PIX/ASA 7.x及更高版本:具有重疊網路的LAN到LAN IPsec VPN配置示例

下載選項

  • PDF     (268.6 KB)
    在多種裝置上使用 Adobe Reader 檢視
  • ePub     (92.5 KB)
    在 iPhone、iPad、Android、Sony Reader 或 Windows Phone 上的各種應用程式中檢視
  • Mobi (Kindle)     (100.4 KB)
    在 Kindle 裝置或多部裝置的 Kindle 應用程式上檢視
已更新: 2010 年 12 月 9 日
文件 ID:112049

無偏見用語

本產品的文件集力求使用無偏見用語。針對本文件集的目的,無偏見係定義為未根據年齡、身心障礙、性別、種族身分、民族身分、性別傾向、社會經濟地位及交織性表示歧視的用語。由於本產品軟體使用者介面中硬式編碼的語言、根據 RFP 文件使用的語言,或引用第三方產品的語言,因此本文件中可能會出現例外狀況。深入瞭解思科如何使用包容性用語。

關於此翻譯

思科已使用電腦和人工技術翻譯本文件,讓全世界的使用者能夠以自己的語言理解支援內容。請注意,即使是最佳機器翻譯,也不如專業譯者翻譯的內容準確。Cisco Systems, Inc. 對這些翻譯的準確度概不負責,並建議一律查看原始英文文件(提供連結)。

簡介

本文檔介紹用於轉換(NAT)在兩個安全裝置之間通過LAN到LAN(L2L)IPsec隧道傳輸的VPN流量以及PAT網際網路流量的步驟。每個安全裝置後面都有一個受保護的專用網路。在此示例中,具有相同和重疊的內部網路的兩個思科自適應安全裝置(ASA)通過VPN隧道連線。在正常情況下,由於ping資料包從未離開本地子網,因此不會通過VPN進行通訊,因為使用者ping的是同一子網的IP地址。為了使這兩個專用內部網路相互通訊,在兩個ASA上使用策略NAT來轉換本地子網,以便按預期進行通訊。

必要條件

需求

在繼續此配置示例之前,請確保已在介面上配置了IP地址且具備基本連線。

採用元件

本檔案中的資訊是根據以下軟體版本:

  • 思科自適應安全裝置軟體版本7.x及更高版本。

本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除(預設)的組態來啟動。如果您的網路正在作用,請確保您已瞭解任何指令可能造成的影響。

相關產品

此配置還可以與Cisco PIX安全裝置7.x版及更高版本配合使用。

慣例

請參閱思科技術提示慣例以瞭解更多有關文件慣例的資訊。

設定

本節提供用於設定本文件中所述功能的資訊。

註:使Command Lookup Tool(僅限註冊客戶)可獲取本節中使用的命令的詳細資訊。

網路圖表

本檔案會使用以下網路設定:

asa8x-vpn-olap-config-01.gif

組態

本檔案會使用以下設定:

ASA-1 
ASA-1#show running-config 
: Saved
:
ASA Version 8.0(3)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 172.162.1.1 255.255.255.0

!--- Configure the outside interface.

!

interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0

!--- Configure the inside interface.


passwd 2KFQnbNIdI.2KYOU encrypted                                                      
ftp mode passive


access-list new extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0

!--- This access list (new) is used with the crypto map (outside_map) !--- in order to determine which traffic should be encrypted !--- and sent across the tunnel.



access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0


!--- The policy-nat ACL is used with the static !--- command in order to match the VPN traffic for translation. 

pager lines 24
mtu outside 1500
mtu inside 1500
no failover
asdm image flash:/asdm-615.bin
no asdm history enable
arp timeout 14400


static (inside,outside) 192.168.2.0  access-list policy-nat

!--- It is a Policy NAT statement. !--- The static command with the access list (policy-nat), !--- which matches the VPN traffic and translates the source (192.168.1.0) to !--- 192.168.2.0 for outbound VPN traffic.


global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

!--- The previous statements PAT the Internet traffic !--- except for the VPN traffic that uses the IP address 172.17.1.1. 

route outside 0.0.0.0 0.0.0.0 172.162.1.2 1



!--- Output is suppressed.



