ASA-1 pre-configuration
interface GigabitEthernet0/0
 nameif OUT
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif IN
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
route OUT 0.0.0.0 0.0.0.0 1.1.1.2
ASA-2 pre-configuration
interface GigabitEthernet0/0
 nameif OUT
 security-level 0
 ip address 1.1.1.2 255.255.255.252
!
interface GigabitEthernet0/1
 nameif IN
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
route OUT 0.0.0.0 0.0.0.0 1.1.1.1
ASA-1: enable IKEv1 on the outside interface
ASA-1(config)# crypto ikev1 enable OUT
ASA-1: configure the ISAKMP policy
ASA-1(config)# crypto ikev1 policy 1
ASA-1(config-ikev1-policy)# authentication pre-share
ASA-1(config-ikev1-policy)# encryption aes-256
ASA-1(config-ikev1-policy)# hash sha
ASA-1(config-ikev1-policy)# group 5
ASA-1: define the tunnel group (LAN-to-LAN connection profile)
For a site-to-site IPsec tunnel, the tunnel group name must be the IP address of the peer device.
ASA-1(config)# tunnel-group 1.1.1.2 type ipsec-l2l
ASA-1(config)# tunnel-group 1.1.1.2 ipsec-attributes
ASA-1(config-tunnel-ipsec)# ikev1 pre-shared-key CISCO
ASA-1: define the Proxy-ID (also called the traffic of interest)
ASA-1(config)# object network Local_LAN
ASA-1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA-1(config)# object network Remote_LAN
ASA-1(config-network-object)# subnet 172.16.1.0 255.255.255.0
ASA-1(config)# access-list ACL_VPN extended permit ip object Local_LAN object Remote_LAN
ASA-1: configure NAT exemption (NAT bypass)
In a site-to-site IPsec VPN the traffic is normally not translated, so identity NAT is used to exclude both LAN subnets from NAT.
ASA-1(config)# nat (IN,OUT) source static Local_LAN Local_LAN destination static Remote_LAN Remote_LAN
ASA-1: configure the transform set
ASA-1(config)# crypto ipsec ikev1 transform-set TS esp-aes-256 esp-sha-hmac
ASA-1: configure the crypto map
ASA-1(config)# crypto map My_Crypto_Map 10 match address ACL_VPN
ASA-1(config)# crypto map My_Crypto_Map 10 set peer 1.1.1.2
ASA-1(config)# crypto map My_Crypto_Map 10 set ikev1 transform-set TS
ASA-1(config)# crypto map My_Crypto_Map interface OUT
Complete configuration of ASA-2
crypto ikev1 enable OUT
!
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
!
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key CISCO
!
object network Local_LAN
 subnet 172.16.1.0 255.255.255.0
object network Remote_LAN
 subnet 192.168.1.0 255.255.255.0
!
access-list ACL_VPN extended permit ip object Local_LAN object Remote_LAN
!
nat (IN,OUT) source static Local_LAN Local_LAN destination static Remote_LAN Remote_LAN
!
crypto ipsec ikev1 transform-set TS esp-aes-256 esp-sha-hmac
!
crypto map My_Crypto_Map 10 match address ACL_VPN
crypto map My_Crypto_Map 10 set peer 1.1.1.1
crypto map My_Crypto_Map 10 set ikev1 transform-set TS
crypto map My_Crypto_Map interface OUT
Testing
R1#ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/7/23 ms

ASA-1(config)# show crypto ipsec sa summary

Current IPSec SA's:              Peak IPSec SA's:
  IPSec            :     2       Peak Concurrent SA  :     2
  IPSec over UDP   :     0       Peak Concurrent L2L :     2
  IPSec over NAT-T :     0       Peak Concurrent RA  :     0
  IPSec over TCP   :     0
  IPSec VPN LB     :     0
  Total            :     2
ASA-1(config)#
Here we can see that no ACL has been configured on the ASA, yet the traffic from R1 to R2 is still allowed through the firewall. This is a default behaviour of the ASA: VPN traffic bypasses the interface ACLs. That behaviour can be changed with the following command:
ASA-1(config)# no sysopt connection permit-vpn
This command affects inbound traffic only; once the VPN bypass is turned off, an ACL is required to let the decrypted traffic through.
ASA-1(config)# access-list ACL_LAN-2-LAN extended permit ip object Remote_LAN object Local_LAN
ASA-1(config)# access-group ACL_LAN-2-LAN in interface OUT
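The steps above have to agree on both ends (mirrored Proxy-IDs, matching pre-shared key, ISAKMP policy and transform set, the tunnel-group named after the peer, identity NAT covering exactly the VPN traffic), and once `no sysopt connection permit-vpn` is set the inbound ACL on the VPN interface must permit remote-to-local traffic. The following Python script is an added example that checks both, and is not Cisco's code or the page's own: its parser is a hypothetical helper that understands only the commands used on the page, the ASA-1 text is the page's configuration written as a config fragment, and the ASA-2 text is derived from it by swapping the WAN and LAN addresses (which reproduces the page's ASA-2 configuration apart from the interface mask and route, which the checks do not use).

```python
"""Added example (not Cisco's code): consistency checks for the two ASA site-to-site
IKEv1 configs on this page. The parser is a hypothetical helper for the page's commands."""
import re

# Constructed input: ASA-1's commands from the page, written as a config fragment.
ASA1 = """
interface GigabitEthernet0/0
 nameif OUT
 ip address 1.1.1.1 255.255.255.0
crypto ikev1 enable OUT
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 ipsec-attributes
 ikev1 pre-shared-key CISCO
object network Local_LAN
 subnet 192.168.1.0 255.255.255.0
object network Remote_LAN
 subnet 172.16.1.0 255.255.255.0
access-list ACL_VPN extended permit ip object Local_LAN object Remote_LAN
nat (IN,OUT) source static Local_LAN Local_LAN destination static Remote_LAN Remote_LAN
crypto ipsec ikev1 transform-set TS esp-aes-256 esp-sha-hmac
crypto map My_Crypto_Map 10 match address ACL_VPN
crypto map My_Crypto_Map 10 set peer 1.1.1.2
crypto map My_Crypto_Map 10 set ikev1 transform-set TS
crypto map My_Crypto_Map interface OUT
"""

def swap(text, a, b):
    """Exchange two literals: ASA-2 on the page is ASA-1 with WAN and LAN addresses swapped."""
    return text.replace(a, "\0").replace(b, a).replace("\0", b)

ASA2 = swap(swap(ASA1, "1.1.1.1", "1.1.1.2"), "192.168.1.0", "172.16.1.0")
PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*", re.M)  # strips "ASA-1(config)# " prefixes

def parse(text):
    """Pull out the facts the checks need from one ASA config; objects resolve to subnets."""
    text = PROMPT.sub("", text)
    def one(pat):
        m = re.search(pat, text, re.M)
        return m.group(1) if m else None
    objects = {n: f"{ip} {mask}" for n, ip, mask in
               re.findall(r"^object network (\S+)\n\s*subnet (\S+) (\S+)", text, re.M)}
    acls = {}
    for name, src, dst in re.findall(
            r"^access-list (\S+) extended permit ip object (\S+) object (\S+)", text, re.M):
        acls.setdefault(name, []).append((objects.get(src, src), objects.get(dst, dst)))
    ts = dict(re.findall(r"^crypto ipsec ikev1 transform-set (\S+) (.+)$", text, re.M))
    return {
        "outside_ip": one(r"nameif OUT\n(?:\s*security-level \d+\n)?\s*ip address (\S+)"),
        "ikev1_ifaces": re.findall(r"^crypto ikev1 enable (\S+)", text, re.M),
        "policy": dict(re.findall(r"^\s*(authentication|encryption|hash|group) (\S+)", text, re.M)),
        "tg": one(r"^tunnel-group (\S+) type ipsec-l2l"),
        "psk": one(r"ikev1 pre-shared-key (\S+)"),
        "acl": acls.get(one(r"match address (\S+)"), []),
        "nat_exempt": [(objects.get(s, s), objects.get(d, d)) for s, d in re.findall(
            r"^nat \(\S+\) source static (\S+) \1 destination static (\S+) \2", text, re.M)],
        "ts": ts.get(one(r"set ikev1 transform-set (\S+)")),
        "peer": one(r"set peer (\S+)"),
        "map_iface": one(r"^crypto map \S+ interface (\S+)"),
        "permit_vpn": "no sysopt connection permit-vpn" not in text,
        "inbound": {iface: acls.get(name, []) for name, iface in
                    re.findall(r"^access-group (\S+) in interface (\S+)", text, re.M)},
    }

def check_pair(cfg_a, cfg_b, names=("ASA-1", "ASA-2")):
    """Return a list of findings; an empty list means both ends agree."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = []
    if a["psk"] != b["psk"]:
        findings.append("pre-shared keys differ between the two ends")
    if a["policy"] != b["policy"]:
        findings.append(f"ISAKMP policies differ: {a['policy']} vs {b['policy']}")
    if a["ts"] is None or a["ts"] != b["ts"]:
        findings.append(f"transform sets differ or are missing: {a['ts']} vs {b['ts']}")
    # Proxy-IDs must mirror: one end's (local, remote) pairs are the other's (remote, local).
    if not a["acl"] or set(a["acl"]) != {(d, s) for s, d in b["acl"]}:
        findings.append("crypto ACLs are not mirror images of each other")
    for n, me, other in ((names[0], a, b), (names[1], b, a)):
        if me["peer"] != other["outside_ip"]:
            findings.append(f"{n}: peer {me['peer']} is not the far side's OUT address {other['outside_ip']}")
        if me["tg"] != me["peer"]:
            findings.append(f"{n}: L2L tunnel-group name {me['tg']} must equal the peer address {me['peer']}")
        if me["map_iface"] not in me["ikev1_ifaces"]:
            findings.append(f"{n}: IKEv1 is not enabled on {me['map_iface']}, where the crypto map is bound")
        if set(me["nat_exempt"]) != set(me["acl"]):
            findings.append(f"{n}: identity NAT does not exempt exactly the VPN traffic")
        # With 'no sysopt connection permit-vpn', decrypted traffic hits the inbound ACL of
        # the VPN interface, so that ACL must permit remote -> local.
        if not me["permit_vpn"]:
            inbound = me["inbound"].get(me["map_iface"], [])
            for local, remote in me["acl"]:
                if (remote, local) not in inbound:
                    findings.append(f"{n}: VPN bypass is off but no inbound ACL on "
                                    f"{me['map_iface']} permits {remote} -> {local}")
    return findings
```

Running `check_pair(ASA1, ASA2)` on the page's two configurations returns no findings. Appending `no sysopt connection permit-vpn` to ASA-1 alone yields exactly one finding, the missing inbound ACL on OUT, and adding the `ACL_LAN-2-LAN` access-list and access-group from the last step clears it; a mistyped pre-shared key or a crypto ACL that is not the mirror image of the far side's is reported in the same way.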