GNS3模拟ASA做IPSEC ×××

发布时间:2019-09-05 07:04:38编辑:auto阅读(1620)

    GNS3中模拟ASA防火墙做IPsec ×××


    拓扑图:

    拓扑说明:

    ASA1ASA2 E0口相连模拟外网区域,R1R2E0口与ASA E1口相连模拟内网区域。




    配置脚本:


    ASA1# sh run

    : Saved

    :

    ASA Version 8.0(2)

    !

    hostname ASA1

    enable password 8Ry2YjIyt7RRXU24 encrypted

    names

    !

    interface Ethernet0/0

    nameif outside

    security-level 0

    ip address 12.1.1.1255.255.255.0

    !

    interface Ethernet0/1

    nameif inside

    security-level 100

    ip address 192.168.1.1 255.255.255.0

    !

    interface Ethernet0/2

    shutdown

    nonameif

    nosecurity-level

    noip address

    !

    interface Ethernet0/3

    shutdown    

    nonameif

    nosecurity-level

    noip address

    !

    interface Ethernet0/4

    shutdown

    nonameif

    nosecurity-level

    noip address

    !

    interface Ethernet0/5

    shutdown

    nonameif

    nosecurity-level

    noip address

    !

    passwd 2KFQnbNIdI.2KYOU encrypted

    ftp mode passive

    access-list 1 extended permiticmp any any

    access-list 101 extended permitip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

    pager lines 24

    mtu outside 1500

    mtu inside 1500

    no failover  

    icmp unreachable rate-limit 1 burst-size 1

    no asdm history enable

    arp timeout 14400

    nat-control      //启用NAT功能

    global (outside) 1 interface      //PAT

    nat (inside) 0 access-list 101    //NAT免除(注:8.3版本以前的必须做!)

    nat (inside) 1 0.0.0.00.0.0.0

    access-group 1 in interfaceoutside   //在外网接口调用ACL List 1

    route outside 0.0.0.00.0.0.0 12.1.1.2 1   //写条默认路由,下一跳指向ASA2E0 IP

    timeout xlate 3:00:00

    timeout conn 1:00:00 half-closed 0:10:00udp 0:02:00 icmp 0:00:02

    timeout sunrpc 0:10:00 h323 0:05:00 h2251:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

    timeout sip 0:30:00 sip_media 0:02:00sip-invite 0:03:00 sip-disconnect 0:02:00

    timeout uauth 0:05:00 absolute

    dynamic-access-policy-recordDfltAccessPolicy

    no snmp-server location

    no snmp-server contact

    snmp-server enable traps snmpauthentication linkup linkdown coldstart

    crypto ipsec transform-set mysetesp-3des esp-md5-hmac   //创建IPsec交换集

    crypto map mymap 10 match address101          //匹配感兴趣流量

    crypto map mymap 10 set peer 12.1.1.2  //定义对端PeerASA2E0IP

    crypto map mymap 10 settransform-set myset      //绑定交换集

    crypto map mymap interfaceoutside             //MAP应用到外部接口

    crypto isakmp enable outside                  //外部启用isakmp

    crypto isakmp policy 10             //定义isakmap策略10

    authentication pre-share          //认证方式,采用预共享密钥

    encryption 3des                //加密算法

    hash md5                   //hash校验

    group 2                    //密钥长度

    lifetime 86400              生存周期(可选,默认为86400

    crypto isakmp policy 65535

    authentication pre-share

    encryption 3des

    hashsha

    group 2

    lifetime 86400

    telnet timeout 5

    ssh timeout 5

    console timeout 0

    threat-detection basic-threat

    threat-detection statistics access-list

    !

    !

    tunnel-group 12.1.1.2type ipsec-l2l

    tunnel-group 12.1.1.2ipsec-attributes

    pre-shared-key *                //这里就是之前我们定义的Pre-shared-key

    prompt hostname context

    Cryptochecksum:00000000000000000000000000000000

    : end

    ASA1#





    ASA2# sh run

    : Saved

    :

    ASA Version 8.0(2)

    !

    hostname ASA2

    enable password 8Ry2YjIyt7RRXU24 encrypted

    names

    !

    interface Ethernet0/0

    nameif outside

    security-level 0

    ip address 12.1.1.2255.255.255.0

    !

    interface Ethernet0/1

    nameif inside

    security-level 100

    ip address 192.168.2.1 255.255.255.0

    !

    interface Ethernet0/2

    shutdown

    nonameif

    nosecurity-level

    noip address

    !

    interface Ethernet0/3

    shutdown    

    nonameif

    nosecurity-level

    noip address

    !

    interface Ethernet0/4

    shutdown

    nonameif

    nosecurity-level

    noip address

    !

    interface Ethernet0/5

    shutdown

    nonameif

    nosecurity-level

    noip address

    !

    passwd 2KFQnbNIdI.2KYOU encrypted

    ftp mode passive

    access-list 1 extended permiticmp any any

    access-list 101 extended permitip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

    pager lines 24

    mtu outside 1500

    mtu inside 1500

    no failover  

    icmp unreachable rate-limit 1 burst-size 1

    no asdm history enable

    arp timeout 14400

    nat-control

    global (outside) 1 interface

    nat (inside) 0 access-list 101

    nat (inside) 1 0.0.0.00.0.0.0

    access-group 1 in interfaceoutside

    route outside 0.0.0.00.0.0.0 12.1.1.1 1

    timeout xlate 3:00:00

    timeout conn 1:00:00 half-closed 0:10:00udp 0:02:00 icmp 0:00:02

    timeout sunrpc 0:10:00 h323 0:05:00 h2251:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

    timeout sip 0:30:00 sip_media 0:02:00sip-invite 0:03:00 sip-disconnect 0:02:00

    timeout uauth 0:05:00 absolute

    dynamic-access-policy-recordDfltAccessPolicy

    no snmp-server location

    no snmp-server contact

    snmp-server enable traps snmp authenticationlinkup linkdown coldstart

    crypto ipsec transform-set mysetesp-3des esp-md5-hmac

    crypto map mymap 10 match address101

    crypto map mymap 10 set peer 12.1.1.1

    crypto map mymap 10 settransform-set myset

    crypto map mymap interfaceoutside

    crypto isakmp enable outside

    crypto isakmp policy 10

    authentication pre-share

    encryption 3des

    hash md5

    group 2

    lifetime 86400

    crypto isakmp policy 65535

    authentication pre-share

    encryption 3des

    hashsha

    group 2

    lifetime 86400

    telnet timeout 5

    ssh timeout 5

    console timeout 0

    threat-detection basic-threat

    threat-detection statistics access-list

    !

    !

    tunnel-group 12.1.1.1type ipsec-l2l

    tunnel-group 12.1.1.1ipsec-attributes

    pre-shared-key *

    prompt hostname context

    Cryptochecksum:00000000000000000000000000000000

    : end

    ASA2#



    R1#sh run

    Building configuration...


    Current configuration : 776 bytes

    !

    version 12.3

    service timestamps debug datetime msec

    service timestamps log datetime msec

    no service password-encryption

    !

    hostname R1

    !

    boot-start-marker

    boot-end-marker

    !

    !

    memory-size iomem 15

    mmi polling-interval 60

    no mmi auto-configure

    no mmi pvc

    mmi snmp-timeout 180

    no aaa new-model

    ip subnet-zero

    no ip routing              //关闭R1的路由功能,模拟PC

    !

    !        

    no ip domain lookup

    !

    no ip cef

    ip audit po max-events 100

    no ftp-server write-enable

    !

    !

    !

    !

    !

    !

    !

    interface Ethernet0

    ip address 192.168.1.2 255.255.255.0

    noip route-cache

    half-duplex

    !

    interface FastEthernet0

    noip address

    noip route-cache

    shutdown

    speed auto

    !        

    ip default-gateway 192.168.1.1   //配置默认网关

    ip classless

    no ip http server

    no ip http secure-server

    !

    !

    !

    !

    line con 0

    exec-timeout 0 0

    logging synchronous

    line aux 0

    line vty 0 4

    !

    end

    R1#  




    R2#sh run

    Building configuration...


    Current configuration : 776 bytes

    !

    version 12.3

    service timestamps debug datetime msec

    service timestamps log datetime msec

    no service password-encryption

    !

    hostname R2

    !

    boot-start-marker

    boot-end-marker

    !

    !

    memory-size iomem 15

    mmi polling-interval 60

    no mmi auto-configure

    no mmi pvc

    mmi snmp-timeout 180

    no aaa new-model

    ip subnet-zero

    no ip routing

    !

    !        

    no ip domain lookup

    !

    no ip cef

    ip audit po max-events 100

    no ftp-server write-enable

    !

    !

    !

    !

    !

    !

    !

    interface Ethernet0

    ipaddress 192.168.2.2 255.255.255.0

    noip route-cache

    half-duplex

    !

    interface FastEthernet0

    noip address

    noip route-cache

    shutdown

    speed auto

    !        

    ip default-gateway 192.168.2.1

    ip classless

    no ip http server

    no ip http secure-server

    !

    !

    !

    !

    line con 0

    exec-timeout 0 0

    logging synchronous

    line aux 0

    line vty 0 4

    !

    end


    R2#


    我们在ASA1上开启debug,由于GNS3模拟ASA还存在诸多问题,所以debug没有反应,但我们ping测试还是可以的。

    ASA1# debug crypto isakmp

    ASA1# debug crypto ipsec

    ASA1# debug icmp trace


    R1上测试下,可以多ping几个包

    R1#ping 192.168.2.2 repeat 30  


    Type escape sequence to abort.

    Sending 30, 100-byte ICMP Echos to192.168.2.2, timeout is 2 seconds:

    ..!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    Success rate is 93 percent (28/30),round-trip min/avg/max = 164/202/300 ms

    R1#


    可以看到,前面丢了两个包,那是因为isakmpike协商协商的过程。后面还是通了。


    ASA1上的ICMP 调试信息

    ASA1# ICMP echo request from inside:192.168.1.2 tooutside:192.168.2.2 ID=8 seq=0 len=72

    ICMP echo reply from outside:192.168.2.2 to inside:192.168.1.2 ID=8seq=0 len=72

    ICMP echo request from inside:192.168.1.2 to outside:192.168.2.2ID=8 seq=1 len=72

    ICMP echo reply from outside:192.168.2.2 to inside:192.168.1.2 ID=8seq=1 len=72

    ICMP echo request from inside:192.168.1.2 to outside:192.168.2.2ID=8 seq=2 len=72

    ICMP echo reply from outside:192.168.2.2 to inside:192.168.1.2 ID=8seq=2 len=72

    ICMP echo request from inside:192.168.1.2 to outside:192.168.2.2ID=8 seq=3 len=72

    ICMP echo reply from outside:192.168.2.2 to inside:192.168.1.2 ID=8seq=3 len=72

    ICMP echo request from inside:192.168.1.2 to outside:192.168.2.2ID=8 seq=4 len=72

    ICMP echo reply from outside:192.168.2.2 to inside:192.168.1.2 ID=8seq=4 len=72


    ASA1#



    我们再来ASA1show看下,


    ASA1# show crypto isakmp sa


     Active SA: 1

      Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

    Total IKE SA: 1


    1  IKE Peer: 12.1.1.2

      Type    : L2L             Role    : initiator

      Rekey   : no              State  : MM_ACTIVE

    ASA1#



    ASA1# show crypto isakmp stats


    Global IKE Statistics

    Active Tunnels: 1

    Previous Tunnels: 2

    In Octets: 17144

    In Packets: 196

    In Drop Packets: 1

    In Notifys: 187

    In P2 Exchanges: 0

    In P2 Exchange Invalids: 0

    In P2 Exchange Rejects: 0

    In P2 Sa Delete Requests: 0

    Out Octets: 17548

    Out Packets: 199

    Out Drop Packets: 0

    Out Notifys: 374

    Out P2 Exchanges: 2

    Out P2 Exchange Invalids: 0

    Out P2 Exchange Rejects: 0

    Out P2 Sa Delete Requests: 1

    Initiator Tunnels: 2

    Initiator Fails: 0

    Responder Fails: 0

    System Capacity Fails: 0

    Auth Fails: 0

    Decrypt Fails: 0

    Hash Valid Fails: 0

    No Sa Fails: 0

    ASA1#



    ASA1# show crypto ipsec sa

    interface: outside

      Crypto map tag: mymap, seq num: 10, local addr: 12.1.1.1


        access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0255.255.255.0

        local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

        remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)

        current_peer: 12.1.1.2


        #pkts encaps: 28, #pkts encrypt: 28, #pkts digest: 28

        #pkts decaps: 28, #pkts decrypt: 28, #pkts verify: 28

        #pkts compressed: 0, #pkts decompressed: 0

        #pkts not compressed: 28, #pkts comp failed: 0, #pkts decomp failed: 0

        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

        #send errors: 0, #recv errors: 0


        local crypto endpt.: 12.1.1.1, remote cryptoendpt.: 12.1.1.2


        path mtu 1500, ipsec overhead 58, media mtu 1500

        current outbound spi: 49BD5F83


      inbound esp sas:

        spi: 0x9F6046AC (2673886892)

           transform: esp-3des esp-md5-hmac none

           in use settings ={L2L, Tunnel, }

           slot: 0, conn_id: 8192, crypto-map: mymap

           sa timing: remaining key lifetime (kB/sec): (3824997/28536)

           IV size: 8 bytes

           replay detection support: Y

      outbound esp sas:

        spi: 0x49BD5F83 (1237147523)

           transform: esp-3des esp-md5-hmac none

           in use settings ={L2L, Tunnel, }

           slot: 0, conn_id: 8192, crypto-map: mymap

           sa timing: remaining key lifetime (kB/sec): (3824997/28536)

           IV size: 8 bytes

           replay detection support: Y


    ASA1#



    ASA1# show crypto ipsec stats


    IPsec Global Statistics

    -----------------------

    Active tunnels: 1

    Previous tunnels: 2

    Inbound

      Bytes: 9000

      Decompressed bytes: 9000

      Packets: 90

      Dropped packets: 0

      Replay failures: 0

      Authentications: 90

      Authentication failures: 0

       Decryptions: 90

      Decryption failures: 0

      Decapsulated fragments needing reassembly: 0

    Outbound

      Bytes: 9000

      Uncompressed bytes: 9000

      Packets: 90

      Dropped packets: 0

      Authentications: 90

      Authentication failures: 0

      Encryptions: 90

      Encryption failures: 0

      Fragmentation successes: 0

          Pre-fragmentation successses: 0

          Post-fragmentation successes: 0

      Fragmentation failures: 0

          Pre-fragmentation failures: 0

          Post-fragmentation failures: 0

      Fragments created: 0

      PMTUs sent: 0

      PMTUs rcvd: 0

    Protocol failures: 0

    Missing SA failures: 0

    System capacity failures: 0


    ASA1#

关键字