![图片[1]-8.11 IPSEC-NAT穿越-大赛人网](https://www.dsrw.com/wp-content/uploads/2023/09/图片66.png)
1.AR3光猫拨号
#AR2: PPPoE server side. Address pool handed out to PPP clients.
ip pool FS
network 105.1.1.0 mask 255.255.255.0
#Local PPPoE account used by the dialing client.
#NOTE(review): the same string "Admin@1234" is reused further down as the IKE pre-shared key on every firewall; dial-up and VPN credentials should not be shared.
aaa
local-user abc456 password cipher Admin@1234
local-user abc456 service-type ppp
#Virtual template: CHAP authentication, peer address taken from pool FS, server-side address 105.1.1.1.
interface Virtual-Template 2
ppp authentication-mode chap
remote address pool FS
ip address 105.1.1.1 255.255.255.0
#Bind the template to the physical interface facing the PPPoE client so it acts as a PPPoE server.
interface GigabitEthernet3/0/0
pppoe-server bind Virtual-Template 2
#AR3: PPPoE client.
#Dialer rule 1 marks IP traffic as "interesting", i.e. allowed to bring the link up.
dialer-rule
dialer-rule 1 ip permit
#Dialer interface: PPP with the CHAP credentials that match the AR2 account; its address is negotiated from AR2's pool FS.
interface Dialer 1
link-protocol ppp
ppp chap user abc456
ppp chap password cipher Admin@1234
ip address ppp-negotiate
dialer user abc456
dialer bundle 1
dialer-group 1
#Bind the physical uplink to dialer bundle 1.
interface GigabitEthernet0/0/1
pppoe-client dial-bundle-number 1
#Verify: Dialer1 negotiated 105.1.1.254/32 from pool FS. After the NAT below, this is the address FW1 will see as the source of traffic from the host matched by ACL 2000.
dis ip interface brief
Dialer1 105.1.1.254/32 up up(s)
#Default route out of the dialer interface.
ip route-static 0.0.0.0 0.0.0.0 Dialer 1
#Outbound NAT on the dialer interface.
#ACL 2000 matches the single host 192.168.1.1 (wildcard 0). Presumably this is FW5's untrust address (FW5's default gateway is 192.168.1.254 in section 2) — confirm. Because that host is translated here, it is the peer that needs IKE NAT traversal in section 4.
acl number 2000
rule 10 permit source 192.168.1.1 0
#Sources matched by ACL 2000 are translated to Dialer1's own address on egress.
interface Dialer1
nat outbound 2000
2.基础网络设置
#FW5: basic connectivity.
#Zones: GigabitEthernet1/0/0 faces the Internet (untrust), GigabitEthernet1/0/1 faces the LAN (trust).
firewall zone untrust
add interface GigabitEthernet1/0/0
firewall zone trust
add interface GigabitEthernet1/0/1
#Routes: default via 192.168.1.254 (presumably AR3's LAN side, which NATs FW5 toward the Internet); 172.20.1.0/24 via R8 at 172.20.58.8.
ip route-static 0.0.0.0 0.0.0.0 192.168.1.254
ip route-static 172.20.1.0 24 172.20.58.8
#Security policy: allow the branch LAN 172.20.0.0/16 out to untrust.
#No destination or service is given, so this is "any/any" outbound — narrow it if the branch only needs specific Internet services.
security-policy
rule name access_2_internet
source-zone trust
destination-zone untrust
source-address 172.20.0.0 mask 255.255.0.0
action permit
#NAT policy: easy-IP (source NAT to the egress interface address) for the same traffic.
#The tunnel traffic gets a no-nat exception in section 3, which must be ordered before this rule.
nat-policy
rule name access_2_internet
source-zone trust
destination-zone untrust
source-address 172.20.0.0 mask 255.255.0.0
action source-nat easy-ip
#R8: default route toward FW5 (172.20.58.5).
ip route-static 0.0.0.0 0.0.0.0 172.20.58.5
3.隧道基础设置
1)FW1配置(固定IP)
#FW1 (fixed public address 12.1.1.12): security policies for the IKE negotiation itself.
#local -> untrust: FW1 may talk from its own address to any peer. No destination is given because the branch addresses are dynamic.
security-policy
rule name ike_l_2_u
source-zone local
destination-zone untrust
source-address 12.1.1.12 32
action permit
#untrust -> local: anything from anywhere to 12.1.1.12 is permitted.
#NOTE(review): no service restriction, so this also exposes every other service listening on the public address. Limit it to IKE (UDP 500), NAT-T (UDP 4500) and ESP.
rule name ike_u_2_l
source-zone untrust
destination-zone local
destination-address 12.1.1.12 32
action permit
#Security policies for the plaintext traffic the tunnels will protect: HQ 172.16.0.0/16 <-> the four branch /16s.