!--- PHASE 2 CONFIGURATION ---! !--- The encryption types for Phase 2 are defined here.


crypto ipsec transform-set CISCO esp-des esp-md5-hmac

!--- Define the transform set for Phase 2.

crypto map outside_map 20 match address new

!--- Define which traffic should be sent to the IPsec peer with the !--- access list (new). 

crypto map outside_map 20 set peer 172.162.1.2

!--- Sets the IPsec peer (remote end point)


crypto map outside_map 20 set transform-set CISCO

!--- Sets the IPsec transform set "CISCO" !--- to be used with the crypto map entry "outside_map"

crypto map outside_map interface outside

!--- Specifies the interface to be used with !--- the settings defined in this configuration !--- PHASE 1 CONFIGURATION ---! !--- This configuration uses isakmp policy 65535. !--- Policy 65535 is included in the configuration by default. !--- These configuration commands define the !--- Phase 1 policy parameters that are used.

crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 65535
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400

tunnel-group 172.162.1.2 type ipsec-l2l

!--- In order to create and manage the database of connection-specific records !--- for IPsec-L2L—IPsec (LAN-to-LAN) tunnels, use the tunnel-group !--- command in global configuration mode. !--- For L2L connections, the name of the tunnel group must be !--- the IP address of the IPsec peer (remote peer end).

tunnel-group 172.162.1.2 ipsec-attributes
 pre-shared-key *

!--- Enter the pre-shared key in order to configure the authentication method. 


telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:33e1e37cd1280d908210dac0cc26e706
: end

ASA-2 
ASA-2#show running-config 
: Saved
:
ASA Version 8.0(3)
!
hostname ASA-2
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 172.162.1.2 255.255.255.0                                                
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!

!--- Output is suppressed.


access-list new extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0

!--- This access list (new) is used with the crypto map (outside_map) !--- in order to determine which traffic needs to be encrypted !--- and sent across the tunnel.



access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0


!--- The policy-nat ACL is used with the static !--- command in order to match the VPN traffic for translation. 

pager lines 24
mtu outside 1500
mtu inside 1500
no failover
asdm image flash:/asdm-615.bin
no asdm history enable
arp timeout 14400



static (inside,outside) 192.168.3.0  access-list policy-nat

!--- This is a Policy NAT statement. !--- The static command with the access list (policy-nat), !--- which matches the VPN traffic and translates the source (192.168.1.0) to !--- 192.168.3.0 for outbound VPN traffic.

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

!--- The previous statements PAT the Internet traffic !--- except the VPN traffic that uses the outside interface IP address. 



 
route outside 0.0.0.0 0.0.0.0 172.162.1.2 1

!--- PHASE 2 CONFIGURATION ---! !--- The encryption types for Phase 2 are defined here.


crypto ipsec transform-set CISCO esp-des esp-md5-hmac

!--- Define the transform set for Phase 2.



crypto map outside_map 20 match address new

!--- Define which traffic needs to be sent to the IPsec peer.


crypto map outside_map 20 set peer 172.162.1.1

!--- Sets the IPsec peer.


crypto map outside_map 20 set transform-set CISCO

!--- Sets the IPsec transform set "CISCO" !--- to be used with the crypto map entry "outside_map".


crypto map outside_map interface outside

 !--- Specifies the interface to be used with !--- the settings defined in this configuration. !--- PHASE 1 CONFIGURATION ---! !--- This configuration uses isakmp policy 65535 !--- which is included in the configuration by default. !--- The configuration commands here define the !--- Phase 1 policy parameters that are used.



crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 65535
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400


!--- Output is suppressed.



