Site-to-site (ASA-Router)
Lab objective: set up an IPsec site-to-site VPN using a pre-shared key between an ASA (or PIX) and a router.
Compare what is the same and what differs when configuring the VPN on an ASA versus on a router.
Lab topology
PIX (Hoặc ASA)
Code:
PIX# sh run
: Saved
:
PIX Version 8.0(3)
!
hostname PIX
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 101.0.0.2 255.0.0.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.10 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list mangbaove extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 101.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap 10 match address mangbaove
crypto map mymap 10 set peer 102.0.0.2
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
tunnel-group 102.0.0.2 type ipsec-l2l
tunnel-group 102.0.0.2 ipsec-attributes
pre-shared-key * (key = 123)
!
!
prompt hostname context
Cryptochecksum:d242d7a4aeb945878985b984c431bf62
: end
PIX#
PIX(config)# tunnel-group 102.0.0.2 type ?
configure mode commands/options:
ipsec-l2l IPSec Site to Site group
ipsec-ra IPSec Remote Access group (DEPRECATED)
remote-access Remote access (IPSec) group
PIX(config)# tunnel-group 102.0.0.2 type ipsec-l2l
PIX# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 101.0.0.1 to network 0.0.0.0
C 101.0.0.0 255.0.0.0 is directly connected, outside
C 192.168.1.0 255.255.255.0 is directly connected, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 101.0.0.1, outside
Have a client send the initial (interesting) traffic to bring the tunnel up.
Router R2
Code:
R2#sh run
Building configuration
Current configuration : 1156 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key 123 address 101.0.0.2
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 101.0.0.2
set transform-set myset
match address 101
reverse-route
!
!
!
!
interface Loopback1
ip address 2.2.2.2 255.0.0.0
!
interface Loopback2
ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 102.0.0.2 255.0.0.0
duplex auto
speed auto
crypto map mymap
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 102.0.0.1
!
!
ip http server
no ip http secure-server
!
access-list 101 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
!
!
end
R2#sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 102.0.0.1 to network 0.0.0.0
C 102.0.0.0/8 is directly connected, FastEthernet0/0
C 2.0.0.0/8 is directly connected, Loopback1
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.1.0 is directly connected, Loopback2
S 192.168.1.0/24 [1/0] via 101.0.0.2
S* 0.0.0.0/0 [1/0] via 102.0.0.1
Router ISP
Code:
ISP#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C 102.0.0.0/8 is directly connected, FastEthernet0/1
C 101.0.0.0/8 is directly connected, FastEthernet0/0
ISP#sh run
Building configuration
Current configuration : 637 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ISP
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 101.0.0.1 255.0.0.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 102.0.0.1 255.0.0.0
duplex auto
speed auto
!
!
!
ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!
end
Link
http://www.4shared.com/file/21297684 sa-router.html
Site-to-site VPN (Router-Router)
Topology
R3#ping 192.168.1.10 source 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/69/136 ms
R3#sh cry
R3#sh crypto isa
R3#sh crypto isakmp sa
dst src state conn-id slot status
101.0.0.2 102.0.0.2 QM_IDLE 1 0 ACTIVE
R3#sh ip ro
R3#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 102.0.0.1 to network 0.0.0.0
C 102.0.0.0/8 is directly connected, FastEthernet0/0
C 2.0.0.0/8 is directly connected, Loopback1
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.1.0 is directly connected, Loopback2
S* 0.0.0.0/0 [1/0] via 102.0.0.1
Configuration
R1
Code:
R1#sh run
Building configuration
Current configuration : 1087 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key 123 address 102.0.0.2
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 102.0.0.2
set transform-set myset
match address 101
reverse-route
!
!
!
!
interface FastEthernet0/0
ip address 101.0.0.2 255.0.0.0
duplex auto
speed auto
crypto map mymap
!
interface FastEthernet0/1
ip address 192.168.1.10 255.255.255.0
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 101.0.0.1
!
!
ip http server
no ip http secure-server
!
ip access-list extended protected
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!
end
R1#sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 101.0.0.1 to network 0.0.0.0
C 101.0.0.0/8 is directly connected, FastEthernet0/0
C 192.168.1.0/24 is directly connected, FastEthernet0/1
S* 0.0.0.0/0 [1/0] via 101.0.0.1
R3
Code:
R3#sh run
Building configuration
Current configuration : 1149 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key 123 address 101.0.0.2
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 101.0.0.2
set transform-set myset
match address 101
reverse-route
!
!
!
!
interface Loopback1
ip address 2.2.2.2 255.0.0.0
!
interface Loopback2
ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 102.0.0.2 255.0.0.0
duplex auto
speed auto
crypto map mymap
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 102.0.0.1
!
!
ip http server
no ip http secure-server
!
access-list 101 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!
end
R3#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 102.0.0.1 to network 0.0.0.0
C 102.0.0.0/8 is directly connected, FastEthernet0/0
C 2.0.0.0/8 is directly connected, Loopback1
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.1.0 is directly connected, Loopback2
S* 0.0.0.0/0 [1/0] via 102.0.0.1
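Both labs above only come up when every parameter on one peer mirrors the other: the crypto ACL (written with a netmask on the ASA/PIX but with a wildcard mask on the router), the ISAKMP policy, the IPsec transform set, and the pre-shared key bound to the peer's address. The Python script below is an added example, not part of the lab and not a Cisco tool. It extracts exactly those lines from the PIX and R2 configs of the first lab and from the R1 and R3 configs of the second (only the crypto-relevant lines are copied inline), normalises both ACL styles to CIDR, and reports every mismatch. The platform defaults it assumes for unset ISAKMP attributes and the "bad mask" config it checks last are constructed for the example.

```python
# Added example (not from the lab): cross-check both ends of a Cisco pre-shared-key IPsec
# site-to-site tunnel from their 'show run' lines and list every mismatch that keeps it down.
import ipaddress
import re

# Assumed IOS 12.4 / ASA 8.0 defaults for ISAKMP attributes a policy leaves unset.
ISAKMP_DEFAULTS = {"ios": {"encr": "des", "hash": "sha", "auth": "rsa-sig", "group": "1"},
                   "asa": {"encr": "3des", "hash": "sha", "auth": "pre-share", "group": "2"}}
ATTR = {"encryption": "encr", "encr": "encr", "hash": "hash", "authentication": "auth",
        "group": "group", "lifetime": "lifetime"}

def to_network(addr, mask, platform):
    """'addr mask' -> network. IOS ACLs carry a wildcard (inverse) mask, ASA ACLs a netmask."""
    m = int(ipaddress.ip_address(mask)) ^ (0xFFFFFFFF if platform == "ios" else 0)
    if (m ^ 0xFFFFFFFF) & ((m ^ 0xFFFFFFFF) + 1):  # host bits must be one contiguous low-order run
        raise ValueError(f"{mask} is not a valid {'wildcard' if platform == 'ios' else 'netmask'}")
    return ipaddress.ip_network(f"{addr}/{bin(m).count('1')}", strict=False)

def parse_crypto(text, platform):
    """Collect the peer-relevant settings from a running config (platform: 'ios' or 'asa')."""
    cfg = {"acls": {}, "policies": [], "tsets": {}, "map": {}, "psk_peers": set(), "local_ips": set(), "errors": []}
    policy = None  # the 'crypto isakmp policy' block currently being read, if any
    for raw in text.splitlines():
        s, parts = raw.strip(), raw.split()
        if policy is not None and len(parts) == 2 and parts[0] in ATTR:
            policy[ATTR[parts[0]]] = parts[1]
            continue
        policy = None  # any other command closes the policy block
        if re.match(r"crypto isakmp policy \d+$", s):
            policy = dict(ISAKMP_DEFAULTS[platform])
            cfg["policies"].append(policy)
        elif m := re.match(r"access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$", s):
            try:
                cfg["acls"].setdefault(m[1], []).append(
                    (to_network(m[2], m[3], platform), to_network(m[4], m[5], platform)))
            except ValueError as err:
                cfg["errors"].append(f"ACL {m[1]}: {err}")
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", s):
            cfg["tsets"][m[1]] = frozenset(m[2].split())
        elif m := re.match(r"(?:crypto map \S+ \d+ )?(set peer|set transform-set|match address) (\S+)$", s):
            cfg["map"][m[1].split()[-1]] = m[2]  # keys: peer, transform-set, address
        elif m := re.match(r"crypto isakmp key \S+ address (\S+)$|tunnel-group (\S+) type ipsec-l2l$", s):
            cfg["psk_peers"].add(m[1] or m[2])
        elif m := re.match(r"ip address (\S+) \S+$", s):
            cfg["local_ips"].add(m[1])
    return cfg

def check_pair(a, b):
    """Mismatches between two parsed peers; an empty list means the configs agree."""
    problems = a["errors"] + b["errors"]
    for me, other in ((a, b), (b, a)):
        peer = me["map"].get("peer")
        if peer not in other["local_ips"]:
            problems.append(f"set peer {peer} is not an address of the other side")
        if peer not in me["psk_peers"]:
            problems.append(f"no pre-shared key bound to peer {peer}")
    acl_a = set(a["acls"].get(a["map"].get("address"), []))
    acl_b = {(d, s) for s, d in b["acls"].get(b["map"].get("address"), [])}
    if not acl_a or acl_a != acl_b:
        problems.append("crypto ACLs are not mirror images of each other")
    if not any(all(pa[k] == pb[k] for k in ("encr", "hash", "auth", "group"))
               for pa in a["policies"] for pb in b["policies"]):
        problems.append("no ISAKMP policy agrees on encryption/hash/authentication/DH group")
    if a["tsets"].get(a["map"].get("transform-set")) != b["tsets"].get(b["map"].get("transform-set")):
        problems.append("IPsec transform sets differ")
    return problems

# Crypto-relevant lines copied from the lab's PIX and R2 running configs.
PIX_CFG = """ip address 101.0.0.2 255.0.0.0
access-list mangbaove extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap 10 match address mangbaove
crypto map mymap 10 set peer 102.0.0.2
crypto map mymap 10 set transform-set myset
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 group 2
tunnel-group 102.0.0.2 type ipsec-l2l"""
R2_CFG = """crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key 123 address 101.0.0.2
crypto ipsec transform-set myset esp-3des esp-sha-hmac
 set peer 101.0.0.2
 set transform-set myset
 match address 101
ip address 102.0.0.2 255.0.0.0
access-list 101 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255"""
# Router-router lab: R3 is configured like R2; R1 is R2 with the addresses swapped and the ACL reversed.
R1_CFG = (R2_CFG.replace("101.0.0.2", "X").replace("102.0.0.2", "101.0.0.2").replace("X", "102.0.0.2")
          .replace("172.16.1.0 0.0.0.255 192.168.1.0", "192.168.1.0 0.0.0.255 172.16.1.0"))
# Constructed mistake: ASA-style netmasks pasted into the IOS ACL, where wildcards are expected.
R2_BAD_MASK = R2_CFG.replace("0.0.0.255 192.168.1.0 0.0.0.255", "255.255.255.0 192.168.1.0 255.255.255.0")

def audit():
    return {"asa-router": check_pair(parse_crypto(PIX_CFG, "asa"), parse_crypto(R2_CFG, "ios")),
            "router-router": check_pair(parse_crypto(R1_CFG, "ios"), parse_crypto(R2_CFG, "ios")),
            "asa-router, bad mask": check_pair(parse_crypto(PIX_CFG, "asa"), parse_crypto(R2_BAD_MASK, "ios"))}
```

Calling audit() returns an empty list for both lab pairs and two findings for the constructed mistake: the netmask is rejected as an IOS wildcard, and the crypto ACLs consequently no longer mirror each other. The script checks agreement only, not strength: the 3DES transform set, DH group 2 and the three-character pre-shared key shown in the lab are acceptable for a lab but not for a production tunnel.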
ISP
Code:
ISP#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C 102.0.0.0/8 is directly connected, FastEthernet0/1
C 101.0.0.0/8 is directly connected, FastEthernet0/0
ISP#sh ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 101.0.0.1 YES manual up up
FastEthernet0/1 102.0.0.1 YES manual up up
Link
http://www.4shared.com/file/21297961 N_Router_.html