Yoshihiro Hagiwara (Cisco Employee)
Introduction

This document describes an EzVPN configuration example that uses an ASA5506 as the hardware client. The basic configuration was covered in the earlier article (EzVPN configuration example using an ASA hardware client). This article adds Internet access from each branch site and, at the same time, a hairpin connection from Site 1 to Site 2. It assumes that the basic VPN configuration from "EzVPN configuration example using an ASA hardware client" is already in place.

In this article's example the hub site uses an ASA5512-X, and every ASA runs OS version 9.8.2. The sample topology is shown below. The configuration in this article uses NAT and split tunneling.

[Figure: EzVPN-NW1.PNG, sample network diagram]
Hub site configuration example

The hub-side configuration is shown below. (In the example the hub side is an ASA5512-X.)

### Adding the split-tunnel configuration ###

access-list SplitTunnelNetworks standard permit 10.1.0.0 255.255.0.0
access-list SplitTunnelNetworks standard permit 10.2.0.0 255.255.0.0
access-list SplitTunnelNetworks standard permit 10.0.0.0 255.255.0.0

group-policy easyvpnclientgrouppolicy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SplitTunnelNetworks

 

### NAT configuration ###

object network Server-net
subnet 10.0.0.0 255.255.0.0
object network Site1-net
subnet 10.1.0.0 255.255.0.0
object network Site2-net
subnet 10.2.0.0 255.255.0.0
※ Create the network objects used by the NAT rules.

nat (outside,outside) source static Site1-net Site1-net destination static Site2-net Site2-net description Uturn-traffic
nat (inside,outside) source static Server-net Server-net destination static Site1-net Site1-net description ToSite1
nat (inside,outside) source static Server-net Server-net destination static Site2-net Site2-net description ToSite2

object network Server-net
nat (inside,outside) dynamic interface

 

  

Site 1 configuration example

The Site 1 configuration is shown below. In the example the outside interface obtains its IP address via DHCP. (In the example Site 1 is an ASA5506-H.)

### NAT configuration ###

object network Site1-net
subnet 10.1.0.0 255.255.0.0
nat (inside,outside) dynamic interface

※ The split-tunnel settings are pushed from the hub site, so nothing needs to be configured for them here.

 

Site 2 configuration example

The Site 2 configuration is shown below. In the example the outside interface obtains its IP address via DHCP. (In the example Site 2 is an ASA5506-H.)

### NAT configuration ###

object network Site2-net
subnet 10.2.0.0 255.255.0.0
nat (inside,outside) dynamic interface

※ The split-tunnel settings are pushed from the hub site, so nothing needs to be configured for them here.
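To make the interplay of the hub's twice NAT rules, the pushed split-tunnel exemption and each site's Auto NAT rule concrete, here is an added Python model of the NAT lookup. It was written for this page; it is not ASA code and not the article author's. It walks the article's four test flows through the rule order the ASA uses and, going slightly beyond the article, also checks the Site 2 to Site 1 direction of the hairpin and the hub's own Internet breakout. Device, interface, object and address names are the article's; the flow list, the "effect" strings and the simplifications noted in the docstring are this model's own.

```python
"""Added model of how the NAT rules in this article are looked up on the hub
(EzVPNServer) and on a hardware client (Site 1 / Site 2).  Written for this
page: it is not ASA code, not the author's, and not output of any Cisco tool.
It applies the ASA order (all Manual NAT / Section 1 rules as configured, then
Auto NAT / Section 2) to the rules the article shows.  Static twice NAT rules
match in both directions, which is what the untranslate_hits counter in
"show nat" records; dynamic PAT matches only real -> mapped.  Not modelled:
the spoke's _internal_loopback rule (the ASA's own traffic) and Section 2
ordering, which does not matter with one Auto NAT rule per device.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NatRule:
    name: str            # description or object name as "show nat" prints it
    section: int         # 1 = Manual NAT (twice NAT), 2 = Auto NAT (object NAT)
    real_if: str         # interface the real addresses sit behind
    mapped_if: str       # interface the mapped addresses are reachable on
    src: tuple           # real source networks (CIDR strings) or ("any",)
    dst: tuple           # real destination networks (CIDR strings) or ("any",)
    bidirectional: bool  # True for static rules, False for dynamic PAT
    effect: str          # what a match means for the flow (this model's wording)


def _in(nets, addr):
    return any(n == "any" or ip_address(addr) in ip_network(n) for n in nets)


def lookup(rules, ingress, src, dst):
    """First matching rule in ASA order.  Returns (rule, "translate") when the
    flow enters on the real interface and matches real src/dst, or
    (rule, "untranslate") when it enters on the mapped interface and matches the
    rule backwards (static rules only).  None means no NAT rule applies."""
    for section in (1, 2):
        for r in rules:
            if r.section != section:
                continue
            if ingress == r.real_if and _in(r.src, src) and _in(r.dst, dst):
                return r, "translate"
            if r.bidirectional and ingress == r.mapped_if \
                    and _in(r.dst, src) and _in(r.src, dst):
                return r, "untranslate"
    return None


# Hub rules in the order "show nat" lists them in the article.
HUB_RULES = (
    NatRule("Uturn-traffic", 1, "outside", "outside", ("10.1.0.0/16",), ("10.2.0.0/16",), True,
            "identity NAT for the hairpin: in and out of the outside interface"),
    NatRule("ToSite1", 1, "inside", "outside", ("10.0.0.0/16",), ("10.1.0.0/16",), True,
            "identity NAT: hub servers <-> Site 1 through the tunnel"),
    NatRule("ToSite2", 1, "inside", "outside", ("10.0.0.0/16",), ("10.2.0.0/16",), True,
            "identity NAT: hub servers <-> Site 2 through the tunnel"),
    NatRule("Server-net interface", 2, "inside", "outside", ("10.0.0.0/16",), ("any",), False,
            "PAT to the hub's outside interface (Internet)"),
)

# SplitTunnelNetworks, as the hub's group policy pushes it to the clients.
SPLIT_TUNNEL = ("10.1.0.0/16", "10.2.0.0/16", "10.0.0.0/16")


def spoke_rules(site, net):
    """Rules a hardware client ends up with: the pushed split-tunnel exemption
    (_vpnc_objgrp_nem_split) and the site's own Auto NAT for Internet breakout."""
    return (
        NatRule("_vpnc_objgrp_nem_split", 1, "inside", "outside", ("any",), SPLIT_TUNNEL, True,
                "split-tunnel match: carried through the EzVPN tunnel untranslated"),
        NatRule(f"Site{site}-net interface", 2, "inside", "outside", (net,), ("any",), False,
                "PAT to the spoke's outside interface (local Internet breakout)"),
    )


SITE1_RULES = spoke_rules(1, "10.1.0.0/16")
SITE2_RULES = spoke_rules(2, "10.2.0.0/16")


def describe(rules, ingress, src, dst):
    hit = lookup(rules, ingress, src, dst)
    if hit is None:
        return "no NAT rule matched"
    rule, direction = hit
    return f"section {rule.section} {rule.name} [{direction}]: {rule.effect}"


# The article's four pings, seen at each device the flow crosses.
TESTS = (
    ("(1) Site 1 PC -> Site 2 PC, at Site 1", SITE1_RULES, "inside", "10.1.0.100", "10.2.0.100"),
    ("(1) Site 1 PC -> Site 2 PC, at the hub", HUB_RULES, "outside", "10.1.0.100", "10.2.0.100"),
    ("(1) Site 1 PC -> Site 2 PC, at Site 2", SITE2_RULES, "outside", "10.1.0.100", "10.2.0.100"),
    ("(2) Site 1 PC -> Internet, at Site 1", SITE1_RULES, "inside", "10.1.0.100", "1.1.1.1"),
    ("(3) Site 1 PC -> hub server, at the hub", HUB_RULES, "outside", "10.1.0.100", "10.0.0.100"),
    ("(4) hub server -> Site 1 PC, at the hub", HUB_RULES, "inside", "10.0.0.100", "10.1.0.100"),
    ("(4) hub server -> Site 1 PC, at Site 1", SITE1_RULES, "outside", "10.0.0.100", "10.1.0.100"),
)

if __name__ == "__main__":
    for label, rules, ingress, src, dst in TESTS:
        print(f"{label}: {describe(rules, ingress, src, dst)}")
```

The model reproduces the pattern the verification section shows: the Uturn-traffic rule is the only hub rule that covers a spoke-to-spoke flow entering and leaving the outside interface (drop it and the lookup returns nothing), the hub's ToSite1 rule is hit in the untranslate direction for Site 1 to hub traffic and in the translate direction for hub to Site 1 traffic, and a spoke's Auto NAT rule is reached only when the destination falls outside the pushed split-tunnel list.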

 

  

Verifying NAT translations after the VPN connection

For verification, the following pings were run to confirm reachability, and the NAT hit counters were checked before and after each one.

(1) Ping from the PC behind Site 1 (10.1.0.100) to the PC behind Site 2 (10.2.0.100)

Site 1:

EzVPNClientSite1# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static any any  destination static _vpnc_objgrp_nem_split _vpnc_objgrp_nem_split no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 0
2 (_internal_loopback) to (outside) source dynamic any _vpnc_nem_split_nat_addr
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic Site1-net interface
    translate_hits = 0, untranslate_hits = 0

EzVPNClientSite1# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static any any  destination static _vpnc_objgrp_nem_split _vpnc_objgrp_nem_split no-proxy-arp route-lookup
    translate_hits = 1, untranslate_hits = 1 <<<<< matches the split-tunnel rule
2 (_internal_loopback) to (outside) source dynamic any _vpnc_nem_split_nat_addr
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic Site1-net interface
    translate_hits = 0, untranslate_hits = 0
EzVPNClientSite1#

Hub site:

EzVPNServer# show nat
Manual NAT Policies (Section 1)
1 (outside) to (outside) source static Site1-net Site1-net  destination static Site2-net Site2-net description Uturn-traffic
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source static Server-net Server-net  destination static Site1-net Site1-net description ToSite1
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source static Server-net Server-net  destination static Site2-net Site2-net description ToSite2
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic Server-net interface
    translate_hits = 0, untranslate_hits = 0

EzVPNServer# show nat
Manual NAT Policies (Section 1)
1 (outside) to (outside) source static Site1-net Site1-net  destination static Site2-net Site2-net description Uturn-traffic
    translate_hits = 1, untranslate_hits = 1 <<<<< matches Site 1 -> Site 2
2 (inside) to (outside) source static Server-net Server-net  destination static Site1-net Site1-net description ToSite1
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source static Server-net Server-net  destination static Site2-net Site2-net description ToSite2
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic Server-net interface
    translate_hits = 0, untranslate_hits = 0

Site 2:

EzVPNClientSite2# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static any any  destination static _vpnc_objgrp_nem_split _vpnc_objgrp_nem_split no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 0
2 (_internal_loopback) to (outside) source dynamic any _vpnc_nem_split_nat_addr
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic Site2-net interface
    translate_hits = 0, untranslate_hits = 0

EzVPNClientSite2# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static any any  destination static _vpnc_objgrp_nem_split _vpnc_objgrp_nem_split no-proxy-arp route-lookup
    translate_hits = 1, untranslate_hits = 1 <<<<< matches the split-tunnel rule
2 (_internal_loopback) to (outside) source dynamic any _vpnc_nem_split_nat_addr
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic Site2-net interface
    translate_hits = 0, untranslate_hits = 0

 

(2) Ping from the PC behind Site 1 (10.1.0.100) to the simulated Internet host 1.1.1.1

Site 1:

EzVPNClientSite1# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static any any  destination static _vpnc_objgrp_nem_split _vpnc_objgrp_nem_split no-proxy-arp route-lookup
    translate_hits = 1, untranslate_hits = 1
2 (_internal_loopback) to (outside) source dynamic any _vpnc_nem_split_nat_addr
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic Site1-net interface
    translate_hits = 0, untranslate_hits = 0

EzVPNClientSite1# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static any any  destination static _vpnc_objgrp_nem_split _vpnc_objgrp_nem_split no-proxy-arp route-lookup
    translate_hits = 1, untranslate_hits = 1
2 (_internal_loopback) to (outside) source dynamic any _vpnc_nem_split_nat_addr
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic Site1-net interface
    translate_hits = 5, untranslate_hits = 0 <<<<< matches the NAT rule for Internet access

 

(3) Ping from the PC behind Site 1 (10.1.0.100) to the PC behind the hub site (10.0.0.100)

Site 1:

EzVPNClientSite1# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static any any  destination static _vpnc_objgrp_nem_split _vpnc_objgrp_nem_split no-proxy-arp route-lookup
    translate_hits = 1, untranslate_hits = 1
2 (_internal_loopback) to (outside) source dynamic any _vpnc_nem_split_nat_addr
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic Site1-net interface
    translate_hits = 5, untranslate_hits = 0

EzVPNClientSite1# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static any any  destination static _vpnc_objgrp_nem_split _vpnc_objgrp_nem_split no-proxy-arp route-lookup
    translate_hits = 6, untranslate_hits = 6 <<<<< matches the split-tunnel rule
2 (_internal_loopback) to (outside) source dynamic any _vpnc_nem_split_nat_addr
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic Site1-net interface
    translate_hits = 5, untranslate_hits = 0

Hub site:

EzVPNServer# show nat
Manual NAT Policies (Section 1)
1 (outside) to (outside) source static Site1-net Site1-net  destination static Site2-net Site2-net description Uturn-traffic
    translate_hits = 1, untranslate_hits = 1
2 (inside) to (outside) source static Server-net Server-net  destination static Site1-net Site1-net description ToSite1
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source static Server-net Server-net  destination static Site2-net Site2-net description ToSite2
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic Server-net interface
    translate_hits = 0, untranslate_hits = 0

EzVPNServer# show nat
Manual NAT Policies (Section 1)
1 (outside) to (outside) source static Site1-net Site1-net  destination static Site2-net Site2-net description Uturn-traffic
    translate_hits = 1, untranslate_hits = 1
2 (inside) to (outside) source static Server-net Server-net  destination static Site1-net Site1-net description ToSite1
    translate_hits = 5, untranslate_hits = 5 <<<<< matches the NAT rule between the hub site and Site 1
3 (inside) to (outside) source static Server-net Server-net  destination static Site2-net Site2-net description ToSite2
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic Server-net interface
    translate_hits = 0, untranslate_hits = 0

 

(4) Ping from the PC behind the hub site (10.0.0.100) to the PC behind Site 1 (10.1.0.100)

Hub site:

EzVPNServer# sh nat
Manual NAT Policies (Section 1)
1 (outside) to (outside) source static Site1-net Site1-net  destination static Site2-net Site2-net description Uturn-traffic
    translate_hits = 1, untranslate_hits = 1
2 (inside) to (outside) source static Server-net Server-net  destination static Site1-net Site1-net description ToSite1
    translate_hits = 5, untranslate_hits = 5
3 (inside) to (outside) source static Server-net Server-net  destination static Site2-net Site2-net description ToSite2
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic Server-net interface
    translate_hits = 0, untranslate_hits = 0
EzVPNServer# show nat
Manual NAT Policies (Section 1)
1 (outside) to (outside) source static Site1-net Site1-net  destination static Site2-net Site2-net description Uturn-traffic
    translate_hits = 1, untranslate_hits = 1
2 (inside) to (outside) source static Server-net Server-net  destination static Site1-net Site1-net description ToSite1
    translate_hits = 10, untranslate_hits = 10 <<<<< matches the NAT rule between the hub site and Site 1
3 (inside) to (outside) source static Server-net Server-net  destination static Site2-net Site2-net description ToSite2
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic Server-net interface
    translate_hits = 0, untranslate_hits = 0

Site 1:

EzVPNClientSite1# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static any any  destination static _vpnc_objgrp_nem_split _vpnc_objgrp_nem_split no-proxy-arp route-lookup
    translate_hits = 6, untranslate_hits = 6
2 (_internal_loopback) to (outside) source dynamic any _vpnc_nem_split_nat_addr
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic Site1-net interface
    translate_hits = 5, untranslate_hits = 0

EzVPNClientSite1# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static any any  destination static _vpnc_objgrp_nem_split _vpnc_objgrp_nem_split no-proxy-arp route-lookup
    translate_hits = 11, untranslate_hits = 11 <<<<< matches the NAT rule between the hub site and Site 1
2 (_internal_loopback) to (outside) source dynamic any _vpnc_nem_split_nat_addr
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic Site1-net interface
    translate_hits = 5, untranslate_hits = 0
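The before/after comparison of hit counters above is done by eye. The following added Python script (written for this page; it is not a Cisco tool and not the author's code) parses two "show nat" snapshots and reports only the rules whose counters moved, which is the check a practitioner wants when several rules could plausibly match. The two snapshots embedded in it are constructed from the page's Site 1 output before and after test (2); the format it expects is the one shown on the page, and the "<<<<<" remarks are the author's annotations, which the parser ignores.

```python
"""Compare two "show nat" snapshots and report the rules whose hit counters
changed.  Added example for this page, not a Cisco tool and not the author's
code.  Parses the layout shown on the page: a "Manual NAT Policies (Section 1)"
or "Auto NAT Policies (Section 2)" header, numbered rule lines, and a
"translate_hits = N, untranslate_hits = M" line under each rule.
"""
import re

SECTION_RE = re.compile(r"\(Section (\d+)\)")
RULE_RE = re.compile(r"^\s*\d+\s+(\(\S+\) to \(\S+\)\s+.*?)\s*$")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")

# Constructed from the page's Site 1 output before and after test (2).
BEFORE = """\
EzVPNClientSite1# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static any any  destination static _vpnc_objgrp_nem_split _vpnc_objgrp_nem_split no-proxy-arp route-lookup
    translate_hits = 1, untranslate_hits = 1
2 (_internal_loopback) to (outside) source dynamic any _vpnc_nem_split_nat_addr
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic Site1-net interface
    translate_hits = 0, untranslate_hits = 0
"""

AFTER = """\
EzVPNClientSite1# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static any any  destination static _vpnc_objgrp_nem_split _vpnc_objgrp_nem_split no-proxy-arp route-lookup
    translate_hits = 1, untranslate_hits = 1
2 (_internal_loopback) to (outside) source dynamic any _vpnc_nem_split_nat_addr
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic Site1-net interface
    translate_hits = 5, untranslate_hits = 0 <<<<< matches the NAT rule for Internet access
"""


def parse_show_nat(text):
    """Return {(section, rule_text): (translate_hits, untranslate_hits)}.
    Rules are keyed by their text rather than their number so that a rule
    inserted between two snapshots does not shift every later comparison."""
    policies = {}
    section = None
    pending = None
    for line in text.splitlines():
        m = SECTION_RE.search(line)
        if m:
            section = int(m.group(1))
            continue
        m = RULE_RE.match(line)
        if m and section is not None:
            pending = (section, " ".join(m.group(1).split()))
            continue
        m = HITS_RE.search(line)       # search() so trailing annotations are ignored
        if m and pending is not None:
            policies[pending] = (int(m.group(1)), int(m.group(2)))
            pending = None
    return policies


def diff_hits(before, after):
    """Rules whose counters changed, as (section, rule_text, d_translate, d_untranslate).
    A rule absent from the earlier snapshot is compared against zero."""
    changes = []
    for key, (t1, u1) in after.items():
        t0, u0 = before.get(key, (0, 0))
        if (t1, u1) != (t0, u0):
            changes.append((key[0], key[1], t1 - t0, u1 - u0))
    return changes


if __name__ == "__main__":
    for section, rule, dt, du in diff_hits(parse_show_nat(BEFORE), parse_show_nat(AFTER)):
        print(f"Section {section}: {rule}\n    translate +{dt}, untranslate +{du}")
```

Against a live device, capture "show nat" before and after sending the test traffic and feed the two captures to parse_show_nat in place of the embedded strings; a rule that shows no movement in either counter was not the one the flow used.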

 

 

References

EzVPN configuration example using an ASA hardware client

https://supportforums.cisco.com/t5/-/-/ta-p/3397470

 

Network Address Translation (NAT)

https://www.cisco.com/c/ja_jp/td/docs/security/asa/asa98/configuration/firewall/asa-98-firewall-config/asa-98-firewall-config_chapter_01010.html

  

ASA/PIX: Configuration example for allowing split tunneling for VPN clients on the ASA

https://www.cisco.com/c/ja_jp/support/docs/security/asa-5500-x-series-next-generation-firewalls/70917-asa-split-tunnel-vpn-client.html#s2
