GNS3模拟ASA做IPSEC ×××

GNS3中模拟ASA防火墙做IPsec ×××

拓扑图：

拓扑说明：

ASA1与ASA2 E0口相连模拟外网区域，R1、R2的E0口与ASA E1口相连模拟内网区域。

配置脚本：

ASA1# sh run

: Saved

:

ASA Version 8.0(2)

!

hostname ASA1

enable password 8Ry2YjIyt7RRXU24 encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 12.1.1.1255.255.255.0

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Ethernet0/2

shutdown

nonameif

nosecurity-level

noip address

!

interface Ethernet0/3

shutdown    

nonameif

nosecurity-level

noip address

!

interface Ethernet0/4

shutdown

nonameif

nosecurity-level

noip address

!

interface Ethernet0/5

shutdown

nonameif

nosecurity-level

noip address

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

access-list 1 extended permiticmp any any

access-list 101 extended permitip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

pager lines 24

mtu outside 1500

mtu inside 1500

no failover  

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat-control      //启用NAT功能

global (outside) 1 interface      //PAT

nat (inside) 0 access-list 101    //NAT免除（注：8.3版本以前的必须做！）

nat (inside) 1 0.0.0.00.0.0.0

access-group 1 in interfaceoutside   //在外网接口调用ACL List 1

route outside 0.0.0.00.0.0.0 12.1.1.2 1   //写条默认路由，下一跳指向ASA2的E0 口IP

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h2251:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-recordDfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmpauthentication linkup linkdown coldstart

crypto ipsec transform-set mysetesp-3des esp-md5-hmac   //创建IPsec交换集

crypto map mymap 10 match address101          //匹配感兴趣流量

crypto map mymap 10 set peer 12.1.1.2  //定义对端Peer为ASA2的E0口IP

crypto map mymap 10 settransform-set myset      //绑定交换集

crypto map mymap interfaceoutside             //将MAP应用到外部接口

crypto isakmp enable outside                  //外部启用isakmp

crypto isakmp policy 10             //定义isakmap策略10

authentication pre-share          //认证方式，采用预共享密钥

encryption 3des                //加密算法

hash md5                   //hash校验

group 2                    //密钥长度

lifetime 86400              生存周期（可选，默认为86400）

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hashsha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

!

!

tunnel-group 12.1.1.2type ipsec-l2l

tunnel-group 12.1.1.2ipsec-attributes

pre-shared-key *                //这里就是之前我们定义的Pre-shared-key

prompt hostname context

Cryptochecksum:00000000000000000000000000000000

: end

ASA1#

ASA2# sh run

: Saved

:

ASA Version 8.0(2)

!

hostname ASA2

enable password 8Ry2YjIyt7RRXU24 encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 12.1.1.2255.255.255.0

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.2.1 255.255.255.0

!

interface Ethernet0/2

shutdown

nonameif

nosecurity-level

noip address

!

interface Ethernet0/3

shutdown    

nonameif

nosecurity-level

noip address

!

interface Ethernet0/4

shutdown

nonameif

nosecurity-level

noip address

!

interface Ethernet0/5

shutdown

nonameif

nosecurity-level

noip address

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

access-list 1 extended permiticmp any any

access-list 101 extended permitip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

pager lines 24

mtu outside 1500

mtu inside 1500

no failover  

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 0 access-list 101

nat (inside) 1 0.0.0.00.0.0.0

access-group 1 in interfaceoutside

route outside 0.0.0.00.0.0.0 12.1.1.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h2251:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-recordDfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authenticationlinkup linkdown coldstart

crypto ipsec transform-set mysetesp-3des esp-md5-hmac

crypto map mymap 10 match address101

crypto map mymap 10 set peer 12.1.1.1

crypto map mymap 10 settransform-set myset

crypto map mymap interfaceoutside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hashsha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

!

!

tunnel-group 12.1.1.1type ipsec-l2l

tunnel-group 12.1.1.1ipsec-attributes

pre-shared-key *

prompt hostname context

Cryptochecksum:00000000000000000000000000000000

: end

ASA2#

R1#sh run

Building configuration...

Current configuration : 776 bytes

!

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R1

!

boot-start-marker

boot-end-marker

!

!

memory-size iomem 15

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

no aaa new-model

ip subnet-zero

no ip routing              //关闭R1的路由功能，模拟PC

!

!        

no ip domain lookup

!

no ip cef

ip audit po max-events 100

no ftp-server write-enable

!

!

!

!

!

!

!

interface Ethernet0

ip address 192.168.1.2 255.255.255.0

noip route-cache

half-duplex

!

interface FastEthernet0

noip address

noip route-cache

shutdown

speed auto

!        

ip default-gateway 192.168.1.1   //配置默认网关

ip classless

no ip http server

no ip http secure-server

!

!

!

!

line con 0

exec-timeout 0 0

logging synchronous

line aux 0

line vty 0 4

!

end

R1#  

R2#sh run

Building configuration...

Current configuration : 776 bytes

!

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R2

!

boot-start-marker

boot-end-marker

!

!

memory-size iomem 15

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

no aaa new-model

ip subnet-zero

no ip routing

!

!        

no ip domain lookup

!

no ip cef

ip audit po max-events 100

no ftp-server write-enable

!

!

!

!

!

!

!

interface Ethernet0

ipaddress 192.168.2.2 255.255.255.0

noip route-cache

half-duplex

!

interface FastEthernet0

noip address

noip route-cache

shutdown

speed auto

!        

ip default-gateway 192.168.2.1

ip classless

no ip http server

no ip http secure-server

!

!

!

