Cấu hình VPN Router-To-PIX Mô tả: Xem hình Dựa vào sơ đồ trên ta thấy, bài lab thực hiện tạo một tunnel private giữa 2 LAN qua một môi trường truyền public, ta sử dụng một router RI làm ISP router, để các PC trong LAN ra được internet, ta sử dụng NAT overload để ra ngoài, trừ những traffic trong nội bộ tunnel. Bài lab không đi sâu vào cách cấu hỉnh PIX như thế nào. Cấu hình: RA: Building configuration *Mar 1 00:34:25.701: %SYS-5-CONFIG_I: Configured from console by console Current configuration : 1205 bytes ! version 12.2 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname RA ! ! memory-size iomem 10 ip subnet-zero ! ! ! ! crypto isakmp policy 10 hash md5 authentication pre-share crypto isakmp key cisco address 172.17.63.213 ! ! crypto ipsec transform-set vnpro esp-des ! crypto map lee 10 ipsec-isakmp set peer 172.17.63.213 set transform-set vnpro match address 115 ! ! ! voice call carrier capacity active ! ! ! ! ! ! ! ! ! mta receive maximum-recipients 0 ! ! ! ! interface Ethernet0/0 ip address 10.2.2.1 255.255.255.0 ip nat inside half-duplex ! interface Serial0/0 ip address 172.17.63.230 255.255.255.240 ip nat outside no fair-queue crypto map lee ! ip nat inside source route-map nonat interface Serial0/0 overload ip classless ip route 0.0.0.0 0.0.0.0 172.17.63.225 ip http server ! ! access-list 110 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255 access-list 110 permit ip any any access-list 115 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255 ! route-map nonat permit 10 match ip address 110 ! call rsvp-sync ! ! mgcp profile default ! dial-peer cor custom ! ! ! ! ! line con 0 line aux 0 line vty 0 4 ! ! end PIX: PIX Version 6.3(1) interface ethernet0 auto ßup interface lên interface ethernet1 auto nameif ethernet0 outside security0 ßđặt tên cho interface, mặc định e0 là outside nameif ethernet1 inside security100 ße1 là inside enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted hostname PIX fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol ils 389 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 names access-list ipsec permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 ß cấu hình ACL để xác định traffic được mã hoá bảo vệ access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 ßxác định traffic được miễn NAT pager lines 24 mtu outside 1500 mtu inside 1500 ip address outside 172.17.63.213 255.255.255.240 ßcấu hình địa chỉ IP cho interface ip address inside 10.1.1.1 255.255.255.0 ip audit info action alarm ip audit attack action alarm pdm history enable arp timeout 14400 global (outside) 1 172.17.63.210 ßxác định tầm IP được NAT nat (inside) 0 access-list nonat ßxác định là traffic trong tunnel được miễn NAT nat (inside) 1 10.1.1.0 255.255.255.0 0 0 ßxác định các IP được NAT conduit permit icmp any any ßcho phép ping ra ngoài mạng route outside 0.0.0.0 0.0.0.0 172.17.63.209 1 ßcấu hình default gateway ra ngoài internet timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius aaa-server LOCAL protocol local no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-ipsec crypto ipsec transform-set vnpro esp-des ßcấu hình VPN như bên router crypto map lee 10 ipsec-isakmp crypto map lee 10 match address ipsec crypto map lee 10 set peer 172.17.63.230 crypto map lee 10 set transform-set vnpro crypto map lee interface outside isakmp enable outside isakmp key ******** address 172.17.63.230 netmask 255.255.255.255 isakmp identity address isakmp policy 10 authentication pre-share isakmp policy 10 encryption des isakmp policy 10 hash md5 isakmp policy 10 group 1 isakmp policy 10 lifetime 86400 telnet timeout 5 ssh timeout 5 console timeout 0 terminal width 80 Cryptochecksum:e52c775e9c04687097ae170f546a111b : end RI(gateway): Building configuration Current configuration : 841 bytes ! version 12.2 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname RI ! ! memory-size iomem 10 ip subnet-zero ! ! ! ! ! ! voice call carrier capacity active ! ! ! ! ! ! ! ! ! mta receive maximum-recipients 0 ! ! ! ! interface FastEthernet0/0 ip address 172.17.63.209 255.255.255.240 duplex auto speed auto ! interface Serial0/0 ip address 172.17.63.225 255.255.255.240 no fair-queue clockrate 64000 ! interface FastEthernet0/1 no ip address shutdown duplex auto speed auto ! interface Serial0/1 no ip address shutdown ! ip classless ip route 10.1.1.0 255.255.255.0 172.17.63.213 ip route 10.2.2.0 255.255.255.0 172.17.63.230 ip http server ! ! ! call rsvp-sync ! ! mgcp profile default ! dial-peer cor custom ! ! ! ! ! line con 0 line aux 0 line vty 0 4 ! ! end Thực hiện: Trước hết, ta phải cấu hình cho PIX hoạt động được, do PIX ở bài lab này được thiết kế có 2 cổng Ethernet để kết nối mạng nội bộ với mạng public, nên ta phải cấu hình cho 2 cổng này hoạt động được: pixfirewall# conf t pixfirewall(config)# ho PIX PIX(config)# nameif ethernet0 outside security0 PIX(config)# nameif ethernet1 inside security100 PIX(config)# ip address outside 172.17.63.213 255.255.255.240 PIX(config)# ip address inside 10.1.1.1 255.255.255.0 PIX(config)# interface e0 auto PIX(config)# interface e1 auto PIX(config)# conduit permit icmp any any PIX(config)# route outside 0.0.0.0 0.0.0.0 172.17.63.209 Sau khi đã cấu hình cho các interface của PIX up lên, ta thực hiện NAT và cấu hình VPN: PIX(config)# access-list ipsec permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 PIX(config)# access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 PIX(config)# global (outside) 1 172.17.63.210 Global 172.17.63.210 will be Port Address Translated PIX(config)# nat (inside) 0 access-list nonat PIX(config)# nat (inside) 1 10.1.1.0 255.255.255.0 0 0 PIX(config)# sysopt connection permit-ipsec PIX(config)# crypto ipsec transform-set vnpro esp-des PIX(config)# crypto map lee 10 ipsec-isakmp PIX(config)# crypto map lee 10 match address ipsec PIX(config)# crypto map lee 10 set peer 172.17.63.230 PIX(config)# crypto map lee 10 set transform-set vnpro PIX(config)# crypto map lee interface outside PIX(config)# isakmp enable outside PIX(config)# isakmp key cisco address 172.17.63.230 netmask 255.255.255.255 PIX(config)# isakmp identity address PIX(config)# isakmp policy 10 authentication pre-share PIX(config)# isakmp policy 10 hash md5 PIX(config)# Chú ý: khi cấu hình ACL trên PIX, ta sử dụng Subnet mask chứ không sử dụng wildcard mask, và trên PIX chỉ có thể cấu hình mọi thứ trên mode global config. Trên router A ta cũng cấu hình VPN như sau: RA(config)#crypto isakmp policy 10 RA(config-isakmp)#hash md5 RA(config-isakmp)#authentication pre-share RA(config-isakmp)#exit RA(config)#crypto isakmp key cisco address 172.17.63.213 RA(config)#crypto ipsec transform-set vnpro esp-des RA(cfg-crypto-trans)#exit RA(config)#crypto map lee 10 ipsec-isakmp % NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured. RA(config-crypto-map)#set peer 172.17.63.213 RA(config-crypto-map)#set transform-set vnpro RA(config-crypto-map)#match address 115 RA(config-crypto-map)#exit RA(config)#int s0/0 RA(config-if)#ip nat out RA(config-if)#ip nat outside RA(config-if)#crypto map lee RA(config-if)#exit RA(config)#int e0/0 RA(config-if)#ip nat in RA(config-if)#ip nat inside RA(config-if)#exit RA(config)#ip nat inside source route-map nonat interface s0/0 overload RA(config)#access-list 110 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255 RA(config)#access-list 110 permit ip any any RA(config)#access-list 115 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255 RA(config)#route-map nonat permit 10 RA(config-route-map)#match ip address 110 Kiểm tra: Ta thực hiện các lệnh show ở 2 bên và thực hiện debug: RA#sh crypto map Crypto Map "lee" 10 ipsec-isakmp Peer = 172.17.63.213 Extended IP access list 115 access-list 115 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255 Current peer: 172.17.63.213 Security association lifetime: 4608000 kilobytes/3600 seconds PFS (Y/N): N Transform sets={ vnpro, } Interfaces using crypto map lee: Serial0/0 RA#sh crypto isakmp policy Protection suite of priority 10 encryption algorithm: DES - Data Encryption Standard (56 bit keys). hash algorithm: Message Digest 5 authentication method: Pre-Shared Key Diffie-Hellman group: #1 (768 bit) lifetime: 86400 seconds, no volume limit Default protection suite encryption algorithm: DES - Data Encryption Standard (56 bit keys). hash algorithm: Secure Hash Standard authentication method: Rivest-Shamir-Adleman Signature Diffie-Hellman group: #1 (768 bit) lifetime: 86400 seconds, no volume limit RA#sh crypto ipsec transform-set Transform set vnpro: { esp-des } will negotiate = { Tunnel, }, PIX# sh crypto map Crypto Map: "lee" interfaces: { outside } Crypto Map "lee" 10 ipsec-isakmp Peer = 172.17.63.230 access-list ipsec; 1 elements access-list ipsec line 1 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 hitcnt=0) Current peer: 172.17.63.230 Security association lifetime: 4608000 kilobytes/28800 seconds PFS (Y/N): N Transform sets={ vnpro, } PIX# sh isakmp policy Protection suite of priority 10 encryption algorithm: DES - Data Encryption Standard (56 bit keys). hash algorithm: Message Digest 5 authentication method: Pre-Shared Key Diffie-Hellman group: #1 (768 bit) lifetime: 86400 seconds, no volume limit Default protection suite encryption algorithm: DES - Data Encryption Standard (56 bit keys). hash algorithm: Secure Hash Standard authentication method: Rivest-Shamir-Adleman Signature Diffie-Hellman group: #1 (768 bit) lifetime: 86400 seconds, no volume limit RA#debug ip nat IP NAT debugging is on RA#debug crypto ipsec Crypto IPSEC debugging is on RA#debug crypto isakmp Crypto ISAKMP debugging is on Sau khi bật debug, ta thực hiện ping thử ra các địa chỉ ở ngoài, và các địa chỉ trong mang LAN bên kia: RA# *Mar 1 00:37:43.910: NAT: s=10.2.2.2->172.17.63.230, d=172.17.63.225 [1888] *Mar 1 00:37:43.930: NAT*: s=172.17.63.225, d=172.17.63.230->10.2.2.2 [1888] *Mar 1 00:37:44.916: NAT*: s=10.2.2.2->172.17.63.230, d=172.17.63.225 [1891] *Mar 1 00:37:44.932: NAT*: s=172.17.63.225, d=172.17.63.230->10.2.2.2 [1891] *Mar 1 00:37:45.913: NAT*: s=10.2.2.2->172.17.63.230, d=172.17.63.225 [1894] *Mar 