ASA Remote Access VPN: Split Tunneling + ACL Filtering Configuration

Cisco ASA IPSec VPN Split Tunneling Configuration (ZWD)

Configure split tunneling in the group policy for end users who connect through the VPN Client, and restrict which hosts those users may reach.

In this example, the filtertest group can reach only host 192.168.2.10, while the ipsectest group can reach the whole 192.168.2.0/24 network.

Firewall: ASA5505, version 8.2(5)

VPN client: Windows 7 64-bit, Cisco VPN Client vpnclient-winx64-msi-5.0.07.0440-k9

The walkthrough below uses the filtertest tunnel group; the ipsectest group is configured the same way with its own ACLs.

1. VPN split-tunnel ACL configuration

ASA1(config)# show run access-list

access-list acl-outside extended permit icmp any any echo-reply

access-list no-nat extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0

access-list vpnfilter extended permit ip any host 192.168.2.10   // restricts VPN clients to this single host

access-list split-1 standard permit host 192.168.2.10   // network list used for VPN split tunneling

2. VPN transform set and dynamic crypto map configuration

crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto dynamic-map dyn1 10 set transform-set myset

crypto dynamic-map dyn1 10 set reverse-route

3. Static crypto map configuration and applying it to the interface

crypto map mymap 10 ipsec-isakmp dynamic dyn1

crypto map mymap interface outside

4. VPN ISAKMP SA negotiation parameters / policy configuration

crypto isakmp enable outside

crypto isakmp policy 10

 authentication pre-share

 encryption 3des

 hash sha

 group 2

 lifetime 86400

5. VPN tunnel group policy configuration

ASA1(config)# show run group-policy  

group-policy filtertest internal 

group-policy filtertest attributes 

 vpn-filter value vpnfilter   // apply the ACL that restricts VPN clients to the host

 vpn-tunnel-protocol IPSec   // VPN tunnel protocol

 split-tunnel-policy tunnelspecified   // enable split tunneling (the client reaches the Internet and the VPN network at the same time; without it only the VPN network is reachable)

 split-tunnel-network-list value split-1   // networks that are sent through the tunnel

6. VPN tunnel group parameter configuration

ASA1(config)# show run tunnel-group  

tunnel-group filtertest type remote-access   // declare how VPN clients connect

tunnel-group filtertest general-attributes

 address-pool clientvpn   // IP address pool for VPN clients

 default-group-policy filtertest   // apply the group policy configured above

tunnel-group filtertest ipsec-attributes

 pre-shared-key *****   // VPN tunnel pre-shared key

7. VPN user account configuration

ASA1(config)# username test password test
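The point of steps 1 and 5 is that the split-tunnel network list decides what the client routes into the tunnel, while the vpn-filter ACL decides what the ASA actually lets through, so the two must agree. The script below is an added audit helper, not part of the original article: it parses the access-list and group-policy lines of a show run excerpt (constructed here after this article's configuration; the masked object names are assumed to be vpnfilter, vpnsplit and clientvpn) and reports, per group policy, every destination the vpn-filter permits that lies outside the split-tunnel list, or flags a policy that has no vpn-filter at all.

```python
import re
from ipaddress import ip_network
# Constructed excerpt modelled on the article's "show run" (masked names assumed: vpnfilter, vpnsplit).
SHOW_RUN = """\
access-list vpnsplit standard permit 192.168.2.0 255.255.255.0
access-list testipsec extended permit ip any 192.168.2.0 255.255.255.0
access-list split-1 standard permit host 192.168.2.10
access-list vpnfilter extended permit ip any host 192.168.2.10
group-policy ipsectest attributes
 vpn-filter value testipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnsplit
group-policy filtertest attributes
 vpn-filter value vpnfilter
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-1
"""
ACL_RE = re.compile(r"access-list (\S+) (?:standard|extended) permit (?:ip \S+ )?(.+)$")
ATTR_RE = re.compile(r"\s+(vpn-filter|split-tunnel-network-list) value (\S+)")

def to_net(spec):
    """ACL destination ('host A', 'any' or 'A MASK') -> ip_network."""
    p = spec.split()
    return ip_network(p[1] if p[0] == "host" else "0.0.0.0/0" if p[0] == "any"
                      else f"{p[0]}/{p[1]}", strict=False)

def parse(text):
    """Permitted destinations per ACL, plus the two VPN attributes of each group policy."""
    acls, policies, current = {}, {}, None
    for line in text.splitlines():
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append(to_net(m[2]))
        elif m := re.match(r"group-policy (\S+) attributes", line):
            current = policies.setdefault(m[1], {})
        elif (m := ATTR_RE.match(line)) and current is not None:
            current[m[1]] = m[2]
    return acls, policies

def audit(text):
    """Per policy: vpn-filter destinations outside its split list, or None if no filter is set."""
    acls, policies = parse(text)
    report = {}
    for name, attrs in policies.items():
        if "vpn-filter" not in attrs:
            report[name] = None  # unrestricted: every split-tunnel destination is reachable
        else:
            split = acls.get(attrs.get("split-tunnel-network-list"), [])
            report[name] = [str(d) for d in acls.get(attrs["vpn-filter"], [])
                            if not any(d.subnet_of(s) for s in split)]
    return report
```

For the article's two policies audit(SHOW_RUN) reports no gaps; a policy whose filter permits a network the split list does not carry, or one with the vpn-filter line missing, shows up immediately.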

Checking the firewall ARP table

ASA1(config)# show arp 

        inside 192.168.2.12 94de.8044.22cd 7         

        inside 192.168.2.10 0030.675c.a4b3 512  

Appendix: full firewall configuration

ASA1(config)# show run

: Saved

:

ASA Version 8.2(5)

!

hostname ASA1 

enable password 2KFQnbNIdI.2KYOU encrypted 

passwd 2KFQnbNIdI.2KYOU encrypted 

names 

interface Ethernet0/0  

switchport access vlan 2 

interface Ethernet0/1  

switchport access vlan 2 

interface Ethernet0/2 

interface Ethernet0/3 

interface Ethernet0/4 

interface Ethernet0/5  

shutdown 

interface Ethernet0/6  

shutdown 

interface Ethernet0/7  

shutdown 

interface Vlan1  

nameif inside  

security-level 100 

 ip address 192.168.2.1 255.255.255.0  

interface Vlan2  

nameif outside  

security-level 0 

 ip address 192.168.1.2 255.255.255.0  

!


ftp mode passive

clock timezone CTS 8

access-list acl-outside extended permit icmp any any echo-reply  

access-list vpnsplit standard permit 192.168.2.0 255.255.255.0

access-list testipsec extended permit ip any 192.168.2.0 255.255.255.0  

access-list no-nat extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0

access-list split-1 standard permit host 192.168.2.10

access-list vpnfilter extended permit ip any host 192.168.2.10

pager lines 24

logging enable 

logging buffered debugging 

logging asdm informational 

mtu inside 1500 

mtu outside 1500 

mtu DMZ 1500 

ip local pool clientvpn 172.16.1.1-172.16.1.100 mask 255.255.255.0

no failover 

icmp unreachable rate-limit 1 burst-size 1 

no asdm history enable

arp timeout 14400

global (outside) 1 interface 

nat (inside) 0 access-list no-nat 

nat (inside) 1 0.0.0.0 0.0.0.0 

access-group acl-outside in interface outside 

route outside 0.0.0.0 0.0.0.0 192.168.1.9 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute 

timeout tcp-proxy-reassembly 0:01:00 

timeout floating-conn 0:00:00 

dynamic-access-policy-record DfltAccessPolicy 

aaa authentication telnet console LOCAL  

aaa authentication enable console LOCAL  

aaa authentication ssh console LOCAL  

aaa authentication http console LOCAL  

http server enable 

http 0.0.0.0 0.0.0.0 inside 

no snmp-server location 

no snmp-server contact 

snmp-server enable traps snmp authentication linkup linkdown coldstart 

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac  

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac  

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac  

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac  

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac  

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac  

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac  

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac  

crypto ipsec transform-set myset esp-3des esp-sha-hmac  

crypto ipsec security-association lifetime seconds 28800 

crypto ipsec security-association lifetime kilobytes 4608000 

crypto dynamic-map dyn1 10 set transform-set myset 

crypto dynamic-map dyn1 10 set reverse-route 

crypto map mymap 10 ipsec-isakmp dynamic dyn1 

crypto map mymap interface outside

crypto isakmp enable outside

crypto isakmp policy 10  

authentication pre-share  

encryption 3des  

hash sha  

group 2 

lifetime 86400 

telnet 0.0.0.0 0.0.0.0 inside 

telnet timeout 5 

ssh 0.0.0.0 0.0.0.0 inside 

ssh 0.0.0.0 0.0.0.0 outside 

ssh timeout 30 

console timeout 0 

management-access inside 

dhcpd dns 202.96.128.86 202.96.134.133 

dhcpd lease 36000 

!              

dhcpd address 192.168.2.10-192.168.2.20 inside 

dhcpd dns 202.96.128.86 202.96.128.166 interface inside 

dhcpd enable inside 

!  

threat-detection basic-threat 

threat-detection statistics access-list 

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

webvpn

group-policy ipsectest internal 

group-policy ipsectest attributes

 vpn-filter value testipsec

 vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified  

 split-tunnel-network-list value vpnsplit

group-policy filtertest internal 

group-policy filtertest attributes  

 vpn-filter value vpnfilter

 vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified  

 split-tunnel-network-list value split-1

username test password P4ttSyrm33SV8TYp encrypted 

username user password v5P40l1UGvtJa7Nn encrypted privilege 15 

tunnel-group ipsectest type remote-access 

tunnel-group ipsectest general-attributes  

 address-pool clientvpn

default-group-policy ipsectest 

tunnel-group ipsectest ipsec-attributes

pre-shared-key ***** 

tunnel-group filtertest type remote-access 

tunnel-group filtertest general-attributes  

 address-pool clientvpn

 default-group-policy filtertest 

tunnel-group filtertest ipsec-attributes  

pre-shared-key ***** 

class-map inspection_default  

match default-inspection-traffic 

policy-map type inspect dns preset_dns_map  

parameters 

message-length maximum client auto   

message-length maximum 512 

policy-map global_policy  

class inspection_default 

inspect dns preset_dns_map    

inspect ftp  

inspect h323 h225    

inspect h323 ras    

inspect rsh    

inspect rtsp    

inspect esmtp 

inspect sqlnet    

inspect skinny 

inspect sunrpc   

inspect xdmcp    

inspect sip     

inspect netbios    

inspect tftp  

inspect ip-options  

service-policy global_policy global 

prompt hostname context  

no call-home reporting anonymous 

Cryptochecksum:300f6df1d1f82232518eced3f653c5f1 

: end 


Checking IKE phase 1 on the firewall

ASA1(config)# show crypto isakmp sa  

   Active SA: 1 

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1   IKE Peer: 192.168.1.220 

    Type    : user            Role    : responder  

    Rekey   : no              State   : AM_ACTIVE  

Checking IPsec phase 2 on the firewall

ASA1(config)# show crypto ipsec sa

interface: outside

Crypto map tag: dyn1, seq num: 10, local addr: 192.168.1.2  

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)  

remote ident (addr/mask/prot/port): (172.16.1.7/255.255.255.255/0/0)

current_peer: 192.168.1.220, username: test   // peer IP and authenticated user name

dynamic allocated peer ip: 172.16.1.7   // IP assigned to the VPN client from the pool

#pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8       

#pkts decaps: 8, 

#pkts decrypt: 8, 

#pkts verify: 8       

#pkts compressed: 0, 

#pkts decompressed: 0 

#pkts comp failed: 0, 

#pkts decomp failed: 0       

#pre-frag successes: 0, 

#pre-frag failures: 0, 

#fragments created: 0 

#PMTUs sent: 0, 

#PMTUs rcvd: 0, 

#decapsulated frgs needing reassembly: 0       

#send errors: 0, #recv errors: 0  

local crypto endpt.: 192.168.1.2, remote crypto endpt.: 192.168.1.220  

path mtu 1500, ipsec overhead 58, media mtu 1500       

current outbound spi: 8AA05DF7       

current inbound spi : 32062484  

inbound esp sas: 

spi: 0x32062484 (839263364) 

transform: esp-3des esp-sha-hmac no compression           

in use settings ={RA, Tunnel, } 

slot: 0, conn_id: 1069056, crypto-map: dyn1   // dynamic crypto map

sa timing: remaining key lifetime (sec): 27400          

IV size: 8 bytes 

Anti replay bitmap:  

0x00000000 0x000001FF     

outbound esp sas: 

spi: 0x8AA05DF7 (2325765623) 

transform: esp-3des esp-sha-hmac no compression           

in use settings ={RA, Tunnel, } 

slot: 0, conn_id: 1069056, crypto-map: dyn1   // dynamic crypto map

sa timing: remaining key lifetime (sec): 27400          

IV size: 8 bytes 

replay detection support: Y          

Anti replay bitmap:  

0x00000000 0x00000001 

Checking the firewall routing table

ASA1(config)# show route   

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP        

D - EIGRP, EX - EIGRP external, 

O - OSPF, IA - OSPF inter area         

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2        

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP        

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area        

* - candidate default, U - per-user static route, o - ODR        

P - periodic downloaded static route  

Gateway of last resort is 192.168.1.9 to network 0.0.0.0  

S    172.16.1.7 255.255.255.255 [1/0] via 192.168.1.220, outside   // host route to the connected VPN client (injected by reverse-route)

C    192.168.1.0 255.255.255.0 is directly connected, outside 

C    192.168.2.0 255.255.255.0 is directly connected, inside 

S*   0.0.0.0 0.0.0.0 [1/0] via 192.168.1.9, outside