!--- In order to create and manage the database of connection-specific !--- records for IPsec-L2L—IPsec (LAN-to-LAN) tunnels, use the !--- tunnel-group  command in global configuration mode. !--- For L2L connections, the name of the tunnel group must be !--- the IP address of the IPsec peer.


tunnel-group 172.162.1.1 type ipsec-l2l
tunnel-group 172.162.1.1 ipsec-attributes
 pre-shared-key *

!--- Enter the pre-shared key in order to configure the authentication method. 


prompt hostname context
Cryptochecksum:6b505b4a05c1aee96a71e67c23e71865
: end

驗證

使用本節內容,確認您的組態是否正常運作。

輸出直譯器工具(僅供已註冊客戶使用)(OIT)支援某些show命令。使用OIT檢視show指令輸出的分析:

  • show crypto isakmp sa — 顯示對等體上的所有當前IKE安全關聯(SA)。

  • show crypto ipsec sa — 顯示當前SA使用的設定。

來自ASA-1的show命令 

ASA-1#show crypto isakmp sa

   

Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 172.162.1.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
ASA-1#show crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 20, local addr: 172.162.1.1

      access-list new permit ip 192.168.2.0 255.255.255.0 192.168.3.0 

255.255.2
5.0
      local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
      current_peer: 172.162.1.2

      #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 9, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.162.1.1, remote crypto endpt.: 172.162.1.2

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 0BA6CD7E

    inbound esp sas:
      spi: 0xFB4BD01A (4216049690)
         transform: esp-des esp-md5-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 8192, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3824999/27738)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x0BA6CD7E (195480958)
         transform: esp-des esp-md5-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 8192, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3824999/27738)
         IV size: 8 bytes
         replay detection support: Y
ASA-1#show nat


NAT policies on Interface inside:
  match ip inside 192.168.1.0 255.255.255.0 outside 192.168.3.0 255.255.255.0
    static translation to 192.168.2.0
    translate_hits = 12, untranslate_hits = 5
  match ip inside any outside any
    dynamic translation to pool 1 (172.162.1.1 [Interface PAT])
    translate_hits = 0, untranslate_hits = 0
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside any dmz any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
ASA-1#show xlate

1 in use, 1 most used
Global 192.168.2.0 Local 192.168.1.0

來自ASA-2的show命令 

ASA-2#show crypto ipsec sa

interface: outside
    Crypto map tag: outside_map, seq num: 20, local addr: 172.162.1.2

      access-list new permit ip 192.168.3.0 255.255.255.0 192.168.2.0 

255.255.25
5.0
      local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 172.162.1.1

      #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 9, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.162.1.2, remote crypto endpt.: 172.162.1.1

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: FB4BD01A

    inbound esp sas:
      spi: 0x0BA6CD7E (195480958)
         transform: esp-des esp-md5-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 8192, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4274999/26902)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xFB4BD01A (4216049690)
         transform: esp-des esp-md5-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 8192, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4274999/26902)
         IV size: 8 bytes
         replay detection support: Y


ASA-2#show crypto isakmp sa

Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 172.162.1.1
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

疑難排解

清除安全關聯

進行故障排除時,請確保在進行更改後清除現有SA。在PIX的特權模式下,使用以下命令:

  • clear crypto ipsec sa — 刪除活動的IPsec SA。

  • clear crypto isakmp sa — 刪除活動的IKE SA。

疑難排解指令

輸出直譯器工具(僅供已註冊客戶使用)支援某些show命令。使用OIT檢視show指令輸出的分析。

附註:使用 debug 指令之前,請先參閱有關 Debug 指令的重要資訊

  • debug crypto ipsec — 顯示第2階段的IPsec協商。

  • debug crypto isakmp — 顯示第1階段的ISAKMP協商。

相關資訊

修訂記錄

修訂 發佈日期 意見
1.0
09-Dec-2010
初始版本

這份文件是否有所幫助?

Feedback意見

讓思科協助您

本文件適用於這些產品