пятница, 12 декабря 2008 г.

Терминирование RA-VPN и site2site VPN на одном устройстве ASA/PIX

Задача:
Есть pix/asa (FW0), которая терминирует на себе site2site VPN от другой pix/asa (FW1). Требуется настроить Remote Access VPN, терминирующийся на FW0, так, чтобы пользователи RA VPN имели доступ к ресурсам за FW1. При этом этот доступ должен идти через ipsec.
Решение:

Схема сети:


Конфигурация dynagen:
#
# Lab topology (dynagen): two emulated PIX 8.0(4) firewalls (pemu) and one
# 2621 IOS router, all attached to a single dynamips Ethernet switch S1.
#
# laptop <-> R0 <-> SW <-> FW1
#                   ^
#                   |
#                  FW0
# laptop - 172.16.1.1/24
# R0 f0/0 - 172.16.1.2/24
# f0/1 - 172.16.2.1/24
# FW1 e0 - 172.16.2.2/24
# FW0 e0 - 172.16.2.3/24
# NOTE(review): the two firewall addresses above are swapped relative to the
# device configs further down (hostname FW0 has 172.16.2.2, FW1 has 172.16.2.3);
# the device configs are the ones that match the crypto peers and routes.


autostart = False
[pemu localhost]
# workingdir = /tmp
[[525]]
# Shared pemu settings for both PIX instances: emulator serial/activation key
# and the PIX image (the FW0/FW1 listings report "PIX Version 8.0(4)").
serial = 907191750
key = 0xf73b6765,0x38bb3ffc,0xd80291b0,0xb0d09c44,0x8c1e94ba
image = /home/grint/software/cisco/pix/pix804.bin
[[FW FW0]]
# e0 = "outside" (shared segment with R0 f0/1 and FW1 e0), e1 = "inside";
# S1 port 4 is bridged to a local UDP NIO, see [[ETHSW S1]].
e0 = S1 1
e1 = S1 4
[[FW FW1]]
# Same layout as FW0: e0 outside on port 2, e1 inside on port 5.
e0 = S1 2
e1 = S1 5
[localhost:7200]
[[2621]]
image = /home/grint/software/cisco/ios/2610xm/c2600-advsecurityk9-mz.124-21a.image
ghostios = True
chassis = 2621
[[ROUTER R0]]
model = 2621
console = 2000
# f0/0 faces the host's tap0 (the "laptop" side, 172.16.1.0/24); the
# NIO_linux_eth variant is left here commented out as an alternative.
f0/0 = NIO_tap:tap0
# f0/0 = NIO_linux_eth:tap0
f0/1 = S1 3

[[ETHSW S1]]
# Ports 1-3: FW0 e0, FW1 e0 and R0 f0/1 share the 172.16.2.0/24 segment.
1 = access 1
2 = access 1
3 = access 1
# Ports 4-5: FW0 e1 / FW1 e1 (the inside interfaces), each bridged out over a
# local UDP NIO. NOTE(review): they are also in VLAN 1, so the inside
# interfaces share the broadcast domain with the outside segment -- confirm
# this is intended.
4 = access 1 NIO_udp:30000:127.0.0.1:20000
5 = access 1 NIO_udp:30001:127.0.0.1:20001

Конфигурация оборудования: R0:
!
! R0: IOS 12.4 router that plays the remote-access user. It runs the EasyVPN
! client toward FW0 so the "laptop" behind f0/0 (172.16.1.0/24) reaches the
! networks behind FW0 and FW1 through the RA tunnel.
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
! NOTE(review): password encryption is off, so the enable and username
! passwords below are stored in clear text (lab values); `enable secret` and
! `username ... secret` would store hashes instead.
!
hostname R0
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
aaa new-model
!
!
aaa authentication login default local
!
aaa session-id common
memory-size iomem 10
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
username cisco password 0 cisco
!
!
!
!
!
! EasyVPN client profile: peer is FW0's outside address; `mode client`,
! tunnel is brought up by hand (`connect manual`), and XAUTH credentials are
! prompted for interactively.
! NOTE(review): the group name `ra_group` does not match FW0's
! `tunnel-group rtptacvpn`; on the ASA the EzVPN group name selects the
! tunnel-group, so confirm which name was actually used in the lab.
crypto ipsec client ezvpn ra_profile
connect manual
group ra_group key cisco
mode client
peer 172.16.2.2
xauth userid mode interactive
!
!
!
! f0/0: laptop segment (inside of the EzVPN client).
interface FastEthernet0/0
ip address 172.16.1.2 255.255.255.0
duplex auto
speed auto
!
! f0/1: shared 172.16.2.0/24 segment with FW0/FW1; the EzVPN profile is
! applied here as the outside interface.
interface FastEthernet0/1
ip address 172.16.2.1 255.255.255.0
duplex auto
speed auto
crypto ipsec client ezvpn ra_profile
!
ip forward-protocol nd
!
! NOTE(review): plain HTTP management is enabled and HTTPS disabled; nothing
! in this lab depends on it, so `no ip http server` would be the safer
! setting.
ip http server
no ip http secure-server
!
!
!
control-plane
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end