#Both rules permit any service between the sites; narrow per application if the branches only need specific HQ services.
security-policy
rule name ipsec_t_2_un
source-zone trust
destination-zone untrust
source-address 172.16.0.0 16
destination-address 172.17.0.0 16
destination-address 172.18.0.0 16
destination-address 172.19.0.0 16
destination-address 172.20.0.0 16
action permit
rule name ipsec_un_2_t
source-zone untrust
destination-zone trust
source-address 172.17.0.0 16
source-address 172.18.0.0 16
source-address 172.19.0.0 16
source-address 172.20.0.0 16
destination-address 172.16.0.0 16
action permit
#General Internet access for the HQ LAN.
security-policy
rule name t_2_internet
source-zone trust
destination-zone untrust
source-address 172.16.0.0 mask 255.255.0.0
action permit
#NAT policy: traffic bound for the branch subnets must NOT be translated, otherwise the IPsec ACL 3001 no longer matches it; everything else gets easy-IP.
nat-policy
rule name ipsec_flow_no_nat
source-zone trust
destination-zone untrust
source-address 172.16.0.0 mask 255.255.0.0
destination-address 172.17.0.0 mask 255.255.0.0
destination-address 172.18.0.0 mask 255.255.0.0
destination-address 172.19.0.0 mask 255.255.0.0
destination-address 172.20.0.0 mask 255.255.0.0
action no-nat
rule name access_2_internet
source-zone trust
destination-zone untrust
source-address 172.16.0.0 mask 255.255.0.0
action source-nat easy-ip
#Rules are matched top-down, so the no-nat rule must precede the easy-IP rule.
rule move ipsec_flow_no_nat before access_2_internet
#Interesting traffic (what the tunnels protect). The four rules mirror the destinations listed in the policies above.
acl number 3001
rule 10 permit ip source 172.16.0.0 0.0.255.255 destination 172.17.0.0 0.0.255.255
rule 20 permit ip source 172.16.0.0 0.0.255.255 destination 172.18.0.0 0.0.255.255
rule 30 permit ip source 172.16.0.0 0.0.255.255 destination 172.19.0.0 0.0.255.255
rule 40 permit ip source 172.16.0.0 0.0.255.255 destination 172.20.0.0 0.0.255.255
#IKE proposal: AES-256, DH group 14 (2048-bit MODP), SHA2-256, pre-shared-key authentication.
#The integrity-algorithm and prf lines apply to IKEv2, which the peer below disables; they appear inert here — confirm against the platform documentation.
ike proposal 5
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#IKE peer shared by all branches. No remote-address: FW1 only answers, since the branch addresses are not known in advance.
ike peer branch
#Disable IKEv2 -> IKEv1 only.
undo version 2
exchange-mode main
#NOTE(review): with IKEv1 main mode and pre-shared keys the responder has to select the key before it learns the peer's identity, so every dynamic-address branch ends up sharing this one key and a compromise of any branch exposes the hub for all of them. IKEv2 (disabled above) or certificate authentication would allow per-branch credentials. The value is also the PPPoE password from section 1.
pre-shared-key Admin@1234
ike-proposal 5
#IPsec proposal: AH + ESP. AH's integrity check covers the outer IP header, so this combination fails once a NAT rewrites addresses; section 4 replaces it with ESP-only.
ipsec proposal pps01
transform ah-esp
ah authentication-algorithm sha2-256
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#Policy template: responder-side policy for peers whose address is not fixed. FW1 cannot initiate tunnels from a template-based policy (confirm for this platform).
ipsec policy-template branch_tem 10
security acl 3001
ike-peer branch
proposal pps01
#Instantiate an IPsec policy from the template.
ipsec policy pl02 5 isakmp template branch_tem
#Apply the policy on the public-facing interface.
interface GigabitEthernet1/0/0
ipsec policy pl02
2)FW5配置
#FW5: security policies for the IKE negotiation with FW1 (12.1.1.12).
