Please help me with site-to-site VPN configuration on PIX 525


  • Please help me with site-to-site VPN configuration on PIX 525

    I have only just started learning about PIX and do not know much yet; I hope you can help me.
    My topology is as follows:

    With the topology above, I have fully configured addressing and routing on routers R1, R2 and Internet.
    I use two more routers to act as the two PCs.
    I tried telnet from PC1 to PC2, but it did not succeed.
    By default the PIX does not let ICMP packets through; does that mean we cannot use ping to check whether the VPN tunnel between the two PCs is up? If so, what should I do to check whether the VPN connection succeeded?
    What do I have to do so that show crypto ipsec sa shows how many packets were encrypted and how many were decrypted, like this:
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
    I am in a hurry to finish this assignment. Could you please check whether my configuration has any errors?
    Thank you in advance!

    Here are the configuration files of the two firewalls
    FW1 (PIX1):
    PIX1# show running-config
    : Saved
    :
    PIX Version 8.0(2)
    !
    hostname PIX1
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names
    !
    interface Ethernet0
    nameif outside
    security-level 0
    ip address 20.0.0.2 255.255.255.0
    !
    interface Ethernet1
    nameif inside
    security-level 100
    ip address 10.1.1.1 255.255.255.0
    !
    interface Ethernet2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet4
    shutdown
    no nameif
    no security-level
    no ip address
    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    access-list toInside extended permit icmp any host 20.0.0.3
    access-list toPIX2 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 20.0.0.4-20.0.0.6
    nat (inside) 0 access-list toPIX2
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) 20.0.0.3 10.1.1.10 netmask 255.255.255.255
    access-group toInside in interface outside
    route outside 0.0.0.0 0.0.0.0 20.0.0.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set mytransformset esp-3des esp-sha-hmac
    crypto map mymap 2 match address toPIX2
    crypto map mymap 2 set peer 50.0.0.2
    crypto map mymap 2 set transform-set mytransformset
    crypto map mymap interface outside
    crypto isakmp enable outside
    crypto isakmp policy 2
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    no crypto isakmp nat-traversal
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    !
    !
    tunnel-group 50.0.0.2 type ipsec-l2l
    tunnel-group 50.0.0.2 ipsec-attributes
    pre-shared-key *
    prompt hostname context
    Cryptochecksum:1ce56970d844ef4eae7379f22a3857d2
    : end
    PIX1#
    FW2 (PIX2):
    PIX2# show running-config
    : Saved
    :
    PIX Version 8.0(2)
    !
    hostname PIX2
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names
    !
    interface Ethernet0
    nameif outside
    security-level 0
    ip address 50.0.0.2 255.255.255.0
    !
    interface Ethernet1
    nameif inside
    security-level 100
    ip address 10.2.2.1 255.255.255.0
    !
    interface Ethernet2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet4
    shutdown
    no nameif
    no security-level
    no ip address
    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    access-list toInside extended permit icmp any host 50.0.0.3
    access-list toPIX1 extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 50.0.0.4-50.0.0.6
    nat (inside) 0 access-list toPIX1
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) 50.0.0.3 10.2.2.10 netmask 255.255.255.255
    access-group toInside in interface outside
    route outside 0.0.0.0 0.0.0.0 50.0.0.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set mytransformset esp-3des esp-sha-hmac
    crypto map mymap 2 match address toPIX1
    crypto map mymap 2 set peer 20.0.0.2
    crypto map mymap 2 set transform-set mytransformset
    crypto map mymap interface outside
    crypto isakmp enable outside
    crypto isakmp policy 2
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    no crypto isakmp nat-traversal
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    !
    !
    tunnel-group 20.0.0.2 type ipsec-l2l
    tunnel-group 20.0.0.2 ipsec-attributes
    pre-shared-key *
    prompt hostname context
    Cryptochecksum:fe8afb4e37da97e75d172e7fcefc3ec8
    : end
    PIX2#
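The question above asks how to read the packet counters that `show crypto ipsec sa` prints once a tunnel carries traffic. The script below is an added example, not part of the thread and not Cisco tooling: it parses that output per security association, reads the `#pkts encaps`/`#pkts decaps` counters, and classifies each SA as two-way, one-way or unused; it also handles the "There are no ipsec sas" case, which means phase 2 never completed. The sample output is constructed in the shape of PIX/ASA 8.x output using the thread's own addresses, and the names `parse_ipsec_sa`, `classify` and `diagnose` are chosen here.

```python
import re

# Constructed sample in the shape of PIX/ASA 8.x "show crypto ipsec sa" output;
# the addresses are the ones used in the thread, the counters are invented.
SAMPLE_TWO_WAY = """\
interface: outside
    Crypto map tag: mymap, seq num: 2, local addr: 20.0.0.2

      access-list toPIX2 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
      current_peer: 50.0.0.2

      #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
      #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
"""
# Same SA, but nothing ever came back from the peer.
SAMPLE_ONE_WAY = SAMPLE_TWO_WAY.replace("#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3",
                                        "#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0")
# What the firewall prints before any phase 2 SA exists (as in post #4 of the thread).
SAMPLE_NONE = "\nThere are no ipsec sas\n"

SA_SPLIT = re.compile(r"Crypto map tag: ")
COUNTER_RE = re.compile(r"#pkts (\w+): (\d+)")
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
PEER_RE = re.compile(r"current_peer: (\S+)")


def parse_ipsec_sa(output):
    """Return one dict per SA: peer, local/remote selectors and the #pkts counters."""
    sas = []
    for chunk in SA_SPLIT.split(output)[1:]:  # text before the first tag is only a header
        sa = {"peer": None, "local": None, "remote": None,
              "counters": {m.group(1): int(m.group(2)) for m in COUNTER_RE.finditer(chunk)}}
        peer = PEER_RE.search(chunk)
        if peer:
            sa["peer"] = peer.group(1)
        for m in IDENT_RE.finditer(chunk):
            sa[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
        sas.append(sa)
    return sas


def classify(counters):
    """Reduce the counters to the first troubleshooting question: does traffic flow
    in both directions, one direction, or not at all?"""
    enc, dec = counters.get("encaps", 0), counters.get("decaps", 0)
    if enc == 0 and dec == 0:
        return "unused"
    if dec == 0:
        return "one-way (send only)"
    if enc == 0:
        return "one-way (receive only)"
    return "two-way"


def diagnose(output):
    """One human-readable verdict per SA. No SA at all means phase 2 never happened,
    so interesting traffic, NAT exemption and phase 1 have to be checked first."""
    sas = parse_ipsec_sa(output)
    if not sas:
        return ["no IPsec SA: interesting traffic never matched the crypto ACL, "
                "or phase 1 never completed (check 'show crypto isakmp sa')"]
    verdicts = []
    for sa in sas:
        state = classify(sa["counters"])
        hint = ""
        if state == "one-way (send only)":
            hint = "; peer never replies: check its crypto ACL, NAT exemption and return route"
        elif state == "one-way (receive only)":
            hint = "; we never send: check our crypto ACL and NAT exemption"
        verdicts.append(f"{sa['local']} <-> {sa['remote']} via {sa['peer']}: {state}{hint}")
    return verdicts


if __name__ == "__main__":
    for sample in (SAMPLE_TWO_WAY, SAMPLE_ONE_WAY, SAMPLE_NONE):
        print("\n".join(diagnose(sample)))
```

The encaps/decaps pair is the useful signal: encaps counting up while decaps stays at zero is the classic one-way tunnel, where this side encrypts but the peer either never receives the packets or drops the reply before its own crypto map sees it.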

  • #2
    Is there nobody on the whole forum who can help me?? I see a lot of people have viewed the post, yet nobody is willing to help.
    So sad!



    • #3
      After configuring routing on R1, Internet and R2, can you ping from FW1 20.0.0.2 to FW2 50.0.0.2 yet? Once the ping works, go ahead and configure the site-to-site VPN.

      Use show crypto isakmp sa to check phase 1.
      Use show crypto ipsec sa to check phase 2.

      Here is a detailed configuration and how to check whether the tunnel is up.
      This document provides a sample configuration for the LAN-to-LAN (Site-to-Site) IPsec tunnel between Cisco Security Appliances (ASA/PIX) and the Adaptive Security Appliance (ASA) 5505.
      Last edited by thanhnam0707; 02-03-2011, 03:02 PM.
      Hugo



      • #4
        Originally posted by thanhnam0707
        After configuring routing on R1, Internet and R2, can you ping from FW1 20.0.0.2 to FW2 50.0.0.2 yet? Once the ping works, go ahead and configure the site-to-site VPN.
        From FW1 20.0.0.2 I have pinged FW2 50.0.0.2 successfully.

        Here are the configuration files of the two firewalls (I have made changes compared with the previous configuration)
        FW1:
        PIX1# show running-config
        : Saved
        :
        PIX Version 8.0(2)
        !
        hostname PIX1
        enable password UwiM/pkFcM.xYc8s encrypted
        names
        !
        interface Ethernet0
        nameif outside
        security-level 0
        ip address 20.0.0.2 255.255.255.0
        !
        interface Ethernet1
        nameif inside
        security-level 100
        ip address 10.1.1.1 255.255.255.0
        !
        interface Ethernet2
        shutdown
        no nameif
        no security-level
        no ip address
        !
        interface Ethernet3
        shutdown
        no nameif
        no security-level
        no ip address
        !
        interface Ethernet4
        shutdown
        no nameif
        no security-level
        no ip address
        !
        passwd UwiM/pkFcM.xYc8s encrypted
        ftp mode passive
        access-list toInside extended permit udp any eq isakmp interface outside eq isakmp
        access-list toInside extended permit esp any interface outside
        access-list toPIX2 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
        access-list NO_NAT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
        pager lines 24
        mtu outside 1500
        mtu inside 1500
        no failover
        icmp unreachable rate-limit 1 burst-size 1
        no asdm history enable
        arp timeout 14400
        nat-control
        global (inside) 1 interface
        nat (inside) 0 access-list NO_NAT
        nat (inside) 1 10.1.1.0 255.255.255.0
        access-group toInside in interface outside
        route outside 0.0.0.0 0.0.0.0 20.0.0.1 1
        route outside 50.0.0.2 255.255.255.255 20.0.0.1 1
        timeout xlate 3:00:00
        timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
        timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
        timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
        timeout uauth 0:05:00 absolute
        dynamic-access-policy-record DfltAccessPolicy
        no snmp-server location
        no snmp-server contact
        snmp-server enable traps snmp authentication linkup linkdown coldstart
        crypto ipsec transform-set mytransformset esp-3des esp-sha-hmac
        crypto map mymap 2 match address toPIX2
        crypto map mymap 2 set peer 50.0.0.2
        crypto map mymap 2 set transform-set mytransformset
        crypto map mymap interface outside
        crypto isakmp enable outside
        crypto isakmp policy 2
        authentication pre-share
        encryption 3des
        hash sha
        group 2
        lifetime 86400
        crypto isakmp nat-traversal 3600
        telnet 10.1.1.0 255.255.255.0 inside
        telnet timeout 5
        ssh timeout 5
        console timeout 0
        threat-detection basic-threat
        threat-detection statistics access-list
        !
        class-map inspection_default
        match default-inspection-traffic
        !
        !
        policy-map global_policy
        class inspection_default
        inspect icmp
        !
        service-policy global_policy global
        tunnel-group 50.0.0.2 type ipsec-l2l
        tunnel-group 50.0.0.2 ipsec-attributes
        pre-shared-key *
        prompt hostname context
        Cryptochecksum:779c7aac1201658c3ae15e3e5b33a9f4
        : end
        FW2:
        PIX2# show running-config
        : Saved
        :
        PIX Version 8.0(2)
        !
        hostname PIX2
        enable password UwiM/pkFcM.xYc8s encrypted
        names
        !
        interface Ethernet0
        nameif outside
        security-level 0
        ip address 50.0.0.2 255.255.255.0
        !
        interface Ethernet1
        nameif inside
        security-level 100
        ip address 10.2.2.1 255.255.255.0
        !
        interface Ethernet2
        shutdown
        no nameif
        no security-level
        no ip address
        !
        interface Ethernet3
        shutdown
        no nameif
        no security-level
        no ip address
        !
        interface Ethernet4
        shutdown
        no nameif
        no security-level
        no ip address
        !
        passwd 2KFQnbNIdI.2KYOU encrypted
        ftp mode passive
        access-list toInside extended permit esp any interface outside
        access-list toInside extended permit udp any eq isakmp interface outside eq isakmp
        access-list toPIX1 extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
        access-list NO_NAT extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
        pager lines 24
        mtu outside 1500
        mtu inside 1500
        no failover
        icmp unreachable rate-limit 1 burst-size 1
        no asdm history enable
        arp timeout 14400
        nat-control
        global (inside) 1 interface
        nat (inside) 0 access-list NO_NAT
        nat (inside) 1 10.2.2.0 255.255.255.0
        access-group toInside in interface outside
        route outside 0.0.0.0 0.0.0.0 50.0.0.1 1
        route outside 20.0.0.2 255.255.255.255 50.0.0.1 1
        timeout xlate 3:00:00
        timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
        timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
        timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
        timeout uauth 0:05:00 absolute
        dynamic-access-policy-record DfltAccessPolicy
        no snmp-server location
        no snmp-server contact
        snmp-server enable traps snmp authentication linkup linkdown coldstart
        crypto ipsec transform-set mytransformset esp-3des esp-sha-hmac
        crypto map mymap 2 match address toPIX1
        crypto map mymap 2 set peer 20.0.0.2
        crypto map mymap 2 set transform-set mytransformset
        crypto map mymap interface outside
        crypto isakmp enable outside
        crypto isakmp policy 2
        authentication pre-share
        encryption 3des
        hash sha
        group 2
        lifetime 86400
        crypto isakmp nat-traversal 3600
        telnet 10.2.2.0 255.255.255.0 inside
        telnet timeout 5
        ssh timeout 5
        console timeout 0
        threat-detection basic-threat
        threat-detection statistics access-list
        !
        class-map inspection_default
        match default-inspection-traffic
        !
        !
        policy-map global_policy
        class inspection_default
        inspect icmp
        !
        service-policy global_policy global
        tunnel-group 20.0.0.2 type ipsec-l2l
        tunnel-group 20.0.0.2 ipsec-attributes
        pre-shared-key *
        prompt hostname context
        Cryptochecksum:c8a7d639a1146d2db593a4a6c24edf9b
        : end
        An extended ping from PC1 to PC2 does not succeed.
        I checked phase 1 and phase 2:
        PIX1# show crypto isakmp sa

        There are no isakmp sas

        PIX1# show crypto ipsec sa

        There are no ipsec sas
        PIX1#
        Please help me.
        Last edited by ttkk; 03-03-2011, 01:04 AM.
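Post #3 says to verify phase 1 with `show crypto isakmp sa` and phase 2 with `show crypto ipsec sa`, and the output in post #4 shows both empty, so no phase 1 SA was ever built. Before looking at live state, a defender can check that the two running-configs are mirror images of each other, since a LAN-to-LAN tunnel only negotiates when both sides agree on peer address, crypto ACL, NAT exemption and proposals. The script below is an added example, not part of the thread and not Cisco tooling. It assumes PIX/ASA 8.x syntax with a single ISAKMP policy and extended IP access lists, and it runs on constructed, trimmed configs modelled on the ones posted (the addresses and object names are the thread's); `parse_pix`, `check_pair` and `sample_config` are names chosen here. Beyond the thread's single case it also flags a `nat (if) N` with no `global N` on another interface, which on a `nat-control` PIX blocks non-exempt traffic.

```python
# Added example (not from the thread or Cisco): checks that two PIX/ASA 8.x
# LAN-to-LAN configs mirror each other. Assumes one ISAKMP policy, extended IP ACLs.
POLICY_ATTRS = {"authentication", "encryption", "hash", "group", "lifetime"}

def parse_pix(text):
    """Pull out the interface, ACL, NAT, crypto-map and ISAKMP facts the checks need."""
    c = {"if_ip": {}, "acl": {}, "map": {}, "map_if": None, "isakmp_if": set(), "policy": {},
         "tsets": {}, "tgroups": set(), "nat0": None, "nat_ids": set(), "global_ids": set()}
    nameif = None
    for w in filter(None, (line.split() for line in text.splitlines())):
        if w[0] == "interface":
            nameif = None                                   # new interface block
        elif w[0] == "nameif":
            nameif = w[1]
        elif w[:2] == ["ip", "address"] and nameif:
            c["if_ip"][nameif] = w[2]
        elif w[0] == "access-list" and "permit" in w:       # keep "ip src mask dst mask" rules
            i = w.index("permit")
            if w[i + 1] == "ip" and len(w) >= i + 6:
                c["acl"].setdefault(w[1], []).append(tuple(w[i + 2:i + 6]))
        elif w[:2] == ["crypto", "map"] and w[3] == "interface":
            c["map_if"] = w[4]
        elif w[:2] == ["crypto", "map"]:                     # entries keyed by sequence number
            key = {"address": "acl", "peer": "peer", "transform-set": "tset"}.get(w[5])
            if key:
                c["map"].setdefault(w[3], {})[key] = w[6]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            c["tsets"][w[3]] = tuple(w[4:])
        elif w[:3] == ["crypto", "isakmp", "enable"]:
            c["isakmp_if"].add(w[3])
        elif w[0] in POLICY_ATTRS:                          # attributes of the single isakmp policy
            c["policy"][w[0]] = w[1]
        elif w[0] == "tunnel-group" and w[2:4] == ["type", "ipsec-l2l"]:
            c["tgroups"].add(w[1])
        elif w[0] == "nat" and w[2] == "0":                 # nat (if) 0 access-list NAME = NAT exemption
            c["nat0"] = w[4]
        elif w[0] in ("nat", "global"):
            c[w[0] + "_ids"].add((w[1].strip("()"), w[2]))
    return c

def check_pair(text_a, text_b):
    """Return a list of findings; an empty list means the two sides are mirror-consistent."""
    a, b = parse_pix(text_a), parse_pix(text_b)
    found = []
    for tag, me, peer in (("A", a, b), ("B", b, a)):
        if me["map_if"] not in me["isakmp_if"]:
            found.append(f"{tag}: crypto map interface {me['map_if']} has no 'crypto isakmp enable'")
        peer_ip = peer["if_ip"].get(peer["map_if"])
        peer_rules = {(d, dm, s, sm) for e in peer["map"].values()
                      for s, sm, d, dm in peer["acl"].get(e.get("acl"), [])}   # peer's rules, mirrored
        peer_algs = {peer["tsets"].get(e.get("tset")) for e in peer["map"].values()}
        exempt = set(me["acl"].get(me["nat0"], []))
        for seq, e in me["map"].items():
            mine = set(me["acl"].get(e.get("acl"), []))
            if e.get("peer") != peer_ip:
                found.append(f"{tag}: seq {seq} peer {e.get('peer')} is not the other side's {peer_ip}")
            if e.get("peer") not in me["tgroups"]:
                found.append(f"{tag}: no ipsec-l2l tunnel-group for peer {e.get('peer')}")
            if mine != peer_rules:
                found.append(f"{tag}: crypto ACL {e.get('acl')} is not the mirror of the peer's")
            if not mine <= exempt:
                found.append(f"{tag}: nat 0 exemption does not cover crypto ACL {e.get('acl')}")
            if me["tsets"].get(e.get("tset")) not in peer_algs:
                found.append(f"{tag}: transform-set {e.get('tset')} has no match on the peer")
        for iface, nid in me["nat_ids"]:                   # nat id N needs a global N on another interface
            if not any(gi != iface and gid == nid for gi, gid in me["global_ids"]):
                found.append(f"{tag}: nat ({iface}) {nid} has no global {nid} on another interface")
    if a["policy"] != b["policy"]:
        found.append("A/B: isakmp policy attributes differ")
    return found

def sample_config(out_ip, in_ip, peer, lan, remote_lan, acl):
    """Constructed, trimmed running-config in the shape of the thread's PIX 8.0(2) dumps."""
    return f"""\
interface Ethernet0
 nameif outside
 ip address {out_ip} 255.255.255.0
interface Ethernet1
 nameif inside
 ip address {in_ip} 255.255.255.0
access-list {acl} extended permit ip {lan} 255.255.255.0 {remote_lan} 255.255.255.0
access-list NO_NAT extended permit ip {lan} 255.255.255.0 {remote_lan} 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list NO_NAT
nat (inside) 1 {lan} 255.255.255.0
crypto ipsec transform-set mytransformset esp-3des esp-sha-hmac
crypto map mymap 2 match address {acl}
crypto map mymap 2 set peer {peer}
crypto map mymap 2 set transform-set mytransformset
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 2
 authentication pre-share
 encryption 3des
 hash sha
 group 2
tunnel-group {peer} type ipsec-l2l
"""

GOOD_A = sample_config("20.0.0.2", "10.1.1.1", "50.0.0.2", "10.1.1.0", "10.2.2.0", "toPIX2")
GOOD_B = sample_config("50.0.0.2", "10.2.2.1", "20.0.0.2", "10.2.2.0", "10.1.1.0", "toPIX1")
# Broken variant: crypto ACL names the wrong remote LAN and the global pool sits on inside.
BAD_A = GOOD_A.replace("toPIX2 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0",
                       "toPIX2 extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0").replace("global (outside)", "global (inside)")
```

Running `check_pair(GOOD_A, GOOD_B)` returns an empty list, while `check_pair(BAD_A, GOOD_B)` reports the non-mirrored crypto ACL on both sides, the NAT exemption that no longer covers it, and the `nat (inside) 1` with no `global 1` on a different interface. Pre-shared keys are deliberately not compared: the running-config masks them, so that check has to be done on the devices themselves.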



        • #5
          Is there nobody who can help me??
          I hope the teachers can help me; I need to finish this assignment.
