Reposted from: http://bbs.csc-china.com.cn/forum.php?mod=viewthread&tid=990787&extra=page%3D10

Requirements:
1. Inside hosts reaching foreign destinations prefer the HK router (assume 61.128.0.0/8 is domestic; everything else is foreign)
2. Inside hosts reaching domestic destinations prefer the ADSL router
3. The DXoutside interface provides L2L and AnyConnect VPN to the outside and allows access to Inside

Note: tested on ASAv 9.9.1. With the same routing configuration on ASAv 9.7.1, the SSL VPN and L2L VPN cannot connect.
II. Basic configuration
1. ASAv firewall

hostname ASAv
interface GigabitEthernet0/0
    nameif HKoutside
    security-level 0
    ip address 202.100.1.10 255.255.255.0
    no shutdown
interface GigabitEthernet0/1
    nameif DXoutside
    security-level 0
    ip address 202.100.2.10 255.255.255.0
    no shutdown
interface GigabitEthernet0/2
    nameif ADSLoutside
    security-level 0
    ip address 202.100.3.10 255.255.255.0
    no shutdown
interface GigabitEthernet0/3
    nameif Inside
    security-level 100
    ip address 10.1.1.10 255.255.255.0
    no shutdown
interface GigabitEthernet0/4
    nameif DMZ
    security-level 0
    ip address 192.168.1.10 255.255.255.0
    no shutdown
route HKoutside 0.0.0.0 0.0.0.0 202.100.1.1 1
route DXoutside 0.0.0.0 0.0.0.0 202.100.2.1 2
route ADSLoutside 0.0.0.0 0.0.0.0 202.100.3.1 3
route ADSLoutside 61.128.0.0 255.255.0.0 202.100.3.1 1
object network Inside-net
    subnet 10.1.1.0 255.255.255.0
nat (Inside,HKoutside) source dynamic Inside-net interface
nat (Inside,DXoutside) source dynamic Inside-net interface
nat (Inside,ADSLoutside) source dynamic Inside-net interface
policy-map global_policy
class inspection_default
  inspect ip-options
  inspect icmp
2. Inside router
hostname Inside
interface Ethernet0/0
    ip address 10.1.1.1 255.255.255.0
    no shutdown
ip route 0.0.0.0 0.0.0.0 10.1.1.10
line vty 0 4
    password Cisc0123
    login
    transport input all
3. DMZ router
hostname DMZ
interface Ethernet0/0
    ip address 192.168.1.1 255.255.255.0
    no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.1.10
4. HK router
hostname HK
interface Ethernet0/0
    ip address 202.100.1.1 255.255.255.0
    no shutdown
interface Ethernet0/1
    ip address 61.128.1.1 255.255.255.0
    no shutdown
ip route 0.0.0.0 0.0.0.0 61.128.1.2
line vty 0 4
    password Cisc0123
    login
    transport input all
5. DX router
hostname DX
interface Ethernet0/0
    ip address 202.100.2.1 255.255.255.0
    no shutdown
interface Ethernet0/1
    ip address 61.128.2.1 255.255.255.0
    no shutdown
ip route 0.0.0.0 0.0.0.0 61.128.2.2
6. ADSL router
hostname ADSL
interface Ethernet0/0
    ip address 202.100.3.1 255.255.255.0
    no shutdown
interface Ethernet0/1
    ip address 61.128.3.1 255.255.255.0
    no shutdown
ip route 0.0.0.0 0.0.0.0 61.128.3.2
7. Internet router
hostname Internet
interface Loopback0
    ip address 73.1.1.1 255.255.255.0
interface Ethernet0/0
    ip address 61.128.2.2 255.255.255.0
    no shutdown
interface Ethernet0/1
    ip address 61.128.3.2 255.255.255.0
    no shutdown
interface Ethernet0/2
    ip address 61.128.4.2 255.255.255.0
    no shutdown
interface Ethernet0/3
    ip address 61.128.1.2 255.255.255.0
interface Ethernet1/0
    ip address 61.128.5.2 255.255.255.0
    no shutdown
ip route 202.100.1.0 255.255.255.0 61.128.1.1
ip route 202.100.2.0 255.255.255.0 61.128.2.1
ip route 202.100.3.0 255.255.255.0 61.128.3.1
8. Home router
hostname Home
interface Ethernet0/0
    ip address 61.128.4.1 255.255.255.0
    ip nat outside
interface Ethernet0/1
    ip address 192.168.10.254 255.255.255.0
    ip nat inside
    no shutdown
ip route 0.0.0.0 0.0.0.0 61.128.4.2
ip access-list extended PAT
    permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list PAT interface Ethernet0/0 overload
9. Branch router
hostname Branch
interface Loopback0
    ip address 172.16.1.1 255.255.255.0
    ip nat inside
    no shutdown
interface Ethernet0/0
    ip address 61.128.5.1 255.255.255.0
    ip nat outside
    no shutdown
ip route 0.0.0.0 0.0.0.0 61.128.5.2
object-group network Inside-net
    10.1.1.0 255.255.255.0
ip access-list extended PAT
    deny   ip 172.16.1.0 0.0.0.255 object-group Inside-net
    permit ip 172.16.1.0 0.0.0.255 any
ip nat inside source list PAT interface Ethernet0/0 overload
10. Verification
① Inside reaching foreign destinations prefers the HK router

Inside#ping 73.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 73.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Inside#
② Inside reaching domestic destinations prefers the ADSL router
Inside#ping 61.128.1.2 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 61.128.1.2, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 3/3/3 ms
Inside#ping 61.128.2.2 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 61.128.2.2, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 2/2/2 ms
Inside#ping 61.128.4.2 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 61.128.4.2, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 2/2/2 ms
Inside#

Internet#debug ip icmp                      
ICMP packet debugging is on
Internet#
*Apr  7 03:03:37.475: ICMP: echo reply sent, src 61.128.1.2, dst 202.100.3.10, topology BASE, dscp 0 topoid 0
Internet#
*Apr  7 03:03:46.363: ICMP: echo reply sent, src 61.128.2.2, dst 202.100.3.10, topology BASE, dscp 0 topoid 0
Internet#
*Apr  7 03:03:51.412: ICMP: echo reply sent, src 61.128.4.2, dst 202.100.3.10, topology BASE, dscp 0 topoid 0
Internet#
③ Replies to traffic destined for the firewall's own outside interface addresses return through the interface the request arrived on
Home#debug ip icmp
ICMP packet debugging is on
Home#ping 202.100.1.10 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 202.100.1.10, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 2/2/2 ms
Home#
*Apr  7 03:11:27.291: ICMP: echo reply rcvd, src 202.100.1.10, dst 61.128.3.1, topology BASE, dscp 0 topoid 0
Home#ping 202.100.2.10 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 202.100.2.10, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 2/2/2 ms
Home#
*Apr  7 03:11:35.067: ICMP: echo reply rcvd, src 202.100.2.10, dst 61.128.3.1, topology BASE, dscp 0 topoid 0
Home#ping 202.100.3.10 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 202.100.3.10, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 2/2/2 ms
Home#
*Apr  7 03:11:43.579: ICMP: echo reply rcvd, src 202.100.3.10, dst 61.128.3.1, topology BASE, dscp 0 topoid 0
Home#
Note: verified that with the same configuration, if ASAv 9.9.1 is replaced with ASAv 9.7.1, the Home router cannot ping 202.100.2.10.
III. ASAv SSL VPN configuration
1. Configure webvpn

webvpn
    enable HKoutside
    enable DXoutside
    enable ADSLoutside
    anyconnect image disk0:/anyconnect-win-4.3.01095-k9.pkg 1
    anyconnect enable
Note: with all three interfaces enabled, if any two interfaces fail at the same time, clients can still dial in through the remaining one.
2. Configure the address pool
ip local pool sslpool 123.1.1.100-123.1.1.200
3. Configure the group-policy and assign the address pool
group-policy ClientlessGP internal
group-policy ClientlessGP attributes
  vpn-tunnel-protocol ssl-client ssl-clientless
  address-pools value sslpool
4. Configure the user and assign the vpn-group-policy
username ssluser password Cisc0123
username ssluser attributes
  vpn-group-policy ClientlessGP
5. Configure NAT exemption
object network Inside-net
    subnet 10.1.1.0 255.255.255.0
object network anyconnect
    range 123.1.1.100 123.1.1.200
nat (Inside,DXoutside) source static Inside-net Inside-net destination static anyconnect anyconnect
nat (Inside,HKoutside) source static Inside-net Inside-net destination static anyconnect anyconnect
nat (Inside,ADSLoutside) source static Inside-net Inside-net destination static anyconnect anyconnect
Note: if the DMZ uses PAT for Internet access and VPN users need to reach the DMZ, the DMZ also needs a NAT exemption.
6. Configure split tunneling
object network Inside-net
    subnet 10.1.1.0 255.255.255.0
object network DMZ-net
    subnet 192.168.1.0 255.255.255.0
object-group network Inside-and-DMZ-net
    network-object object Inside-net
    network-object object DMZ-net
access-list Split extended permit ip object-group Inside-and-DMZ-net any
group-policy ClientlessGP attributes
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Split
7. Verification
PC1 dials each of the three outside interface addresses in turn; all three connect successfully and can reach the Inside and DMZ routers.
IV. Site-to-Site VPN configuration
1. ASAv
① Phase 1 policy:

crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
tunnel-group 61.128.5.1 type ipsec-l2l
tunnel-group 61.128.5.1 ipsec-attributes
    ikev1 pre-shared-key 0 Cisc0123
② Phase 2 transform set:
crypto ipsec ikev1 transform-set transet esp-3des esp-md5-hmac
③ Configure the interesting traffic:
object network Branch-net
    subnet 172.16.1.0 255.255.255.0
access-list VPN extended permit ip object Inside-net object Branch-net
④ Configure the crypto map and apply it to the interface:
crypto map crymap 10 match address VPN
crypto map crymap 10 set peer 61.128.5.1
crypto map crymap 10 set ikev1 transform-set transet
crypto map crymap 10 set pfs group2
crypto map crymap interface DXoutside
⑤ Enable IKEv1 on the DXoutside interface:
crypto ikev1 enable DXoutside
⑥ Configure NAT exemption
object network Inside-net
    subnet 10.1.1.0 255.255.255.0
object network Branch-net
    subnet 172.16.1.0 255.255.255.0
nat (Inside,DXoutside) source static Inside-net Inside-net destination static Branch-net Branch-net
2. Branch router
① Phase 1 policy:

crypto isakmp policy 10
    encr 3des
    hash md5
    authentication pre-share
    group 2
crypto isakmp key 0 Cisc0123 address 202.100.2.10
② Phase 2 transform set:
crypto ipsec transform-set transet esp-3des esp-md5-hmac
③ Configure the interesting traffic:
ip access-list extended VPN
    permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
④ Configure the crypto map and apply it to the interface:
crypto map crymap 10 ipsec-isakmp
    set peer 202.100.2.10
    set transform-set transet
    set pfs group2
    match address VPN
interface Ethernet0/0
    crypto map crymap
3. Verification
Branch#PING 10.1.1.1 SOUrce L0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 5/6/7 ms
Branch#
Branch#telnet 10.1.1.1 /source-interface l0
Trying 10.1.1.1 … Open

User Access Verification

Password:
Inside>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:10:07   
*  2 vty 0                idle                 00:00:00 172.16.1.1

  Interface    User               Mode         Idle     Peer Address

Inside>exit

[Connection to 10.1.1.1 closed by foreign host]
Branch#show crypto engine connections active
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
    3  IPsec   3DES+MD5                  0       80       80 61.128.5.1
    4  IPsec   3DES+MD5                105        0        0 61.128.5.1
1002  IKE     MD5+3DES                  0        0        0 61.128.5.1

Branch#
Later packet-capture testing showed that, for the L2L VPN, unless a static route for the branch's public IP is added, VPN traffic enters on DXoutside but the return traffic leaves on the ADSLoutside interface, even though the source address of the ESP traffic is the DXoutside interface address. SSL VPN captures show a different picture: those packets enter and leave on DXoutside.
The L2L VPN traffic therefore follows an asymmetric path (later, using the Home router as an EzVPN hardware client, EzVPN turned out to behave the same as L2L and also showed an asymmetric path), and this cannot be changed with policy-based routing; presumably the local routing table is consulted again after VPN encryption.
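To make the route selection behind requirements 1 and 2, and the asymmetric L2L path described above, concrete, here is an added Python example (not part of the original post) that reproduces the ASAv's static-route lookup: longest prefix match first, then lowest administrative distance among routes of equal length. The route table is the one configured on the ASAv above. The `/32` host route for the Branch peer via DXoutside is my assumed form of the "static route for the branch public IP" the post mentions; the post does not show that line.

```python
import ipaddress

# Static routes from the ASAv configuration on this page:
# (egress interface, destination network, next hop, administrative distance)
ASA_ROUTES = [
    ("HKoutside",   "0.0.0.0/0",     "202.100.1.1", 1),
    ("DXoutside",   "0.0.0.0/0",     "202.100.2.1", 2),
    ("ADSLoutside", "0.0.0.0/0",     "202.100.3.1", 3),
    ("ADSLoutside", "61.128.0.0/16", "202.100.3.1", 1),
]

# Assumed fix for the L2L asymmetric path (not shown in the post): a host route that
# pins the Branch peer 61.128.5.1 to DXoutside, the interface the crypto map is applied on.
BRANCH_HOST_ROUTE = ("DXoutside", "61.128.5.1/32", "202.100.2.1", 1)
ASA_ROUTES_WITH_BRANCH = ASA_ROUTES + [BRANCH_HOST_ROUTE]


def lookup(dst, routes=ASA_ROUTES):
    """Select the route the ASA would use for destination `dst`.

    Longest prefix wins. Among routes with the same prefix length only the one with
    the lowest administrative distance is installed, so it is the one that forwards.
    Returns (egress interface, next hop), or None when nothing matches.
    """
    addr = ipaddress.ip_address(dst)
    matches = [
        (iface, ipaddress.ip_network(net), nh, dist)
        for iface, net, nh, dist in routes
        if addr in ipaddress.ip_network(net)
    ]
    if not matches:
        return None
    iface, _net, nh, _dist = max(matches, key=lambda r: (r[1].prefixlen, -r[3]))
    return iface, nh


def reply_is_symmetric(peer, ingress_iface, routes=ASA_ROUTES):
    """True when traffic back to `peer` leaves on the same interface it arrived on."""
    chosen = lookup(peer, routes)
    return chosen is not None and chosen[0] == ingress_iface


if __name__ == "__main__":
    # Requirement 1: a "foreign" address (73.1.1.1 on the Internet router) takes HKoutside.
    print("73.1.1.1   ->", lookup("73.1.1.1"))
    # Requirement 2: "domestic" 61.128.x.x addresses take ADSLoutside, matching the
    # Internet router's debug output (echo replies sent to 202.100.3.10).
    for dst in ("61.128.1.2", "61.128.2.2", "61.128.4.2"):
        print(f"{dst} ->", lookup(dst))
    # The L2L peer 61.128.5.1 arrives on DXoutside, but its reply would leave via ADSLoutside
    # because 61.128.5.1 falls inside the 61.128.0.0/16 route.
    print("Branch peer symmetric without host route:",
          reply_is_symmetric("61.128.5.1", "DXoutside"))
    print("Branch peer symmetric with host route:   ",
          reply_is_symmetric("61.128.5.1", "DXoutside", ASA_ROUTES_WITH_BRANCH))
```

The post's explanation for why policy-based routing does not help is that the encrypted packet is routed again after encryption; a host route for the peer changes the table that second lookup consults, which is why it is the change that restores a symmetric path in this model.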