Topology diagram:
Lab background
When an IPsec tunnel is built, a NAT device on the tunnel path does not by itself interfere with the phase 1 IKE SA negotiation or the phase 2 IPsec SA negotiation, because IKE packets are normally carried inside UDP datagrams.
However, once phase 2 negotiation completes, NAT applied to the IPsec packets themselves causes the tunnel to fail (that is, the IPsec tunnel can be established, but the actual user data cannot be transmitted).
There can be several reasons, but the key ones are:
1. With IPsec ESP, the NAT device cannot find the port and source IP address fields it would need to translate, because they have already been encrypted.
2. With IPsec AH, the NAT device can see the port, source IP and destination IP, but it must not modify them: any change breaks the integrity check of the whole IPsec packet, and the packet is discarded.
How IPsec and NAT can coexist: NAT-T
During IPsec phase 1 (IKE SA) negotiation, the *** devices at both ends that support NAT-T detect whether there is a NAT device on the IPsec negotiation path:
1. If there is no NAT device, IPsec packets are sent normally and negotiation proceeds to IKE phase 2.
2. If a NAT device is detected, an additional UDP encapsulation is added to the outgoing IPsec packets, which resolves the failed authentication check. The NAT device treats the packet as an ordinary UDP datagram and changes the source port in the UDP header without touching the SPI in the AH or ESP header. The *** device at the far end strips the UDP layer and processes the IPsec packet; it passes the authentication check because nothing covered by the authentication was modified.
3. Even when NAT-T is enabled, it is only activated when a NAT device actually sits between the two *** gateways.
4. To use NAT-T, both *** peers must support it.
The devices in this lab have NAT-T enabled by default, so no extra configuration is needed.
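As an added illustration (not part of the original post), the following Python model shows the two points above: an AH integrity check fails once a NAT rewrites the source address, whereas ESP carried in UDP 4500 (NAT-T, RFC 3948) still verifies after the rewrite, and the NAT-D hash comparison from IKE phase 1 (RFC 3947) is what reveals the NAT. The key, cookies and payload bytes are constructed demo values; the addresses and the outbound SPI are taken from this lab.

```python
import hashlib, hmac, struct

KEY = b"constructed-demo-key"  # assumed shared integrity key (demo value only)

def ip4(addr):
    return bytes(int(o) for o in addr.split("."))
def ip_hdr(src, dst, proto):  # toy 9-byte IP header: src(4) dst(4) proto(1)
    return ip4(src) + ip4(dst) + bytes([proto])
def icv(data):  # HMAC-MD5 truncated to 96 bits, as in esp-md5-hmac
    return hmac.new(KEY, data, hashlib.md5).digest()[:12]

def ah_packet(src, dst, payload):
    """AH (proto 51): ICV covers immutable IP header fields, source IP included."""
    hdr = ip_hdr(src, dst, 51)
    return hdr + icv(hdr + payload) + payload
def ah_verify(pkt):
    return hmac.compare_digest(pkt[9:21], icv(pkt[:9] + pkt[21:]))

def esp_body(spi, seq, ciphertext):
    """ESP: ICV covers SPI, sequence number and encrypted payload, never the IP header."""
    body = struct.pack("!II", spi, seq) + ciphertext
    return body + icv(body)
def esp_verify(body):
    return hmac.compare_digest(body[-12:], icv(body[:-12]))
def natt_packet(src, dst, sport, dport, body):  # RFC 3948: IP(proto 17)+UDP+ESP
    return ip_hdr(src, dst, 17) + struct.pack("!HH", sport, dport) + body

def nat_rewrite(pkt, new_src, new_sport):
    """PAT device: rewrites the outer src IP, and the src port only when it sees UDP.
    Raw ESP/AH expose no usable ports, so only the IP address can be changed."""
    out = ip4(new_src) + pkt[4:9]
    if pkt[8] == 17:
        return out + struct.pack("!H", new_sport) + pkt[11:]
    return out + pkt[9:]
def nat_d(cky_i, cky_r, ip, port):  # RFC 3947 NAT-D: HASH(CKY-I|CKY-R|IP|Port)
    return hashlib.sha1(cky_i + cky_r + ip4(ip) + struct.pack("!H", port)).digest()

def demo_ah():  # AH fails integrity once R2 rewrites the source address
    pkt = ah_packet("10.10.10.2", "1.1.1.1", b"user data")
    return ah_verify(pkt), ah_verify(nat_rewrite(pkt, "2.2.2.2", 0))

def demo_natt():  # ESP inside UDP 4500 still verifies after the NAT rewrite
    body = esp_body(0x5147BFC4, 1, b"\x9a\x33\x07ciphertext")  # SPI from the lab output
    pkt = natt_packet("10.10.10.2", "1.1.1.1", 4500, 4500, body)
    nat = nat_rewrite(pkt, "2.2.2.2", 4500)  # R2 statically maps udp 4500 in this lab
    return esp_verify(pkt[13:]), esp_verify(nat[13:])

def demo_nat_detect():  # hashes differ because the ASA sees 2.2.2.2, not 10.10.10.2
    cky_i, cky_r = b"\x01" * 8, b"\x02" * 8  # constructed ISAKMP cookies
    claimed = nat_d(cky_i, cky_r, "10.10.10.2", 500)
    observed = nat_d(cky_i, cky_r, "2.2.2.2", 500)
    return claimed != observed
```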
Lab objectives:
1. R3, sitting behind R2 (which performs NAT), establishes an IPsec *** connection with the ASA.
2. PC1 and PC2 can still reach the Internet while the *** is up, i.e. PC1 can ping 2.2.2.2 and PC2 can ping 1.1.1.1.
Approach:
1. Basic configuration: IP addressing, routing and firewall policy
2. Configure NAT
3. Configure the IPsec ***
Lab configuration:
ASA:
interface Ethernet0/0
nameif inside
ip address 192.168.1.1 255.255.255.0
no sh
!
interface Ethernet0/1
nameif outside
ip address 1.1.1.1 255.255.255.0
no sh
exit
Policy
access-list outside extended permit ip any any
access-list no-nat extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
NAT configuration
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
IPsec *** configuration
access-list ipsec*** extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key cisco
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 10 match address ipsec***
crypto map mymap 10 set peer 2.2.2.2
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
R1
interface FastEthernet0/0
ip address 1.1.1.2 255.255.255.0
no sh
!
interface Serial1/1
ip address 2.2.2.1 255.255.255.0
no sh
exit
R2
interface Serial1/0
ip address 2.2.2.2 255.255.255.0
ip nat outside
no sh
!
interface Serial1/1
ip address 10.10.10.1 255.255.255.0
ip nat inside
no sh
exit
ip route 0.0.0.0 0.0.0.0 Serial1/0
ip route 172.16.1.0 255.255.255.0 Serial1/1
NAT for internal users in 172.16.1.0 reaching the Internet
ip access-list extended nat
permit ip 172.16.1.0 0.0.0.255 any
ip nat inside source list nat interface Serial1/0 overload
Static mappings for the ISAKMP (UDP 500) and NAT-T (UDP 4500) ports to R3
ip nat inside source static udp 10.10.10.2 500 interface Serial1/0 500
ip nat inside source static udp 10.10.10.2 4500 interface Serial1/0 4500
R3
interface Serial1/0
ip address 10.10.10.2 255.255.255.0
crypto map mymap
no sh
!
interface Serial1/1
ip address 172.16.1.1 255.255.255.0
no sh
exit
ip route 0.0.0.0 0.0.0.0 Serial1/0
ip access-list extended ipsec***
permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 1.1.1.1
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set myset
match address ipsec***
R4 // simulates a PC; only its IP address and default gateway need to be configured.
interface Serial1/0
ip address 172.16.1.2 255.255.255.0
no sh
exit
no ip routing
ip default-gateway 172.16.1.1
Lab results:
R4#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 16/39/76 ms
R4#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/57/80 ms
R3#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
1.1.1.1 10.10.10.2 QM_IDLE 1002 0 ACTIVE
IPv6 Crypto ISAKMP SA
R3#sh crypto ipsec sa
interface: Serial1/0
Crypto map tag: mymap, local addr 10.10.10.2
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer 1.1.1.1 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 140, #pkts encrypt: 140, #pkts digest: 140
#pkts decaps: 140, #pkts decrypt: 140, #pkts verify: 140
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0
local crypto endpt.: 10.10.10.2, remote crypto endpt.: 1.1.1.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0
current outbound spi: 0x5147BFC4(1363656644)
inbound esp sas:
spi: 0x6A82D805(1786959877)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 3, flow_id: 3, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4389238/3497)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x5147BFC4(1363656644)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 4, flow_id: 4, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4389238/3496)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas: