8.11 IPSEC-NAT穿越


1.AR3光猫拨号

#AR2: address pool handed out to PPPoE clients (AR3's Dialer1 receives 105.1.1.254 from it, see the display output below)
ip pool FS
 network 105.1.1.0 mask 255.255.255.0 

#AR2: PPP dial-in user (lab credential; it must match the CHAP user/password configured on AR3 below)
aaa
local-user abc456 password cipher Admin@1234
local-user abc456 service-type ppp

#AR2: virtual template - CHAP authentication, peer address assigned from pool FS
interface Virtual-Template 2
 ppp authentication-mode chap 
 remote address pool FS
 ip address 105.1.1.1 255.255.255.0 

#AR2: bind the template to the physical interface facing AR3 (PPPoE server side)
interface GigabitEthernet3/0/0
 pppoe-server bind Virtual-Template 2

#AR3: dialer configuration
#dialer-rule 1 classifies any IP packet as interesting traffic for dialer-group 1
dialer-rule
 dialer-rule 1 ip permit

#AR3: dialer interface - CHAP client credentials, IP address negotiated over PPP
interface Dialer 1
 link-protocol ppp
 ppp chap user abc456
 ppp chap password cipher Admin@1234
 ip address ppp-negotiate
 dialer user abc456
 dialer bundle 1
 dialer-group 1

#AR3: bind dialer bundle 1 to the physical interface (PPPoE client side)
interface GigabitEthernet0/0/1
 pppoe-client dial-bundle-number 1 

#verification (display output, not configuration): Dialer1 is up with 105.1.1.254/32
dis ip interface brief
Dialer1                           105.1.1.254/32       up         up(s)  

#AR3: default route out of the dialer interface
ip route-static 0.0.0.0 0.0.0.0 Dialer 1

#AR3: source NAT on the dialer interface
#ACL 2000 matches only the single host 192.168.1.1 (wildcard 0) - nothing else gets translated
acl number 2000  
 rule 10 permit source 192.168.1.1 0 

#AR3: apply the ACL as outbound NAT on Dialer1 (no address group given, so the interface address is used)
interface Dialer1
 nat outbound 2000

2.基础网络设置

#FW5
#FW5: zone membership - GE1/0/0 faces AR3/Internet (untrust), GE1/0/1 faces the branch LAN (trust)
firewall zone untrust
  add interface GigabitEthernet1/0/0
firewall zone trust
 add interface GigabitEthernet1/0/1

#FW5: default route towards AR3 (192.168.1.254); 172.20.1.0/24 is reached via R8 (172.20.58.8)
#NOTE(review): FW5's own untrust address is not shown; AR3's ACL 2000 translates only 192.168.1.1,
#so FW5 is presumably 192.168.1.1 and sits behind AR3's NAT - this is what makes NAT traversal necessary
ip route-static 0.0.0.0 0.0.0.0 192.168.1.254
ip route-static 172.20.1.0 24 172.20.58.8

#FW5: security policy for Internet access - trust -> untrust from 172.20.0.0/16, any service
security-policy
 rule name access_2_internet
  source-zone trust
  destination-zone untrust
  source-address 172.20.0.0 mask 255.255.0.0
  action permit

#FW5: NAT policy for Internet access - easy-ip translates to the outbound interface address
#(the no-nat exception for the IPsec traffic is added in section 3)
nat-policy
 rule name access_2_internet
  source-zone trust
  destination-zone untrust
  source-address 172.20.0.0 mask 255.255.0.0
  action source-nat easy-ip

#R8: default route towards FW5 (172.20.58.5)
ip route-static 0.0.0.0 0.0.0.0 172.20.58.5

3.隧道基础设置

1)FW1配置(固定IP)
#FW1: security policy for IKE negotiation between the local zone and untrust
#NOTE(review): both rules permit every service to/from 12.1.1.12; IKE needs only UDP 500 and,
#with NAT traversal, UDP 4500 - consider restricting the service field of these rules
security-policy
 rule name ike_l_2_u
  source-zone local
  destination-zone untrust
  source-address 12.1.1.12 32
  action permit

rule name ike_u_2_l
  source-zone untrust
  destination-zone local
  destination-address 12.1.1.12 32
  action permit

#FW1: security policy for the IPsec-protected traffic - HQ LAN 172.16.0.0/16 to/from the four
#branch LANs 172.17.0.0/16 .. 172.20.0.0/16, any service
security-policy
rule name ipsec_t_2_un
  source-zone trust
  destination-zone untrust
  source-address 172.16.0.0 16
  destination-address 172.17.0.0 16
  destination-address 172.18.0.0 16
destination-address 172.19.0.0 16
destination-address 172.20.0.0 16
  action permit

 rule name ipsec_un_2_t
  source-zone untrust
  destination-zone trust
  source-address 172.17.0.0 16
 source-address 172.18.0.0 16
 source-address 172.19.0.0 16
source-address 172.20.0.0 16
  destination-address 172.16.0.0 16
  action permit 

#FW1: security policy for Internet access from the HQ LAN
security-policy
 rule name t_2_internet                   
  source-zone trust                       
  destination-zone untrust                
  source-address 172.16.0.0 mask 255.255.0.0
  action permit  

#FW1: NAT policy - traffic to the branch LANs is exempted from translation (no-nat); if it were
#translated by easy-ip it would no longer match ACL 3001 and would leave the firewall unencrypted
 nat-policy
  rule name ipsec_flow_no_nat
  source-zone trust
  destination-zone untrust
  source-address 172.16.0.0 mask 255.255.0.0
  destination-address 172.17.0.0 mask 255.255.0.0
  destination-address 172.18.0.0 mask 255.255.0.0
  destination-address 172.19.0.0 mask 255.255.0.0
destination-address 172.20.0.0 mask 255.255.0.0
  action no-nat

 rule name access_2_internet
  source-zone trust
  destination-zone untrust
  source-address 172.16.0.0 mask 255.255.0.0
  action source-nat easy-ip

#FW1: rule order matters - the no-nat rule must be evaluated before the easy-ip rule
#(entered in the nat-policy view)
rule move ipsec_flow_no_nat before access_2_internet

#FW1: interesting traffic for IPsec (ACL 3001) - one rule per branch LAN, wildcard 0.0.255.255 = /16
#each branch's ACL (sections below) is the mirror image of the matching rule here
acl number 3001
 rule 10 permit ip source 172.16.0.0 0.0.255.255 destination 172.17.0.0 0.0.255.255
 rule 20 permit ip source 172.16.0.0 0.0.255.255 destination 172.18.0.0 0.0.255.255
 rule 30 permit ip source 172.16.0.0 0.0.255.255 destination 172.19.0.0 0.0.255.255
 rule 40 permit ip source 172.16.0.0 0.0.255.255 destination 172.20.0.0 0.0.255.255

#FW1: IKE proposal - AES-256 encryption, DH group 14, SHA2-256, pre-shared-key authentication
#(integrity-algorithm/prf are presumably IKEv2 parameters; IKEv2 is disabled on the peer below)
ike proposal 5
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256

#FW1: IKE peer for all branches - no remote-address because the branch addresses are not fixed
#(FW1 only responds, via the policy template below); every branch uses the same pre-shared key
#NOTE(review): a single PSK shared by all branches means a compromised branch can impersonate any
#other branch towards FW1 - per-peer keys or certificate authentication would limit that
ike peer branch
#IKEv1 only (IKEv2 disabled), main mode
undo version 2
exchange-mode main 
pre-shared-key Admin@1234
ike-proposal 5

#FW1: IPsec proposal - AH+ESP; AH integrity covers the outer IP header, which NAT rewrites,
#so this transform is replaced by ESP-only in section 4
ipsec proposal pps01
 transform ah-esp
 ah authentication-algorithm sha2-256
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256

#FW1: policy template - used because the peers' addresses are unknown in advance
ipsec policy-template branch_tem 10
 security acl 3001
 ike-peer branch
 proposal pps01

#FW1: instantiate ISAKMP policy pl02 (sequence 5) from the template
ipsec policy pl02 5 isakmp template branch_tem

#FW1: apply the policy on the Internet-facing interface
interface GigabitEthernet1/0/0
 ipsec policy pl02

2)FW5配置
#FW5: security policy for IKE negotiation with FW1 (12.1.1.12), local zone <-> untrust
#NOTE(review): any service is permitted; IKE/NAT-T need only UDP 500 and UDP 4500
security-policy
 rule name ike_l_2_u
  source-zone local
  destination-zone untrust
  destination-address 12.1.1.12 32
  action permit

rule name ike_u_2_l
  source-zone untrust
  destination-zone local
  source-address 12.1.1.12 32
  action permit

