ASA5525 configuration walkthrough (translated)
1. Basic configuration
(1) Interface configuration
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.4.254 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address ASA5520 255.255.255.0
!
interface GigabitEthernet0/2
 nameif outside2
 security-level 0
 ip address 116.247.109.13 255.255.255.248
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
Analysis: there are two outside interfaces, outside (a private address, 192.168.4.254/24, sitting behind the upstream gateway Ascanlink at 192.168.4.1) and outside2 (a public address, 116.247.109.13/29), one inside segment (inside) and one management interface (management). The security levels (0 on the outside interfaces, 100 on inside) set the default direction of trust, but once an access-group is bound to an interface, as it is below, that ACL decides what passes. Note that the inside address is written as `ip address ASA5520 255.255.255.0`: ASA5520 is a name bound to 192.168.2.254, as explained in the next section.
(2) names
names
name 192.168.5.0 VPN-network
name 172.19.0.0 MFC-network
name 172.18.0.0 Office-network
name 172.18.2.0 local-guest
name 172.100.0.0 wireless-guest
name 172.99.0.0 wireless-user
name 192.168.2.1 core-switch
name 192.168.2.253 cpcnet-gateway
name 172.20.0.0 complex-network
name 192.168.2.248 email-server
name 192.168.2.254 ASA5520
name 172.22.0.0 telephone
name 172.22.1.249 welltech-server
name 192.168.4.1 Ascanlink
name 192.168.2.251 ftp-server
name 192.168.2.230 db-server
name 172.18.3.249 edge95
name 192.168.2.231 report-server
name 192.168.2.233 terminalserver1
name 192.168.2.234 terminalserver2
name 192.168.2.235 terminalserver3
name 192.168.2.236 terminalserver4
name 192.168.2.250 web-server
name 192.168.2.2 testserver
name 192.168.2.42 File_Server
name 192.168.2.33 HR_Server
name 192.168.2.32 ComexServer
name 192.168.2.152 Yike
name 172.19.1.245 c20
name 192.168.2.6 VSVN-Server description VSVN-Server
Analysis: a `name` entry binds an IP address to a label so that later commands can use the label instead of the address; the `names` command turns this on. `name 192.168.2.254 ASA5520` is the entry behind the inside interface's `ip address ASA5520`, so the inside address is 192.168.2.254.
(3) Routing
route outside 0.0.0.0 0.0.0.0 Ascanlink 70
route outside2 5.158.151.28 255.255.255.255 116.247.109.9 1
route outside2 12.145.28.178 255.255.255.255 116.247.109.9 1
route outside2 12.145.28.185 255.255.255.255 116.247.109.9 1
route outside2 50.136.199.58 255.255.255.255 116.247.109.9 1
route outside 116.247.109.9 255.255.255.255 Ascanlink 1
route outside 116.247.109.10 255.255.255.255 Ascanlink 1
route outside 116.247.109.11 255.255.255.255 Ascanlink 1
route outside 116.247.109.12 255.255.255.255 Ascanlink 1
route inside 172.0.0.0 255.0.0.0 core-switch 1
route outside2 172.16.0.0 255.255.255.0 116.247.109.9 1
route outside2 172.16.2.0 255.255.255.0 116.247.109.9 1
route outside2 172.16.4.0 255.255.255.0 116.247.109.9 1
route outside2 172.16.6.0 255.255.255.0 116.247.109.9 1
route outside2 172.16.9.0 255.255.255.0 116.247.109.9 1
route outside2 172.16.13.0 255.255.255.0 116.247.109.9 1
route outside2 172.16.15.0 255.255.255.0 116.247.109.9 1
route outside2 172.16.19.0 255.255.255.0 116.247.109.9 1
route outside2 172.16.32.0 255.255.252.0 116.247.109.9 1
route outside2 172.16.52.0 255.255.252.0 116.247.109.9 1
route outside2 172.16.200.0 255.255.252.0 116.247.109.9 1
route outside2 172.27.6.0 255.255.255.0 116.247.109.9 1
route inside VPN-network 255.255.255.0 core-switch 1
route outside2 192.168.6.0 255.255.255.0 116.247.109.9 1
route outside2 192.168.9.0 255.255.255.0 116.247.109.9 1
route outside2 192.168.10.0 255.255.255.0 116.247.109.9 1
route outside2 192.168.11.0 255.255.255.0 116.247.109.9 1
route outside2 192.168.49.0 255.255.255.0 116.247.109.9 1
route outside2 192.168.158.0 255.255.255.0 116.247.109.9 1
route outside2 192.168.159.0 255.255.255.0 116.247.109.9 1
route outside2 192.168.160.0 255.255.255.0 116.247.109.9 1
route outside2 192.168.161.0 255.255.255.0 116.247.109.9 1
route outside2 192.168.162.0 255.255.255.0 116.247.109.9 1
route outside2 192.168.163.0 255.255.255.0 116.247.109.9 1
route outside2 192.168.164.0 255.255.252.0 116.247.109.9 1
route outside2 203.66.1.189 255.255.255.255 116.247.109.9 1
route inside 203.70.94.0 255.255.255.0 core-switch 1
route outside2 209.118.175.5 255.255.255.255 116.247.109.9 1
Analysis: the routes fall into three groups: those leaving via outside, those leaving via outside2, and the return routes into inside that let replies reach the internal subnets through core-switch. With two uplinks and no policy-based routing (the ASA only gained PBR in 9.4), a single default route is all that can be used, so the second uplink has to be described with specific routes. From the configuration, outside2 carries the site-to-site VPN traffic: the /32 routes to the peer addresses (5.158.151.28, 12.145.28.178, 12.145.28.185, 203.66.1.189, 209.118.175.5) and the routes to the remote VPN subnets all point at 116.247.109.9, while outside carries ordinary internet traffic through the default route `route outside 0.0.0.0 0.0.0.0 Ascanlink 70`. The trailing 70 is the administrative distance; a value above the default of 1 only matters if a second default route exists (for example a tracked backup route), and none appears in this excerpt. Note also that `route inside 172.0.0.0 255.0.0.0 core-switch` is a supernet: any 172.x.x.x destination not covered by one of the more specific outside2 routes is sent to inside rather than across the VPN, which is fine for the 172.18/172.19/172.20/172.22 office subnets but means a typo in a remote 172.16.x.0 route silently sends that traffic to the core switch.
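To make the route-selection argument concrete, here is an added example (not part of the original page) that performs the same longest-prefix lookup the ASA does over a constructed subset of the page's `route` lines. NAMES reproduces the `name` entries those lines rely on; connected routes for the interface subnets are not modelled, and the "constructed" destinations in the demo are arbitrary.

```python
"""Longest-prefix route lookup over the ASA's static routes.

Added example (not from the original page): it reproduces how the ASA picks
the egress interface for a destination when there is a single default route
plus many more-specific routes (no policy-based routing before 9.4).
ROUTE_CONFIG is a constructed subset of the page's `route` lines; NAMES
carries the `name` entries those lines rely on.
"""
import ipaddress
from dataclasses import dataclass

NAMES = {
    "Ascanlink": "192.168.4.1",
    "core-switch": "192.168.2.1",
    "VPN-network": "192.168.5.0",
}

ROUTE_CONFIG = """
route outside 0.0.0.0 0.0.0.0 Ascanlink 70
route outside2 5.158.151.28 255.255.255.255 116.247.109.9 1
route outside2 12.145.28.178 255.255.255.255 116.247.109.9 1
route outside 116.247.109.9 255.255.255.255 Ascanlink 1
route inside 172.0.0.0 255.0.0.0 core-switch 1
route outside2 172.16.13.0 255.255.255.0 116.247.109.9 1
route outside2 172.27.6.0 255.255.255.0 116.247.109.9 1
route inside VPN-network 255.255.255.0 core-switch 1
route outside2 192.168.49.0 255.255.255.0 116.247.109.9 1
"""


@dataclass(frozen=True)
class Route:
    iface: str
    prefix: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address
    distance: int          # trailing number on the route line (default 1)


def parse_routes(text, names=NAMES):
    """Turn `route IFACE DEST MASK NEXTHOP [DISTANCE]` lines into Route objects."""
    routes = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "route":
            continue
        dest, mask, nh = names.get(t[2], t[2]), t[3], names.get(t[4], t[4])
        distance = int(t[5]) if len(t) > 5 else 1
        routes.append(Route(t[1], ipaddress.IPv4Network(f"{dest}/{mask}"),
                            ipaddress.IPv4Address(nh), distance))
    return routes


def lookup(routes, dst):
    """Longest prefix wins; between equal prefixes the lower distance wins."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.distance))


if __name__ == "__main__":
    table = parse_routes(ROUTE_CONFIG)
    # constructed destinations: internet, VPN peer, TW subnet, uncovered 172.x, VPN clients
    for dst in ("8.8.8.8", "12.145.28.178", "172.16.13.5", "172.16.99.1", "192.168.5.10"):
        r = lookup(table, dst)
        print(f"{dst:>15} -> {r.iface:<8} via {r.next_hop}")
```

The lookup shows why the routing section works without PBR: 172.16.13.5 leaves via outside2 because the /24 beats the inside /8, while 172.16.99.1 (no specific route) falls back to the /8 and goes to core-switch. One oddity the same rule exposes: the page routes 116.247.109.9 through 116.247.109.12 out of outside via Ascanlink, although those addresses are on outside2's own /29; a static /32 is more specific than the connected /29, so traffic addressed to those hosts really does leave via outside, which is worth questioning with whoever wrote those lines.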
2. ACLs and NAT
(1) object configuration
object network FTP-Server
 host 192.168.2.251
object network CORE-Switch
 host 192.168.2.1
object network TERminalserver1
 host 192.168.2.233
object network TERminalserver2
 host 192.168.2.234
object network TERminalserver3
 host 192.168.2.235
object network TERminalserver4
 host 192.168.2.236
object network EMAil-server
 host 192.168.2.248
object network REPort-server
 host 192.168.2.231
object network EDGe95
 host 172.18.3.249
object network DB-server
 host 192.168.2.230
object network WEB-server
 host 192.168.2.250
object network C20
 host 172.19.1.245
object network H192.168.2.22
 host 192.168.2.22
object network H192.168.2.142
 host 192.168.2.142
object network hr_server
 host 192.168.2.33
object network file_server
 host 192.168.2.42
object network H172.20.3.36
 host 172.20.3.36
object network cOMexServer
 host 192.168.2.32
object network H192.168.2.25
 host 192.168.2.25
object network yIKE
 host 192.168.2.152
object network H192.168.2.81
 host 192.168.2.81
object network H192.168.2.82
 host 192.168.2.82
object network asa5520
 host 192.168.2.254
object network WELLTech-server
 host 172.22.1.249
object network vsvn-server
 host 192.168.2.6
object network 192.168.158.0
 subnet 192.168.158.0 255.255.255.0
 description 192.168.158.0
object network 192.168.159.0
 subnet 192.168.159.0 255.255.255.0
 description 192.168.159.0
object network 192.168.160.0
 subnet 192.168.160.0 255.255.255.0
 description 192.168.160.0
object network 172.27.199.0
 subnet 172.27.199.0 255.255.255.0
 description AATI-Phone
object network 192168_2
 subnet 192.168.2.0 255.255.255.0
object network WiFi6
 subnet 172.27.6.0 255.255.255.0
object network 192.168.161.0
 subnet 192.168.161.0 255.255.255.0
object network 192.168.162.0
 subnet 192.168.162.0 255.255.255.0
 description 192.168.162.0
object network 192.168.163.0
 subnet 192.168.163.0 255.255.255.0
 description 192.168.163.0
object network 192.168.164.0
 subnet 192.168.164.0 255.255.252.0
 description 192.168.164.0
object-group service udp_gt_8000 udp
 port-object range 7999 65000
object-group network zhangjiang
 network-object Office-network 255.255.0.0
 network-object MFC-network 255.255.0.0
 network-object complex-network 255.255.0.0
 network-object wireless-user 255.255.0.0
 network-object VPN-network 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
object-group service tcp-normal tcp
 port-object eq echo
 port-object eq ftp
 port-object eq www
 port-object eq https
 port-object eq pop3
 port-object eq smtp
 port-object range 3000 4000
 port-object eq 16000
 port-object eq 8080
 port-object eq ftp-data
object-group service tcpudp-normal tcp-udp
 port-object eq domain
 port-object eq echo
 port-object eq www
object-group service udp-normal udp
 port-object eq echo
 port-object eq www
 port-object eq tftp
 port-object eq 1863
 port-object eq 4000
 port-object range 6891 6900
 port-object eq time
object-group service tcp_gt_10000 tcp
 port-object range 10000 65535
object-group protocol TCPUDP
 protocol-object tcp
object-group service QQ
 description QQ
 service-object tcp destination eq 8000
 service-object tcp destination eq 8001
object-group service rdp tcp
 port-object eq 3389
object-group network DM_INLINE_NETWORK_1
 network-object host report-server
 network-object host terminalserver1
 network-object host terminalserver3
 network-object host terminalserver4
 network-object host terminalserver2
 network-object host HR_Server
 network-object host 192.168.2.81
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 10000
 port-object eq pop3
 port-object eq smtp
 port-object eq 8080
 port-object eq imap4
object-group service tcp-10000 tcp
 port-object eq 1000
 group-object rdp
object-group service DM_INLINE_TCP_2 tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq ssh
 port-object eq 990
object-group network DM_INLINE_NETWORK_3
 network-object 192.168.200.0 255.255.255.0
 network-object host 192.168.2.49
 network-object telephone 255.255.0.0
 network-object host 172.16.13.224
object-group service VideoConf
 description VideoConf
 service-object tcp-udp destination eq sip
 service-object tcp-udp
object-group network DM_INLINE_NETWORK_4
 network-object host web-server
 network-object host ftp-server
object-group network DM_INLINE_NETWORK_5
 network-object host edge95
 network-object host c20
object-group service sipphone udp
 description sip-phone
 port-object eq 10087
 port-object eq 8088
 port-object eq sip
 port-object range 15000 30000
object-group network DM_INLINE_NETWORK_6
 network-object host edge95
 network-object host c20
object-group protocol DM_INLINE_PROTOCOL_0
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_TCP_3 tcp
 port-object eq 8080
 port-object eq www
object-group service DNS
 description dns
 service-object tcp-udp destination eq domain
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object udp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_7
 network-object host web-server
 network-object host File_Server
object-group service 4433 tcp
 description 4433
 port-object eq 4433
object-group network SHANGHAI-LAN
 network-object 192.168.2.0 255.255.255.0
 network-object VPN-network 255.255.255.0
 network-object Office-network 255.255.0.0
 network-object MFC-network 255.255.0.0
 network-object wireless-user 255.255.0.0
 network-object telephone 255.255.0.0
 network-object complex-network 255.255.0.0
object-group network GERMANY-LAN
 network-object 192.168.49.0 255.255.255.0
object-group service DM_INLINE_TCP_4 tcp
 group-object 4433
object-group network TW-LAN
 network-object 172.16.13.0 255.255.255.0
 network-object 172.16.15.0 255.255.255.0
 network-object 172.16.2.0 255.255.255.0
 network-object 172.16.4.0 255.255.255.0
 network-object 172.16.9.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.11.0 255.255.255.0
 network-object 192.168.4.0 255.255.255.0
 network-object 192.168.6.0 255.255.255.0
 network-object 192.168.9.0 255.255.255.0
 network-object 203.70.94.0 255.255.255.0
 network-object 172.16.19.0 255.255.255.0
 network-object 172.16.0.0 255.255.255.0
 network-object 172.16.6.0 255.255.255.0
 network-object 172.16.32.0 255.255.252.0
 network-object 172.16.200.0 255.255.252.0
 network-object 172.16.52.0 255.255.252.0
object-group network DM_INLINE_NETWORK_9
 network-object telephone 255.255.0.0
 network-object host welltech-server
object-group service DM_INLINE_TCP_5 tcp
 port-object eq 3309
 port-object eq 3443
 port-object eq 5443
 port-object eq 1433
 port-object eq 3080
object-group network DM_INLINE_NETWORK_10
 network-object host 211.78.82.113
 network-object host 60.250.154.133
 network-object host 210.65.220.246
 network-object host 222.73.42.138
object-group service 4500 tcp-udp
 description 4500
 port-object eq 4500
object-group network AATI_LAN
 description AATI
 network-object object 192.168.158.0
 network-object object 192.168.159.0
 network-object object 192.168.160.0
 network-object object 172.27.199.0
 network-object object 192.168.161.0
 network-object object 192.168.162.0
 network-object object 192.168.163.0
 network-object object 192.168.164.0
object-group network DM_INLINE_NETWORK_12
 network-object 192.168.49.0 255.255.255.0
 group-object AATI_LAN
object-group network USA-LAN
 network-object 192.168.158.0 255.255.255.0
 network-object 192.168.159.0 255.255.255.0
 network-object 172.27.199.0 255.255.255.192
 network-object 192.168.160.0 255.255.248.0
object-group network CN-LAN
 description all China network
 network-object wireless-guest 255.255.0.0
 network-object Office-network 255.255.0.0
 network-object MFC-network 255.255.0.0
 network-object complex-network 255.255.0.0
 network-object telephone 255.255.0.0
 network-object wireless-user 255.255.0.0
 network-object 192.168.0.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.11.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.6.0 255.255.255.0
 network-object 192.168.21.0 255.255.255.0
Analysis: an object defines a single item (a host, a subnet, or a service), and an object-group collects objects and inline entries so that one name stands for many matches, for example 192.168.0.0 255.255.0.0 as a single entry, or several objects gathered into one set. Referencing the group in an ACL then keeps the ACL short, because one line covers everything the group contains. Note that a group can contain other groups (`group-object`, as in DM_INLINE_NETWORK_12 and DM_INLINE_TCP_4), so fully expanding a group may take more than one lookup.
Objects are also used for NAT, where they match the subnet, port and protocol to translate.
(2) ACL configuration
access-list 100 extended permit ip object-group SHANGHAI-LAN object-group AATI_LAN inactive
access-list 100 extended permit ip object-group AATI_LAN object-group SHANGHAI-LAN
access-list 100 extended permit ip any any
access-list outside_access_in extended deny udp any any object-group udp_gt_8000 log alerts
access-list outside_access_in extended permit ip any any
access-list adlinkvpn_splitTunnelAcl standard permit 172.0.0.0 255.0.0.0
access-list adlinkvpn_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list adlinkvpn_splitTunnelAcl standard permit 192.168.5.0 255.255.255.0
access-list adlinkvpn_splitTunnelAcl standard permit 203.70.94.0 255.255.255.0
access-list adlinkvpn_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 172.0.0.0 255.0.0.0 192.168.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list inside_access_in extended permit ip any object-group AATI_LAN
access-list inside_access_in extended permit ip any host 192.168.4.1
access-list inside_access_in remark QQ
access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 object-group DM_INLINE_NETWORK_12
access-list inside_access_in remark QQ
access-list inside_access_in extended permit tcp any host 192.168.2.254 object-group 4433
access-list inside_access_in extended permit ip host 172.22.1.249 any
access-list inside_access_in extended permit ip host 172.22.1.248 any
access-list inside_access_in extended permit ip host 172.22.1.244 any
access-list inside_access_in extended permit ip host 172.18.3.12 any
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_6 any
access-list inside_access_in extended permit ip host 172.20.1.101 any
access-list inside_access_in extended deny ip object-group DM_INLINE_NETWORK_3 any
access-list inside_access_in extended permit ip host 192.168.2.253 any
access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 any
access-list inside_access_in extended permit ip any any
access-list inside_access_in remark QQ
access-list outside_access_in_1 extended permit tcp any object asa5520 eq ssh
access-list outside_access_in_1 extended permit ip 192.168.188.0 255.255.255.0 any
access-list outside_access_in_1 extended permit tcp object asa5520 any eq ssh
access-list outside_access_in_1 extended permit ip any host 172.22.1.244 inactive
access-list outside_access_in_1 remark SIP PHone setting by Aaron
access-list outside_access_in_1 extended permit ip any object-group DM_INLINE_NETWORK_9
access-list outside_access_in_1 extended permit tcp any host 192.168.2.254 object-group DM_INLINE_TCP_4
access-list outside_access_in_1 extended permit ip any object-group DM_INLINE_NETWORK_5
access-list outside_access_in_1 extended permit tcp any host 192.168.2.1 eq telnet
access-list outside_access_in_1 extended permit tcp any host 192.168.2.248 object-group DM_INLINE_TCP_1
access-list outside_access_in_1 extended permit icmp any any
access-list outside_access_in_1 extended permit tcp any object-group DM_INLINE_NETWORK_1 eq 3389
access-list outside_access_in_1 extended permit object-group TCPUDP any host 172.22.1.249 eq sip inactive
access-list outside_access_in_1 extended permit tcp any object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_TCP_2
access-list outside_access_in_1 extended permit tcp any host 192.168.2.33 eq 8000
access-list outside_access_in_1 extended permit tcp any object-group DM_INLINE_NETWORK_7 object-group DM_INLINE_TCP_3
access-list outside_access_in_1 remark sip phone manager
access-list outside_access_in_1 extended permit tcp any host 172.22.1.249 eq 10087 inactive
access-list outside_access_in_1 extended permit tcp any host 192.168.2.32 eq 6510
access-list outside_access_in_1 remark sipphone connect
access-list outside_access_in_1 remark SIP PHone setting by Aaron
access-list outside_access_in_1 remark sip phone manager
access-list outside_access_in_1 extended permit object-group DNS any host 192.168.2.22
access-list outside_access_in_1 remark For eP System
access-list outside_access_in_1 extended permit tcp object-group DM_INLINE_NETWORK_10 host 192.168.2.152 object-group DM_INLINE_TCP_5
access-list outside_access_in_1 extended permit tcp any host 192.168.2.82 eq sqlnet
access-list outside_access_in_1 extended permit tcp any host 192.168.2.6 eq 8443
access-list outside_access_in_1 extended permit tcp any host 192.168.2.152 eq 1433
access-list outside_access_in_1 extended permit tcp any host 192.168.2.250 eq 8000
access-list outside_access_in_1 extended permit tcp any host 192.168.2.172 eq 5000
access-list outside_access_in_1 extended permit ip any any
access-list outside2_cryptomap_1 extended permit ip object-group SHANGHAI-LAN object-group AATI_LAN
access-list shanghai_cryptomap extended permit ip object-group SHANGHAI-LAN object-group TW-LAN
access-list in extended deny tcp any host 216.18.228.155
access-list in extended deny tcp any host 41.33.24.2
access-list ddos extended permit tcp any any
access-list outside2_cryptomap extended permit ip object-group SHANGHAI-LAN object-group GERMANY-LAN
access-list vpn extended permit icmp 192.168.2.0 255.255.255.0 192.168.158.0 255.255.255.0
access-list outside_access_in_2 extended permit ip object-group AATI_LAN object-group SHANGHAI-LAN
access-list outside_access_in_2 extended permit ip host 12.145.28.178 any4
access-list outside_access_in_2 extended permit ip host 203.66.1.189 any4
access-list outside_access_in_2 extended permit ip host 5.158.151.28 any4
access-list ProtectUSA extended permit ip object-group CN-LAN object-group USA-LAN
access-list cappkt extended permit ip host 12.145.28.178 any4
access-list ProtectWiFi6 extended permit ip object 192168_2 object WiFi6
Analysis: an ACL matches on source and destination address, protocol and port, and permits or denies the flow. There are many entries here, so one serves as the example:
access-list 100 extended permit ip object-group AATI_LAN object-group SHANGHAI-LAN
This entry permits all IP traffic from object-group AATI_LAN to object-group SHANGHAI-LAN; to know which subnets that really covers you have to expand the two object-groups.
(To locate an object-group quickly, copy its name and search the configuration for it.)
An object-group lists its members one per line; looking up each object in turn tells you which subnets belong to the group (usually the name already gives it away). The other entries work the same way.
Two things are worth checking in this ACL set. First, an ASA ACL is evaluated top-down, first match wins, with an implicit deny after the last line. Both inside_access_in and outside_access_in_1 end with `permit ip any any`, so every specific permit above that line is redundant, and on outside_access_in_1 it means any connection arriving on outside can reach any inside address and port the ASA has a route for; the only line that still has an effect is the `deny` for DM_INLINE_NETWORK_3 in inside_access_in, and only because it precedes the catch-all. Second, ACLs 100, outside_access_in (no suffix), in, ddos, vpn and cappkt are not bound by any access-group in this excerpt, and inside_nat0_outbound is the exemption ACL of the pre-8.3 `nat (inside) 0 access-list` syntax; unless they are referenced elsewhere (a crypto map, a packet capture, a class-map) they do nothing.
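The expand-the-object-group procedure above, together with the first-match check that makes the trailing `permit ip any any` so significant, is shown here as an added example that is not part of the original page. It parses only the subset of ASA syntax used on this page (name, object network, object-group network and service, extended access-lists); CONFIG is a constructed excerpt of the page's configuration, PORT_NAMES is an assumed table for the service keywords that excerpt uses, and 203.0.113.5 is a constructed outside address.

```python
"""Expand ASA object-groups and evaluate an extended ACL the way the ASA does:
top-down, first match wins, implicit deny at the end. Added example, not the
page's own code; CONFIG is a constructed excerpt of the page's configuration and
PORT_NAMES an assumed table for the service keywords it uses."""
import ipaddress

CONFIG = """
name 192.168.2.231 report-server
name 192.168.2.233 terminalserver1
object network asa5520
 host 192.168.2.254
object-group service 4433 tcp
 port-object eq 4433
object-group service DM_INLINE_TCP_4 tcp
 group-object 4433
object-group network DM_INLINE_NETWORK_1
 network-object host report-server
 network-object host terminalserver1
access-list outside_access_in_1 extended permit tcp any object asa5520 eq ssh
access-list outside_access_in_1 extended permit tcp any host 192.168.2.254 object-group DM_INLINE_TCP_4
access-list outside_access_in_1 extended permit tcp any object-group DM_INLINE_NETWORK_1 eq 3389
access-list outside_access_in_1 extended permit icmp any any
access-list outside_access_in_1 extended permit ip any any
"""
PORT_NAMES = {"ssh": 22, "telnet": 23, "www": 80, "https": 443, "smtp": 25, "pop3": 110}
ANY = ipaddress.IPv4Network("0.0.0.0/0")


class AsaConfig:
    def __init__(self, text):
        self.names, self.objects, self.net_groups, self.svc_groups, self.acls = {}, {}, {}, {}, {}
        block = None  # (kind, name) of the block whose indented sub-commands follow
        for raw in text.splitlines():
            t = raw.split()
            if not t or t[0] in ("description", "nat"):
                continue
            if t[0] == "name":
                self.names[t[2]] = t[1]
            elif t[:2] == ["object", "network"]:
                block = ("obj", t[2])
            elif t[:2] == ["object-group", "network"]:
                block, self.net_groups[t[2]] = ("net", t[2]), []
            elif t[:2] == ["object-group", "service"]:
                block, self.svc_groups[t[2]] = ("svc", t[2]), []
            elif t[0] == "access-list":
                if t[2] == "extended":                    # remarks and standard ACLs are skipped
                    self.acls.setdefault(t[1], []).append(t[3:])
            elif block and block[0] == "obj":
                self.objects[block[1]] = self.networks(t)  # "host X" or "subnet X MASK"
            elif block and block[0] == "net":
                self.net_groups[block[1]].append(t)
            elif block:
                self.svc_groups[block[1]].append(t)

    def _addr(self, tok):
        return ipaddress.IPv4Address(self.names.get(tok, tok))

    def networks(self, t):
        """Expand any | host X | object O | object-group G | X MASK to a list of networks."""
        if t[0] in ("any", "any4"):
            return [ANY]
        if t[0] == "host":
            return [ipaddress.IPv4Network(f"{self._addr(t[1])}/32")]
        if t[0] == "object":
            return self.objects[t[1]]
        if t[0] in ("object-group", "group-object"):       # nested groups recurse
            return [n for m in self.net_groups[t[1]]
                    for n in self.networks(m[1:] if m[0] == "network-object" else m)]
        if t[0] == "subnet":
            t = t[1:]
        return [ipaddress.IPv4Network(f"{self._addr(t[0])}/{t[1]}", strict=False)]

    def ports(self, t):
        """Expand eq N | range A B | object-group G to a set of ports; None means any port."""
        if not t:
            return None
        if t[0] in ("eq", "range"):
            nums = [int(x) if x.isdigit() else PORT_NAMES[x] for x in t[1:]]
            return {nums[0]} if t[0] == "eq" else set(range(nums[0], nums[1] + 1))
        return set().union(*(self.ports(m[1:] if m[0] == "port-object" else m)
                             for m in self.svc_groups[t[1]]))

    def evaluate(self, acl, proto, src, dst, dport=None):
        """(action, index) of the first matching ACE, or ('deny', None) for the implicit deny."""
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        for i, ace in enumerate(self.acls[acl]):
            if "inactive" in ace:
                continue
            if "log" in ace:
                ace = ace[:ace.index("log")]
            action, p, rest = ace[0], ace[1], ace[2:]
            if p not in ("ip", proto):
                continue
            n = 1 if rest[0] in ("any", "any4") else 2       # address specs are 1 or 2 tokens
            src_spec, rest = rest[:n], rest[n:]
            n = 1 if rest[0] in ("any", "any4") else 2
            dst_spec, allowed = rest[:n], self.ports(rest[n:])
            if (any(s in net for net in self.networks(src_spec))
                    and any(d in net for net in self.networks(dst_spec))
                    and (allowed is None or dport in allowed)):
                return action, i
        return "deny", None


def probe_db_server():
    """SMB to 192.168.2.230 matches no explicit ACE: it is permitted only by the
    trailing `permit ip any any`; dropping that line leaves the implicit deny."""
    cfg, acl, outside_host = AsaConfig(CONFIG), "outside_access_in_1", "203.0.113.5"
    before = cfg.evaluate(acl, "tcp", outside_host, "192.168.2.230", 445)
    cfg.acls[acl].pop()                                        # remove the catch-all permit
    after = cfg.evaluate(acl, "tcp", outside_host, "192.168.2.230", 445)
    return before, after
```

`probe_db_server()` returns `(("permit", 4), ("deny", None))`: the SMB probe to the database server is admitted by the fifth line, the catch-all, and nothing else, which is the practical meaning of the caveat above. The same evaluator run with the page's full ACL set (after expanding the remaining groups) is the quickest way to confirm which of the sixty-odd entries actually do any work.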
(3) Binding the ACLs
access-group outside_access_in_1 in interface outside
access-group inside_access_in in interface inside
access-group outside_access_in_2 in interface outside2
Analysis: once written, an ACL has to be applied to an interface; an ACL that is not bound does nothing. Only packets that start a new connection are checked against it, replies to established connections pass through the stateful inspection.
access-group inside_access_in in interface inside: traffic entering on inside (internal hosts going out) is permitted or denied according to inside_access_in.
access-group outside_access_in_1 in interface outside: connections initiated from the outside towards the internal network are permitted or denied according to outside_access_in_1.
access-group outside_access_in_2 in interface outside2: the same role for outside2.
(4) NAT for internal hosts reaching the internet
From the configuration, no dynamic NAT or PAT is defined on outside for inside-to-internet traffic; presumably the upstream gateway (Ascanlink, 192.168.4.1) does it, which fits outside sitting on a private 192.168.4.0/24 segment.
(5) One-to-one (static) server mappings
object network FTP-Server
 nat (inside,outside) static 192.168.2.251
object network CORE-Switch
 nat (inside,outside) static 192.168.2.1
object network TERminalserver1
 nat (inside,outside) static 192.168.2.233
object network TERminalserver2
 nat (inside,outside) static 192.168.2.234
object network TERminalserver3
 nat (inside,outside) static 192.168.2.235
object network TERminalserver4
 nat (inside,outside) static 192.168.2.236
object network EMAil-server
 nat (inside,outside) static 192.168.2.248
object network REPort-server
 nat (inside,outside) static 192.168.2.231
object network EDGe95
 nat (inside,outside) static 172.18.3.249
object network DB-server
 nat (inside,outside) static 192.168.2.230
object network WEB-server
 nat (inside,outside) static 192.168.2.250
object network C20
 nat (inside,outside) static 172.19.1.245
object network H192.168.2.22
 nat (inside,outside) static 192.168.2.22
object network H192.168.2.142
 nat (inside,outside) static 192.168.2.142
object network hr_server
 nat (inside,outside) static 192.168.2.33
object network file_server
 nat (inside,outside) static 192.168.2.42
object network H172.20.3.36
 nat (inside,outside) static 172.20.3.36
object network cOMexServer
 nat (inside,outside) static 192.168.2.32
object network H192.168.2.25
 nat (inside,outside) static 192.168.2.25
object network yIKE
 nat (inside,outside) static 192.168.2.152
object network H192.168.2.81
 nat (inside,outside) static 192.168.2.81
object network H192.168.2.82
 nat (inside,outside) static 192.168.2.82
object network asa5520
 nat (inside,outside) static 192.168.2.254
object network WELLTech-server
 nat (inside,outside) static 172.22.1.249
object network vsvn-server
 nat (inside,outside) static 192.168.2.6
Analysis: there are many mappings, but they all do the same thing, so one is enough to explain them:
object network vsvn-server
 nat (inside,outside) static 192.168.2.6
Because of how the running configuration is displayed, the ASA shows the object definition and its `nat` sub-command in different places. The object (vsvn-server, defined earlier as host 192.168.2.6) is the real address; the `nat` line gives the address it is presented as on outside. Here 192.168.2.6 is mapped to 192.168.2.6, i.e. identity NAT: no address changes, and the same holds for every mapping above, so on their own they accomplish nothing.
The most likely origin is the migration from pre-8.3 `static (inside,outside) 192.168.2.6 192.168.2.6` statements, which the old NAT model needed before outside-initiated connections could reach these servers; the upgrade converts them into object NAT and nobody removed them afterwards. They are not entirely inert, though: for traffic from outside to the mapped address, a static rule makes the ASA pick the egress interface from the NAT rule rather than the routing table (hence the `route-lookup` keyword on the rules in the next section), and by default the ASA proxy-ARPs for the mapped address on outside unless `no-proxy-arp` is set. If they are cleaned up, remove them all at once and re-test the outside-to-inside access paths.
(6) NAT exemption for VPN traffic: identity NAT so that site-to-site traffic is not translated, otherwise it would no longer match the crypto ACL and would not enter the tunnel
nat (inside,outside) source static SHANGHAI-LAN SHANGHAI-LAN destination static TW-LAN TW-LAN route-lookup
nat (outside2,outside) source static SHANGHAI-LAN SHANGHAI-LAN destination static GERMANY-LAN GERMANY-LAN no-proxy-arp route-lookup
nat (inside,outside) source static SHANGHAI-LAN SHANGHAI-LAN destination static GERMANY-LAN GERMANY-LAN no-proxy-arp route-lookup
nat (inside,outside2) source static SHANGHAI-LAN SHANGHAI-LAN destination static AATI_LAN AATI_LAN
nat (outside2,outside2) source static 192168_2 192168_2 destination static WiFi6 WiFi6 no-proxy-arp route-lookup
These twice NAT rules sit in NAT section 1 and are evaluated before the object NAT rules above. Since this ASA has no dynamic PAT, they change nothing today, but they keep the tunnels working if PAT is added later. Note the interface pairs: the TW-LAN and GERMANY-LAN rules name outside, yet the routes to those peers leave via outside2; `route-lookup` tells the ASA to use the routing table for the egress interface instead of the interface named in the rule, which is what stops these rules from steering the VPN traffic out of the wrong interface.
3. IPsec VPN
(1) IKE configuration
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 enable outside2
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
Analysis: several policies are defined, for both IKEv1 and IKEv2. IKEv2 is the newer protocol, with better extensibility and built-in NAT traversal and cookie-based DoS protection; having both means some peers only speak IKEv1, or the other set is a leftover. Note that the excerpt shows `crypto ikev1 enable` on outside and outside2 but no `crypto ikev2 enable`, so unless IKEv2 is enabled elsewhere in the configuration the IKEv2 policies are never used.
In each policy, encryption is the cipher, hash (IKEv1) or integrity and prf (IKEv2) the authentication algorithm, group the Diffie-Hellman group (larger MODP groups are stronger and cost more CPU), and lifetime is how long the negotiated IKE SA
lives before it is re-keyed.
Several policies let the device match many different peers, since peers may support different algorithm sets. They are tried in priority order, lowest number first, so the weakest entry at 65535 is reachable by any peer that offers 3DES/SHA-1/group 1. By today's standards DES, 3DES, MD5 and DH groups 1, 2 and 5 are all deprecated: unless a peer truly cannot do better, the sets worth keeping are AES (preferably AES-256), SHA-2 for integrity and PRF, and DH group 14 or higher, and the DES/3DES policies should be deleted rather than parked at a low priority, because a low priority does not stop them from being used.
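The priority-order matching described above is easy to get wrong in one's head, so here is an added example (not part of the original page) that models the responder side of IKEv1 phase 1: the page's three `crypto ikev1 policy` blocks are parsed, three constructed peers propose their own attribute sets, and the first local policy that any proposal matches wins. Which attributes count as weak is an assumption stated in the code.

```python
"""IKEv1 phase-1 policy matching, as seen from the responder.

Added example, not from the original page. The responder walks its own
policies in priority order (lowest number first) and accepts the first one
that any initiator proposal matches on encryption, hash, authentication and
DH group; lifetime is not a match criterion, the shorter value is used.
IKEV1_CONFIG is the page's ikev1 policy block; the peers are constructed.
"""
from dataclasses import dataclass

IKEV1_CONFIG = """
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
"""

# assumed deprecation list: DES/3DES, MD5, and the 768/1024/1536-bit MODP groups
WEAK_ENC, WEAK_HASH, WEAK_GROUP = {"des", "3des"}, {"md5"}, {1, 2, 5}


@dataclass(frozen=True)
class Policy:
    priority: int
    encryption: str
    hash_alg: str
    group: int
    auth: str = "pre-share"
    lifetime: int = 86400

    def weaknesses(self):
        """Deprecated attributes carried by this policy."""
        found = [a for a in (self.encryption, self.hash_alg) if a in WEAK_ENC | WEAK_HASH]
        if self.group in WEAK_GROUP:
            found.append(f"group {self.group}")
        return found


def parse_ikev1_policies(text):
    """Read `crypto ikev1 policy N` blocks and their sub-commands, in config order."""
    keymap = {"authentication": "auth", "encryption": "encryption", "hash": "hash_alg",
              "group": "group", "lifetime": "lifetime"}
    policies, cur = [], None
    for raw in text.splitlines():
        t = raw.split()
        if t[:3] == ["crypto", "ikev1", "policy"]:
            if cur:
                policies.append(Policy(**cur))
            cur = {"priority": int(t[3])}
        elif cur and t and t[0] in keymap:
            cur[keymap[t[0]]] = int(t[1]) if t[0] in ("group", "lifetime") else t[1]
    if cur:
        policies.append(Policy(**cur))
    return policies


def negotiate(responder_policies, proposals):
    """Responder-side selection: first local policy (by priority) that a proposal matches."""
    for pol in sorted(responder_policies, key=lambda p: p.priority):
        for prop in proposals:
            if (pol.encryption, pol.hash_alg, pol.group, pol.auth) == \
               (prop.encryption, prop.hash_alg, prop.group, prop.auth):
                return pol, min(pol.lifetime, prop.lifetime)
    return None, None


if __name__ == "__main__":
    local = parse_ikev1_policies(IKEV1_CONFIG)
    peers = {   # constructed initiator proposal lists
        "legacy peer": [Policy(10, "3des", "sha", 1, lifetime=28800)],
        "modern peer": [Policy(10, "aes-256", "sha256", 14)],
        "mixed peer": [Policy(10, "aes-256", "sha", 14), Policy(20, "3des", "md5", 2)],
    }
    for who, props in peers.items():
        pol, life = negotiate(local, props)
        if pol is None:
            print(f"{who}: no common IKEv1 policy, tunnel cannot come up")
        else:
            print(f"{who}: policy {pol.priority} ({pol.encryption}/{pol.hash_alg}/group "
                  f"{pol.group}), lifetime {life}, weak: {pol.weaknesses() or 'none'}")
```

Two results matter. The "legacy peer" lands on policy 65535 with group 1, which is exactly how a forgotten low-priority entry becomes the one in use; and the "modern peer" offering only AES-256/SHA-256/group 14 gets no match at all, because this ASA has no IKEv1 policy with AES. Adding a strong policy at a low number (or, better, an IKEv2 policy with `encryption aes-256`, `integrity sha256`, `prf sha256`, `group 14`, and enabling IKEv2 on the interface) fixes both at once.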
(2) IPsec tunnel-group configuration
tunnel-group 12.145.28.178 type ipsec-l2l
tunnel-group 12.145.28.178 general-attributes
default-group-policy GroupPolicy_12.145.28.178
tunnel-group 12.145.28.178 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 203.66.1.189 type ipsec-l2l
tunnel-group 203.66.1.189 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 5.158.151.28 type ipsec-l2l
tunnel-group 5.158.151.28 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 209.118.175.5 type ipsec-l2l
tunnel-group 209.118.175.5 general-attributes
default-group-policy GroupPolicy_209.118.175.5
tunnel-group 209.118.175.5 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 12.145.28.185 type ipsec-l2l
tunnel-group 12.145.28.185 general-attributes
default-group-policy GroupPolicy_12.145.28.185
tunnel-group 12.145.28.185 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****
Analysis: a tunnel-group identifies the peer, here by its IP address, and carries the pre-shared key for that peer; the key must be identical on both sides or the negotiation fails.
tunnel-group 12.145.28.185 ipsec-attributes (the peer's IP address is known)
 ikev1 pre-shared-key *****
tunnel-group DefaultL2LGroup ipsec-attributes (the peer's IP address is not known)
 ikev1 pre-shared-key *****
The configuration also has a DefaultL2LGroup. It is the fallback used when the peer's address is not known in advance or is not fixed, for example a site on a dial-up or dynamic address: a peer that matches none of the address-specific tunnel-groups ends up here and the tunnel is built with this group's key. Because that one key is shared with every such peer, it should be long and random and must differ from the per-peer keys; anyone who learns it can bring up a tunnel with this ASA. The `*****` are the masked keys of `show running-config`; `more system:running-config` prints them in clear, so configuration backups need the same protection as the keys themselves.
(3) IPsec phase-2 policies
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set myset esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
Analysis: these define the parameters that protect the actual data traffic (phase 2, the IPsec SA): the ESP cipher and the ESP integrity algorithm. The two ends must agree on one set exactly. Both IKEv1 transform sets and IKEv2 proposals are present, and the long list lets this device pair with many different peers. The `-TRANS` sets are transport mode (no outer IP header), which is used for host-to-host traffic or L2TP over IPsec, not for these site-to-site tunnels. Only the sets that a crypto map entry references are ever proposed; the one entry visible below uses ESP-3DES-SHA, and as with the phase-1 policies, the DES/3DES and MD5 variants, and the `integrity sha-1 md5` in every IKEv2 proposal, are deprecated choices that should be trimmed to AES with SHA-2 integrity wherever the peers allow it.
(4) VPN interesting traffic
access-list outside2_cryptomap_1 extended permit ip object-group SHANGHAI-LAN object-group AATI_LAN
access-list ProtectUSA extended permit ip object-group CN-LAN object-group USA-LAN
access-list ProtectWiFi6 extended permit ip object 192168_2 object WiFi6
access-list shanghai_cryptomap extended permit ip object-group SHANGHAI-LAN object-group TW-LAN
Analysis: a crypto ACL defines the interesting traffic. When a packet's source and destination fall inside it, the ASA brings up the VPN (or matches it to an existing tunnel) and sends the packet through it; anything else is routed normally in the clear.
The crypto ACL is the trigger for the negotiation, so getting its contents right is the key step. Which subnets it covers is found the same way as before: expand the object-groups and objects (copy the name and search for it). Two practical checks: the peer's crypto ACL should be the exact mirror image of this one, and the same source/destination pair must be covered by one of the NAT exemption rules in section 2, otherwise a translated packet no longer matches and leaves unencrypted.
(5) crypto map for the outside2 uplink
crypto map germany_map 1 match address outside2_cryptomap
crypto map germany_map 1 set peer 5.158.151.28
crypto map germany_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map germany_map 1 set nat-t-disable
Analysis: entry 1 of germany_map ties together the interesting traffic (outside2_cryptomap, SHANGHAI-LAN to GERMANY-LAN), the peer (5.158.151.28, which has a matching tunnel-group and a /32 route out of outside2) and the phase-2 transform set (ESP-3DES-SHA). `set nat-t-disable` switches off NAT traversal for this entry, which only works if no NAT device sits between the two public addresses. A crypto map becomes active only once it is applied with `crypto map germany_map interface outside2`; that line and the remaining entries of the map are outside this excerpt.