FW0:
: Saved
: Written by enable_15 at 14:13:35.163 UTC Fri Dec 12 2008
!
! FW0 terminates BOTH the site-to-site tunnel to FW1 (172.16.2.3) and the
! remote-access (EasyVPN) clients on its outside interface. RA traffic bound
! for FW1's 192.168.103.0/24 enters and leaves through "outside" (hairpin),
! which is what the intra-interface, nonat and crypto-ACL settings below
! make possible.
!
PIX Version 8.0(4)
!
hostname FW0
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
! outside: shared segment with R0 (172.16.2.1) and FW1 (172.16.2.3)
interface Ethernet0
nameif outside
security-level 0
ip address 172.16.2.2 255.255.255.0
!
! inside: 192.168.102.0/24, the local resource network
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.102.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
! Required for the hairpin: RA-VPN packets arrive on outside and are sent
! back out of outside into the site-to-site tunnel.
same-security-traffic permit intra-interface
! Split-tunnel list pushed to RA clients: FW0's inside net and FW1's inside
! net, so client traffic to 192.168.103.0/24 goes into the RA tunnel.
access-list split_tunnel standard permit 192.168.102.0 255.255.255.0
access-list split_tunnel standard permit 192.168.103.0 255.255.255.0
! NOTE(review): ACL 100 is "permit ip any any" and is applied in and out on
! both interfaces below, so FW0 filters nothing in this lab.
access-list 100 extended permit ip any any
! Crypto ACL for the L2L tunnel (crypto map mymap 10): both the inside net
! and the RA pool (192.168.110.0/24) toward FW1's inside net, so hairpinned
! client traffic matches the L2L SA. FW1's ACL 100 mirrors these entries.
access-list 200 extended permit ip 192.168.102.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list 200 extended permit ip 192.168.110.0 255.255.255.0 192.168.103.0 255.255.255.0
! NAT exemption for the same two flows; referenced from both nat (inside) 0
! and nat (outside) 0 below.
access-list nonat extended permit ip 192.168.102.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list nonat extended permit ip 192.168.110.0 255.255.255.0 192.168.103.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
! Addresses handed to RA clients.
ip local pool vpnpool 192.168.110.1-192.168.110.254
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
! nat (outside) 0 is the line the post's note singles out: it exempts the
! hairpinned RA traffic (arriving on outside) from NAT so it can match the
! L2L crypto ACL; pool traffic not exempted is PAT'd to the outside address.
nat (outside) 0 access-list nonat
nat (outside) 1 192.168.110.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
! Identity static for one inside host.
static (inside,outside) 192.168.102.2 192.168.102.2 netmask 255.255.255.255
access-group 100 in interface outside
access-group 100 out interface outside
access-group 100 in interface inside
access-group 100 out interface inside
! Laptop segment sits behind R0; FW1's inside net is routed via FW1's outside
! address so that traffic exits "outside" and is evaluated by crypto map mymap.
route outside 172.16.1.0 255.255.255.0 172.16.2.1 1
route outside 192.168.103.0 255.255.255.0 172.16.2.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! NOTE(review): 3DES with SHA-1 (and MD5 in ISAKMP policy 10) are legacy
! choices kept as in the original lab; AES is available on 8.0(4) where the
! license permits.
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set s2s_set esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
! Dynamic map for the RA clients (unknown peer addresses); reverse-route
! injection installs routes for connected clients.
crypto dynamic-map rtpdynmap 20 set transform-set myset
crypto dynamic-map rtpdynmap 20 set security-association lifetime seconds 28800
crypto dynamic-map rtpdynmap 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map rtpdynmap 20 set reverse-route
! mymap 10: static L2L entry to FW1 keyed by ACL 200; mymap 20: the RA
! dynamic map.
crypto map mymap 10 match address 200
crypto map mymap 10 set peer 172.16.2.3
crypto map mymap 10 set transform-set s2s_set
crypto map mymap 10 set security-association lifetime seconds 28800
crypto map mymap 10 set security-association lifetime kilobytes 4608000
crypto map mymap 20 ipsec-isakmp dynamic rtpdynmap
! NOTE(review): entry 30 carries only SA lifetimes -- no match address, peer
! or transform-set -- so it does nothing; probably a leftover.
crypto map mymap 30 set security-association lifetime seconds 28800
crypto map mymap 30 set security-association lifetime kilobytes 4608000
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
! ISAKMP policies: 10 (md5) and 20 (sha) for the peers; FW1's single policy
! (3des/sha/group 2/pre-share) matches policy 20. 65535 is the lowest-priority
! catch-all.
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
! Group policy for RA clients: 20-minute idle timeout and split tunnelling
! limited to the split_tunnel list.
group-policy clientgroup internal
group-policy clientgroup attributes
vpn-idle-timeout 20
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
username cisco password 3USUcOPFUiMCO4Jk encrypted
! RA tunnel-group: addresses from vpnpool, LOCAL authorization, clientgroup
! policy. NOTE(review): the group and L2L pre-shared keys appear in clear
! here, whereas the FW1 listing shows them masked with `*` by show run.
tunnel-group rtptacvpn type remote-access
tunnel-group rtptacvpn general-attributes
address-pool vpnpool
authorization-server-group LOCAL
default-group-policy clientgroup
tunnel-group rtptacvpn ipsec-attributes
pre-shared-key cisco
! L2L tunnel-group, keyed by FW1's outside address.
tunnel-group 172.16.2.3 type ipsec-l2l
tunnel-group 172.16.2.3 ipsec-attributes
pre-shared-key cisco
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:f02de0562aaeede865f5f868c8e44197
: end