#local -> untrust: FW5 initiates toward the hub's fixed address.
security-policy
rule name ike_l_2_u
source-zone local
destination-zone untrust
destination-address 12.1.1.12 32
action permit
#untrust -> local: any service from 12.1.1.12 to FW5 itself. Single known peer, but still limit it to IKE (UDP 500), NAT-T (UDP 4500) and ESP.
rule name ike_u_2_l
source-zone untrust
destination-zone local
source-address 12.1.1.12 32
action permit
#Security policies for the plaintext traffic the tunnel protects: branch 172.20.0.0/16 <-> HQ 172.16.0.0/16, any service.
security-policy
rule name ipsec_t_2_un
source-zone trust
destination-zone untrust
source-address 172.20.0.0 16
destination-address 172.16.0.0 16
action permit
rule name ipsec_un_2_t
source-zone untrust
destination-zone trust
source-address 172.16.0.0 16
destination-address 172.20.0.0 16
action permit
#General Internet access for the branch LAN (same rule as in section 2).
security-policy
rule name access_2_internet
source-zone trust
destination-zone untrust
source-address 172.20.0.0 mask 255.255.0.0
action permit
#NAT policy: traffic to HQ must not be translated so that ACL 3001 still matches it; everything else gets easy-IP.
nat-policy
rule name ipsec_flow_no_nat
source-zone trust
destination-zone untrust
source-address 172.20.0.0 mask 255.255.0.0
destination-address 172.16.0.0 mask 255.255.0.0
action no-nat
rule name access_2_internet
source-zone trust
destination-zone untrust
source-address 172.20.0.0 mask 255.255.0.0
action source-nat easy-ip
#Rules are matched top-down, so the no-nat rule must precede the easy-IP rule.
rule move ipsec_flow_no_nat before access_2_internet
#Interesting traffic for the tunnel.
acl number 3001
rule 10 permit ip source 172.20.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255
#IKE proposal; must match FW1's proposal 5. integrity-algorithm/prf apply to IKEv2, which is disabled below — confirm against the platform documentation.
ike proposal 5
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#IKE peer for the hub. remote-address makes FW5 the initiator.
ike peer fw1
#Disable IKEv2 -> IKEv1 only.
undo version 2
exchange-mode main
#NOTE(review): same pre-shared key as every other branch and as the PPPoE account in section 1 (see the note on FW1's peer).
pre-shared-key Admin@1234
ike-proposal 5
remote-address 12.1.1.12
#IPsec proposal: AH + ESP, matching FW1. FW5 sits behind AR3's NAT, so this AH-based proposal cannot work and is replaced with ESP-only in section 4.
ipsec proposal pps01
transform ah-esp
ah authentication-algorithm sha2-256
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#Static ISAKMP policy (peer address known), bound to the ACL, peer and proposal.
ipsec policy pl01 10 isakmp
security acl 3001
ike-peer fw1
proposal pps01
#Apply the policy on the public-facing interface.
interface GigabitEthernet 1/0/0
ipsec policy pl01
![图片[2]-8.11 IPSEC-NAT穿越-大赛人网](https://www.dsrw.com/wp-content/uploads/2023/09/图片67-1024x264.png)
#在IPSEC NAT穿越下,只能走ESP封装,不能使用AH。
4.NAT穿越要点与配置
1)FW1\FW5修改ipsec proposal模式
#FW1 and FW5: switch the proposal to ESP-only so the packets survive address translation (AH authenticates the outer IP header and fails after NAT).
#Note the ESP integrity algorithm also changes from sha2-256 to sha2-512; every peer using pps01 must carry the same change.
ipsec proposal pps01
transform esp
esp authentication-algorithm sha2-512
esp encryption-algorithm aes-256
2)FW5配置NAT穿越
#FW5 is the peer behind AR3's NAT (ACL 2000 in section 1), so enable NAT traversal on its IKE peer.
#NAT-T is negotiated by both sides; FW1's side is not shown here — confirm it is enabled (or on by default) under "ike peer branch" on FW1.
ike peer fw1
nat traversal
#Clear the existing SAs so the new proposal and NAT-T are renegotiated, then re-test connectivity and capture again.
reset ike sa
reset ipsec sa
![图片[3]-8.11 IPSEC-NAT穿越-大赛人网](https://www.dsrw.com/wp-content/uploads/2023/09/图片68-1024x418.png)
![图片[4]-8.11 IPSEC-NAT穿越-大赛人网](https://www.dsrw.com/wp-content/uploads/2023/09/图片69-1024x290.png)
![图片[5]-8.11 IPSEC-NAT穿越-大赛人网](https://www.dsrw.com/wp-content/uploads/2023/09/图片70-1024x400.png)
#FW2, FW3 and FW4: apply the same ESP-only proposal as FW1/FW5 (AH does not survive NAT, and all peers must agree on sha2-512 for ESP).
ipsec proposal pps01
transform esp
esp authentication-algorithm sha2-512
esp encryption-algorithm aes-256
2)FW2(不固定IP)
#FW2 (non-fixed public address): security policies for the IKE negotiation with FW1 (12.1.1.12).
