Background:
In an ordinary site-to-site ***, one problem we usually have to consider is the effect that NAT has on the ***. In a typical enterprise, a single router or firewall both acts as the *** device connecting the two sites and translates the company's internal private addresses to a public IP address, and this is where the *** runs into trouble. The problem only affects ordinary site-to-site ***; it does not affect tunnel-mode ***s such as VTI and GRE over IPsec. Below we demonstrate how the problem arises and how to solve it:
Lab environment:
IOS: Version 12.4(15)T5
ASA version 8.4
The topology diagram is as follows:
In the topology above, the ASA and R3 emulate the *** devices at headquarters and at the branch, R2 emulates the ISP's router, and R1 emulates the network behind headquarters. On both the ASA and R3, the *** function and the NAT function are needed: they translate the 192.168.10.0/24 and 192.168.20.0/24 networks behind them into public IP addresses so that those networks can reach 2.2.2.2, the network behind R2.
Basic configuration (readers can paste it directly):
R1:
en
conf t
host R1
int f0/0
ip add 192.168.10.10 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ASA:
interface GigabitEthernet0
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet1
nameif outside
security-level 0
ip address 12.1.1.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 12.1.1.2
R2:
interface FastEthernet1/0
ip address 12.1.1.2 255.255.255.0
no shutdown
!
interface FastEthernet2/0
ip address 23.1.1.2 255.255.255.0
no shutdown
!
interface Loopback0
ip address 2.2.2.2 255.255.255.0
R3:
interface FastEthernet2/0
ip address 23.1.1.3 255.255.255.0
no shutdown
!
interface Loopback0
ip address 192.168.20.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 23.1.1.2
Ping R3 from the firewall to test:
ciscoasa# ping 23.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/20/50 ms
*** configuration:
ASA *** configuration:
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400
tunnel-group 23.1.1.3 type ipsec-l2l
tunnel-group 23.1.1.3 ipsec-attributes
ikev1 pre-shared-key cisco
crypto ipsec ikev1 transform-set trans esp-des esp-md5-hmac
access-list 100 extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto map cisco 10 match address 100
crypto map cisco 10 set peer 23.1.1.3
crypto map cisco 10 set ikev1 transform-set trans
crypto map cisco interface outside
R3 *** configuration:
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco address 12.1.1.1
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
set peer 12.1.1.1
set transform-set trans
match address 100
!
access-list 100 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
!
interface FastEthernet2/0
ip address 23.1.1.3 255.255.255.0
crypto map cisco
Test by pinging R3's 192.168.20.1 from R1:
R1#ping 192.168.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 52/66/80 ms
Check the *** encryption/decryption counters:
R3#show crypto engine connections active
Crypto Engine Connections
ID Interface Type Algorithm Encrypt Decrypt IP-Address
5 Fa2/0 IPsec DES+MD5 0 4 23.1.1.3
6 Fa2/0 IPsec DES+MD5 4 0 23.1.1.3
1002 Fa2/0 IKE MD5+DES 0 0 23.1.1.3
This shows that encryption and decryption are working normally.
Configure NAT:
Configure NAT on R3 to translate the 192.168.20.0/24 addresses to the public IP address of the outside interface, so that the network behind R3 can reach the Internet.
First, before configuring anything, test whether the network behind R3 can reach the public address 2.2.2.2 (using a ping with a specified source address):
R3#ping 2.2.2.2 source lo 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.20.1
.....
Success rate is 0 percent (0/5)
The ping fails, because NAT has not been configured.
Configure NAT on R3:
R3(config)#access-list 101 permit ip 192.168.20.0 0.0.0.255 any
R3(config)#int lo 0
R3(config-if)#ip nat inside
R3(config)#int f2/0
R3(config-if)#ip nat outside
R3(config)#ip nat inside source list 101 interface f2/0 overload
R3#ping 2.2.2.2 source lo 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.20.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/16/60 ms
NAT is now configured successfully.
Test the *** again:
R1#ping 192.168.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Test from R3 and check the encryption/decryption counters:
R3#show crypto engine connections active
Crypto Engine Connections
ID Interface Type Algorithm Encrypt Decrypt IP-Address
5 Fa2/0 IPsec DES+MD5 0 9 23.1.1.3
6 Fa2/0 IPsec DES+MD5 4 0 23.1.1.3
1002 Fa2/0 IKE MD5+DES 0 0 23.1.1.3
R3#ping 192.168.10.10 source 192.168.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.10, timeout is 2 seconds:
Packet sent with a source address of 192.168.20.1
U.U.U
Success rate is 0 percent (0/5)
R3#show crypto engine connections active
Crypto Engine Connections
ID Interface Type Algorithm Encrypt Decrypt IP-Address
5 Fa2/0 IPsec DES+MD5 0 9 23.1.1.3
6 Fa2/0 IPsec DES+MD5 4 0 23.1.1.3
1002 Fa2/0 IKE MD5+DES 0 0 23.1.1.3
The connection through the *** can no longer be pinged; the problem has now appeared. Also, the encrypt/decrypt counts are identical before and after the ping, so the packets were never encrypted or decrypted at all.
Analysis:
The cause of this problem is that when the router processes traffic from inside to outside, NAT is performed before encryption. When a packet with source 192.168.20.1 is sent to 192.168.10.10, 192.168.20.1 has already been translated to 23.1.1.3, and the translated traffic no longer matches the interesting traffic, so the packet is forwarded to the Internet. When the packet reaches the Internet (emulated by R2), R2 finds no route for 192.168.20.0 in its routing table and returns a host-unreachable message to R3.
Solution:
When a single device performs both NAT and ***, bypass the *** traffic so that it is not processed by NAT.
R3(config)#ip access-list extended 101
R3(config-ext-nacl)#5 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
R3#ping 192.168.10.10 source 192.168.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.10, timeout is 2 seconds:
Packet sent with a source address of 192.168.20.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/95/140 ms
Now the ping succeeds.
ASA NAT and *** bypass:
Before ASA 8.4, NAT 0 was used:
From ASA 8.4 onward, twice NAT is used:
object network PAT
subnet 0.0.0.0 0.0.0.0
object network PAT
nat (inside,outside) dynamic interface
// The commands above apply dynamic address translation to traffic going from the inside interface to the outside interface
object network ***-Inside
subnet 192.168.10.0 255.255.255.0
object network ***-Outside
subnet 192.168.20.0 255.255.255.0
nat (inside,outside) source static ***-Inside ***-Inside destination static ***-Outside ***-Outside
// The commands above apply NAT to the *** traffic such that the source is translated to itself and the destination IP to itself, which amounts to no translation at all; in effect this bypasses the *** traffic
policy-map global_policy
class inspection_default
inspect icmp //Inspect ping traffic; otherwise the network behind the ASA cannot ping out
Verification:
R1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/27/68 ms
R1#ping 192.168.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/94/132 ms
R1 can ping both the Internet address 2.2.2.2 and the address at the R3 branch site.
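As an added illustration (this is not code from the original article and not Cisco software), the following Python model walks a packet along the inside-to-outside path in the order the analysis above describes: NAT first, then the crypto map's interesting-traffic ACL. It runs R3's NAT ACL 101 both before and after the "5 deny" line, and the ASA's twice-NAT identity rule, which on ASA 8.4+ sits in NAT section 1 and is therefore evaluated before the object NAT "dynamic interface" rule in section 3. The Packet class, the rule lists and the "pat"/"bypass" action names are constructed for this model; the addresses are the article's.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the NAT-before-crypto order of operations described in
# the article. "pat" stands for the IOS "ip nat inside source ... interface ...
# overload" / ASA "nat ... dynamic interface" action; "bypass" stands for the
# IOS deny entry in the NAT ACL / the ASA identity twice-NAT rule.
# Rules are evaluated first-match, like an ACL.

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def wildcard_to_network(addr, wildcard):
    """Turn an IOS 'address wildcard' pair (e.g. 192.168.20.0 0.0.0.255) into a
    network. Assumes a contiguous wildcard, which is all the article's ACLs use."""
    host_bits = bin(int(ipaddress.ip_address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{32 - host_bits}", strict=False)

def _match(pkt, src_net, dst_net):
    return (ipaddress.ip_address(pkt.src) in src_net
            and ipaddress.ip_address(pkt.dst) in dst_net)

def apply_nat(pkt, nat_rules, outside_ip):
    """First matching NAT rule wins: 'pat' rewrites the source to the outside
    interface address, 'bypass' leaves the packet untouched. No match = no NAT."""
    for action, src_net, dst_net in nat_rules:
        if _match(pkt, src_net, dst_net):
            if action == "pat":
                return Packet(outside_ip, pkt.dst)
            return pkt
    return pkt

def forward(pkt, nat_rules, crypto_acl, outside_ip):
    """Model the inside->outside path: NAT runs first, then the crypto map's
    interesting-traffic ACL is checked against the (possibly translated)
    packet. Returns (disposition, packet_as_sent)."""
    translated = apply_nat(pkt, nat_rules, outside_ip)
    for src_net, dst_net in crypto_acl:
        if _match(translated, src_net, dst_net):
            return "encrypted", translated
    return "cleartext", translated

# Topology from the article.
LAN_HQ = wildcard_to_network("192.168.10.0", "0.0.0.255")   # behind the ASA
LAN_R3 = wildcard_to_network("192.168.20.0", "0.0.0.255")   # behind R3
ANY = wildcard_to_network("0.0.0.0", "255.255.255.255")
R3_OUTSIDE = "23.1.1.3"
ASA_OUTSIDE = "12.1.1.1"

# R3's crypto ACL 100 and the ASA's ACL 100 (mirror image of each other).
R3_CRYPTO_ACL = [(LAN_R3, LAN_HQ)]
ASA_CRYPTO_ACL = [(LAN_HQ, LAN_R3)]

# R3's NAT ACL 101 as first configured, and after the "5 deny ..." line.
R3_NAT_BROKEN = [("pat", LAN_R3, ANY)]
R3_NAT_FIXED = [("bypass", LAN_R3, LAN_HQ), ("pat", LAN_R3, ANY)]

# ASA 8.4+: the twice-NAT identity rule (section 1) is evaluated before the
# object NAT "dynamic interface" rule (section 3), so it is listed first.
ASA_NAT = [("bypass", LAN_HQ, LAN_R3), ("pat", ANY, ANY)]

def r3_to_hq(nat_rules):
    """R3's 'ping 192.168.10.10 source 192.168.20.1' through the given NAT rules."""
    return forward(Packet("192.168.20.1", "192.168.10.10"),
                   nat_rules, R3_CRYPTO_ACL, R3_OUTSIDE)

def r3_to_internet(nat_rules):
    """R3's 'ping 2.2.2.2 source lo 0'."""
    return forward(Packet("192.168.20.1", "2.2.2.2"),
                   nat_rules, R3_CRYPTO_ACL, R3_OUTSIDE)

def asa_to_r3():
    """R1's 'ping 192.168.20.1' as it leaves the ASA."""
    return forward(Packet("192.168.10.10", "192.168.20.1"),
                   ASA_NAT, ASA_CRYPTO_ACL, ASA_OUTSIDE)

if __name__ == "__main__":
    print("R3 -> HQ, NAT ACL without deny :", r3_to_hq(R3_NAT_BROKEN))
    print("R3 -> HQ, NAT ACL with deny    :", r3_to_hq(R3_NAT_FIXED))
    print("R3 -> Internet, with deny      :", r3_to_internet(R3_NAT_FIXED))
    print("ASA -> R3, identity NAT first  :", asa_to_r3())
```

Without the deny line, the packet leaves R3 as 23.1.1.3 -> 192.168.10.10 in cleartext, exactly the "U.U.U" case seen earlier; with the deny line (or the ASA identity rule) the source is preserved, the crypto ACL matches, and only Internet-bound traffic is still PAT'ed to the outside address.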