VPN LAN to LAN with Cisco ASA and ISP router

network-engineering routing cisco vpn nat
2021-07-23 04:25:32

We want to set up a LAN-to-LAN tunnel VPN between our company and a customer, but the connection does not work. The network diagram is as follows:

Network diagram

Below is the full Cisco ASA configuration:

: Saved
:
ASA Version 9.1(2) 
!
hostname ASA
domain-name mycompany.local
enable password czov.cpL9DkL/AOc encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool Pool.Lyon 192.168.69.100-192.168.69.150 mask 255.255.255.0
!
interface GigabitEthernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 description LAN
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.6.9.1 255.255.255.0 
!
interface GigabitEthernet0/2
 description Connexion Internet
 nameif outside
 security-level 0
 ip address 192.168.1.200 255.255.255.0 
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.2.1 255.255.255.0 
!
boot system disk0:/asa912-smp-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.6.9.5
 name-server 10.3.3.5
 domain-name mycompany.local
object network RemoteLANCustomer
 subnet 172.31.30.84 255.255.255.252
 description Reseau Local Customer
object network LocalLAN
 subnet 10.6.9.0 255.255.255.0
 description LAN mycompany
object network HoteDistantCustomer
 host 109.x.x.4
object network vHANDLYO
 host 10.6.9.5
object service RDP
 service tcp source eq 3389 destination eq 3389 
object network LANTours
 subnet 10.3.7.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.6.9.0 255.255.255.0 172.31.30.84 255.255.255.252 
access-list outside_access_in extended permit tcp any object vHANDLYO eq 3389 
pager lines 24
logging enable
logging trap notifications
logging asdm debugging
logging host inside 10.3.3.100
mtu inside 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm733.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic LocalLAN interface
nat (inside,outside) source static vHANDLYO vHANDLYO no-proxy-arp
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 10.0.0.0 255.0.0.0 10.6.9.15 1
route outside 109.x.x.4 255.255.255.255 192.168.1.1 1
route outside 172.31.30.84 255.255.255.252 192.168.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.0.0.0 inside
snmp-server host inside 10.3.3.50 community ***** version 2c
snmp-server location France
snmp-server contact contact@mycompany.fr
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer 109.x.x.4 
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 3600
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 3600
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 10.6.9.5 10.3.3.5 interface inside
dhcpd lease 28800 interface inside
dhcpd domain mycompany.local interface inside
dhcpd option 3 ip 10.6.9.16 10.6.9.15 interface inside
dhcpd option 6 ip 10.6.9.5 10.3.3.5 interface inside
dhcpd option 42 ip 10.6.9.5 10.3.3.5 interface inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.6.9.5 source inside
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.08009-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_ClientVPN internal
group-policy GroupPolicy_ClientVPN attributes
 wins-server value 10.6.9.5
 dns-server value 10.6.9.5
 vpn-tunnel-protocol ssl-client 
 default-domain value mycompany.local
group-policy GroupPolicy_109.x.x.4 internal
group-policy GroupPolicy_109.x.x.4 attributes
 vpn-tunnel-protocol ikev1 
username * encrypted privilege 15
username * encrypted privilege 15
tunnel-group 109.x.x.4 type ipsec-l2l
tunnel-group 109.x.x.4 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group ClientVPN type remote-access
tunnel-group ClientVPN general-attributes
 address-pool Pool.Lyon
 default-group-policy GroupPolicy_ClientVPN
tunnel-group ClientVPN webvpn-attributes
 group-alias ClientVPN enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:a0b795c9e166e7284056fe3de509b867
: end

The ISP router configuration is detailed in the network diagram.

On the customer's firewall there is no traffic at all coming from the Cisco ASA. Can someone explain to me the different steps to set up the tunnel correctly?
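An added example, not part of the question or of either answer: a small Python audit of the prerequisites an ASA 8.3+/9.x LAN-to-LAN tunnel needs before it will even be initiated, run against a constructed excerpt of the configuration posted above. It walks the Section 1 (manual) NAT rules in order, as the ASA does, to see whether the crypto ACL's interesting traffic reaches the crypto map untranslated, lists the DES/3DES/MD5 transform-sets the crypto map offers, and confirms the peer has an ipsec-l2l tunnel-group. The identity-NAT line in FIXED_CONFIG is an assumed fix, included only to show what a passing result looks like.

```python
"""Added example, not from the original post: audit an ASA 8.3+/9.x config for
what silently stops an IKEv1 LAN-to-LAN tunnel from being initiated."""
import ipaddress
import re

# Constructed sample: an excerpt of the configuration posted in the question.
ASA_CONFIG = """\
object network RemoteLANCustomer
 subnet 172.31.30.84 255.255.255.252
object network LocalLAN
 subnet 10.6.9.0 255.255.255.0
object network vHANDLYO
 host 10.6.9.5
access-list outside_cryptomap extended permit ip 10.6.9.0 255.255.255.0 172.31.30.84 255.255.255.252
nat (inside,outside) source dynamic LocalLAN interface
nat (inside,outside) source static vHANDLYO vHANDLYO no-proxy-arp
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 109.x.x.4
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-3DES-SHA ESP-DES-SHA ESP-DES-MD5
tunnel-group 109.x.x.4 type ipsec-l2l
"""
# Assumed fix: an identity-NAT exemption inserted ABOVE the dynamic PAT rule
# (Section 1 manual NAT is evaluated top-down; the first match wins).
EXEMPTION = ("nat (inside,outside) source static LocalLAN LocalLAN destination "
             "static RemoteLANCustomer RemoteLANCustomer no-proxy-arp route-lookup\n")
FIXED_CONFIG = ASA_CONFIG.replace("nat (inside,outside) source dynamic",
                                  EXEMPTION + "nat (inside,outside) source dynamic", 1)
WEAK_TOKENS = {"DES", "3DES", "MD5"}  # single DES, Sweet32-affected 3DES, HMAC-MD5
ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_objects(cfg):
    """Map 'object network' names to ip_network (subnet and host objects)."""
    objects, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            current = m.group(1)
        elif current and (m := re.match(r"\s+subnet (\S+) (\S+)", line)):
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif current and (m := re.match(r"\s+host (\S+)", line)):
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/32")
    return objects


def covers(objects, name, net):
    """True if the named object (or 'any') contains the whole network."""
    target = ANY if name in ("any", "any4") else objects.get(name)
    return target is not None and net.subnet_of(target)


def crypto_acl_pairs(cfg, acl):
    """(src, dst) networks the crypto ACL marks as interesting traffic."""
    pat = rf"access-list {re.escape(acl)} extended permit ip (\S+) (\S+) (\S+) (\S+)"
    return [(ipaddress.ip_network(f"{a}/{b}"), ipaddress.ip_network(f"{c}/{d}"))
            for a, b, c, d in re.findall(pat, cfg)]


def first_matching_nat(cfg, objects, src, dst):
    """Walk Section 1 (manual) NAT rules top-down, as the ASA does; return
    (rule, is_identity) for the first rule matching src -> dst."""
    pat = (r"nat \(\S+\) source (dynamic|static) (\S+) (\S+)"
           r"(?: destination static (\S+) (\S+))?")
    for line in cfg.splitlines():
        m = re.match(pat, line)
        if not m or not covers(objects, m.group(2), src):
            continue
        kind, real_src, mapped_src, real_dst, mapped_dst = m.groups()
        if real_dst and not covers(objects, real_dst, dst):
            continue
        identity = (kind == "static" and real_src == mapped_src
                    and (real_dst is None or real_dst == mapped_dst))
        return line, identity
    return None, False


def nat_findings(cfg):
    """Crypto-ACL pairs that a NAT rule rewrites before the crypto map sees them."""
    objects = parse_objects(cfg)
    acl = re.search(r"crypto map \S+ \d+ match address (\S+)", cfg).group(1)
    findings = []
    for src, dst in crypto_acl_pairs(cfg, acl):
        rule, identity = first_matching_nat(cfg, objects, src, dst)
        if rule and not identity:
            findings.append(f"{src} -> {dst} is rewritten by '{rule}' before the "
                            f"crypto map is consulted, so it never matches {acl}")
    return findings


def weak_transform_sets(cfg):
    """Transform-sets offered by the crypto map that use DES, 3DES or MD5."""
    offered = re.search(r"set ikev1 transform-set (.+)", cfg).group(1).split()
    return [t for t in offered if set(t.split("-")) & WEAK_TOKENS]


def peer_has_tunnel_group(cfg):
    """The crypto map peer must have a matching 'tunnel-group <peer> type ipsec-l2l'."""
    peer = re.search(r"crypto map \S+ \d+ set peer (\S+)", cfg).group(1)
    return bool(re.search(rf"tunnel-group {re.escape(peer)} type ipsec-l2l", cfg))


if __name__ == "__main__":
    for label, cfg in (("posted", ASA_CONFIG), ("with exemption", FIXED_CONFIG)):
        print(label, nat_findings(cfg) or "interesting traffic reaches the crypto map untranslated")
    print("weak:", weak_transform_sets(ASA_CONFIG), "l2l tunnel-group:", peer_has_tunnel_group(ASA_CONFIG))
```

Rule order is the whole point on 8.3+ code: the first matching manual NAT rule wins, so an exemption placed below `nat (inside,outside) source dynamic LocalLAN interface` would never be reached. On the box itself, `show nat` (translate hit counters) and `packet-tracer input inside tcp 10.6.9.10 1025 172.31.30.85 3389` show which NAT rule a packet for the remote /30 actually hits and whether the VPN phase is reached.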

2 Answers

The setup above will not work as-is because your ASA sits behind the ISP router. For the VPN to work in this implementation you have to use NAT-T (NAT Traversal). This is because ESP is its own protocol and the ISP router does not know what to do with it. With NAT-T you encapsulate (essentially repackage) the ESP packets inside UDP packets.

Note: even if the customer is the only device using NAT, NAT-T needs to be configured on both sides so that each knows what has to be done with the traffic.

To enable NAT-T on the ASA:

hostname(config)# crypto isakmp nat-traversal 3600

The above sets the NAT timeout to one hour; you can reduce it if you run into problems.

hostname(config)# crypto ipsec fragmentation before-encryption

To enable NAT-T on the SRX:

As long as your SRX configuration does not contain the following command, the VPN will work fine:

no-nat-traversal;

Also, on the customer's ISP router you are forwarding the ports to the ASA's internal address. You should forward the traffic to the ASA's outside interface.
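An added example that is not part of the answer above: the NAT-T mechanics it refers to, in Python, as the bytes a capture on the ISP router would show. It computes the RFC 3947 NAT-D hashes with which both peers discover a NAT in the path (the ASA's real outside address 192.168.1.200 versus the public address the customer's gateway sees, for which 203.0.113.10 is an assumed placeholder), frames IKE, ESP and keepalives for UDP/4500 the way RFC 3948 specifies, and demultiplexes them again on the receiving side. The SPI values and packet bodies are constructed.

```python
"""Added example (not from the answer above): NAT detection and UDP/4500
framing for IPsec NAT-T, with constructed sample packets."""
import hashlib
import ipaddress
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"        # RFC 3948 s.2.2: IKE inside UDP/4500
NAT_KEEPALIVE = b"\xff"                     # RFC 3948 s.2.3: one byte on UDP/4500
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")   # 28-byte IKEv1/IKEv2 header
EXCHANGE_NAMES = {2: "IKEv1 Main Mode", 4: "IKEv1 Aggressive", 5: "IKEv1 Informational",
                  32: "IKEv1 Quick Mode", 34: "IKEv2 IKE_SA_INIT", 35: "IKEv2 IKE_AUTH",
                  36: "IKEv2 CREATE_CHILD_SA", 37: "IKEv2 INFORMATIONAL"}


def nat_d_hash(spi_i, spi_r, ip, port):
    """RFC 3947 s.3.2 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port) over the
    network-order address and port. Each peer sends one for its own address and
    one for the address it sees the other side at."""
    return hashlib.sha1(spi_i + spi_r + ipaddress.ip_address(ip).packed
                        + struct.pack("!H", port)).digest()


def nat_detected(spi_i, spi_r, real_ip, real_port, seen_ip, seen_port):
    """What the peer concludes when our NAT-D hash (computed over the address we
    think we have) differs from the hash over the address it actually received
    from: a NAT is in the path, and IKE plus ESP float to UDP/4500."""
    return (nat_d_hash(spi_i, spi_r, real_ip, real_port)
            != nat_d_hash(spi_i, spi_r, seen_ip, seen_port))


def build_isakmp(spi_i, spi_r, exchange, body, version=0x10, next_payload=1, msg_id=0, flags=0):
    """ISAKMP/IKE header followed by body. version 0x10 = IKEv1, 0x20 = IKEv2."""
    return ISAKMP_HDR.pack(spi_i, spi_r, next_payload, version, exchange, flags,
                           msg_id, ISAKMP_HDR.size + len(body)) + body


def build_esp(spi, seq, ciphertext):
    """ESP header (RFC 4303): SPI, sequence number, then the encrypted payload.
    SPIs 0-255 are reserved, so a real SPI never looks like the Non-ESP marker."""
    if spi <= 255:
        raise ValueError("SPI values 0-255 are reserved")
    return struct.pack("!II", spi, seq) + ciphertext


def udp4500_encapsulate(kind, payload):
    """Frame a packet for UDP/4500 as RFC 3948 does."""
    if kind == "ike":
        return NON_ESP_MARKER + payload
    if kind == "esp":
        return payload          # ESP travels as-is; its non-zero SPI distinguishes it
    if kind == "keepalive":
        return NAT_KEEPALIVE
    raise ValueError(kind)


def udp4500_classify(datagram):
    """Demultiplex a UDP/4500 payload the way the receiving gateway does."""
    if datagram == NAT_KEEPALIVE:
        return "keepalive", {}
    if datagram[:4] == NON_ESP_MARKER:
        spi_i, spi_r, nxt, ver, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(datagram, 4)
        return "ike", {"version": f"{ver >> 4}.{ver & 0xF}",
                       "exchange": EXCHANGE_NAMES.get(exch, exch),
                       "responder_spi_set": spi_r != bytes(8), "length": length}
    spi, seq = struct.unpack_from("!II", datagram)
    return "esp", {"spi": spi, "seq": seq}


# Constructed sample: the ASA's real outside address is 192.168.1.200 (from the
# posted config); 203.0.113.10 is an assumed stand-in for the public address the
# customer's peer sees after the ISP router's NAT.
SPI_I = bytes.fromhex("a1b2c3d4e5f60718")
SPI_R = bytes(8)                                            # zero in the first Main Mode message
SAMPLE_IKE = build_isakmp(SPI_I, SPI_R, 2, b"\x00" * 40)   # placeholder SA payload
SAMPLE_ESP = build_esp(0x1234ABCD, 1, b"\xaa" * 32)         # placeholder ciphertext

if __name__ == "__main__":
    print("NAT detected:", nat_detected(SPI_I, SPI_R, "192.168.1.200", 500, "203.0.113.10", 500))
    for kind, pkt in (("ike", SAMPLE_IKE), ("esp", SAMPLE_ESP), ("keepalive", b"")):
        print(kind, "->", udp4500_classify(udp4500_encapsulate(kind, pkt)))
```

Two practical consequences for the setup in the question follow from this framing: the ISP router has to forward UDP/500 and UDP/4500 to the ASA's outside address 192.168.1.200 (plain ESP, IP protocol 50, has no port and cannot be port-forwarded at all), and a capture on the router should show IKE on UDP/500 first and then, once the NAT-D hashes mismatch, everything including ESP moving to UDP/4500.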

This is my first post here, so take it mostly as food for thought.

I have run into a similar situation, but we found it best to use the ISP-provided router for the modem function only. We basically bridged the ASA to the ISP-provided modem/router. That eliminated the need for this double-NAT situation and will reduce packet overhead. You will most likely have to adjust the MTU settings as well.