security-policy
rule name ike_l_2_u
source-zone local
destination-zone untrust
destination-address 12.1.1.12 32
action permit
#untrust -> local: any service from 12.1.1.12 to FW2 itself; limit it to IKE (UDP 500), NAT-T (UDP 4500) and ESP.
rule name ike_u_2_l
source-zone untrust
destination-zone local
source-address 12.1.1.12 32
action permit
#Security policies for the plaintext traffic the tunnel protects: branch 172.17.0.0/16 <-> HQ 172.16.0.0/16, any service.
security-policy
rule name ipsec_t_2_un
source-zone trust
destination-zone untrust
source-address 172.17.0.0 16
destination-address 172.16.0.0 16
action permit
rule name ipsec_un_2_t
source-zone untrust
destination-zone trust
source-address 172.16.0.0 16
destination-address 172.17.0.0 16
action permit
#General Internet access for the branch LAN.
security-policy
rule name t_2_internet
source-zone trust
destination-zone untrust
source-address 172.17.0.0 mask 255.255.0.0
action permit
#NAT policy: traffic to HQ must not be translated so that ACL 3001 still matches it; everything else gets easy-IP.
nat-policy
rule name ipsec_flow_no_nat
source-zone trust
destination-zone untrust
source-address 172.17.0.0 mask 255.255.0.0
destination-address 172.16.0.0 mask 255.255.0.0
action no-nat
rule name access_2_internet
source-zone trust
destination-zone untrust
source-address 172.17.0.0 mask 255.255.0.0
action source-nat easy-ip
#Rules are matched top-down, so the no-nat rule must precede the easy-IP rule.
rule move ipsec_flow_no_nat before access_2_internet
#Interesting traffic for the tunnel.
acl number 3001
rule 10 permit ip source 172.17.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255
#IKE proposal; must match FW1's proposal 5. integrity-algorithm/prf apply to IKEv2, which is disabled below — confirm against the platform documentation.
ike proposal 5
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#IKE peer for the hub. remote-address makes FW2 the initiator. No "nat traversal" here — consistent only if FW2 is not behind a NAT; confirm.
ike peer fw1
#Disable IKEv2 -> IKEv1 only.
undo version 2
exchange-mode main
#NOTE(review): same pre-shared key as every other branch (see the note on FW1's peer).
pre-shared-key Admin@1234
ike-proposal 5
remote-address 12.1.1.12
#IPsec proposal: ESP-only (sha2-512 / AES-256), matching the section-4 change on FW1.
ipsec proposal pps01
transform esp
esp authentication-algorithm sha2-512
esp encryption-algorithm aes-256
#Static ISAKMP policy (peer address known), bound to the ACL, peer and proposal.
ipsec policy pl01 10 isakmp
security acl 3001
ike-peer fw1
proposal pps01
#Apply the policy on the public-facing interface.
interface GigabitEthernet1/0/0
ipsec policy pl01
3)FW3(不固定IP)
#FW3 (non-fixed public address): security policies for the IKE negotiation with FW1 (12.1.1.12).
security-policy
rule name ike_l_2_u
source-zone local
destination-zone untrust
destination-address 12.1.1.12 32
action permit
#untrust -> local: any service from 12.1.1.12 to FW3 itself; limit it to IKE (UDP 500), NAT-T (UDP 4500) and ESP.
rule name ike_u_2_l
source-zone untrust
destination-zone local
source-address 12.1.1.12 32
action permit
#Security policies for the plaintext traffic the tunnel protects: branch 172.18.0.0/16 <-> HQ 172.16.0.0/16, any service.
security-policy
rule name ipsec_t_2_un
source-zone trust
destination-zone untrust
source-address 172.18.0.0 16
destination-address 172.16.0.0 16
action permit
rule name ipsec_un_2_t
source-zone untrust
destination-zone trust
source-address 172.16.0.0 16
destination-address 172.18.0.0 16
action permit
#General Internet access for the branch LAN.
security-policy
rule name t_2_internet
source-zone trust
destination-zone untrust
source-address 172.18.0.0 mask 255.255.0.0
action permit
#NAT policy: traffic to HQ must not be translated so that ACL 3001 still matches it; everything else gets easy-IP.
nat-policy
rule name ipsec_flow_no_nat
source-zone trust
destination-zone untrust
source-address 172.18.0.0 mask 255.255.0.0
destination-address 172.16.0.0 mask 255.255.0.0
action no-nat
rule name access_2_internet
source-zone trust
destination-zone untrust
source-address 172.18.0.0 mask 255.255.0.0
action source-nat easy-ip
#Rules are matched top-down, so the no-nat rule must precede the easy-IP rule.