#FW5: security policy for the IPsec-protected traffic - branch LAN 172.20.0.0/16 <-> HQ LAN 172.16.0.0/16
security-policy
rule name ipsec_t_2_un
  source-zone trust
  destination-zone untrust
  source-address 172.20.0.0 16
  destination-address 172.16.0.0 16
  action permit

 rule name ipsec_un_2_t
  source-zone untrust
  destination-zone trust
  source-address 172.16.0.0 16
  destination-address 172.20.0.0 16
  action permit 

#FW5: security policy for Internet access (same name as the rule created in section 2)
security-policy
rule name access_2_internet
  source-zone trust
  destination-zone untrust
  source-address 172.20.0.0 mask 255.255.0.0
  action permit

#FW5: NAT policy - exempt the traffic towards the HQ LAN from translation (no-nat),
#everything else from 172.20.0.0/16 is translated by easy-ip
 nat-policy
 rule name ipsec_flow_no_nat
  source-zone trust
  destination-zone untrust
  source-address 172.20.0.0 mask 255.255.0.0
  destination-address 172.16.0.0 mask 255.255.0.0
  action no-nat



 rule name access_2_internet
  source-zone trust
  destination-zone untrust
  source-address 172.20.0.0 mask 255.255.0.0
  action source-nat easy-ip

#FW5: the no-nat rule must be evaluated before the easy-ip rule (nat-policy view)
rule move ipsec_flow_no_nat before access_2_internet

#FW5: interesting traffic - mirror of FW1's ACL 3001 rule 40
acl number 3001
 rule 10 permit ip source 172.20.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255

#FW5: IKE proposal - identical to FW1's proposal 5 (must match for phase 1 to succeed)
ike proposal 5
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256

#FW5: IKE peer pointing at FW1's fixed address; same pre-shared key as configured on FW1
ike peer fw1
#IKEv1 only (IKEv2 disabled), main mode
undo version 2
exchange-mode main 
pre-shared-key Admin@1234
ike-proposal 5
remote-address 12.1.1.12

#FW5: IPsec proposal - AH+ESP here; changed to ESP-only in section 4 because AH cannot pass NAT
ipsec proposal pps01
 transform ah-esp
 ah authentication-algorithm sha2-256
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256

#FW5: ISAKMP policy (initiator side - the branch has a remote-address, so no template is needed)
ipsec policy pl01 10 isakmp
 security acl 3001
 ike-peer fw1
 proposal pps01

#FW5: apply the policy on the untrust interface
interface GigabitEthernet 1/0/0
ipsec policy pl01

#在IPSec NAT穿越场景下，只能使用ESP封装，不能使用AH：AH的完整性校验覆盖外层IP头，NAT改写地址后校验必然失败。

4.NAT穿越要点与配置

1)FW1\FW5修改ipsec proposal模式
#FW1 and FW5: switch the proposal to ESP-only (AH dropped so the packets survive NAT);
#the ESP authentication algorithm changes from sha2-256 to sha2-512 - both ends must match
ipsec proposal pps01
transform esp
esp authentication-algorithm sha2-512
esp encryption-algorithm aes-256

2)FW5配置NAT穿越
#FW5: enable NAT traversal on the IKE peer towards FW1 (NAT detection during IKE, ESP carried over UDP 4500)
#NOTE(review): the page enables this only on FW5; FW1's peer "branch" from section 3 is not changed
#here - confirm whether this platform enables NAT traversal by default
ike peer fw1
nat traversal 
#clear the existing IKE/IPsec SAs so the new negotiation can be captured, then re-test connectivity
reset ike sa
reset ipsec sa
#FW2, FW3 and FW4: same ESP-only proposal as on FW1/FW5 (AH cannot pass NAT; sha2-512 must match FW1)
ipsec proposal pps01
transform esp
esp authentication-algorithm sha2-512
esp encryption-algorithm aes-256
2)FW2(不固定IP)
#FW2: security policy for IKE negotiation with FW1 (12.1.1.12), local zone <-> untrust
#NOTE(review): any service is permitted; IKE/NAT-T need only UDP 500 and UDP 4500
security-policy
 rule name ike_l_2_u
  source-zone local
  destination-zone untrust
  destination-address 12.1.1.12 32
  action permit

rule name ike_u_2_l
  source-zone untrust
  destination-zone local
  source-address 12.1.1.12 32
  action permit