FW1:

FW1# show run
: Saved
:
! FW1: plain site-to-site peer of FW0. Its crypto ACL 100 (also used as the
! NAT-exempt list) must include the RA pool 192.168.110.0/24 as well as FW0's
! inside net, mirroring FW0's ACL 200, or the hairpinned RA traffic will not
! match the tunnel.
!
PIX Version 8.0(4)
!
hostname FW1
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
! outside: shared segment with FW0 (172.16.2.2) and R0 (172.16.2.1)
interface Ethernet0
nameif outside
security-level 0
ip address 172.16.2.3 255.255.255.0
!
! inside: 192.168.103.0/24, the resources RA users need to reach
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.103.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
! Crypto ACL / NAT exemption: inside net to FW0's inside net and to the RA pool.
access-list 100 extended permit ip 192.168.103.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list 100 extended permit ip 192.168.103.0 255.255.255.0 192.168.110.0 255.255.255.0
! NOTE(review): the "outside" ACL ends with permit ip any any, which makes the
! esp/ah/icmp/isakmp lines before it redundant and leaves the interface open
! (lab setting).
access-list outside extended permit esp any any
access-list outside extended permit ah any any
access-list outside extended permit icmp any any
access-list outside extended permit udp any any eq isakmp
access-list outside extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside in interface outside
! Return routes: both FW0's inside net and the RA pool point at FW0.
route outside 192.168.102.0 255.255.255.0 172.16.2.2 1
route outside 192.168.110.0 255.255.255.0 172.16.2.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! Static L2L crypto map to FW0; 3DES/SHA-1 kept as in the original lab.
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer 172.16.2.2
crypto map outside_map 20 set transform-set myset
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp enable outside
! Single ISAKMP policy (3des/sha/group 2/pre-share); it matches FW0's policy 20.
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
! NOTE(review): RC4-only SSL cipher for the management interface; unrelated
! to the IPsec setup but worth replacing.
ssl encryption rc4-sha1
username cisco password 3USUcOPFUiMCO4Jk encrypted
! L2L tunnel-group for FW0; the pre-shared key is masked by show run.
tunnel-group 172.16.2.2 type ipsec-l2l
tunnel-group 172.16.2.2 ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:f269c05f9eb7f6b046fda9ad287a89d1
: end
FW1#


Примечание:
Главное — не забыть о волшебной команде nat (outside) 0 access-list nonat на устройстве, которое терминирует на себе site2site-vpn и ra-vpn (в данном случае FW0). Иначе на нём будет видно, как зашифрованные пакеты приходят из одного туннеля, но не уходят во второй туннель.

P.S. Картинка схемы сети оказалась маленькой. Переделывать вечером в пятницу не хочется.
P.S. 2 А аналог cut lj тут есть?
