S2S *** NAT-T


Lab objectives:

1. *** traffic can traverse the NAT device.

2. Inside1 can trigger the *** traffic (traffic from Inside1 brings the tunnel up).


PAT has to rewrite port numbers, but ESP carries no port number, so the translation fails and plain ESP cannot traverse a PAT device.

With NAT-T, each packet gets an additional UDP header (port 4500), so there is a port number for PAT to translate.
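To make the two sentences above concrete, here is an added Python example (not part of the original post) that builds a bare ESP packet and the same packet inside the NAT-T UDP header, shows what a PAT device could or could not translate in each case, and demultiplexes a UDP/4500 payload the way the receiving endpoint does: IKE carries a four-zero-byte non-ESP marker (RFC 3948), a single 0xFF byte is a NAT keepalive, anything else is ESP with its SPI first. The SPI and ciphertext are constructed values.

```python
import struct

UDP_PROTO = 17
ESP_PROTO = 50
NAT_T_PORT = 4500
# RFC 3948 section 2.2: IKE carried on UDP 4500 is prefixed with four zero bytes so the
# receiver can tell it apart from UDP-encapsulated ESP, whose first four bytes are a non-zero SPI.
NON_ESP_MARKER = b"\x00\x00\x00\x00"


def build_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """Minimal ESP header (RFC 4303): 32-bit SPI, 32-bit sequence number, then the body."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved; it would collide with the non-ESP marker")
    return struct.pack("!II", spi, seq) + ciphertext


def udp_encapsulate(payload: bytes, sport: int = NAT_T_PORT, dport: int = NAT_T_PORT) -> bytes:
    """Prepend the UDP header NAT-T adds; a zero checksum is allowed for IPv4 per RFC 3948."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def translatable_port(ip_proto: int, l4_bytes: bytes):
    """Return the source port a PAT device would rewrite, or None when the protocol has none."""
    if ip_proto == UDP_PROTO:
        return struct.unpack("!H", l4_bytes[:2])[0]
    # ESP (IP protocol 50) begins with an SPI, not a port: PAT has nothing to translate.
    return None


def classify_udp4500(payload: bytes) -> dict:
    """Demultiplex a UDP/4500 payload the way an IKE/IPsec endpoint does."""
    if payload == b"\xff":                       # RFC 3948 section 2.3 NAT keepalive
        return {"type": "nat-keepalive"}
    if payload[:4] == NON_ESP_MARKER:
        return {"type": "ike", "ike": payload[4:]}
    if len(payload) < 8:
        raise ValueError("too short for an ESP header")
    spi, seq = struct.unpack("!II", payload[:8])
    return {"type": "esp", "spi": spi, "seq": seq}


def demo():
    """Walk one constructed ESP packet through plain and NAT-T encapsulation."""
    esp = build_esp(spi=0x1A2B3C4D, seq=1, ciphertext=b"constructed ciphertext")
    plain = translatable_port(ESP_PROTO, esp)          # None: bare ESP defeats PAT
    natt = udp_encapsulate(esp)
    port = translatable_port(UDP_PROTO, natt)          # 4500: PAT now has a port to rewrite
    kind = classify_udp4500(natt[8:])                  # receiver strips UDP and sees ESP
    return plain, port, kind


if __name__ == "__main__":
    print(demo())
```

Run it and the first value is None (no port for PAT to work with), the second is 4500, and the third is the decoded ESP header with its SPI; this is exactly the difference the two paragraphs describe.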

Configuration:

Inside1:

interface FastEthernet1/0
ip address 1.1.1.1 255.255.255.0
duplex auto
speed auto
!        
ip route 0.0.0.0 0.0.0.0 1.1.1.10

 

GW1:

interface GigabitEthernet0
nameif Inside
security-level 100
ip address 1.1.1.10 255.255.255.0
!
interface GigabitEthernet1
nameif Outside
security-level 0
ip address 202.1.1.1 255.255.255.0

route Outside 0.0.0.0 0.0.0.0 202.1.1.10 1
route Inside 0.0.0.0 0.0.0.0 1.1.1.1 tunneled //decrypted traffic is forwarded to 1.1.1.1

crypto ikev1 enable Outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 64.1.1.1 type ipsec-l2l
tunnel-group 64.1.1.1 ipsec-attributes
ikev1 pre-shared-key cisco
crypto ipsec ikev1 transform-set SET esp-3des esp-md5-hmac

access-list *** extended permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0

crypto map cisco 10 match address ***
crypto map cisco 10 set pfs group5
crypto map cisco 10 set peer 64.1.1.1
crypto map cisco 10 set ikev1 transform-set SET
crypto map cisco interface Outside

access-list out extended permit icmp any any
access-group out in interface Outside

crypto isakmp nat-traversal //enable NAT-T; routers enable it by default, the ASA does not, and both ends must have it enabled before NAT-T can be used

 

Internet:

interface FastEthernet1/0
ip address 202.1.1.10 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/1
ip address 64.1.1.10 255.255.255.0
duplex auto
speed auto

 

GW2:

interface GigabitEthernet0
nameif Inside
security-level 100
ip address 10.1.1.10 255.255.255.0
!
interface GigabitEthernet1
nameif Outside
security-level 0
ip address 64.1.1.1 255.255.255.0

route Outside 0.0.0.0 0.0.0.0 64.1.1.10 1
route Inside 0.0.0.0 0.0.0.0 10.1.1.1 tunneled

object network PAT //PAT source is 10.1.1.0/24
subnet 10.1.1.0 255.255.255.0
object network ***-inside-network //*** encryption/decryption endpoint
host 10.1.1.1
object network ***4500-inside-network //*** encryption/decryption endpoint
host 10.1.1.1

object network PAT //source 10.1.1.0/24 is translated to the outside interface address
nat (Inside,Outside) dynamic interface
object network ***-inside-network //when the outside peer 202.1.1.1 reaches the Outside interface on UDP port 500, translate it to inside address 10.1.1.1 UDP port 500
nat (Inside,Outside) static interface service udp isakmp isakmp
object network ***4500-inside-network //when the outside peer 202.1.1.1 reaches the Outside interface on UDP port 4500, translate it to inside address 10.1.1.1 UDP port 4500
nat (Inside,Outside) static interface service udp 4500 4500

access-list out extended permit icmp any any
access-list out extended permit udp host 202.1.1.1 eq isakmp host 10.1.1.1 eq isakmp //permit the IKE negotiation initiated by the outside peer 202.1.1.1
access-list out extended permit udp host 202.1.1.1 eq 4500 host 10.1.1.1 eq 4500 //permit the UDP 4500-encapsulated ESP traffic initiated by the outside peer 202.1.1.1
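The GW2 NAT configuration above mixes two kinds of translation: static service NAT for UDP 500 and 4500 towards Inside2 (10.1.1.1), and dynamic PAT to the Outside interface for everything else in 10.1.1.0/24. The following added Python model (not the post's own material and not ASA code) reproduces that behaviour for a few packets so the interaction between the rules and the earlier "ESP has no port" point can be seen in one place. The dynamic port allocator starting at 1024 and the host 10.1.1.20 are constructed simplifications; the model does not evaluate the "out" access-list.

```python
import ipaddress

UDP = 17   # IP protocol numbers
ESP = 50


class PatDevice:
    """Toy model of GW2's NAT: static service rules plus dynamic PAT to the Outside interface.
    Port allocation from 1024 upward is a constructed simplification, not the ASA's allocator."""

    def __init__(self, outside_ip, inside_subnet, static_services):
        self.outside_ip = outside_ip
        self.inside_subnet = ipaddress.ip_network(inside_subnet)
        # static_services entries: (inside_ip, proto, inside_port, outside_port), bidirectional
        self.static_out = {(ip, proto, iport): oport for ip, proto, iport, oport in static_services}
        self.static_in = {(proto, oport): (ip, iport) for ip, proto, iport, oport in static_services}
        self.xlate_out = {}   # (inside_ip, proto, inside_port) -> outside_port
        self.xlate_in = {}    # (proto, outside_port) -> (inside_ip, inside_port)
        self.next_port = 1024

    def outbound(self, src_ip, proto, sport):
        """Translate an inside-originated packet; returns (outside_ip, outside_port) or None."""
        if (src_ip, proto, sport) in self.static_out:
            return self.outside_ip, self.static_out[(src_ip, proto, sport)]
        if ipaddress.ip_address(src_ip) not in self.inside_subnet:
            return None
        if sport is None:
            # Dynamic PAT keys each translation on a source port. ESP has none, so the
            # packet cannot be translated: this is the failure the post describes.
            return None
        key = (src_ip, proto, sport)
        if key not in self.xlate_out:
            while (proto, self.next_port) in self.static_in or (proto, self.next_port) in self.xlate_in:
                self.next_port += 1
            self.xlate_out[key] = self.next_port
            self.xlate_in[(proto, self.next_port)] = (src_ip, sport)
            self.next_port += 1
        return self.outside_ip, self.xlate_out[key]

    def inbound(self, dst_ip, proto, dport):
        """Untranslate a packet arriving on Outside; None means no xlate exists and it is dropped."""
        if dst_ip != self.outside_ip:
            return None
        return self.static_in.get((proto, dport)) or self.xlate_in.get((proto, dport))


def demo():
    """GW2 as configured on the page: interface 64.1.1.1, inside 10.1.1.0/24, two static rules."""
    gw2 = PatDevice("64.1.1.1", "10.1.1.0/24",
                    [("10.1.1.1", UDP, 500, 500), ("10.1.1.1", UDP, 4500, 4500)])
    return {
        "esp_out": gw2.outbound("10.1.1.1", ESP, None),        # None: bare ESP cannot be PATed
        "ike_out": gw2.outbound("10.1.1.1", UDP, 500),         # static rule, port preserved
        "natt_out": gw2.outbound("10.1.1.1", UDP, 4500),       # static rule, port preserved
        "natt_in": gw2.inbound("64.1.1.1", UDP, 4500),         # GW1 -> GW2 reaches Inside2
        "host_out": gw2.outbound("10.1.1.20", UDP, 53),        # dynamic PAT for another host
        "esp_in": gw2.inbound("64.1.1.1", ESP, None),          # no xlate for bare ESP
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The static rules are what let GW1 (202.1.1.1) initiate towards Inside2 through the PAT: without them an inbound UDP/500 or UDP/4500 packet would find no xlate and be dropped, which is why the lab needs both the static NAT and the matching "out" access-list entries.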

 

Inside2:

crypto keyring cisco 
  pre-shared-key address 202.1.1.1 key cisco
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp profile isaprof
   keyring cisco
   match identity address 202.1.1.1 255.255.255.255
!
crypto ipsec transform-set SET esp-3des esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
set peer 202.1.1.1
set transform-set SET
set pfs group5
set isakmp-profile isaprof
match address ***
!
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet1/0
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
crypto map cisco
!
ip route 0.0.0.0 0.0.0.0 10.1.1.10
!
ip access-list extended ***
permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255

Test:


The tunnel runs IPsec over UDP, i.e. ESP encapsulated in UDP port 4500 by NAT-T.