#FW2: security policy for the IPsec-protected traffic - branch LAN 172.17.0.0/16 <-> HQ LAN 172.16.0.0/16
security-policy
rule name ipsec_t_2_un
  source-zone trust
  destination-zone untrust
  source-address 172.17.0.0 16
  destination-address 172.16.0.0 16
  action permit

 rule name ipsec_un_2_t
  source-zone untrust
  destination-zone trust
  source-address 172.16.0.0 16
  destination-address 172.17.0.0 16
  action permit 

#FW2: security policy for Internet access from the branch LAN
security-policy
 rule name t_2_internet                   
  source-zone trust                       
  destination-zone untrust                
  source-address 172.17.0.0 mask 255.255.0.0
  action permit  

#FW2: NAT policy - exempt traffic towards the HQ LAN (no-nat), translate the rest with easy-ip
 nat-policy
 rule name ipsec_flow_no_nat
  source-zone trust
  destination-zone untrust
  source-address 172.17.0.0 mask 255.255.0.0
  destination-address 172.16.0.0 mask 255.255.0.0
  action no-nat

 rule name access_2_internet
  source-zone trust
  destination-zone untrust
  source-address 172.17.0.0 mask 255.255.0.0
  action source-nat easy-ip

#FW2: the no-nat rule must be evaluated before the easy-ip rule (nat-policy view)
rule move ipsec_flow_no_nat before access_2_internet

#FW2: interesting traffic - mirror of FW1's ACL 3001 rule 10
acl number 3001
 rule 10 permit ip source 172.17.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255

#FW2: IKE proposal - identical to FW1's proposal 5
ike proposal 5
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256

#FW2: IKE peer pointing at FW1's fixed address; same pre-shared key as FW1 (FW2's own address is not fixed)
ike peer fw1
#IKEv1 only (IKEv2 disabled), main mode
undo version 2
exchange-mode main 
pre-shared-key Admin@1234
ike-proposal 5
remote-address 12.1.1.12

#FW2: IPsec proposal - ESP-only (NAT-compatible), sha2-512 / AES-256 as on FW1
ipsec proposal pps01
transform esp
esp authentication-algorithm sha2-512
esp encryption-algorithm aes-256

#FW2: ISAKMP policy (initiator side)
ipsec policy pl01 10 isakmp
 security acl 3001
 ike-peer fw1
 proposal pps01

#FW2: apply the policy on the untrust interface
interface GigabitEthernet1/0/0
ipsec policy pl01

3)FW3(不固定IP)
#FW3: security policy for IKE negotiation with FW1 (12.1.1.12), local zone <-> untrust
#NOTE(review): any service is permitted; IKE/NAT-T need only UDP 500 and UDP 4500
security-policy
 rule name ike_l_2_u
  source-zone local
  destination-zone untrust
  destination-address 12.1.1.12 32
  action permit

rule name ike_u_2_l
  source-zone untrust
  destination-zone local
  source-address 12.1.1.12 32
  action permit

#FW3: security policy for the IPsec-protected traffic - branch LAN 172.18.0.0/16 <-> HQ LAN 172.16.0.0/16
security-policy
rule name ipsec_t_2_un
  source-zone trust
  destination-zone untrust
  source-address 172.18.0.0 16
  destination-address 172.16.0.0 16
  action permit

 rule name ipsec_un_2_t
  source-zone untrust
  destination-zone trust
  source-address 172.16.0.0 16
  destination-address 172.18.0.0 16
  action permit 

#FW3: security policy for Internet access from the branch LAN
security-policy
 rule name t_2_internet                   
  source-zone trust                       
  destination-zone untrust                
  source-address 172.18.0.0 mask 255.255.0.0
  action permit  

#FW3: NAT policy - exempt traffic towards the HQ LAN (no-nat), translate the rest with easy-ip
 nat-policy
 rule name ipsec_flow_no_nat
  source-zone trust
  destination-zone untrust
  source-address 172.18.0.0 mask 255.255.0.0
  destination-address 172.16.0.0 mask 255.255.0.0
  action no-nat

 rule name access_2_internet
  source-zone trust
  destination-zone untrust
  source-address 172.18.0.0 mask 255.255.0.0
  action source-nat easy-ip
#FW3: the no-nat rule must be evaluated before the easy-ip rule (nat-policy view)
rule move ipsec_flow_no_nat before access_2_internet

