip nat inside source list VPN_TO_INSIDE interface Ethernet0/0 overload
②Test:
----When telnetting to the Inside router, the address the router sees is the interface address of DMZ_VPN