cisco+IPSEC+NAT.docx
cisco+IPSEC+NAT
CISCO + IPSEC + NAT Configuration Example
September 4, 2008
Contents
1. Theoretical background
2. Network diagram
3. Router configuration
4. Service test
1. Theoretical background
IPSec VPN refers to a VPN technology that uses the IPSec protocol to implement remote access. IPSec is a security standard that is still being refined by the IETF (Internet Engineering Task Force); it is a broad, open VPN security protocol suite that provides protection for all data at the network layer and offers transparent secure communication.
Because IPSec works at the network layer, it cannot normally pass through NAT devices or firewalls.
First, a closer look at the IPSec protocol itself:
The IP Security protocol (IPSec) can implement a VPN through the corresponding tunnelling technology.
IPSec has two modes:
tunnel mode and transport mode.
IPSec is not a single protocol; it defines a complete architecture for securing network data at the IP layer, including the Authentication Header (AH) protocol, the Encapsulating Security Payload (ESP) protocol, the Internet Key Exchange (IKE) key-management protocol, and a set of algorithms used for authentication and encryption.
IPSec specifies how peers select security protocols, agree on security algorithms and exchange keys, and provides the upper layers with access control, data-origin authentication, data encryption and other network security services.
The main security properties of IPSec are:
Non-repudiation:
"Non-repudiation" proves that the sender of a message is the only possible sender, so the sender cannot deny having sent it.
"Non-repudiation" is a property of public-key technology: the sender produces a digital signature with its private key and sends it together with the message, and the receiver verifies the signature with the sender's public key.
Since in theory only the sender holds the private key, only the sender could have produced that signature, so once the signature verifies, the sender cannot deny having sent the message.
"Non-repudiation" is not, however, a property of authentication based on shared keys, because with shared-key authentication the sender and the receiver hold the same key.
Anti-replay:
"Anti-replay" ensures that every IP packet is unique, so that even if a packet is intercepted and copied it cannot be reused or retransmitted to the destination address.
This prevents an attacker who has captured and decoded traffic from replaying the same packets to obtain unauthorised access (even if the replay happens months later).
Data integrity:
Prevents data from being altered in transit, ensuring that the data received matches the data sent.
IPSec uses a hash function to produce a cryptographic checksum for each packet; the receiver computes the checksum before opening the packet, and if the packet has been tampered with so that the checksums do not match, the packet is discarded.
Data confidentiality (encryption):
Data is encrypted before transmission, so that even if packets are intercepted in transit the information cannot be read.
This feature is optional in IPSec and depends on how the IPSec policy is configured.
Authentication:
The data source presents credentials and the receiver verifies their validity; only systems that pass authentication can establish a communication session.
2. Network diagram
The diagram itself is not included in the extracted text; the topology below is reconstructed from the router configurations in section 3.
r5 (Lo0 5.5.5.5, Fa0/0 10.10.9.2) --- (Fa0/0 10.10.9.1) r3 (POS3/0 10.10.10.2) --- (POS1/0 10.10.10.1) r1 (Fa0/0 10.10.11.1) --- (Fa0/0 10.10.11.2) r2 (Fa2/0 10.10.12.1) --- (Fa0/0 10.10.12.2) r4 (Lo0 4.4.4.4)
r2 and r3 are the IPSec peers (10.10.11.2 and 10.10.10.2) and each also performs NAT overload on its outside interface; r1 sits between them as the transit network. The crypto ACLs protect traffic between the loopbacks 4.4.4.4 and 5.5.5.5 only.
3. Router configuration
router1:
r1#show run
Building configuration...

Current configuration : 725 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
ip cef
ip audit po max-events 100
!
!
interface FastEthernet0/0
 ip address 10.10.11.1 255.255.255.0
 duplex full
!
interface POS1/0
 ip address 10.10.10.1 255.255.255.0
 encapsulation ppp
!
interface FastEthernet2/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet3/0
 no ip address
 shutdown
 duplex half
!
ip classless
no ip http server
no ip http secure-server
!
!
gatekeeper
 shutdown
!
!
line con 0
 stopbits 1
line aux 0
line vty 0 4
!
!
end
r1#
router2:
r2#show run
Building configuration...
*Sep 3 14:10:46.631: %SYS-5-CONFIG_I: Configured from console by console

Current configuration : 1359 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
ip cef
ip audit po max-events 100
!
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key abc2001 address 10.10.10.2
!
!
crypto ipsec transform-set abc-des esp-des esp-sha-hmac
!
crypto map abc local-address FastEthernet0/0
crypto map abc 20 ipsec-isakmp
 set peer 10.10.10.2
 set transform-set abc-des
 match address 105
!
!
!
!
interface FastEthernet0/0
 ip address 10.10.11.2 255.255.255.0
 ip nat outside
 duplex full
 crypto map abc
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet2/0
 ip address 10.10.12.1 255.255.255.0
 ip nat inside
 duplex full
!
interface POS3/0
 no ip address
 shutdown
!
ip nat inside source route-map abc interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.11.1
no ip http server
no ip http secure-server
!
!
access-list 105 permit ip host 4.4.4.4 host 5.5.5.5
access-list 150 deny ip host 4.4.4.4 host 5.5.5.5
access-list 150 permit ip host 4.4.4.4 any
!
route-map abc permit 10
 match ip address 150
!
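The point of the deny entry in ACL 150 is the IOS order of operations: on the inside-to-outside path, NAT (here the route-map) runs before the crypto map is checked, so VPN traffic must be exempted from NAT or ACL 105 will no longer match its translated source. The following Python is an added example, not part of the original document or of Cisco's code; it models that ordering with r2's ACL 105 and ACL 150, and adds a constructed NAT ACL without the deny line to show the traffic leaving unencrypted.

```python
"""Added example: IOS outbound order of operations on r2 (NAT route-map
before crypto map), using the ACLs from the r2 configuration above.
Packet values and the 'no exemption' ACL are constructed for the example."""
import ipaddress


def _match(spec, ip):
    # ACL address spec: "any", "host X", or a network in CIDR form.
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip == spec.split()[1]
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def acl_lookup(acl, src, dst):
    """First matching entry wins; no match is the implicit deny."""
    for action, s, d in acl:
        if _match(s, src) and _match(d, dst):
            return action
    return "deny"


def outbound(src, dst, nat_acl, crypto_acl, outside_ip):
    """Inside-to-outside on r2: route-map NAT first, then crypto map.
    Only the source address is modelled; PAT port rewriting is omitted."""
    if acl_lookup(nat_acl, src, dst) == "permit":   # route-map abc matches
        src = outside_ip                            # overload to Fa0/0 address
    encrypted = acl_lookup(crypto_acl, src, dst) == "permit"
    return src, encrypted


# ACL 105 and ACL 150 exactly as configured on r2
ACL_105 = [("permit", "host 4.4.4.4", "host 5.5.5.5")]
ACL_150 = [("deny", "host 4.4.4.4", "host 5.5.5.5"),
           ("permit", "host 4.4.4.4", "any")]
# Constructed misconfiguration: the NAT ACL without the VPN exemption
ACL_150_NO_EXEMPT = [("permit", "host 4.4.4.4", "any")]
R2_OUTSIDE = "10.10.11.2"


def demo():
    return {
        "vpn_ok": outbound("4.4.4.4", "5.5.5.5", ACL_150, ACL_105, R2_OUTSIDE),
        "internet": outbound("4.4.4.4", "10.10.11.1", ACL_150, ACL_105, R2_OUTSIDE),
        "vpn_leak": outbound("4.4.4.4", "5.5.5.5", ACL_150_NO_EXEMPT, ACL_105, R2_OUTSIDE),
    }


if __name__ == "__main__":
    for name, (src, enc) in demo().items():
        print(f"{name}: source {src}, {'encrypted' if enc else 'CLEAR TEXT'}")
```

The vpn_leak case is the failure mode to watch for: the packet still leaves Fa0/0, but as plain IP from 10.10.11.2 rather than as ESP, so a capture on the outside interface showing unencrypted inside-to-inside traffic is the quickest check that the NAT exemption is missing.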
router3:
r3#show run
Building configuration...

Current configuration : 1409 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
ip cef
ip audit po max-events 100
!
!
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key abc2001 address 10.10.11.2
!
!
crypto ipsec transform-set abc-des esp-des esp-sha-hmac
 mode transport
!
crypto map abc local-address POS3/0
crypto map abc 20 ipsec-isakmp
 set peer 10.10.11.2
 set transform-set abc-des
 match address 105
!
!
!
!
interface FastEthernet0/0
 ip address 10.10.9.1 255.255.255.0
 ip nat inside
 duplex full
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet2/0
 no ip address
 shutdown
 duplex half
!
interface POS3/0
 ip address 10.10.10.2 255.255.255.0
 ip nat outside
 encapsulation ppp
 crypto map abc
!
ip nat inside source route-map abc interface POS3/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip route 5.5.5.5 255.255.255.255 10.10.9.2
no ip http server
no ip http secure-server
!
!
access-list 105 permit ip host 5.5.5.5 host 4.4.4.4
access-list 150 deny ip host 5.5.5.5 host 4.4.4.4
access-list 150 permit ip any any
!
route-map abc permit 10
 match ip address 150
!
!
gatekeeper
 shutdown
!
!
line con 0
 stopbits 1
line aux 0
line vty 0 4
!
!
end
r3#
router4:
r4#show run
Building configuration...

Current configuration : 788 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r4
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
ip cef
ip audit po max-events 100
!
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.10.12.2 255.255.255.0
 duplex full
!
interface POS1/0
 no ip address
 shutdown
!
interface FastEthernet2/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet3/0
 no ip address
 shutdown
 duplex half
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.12.1
no ip http server
no ip http secure-server
!
!
gatekeeper
 shutdown
!
!
line con 0
 stopbits 1
line aux 0
line vty 0 4
!
!
end
r4#
router5:
r5#show run
Building configuration...

Current configuration : 786 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r5
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
ip cef
ip audit po max-events 100
!
!
interface Loopback0
 ip address 5.5.5.5 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.10.9.2 255.255.255.0
 duplex full
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet2/0
 no ip address
 shutdown
 duplex half
!
interface POS3/0
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.9.1
no ip http server
no ip http secure-server
!
!
gatekeeper
 shutdown
!
!
line con 0
 stopbits 1
line aux 0
line vty 0 4
!
!
end
4. Service test
r5#ping
Protocol [ip]:
Target IP address: 4.4.4.4
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 5.5.5.5
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 5.5.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 504/1323/1936 ms
r5#
r4#ping
Protocol [ip]:
Target IP address: 5.5.5.5
Repeat count [5]: 10
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 4.4.4.4
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.4
.!!!.!!!!!
Success rate is 80 percent (8/10), round-trip min/avg/max = 872/1371/1872 ms
r4#ping
Protocol [ip]:
Target IP address: 10.10.11.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 4.4.4.4
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.11.1, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 84/419/1288 ms
r4#ping
r5#ping
Protocol [ip]:
Target IP address: 10.10.11.2
Repeat count [5]: 10
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 5.5.5.5
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 10.10.11.2, timeout is 2 seconds:
Packet sent with a source address of 5.5.5.5
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 376/1158/1656 ms
r5#