Portal: Cisco router configuration example: https://blog.51cto.com/14227204/2448319
Firewall and router configuration are actually very similar; you can refer to the portal above. A firewall configuration example is given below.
I. Router fault diagnosis and troubleshooting
1. show crypto isakmp sa
R1:show crypto isakmp sa # shows the details of the ISAKMP (management connection) SA
MM_NO_STATE: initial state of the ISAKMP SA; a management connection that failed to establish also stays in this state
MM_SA_SETUP: the peers have successfully negotiated the ISAKMP policy
MM_KEY_EXCH: the peers have established a shared key via the DH algorithm; device authentication has not yet taken place
MM_KEY_AUTH: the peers have authenticated each other and will then transition to QM_IDLE
QM_IDLE: the management connection is established and is about to transition to the phase 2 data connection setup
2. debug crypto isakmp
R1:debug crypto isakmp # diagnoses and troubleshoots problems with the management connection
Fault case 1: encryption algorithms do not match on the two ends
ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: default group 1
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy! # encryption algorithm mismatch
ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
…… # the policy is not accepted
ISAKMP:(0:0:N/A:0):no offers accepted! # no matching policy
……
received packet from 10.0.0.1 dport 500 sport 500 Global (R) MM_NO_STATE # the SA falls back to the not-established state
Fault case 2: the pre-shared keys on the two ends differ
ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: default group 1
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
…… # the algorithms match; key exchange and authentication begin
ISAKMP (0:134217729): received packet from 10.0.0.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
ISAKMP: reserved not zero on ID payload!
%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 10.0.0.1 failed its sanity check or is malformed
# the integrity check fails, and the SA stays in the MM_KEY_EXCH phase
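The two debug signatures above can be turned into a small classifier. This is an added example, not code from the original post; the sample debug text is constructed (abridged from the two cases above) and the verdict strings are my own.

```python
import re

# Meaning of the ISAKMP SA states shown by `show crypto isakmp sa` (as listed above)
ISAKMP_STATES = {
    "MM_NO_STATE": "initial state; a failed management connection also stays here",
    "MM_SA_SETUP": "ISAKMP policy negotiated successfully",
    "MM_KEY_EXCH": "DH shared key established, peer not yet authenticated",
    "MM_KEY_AUTH": "peer authenticated, about to move to QM_IDLE",
    "QM_IDLE": "management connection up, moving on to phase 2",
}

# Constructed sample output, abridged from fault case 1 (encryption mismatch)
CASE_ENC_MISMATCH = """ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
ISAKMP:      encryption DES-CBC
ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
ISAKMP:(0:0:N/A:0):no offers accepted!
received packet from 10.0.0.1 dport 500 sport 500 Global (R) MM_NO_STATE"""

# Constructed sample output, abridged from fault case 2 (pre-shared key mismatch)
CASE_PSK_MISMATCH = """ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
ISAKMP (0:134217729): received packet from 10.0.0.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
ISAKMP: reserved not zero on ID payload!
%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 10.0.0.1 failed its sanity check or is malformed"""


def last_state(debug_text):
    """Return the last MM_/QM_ state token seen in the debug output, or None."""
    states = re.findall(r"\b(MM_[A-Z_]+|QM_[A-Z_]+)\b", debug_text)
    return states[-1] if states else None


def diagnose_isakmp(debug_text):
    """Map `debug crypto isakmp` output to a phase-1 verdict string."""
    state = last_state(debug_text)
    if "does not match policy" in debug_text or "no offers accepted" in debug_text:
        algo = re.search(r"(\w+) algorithm offered does not match", debug_text)
        what = algo.group(1).lower() if algo else "policy"
        return f"phase1 policy mismatch ({what}); SA stuck in {state}"
    if "failed its sanity check or is malformed" in debug_text and state == "MM_KEY_EXCH":
        return "authentication failed after DH (typically pre-shared key mismatch); SA stuck in MM_KEY_EXCH"
    if "atts are acceptable" in debug_text:
        return f"phase1 policy matched; last state {state}: {ISAKMP_STATES.get(state, 'unknown')}"
    return f"no known failure signature; last state {state}"
```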
II. Differences between the firewall and the router:
IKE negotiation:
Enabled by default on routers
Disabled by default on the ASA firewall; it must be enabled manually, as follows:
ASA(config)# crypto isakmp enable outside
Introduction of the tunnel-group feature:
A new feature introduced when the firewall software went from version 6.x to 7.0
Mainly used to simplify the configuration and management of IPSec sessions
III. Starting the configuration
The environment is as follows:
The requirements are as follows:
lan1 and lan2 can reach each other
lan1 and lan3 can reach each other
lan2 and lan3 can reach each other (lan2→lan1→lan3)
All areas can access the ISP in the middle
Note before configuring (sorry, I used routers in place of PCs here, so the verification is a bit brief):
R1 configuration (R3 and R4 are configured similarly):
R1#conf t
R1(config)#int f 0/0
R1(config-if)#ip add 192.168.1.10 255.255.255.0 # configure the interface IP
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1 # the default route acts as the gateway
R2 configuration (the ISP needs no routes; one interface per ASA link, with 201.0.0.1, 202.0.0.1 and 203.0.0.1 as the three ASA gateways):
R2#conf t
R2(config)#int f 0/0 # interface numbers assumed; the original listed f 0/1 twice
R2(config-if)#ip add 201.0.0.1 255.255.255.0 # gateway for ASA1 outside
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#int f 0/1
R2(config-if)#ip add 202.0.0.1 255.255.255.0 # gateway for ASA2 outside
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#int f 1/0
R2(config-if)#ip add 203.0.0.1 255.255.255.0 # gateway for ASA3 outside
R2(config-if)#no shutdown
1. Configuration
ASA1 (lan1→lan2) configuration
ciscoasa> en
Password:
ciscoasa# conf t
ciscoasa(config)# int e 0/0
ciscoasa(config-if)# nameif inside # configure as the inside interface
ciscoasa(config-if)# ip add 192.168.1.1 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# int e 0/1
ciscoasa(config-if)# nameif outside # configure as the outside interface
ciscoasa(config-if)# ip add 201.0.0.2 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# route outside 0 0 201.0.0.1 # default route towards the ISP; the 0 is shorthand for 0.0.0.0
ciscoasa(config)# crypto isakmp enable outside # enable IKE negotiation
ciscoasa(config)# crypto isakmp policy 1 # configure the management connection
ciscoasa(config-isakmp-policy)# encryption aes # encryption: aes
ciscoasa(config-isakmp-policy)# hash md5 # hash: md5
ciscoasa(config-isakmp-policy)# group 2
ciscoasa(config-isakmp-policy)# authentication pre-share # authenticate with a pre-shared key
ciscoasa(config-isakmp-policy)# lifetime 10000
ciscoasa(config-isakmp-policy)# exit
ciscoasa(config)# crypto isakmp key 123.com address 202.0.0.2 # set the pre-shared key for the peer
# the firewall offers two ways of configuring the key; the other one is used on ASA2
ciscoasa(config)# access-list lan1_lan2 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 # ACL for 1.0 to 2.0 traffic
ciscoasa(config)# crypto ipsec transform-set test-set esp-aes esp-md5-hmac # these four lines configure the data connection
ciscoasa(config)# crypto map test-map 1 match address lan1_lan2
ciscoasa(config)# crypto map test-map 1 set peer 202.0.0.2 # the peer is ASA2's outside address
ciscoasa(config)# crypto map test-map 1 set transform-set test-set
ciscoasa(config)# crypto map test-map interface outside # apply to the outside logical interface
ASA2 configuration
ciscoasa> en
Password:
ciscoasa# conf t
ciscoasa(config)# int e 0/0 # the meaning of these lines is not repeated here; they mirror ASA1
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# ip add 202.0.0.2 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# int e 0/1
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# ip add 192.168.2.1 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# route outside 0 0 202.0.0.1
ciscoasa(config)# crypto isakmp enable outside
ciscoasa(config)# crypto isakmp policy 1
ciscoasa(config-isakmp-policy)# encryption aes
ciscoasa(config-isakmp-policy)# hash md5
ciscoasa(config-isakmp-policy)# group 2
ciscoasa(config-isakmp-policy)# authentication pre-share
ciscoasa(config-isakmp-policy)# lifetime 10000
ciscoasa(config-isakmp-policy)# exit
ciscoasa(config)# tunnel-group 201.0.0.2 type ipsec-l2l # the other way of configuring the key
ciscoasa(config)# tunnel-group 201.0.0.2 ipsec-attributes
ciscoasa(config-tunnel-ipsec)# pre-shared-key 123.com
ciscoasa(config-tunnel-ipsec)# exit
ciscoasa(config)# access-list lan2_lan1 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ciscoasa(config)# crypto ipsec transform-set test-set esp-aes esp-md5-hmac
ciscoasa(config)# crypto map test-map 1 match address lan2_lan1
ciscoasa(config)# crypto map test-map 1 set peer 201.0.0.2
ciscoasa(config)# crypto map test-map 1 set transform-set test-set
ciscoasa(config)# crypto map test-map interface outside
R1#ping 192.168.2.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.10, timeout is 2 seconds:
!!!!!
ASA1 (lan1→lan3) configuration
# the lan2 tunnel was already configured on this ASA, so this builds on the configuration above
ciscoasa(config)# tunnel-group 203.0.0.2 type ipsec-l2l
ciscoasa(config)# tunnel-group 203.0.0.2 ipsec-attributes
ciscoasa(config-tunnel-ipsec)# pre-shared-key 123.com
ciscoasa(config-tunnel-ipsec)# exit
ciscoasa(config)# access-list lan1_lan3 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
ciscoasa(config)# crypto map test-map 2 match address lan1_lan3
WARNING: The crypto map entry is incomplete! # this warning is normal until the entry is complete
ciscoasa(config)# crypto map test-map 2 set peer 203.0.0.2
WARNING: The crypto map entry is incomplete!
ciscoasa(config)# crypto map test-map 2 set transform-set test-set
ASA3 configuration (basically the same as ASA2)
ciscoasa> en
Password:
ciscoasa# conf t
ciscoasa(config)# int e 0/0
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# ip add 203.0.0.2 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# int e 0/1
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# ip add 192.168.3.1 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# route outside 0 0 203.0.0.1
ciscoasa(config)# crypto isakmp enable outside
ciscoasa(config)# crypto isakmp policy 1
ciscoasa(config-isakmp-policy)# authentication pre-share
ciscoasa(config-isakmp-policy)# encryption aes
ciscoasa(config-isakmp-policy)# hash md5
ciscoasa(config-isakmp-policy)# group 2
ciscoasa(config-isakmp-policy)# lifetime 10000
ciscoasa(config-isakmp-policy)# exit
ciscoasa(config)# crypto isakmp key 123.com address 201.0.0.2
ciscoasa(config)# access-list lan3_lan1 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
ciscoasa(config)# crypto ipsec transform-set test-set esp-aes esp-md5-hmac
ciscoasa(config)# crypto map test-map 1 match address lan3_lan1
ciscoasa(config)# crypto map test-map 1 set peer 201.0.0.2
ciscoasa(config)# crypto map test-map 1 set transform-set test-set
ciscoasa(config)# crypto map test-map interface outside
R4#ping 192.168.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
!!!!!
2. Enabling lan2→lan3 communication:
ASA1 configuration
ciscoasa(config)# same-security-traffic permit intra-interface # allow traffic to enter and leave on the same interface
ciscoasa(config)# access-list lan1_lan2 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
ciscoasa(config)# access-list lan1_lan3 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
ASA2 configuration
ciscoasa(config)# access-list lan2_lan1 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
ASA3 configuration
ciscoasa(config)# access-list lan3_lan1 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
R3#ping 192.168.3.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.10, timeout is 2 seconds:
!!!!!
3. Accessing the ISP
If the internal networks need to reach the internet, PAT must be configured on the ASA with nat control enabled, and the *** traffic must be exempted from NAT
ASA1 configuration
ciscoasa(config)# nat-control # enable nat control
ciscoasa(config)# nat (inside) 1 0 0 # configure pat
ciscoasa(config)# global (outside) 1 interface # translate to the interface address
# the existing ACLs are not reused: there are both lan1_lan2 and lan1_lan3, and only one ACL can be bound to the exemption, so a new ACL is defined
ciscoasa(config)# access-list aaa permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ciscoasa(config)# access-list aaa permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
ciscoasa(config)# nat (inside) 0 access-list aaa # NAT exemption for the traffic matched by the ACL
ASA2 configuration
ciscoasa(config)# nat (inside) 1 0 0
ciscoasa(config)# global (outside) 1 interface
ciscoasa(config)# nat (inside) 0 access-list lan2_lan1
ASA3 configuration
ciscoasa(config)# nat (inside) 1 0 0
ciscoasa(config)# global (outside) 1 interface
ciscoasa(config)# nat (inside) 0 access-list lan3_lan1
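Two of the mistakes this kind of configuration invites are a crypto map peer that has no matching pre-shared key (crypto isakmp key or tunnel-group) and a crypto ACL entry that is missing from the NAT exemption ACL, which would send the tunnel traffic through PAT instead. The following added lint script (not part of the original post; the ASA config excerpt is constructed to contain both mistakes) parses the config lines used in the sections above and reports both.

```python
import re

# Constructed ASA1 config excerpt: the key is for 202.0.0.2 but 'set peer' says
# 202.0.0.1, and the exemption ACL 'aaa' lacks the lan1_lan3 entry.
ASA1_BAD = """
crypto isakmp key 123.com address 202.0.0.2
tunnel-group 203.0.0.2 type ipsec-l2l
access-list lan1_lan2 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list lan1_lan3 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
crypto map test-map 1 match address lan1_lan2
crypto map test-map 1 set peer 202.0.0.1
crypto map test-map 2 match address lan1_lan3
crypto map test-map 2 set peer 203.0.0.2
access-list aaa permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list aaa
"""

# The same excerpt with both problems corrected
ASA1_FIXED = ASA1_BAD.replace("set peer 202.0.0.1", "set peer 202.0.0.2").replace(
    "nat (inside) 0",
    "access-list aaa permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0\nnat (inside) 0")


def acl_entries(config, name):
    """Return (src, smask, dst, dmask) tuples for a named ACL's 'permit ip' lines."""
    pat = rf"^access-list {re.escape(name)} permit ip (\S+) (\S+) (\S+) (\S+)$"
    return re.findall(pat, config, re.M)


def lint_asa_vpn(config):
    """Return findings: peers without a PSK source, and crypto-ACL entries that
    the 'nat (inside) 0' exemption ACL does not cover."""
    findings = []
    keyed = set(re.findall(r"^crypto isakmp key \S+ address (\S+)$", config, re.M))
    keyed |= set(re.findall(r"^tunnel-group (\S+) type ipsec-l2l$", config, re.M))
    for cmap, seq, peer in re.findall(r"^crypto map (\S+) (\d+) set peer (\S+)$", config, re.M):
        if peer not in keyed:
            findings.append(f"crypto map {cmap} {seq}: peer {peer} has no pre-shared key or tunnel-group")
    exempt = re.search(r"^nat \(inside\) 0 access-list (\S+)$", config, re.M)
    exempt_entries = set(acl_entries(config, exempt.group(1))) if exempt else set()
    for cmap, seq, acl in re.findall(r"^crypto map (\S+) (\d+) match address (\S+)$", config, re.M):
        for src, _, dst, _ in acl_entries(config, acl):
            if (src, _, dst, _) not in exempt_entries and not any(
                    e[0] == src and e[2] == dst for e in exempt_entries):
                findings.append(f"crypto map {cmap} {seq}: ACL {acl} entry {src}->{dst} is not NAT-exempt")
    return findings
```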