1239 views · 1 helpful · 5 replies

SVTI tunnel between two Cisco ASA firewalls won't come up, gurus please help

349797592@qq.com (Spotlight)

[Topology image: 微信图片_20230621100800.png] The central idea of this topology's configuration is:
R1 has a loopback interface Loopback0 (1.1.1.1). For example, R1 pings R5's Loopback0 (5.5.5.5) sourced from Loopback0 (1.1.1.1). When the ICMP packet reaches firewall ASA1, it is encapsulated with the outer SVTI tunnel addresses, similar to a GRE over IPsec VPN tunnel: the outer source is ASA1's trust-zone Gi0/0 (12.1.1.2) and the outer destination is ASA2's trust-zone Gi0/1 (45.1.1.4). When the ICMP packet reaches ASA2, the outer SVTI tunnel addresses are stripped, exposing the inner addresses, source 1.1.1.1 and destination 5.5.5.5, and the packet is forwarded on to router R3.
The problem is that ASA1's trust-zone Gi0/0 (12.1.1.2) cannot establish the SVTI tunnel with ASA2's trust-zone Gi0/1 (45.1.1.4). The configurations of the three key devices, ASA1 - R2 - ASA2, are listed below; the R1 and R3 configurations are omitted.
The device configurations are as follows:
ASA1 configuration:
interface GigabitEthernet0/0
nameif trust
security-level 100
ip address 12.1.1.2 255.255.255.0
no shutdown
interface GigabitEthernet0/1
nameif untrust
security-level 0
ip address 23.1.1.2 255.255.255.0
no shutdown
---
object network nei_wang
subnet 12.1.1.0 255.255.255.0
object-group network internet_group
network-object object nei_wang
---
object network wai_wang
subnet 45.1.1.0 255.255.255.0
object-group network outside_group
network-object object wai_wang
---
object-group service ipsecSERVER
service-object gre
service-object esp
service-object ah
service-object udp destination eq isakmp
---
ACL permit policy: permit the services required between the source and destination addresses used to build the SVTI.
access-list trust-untrust extended permit object-group ipsecSERVER object-group internet_group object-group outside_group
access-list trust-untrust extended permit object-group ipsecSERVER object-group outside_group object-group internet_group
---
Apply the ACL defined above (the permitted services, source addresses and destination addresses) to the interface in the corresponding trust zone. The main purpose is to permit the traffic of both tunnel-establishment phases from the SVTI source 12.1.1.2 to the destination 45.1.1.4.

access-group trust-untrust in interface trust
---
Permit traffic on the interface in the AS3 zone where the tunnel lives, so that interesting traffic such as source 1.1.1.1 / destination 5.5.5.5 flowing from R1 to this ASA1 is allowed when it is encapsulated with the outer SVTI addresses as it goes through the tunnel. I don't yet know whether this traffic needs to be permitted; for now I list the configuration and permit all traffic.
access-list as2_access_in extended permit ip any any
access-group as2_access_in in interface as3
---

First, enable IKEv2 on the inside trust-zone interface and configure the IKEv2 policies.
crypto ikev2 policy 10
encryption aes-gcm-256 aes-gcm-192 aes-gcm
integrity null
group 20 5
prf sha512 sha384 sha256 sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes-256 aes-192 aes
integrity sha512 sha384 sha256 sha
group 20 5
prf sha512 sha384 sha256 sha
lifetime seconds 86400
crypto ikev2 enable trust
---
Configure the IKEv2 phase 2 IPsec transform sets (proposals) and the IPsec profile.
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1

crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1

crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1

crypto ipsec ikev2 ipsec-proposal as2-proposal
protocol esp encryption aes-256
protocol esp integrity sha-256

crypto ipsec profile as2-proposal
set ikev2 ipsec-proposal as2-proposal
---
Next, configure the group policy and tunnel group on the ASA using the pre-shared key defined in step 3. The pre-shared key is used for authentication in the phase 1 negotiation.
group-policy as2 internal
group-policy as2 attributes
vpn-tunnel-protocol ikev2

tunnel-group 45.1.1.4 type ipsec-l2l
tunnel-group 45.1.1.4 general-attributes
default-group-policy as2
tunnel-group 45.1.1.4 ipsec-attributes
ikev2 remote-authentication pre-shared-key cisco@123
ikev2 local-authentication pre-shared-key cisco@123
---
interface Tunnel1
nameif as3
ip address 10.2.100.1 255.255.255.252
tunnel source interface trust
tunnel destination 45.1.1.4
tunnel mode ipsec ipv4
tunnel protection ipsec profile as2-proposal

route trust 1.0.0.0 255.0.0.0 12.1.1.1
route untrust 0.0.0.0 0.0.0.0 23.1.1.3
route as3 5.5.5.5 255.255.255.255 10.2.100.2 1
---
ASA2 configuration:

interface GigabitEthernet0/1
nameif trust
security-level 100
ip address 45.1.1.4 255.255.255.0
no shutdown

interface GigabitEthernet0/0
nameif untrust
security-level 0
ip address 34.1.1.4 255.255.255.0
no shutdown
---
object network nei_wang
subnet 45.1.1.0 255.255.255.0
object-group network internet_group
network-object object nei_wang
---
object network wai_wang
subnet 12.1.1.0 255.255.255.0
object-group network outside_group
network-object object wai_wang
---
object-group service ipsecSERVER
service-object gre
service-object esp
service-object ah
service-object udp destination eq isakmp
---
ACL permit policy: permit the services required between the source and destination addresses used to build the SVTI.
access-list trust-untrust extended permit object-group ipsecSERVER object-group internet_group object-group outside_group
access-list trust-untrust extended permit object-group ipsecSERVER object-group outside_group object-group internet_group
---
Apply the ACL defined above (the permitted services, source addresses and destination addresses) to the interface in the corresponding trust zone. The main purpose is to permit the traffic of both tunnel-establishment phases from the SVTI source 45.1.1.4 to the destination 12.1.1.2.
access-group trust-untrust in interface trust
---
Permit traffic on the interface in the AS3 zone where the tunnel lives, so that interesting traffic such as source 1.1.1.1 / destination 5.5.5.5 flowing from R1 to this ASA1 is allowed when it is encapsulated with the outer SVTI addresses as it goes through the tunnel. I don't yet know whether this traffic needs to be permitted; for now I list the configuration and permit all traffic.
access-list as2_access_in extended permit ip any any
access-group as2_access_in in interface as3
---

First, enable IKEv2 on the inside trust-zone interface and configure the IKEv2 policies.
crypto ikev2 policy 10
encryption aes-gcm-256 aes-gcm-192 aes-gcm
integrity null
group 20 5
prf sha512 sha384 sha256 sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes-256 aes-192 aes
integrity sha512 sha384 sha256 sha
group 20 5
prf sha512 sha384 sha256 sha
lifetime seconds 86400

crypto ikev2 enable trust
---
Configure the IKEv2 phase 2 IPsec transform sets (proposals) and the IPsec profile.
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1

crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1

crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1

crypto ipsec ikev2 ipsec-proposal as2-proposal
protocol esp encryption aes-256
protocol esp integrity sha-256

crypto ipsec profile as2-proposal
set ikev2 ipsec-proposal as2-proposal
---
Next, configure the group policy and tunnel group on the ASA using the pre-shared key defined in step 3. The pre-shared key is used for authentication in the phase 1 negotiation.
group-policy as2 internal
group-policy as2 attributes
vpn-tunnel-protocol ikev2

tunnel-group 12.1.1.2 type ipsec-l2l
tunnel-group 12.1.1.2 general-attributes
default-group-policy as2
tunnel-group 12.1.1.2 ipsec-attributes
ikev2 remote-authentication pre-shared-key cisco@123
ikev2 local-authentication pre-shared-key cisco@123
---
interface Tunnel1
nameif as3
ip address 10.2.100.2 255.255.255.252
tunnel source interface trust
tunnel destination 12.1.1.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile as2-proposal


route trust 5.0.0.0 255.0.0.0 45.1.1.5
route untrust 0.0.0.0 0.0.0.0 34.1.1.3
route as3 1.1.1.1 255.255.255.255 10.2.100.1 1
----
Huawei router R2 configuration:
interface G0/0/0
ip address 23.1.1.3 255.255.255.0
undo shutdown
interface G0/0/1
ip address 34.1.1.3 255.255.255.0
undo shutdown
ip route-static 45.1.1.4 255.255.255.255 34.1.1.4
ip route-static 12.1.1.2 255.255.255.255 23.1.1.2

1 accepted solution

Accepted solution

ilay (VIP)

I don't understand why you are building the tunnel trust-to-trust. Can that even work?

Configure it on the outside or untrust interface instead.

The trust interface doesn't need an ACL; traffic from a higher security level to a lower one is permitted by default, just make sure trust's security-level is higher than untrust's.

Remember: from the device's point of view, use the interface that is "closest" to the destination address as the source interface for the VPN and the tunnel.

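The fix the accepted answer describes, written out as an added example; this is not configuration from the original post or from the Cisco document the poster followed. It assumes only the addressing already shown in the thread: ASA1 reaches R2 through untrust (23.1.1.2) and ASA2 through untrust (34.1.1.4), so those addresses become the tunnel source and destination, and the tunnel-group names change with them because an ASA L2L tunnel-group is named by the peer's IKE address. The IKEv2 policies, IPsec proposals, IPsec profile, group policy, Tunnel1 addressing and the static routes stay exactly as posted.

```cisco
! ===== ASA1 (added example, not the poster's config) =====
! Tear out the trust-sourced pieces: IKEv2 listening on trust and the
! tunnel-group keyed on ASA2's trust address.
no crypto ikev2 enable trust
clear configure tunnel-group 45.1.1.4

! IKE must listen on the interface that faces the peer, i.e. the one the
! route to the peer (here the default route via 23.1.1.3) points out of.
crypto ikev2 enable untrust

! The peer's IKE address is now ASA2's untrust interface.
tunnel-group 34.1.1.4 type ipsec-l2l
tunnel-group 34.1.1.4 general-attributes
 default-group-policy as2
tunnel-group 34.1.1.4 ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco@123
 ikev2 local-authentication pre-shared-key cisco@123

! Same VTI, re-sourced on untrust and pointed at ASA2's untrust address.
interface Tunnel1
 nameif as3
 ip address 10.2.100.1 255.255.255.252
 tunnel source interface untrust
 tunnel destination 34.1.1.4
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile as2-proposal

! Unchanged from the post: inner traffic to 5.5.5.5 goes into the tunnel.
route as3 5.5.5.5 255.255.255.255 10.2.100.2 1

! ===== ASA2 (mirror image) =====
no crypto ikev2 enable trust
clear configure tunnel-group 12.1.1.2
crypto ikev2 enable untrust

tunnel-group 23.1.1.2 type ipsec-l2l
tunnel-group 23.1.1.2 general-attributes
 default-group-policy as2
tunnel-group 23.1.1.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco@123
 ikev2 local-authentication pre-shared-key cisco@123

interface Tunnel1
 nameif as3
 ip address 10.2.100.2 255.255.255.252
 tunnel source interface untrust
 tunnel destination 23.1.1.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile as2-proposal

route as3 1.1.1.1 255.255.255.255 10.2.100.1 1

! ===== Verification (run on either ASA) =====
! The IKEv2 SA should list local 23.1.1.2 / remote 34.1.1.4 (reversed on
! ASA2) in READY state, and the IPsec SA counters should increment once
! R1 pings 5.5.5.5 sourced from 1.1.1.1.
show crypto ikev2 sa
show crypto ipsec sa peer 34.1.1.4
! Simulate the interesting traffic; the result should be ALLOW with
! output interface as3 (the Tunnel1 nameif), not untrust.
packet-tracer input trust icmp 1.1.1.1 8 0 5.5.5.5 detailed
! If the SA still does not form, watch the exchange on both peers.
debug crypto ikev2 protocol 127
```

Two things follow from this change. The `trust-untrust` ACL and the `ipsecSERVER` object group are no longer doing anything for the tunnel: IKE and ESP addressed to the ASA itself are handed to the crypto engine on the interface where IKEv2 is enabled, not filtered by that interface's access-group, and R2 already has 23.1.1.0/24 and 34.1.1.0/24 as connected routes, so its two /32 static routes become unnecessary. Separately, both posted IKEv2 policies still offer DH group 5 and SHA-1 (`group 20 5`, `integrity ... sha`, `prf ... sha`) and the three unused IPsec proposals use `sha-1`; once the tunnel is up, trim those lists to `group 20` and SHA-256 or better so the peers cannot negotiate down.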

5 replies

349797592@qq.com (Spotlight)

This is Cisco's official configuration for building an IPsec VPN tunnel with SVTI; the above was configured following that document, yet the SVTI tunnel still won't come up, strange.
https://www.cisco.com/c/zh_cn/support/docs/security/adaptive-security-appliance-asa-software/214109-configure-asa-ipsec-vti-connection-to-az.html?dtid=osscdc000283

"Remember: from the device's point of view, use the interface that is 'closest' to the destination address as the source interface for the VPN and the tunnel." Lesson learned.
But does that mean an IPsec VPN tunnel cannot be built with the topology and configuration above? No matter how I configure it, it doesn't come up. Is it impossible to establish the tunnel however it is configured?
"The trust interface doesn't need an ACL; traffic from a higher security level to a lower one is permitted by default, just make sure trust's security-level is higher than untrust's."
I understand this point now too, thank you for the guidance.

Could I ask you another ASA firewall question?

My Cisco firewall model is the ASA 5555, and I now need to configure
a password complexity policy, password expiry, and lockout after a number of failed logins.
Can these be configured? I can't seem to find the relevant information in the official documentation, thanks.


Do you have a WeChat contact? Thanks.