rule move ipsec_flow_no_nat before access_2_internet
#Interesting traffic for the tunnel.
acl number 3001
rule 10 permit ip source 172.18.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255
#IKE proposal; must match FW1's proposal 5. integrity-algorithm/prf apply to IKEv2, which is disabled below — confirm against the platform documentation.
ike proposal 5
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#IKE peer for the hub. remote-address makes FW3 the initiator. No "nat traversal" here — consistent only if FW3 is not behind a NAT; confirm.
ike peer fw1
#Disable IKEv2 -> IKEv1 only.
undo version 2
exchange-mode main
#NOTE(review): same pre-shared key as every other branch (see the note on FW1's peer).
pre-shared-key Admin@1234
ike-proposal 5
remote-address 12.1.1.12
#IPsec proposal: ESP-only (sha2-512 / AES-256), matching the section-4 change on FW1.
ipsec proposal pps01
transform esp
esp authentication-algorithm sha2-512
esp encryption-algorithm aes-256
#Static ISAKMP policy (peer address known), bound to the ACL, peer and proposal.
ipsec policy pl01 10 isakmp
security acl 3001
ike-peer fw1
proposal pps01
#Apply the policy on the public-facing interface.
interface GigabitEthernet1/0/0
ipsec policy pl01
4)FW4配置(拨号)
#FW4 (dial-up branch): security policies for the IKE negotiation with FW1 (12.1.1.12).
security-policy
rule name ike_l_2_u
source-zone local
destination-zone untrust
destination-address 12.1.1.12 32
action permit
#untrust -> local: any service from 12.1.1.12 to FW4 itself; limit it to IKE (UDP 500), NAT-T (UDP 4500) and ESP.
rule name ike_u_2_l
source-zone untrust
destination-zone local
source-address 12.1.1.12 32
action permit
#Security policies for the plaintext traffic the tunnel protects: branch 172.19.0.0/16 <-> HQ 172.16.0.0/16, any service.
security-policy
rule name ipsec_t_2_un
source-zone trust
destination-zone untrust
source-address 172.19.0.0 16
destination-address 172.16.0.0 16
action permit
rule name ipsec_un_2_t
source-zone untrust
destination-zone trust
source-address 172.16.0.0 16
destination-address 172.19.0.0 16
action permit
#General Internet access for the branch LAN.
security-policy
rule name t_2_internet
source-zone trust
destination-zone untrust
source-address 172.19.0.0 mask 255.255.0.0
action permit
#NAT policy: traffic to HQ must not be translated so that ACL 3001 still matches it; everything else gets easy-IP.
nat-policy
rule name ipsec_flow_no_nat
source-zone trust
destination-zone untrust
source-address 172.19.0.0 mask 255.255.0.0
destination-address 172.16.0.0 mask 255.255.0.0
action no-nat
rule name access_2_internet
source-zone trust
destination-zone untrust
source-address 172.19.0.0 mask 255.255.0.0
action source-nat easy-ip
#Rules are matched top-down, so the no-nat rule must precede the easy-IP rule.
rule move ipsec_flow_no_nat before access_2_internet
#Interesting traffic for the tunnel.
acl number 3001
rule 10 permit ip source 172.19.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255
#IKE proposal; must match FW1's proposal 5. integrity-algorithm/prf apply to IKEv2, which is disabled below — confirm against the platform documentation.
ike proposal 5
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#IKE peer for the hub. remote-address makes FW4 the initiator. No "nat traversal" here — consistent only if the dialer address FW4 negotiates is a public, untranslated one; confirm.
ike peer fw1
#Disable IKEv2 -> IKEv1 only.
undo version 2
exchange-mode main
#NOTE(review): same pre-shared key as every other branch and as the PPPoE account in section 1 (see the note on FW1's peer).
pre-shared-key Admin@1234
ike-proposal 5
remote-address 12.1.1.12
#IPsec proposal: ESP-only (sha2-512 / AES-256), matching the section-4 change on FW1.
ipsec proposal pps01
transform esp
esp authentication-algorithm sha2-512
esp encryption-algorithm aes-256
#Static ISAKMP policy (peer address known), bound to the ACL, peer and proposal.
ipsec policy pl01 10 isakmp
security acl 3001
ike-peer fw1
proposal pps01
#Apply the policy on the dialer interface. FW4's own Dialer1 / PPPoE client configuration is not shown on this page.
interface Dialer1
ipsec policy pl01
#Default route out of the dialer interface.
ip route-static 0.0.0.0 0.0.0.0 Dialer 1