Cisco ASA VPN Configuration

1. Configuring the VPN connection

1.1 PC1 configuration

PC1>en
PC1#conf t
PC1(config)#interface f0/0
PC1(config-if)#ip address 192.168.1.2 255.255.255.0
PC1(config-if)#no sh
PC1(config-if)#exit
PC1(config)#no ip routing
PC1(config)#ip default-gateway 192.168.1.1

1.2 PC2 configuration

PC2>en
PC2#conf terminal
PC2(config)#in f 0/0
PC2(config-if)#ip add 192.168.2.2 255.255.255.0
PC2(config-if)#no sh
PC2(config-if)#exit
PC2(config)#no ip routing
PC2(config)#ip default-gateway 192.168.2.1

1.3 PNAT configuration

PNAT is the NAT router between BJASA's outside interface (192.168.10.1) and the ISP. It overloads all inside traffic onto f0/0 (10.0.0.1) and, because the remote ASA has to reach BJASA as an IPsec peer through that NAT, statically maps UDP 500 (IKE) and UDP 4500 (NAT-T) on 10.0.0.1 back to 192.168.10.1.

PNAT>en
PNAT#conf terminal
PNAT(config)#in f 0/0
PNAT(config-if)#ip add 10.0.0.1 255.255.255.0
PNAT(config-if)#no sh
PNAT(config-if)#exit
PNAT(config)#in f 1/0
PNAT(config-if)#ip add 192.168.10.2 255.255.255.0
PNAT(config-if)#no sh
PNAT(config-if)#exit
PNAT(config)#access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
PNAT(config)#access-list 100 permit ip any any
PNAT(config)#ip nat inside source list 100 interface f 0/0 overload
PNAT(config)#ip nat inside source static udp 192.168.10.1 4500 int f 0/0 4500
PNAT(config)#ip nat inside source static udp 192.168.10.1 500 int f 0/0 500
PNAT(config)#in f 0/0
PNAT(config-if)#ip nat outside
PNAT(config-if)#exit
PNAT(config)#in f 1/0
PNAT(config-if)#ip nat inside
PNAT(config-if)#exit
PNAT(config)#ip route 0.0.0.0 0.0.0.0 10.0.0.2
PNAT(config)#ip route 192.168.1.0 255.255.255.0 192.168.10.1
PNAT(config)#exit
PNAT#debug ip nat
IP NAT debugging is on

1.4 ISP configuration

ISP>en
ISP#conf t
ISP(config)#in f 0/0
ISP(config-if)#ip add 10.0.0.2 255.255.255.0
ISP(config-if)#no sh
ISP(config-if)#exit
ISP(config)#in f 1/0
ISP(config-if)#ip add 10.1.1.2 255.255.255.0
ISP(config-if)#no sh
ISP(config-if)#exit
ISP(config)#enable password 456
ISP(config)#line vty 0 4
ISP(config-line)#password 123
ISP(config-line)#login
ISP(config-line)#exit

1.5 BJASA configuration

ciscoasa> en
Password:
ciscoasa# conf t
ciscoasa(config)# int e0/1
ciscoasa(config-if)# ip add 192.168.10.1 255.255.255.0
ciscoasa(config-if)# no sh
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# exit
ciscoasa(config)# int e 0/0
ciscoasa(config-if)# ip add 192.168.1.1 255.255.255.0
ciscoasa(config-if)# no sh
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# exit
ciscoasa(config)# route outside 0 0 192.168.10.2
ciscoasa(config)# crypto isakmp enable outside
ciscoasa(config)# crypto isakmp policy 1
ciscoasa(config-isakmp-policy)# encryption des
ciscoasa(config-isakmp-policy)# group 2
ciscoasa(config-isakmp-policy)# authentication pre-share
ciscoasa(config-isakmp-policy)# hash sha
ciscoasa(config-isakmp-policy)# exit
ciscoasa(config)# crypto isakmp key benet-key address 10.1.1.1
ciscoasa(config)# access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ciscoasa(config)# crypto ipsec transform-set benet-set esp-des esp-sha-hmac
ciscoasa(config)# crypto map benet-map 1 set transform-set benet-set
ciscoasa(config)# crypto map benet-map 1 set peer 10.1.1.1
ciscoasa(config)# crypto map benet-map 1 match address 100
ciscoasa(config)# crypto map benet-map interface outside

1.6 SHASA configuration

ciscoasa> en
Password:
ciscoasa# conf t
ciscoasa(config)# int e0/1
ciscoasa(config-if)# ip add 10.1.1.1 255.255.255.0
ciscoasa(config-if)# no sh
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# exit
ciscoasa(config)# int e 0/0
ciscoasa(config-if)# ip add 192.168.2.1 255.255.255.0
ciscoasa(config-if)# no sh
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# exit
ciscoasa(config)# crypto isakmp enable outside
ciscoasa(config)# crypto isakmp policy 1
ciscoasa(config-isakmp-policy)# encryption des
ciscoasa(config-isakmp-policy)# group 2
ciscoasa(config-isakmp-policy)# authentication pre-share
ciscoasa(config-isakmp-policy)# hash sha
ciscoasa(config-isakmp-policy)# exit
ciscoasa(config)# crypto isakmp key benet-key address 10.0.0.1
ciscoasa(config)# access-list 100 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ciscoasa(config)# crypto ipsec transform-set benet-set esp-des esp-sha-hmac
ciscoasa(config)# crypto map benet-map 1 set peer 10.0.0.1
ciscoasa(config)# crypto map benet-map 1 set transform-set benet-set
ciscoasa(config)# crypto map benet-map 1 match address 100
ciscoasa(config)# crypto map benet-map interface outside
ciscoasa(config)# route outside 0 0 10.1.1.2
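Both ASAs above negotiate IKEv1 with DES, SHA-1 and Diffie-Hellman group 2, protect traffic with esp-des esp-sha-hmac, and authenticate with the short dictionary-style pre-shared key benet-key. That is acceptable for a lab but not for real traffic: single DES has a 56-bit key and is broken, group 2 (1024-bit MODP) is below current minimums, and a guessable PSK lets anyone who can reach UDP 500 on 10.0.0.1 attempt to impersonate the peer. The fragment below is an added example, not part of the original lab, showing the BJASA-side crypto settings rewritten with stronger algorithms in the same pre-8.4 ASA syntax the lab uses; SHASA mirrors it with peer 10.0.0.1 and the reversed access-list. The pre-shared key is a placeholder (an assumption: generate your own long random value and install the same one on both peers).

```cisco
! --- As configured in the lab (weak) -------------------------------
! crypto isakmp policy 1
!  encryption des
!  hash sha
!  authentication pre-share
!  group 2
! crypto isakmp key benet-key address 10.1.1.1
! crypto ipsec transform-set benet-set esp-des esp-sha-hmac

! --- Hardened equivalent, BJASA side (added example) ---------------
crypto isakmp enable outside
! BJASA sits behind PNAT, so IKE must detect the NAT and carry ESP in
! UDP/4500. The lab's show output already reports NAT-T-Encaps without
! this line (enabled by default on that release); 20 is the keepalive
! interval in seconds, which keeps PNAT's UDP mapping alive when idle.
crypto isakmp nat-traversal 20
crypto isakmp policy 1
 encryption aes-256
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
! Placeholder PSK: replace with a random string of 32+ characters
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 10.1.1.1
! Phase 2: AES-256 with SHA-1 HMAC, and a 1 h SA lifetime instead of
! the 28800 s default visible in the lab's remaining-lifetime counters
crypto ipsec transform-set benet-set esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
! Crypto ACL and map as in the lab, plus PFS so a compromised phase 1
! key does not expose past phase 2 traffic
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map benet-map 1 match address 100
crypto map benet-map 1 set peer 10.1.1.1
crypto map benet-map 1 set transform-set benet-set
crypto map benet-map 1 set pfs group5
crypto map benet-map interface outside
```

On this IKEv1 syntax the hash choice is limited to md5/sha and the DH groups to 1/2/5/7, so group 5 is the best available; on ASA 8.4 and later the same settings are spelled crypto ikev1 enable / crypto ikev1 policy, the key moves under tunnel-group 10.1.1.1 ipsec-attributes as ikev1 pre-shared-key, and IKEv2 (crypto ikev2 policy) should be preferred there because it offers SHA-256 integrity and DH group 14 and above.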

2. Verification

We enabled NAT debugging on PNAT above; the main tests are as follows:

2.1 Telnet from PC1 to PNAT and check the debug output on PNAT

Telnet from PC1 to PNAT:

PC1#telnet 192.168.10.2
Trying 192.168.10.2 ... Open

Password required, but none set

[Connection to 192.168.10.2 closed by foreign host]

Debug output on PNAT:

PNAT#
*Mar 1 00:40:25.743: %SYS-5-CONFIG_I: Configured from console by console
PNAT#debug ip nat
IP NAT debugging is on
PNAT#
*Mar 1 00:41:27.275: NAT: s=192.168.10.1->10.0.0.1, d=10.1.1.1 [31819]
PNAT#
*Mar 1 00:41:35.259: NAT*: s=192.168.10.1->10.0.0.1, d=10.1.1.1 [22403]
PNAT#
*Mar 1 00:41:43.319: NAT*: s=192.168.10.1->10.0.0.1, d=10.1.1.1 [28533]
*Mar 1 00:41:43.331: NAT*: s=10.1.1.1, d=10.0.0.1->192.168.10.1 [31955]
*Mar 1 00:41:43.431: NAT*: s=192.168.10.1->10.0.0.1, d=10.1.1.1 [23148]
*Mar 1 00:41:43.571: NAT*: s=10.1.1.1, d=10.0.0.1->192.168.10.1 [18199]
*Mar 1 00:41:43.643: NAT*: s=192.168.10.1->10.0.0.1, d=10.1.1.1 [6844]
*Mar 1 00:41:43.671: NAT*: s=10.1.1.1, d=10.0.0.1->192.168.10.1 [14619]
*Mar 1 00:41:43.707: NAT*: s=192.168.10.1->10.0.0.1, d=10.1.1.1 [27416]
*Mar 1 00:41:43.767: NAT*: s=10.1.1.1, d=10.0.0.1->192.168.10.1 [31555]
*Mar 1 00:41:43.779: NAT*: s=192.168.10.1->10.0.0.1, d=10.1.1.1 [6476]

The interesting traffic defined on the ASAs is 192.168.1.0/24 to 192.168.2.0/24, so PC1's telnet to PNAT (192.168.10.2) does not enter the VPN tunnel: BJASA forwards it in the clear and PNAT answers it directly (and refuses the login, since no vty password is set on PNAT). The debug lines above are not that telnet session either, because a packet addressed to PNAT's own inside interface is never translated. What they show is 192.168.10.1, BJASA's outside address, being translated to 10.0.0.1 toward 10.1.1.1 and back: the IKE and NAT-T exchange between the two ASA outside addresses passing through the static UDP 500/4500 mappings.

2.2 Ping 192.168.2.2 from PC1 and check the debug output on PNAT

Ping 192.168.2.2 from PC1:

PC1#ping 192.168.2.2 source 192.168.1.2 repeat 10

Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.2
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 44/59/84 ms

Debug output on PNAT:

PNAT#
*Mar 1 00:58:47.387: NAT*: s=192.168.10.1->10.0.0.1, d=10.1.1.1 [12777]
PNAT#
*Mar 1 00:58:48.611: NAT*: s=192.168.10.1->10.0.0.1, d=10.1.1.1 [18234]
*Mar 1 00:58:48.631: NAT*: s=10.1.1.1, d=10.0.0.1->192.168.10.1 [32288]
PNAT#
*Mar 1 00:58:58.635: NAT*: s=192.168.10.1->10.0.0.1, d=10.1.1.1 [13756]
*Mar 1 00:58:58.639: NAT*: s=10.1.1.1, d=10.0.0.1->192.168.10.1 [30459]
PNAT#
*Mar 1 00:59:07.407: NAT*: s=192.168.10.1->10.0.0.1, d=10.1.1.1 [1140]
PNAT#
*Mar 1 00:59:08.627: NAT*: s=192.168.10.1->10.0.0.1, d=10.1.1.1 [1443]
*Mar 1 00:59:08.655: NAT*: s=10.1.1.1, d=10.0.0.1->192.168.10.1 [27812]
PNAT#
*Mar 1 00:59:18.695: NAT*: s=192.168.10.1->10.0.0.1, d=10.1.1.1 [20356]
*Mar 1 00:59:18.723: NAT*: s=10.1.1.1, d=10.0.0.1->192.168.10.1 [25563]
PNAT#
*Mar 1 00:59:27.499: NAT*: s=192.168.10.1->10.0.0.1, d=10.1.1.1 [25863]
PNAT#
*Mar 1 00:59:28.723: NAT*: s=192.168.10.1->10.0.0.1, d=10.1.1.1 [5199]
*Mar 1 00:59:28.739: NAT*: s=10.1.1.1, d=10.0.0.1->192.168.10.1 [11844]
PNAT#
*Mar 1 00:59:38.747: NAT*: s=192.168.10.1->10.0.0.1, d=10.1.1.1 [16789]
*Mar 1 00:59:38.767: NAT*: s=10.1.1.1, d=10.0.0.1->192.168.10.1 [10411]
PNAT#
*Mar 1 00:59:47.595: NAT*: s=192.168.10.1->10.0.0.1, d=10.1.1.1 [17173]
PNAT#
*Mar 1 00:59:48.807: NAT*: s=192.168.10.1->10.0.0.1, d=10.1.1.1 [13977]
*Mar 1 00:59:48.831: NAT*: s=10.1.1.1, d=10.0.0.1->192.168.10.1 [2158]
PNAT#

The translations on PNAT look exactly as before: the only thing ever translated is 192.168.10.1 -> 10.0.0.1 toward 10.1.1.1. This is the VPN doing its job. The 192.168.1.0/24 <-> 192.168.2.0/24 traffic travels inside the tunnel, so the real inner addresses are never visible here (or to the ISP), and the deny entry for that address pair in PNAT's access-list 100 is not matched at all, because PNAT only ever sees the encrypted outer packets.

Now check the IKE SA status on BJASA:

ciscoasa# show crypto isakmp sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 10.1.1.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
ciscoasa#

The SA is active: MM_ACTIVE means IKEv1 main mode has completed, and BJASA shows as the initiator because the first interesting packet (PC1's ping) came from its side.

Check the IPsec SA details:

ciscoasa# show crypto ipsec sa
interface: outside
Crypto map tag: benet-map, seq num: 1, local addr: 192.168.10.1

access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 10.1.1.1

#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 20, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 192.168.10.1/4500, remote crypto endpt.: 10.1.1.1/4500
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 70E139B5

inbound esp sas:
spi: 0xECB3822C (3971187244)
transform: esp-des esp-sha-hmac none
in use settings ={L2L, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 4096, crypto-map: benet-map
sa timing: remaining key lifetime (kB/sec): (3824998/27507)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x70E139B5 (1893808565)
transform: esp-des esp-sha-hmac none
in use settings ={L2L, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 4096, crypto-map: benet-map
sa timing: remaining key lifetime (kB/sec): (3824998/27506)
IV size: 8 bytes
replay detection support: Y
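The output above also carries the evidence that the NAT box in the middle is being handled correctly: the local crypto endpoint is reported as 192.168.10.1/4500, the remote as 10.1.1.1/4500, and the in-use settings include NAT-T-Encaps, so BJASA detected the NAT during IKE and is wrapping ESP in UDP 4500, which is exactly what the static UDP 500/4500 entries on PNAT were reserved for. The encaps/decaps counters (9 each) match the ping that was just run. The checklist below is an added example, not part of the original lab, of the commands to confirm each hop of that path; the regex filters after the pipes are assumptions about what is worth isolating, not required syntax.

```cisco
! On PNAT (IOS): the static PAT entries for IKE (udp/500) and NAT-T (udp/4500)
! must be present, and the dynamic table should never show 192.168.1.x or
! 192.168.2.x, only the ASA outside address 192.168.10.1.
show ip nat translations | include :500|:4500
show ip nat statistics
! debug ip nat was a lab aid; it logs every translated packet and must not
! stay enabled on a box that forwards real traffic
undebug all

! On BJASA (behind PNAT): phase 1 state, role and negotiated proposal
show crypto isakmp sa detail
! Phase 2 counters must climb in both directions after a ping from PC1
show crypto ipsec sa peer 10.1.1.1 | include pkts
! NAT-T in use: endpoints reported with /4500 and settings containing NAT-T-Encaps
show crypto ipsec sa peer 10.1.1.1 | include endpt|NAT-T

! On SHASA (public side): the peer it sees is PNAT's outside address 10.0.0.1,
! never 192.168.10.1, which is why its isakmp key and crypto map point there
show crypto isakmp sa
show crypto ipsec sa peer 10.0.0.1 | include pkts|endpt
```

If the phase 1 SA never reaches MM_ACTIVE, check the udp/500 translation on PNAT first; if phase 1 is up but the IPsec counters stay at zero, check the udp/4500 translation, since NAT-T moves ESP onto that port as soon as the NAT is detected.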