Cisco ASA IPSec VPN Split Tunneling Configuration
Configure split tunneling in the group policy for end users connecting through the Cisco VPN Client, and restrict which internal hosts those users are allowed to reach.
In this example the filtertest group can reach only the host 192.168.2.10, while the ipsectest group can reach the whole network 192.168.2.0/24.
Firewall: ASA5505, software version 8.2(5)
VPN client: Windows 7 64-bit, Cisco VPN Client vpnclient-winx64-msi-5.0.07.0440-k9
The steps below walk through the filtertest tunnel group; the ipsectest group is configured the same way.
1. Split-tunnel ACL configuration
ASA1(config)# show run access-list
access-list acl-outside extended permit icmp any any echo-reply
access-list no-nat extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list ***filter extended permit ip any host 192.168.2.10 //restricts the VPN client to this single host
access-list split-1 standard permit host 192.168.2.10 //network that the client routes into the split tunnel
2. IPSec transform set and dynamic crypto map configuration
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dyn1 10 set transform-set myset
crypto dynamic-map dyn1 10 set reverse-route
3. Static crypto map and binding it to the outside interface
crypto map mymap 10 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
4. ISAKMP (IKE phase 1) SA negotiation parameters
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
5. Group policy configuration
ASA1(config)# show run group-policy
group-policy filtertest internal
group-policy filtertest attributes
 vpn-filter value ***filter //apply the ACL that restricts which hosts the VPN client may reach
 vpn-tunnel-protocol IPSec //tunnel protocol for this group
 split-tunnel-policy tunnelspecified //enable split tunneling: the client reaches the Internet directly and only the listed networks through the tunnel (without it the client can reach only the VPN network)
 split-tunnel-network-list value split-1 //networks that are routed into the tunnel
6. Tunnel group configuration
ASA1(config)# show run tunnel-group
tunnel-group filtertest type remote-access //remote-access tunnel group for VPN clients
tunnel-group filtertest general-attributes
 address-pool client*** //IP address pool handed out to VPN clients
 default-group-policy filtertest //apply the group policy configured above
tunnel-group filtertest ipsec-attributes
 pre-shared-key ***** //pre-shared key for the tunnel group
7. VPN user account configuration
ASA1(config)# username test password test
Firewall ARP table
ASA1(config)# show arp
inside 192.168.2.12 94de.8044.22cd 7
inside 192.168.2.10 0030.675c.a4b3 512
Appendix: full firewall configuration
ASA1(config)# show run
: Saved
:
ASA Version 8.2(5)
!
hostname ASA1
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.2 255.255.255.0
!
!
ftp mode passive
clock timezone CTS 8
access-list acl-outside extended permit icmp any any echo-reply
access-list ***split standard permit 192.168.2.0 255.255.255.0
access-list testipsec extended permit ip any 192.168.2.0 255.255.255.0
access-list no-nat extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list split-1 standard permit host 192.168.2.10
access-list ***filter extended permit ip any host 192.168.2.10
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool client*** 172.16.1.1-172.16.1.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group acl-outside in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 10 set transform-set myset
crypto dynamic-map dyn1 10 set reverse-route
crypto map mymap 10 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 0
management-access inside
dhcpd dns 202.96.128.86 202.96.134.133
dhcpd lease 36000
!
dhcpd address 192.168.2.10-192.168.2.20 inside
dhcpd dns 202.96.128.86 202.96.128.166 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy ipsectest internal
group-policy ipsectest attributes
vpn-filter value testipsec
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ***split
group-policy filtertest internal
group-policy filtertest attributes
vpn-filter value ***filter
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-1
username test password P4ttSyrm33SV8TYp encrypted
username user password v5P40l1UGvtJa7Nn encrypted privilege 15
tunnel-group ipsectest type remote-access
tunnel-group ipsectest general-attributes
address-pool client***
default-group-policy ipsectest
tunnel-group ipsectest ipsec-attributes
pre-shared-key *****
tunnel-group filtertest type remote-access
tunnel-group filtertest general-attributes
address-pool client***
default-group-policy filtertest
tunnel-group filtertest ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:300f6df1d1f82232518eced3f653c5f1
: end
Phase 1 (ISAKMP SA) status on the firewall
ASA1(config)# show crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 192.168.1.220
Type : user Role : responder
Rekey : no State : AM_ACTIVE
Phase 2 (IPSec SA) status on the firewall
ASA1(config)# show crypto ipsec sa
interface: outside
Crypto map tag: dyn1, seq num: 10, local addr: 192.168.1.2
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.1.7/255.255.255.255/0/0)
current_peer: 192.168.1.220, username: test //peer IP and authenticated username
dynamic allocated peer ip: 172.16.1.7 //IP assigned to the VPN client from the pool
#pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
#pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
#pkts compressed: 0, #pkts decompressed: 0
#pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.1.2, remote crypto endpt.: 192.168.1.220
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 8AA05DF7
current inbound spi : 32062484
inbound esp sas:
spi: 0x32062484 (839263364)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 1069056, crypto-map: dyn1 //dynamic crypto map
sa timing: remaining key lifetime (sec): 27400
IV size: 8 bytes
Anti replay bitmap:
0x00000000 0x000001FF
outbound esp sas:
spi: 0x8AA05DF7 (2325765623)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 1069056, crypto-map: dyn1 //dynamic crypto map
sa timing: remaining key lifetime (sec): 27400
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Firewall routing table
ASA1(config)# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external,
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 192.168.1.9 to network 0.0.0.0
S 172.16.1.7 255.255.255.255 [1/0] via 192.168.1.220, outside //host route to the connected remote VPN client (reverse-route injection)
C 192.168.1.0 255.255.255.0 is directly connected, outside
C 192.168.2.0 255.255.255.0 is directly connected, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.1.9, outside