Implementing IPSec VPN on ASA Firewall

Configuring an IPSec VPN on an ASA firewall is not very different from configuring one on a router, and the principles are the same. Refer to the previous article for how an IPSec VPN works; it is not repeated here.

 

Experimental case

In order to reduce staffing costs, a software development company has set up branch offices in small and medium-sized cities. However, the data that the branches upload to head office is generally key software-development business data, and if it were stolen the company could suffer unpredictable losses. As the network administrator of one such branch, you are given the following design requirements for the network.

[Figure: Yang Shufan 00.png]

 


 

Description of Requirement:

1) The development project team can access the head office R&D server through the VPN, but cannot access the Internet

2) The other clients of the branch can access the Internet

 

The experimental topology on GNS3 is as follows:



[Figure: Yang Shufan 01.png]


The specific configuration is as follows:

1. Configuration on 3sw

3sw#vlan database #Create VLAN
3sw(vlan)#vlan 10
3sw(vlan)#vlan 20
3sw(vlan)#exit
3sw#conf t
3sw(config)#int vlan 10 #Configure VLAN address
3sw(config-if)#ip add 172.16.10.254 255.255.255.0
3sw(config-if)#no sh
3sw(config-if)#int vlan 20
3sw(config-if)#ip add 172.16.20.254 255.255.255.0
3sw(config-if)#no sh
3sw(config-if)#int f1/0
3sw(config-if)#no switchport 
3sw(config-if)#ip add 192.168.1.2 255.255.255.252

3sw(config)#int f1/1
3sw(config-if)#switchport access vlan 10
3sw(config-if)#int f1/2
3sw(config-if)#switchport access vlan 20
3sw(config-if)#exit

3sw(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1 #Configure routing


2. Configuration on the branch ASA-1

ASA-1# conf t #Configure the interface address
ASA-1(config)# int e0/0
ASA-1(config-if)# nameif inside
ASA-1(config-if)# security-level 100
ASA-1(config-if)# ip add 192.168.1.1 255.255.255.252
ASA-1(config-if)# no sh
ASA-1(config-if)# int e0/1
ASA-1(config-if)# nameif outside
ASA-1(config-if)# security-level 0
ASA-1(config-if)# ip add 100.0.0.1 255.255.255.252
ASA-1(config-if)# no sh

ASA-1(config)# route outside 0 0 100.0.0.2 #Configure route
ASA-1(config)# route inside 172.16.0.0 255.255.0.0 192.168.1.2
 
ASA-1(config)# nat-control #Configure NAT
ASA-1(config)# nat (inside) 1 0 0
ASA-1(config)# global (outside) 1 int

ASA-1(config)# access-list nonat extended permit ip 172.16.10.0 255.255.255.0 10.10.33.0 255.255.255.0
ASA-1(config)# nat (inside) 0 access-list nonat #Configure NAT exemption

ASA-1(config)# crypto isakmp enable outside          #Enable ISAKMP/IKE on the outside interface
ASA-1(config)# crypto isakmp policy 1                #Configure the ISAKMP policy
ASA-1(config-isakmp-policy)# encryption aes          #Encryption algorithm
ASA-1(config-isakmp-policy)# hash sha                #Hash (integrity) algorithm
ASA-1(config-isakmp-policy)# authentication pre-share    #Authenticate peers with a pre-shared key
ASA-1(config-isakmp-policy)# group 1                     #Diffie-Hellman group


Note: there are two ways to configure the pre-shared key. The first is the same as on a router; the second is a new feature of version 7.0 and later, where the key is normally configured through a tunnel group.

First method: the same as the router configuration

ASA-1(config)# crypto isakmp key vpn-key address 200.0.0.1


Second method: configure the key through a tunnel group, as follows

ASA-1(config)# tunnel-group 200.0.0.1 type ipsec-l2l 
ASA-1(config)# tunnel-group 200.0.0.1 ipsec-attributes 
ASA-1(config-tunnel-ipsec)# pre-shared-key vpn-key


Either of the two pre-shared key methods is sufficient. The remaining configuration is as follows:

ASA-1(config)# access-list vpn extended permit ip 172.16.10.0 255.255.255.0 10.10.33.0 255.255.255.0  #Crypto ACL (interesting traffic)
ASA-1(config)# crypto ipsec transform-set vpn-set esp-aes esp-sha-hmac             #Configure the IPSec transform set
 
ASA-1(config)# crypto map vpn-map 1 match address vpn                 #Apply the ACL
ASA-1(config)# crypto map vpn-map 1 set peer 200.0.0.1                #Configure the IPSec peer
ASA-1(config)# crypto map vpn-map 1 set transform-set vpn-set         #Apply the IPSec transform set

ASA-1(config)# crypto map vpn-map interface outside              #Bind the crypto map to the interface


3. Configuration on the ISP router

ISP#conf t
ISP(config)#int f0/0
ISP(config-if)#ip add 100.0.0.2 255.255.255.252
ISP(config-if)#no sh
ISP(config-if)#int f0/1
ISP(config-if)#ip add 200.0.0.2 255.255.255.252
ISP(config-if)#no sh


4. Configuration on the head office ASA-2

ASA-2# conf t
ASA-2(config)# int e0/0
ASA-2(config-if)# nameif outside
ASA-2(config-if)# security-level 0
ASA-2(config-if)# ip add 200.0.0.1 255.255.255.252
ASA-2(config-if)# no sh
ASA-2(config-if)# int e0/1
ASA-2(config-if)# nameif inside 
ASA-2(config-if)# security-level 100
ASA-2(config-if)# ip add 10.10.33.254 255.255.255.0
ASA-2(config-if)# no sh
ASA-2(config)# route outside 0 0 200.0.0.2

ASA-2(config)# crypto isakmp enable outside 
ASA-2(config)# crypto isakmp policy 1
ASA-2(config-isakmp-policy)# encryption aes
ASA-2(config-isakmp-policy)# hash sha
ASA-2(config-isakmp-policy)# authentication pre-share 
ASA-2(config-isakmp-policy)# group 1

ASA-2(config)# crypto isakmp key vpn-key address 100.0.0.1    
ASA-2(config)# access-list vpn extended permit ip 10.10.33.0 255.255.255.0 172.16.10.0 255.255.255.0
ASA-2(config)# crypto ipsec transform-set vpn-set esp-aes esp-sha-hmac 

ASA-2(config)# crypto map vpn-map 1 match address vpn
ASA-2(config)# crypto map vpn-map 1 set peer 100.0.0.1
ASA-2(config)# crypto map vpn-map 1 set transform-set vpn-set
ASA-2(config)# crypto map vpn-map interface outside
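A site-to-site tunnel only comes up when the two configurations above are exact mirrors of each other: matching ISAKMP policy, matching transform set, a crypto ACL on each side that is the reverse of the other's, peer addresses that point at each other's outside interface, and (on the NAT side) an exemption that covers the interesting traffic. The following script is an added example, not part of the original article or of Cisco's tooling; it parses the crypto-relevant lines of ASA-1 and ASA-2 (constructed here in running-config form from the commands above, with ASA-1 using the tunnel-group key form and ASA-2 the crypto isakmp key form) and reports every mismatch that would break the tunnel. The function and dictionary names are my own.

```python
"""Added example (not from the article): consistency check for the ASA-1/ASA-2
site-to-site IPsec pair.  Parses both peers' crypto-relevant lines and reports
anything that would stop IKE phase 1, IPsec phase 2 or traffic selection."""
from ipaddress import ip_network

# Constructed samples taken from the article's commands.  ASA-1 uses the
# tunnel-group pre-shared-key form, ASA-2 the "crypto isakmp key" form.
ASA1 = """
interface Ethernet0/1
 nameif outside
 ip address 100.0.0.1 255.255.255.252
nat (inside) 1 0 0
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 10.10.33.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto isakmp enable outside
crypto isakmp policy 1
 encryption aes
 hash sha
 authentication pre-share
 group 1
tunnel-group 200.0.0.1 ipsec-attributes
 pre-shared-key vpn-key
access-list vpn extended permit ip 172.16.10.0 255.255.255.0 10.10.33.0 255.255.255.0
crypto ipsec transform-set vpn-set esp-aes esp-sha-hmac
crypto map vpn-map 1 match address vpn
crypto map vpn-map 1 set peer 200.0.0.1
crypto map vpn-map 1 set transform-set vpn-set
crypto map vpn-map interface outside
"""
ASA2 = """
interface Ethernet0/0
 nameif outside
 ip address 200.0.0.1 255.255.255.252
crypto isakmp enable outside
crypto isakmp policy 1
 encryption aes
 hash sha
 authentication pre-share
 group 1
crypto isakmp key vpn-key address 100.0.0.1
access-list vpn extended permit ip 10.10.33.0 255.255.255.0 172.16.10.0 255.255.255.0
crypto ipsec transform-set vpn-set esp-aes esp-sha-hmac
crypto map vpn-map 1 match address vpn
crypto map vpn-map 1 set peer 100.0.0.1
crypto map vpn-map 1 set transform-set vpn-set
crypto map vpn-map interface outside
"""


def parse_asa(config):
    """Collect interfaces, ISAKMP policies, PSKs, ACLs, transform sets, crypto maps and NAT."""
    d = {"if": {}, "pol": {}, "psk": {}, "acl": {}, "ts": {}, "map": {},
         "map_if": {}, "ike_if": set(), "nat": False, "exempt": None}
    iface = pol = tg = None
    for w in (line.split() for line in config.splitlines() if line.strip()):
        if w[0] == "interface": iface = {}
        elif w[0] == "nameif": d["if"][w[1]] = iface
        elif w[:2] == ["ip", "address"]: iface["ip"] = w[2]
        elif w[:3] == ["crypto", "isakmp", "enable"]: d["ike_if"].add(w[3])
        elif w[:3] == ["crypto", "isakmp", "policy"]: pol = d["pol"].setdefault(int(w[3]), {})
        elif w[0] in ("encryption", "hash", "authentication", "group", "lifetime"):
            pol[w[0]] = w[1]                          # attribute of the current policy
        elif w[:3] == ["crypto", "isakmp", "key"]: d["psk"][w[5]] = w[3]   # key <k> address <peer>
        elif w[0] == "tunnel-group" and w[2] == "ipsec-attributes": tg = w[1]
        elif w[0] == "pre-shared-key": d["psk"][tg] = w[1]
        elif w[0] == "access-list" and w[2:5] == ["extended", "permit", "ip"]:
            d["acl"].setdefault(w[1], []).append(
                (ip_network(f"{w[5]}/{w[6]}"), ip_network(f"{w[7]}/{w[8]}")))
        elif w[:3] == ["crypto", "ipsec", "transform-set"]: d["ts"][w[3]] = frozenset(w[4:])
        elif w[:2] == ["crypto", "map"] and w[3] == "interface": d["map_if"][w[2]] = w[4]
        elif w[:2] == ["crypto", "map"]:
            d["map"].setdefault((w[2], int(w[3])), {})[w[5]] = w[6]   # address / peer / transform-set
        elif w[0] == "nat" and w[3] == "access-list": d["exempt"] = w[4]  # nat (x) 0 access-list: exemption
        elif w[0] == "nat": d["nat"] = True           # any other nat rule translates inside hosts
    return d


def check_pair(a, b, names=("ASA-1", "ASA-2")):
    """Problems that would break the a<->b tunnel; an empty list means the pair is consistent."""
    problems = []
    if not any(p == q for p in a["pol"].values() for q in b["pol"].values()):
        problems.append("no ISAKMP policy is common to both peers")
    for me, dev, other in ((names[0], a, b), (names[1], b, a)):
        my_ip, peer_ip = dev["if"].get("outside", {}).get("ip"), other["if"].get("outside", {}).get("ip")
        if "outside" not in dev["ike_if"]:
            problems.append(f"{me}: ISAKMP is not enabled on outside")
        for (mname, _), e in dev["map"].items():
            mirror = next((m for m in other["map"].values() if m.get("peer") == my_ip), {})
            mine = set(dev["acl"].get(e.get("address"), []))
            theirs = {(dst, src) for src, dst in other["acl"].get(mirror.get("address"), [])}
            key = dev["psk"].get(e.get("peer"))
            checks = [
                (dev["map_if"].get(mname) == "outside", f"crypto map {mname} is not applied to outside"),
                (e.get("peer") == peer_ip, f"peer {e.get('peer')} is not the other side's outside address"),
                (key is not None and key == other["psk"].get(my_ip), "pre-shared key missing or differs from the other side"),
                (bool(mirror), f"other side has no crypto map entry peering with {my_ip}"),
                (dev["ts"].get(e.get("transform-set")) == other["ts"].get(mirror.get("transform-set")), "transform set differs from the other side"),
                (mine == theirs, "crypto ACL is not the mirror image of the other side's"),
                (not dev["nat"] or mine <= set(dev["acl"].get(dev["exempt"], [])), "NAT is active but crypto ACL traffic is not NAT-exempt"),
            ]
            problems += [f"{me}: {msg}" for ok, msg in checks if not ok]
    return problems


if __name__ == "__main__":
    print(check_pair(parse_asa(ASA1), parse_asa(ASA2)) or "configurations are consistent")
```

The NAT-exemption check is the one most often missed in practice: with nat (inside) 1 0 0 active, any VLAN 10 traffic to 10.10.33.0/24 that is not covered by the nonat ACL is translated to the outside address before the crypto map sees it, so it never matches the crypto ACL and goes out in the clear.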




 

 

Differences between the firewall and a router

Because the firewall runs its own OS, its configuration commands differ somewhat from a router's, although not greatly. The following points are covered here:

1. Differences in default settings

When establishing the management connection (the IKE phase 1 SA), a Cisco ASA firewall and a router use different default parameters.

The parameters the Cisco ASA firewall uses can be seen with:

ASA-1(config)# show run crypto 


The parameters the router uses can be seen with:

Router#show crypto isakmp policy


The firewall does not support the command show crypto isakmp policy. To view the default parameters of the management connection, enable an ISAKMP policy in the initial configuration and then inspect it with show run. Compared with the router, the default encryption algorithm becomes 3DES, the default DH group becomes 2, and the default device authentication method becomes pre-shared key, while the default hash algorithm and lifetime are unchanged.

The ASA firewall adopts more secure default settings, one sign of Cisco's ongoing technical improvement of its products. Note that if the two IPsec peers are an ASA firewall and a Cisco router, a connection cannot be established using the default ISAKMP policies.

In addition, when establishing the data connection (the IPsec SA), the ASA firewall supports only ESP, so a router that uses AH for data authentication will not be able to establish a data connection with the ASA.
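The reason the defaults fail is that each device fills in the attributes a policy does not set from its own defaults, so a router left at "crypto isakmp policy 1" proposes DES/SHA/RSA-sig/group 1 while an ASA left at the same command proposes 3DES/SHA/pre-share/group 2. The model below is an added example, not from the article or from Cisco; it uses the default values the article describes (plus the 86400 s lifetime it says is unchanged), fills policies the way IOS and the ASA do, and runs the IKEv1 phase 1 selection in which the responder accepts the first proposal that agrees on encryption, hash, authentication and DH group, with the shorter lifetime winning. All function names are my own.

```python
"""Added example (not from the article): IKEv1 phase-1 policy matching when an
ASA peers with an IOS router.  Each device completes a policy from its *own*
defaults, which are the ones the article lists (ASA: 3DES/SHA/pre-share/DH 2;
router: DES/SHA/RSA-sig/DH 1; lifetime 86400 s on both)."""

DEFAULTS = {
    "router": {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": 1, "lifetime": 86400},
    "asa": {"encryption": "3des", "hash": "sha", "authentication": "pre-share", "group": 2, "lifetime": 86400},
}
MATCH_KEYS = ("encryption", "hash", "authentication", "group")   # lifetime is negotiated, not matched


def effective_policies(platform, configured):
    """configured: {priority: {attr: value}} as typed under 'crypto isakmp policy N'.
    Returns [(priority, complete_policy)] in priority order (lowest number first)."""
    base = DEFAULTS[platform]
    return [(prio, {**base, **attrs}) for prio, attrs in sorted(configured.items())]


def negotiate(initiator, responder):
    """The initiator offers all its policies; the responder walks its own list in
    priority order and accepts the first pair that agrees on every MATCH_KEY.
    Lifetime need not match: the shorter of the two is used.  Returns the agreed
    policy, or None when phase 1 would fail."""
    for _, own in responder:
        for _, offer in initiator:
            if all(offer[k] == own[k] for k in MATCH_KEYS):
                return {**own, "lifetime": min(offer["lifetime"], own["lifetime"])}
    return None


def mismatched_attributes(initiator, responder):
    """When negotiate() fails, explain why: for the closest pair of policies,
    the set of MATCH_KEYS whose values differ (empty set when a match exists)."""
    best = None
    for _, own in responder:
        for _, offer in initiator:
            diff = {k for k in MATCH_KEYS if offer[k] != own[k]}
            if best is None or len(diff) < len(best):
                best = diff
    return best or set()


if __name__ == "__main__":
    # Both boxes left at 'crypto isakmp policy 1' with nothing else: phase 1 fails.
    router_default = effective_policies("router", {1: {}})
    asa_default = effective_policies("asa", {1: {}})
    print("defaults only:", negotiate(router_default, asa_default),
          "differs in", sorted(mismatched_attributes(router_default, asa_default)))
    # The article's explicit policy on both sides: aes / sha / pre-share / group 1.
    article = {"encryption": "aes", "hash": "sha", "authentication": "pre-share", "group": 1}
    print("article policy:", negotiate(effective_policies("asa", {1: article}),
                                       effective_policies("router", {1: article})))
```

The practical lesson is in the third test case: setting only "authentication pre-share" on both boxes still leaves encryption and DH group inherited from different defaults, which is why the article spells out every attribute of policy 1 on both ASAs.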

 

2. Whether IKE negotiation is enabled by default

By default, IKE negotiation is enabled on a router but disabled on an ASA firewall. On the ASA you must therefore enable it explicitly with the command crypto isakmp enable outside.

 

3. Introduction of the tunnel group feature

Strictly speaking, this is not a configuration difference between a firewall and a router. Tunnel groups are a new feature introduced when the firewall software moved from version 6.x to version 7.0, and they are mainly used to simplify the configuration and management of IPsec sessions. The ASA firewall still supports the router-style command for configuring the shared secret key (crypto isakmp key key-string address peer-address).

 

4. The impact of interface security levels on IPsec traffic

Firewalls have a restriction: traffic that enters on one interface cannot leave through an interface with the same security level; in other words, traffic cannot pass between interfaces that share a security level. This is primarily a security feature, but it can affect IPsec traffic.

 

If the ASA firewall sits at the central node of the network (for example, at company headquarters) and, for unified management of branch traffic, all traffic between branches is required to pass through head office, then the situation above arises and the branches cannot communicate with each other. The following command is then needed:

[Figure: Yang Shufan 02.png]


ASA-1(config)# same-security-traffic permit {intra-interface | inter-interface}

 

The difference between the two keyword options of the command above:

The intra-interface keyword allows traffic to enter and leave through the same interface, and is mostly used on the central device in L2L sessions;

The inter-interface keyword allows traffic to enter on one interface and leave on a different interface with the same security level, and is mostly used on Easy VPN gateways in remote access VPN sessions.



