vpn
Lab topology
lan_to_lan configuration: configure the internet router (r3) and the pix as a lan_to_lan vpn so that 192.168.3.1 and 192.168.11.1 can reach each other.
internet_r3:
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 218.18.100.254
crypto ipsec transform-set cisco esp-des esp-md5-hmac
crypto map smap 10 ipsec-isakmp
set peer 218.18.100.254
set transform-set cisco
match address vpn
reverse-route
ip access-list ex vpn
permit ip 192.168.3.0 0.0.0.255 192.168.11.0 0.0.0.255 (crypto ACL; must be the exact mirror image of the pix crypto ACL)
int e0/0
crypto map smap
pix:
crypto isakmp policy 10
group 1 (the router policy above uses its default DH group 1; pix 7 defaults to group 2, so set it explicitly or phase 1 will not match)
crypto isakmp key cisco address 218.18.100.3 (first way of entering it)
tunnel-group 218.18.100.3 type ipsec-l2l (second way; the second is recommended)
tunnel-group 218.18.100.3 ipsec-attributes (ipsec attributes)
pre-shared-key cisco
crypto ipsec transform-set cisco esp-des esp-md5-hmac
access-list vpn permit ip 192.168.11.0 255.255.255.0 192.168.3.0 255.255.255.0
crypto map smap 10 set peer 218.18.100.3 (after entering this you are still in global config mode)
crypto map smap 10 set transform-set cisco
crypto map smap 10 set reverse-route
crypto map smap 10 match address vpn
crypto map smap interface outside (apply the map to the interface)
crypto isakmp enable outside (on a router isakmp is enabled on all interfaces by default; on the pix it is not enabled on any interface until you do this)
crypto isakmp identity auto (on the router the identity is address; on the pix it is hostname; auto can be used so that the two sides agree)
sysopt connection permit-vpn (not on by default in pix 6.3, on by default in 7.0; with it, decrypted vpn traffic is allowed without an outside-interface ACL entry, even when it flows from a lower to a higher security level)
show crypto isakmp sa
show crypto ipsec sa
clear crypto isakmp sa
clear crypto ipsec sa
nat-control (with nat-control enabled the vpn does not work: every inside host needs a nat rule, so the vpn traffic must be exempted with nat 0)
access-list nonat permit ip 192.168.11.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list nonat
no nat-control (with nat-control off and no other nat rule, the exemption can be removed again)
no nat (inside) 0 access-list nonat
Inside users reaching the internet through nat.
nat (inside) 1 192.168.11.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat (nat 0 exempts the vpn traffic from the PAT rule so that both the vpn and internet access work)
internet_r3:
Effect of router nat on the vpn
ip access-list ex nat
permit ip 192.168.3.0 0.0.0.255 any
int lo0
ip nat inside
int e0/0
ip nat outside
ip nat inside source list nat interface e0/0 overload
ip access-list ex nat
5 deny ip 192.168.3.0 0.0.0.255 192.168.11.0 0.0.0.255 (ios translates inside-to-outside traffic before it is matched against the crypto map, so the vpn traffic must be denied in the nat ACL ahead of the permit-any entry; otherwise it leaves the router translated and never matches the crypto ACL)
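The three things that most often break a lan_to_lan tunnel in this lab are the crypto ACLs not being mirror images, the pix nat 0 exemption not covering the interesting traffic, and the router nat ACL translating the vpn traffic before the crypto map sees it. The following script is an added example, not from the original notes or Cisco: it parses the ios (wildcard mask) and pix (subnet mask) ACL lines exactly as written above, normalises them to network pairs with the standard library ipaddress module, and checks all three conditions. The ACL strings are copied from the lab config; the function names are my own.

```python
"""Sanity-check the LAN-to-LAN VPN ACLs from the lab notes (added example)."""
import ipaddress

# Constructed input: the ACL lines from the lab config above.
IOS_CRYPTO_ACL = ["permit ip 192.168.3.0 0.0.0.255 192.168.11.0 0.0.0.255"]
PIX_CRYPTO_ACL = ["permit ip 192.168.11.0 255.255.255.0 192.168.3.0 255.255.255.0"]
PIX_NONAT_ACL = ["permit ip 192.168.11.0 255.255.255.0 192.168.3.0 255.255.255.0"]
IOS_NAT_ACL = [
    "deny ip 192.168.3.0 0.0.0.255 192.168.11.0 0.0.0.255",   # sequence 5
    "permit ip 192.168.3.0 0.0.0.255 any",
]


def _addr(tokens, i, wildcard):
    """Consume one address spec (any | host A | A MASK) at tokens[i]; return (network, next_index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, mask = tok, tokens[i + 1]
    if wildcard:
        # IOS wildcard masks are inverted netmasks: 0.0.0.255 -> 255.255.255.0.
        # Invert explicitly so that a host wildcard 0.0.0.0 becomes /32, not /0.
        inv = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
        mask = str(ipaddress.IPv4Address(inv))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2


def parse_acl(lines, wildcard):
    """Return [(action, src_net, dst_net)] for 'permit|deny ip SRC DST' lines."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] not in ("permit", "deny") or t[1] != "ip":
            raise ValueError(f"unsupported ACL line: {line}")
        src, i = _addr(t, 2, wildcard)
        dst, _ = _addr(t, i, wildcard)
        entries.append((t[0], src, dst))
    return entries


def crypto_acls_mirror(ios_lines, pix_lines):
    """Each side's permit pairs must be exactly the reverse of the other's."""
    ios = {(s, d) for a, s, d in parse_acl(ios_lines, wildcard=True) if a == "permit"}
    pix = {(d, s) for a, s, d in parse_acl(pix_lines, wildcard=False) if a == "permit"}
    return ios == pix


def _covered(src, dst, entries):
    return any(a == "permit" and src.subnet_of(s) and dst.subnet_of(d) for a, s, d in entries)


def nat0_covers_crypto(pix_crypto_lines, pix_nonat_lines):
    """Every interesting-traffic pair must be NAT-exempt, else nat-control / PAT rewrites it."""
    nonat = parse_acl(pix_nonat_lines, wildcard=False)
    return all(_covered(s, d, nonat)
               for a, s, d in parse_acl(pix_crypto_lines, wildcard=False) if a == "permit")


def router_nat_exempts_vpn(ios_crypto_lines, ios_nat_lines):
    """IOS NATs inside->outside before the crypto map is consulted, so the first
    NAT-ACL entry matching each VPN pair must be a deny (or nothing must match)."""
    nat = parse_acl(ios_nat_lines, wildcard=True)
    for a, s, d in parse_acl(ios_crypto_lines, wildcard=True):
        if a != "permit":
            continue
        first = next((e for e in nat if s.subnet_of(e[1]) and d.subnet_of(e[2])), None)
        if first is not None and first[0] != "deny":
            return False
    return True


def check_all():
    """Run the three checks against the lab ACLs."""
    return {
        "crypto_mirror": crypto_acls_mirror(IOS_CRYPTO_ACL, PIX_CRYPTO_ACL),
        "pix_nat0_covers": nat0_covers_crypto(PIX_CRYPTO_ACL, PIX_NONAT_ACL),
        "router_nat_exempt": router_nat_exempts_vpn(IOS_CRYPTO_ACL, IOS_NAT_ACL),
    }


if __name__ == "__main__":
    for name, ok in check_all().items():
        print(f"{name}: {'OK' if ok else 'FAIL'}")
```

Removing the sequence-5 deny from IOS_NAT_ACL makes router_nat_exempt report FAIL, which is exactly the state the router is in before that line is added.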
easy vpn configuration
pix:
crypto isakmp policy 20
tunnel-group ezvpn type ipsec-ra
tunnel-group ezvpn ipsec-attributes
pre-shared-key cisco123
tunnel-group ezvpn general-attributes
address-pool vpnpool
ip local pool vpnpool 192.168.168.100-192.168.168.110
group-policy mode internal (a group policy named "mode", defined locally on the pix)
group-policy mode attributes
split-tunnel-policy tunnelspecified (only traffic matching the list goes through the encrypted tunnel)
split-tunnel-network-list value split (the ACL that defines the split-tunnel networks)
access-list split permit ip 192.168.11.0 255.255.255.0 any
username ipsecuser password cisco123
username ipsecuser attributes (enter the user's attributes)
vpn-group-policy mode (attach the group policy to the user)
crypto dynamic-map dmap 10 set transform-set cisco
crypto dynamic-map dmap 10 set reverse-route
crypto map smap 20 ipsec-isakmp dynamic dmap
aaa-server 3a protocol tacacs+
aaa-server 3a (inside) host 192.168.11.241
key cisco
tunnel-group ezvpn general-attributes
authentication-server-group LOCAL (xauth users come from the local database here; to use the tacacs+ server group instead, name it: authentication-server-group 3a)
access-list nonat permit ip 192.168.11.0 255.255.255.0 192.168.168.0 255.255.255.0 (exempt traffic to the vpn pool from nat)
crypto isakmp keepalive 10 3 (dpd, dead peer detection)
r5:
ip access-list ex nat
permit ip 192.168.5.0 0.0.0.255 any
int e0/0.1
ip nat inside
int e0/0.2
ip nat outside
ip nat inside source list nat interface e0/0.2 overload
pix:
crypto isakmp policy 20
hash md5
r5:
crypto ipsec nat-transparency udp-encapsulation (nat traversal)
pix:
group-policy mode attributes
ipsec-udp-port enable
ipsec-udp-port 10000
isakmp nat-traversal 20 (nat traversal; the 20 is the NAT-T keepalive interval in seconds)
isakmp ipsec-over-tcp port 10001 10002 10003
access-list locallan permit ip 192.168.5.0 255.255.255.0 any
group ezvpn key cisco123
group-policy mode attributes
no split-tunnel-policy tunnelspecified
no split-tunnel-network-list value split
split-tunnel-policy excludespecified (everything except the listed networks goes through the encrypted tunnel; the listed networks are reached in the clear, which is how local-LAN access is allowed)
split-tunnel-network-list value locallan
r2 as an ezvpn client
r2:
crypto ipsec client ezvpn cisco
peer 218.18.100.254
mode client
connect manual
int e0/0
crypto ipsec client ezvpn cisco outside
int lo0
crypto ipsec client ezvpn cisco inside
crypto ipsec client ezvpn connect
crypto ipsec client ezvpn xauth
show crypto ipsec client ezvpn
clear crypto ipsec client ezvpn
The hardware client does not support local-LAN access (excludespecified), so switch the group policy back to tunnelspecified.
pix:
group-policy mode attributes
no split-tunnel-network-list value locallan
no split-tunnel-policy tunnelspecified
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
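The two split-tunnel policies used above invert the meaning of the network list: with tunnelspecified the list is what gets encrypted, with excludespecified the list is what bypasses the tunnel. The following is an added example, not from the original notes or Cisco: it models the client's per-destination decision for the lab's "split" (192.168.11.0/24) and "locallan" (192.168.5.0/24) lists, and adds a check for the common mistake of excluding a network that overlaps the networks behind the head-end, which silently sends that traffic in the clear. The function names are my own.

```python
"""Model of the ezvpn split-tunnel decision (added example, not device code)."""
import ipaddress

# Networks from the split and locallan ACLs in the lab (the ACL source field
# is the network the policy refers to).
SPLIT = [ipaddress.ip_network("192.168.11.0/24")]
LOCALLAN = [ipaddress.ip_network("192.168.5.0/24")]

POLICIES = ("tunnelall", "tunnelspecified", "excludespecified")


def split_tunnel_path(policy, network_list, destination):
    """Return 'tunnel' or 'clear' for one destination address under the policy."""
    if policy not in POLICIES:
        raise ValueError(f"unknown split-tunnel-policy: {policy}")
    dst = ipaddress.ip_address(destination)
    listed = any(dst in net for net in network_list)
    if policy == "tunnelall":
        return "tunnel"                              # no split tunneling at all
    if policy == "tunnelspecified":
        return "tunnel" if listed else "clear"       # list = what to encrypt
    return "clear" if listed else "tunnel"           # excludespecified: list = local-LAN bypass


def path_table(policy, network_list, destinations):
    """Map each destination to its path; useful for eyeballing a policy change."""
    return {d: split_tunnel_path(policy, network_list, d) for d in destinations}


def exclusion_conflicts(exclude_list, protected_list):
    """Under excludespecified, any overlap between an excluded network and a
    network behind the head-end means that traffic goes in the clear and never
    reaches the inside. Return the overlapping (excluded, protected) pairs."""
    return [(str(e), str(p)) for e in exclude_list for p in protected_list if e.overlaps(p)]


if __name__ == "__main__":
    # Constructed destinations: an inside host, a local-LAN host, an internet host.
    dests = ["192.168.11.1", "192.168.5.10", "8.8.8.8"]
    for pol, lst in (("tunnelspecified", SPLIT), ("excludespecified", LOCALLAN)):
        print(pol, path_table(pol, lst, dests))
    print("conflicts:", exclusion_conflicts(LOCALLAN, SPLIT))
```

Note the difference for the internet host: under tunnelspecified it goes out in the clear, under excludespecified it is hairpinned through the pix, which is why the same-security-traffic permit intra-interface command further down matters for that policy.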
r2:
clear crypto ipsec client ezvpn
ip route 192.168.11.0 255.255.255.0 218.18.100.254
crypto ipsec client ezvpn cisco
mode network-extension (network extension mode)
pix:
group-policy mode attributes
nem enable (allow network extension mode for hardware clients)
access-list nonat permit ip 192.168.11.0 255.255.255.0 192.168.2.0 255.255.255.0 (exempt traffic to the client's real inside network from nat)
same-security-traffic permit inter-interface (allow traffic between different interfaces that have the same security level)
same-security-traffic permit intra-interface (allow traffic to enter and leave the same interface, e.g. between different vpn peers that are all connected on outside)
mqc (modular qos cli)
For a given traffic flow, first define the traffic that needs a policy (class-map), then define what to do with that traffic (policy-map); the action can be a security policy or a qos policy. Finally apply the policy-map to an interface or globally (service-policy).
Configure class-maps
pix1(config)#class-map se
pix1(config)#class-map exec
pix1(config)#class-map s2s_voice
pix1(config)#class-map internet
match types
access-list (match an ACL)
any (any packet)
default-inspection-traffic (the default inspected traffic)
dscp
flow
port
precedence
rtp
tunnel-group
policy-map configuration
pix1(config)#policy-map outside_policy
pix1(config-pmap)#class internet
police policy
pix1(config)#policy-map outside_policy
pix1(config-pmap)#class se
pix1(config-pmap-c)#police 56000 1000 conform-action transmit exceed-action drop (56000 bit/s with a 1000-byte conform burst; packets within the bucket are transmitted, the rest are dropped)
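The police action above is a single token bucket: it refills at the configured rate and holds at most the conform burst, and a packet is transmitted only if the bucket holds at least that many bytes. The following is an added example, not from the original notes or Cisco: it models that bucket for the lab's 56000 bit/s, 1000-byte policer and replays constructed packet traces through it to show which packets conform, which exceed, and why a conform burst smaller than your largest packet drops that packet every time. It models the algorithm, not the appliance's implementation; the class and function names are my own.

```python
"""Token-bucket model of 'police 56000 1000 conform-action transmit exceed-action drop'
(added example, not device code)."""


class SingleRatePolicer:
    """One token bucket: tokens are bytes, refilled at rate_bps/8 bytes per second,
    capped at burst_bytes. Integer maths in milliseconds keeps the model exact."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate_bps = rate_bps
        self.burst = burst_bytes
        self.tokens = burst_bytes      # the bucket starts full
        self.last_ms = 0

    def offer(self, t_ms, size):
        """Offer one packet of `size` bytes at time t_ms (non-decreasing); return the action."""
        elapsed = t_ms - self.last_ms
        # bits/s * ms / 8000 = bytes earned since the previous packet
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate_bps // 8000)
        self.last_ms = t_ms
        if size <= self.tokens:
            self.tokens -= size
            return "transmit"          # conform-action
        return "drop"                  # exceed-action (no tokens are consumed)


def run_policer(rate_bps, burst_bytes, packets):
    """packets: iterable of (time_ms, size_bytes) in time order. Returns the action per packet."""
    policer = SingleRatePolicer(rate_bps, burst_bytes)
    return [policer.offer(t, size) for t, size in packets]


def summarize(actions):
    """Count conforming and exceeding packets."""
    return {"transmit": actions.count("transmit"), "drop": actions.count("drop")}


if __name__ == "__main__":
    # Constructed traces for the lab's 56000 bit/s, 1000-byte policer.
    flood = [(i * 50, 1000) for i in range(10)]    # 1000 B every 50 ms = 160 kbit/s offered
    paced = [(i * 100, 700) for i in range(10)]    # 700 B every 100 ms = exactly 56 kbit/s
    jumbo = [(0, 1500)]                            # larger than the burst: can never conform
    for name, trace in (("flood", flood), ("paced", paced), ("jumbo", jumbo)):
        print(name, summarize(run_policer(56000, 1000, trace)))
```

With the flood trace the bucket earns 350 bytes per 50 ms, so only every third 1000-byte packet conforms; the paced trace at exactly the policed rate passes entirely. The jumbo case is the practical caveat: size the conform burst to at least the interface MTU, or full-size packets are dropped regardless of the offered rate.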
ips module
pix1(config)#policy-map outside_policy
pix1(config-pmap)#class internet
pix1(config-pmap-c)#ips inline fail-open (send the class through the ips module inline; fail-open lets traffic through if the module fails)
priority policy
pix1(config)#policy-map outside_policy
pix1(config-pmap)#class s2s_voice
pix1(config-pmap-c)#priority
set connection (connection limits)
conn-max (maximum number of connections)
embryonic-conn-max (maximum number of half-open connections)
random-sequence (initial sequence number randomization)
pix1(config)#policy-map outside_policy
pix1(config-pmap)#class dmz_servers
pix1(config-pmap-c)#set connection conn-max 200
pix1(config-pmap-c)#set connection embryonic-conn-max 25
service policy
pix1(config)#service-policy outside_policy interface outside