1 00:37:45.933: NAT*: s=172.17.63.225, d=172.17.63.230->10.2.2.2 [1894] *Mar 1 00:37:46.915: NAT*: s=10.2.2.2->172.17.63.230, d=172.17.63.225 [1898] *Mar 1 00:37:46.935: NAT*: s=172.17.63.225, d=172.17.63.230->10.2.2.2 [1898] *Mar 1 00:37:55.597: NAT: s=10.2.2.2->172.17.63.230, d=172.17.63.213 [1917] *Mar 1 00:37:55.617: NAT*: s=172.17.63.213, d=172.17.63.230->10.2.2.2 [9077] *Mar 1 00:37:56.603: NAT*: s=10.2.2.2->172.17.63.230, d=172.17.63.213 [1918] *Mar 1 00:37:56.619: NAT*: s=172.17.63.213, d=172.17.63.230->10.2.2.2 [9078] *Mar 1 00:37:57.600: NAT*: s=10.2.2.2->172.17.63.230, d=172.17.63.213 [1920] *Mar 1 00:37:57.620: NAT*: s=172.17.63.213, d=172.17.63.230->10.2.2.2 [9079] *Mar 1 00:37:58.602: NAT*: s=10.2.2.2->172.17.63.230, d=172.17.63.213 [1922] *Mar 1 00:37:58.622: NAT*: s=172.17.63.213, d=172.17.63.230->10.2.2.2 [9080] *Mar 1 00:38:12.789: IPSEC(sa_request): , (key eng. msg.) OUTBOUND local= 172.17.63.230, remote= 172.17.63.213, local_proxy= 10.2.2.0/255.255.255.0/0/0 (type=4), remote_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4), protocol= ESP, transform= esp-des , lifedur= 3600s and 4608000kb, spi= 0x3E3F5095(1044336789), conn_id= 0, keysize= 0, flags= 0x400C *Mar 1 00:38:12.789: ISAKMP: received ke message (1/1) *Mar 1 00:38:12.789: ISAKMP: local port 500, remote port 500 *Mar 1 00:38:12.793: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM *Mar 1 00:38:12.793: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1 *Mar 1 00:38:12.793: ISAKMP (0:1): beginning Main Mode exchange *Mar 1 00:38:12.797: ISAKMP (0:1): sending packet to 172.17.63.213 (I) MM_NO_STATE *Mar 1 00:38:12.873: ISAKMP (0:1): received packet from 172.17.63.213 (I) MM_NO_STATE *Mar 1 00:38:12.877: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH *Mar 1 00:38:12.877: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM2 *Mar 1 00:38:12.877: ISAKMP (0:1): processing SA payload. message ID = 0 *Mar 1 00:38:12.877: ISAKMP (0:1): found peer pre-shared key matching 172.17.63.213 *Mar 1 00:38:12.877: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy *Mar 1 00:38:12.882: ISAKMP: encryption DES-CBC *Mar 1 00:38:12.882: ISAKMP: hash MD5 *Mar 1 00:38:12.882: ISAKMP: default group 1 *Mar 1 00:38:12.882: ISAKMP: auth pre-share *Mar 1 00:38:12.882: ISAKMP: life type in seconds *Mar 1 00:38:12.882: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80 *Mar 1 00:38:12.882: ISAKMP (0:1): atts are acceptable. Next payload is 0 *Mar 1 00:38:13.050: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE *Mar 1 00:38:13.050: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM2 *Mar 1 00:38:13.054: ISAKMP (0:1): sending packet to 172.17.63.213 (I) MM_SA_SETUP *Mar 1 00:38:13.058: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, . Cấu hình VPN Router- To -PIX Mô tả: Xem hình Dựa vào sơ đồ trên ta thấy, bài lab thực hiện tạo một tunnel private giữa 2 LAN qua một môi trường truyền public, ta sử dụng một router RI. dụng Subnet mask chứ không sử dụng wildcard mask, và trên PIX chỉ có thể cấu hình mọi thứ trên mode global config. Trên router A ta cũng cấu hình VPN như sau: RA(config)#crypto isakmp policy 10 RA(config-isakmp)#hash. cấu hình cho các interface của PIX up lên, ta thực hiện NAT và cấu hình VPN: PIX( config)# access-list ipsec permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 PIX( config)# access-list nonat