Posted by 碧云天
I. Overview
        As shown in the figure below, on IOS versions before 12.3(8)T an ACL applied to the physical interface acts on both the IPsec-encrypted traffic and the same traffic after decryption (and, in the outbound direction, on the cleartext before it is encrypted). So if you put an ACL on that interface and still want the IPsec VPN to work, you must permit IKE (UDP/500), ESP (IP protocol 50) and the cleartext traffic between the interesting-traffic subnets; permitting only IKE and ESP is not enough.

[Figure: ACL processing order on the physical interface before 12.3(8)T (image 232755ngrmp9502nu08lkb.png)]
II. Test topology
The chain, reconstructed from the configurations below, is: Inside (1.1.1.1) -- Site1 (Fa0/0 1.1.1.10, Fa0/1 202.100.1.1) -- Internet (202.100.1.10 / 61.128.1.10) -- Site2 (Fa0/0 61.128.1.1, Fa0/1 2.2.2.10) -- Private (2.2.2.1). The IPsec tunnel runs between Site1 and Site2 and carries 1.1.1.0/24 <-> 2.2.2.0/24.
Note: Site1 and Site2 run IOS (tm) 3700 Software (C3725-IK9S-M), Version 12.2(15)T9, i.e. a release with the pre-12.3(8)T behaviour described above.
III. Test steps
1. Basic configuration
① Inside router
interface Ethernet0/0
    ip address 1.1.1.1 255.255.255.0
    no shutdown
ip route 0.0.0.0 0.0.0.0 1.1.1.10
② Site1 router
interface FastEthernet0/0
    ip address 1.1.1.10 255.255.255.0
    no shutdown
interface FastEthernet0/1
    ip address 202.100.1.1 255.255.255.0
    no shutdown
ip route 0.0.0.0 0.0.0.0 202.100.1.10
③ Internet router
interface Ethernet0/0
    ip address 202.100.1.10 255.255.255.0
    no shutdown
interface Ethernet0/1
    ip address 61.128.1.10 255.255.255.0
    no shutdown
④ Site2 router
interface FastEthernet0/0
    ip address 61.128.1.1 255.255.255.0
    no shutdown
interface FastEthernet0/1
    ip address 2.2.2.10 255.255.255.0
    no shutdown
ip route 0.0.0.0 0.0.0.0 61.128.1.10
⑤ Private router
interface Ethernet0/0
    ip address 2.2.2.1 255.255.255.0
    no shutdown
ip route 0.0.0.0 0.0.0.0 2.2.2.10
2. VPN configuration
Note: 3DES, MD5 and DH group 2 are used here because that is what this 12.2(15)T9 image supports. They are weak by today's standards; on a current release use AES, SHA-2 and DH group 14 or higher. The pre-shared key below is a lab value.
① Site1 router
-- Phase 1 (ISAKMP) policy
crypto isakmp policy 10
    encr 3des
    hash md5
    authentication pre-share
    group 2  
crypto isakmp key Cisc0123 address 61.128.1.1
-- Phase 2 (IPsec) transform set
crypto ipsec transform-set transet esp-3des esp-md5-hmac
-- Interesting traffic (crypto ACL)
ip access-list extended xll-vpn
    permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
-- Crypto map, applied to the outside (peer-facing) interface
crypto map crymap 10 ipsec-isakmp
    set peer 61.128.1.1
    set transform-set transet
    match address xll-vpn
interface FastEthernet0/1
    crypto map crymap
② Site2 router
-- Phase 1 (ISAKMP) policy
crypto isakmp policy 10
    encr 3des
    hash md5
    authentication pre-share
    group 2  
crypto isakmp key Cisc0123 address 202.100.1.1
-- Phase 2 (IPsec) transform set
crypto ipsec transform-set transet esp-3des esp-md5-hmac
-- Interesting traffic (crypto ACL)
ip access-list extended xll-vpn
    permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255 
-- Crypto map, applied to the outside (peer-facing) interface
crypto map crymap 10 ipsec-isakmp
    set peer 202.100.1.1
    set transform-set transet
    match address xll-vpn
interface FastEthernet0/0
    crypto map crymap
3. Inbound ACL test (performed on Site1 only)
① Configure the ACL (IKE and ESP from the peer only; everything else, including decrypted traffic, is denied)
ip access-list extended Site1.Inbound
    permit udp host 61.128.1.1 eq isakmp host 202.100.1.1 eq isakmp
    permit esp host 61.128.1.1 host 202.100.1.1
    deny   ip any any
② Apply the ACL inbound on the outside interface
interface FastEthernet0/1
     ip access-group Site1.Inbound in
③ Now Inside cannot ping Private. On Site1 the ESP line shows matches (the echo replies arrived encrypted and were permitted), but the deny line also counts hits: the same replies were checked a second time after decryption, as ICMP from 2.2.2.0/24, and dropped.
Inside#ping 2.2.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Inside#
Site1#show ip access-lists  Site1.Inbound
Extended IP access list Site1.Inbound
    10 permit udp host 61.128.1.1 eq isakmp host 202.100.1.1 eq isakmp
    20 permit esp host 61.128.1.1 host 202.100.1.1 (5 matches)
    30 deny ip any any (10 matches)
Site1#
④ Modify the ACL to permit the decrypted traffic: add a line at sequence 21 permitting ICMP from 2.2.2.0/24 to 1.1.1.0/24
Site1#show ip access-lists  Site1.Inbound
Extended IP access list Site1.Inbound
    10 permit udp host 61.128.1.1 eq isakmp host 202.100.1.1 eq isakmp
    20 permit esp host 61.128.1.1 host 202.100.1.1 (5 matches)
    21 permit icmp 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
    30 deny ip any any (10 matches)
Site1#
⑤ Now Inside can ping Private. On Site1 the ESP line counts the new encrypted replies and the new ICMP line counts the same replies after decryption; the deny counter no longer increases.
Inside#ping 2.2.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/42/43 ms
Inside#
Site1#show ip access-lists  Site1.Inbound
Extended IP access list Site1.Inbound
    10 permit udp host 61.128.1.1 eq isakmp host 202.100.1.1 eq isakmp
    20 permit esp host 61.128.1.1 host 202.100.1.1 (10 matches)
    21 permit icmp 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255 (6 matches)
    30 deny ip any any (10 matches)
Site1#
4. Outbound ACL test (performed on Site1 only)
① Configure the ACL (IKE and ESP to the peer only; all other traffic denied)
ip access-list extended Site1.Outbound
    permit udp host 202.100.1.1 eq isakmp host 61.128.1.1 eq isakmp
    permit esp host 202.100.1.1 host 61.128.1.1
    deny   ip any any
② Apply the ACL outbound on the outside interface
interface FastEthernet0/1
    ip access-group Site1.Outbound out
③ Now Inside cannot ping Private, and on Site1 the deny line counts the echoes. The "U" in the ping output is the ICMP unreachable that Site1 returns when the outbound ACL rejects the cleartext echo before it reaches the crypto map (the unreachables are rate-limited, hence the alternating "."). Note that the ESP line has no matches at all.
Inside#ping 2.2.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
Inside#
Site1#show ip access-lists Site1.Outbound
Extended IP access list Site1.Outbound
    10 permit udp host 202.100.1.1 eq isakmp host 61.128.1.1 eq isakmp
    20 permit esp host 202.100.1.1 host 61.128.1.1
    30 deny ip any any (8 matches)
④ Modify the ACL to permit the cleartext traffic: add a line at sequence 21 permitting ICMP from 1.1.1.0/24 to 2.2.2.0/24
Site1#show ip access-lists Site1.Outbound
Extended IP access list Site1.Outbound
    10 permit udp host 202.100.1.1 eq isakmp host 61.128.1.1 eq isakmp
    20 permit esp host 202.100.1.1 host 61.128.1.1
    21 permit icmp 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
    30 deny ip any any (8 matches)
Site1#
⑤ Now Inside can ping Private. On Site1 the ICMP line counts the five echoes, while the ESP line still shows no matches.
Inside#ping 2.2.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 31/37/44 ms
Inside#
Site1#show ip access-lists Site1.Outbound
Extended IP access list Site1.Outbound
    10 permit udp host 202.100.1.1 eq isakmp host 61.128.1.1 eq isakmp
    20 permit esp host 202.100.1.1 host 61.128.1.1
    21 permit icmp 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 (5 matches)
    30 deny ip any any (8 matches)
Site1#
Note: the outbound ESP line never gets a match, which shows the order of operations in the outbound direction: the interface ACL is evaluated on the cleartext first, and only a packet the ACL permits is then compared with the crypto ACL and encrypted; the resulting ESP packet is not checked by the outbound ACL again. The inbound direction is the reverse: the ACL is applied to the ESP packet, the packet is decrypted, and the ACL is applied once more to the cleartext, which is why the inbound ACL needs a permit for the decrypted interesting traffic.
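To make the two orders of operations concrete, here is an added example (not code from the original post and not IOS code) that implements Cisco extended-ACL matching with wildcard masks and replays both the inbound test (section 3) and the outbound test (section 4) on a router model with the pre-12.3(8)T behaviour. The addresses, ACL lines and packet flows are the ones from the post; the `Packet`, `ExtendedACL` and `OldIosRouter` classes, and the idea of standing in for decryption by carrying the cleartext inside the ESP packet, are assumptions of this model.

```python
"""Model of how a pre-12.3(8)T IOS interface ACL interacts with IPsec.
Added example, not from the original post: the classes below are a
simulation, not IOS code."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

ISAKMP_PORT = 500  # the port name "isakmp" in IOS ACL syntax


@dataclass(frozen=True)
class Packet:
    proto: str            # "icmp", "udp" or "esp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    inner: Optional["Packet"] = None   # cleartext carried inside an ESP packet (model assumption)


@dataclass
class Entry:
    seq: int
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    src: str              # "any", "host A" or "NET WILDCARD"
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    matches: int = 0      # what "show ip access-lists" prints as (N matches)


def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care'."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    net, wild = spec.split()
    care = ~int(IPv4Address(wild)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(net)) & care


def _addr(tok, i):
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return f"host {tok[i + 1]}", i + 2
    return f"{tok[i]} {tok[i + 1]}", i + 2


def _port(tok, i):
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (ISAKMP_PORT if name == "isakmp" else int(name)), i + 2
    return None, i


def parse_entry(seq: int, line: str) -> Entry:
    """Parse one line of extended-ACL syntax, e.g.
    'permit udp host 61.128.1.1 eq isakmp host 202.100.1.1 eq isakmp'."""
    tok = line.split()
    src, i = _addr(tok, 2)
    sport, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dport, i = _port(tok, i)
    return Entry(seq, tok[0], tok[1], src, dst, sport, dport)


class ExtendedACL:
    def __init__(self, name: str, lines):
        self.name = name
        self.entries = [parse_entry(10 * n, line) for n, line in enumerate(lines, 1)]

    def add(self, seq: int, line: str) -> None:
        """Insert at an explicit sequence number, like the post's '21 permit icmp ...'."""
        self.entries.append(parse_entry(seq, line))
        self.entries.sort(key=lambda e: e.seq)

    def permits(self, p: Packet) -> bool:
        for e in self.entries:  # first matching line wins
            if e.proto not in ("ip", p.proto):
                continue
            if not (wildcard_match(p.src, e.src) and wildcard_match(p.dst, e.dst)):
                continue
            if (e.sport is not None and e.sport != p.sport) or (e.dport is not None and e.dport != p.dport):
                continue
            e.matches += 1
            return e.action == "permit"
        return False  # implicit deny ip any any

    def hits(self) -> dict:
        return {e.seq: e.matches for e in self.entries}


class OldIosRouter:
    """Interface ACL behaviour before 12.3(8)T, as described in the post."""

    def __init__(self, local, peer, crypto_acl, inbound=None, outbound=None):
        self.local, self.peer, self.crypto_acl = local, peer, crypto_acl
        self.inbound, self.outbound = inbound, outbound

    def send(self, p: Packet):
        """Outbound: ACL on the cleartext first, then the crypto map encrypts
        interesting traffic; the resulting ESP packet is not checked again."""
        if self.outbound and not self.outbound.permits(p):
            return "dropped"          # IOS answers with ICMP unreachable ("U")
        if self.crypto_acl.permits(p):
            return Packet("esp", self.local, self.peer, inner=p)
        return p

    def receive(self, wire: Packet):
        """Inbound: ACL on the ESP packet, decrypt, ACL again on the cleartext."""
        if self.inbound and not self.inbound.permits(wire):
            return "dropped"
        if wire.proto != "esp" or wire.src != self.peer:
            return wire
        clear = wire.inner            # stands in for real ESP decryption
        if self.inbound and not self.inbound.permits(clear):
            return "dropped"          # the post's deny line counting decrypted replies
        return clear


SITE1, SITE2 = "202.100.1.1", "61.128.1.1"
CRYPTO_ACL = ["permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255"]  # xll-vpn on Site1


def inbound_test():
    """Section 3: echo reply from Private arrives as ESP on Site1's outside interface."""
    acl = ExtendedACL("Site1.Inbound", [
        f"permit udp host {SITE2} eq isakmp host {SITE1} eq isakmp",
        f"permit esp host {SITE2} host {SITE1}",
        "deny ip any any"])
    site1 = OldIosRouter(SITE1, SITE2, ExtendedACL("xll-vpn", CRYPTO_ACL), inbound=acl)
    wire = Packet("esp", SITE2, SITE1, inner=Packet("icmp", "2.2.2.1", "1.1.1.1"))
    before = site1.receive(wire)
    acl.add(21, "permit icmp 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255")
    return before, site1.receive(wire), acl.hits()


def outbound_test():
    """Section 4: echo from Inside leaves Site1 through the outbound ACL."""
    acl = ExtendedACL("Site1.Outbound", [
        f"permit udp host {SITE1} eq isakmp host {SITE2} eq isakmp",
        f"permit esp host {SITE1} host {SITE2}",
        "deny ip any any"])
    site1 = OldIosRouter(SITE1, SITE2, ExtendedACL("xll-vpn", CRYPTO_ACL), outbound=acl)
    echo = Packet("icmp", "1.1.1.1", "2.2.2.1")
    before = site1.send(echo)
    acl.add(21, "permit icmp 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255")
    return before, site1.send(echo), acl.hits()
```

`inbound_test()` returns "dropped" for the first reply (ESP line 20 and deny line 30 each count one hit, reproducing the double check) and the decrypted reply once line 21 exists; `outbound_test()` returns "dropped" and then an ESP packet, with the ESP line 20 staying at zero matches throughout, which is the observation the post ends on.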