!

line con 0

exec-timeout 0 0

logging synchronous

line aux 0

line vty 0 4

!

end

R2#

我们在ASA1上开启debug，由于GNS3模拟ASA还存在诸多问题，所以debug没有反应，但我们ping测试还是可以的。

ASA1# debug crypto isakmp

ASA1# debug crypto ipsec

ASA1# debug icmp trace

在R1上测试下，可以多ping几个包

R1#ping 192.168.2.2 repeat 30  

Type escape sequence to abort.

Sending 30, 100-byte ICMP Echos to192.168.2.2, timeout is 2 seconds:

..!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Success rate is 93 percent (28/30),round-trip min/avg/max = 164/202/300 ms

R1#

可以看到，前面丢了两个包，那是因为isakmp和ike协商协商的过程。后面还是通了。

在ASA1上的ICMP 调试信息

ASA1# ICMP echo request from inside:192.168.1.2 tooutside:192.168.2.2 ID=8 seq=0 len=72

ICMP echo reply from outside:192.168.2.2 to inside:192.168.1.2 ID=8seq=0 len=72

ICMP echo request from inside:192.168.1.2 to outside:192.168.2.2ID=8 seq=1 len=72

ICMP echo reply from outside:192.168.2.2 to inside:192.168.1.2 ID=8seq=1 len=72

ICMP echo request from inside:192.168.1.2 to outside:192.168.2.2ID=8 seq=2 len=72

ICMP echo reply from outside:192.168.2.2 to inside:192.168.1.2 ID=8seq=2 len=72

ICMP echo request from inside:192.168.1.2 to outside:192.168.2.2ID=8 seq=3 len=72

ICMP echo reply from outside:192.168.2.2 to inside:192.168.1.2 ID=8seq=3 len=72

ICMP echo request from inside:192.168.1.2 to outside:192.168.2.2ID=8 seq=4 len=72

ICMP echo reply from outside:192.168.2.2 to inside:192.168.1.2 ID=8seq=4 len=72

ASA1#

我们再来ASA1上show看下，

ASA1# show crypto isakmp sa

 Active SA: 1

  Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1  IKE Peer: 12.1.1.2

  Type    : L2L             Role    : initiator

  Rekey   : no              State  : MM_ACTIVE

ASA1#

ASA1# show crypto isakmp stats

Global IKE Statistics

Active Tunnels: 1

Previous Tunnels: 2

In Octets: 17144

In Packets: 196

In Drop Packets: 1

In Notifys: 187

In P2 Exchanges: 0

In P2 Exchange Invalids: 0

In P2 Exchange Rejects: 0

In P2 Sa Delete Requests: 0

Out Octets: 17548

Out Packets: 199

Out Drop Packets: 0

Out Notifys: 374

Out P2 Exchanges: 2

Out P2 Exchange Invalids: 0

Out P2 Exchange Rejects: 0

Out P2 Sa Delete Requests: 1

Initiator Tunnels: 2

Initiator Fails: 0

Responder Fails: 0

System Capacity Fails: 0

Auth Fails: 0

Decrypt Fails: 0

Hash Valid Fails: 0

No Sa Fails: 0

ASA1#

ASA1# show crypto ipsec sa

interface: outside

  Crypto map tag: mymap, seq num: 10, local addr: 12.1.1.1

    access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0255.255.255.0

    local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

    remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)

    current_peer: 12.1.1.2

    #pkts encaps: 28, #pkts encrypt: 28, #pkts digest: 28

    #pkts decaps: 28, #pkts decrypt: 28, #pkts verify: 28

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 28, #pkts comp failed: 0, #pkts decomp failed: 0

    #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

    #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

    #send errors: 0, #recv errors: 0

    local crypto endpt.: 12.1.1.1, remote cryptoendpt.: 12.1.1.2

    path mtu 1500, ipsec overhead 58, media mtu 1500

    current outbound spi: 49BD5F83

  inbound esp sas:

    spi: 0x9F6046AC (2673886892)

       transform: esp-3des esp-md5-hmac none

       in use settings ={L2L, Tunnel, }

       slot: 0, conn_id: 8192, crypto-map: mymap

       sa timing: remaining key lifetime (kB/sec): (3824997/28536)

       IV size: 8 bytes

       replay detection support: Y

  outbound esp sas:

    spi: 0x49BD5F83 (1237147523)

       transform: esp-3des esp-md5-hmac none

       in use settings ={L2L, Tunnel, }

       slot: 0, conn_id: 8192, crypto-map: mymap

       sa timing: remaining key lifetime (kB/sec): (3824997/28536)

       IV size: 8 bytes

       replay detection support: Y

ASA1#

ASA1# show crypto ipsec stats

IPsec Global Statistics

-----------------------

Active tunnels: 1

Previous tunnels: 2

Inbound

  Bytes: 9000

  Decompressed bytes: 9000

  Packets: 90

  Dropped packets: 0

  Replay failures: 0

  Authentications: 90

  Authentication failures: 0

   Decryptions: 90

  Decryption failures: 0

  Decapsulated fragments needing reassembly: 0

Outbound

  Bytes: 9000

  Uncompressed bytes: 9000

  Packets: 90

  Dropped packets: 0

  Authentications: 90

  Authentication failures: 0

  Encryptions: 90

  Encryption failures: 0

  Fragmentation successes: 0

      Pre-fragmentation successses: 0

      Post-fragmentation successes: 0

  Fragmentation failures: 0

      Pre-fragmentation failures: 0

      Post-fragmentation failures: 0

  Fragments created: 0

  PMTUs sent: 0

  PMTUs rcvd: 0

Protocol failures: 0

Missing SA failures: 0

System capacity failures: 0

ASA1#