#FW3: interesting traffic - mirror of FW1's ACL 3001 rule 20
acl number 3001
 rule 10 permit ip source 172.18.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255

#FW3: IKE proposal - identical to FW1's proposal 5
ike proposal 5
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256

#FW3: IKE peer pointing at FW1's fixed address; same pre-shared key as FW1 (FW3's own address is not fixed)
ike peer fw1
#IKEv1 only (IKEv2 disabled), main mode
undo version 2
exchange-mode main 
pre-shared-key Admin@1234
ike-proposal 5
remote-address 12.1.1.12

#FW3: IPsec proposal - ESP-only (NAT-compatible), sha2-512 / AES-256 as on FW1
ipsec proposal pps01
transform esp
esp authentication-algorithm sha2-512
esp encryption-algorithm aes-256

#FW3: ISAKMP policy (initiator side)
ipsec policy pl01 10 isakmp
 security acl 3001
 ike-peer fw1
 proposal pps01

#FW3: apply the policy on the untrust interface
interface GigabitEthernet1/0/0
ipsec policy pl01

4)FW4配置(拨号)
#FW4: security policy for IKE negotiation with FW1 (12.1.1.12), local zone <-> untrust
#NOTE(review): any service is permitted; IKE/NAT-T need only UDP 500 and UDP 4500
security-policy
 rule name ike_l_2_u
  source-zone local
  destination-zone untrust
  destination-address 12.1.1.12 32
  action permit

rule name ike_u_2_l
  source-zone untrust
  destination-zone local
  source-address 12.1.1.12 32
  action permit

#FW4: security policy for the IPsec-protected traffic - branch LAN 172.19.0.0/16 <-> HQ LAN 172.16.0.0/16
security-policy
rule name ipsec_t_2_un
  source-zone trust
  destination-zone untrust
  source-address 172.19.0.0 16
  destination-address 172.16.0.0 16
  action permit

 rule name ipsec_un_2_t
  source-zone untrust
  destination-zone trust
  source-address 172.16.0.0 16
  destination-address 172.19.0.0 16
  action permit 

#FW4: security policy for Internet access from the branch LAN
security-policy
 rule name t_2_internet                   
  source-zone trust                       
  destination-zone untrust                
  source-address 172.19.0.0 mask 255.255.0.0
  action permit  

#FW4: NAT policy - exempt traffic towards the HQ LAN (no-nat), translate the rest with easy-ip
 nat-policy
 rule name ipsec_flow_no_nat
  source-zone trust
  destination-zone untrust
  source-address 172.19.0.0 mask 255.255.0.0
  destination-address 172.16.0.0 mask 255.255.0.0
  action no-nat

 rule name access_2_internet
  source-zone trust
  destination-zone untrust
  source-address 172.19.0.0 mask 255.255.0.0
  action source-nat easy-ip

#FW4: the no-nat rule must be evaluated before the easy-ip rule (nat-policy view)
rule move ipsec_flow_no_nat before access_2_internet

#FW4: interesting traffic - mirror of FW1's ACL 3001 rule 30
acl number 3001
 rule 10 permit ip source 172.19.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255

#FW4: IKE proposal - identical to FW1's proposal 5
ike proposal 5
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256

#FW4: IKE peer pointing at FW1's fixed address; same pre-shared key as FW1 (FW4 obtains its address by dial-up)
ike peer fw1
#IKEv1 only (IKEv2 disabled), main mode
undo version 2
exchange-mode main 
pre-shared-key Admin@1234
ike-proposal 5
remote-address 12.1.1.12

#FW4: IPsec proposal - ESP-only (NAT-compatible), sha2-512 / AES-256 as on FW1
ipsec proposal pps01
transform esp
esp authentication-algorithm sha2-512
esp encryption-algorithm aes-256

#FW4: ISAKMP policy (initiator side)
ipsec policy pl01 10 isakmp
 security acl 3001
 ike-peer fw1
 proposal pps01

#FW4: apply the policy on the dialer interface (the PPPoE client / Dialer1 configuration of FW4
#itself is not shown on this page; section 1 shows the equivalent on AR3)
interface Dialer1
ipsec policy pl01

#FW4: default route out of the dialer interface, so IKE and ESP leave via Dialer1 where the policy is bound
ip route-static 0.0.0.0 0.0.0.0 Dialer 1