Cisco ASA access lists and network configuration

network-engineering cisco-asa ipsec acl network-access
2022-03-02 11:43:46


This is my configuration for this network. I found that the ASAs cannot ping each other. Also, when I type show crypto isakmp SA and IPSec Sa, it shows nothing at all. Can you guys find what is wrong with the configuration of all the ASAs (LA, SD, SF, MI, NY), or do you have any suggestions? I would really appreciate it.

ISP

Int g0/0
ip add 2.2.1.1 255.255.255.252
no shut

Int g0/1
IP add 2.2.2.1 255.255.255.252
no shut

int g0/2
ip add 2.2.3.1 255.255.255.252
no shut

int g0/3
ip add 4.4.129.1 255.255.255.252
no shut

int g0/3
ip add 4.4.128.1 255.255.255.252
no shut

LA, ASA 5506: 8.4 or later


!
hostname LA
!
interface G0/0
 nameif outside
 security-level 0
 ip address 2.2.1.2 255.255.255.0
 no shut
!
interface G0/1
 nameif inside
 security-level 100
 ip address 10.10.255.1 255.255.255.0
 no shut
!
route outside 0.0.0.0 0.0.0.0 2.2.1.1
!
!
object network INSIDE_NETWORK
 subnet 10.10.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
!
!
! Allowing ICMP through ASA.
!
!class-map inspection_default
! match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp 
  inspect icmp error
!
!service-policy global_policy global
!
!
! Allowing ICMP to ASA's inside interface from another site.
!
management-access inside
!
!
! Phase 1 (IKEv1)
!
crypto ikev1 enable outside
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
!
tunnel-group 4.4.128.2 type ipsec-l2l
tunnel-group 4.4.128.2 ipsec-attributes
 ikev1 pre-shared-key LA10toNY20
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key LA10toSF20
tunnel-group 2.2.3.2 type ipsec-l2l
tunnel-group 2.2.3.2 ipsec-attributes
 ikev1 pre-shared-key LA10toSD20

router eigrp 1
network 10.0.0.0
red stat



!
! Phase 2 (IPSec)
!
object network N_10.10.0.0_16
 subnet 10.10.0.0 255.255.0.0
object network N_10.128.0.0_16
 subnet 10.128.0.0 255.255.0.0
object network N_10.20.0.0_16
 subnet 10.20.0.0 255.255.0.0
object network N_10.30.0.0_16
 subnet 10.30.0.0 255.255.0.0
!
access-list IPSEC_NY_ACL extended permit ip object N_10.10.0.0_16 object N_10.128.0.0_16
access-list IPSEC_SF_ACL extended permit ip object N_10.10.0.0_16 object N_10.20.0.0_16
access-list IPSEC_SD_ACL extended permit ip object N_10.10.0.0_16 object N_10.30.0.0_16
!
! NAT Exemption (No NAT)
! Packet Tracer limitation (Manual NAT is not supported.)
!
nat (inside,outside) source static N_10.10.0.0_16 N_10.10.0.0_16 destination static N_10.128.0.0_16 N_10.128.0.0_16 no-proxy-arp route-lookup
nat (inside,outside) source static N_10.10.0.0_16 N_10.10.0.0_16 destination static N_10.20.0.0_16 N_10.20.0.0_16 no-proxy-arp route-lookup
nat (inside,outside) source static N_10.10.0.0_16 N_10.10.0.0_16 destination static N_10.30.0.0_16 N_10.30.0.0_16 no-proxy-arp route-lookup
!
crypto ipsec ikev1 transform-set IPSEC_SET esp-aes-256 esp-sha-hmac
!
crypto map IPSEC_MAP 10 match address IPSEC_NY_ACL
crypto map IPSEC_MAP 10 set peer 4.4.128.2
crypto map IPSEC_MAP 10 set ikev1 transform-set IPSEC_SET
crypto map IPSEC_MAP 10 set security-association lifetime seconds 86400
crypto map IPSEC_MAP 20 match address IPSEC_SF_ACL
crypto map IPSEC_MAP 20 set peer 2.2.2.2
crypto map IPSEC_MAP 20 set security-association lifetime seconds 86400
crypto map IPSEC_MAP 30 match address IPSEC_SD_ACL
crypto map IPSEC_MAP 30 set peer 2.2.3.2
crypto map IPSEC_MAP 30 set ikev1 transform-set IPSEC_SET
crypto map IPSEC_MAP 30 set security-association lifetime seconds 86400
!
crypto map IPSEC_MAP interface outside
!


SF, ASA 5506: 8.4 or later


!
hostname SF
!
interface G0/0
 nameif outside
 security-level 0
 ip address 2.2.2.2 255.255.255.252
 no shut
!
interface G0/1
 nameif inside
 security-level 100
 ip address 10.20.255.1 255.255.255.252
 no shut
!
route outside 0.0.0.0 0.0.0.0 2.2.2.1
!
!
object network INSIDE_NETWORK
 subnet 10.20.0.0 255.255.0.0
 nat (inside,outside) dynamic interface




! Allowing ICMP through ASA.
!
!class-map inspection_default
! match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp 
  inspect icmp error
!
!service-policy global_policy global
!
!
! Allowing ICMP to ASA's inside interface from another site.
!
management-access inside


! Phase 1 (IKEv1)
!
crypto ikev1 enable outside
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
!
tunnel-group 2.2.1.2 type ipsec-l2l
tunnel-group 2.2.1.2 ipsec-attributes
 ikev1 pre-shared-key LA10toSF20

router eigrp 1
network 10.0.0.0
red stat



! Phase 2 (IPSec)
!
object network N_10.20.0.0_16
 subnet 10.20.0.0 255.255.0.0
object network N_10.10.0.0_16
 subnet 10.10.0.0 255.255.0.0


access-list IPSEC_SF_ACL extended permit ip object N_10.20.0.0_16 object N_10.10.0.0_16


! NAT Exemption (No NAT)
! Packet Tracer limitation (Manual NAT is not supported.)
!
crypto ipsec ikev1 transform-set IPSEC_SET esp-aes-256 esp-sha-hmac

nat (inside,outside) source static N_10.20.0.0_16 N_10.20.0.0_16 destination static N_10.10.0.0_16 N_10.10.0.0_16 no-proxy-arp route-lookup
crypto map IPSEC_MAP 20 match address IPSEC_SF_ACL
crypto map IPSEC_MAP 20 set peer 2.2.1.2
crypto map IPSEC_MAP 20 set ikev1 transform-set IPSEC_SET
crypto map IPSEC_MAP 20 set security-association lifetime seconds 86400
!
crypto map IPSEC_MAP interface outside
!


SD, ASA 5506: 8.4 or later


!
hostname SD
!
interface G0/0
 nameif outside
 security-level 0
 ip address 2.2.3.2 255.255.255.252
 no shut
!
interface G0/1
 nameif inside
 security-level 100
 ip address 10.30.255.1 255.255.255.252
 no shut
!
route outside 0.0.0.0 0.0.0.0 2.2.3.1
!
!
object network INSIDE_NETWORK
 subnet 10.30.0.0 255.255.0.0
 nat (inside,outside) dynamic interface




! Allowing ICMP through ASA.
!
!class-map inspection_default
! match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp 
  inspect icmp error
!
!service-policy global_policy global
!
!
! Allowing ICMP to ASA's inside interface from another site.
!
management-access inside


! Phase 1 (IKEv1)
!
crypto ikev1 enable outside
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
!
tunnel-group 2.2.1.2 type ipsec-l2l
tunnel-group 2.2.1.2 ipsec-attributes
 ikev1 pre-shared-key LA10toSD20

router eigrp 1
network 10.0.0.0
red stat



! Phase 2 (IPSec)
!
object network N_10.30.0.0_16
 subnet 10.30.0.0 255.255.0.0
object network N_10.10.0.0_16
 subnet 10.10.0.0 255.255.0.0


access-list IPSEC_SD_ACL extended permit ip object N_10.30.0.0_16 object N_10.10.0.0_16


! NAT Exemption (No NAT)
! Packet Tracer limitation (Manual NAT is not supported.)
!
crypto ipsec ikev1 transform-set IPSEC_SET esp-aes-256 esp-sha-hmac

nat (inside,outside) source static N_10.30.0.0_16 N_10.30.0.0_16 destination static N_10.10.0.0_16 N_10.10.0.0_16 no-proxy-arp route-lookup
crypto map IPSEC_MAP 30 match address IPSEC_SD_ACL
crypto map IPSEC_MAP 30 set peer 2.2.1.2
crypto map IPSEC_MAP 30 set ikev1 transform-set IPSEC_SET
crypto map IPSEC_MAP 30 set security-association lifetime seconds 86400
!
crypto map IPSEC_MAP interface outside
!


MI, ASA 5506: 8.4 or later


!
hostname MI
!
interface G0/0
 nameif outside
 security-level 0
 ip address 4.4.129.2 255.255.255.252
 no shut
!
interface G0/1
 nameif inside
 security-level 100
 ip address 10.129.255.1 255.255.255.252
 no shut
!
route outside 0.0.0.0 0.0.0.0 4.4.129.1
!
!
object network INSIDE_NETWORK
 subnet 10.129.0.0 255.255.0.0
 nat (inside,outside) dynamic interface




! Allowing ICMP through ASA.
!
!class-map inspection_default
! match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp 
  inspect icmp error
!
!service-policy global_policy global
!
!
! Allowing ICMP to ASA's inside interface from another site.
!
management-access inside


! Phase 1 (IKEv1)
!
crypto ikev1 enable outside
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
!
tunnel-group 4.4.128.2 type ipsec-l2l
tunnel-group 4.4.128.2 ipsec-attributes
 ikev1 pre-shared-key NY10toMI20

router eigrp 1
network 10.0.0.0
red stat


! Phase 2 (IPSec)
!
object network N_10.129.0.0_16
 subnet 10.129.0.0 255.255.0.0
object network N_10.128.0.0_16
 subnet 10.128.0.0 255.255.0.0


access-list IPSEC_MI_ACL extended permit ip object N_10.129.0.0_16 object N_10.128.0.0_16


! NAT Exemption (No NAT)
! Packet Tracer limitation (Manual NAT is not supported.)
!
crypto ipsec ikev1 transform-set IPSEC_SET esp-aes-256 esp-sha-hmac

nat (inside,outside) source static N_10.129.0.0_16 N_10.129.0.0_16 destination static N_10.128.0.0_16 N_10.128.0.0_16 no-proxy-arp route-lookup
crypto map IPSEC_MAP 20 match address IPSEC_MI_ACL
crypto map IPSEC_MAP 20 set peer 4.4.128.2
crypto map IPSEC_MAP 20 set ikev1 transform-set IPSEC_SET
crypto map IPSEC_MAP 20 set security-association lifetime seconds 86400
!
crypto map IPSEC_MAP interface outside
!


NY, ASA 5506: 8.4 or later


!
hostname NY
!
interface G0/0
 nameif outside
 security-level 0
 ip address 4.4.128.2 255.255.255.252
 no shut
!
interface G0/1
 nameif inside
 security-level 100
 ip address 10.128.255.1 255.255.255.252
 no shut
!
route outside 0.0.0.0 0.0.0.0 4.4.128.1
!
!
object network INSIDE_NETWORK
 subnet 10.128.0.0 255.255.0.0
 nat (inside,outside) dynamic interface




! Allowing ICMP through ASA.
!
!class-map inspection_default
! match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp 
  inspect icmp error
!
!service-policy global_policy global
!
!
! Allowing ICMP to ASA's inside interface from another site.
!
management-access inside


! Phase 1 (IKEv1)
!
crypto ikev1 enable outside
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
!
tunnel-group 4.4.129.2 type ipsec-l2l
tunnel-group 4.4.129.2 ipsec-attributes
 ikev1 pre-shared-key NY10toMI20
tunnel-group 2.2.1.2 type ipsec-l2l
tunnel-group 2.2.1.2 ipsec-attributes
 ikev1 pre-shared-key LA10toNY20

router eigrp 1
network 10.0.0.0
red stat


! Phase 2 (IPSec)
!
object network N_10.128.0.0_16
 subnet 10.128.0.0 255.255.0.0
object network N_10.129.0.0_16
 subnet 10.129.0.0 255.255.0.0
object network N_10.128.0.0_16
 subnet 10.128.0.0 255.255.0.0
object network N_10.10.0.0_16
 subnet 10.10.0.0 255.255.0.0


access-list IPSEC_MI_ACL extended permit ip object N_10.128.0.0_16 object N_10.129.0.0_16
access-list IPSEC_NY_ACL extended permit ip object N_10.128.0.0_16 object N_10.10.0.0_16


! NAT Exemption (No NAT)
! Packet Tracer limitation (Manual NAT is not supported.)
!
crypto ipsec ikev1 transform-set IPSEC_SET esp-aes-256 esp-sha-hmac

nat (inside,outside) source static N_10.128.0.0_16 N_10.128.0.0_16 destination static N_10.129.0.0_16 N_10.129.0.0_16 no-proxy-arp route-lookup
nat (inside,outside) source static N_10.128.0.0_16 N_10.128.0.0_16 destination static N_10.10.0.0_16 N_10.10.0.0_16 no-proxy-arp route-lookup
crypto map IPSEC_MAP 10 match address IPSEC_NY_ACL
crypto map IPSEC_MAP 10 set peer 2.2.1.2
crypto map IPSEC_MAP 10 set ikev1 transform-set IPSEC_SET
crypto map IPSEC_MAP 10 set security-association lifetime seconds 86400
crypto map IPSEC_MAP 20 match address IPSEC_MI_ACL
crypto map IPSEC_MAP 20 set peer 4.4.129.2
crypto map IPSEC_MAP 20 set ikev1 transform-set IPSEC_SET
crypto map IPSEC_MAP 20 set security-association lifetime seconds 86400
!
crypto map IPSEC_MAP interface outside
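
Before looking at routing, it is worth checking the posted crypto configuration mechanically, because an IKEv1 site-to-site tunnel only comes up when both ends agree on peer address, pre-shared key, transform-set and a mirrored crypto ACL, and a single missing statement (the LA config above has no `set ikev1 transform-set` on crypto map entry 20) leaves `show crypto isakmp sa` empty. The script below is an added example, not code from the original post or from Cisco. It parses only the subset of ASA syntax used in the question (object network/subnet, object-based access-list, tunnel-group with ikev1 pre-shared-key, crypto map entries, and the interface named outside) and compares any two sites against each other; the function names, the per-site dictionaries and the `COMMON`, `LA_CFG` and `NY_CFG` excerpts (constructed from the LA and NY configs in the question, trimmed to the statements the checker reads) are the example's own assumptions. It does not check routing, which the answer below addresses.

```python
# Added example (not from the original post or from Cisco): consistency checks for the
# ASA IKEv1 site-to-site statements posted in the question. Sample configs are constructed.
from collections import defaultdict

def parse_asa(text):
    """Pull the crypto-relevant statements out of an ASA running-config excerpt."""
    cfg = {"outside_ip": None, "objects": {}, "acls": defaultdict(list),
           "psk": {}, "crypto_maps": defaultdict(dict)}
    cur_object = cur_tg = cur_if = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                          # blank lines and comments
        parts, indented = raw.split(), raw.startswith(" ")
        if not indented:                      # a top-level command ends any sub-mode
            cur_object = cur_tg = cur_if = None
        if parts[:2] == ["object", "network"]:
            cur_object = parts[2]
        elif indented and parts[0] == "subnet" and cur_object:
            cfg["objects"][cur_object] = (parts[1], parts[2])
        elif indented and parts[0] == "nameif":
            cur_if = parts[1]
        elif indented and parts[:2] == ["ip", "address"] and cur_if == "outside":
            cfg["outside_ip"] = parts[2]
        elif parts[0] == "access-list" and "permit" in parts:
            objs = [parts[i + 1] for i, p in enumerate(parts) if p == "object"]
            if len(objs) == 2:                # ... permit ip object SRC object DST
                cfg["acls"][parts[1]].append(tuple(objs))
        elif parts[0] == "tunnel-group":
            cur_tg = parts[1]
        elif indented and parts[:2] == ["ikev1", "pre-shared-key"] and cur_tg:
            cfg["psk"][cur_tg] = parts[2]     # peer address -> pre-shared key
        elif parts[:2] == ["crypto", "map"] and len(parts) > 6 and parts[3].isdigit():
            entry = cfg["crypto_maps"][(parts[2], int(parts[3]))]
            if parts[4:6] == ["match", "address"]:
                entry["acl"] = parts[6]
            elif parts[4:6] == ["set", "peer"]:
                entry["peer"] = parts[6]
            elif parts[4:7] == ["set", "ikev1", "transform-set"] and len(parts) > 7:
                entry["transform_set"] = parts[7]
    return cfg

def acl_networks(cfg, acl_name):
    """Resolve an object-based crypto ACL into (src_subnet, dst_subnet) pairs."""
    return {(cfg["objects"].get(s), cfg["objects"].get(d)) for s, d in cfg["acls"].get(acl_name, [])}

def audit(local, remote):
    """Check local's crypto map entries, comparing those aimed at remote with the far end."""
    issues = []
    for (name, seq), e in sorted(local["crypto_maps"].items()):
        tag = f"crypto map {name} {seq}"
        for key in ("acl", "peer", "transform_set"):
            if key not in e:
                issues.append(f"{tag}: missing {key.replace('_', '-')}")
        if "peer" in e and e["peer"] not in local["psk"]:
            issues.append(f"{tag}: no tunnel-group/pre-shared key for peer {e['peer']}")
        if not e.get("peer") or e["peer"] != remote["outside_ip"]:
            continue                          # remaining checks need the far end's config
        back = [f for f in remote["crypto_maps"].values() if f.get("peer") == local["outside_ip"]]
        if not back:
            issues.append(f"{tag}: far end has no crypto map entry for peer {local['outside_ip']}")
            continue
        if local["psk"].get(e["peer"]) != remote["psk"].get(local["outside_ip"]):
            issues.append(f"{tag}: pre-shared keys differ")
        mirrored = {(d, s) for s, d in acl_networks(remote, back[0].get("acl"))}
        if acl_networks(local, e.get("acl")) != mirrored:
            issues.append(f"{tag}: crypto ACL is not the mirror image of the far end's")
    return issues

# Constructed excerpts of the question's LA and NY configs, trimmed to what the checker reads.
COMMON = """\
object network N_10.10.0.0_16
 subnet 10.10.0.0 255.255.0.0
object network N_10.128.0.0_16
 subnet 10.128.0.0 255.255.0.0
interface G0/0
 nameif outside
"""
LA_CFG = COMMON + """\
 ip address 2.2.1.2 255.255.255.0
access-list IPSEC_NY_ACL extended permit ip object N_10.10.0.0_16 object N_10.128.0.0_16
tunnel-group 4.4.128.2 ipsec-attributes
 ikev1 pre-shared-key LA10toNY20
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key LA10toSF20
crypto map IPSEC_MAP 10 match address IPSEC_NY_ACL
crypto map IPSEC_MAP 10 set peer 4.4.128.2
crypto map IPSEC_MAP 10 set ikev1 transform-set IPSEC_SET
crypto map IPSEC_MAP 20 match address IPSEC_SF_ACL
crypto map IPSEC_MAP 20 set peer 2.2.2.2
"""
NY_CFG = COMMON + """\
 ip address 4.4.128.2 255.255.255.252
access-list IPSEC_NY_ACL extended permit ip object N_10.128.0.0_16 object N_10.10.0.0_16
tunnel-group 2.2.1.2 ipsec-attributes
 ikev1 pre-shared-key LA10toNY20
crypto map IPSEC_MAP 10 match address IPSEC_NY_ACL
crypto map IPSEC_MAP 10 set peer 2.2.1.2
crypto map IPSEC_MAP 10 set ikev1 transform-set IPSEC_SET
"""
```

Calling `audit(parse_asa(LA_CFG), parse_asa(NY_CFG))` reports the missing transform-set on LA's entry 20 and nothing for the LA-NY pair, whose keys and ACLs mirror correctly; the reverse call reports nothing. The ACL comparison resolves object names to subnets rather than comparing names, so it still works when the two sites name their objects differently. Checking all five sites means calling `audit` for each ordered pair whose crypto maps point at each other.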

1 Answer

Each ASA must know the networks behind the other ASAs - either with static routes or by setting up a routing protocol such as OSPF.

Without correct routes, all traffic goes to the default gateway.