×××配置实例_07：站点到站点IPSEC ×××之NAT-T

时间 2021-07-14

一，***_Site1 ASA防火墙配置：
***site1# show run
: Saved
:
ASA Version 8.0(2)
!
hostname ***site1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif Inside
security-level 100
ip address 1.1.1.10 255.255.255.0
!
interface Ethernet0/1
nameif Outside
security-level 0
ip address 200.200.200.10 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot config disk0:/.private/startup-config
ftp mode passive
access-list *** extended permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
pager lines 24
mtu Inside 1500
mtu Outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route Outside 0.0.0.0 0.0.0.0 200.200.200.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set trans esp-des esp-md5-hmac
crypto map To_site2 10 match address ***
crypto map To_site2 10 set peer 200.200.200.1
crypto map To_site2 10 set transform-set trans
crypto map To_site2 interface Outside    ##应用于接口
crypto isakmp enable Outside

crypto isakmp policy 10 ##第一阶段策略
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
tunnel-group 200.200.200.1 type ipsec-l2l
tunnel-group 200.200.200.1 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:8c0bea924e29019fe86a165e36681f9e
: end
***site1#

二，NAT ASA防火墙配置：

NAT(config)# show run
: Saved
:
ASA Version 8.0(2)
!
hostname NAT
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/1
nameif Outside
security-level 0
ip address 200.200.200.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot config disk0:/.private/startup-config
ftp mode passive
access-list permitipany extended permit ip any any
pager lines 24
mtu Outside 1500
mtu Inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (Outside) 1 interface ##局域网NAT地址转换配置
nat (Inside) 1 192.168.100.0 255.255.255.0

access-group permitipany in interface Outside #这条配置可以取消
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
prompt hostname context
Cryptochecksum:366b276abed33dbaa0556052715f1d8b
: end
NAT(config)#

三，***_Site2路由器配置：

***site2#show run
Building configuration...

Current configuration : 1488 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ***site2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
ip domain name lab.local
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
crypto isakmp policy 10 #第一阶段协商策略
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 200.200.200.10
!
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
!
crypto map To_site1 10 ipsec-isakmp
set peer 200.200.200.10
set transform-set trans
match address ***
!
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet2/0
ip address 192.168.100.1 255.255.255.0
duplex auto
speed auto
crypto map To_site1
!
no ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.100.10
!
!
!
ip access-list extended ***
permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
!

***site2#

四，链路测试：

***site2#ping 1.1.1.1 so 2.2.2.2 ##必须得先SITE2发起连接。

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/30/56 ms
***site2#

五，配置、状态查看：

1，***_site1:

***site1# show crypto isakm sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 200.200.200.1
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
***site1# show crypto ipsec sa
interface: Outside
    Crypto map tag: To_site2, seq num: 10, local addr: 200.200.200.10

      access-list *** permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
      current_peer: 200.200.200.1

      #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 9, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 200.200.200.10/4500, remote crypto endpt.: 200.200.200.1/1028
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: A2F8B2E5

    inbound esp sas:
      spi: 0xF173ACD3 (4050889939)
         transform: esp-des esp-md5-hmac none
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, } #通过TUNNEL模式，NAT-T封装
         slot: 0, conn_id: 16384, crypto-map: To_site2
         sa timing: remaining key lifetime (kB/sec): (4274999/3509)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xA2F8B2E5 (2734207717)
         transform: esp-des esp-md5-hmac none
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 16384, crypto-map: To_site2
         sa timing: remaining key lifetime (kB/sec): (4274999/3505)
         IV size: 8 bytes
         replay detection support: Y

***site1#

2，***_site2：

***site2#show crypto isakmp sa
dst src state conn-id slot status
200.200.200.10 192.168.100.1 QM_IDLE 1 0 ACTIVE

***site2#show crypto engine connections ac

  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt
   1 FastEthernet2/0      192.168.100.1   set    HMAC_MD5+3DES_56_C        0        0
2001 FastEthernet2/0      192.168.100.1   set    DES+MD5                   9        0
2002 FastEthernet2/0      192.168.100.1   set    DES+MD5                   0        9

***site2#show crypto ipsec sa

interface: FastEthernet2/0
Crypto map tag: To_site1, local addr 192.168.100.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
   current_peer 200.200.200.10 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 69, #pkts encrypt: 69, #pkts digest: 69
    #pkts decaps: 38, #pkts decrypt: 38, #pkts verify: 38
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 3, #recv errors 0

     local crypto endpt.: 192.168.100.1, remote crypto endpt.: 200.200.200.10
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet2/0
     current outbound spi: 0xF173ACD3(4050889939)

     inbound esp sas:
      spi: 0xA2F8B2E5(2734207717)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }     #路由器上显示通过TUNNEL模式，UDP封装。
        conn id: 2002, flow_id: SW:2, crypto map: To_site1
        sa timing: remaining key lifetime (k/sec): (4553817/3251)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

inbound ah sas:

inbound pcp sas:

     outbound esp sas:
      spi: 0xF173ACD3(4050889939)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2001, flow_id: SW:1, crypto map: To_site1
        sa timing: remaining key lifetime (k/sec): (4553817/3250)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

outbound ah sas:

outbound pcp sas:
***site2#

3，NAT:

NAT# show x #显示NAT转换内容
1 in use, 2 most used
PAT Global 200.200.200.1(1028) Local 192.168.100.1(4500)

NAT# show nat

NAT policies on Interface Inside:
  match ip Inside 192.168.100.0 255.255.255.0 Outside any
    dynamic translation to pool 1 (200.200.200.1 [Interface PAT])
    translate_hits = 7, untranslate_hits = 0
  match ip Inside 192.168.100.0 255.255.255.0 Inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
NAT#

转载于:https://blog.51cto.com/ccie18405/1216746