I am building a VPN lab for an IPsec client-to-site VPN. The topology is as follows:
PC - Router R3 - Router R2 - ASA - Router R1
PC: on the Internet side (1.1.2.1/24), default gateway 1.1.2.2
Router R3 (acts as the ADSL router)
1.1.2.2/24
1.1.1.1/24
Router R2 (acts as the router at the company, used as the company's ADSL router)
1.1.1.2/24 (assume this is the public IP of the Internet connection)
192.168.255.1/24 (the subnet that connects to the ASA's outside port)
This router NATs UDP port 500 and UDP port 4500 from the inside to IP 1.1.1.2
ASA
inside 192.168.1.1/24
outside 192.168.255.2/24
R3 is treated as a PC on the company LAN: IP 192.168.1.10/24, default gateway 192.168.1.1
Right now I can dial the VPN successfully from the outside PC (the assigned IP is 192.168.2.10), but I cannot ping into the internal network, nor the other way round.
R1 configuration:
interface FastEthernet0/0
ip address 192.168.1.10 255.255.255.0
duplex auto
speed auto
!
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
R2 configuration:
interface FastEthernet0/0
ip address 1.1.1.2 255.255.255.0
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface FastEthernet0/1
ip address 192.168.255.1 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list internet interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.255.2 443 interface FastEthernet0/0 443
ip nat inside source static udp 192.168.255.2 500 1.1.1.2 500 extendable
ip nat inside source static udp 192.168.255.2 4500 1.1.1.2 4500 extendable
ip nat inside source static tcp 192.168.255.2 10000 1.1.1.2 10000 extendable
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 192.168.1.0 255.255.255.0 192.168.255.2
!
ip access-list extended internet
permit ip 192.168.255.0 0.0.0.255 any
permit ip 192.168.0.0 0.0.0.255 any
permit ip 192.168.1.0 0.0.0.255 any
deny ip any any
R3 configuration:
interface FastEthernet0/0
ip address 1.1.2.2 255.255.255.0
duplex auto
speed auto
!
!
interface FastEthernet0/1
ip address 1.1.1.1 255.255.255.0
duplex auto
speed auto
ASA configuration:
interface GigabitEthernet0
nameif outside
security-level 0
ip address 192.168.255.2 255.255.255.0
!
interface GigabitEthernet1
nameif inseide
security-level 0
ip address 192.168.1.1 255.255.255.0
object network NETWORK_OBJ_192.168.2.0_24
subnet 192.168.2.0 255.255.255.0
access-list LAN standard permit 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit ip any any
access-list inseide_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inseide 1500
ip local pool VPN-POOL 192.168.2.10-192.168.2.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-661.bin
no asdm history enable
arp timeout 14400
nat (any,any) source static any any destination static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24
access-group outside_access_in in interface outside
access-group inseide_access_in in interface inseide
route outside 0.0.0.0 0.0.0.0 192.168.255.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 1.1.2.1 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy RA_VPN internal
group-policy RA_VPN attributes
wins-server value 192.168.1.5
dns-server value 192.168.1.5
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value LAN
default-domain value dungvh.com
username vpnclient password UXU1JqgAdj2zRJuP encrypted privilege 0
username vpnclient attributes
vpn-group-policy RA_VPN
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
address-pool VPN-POOL
default-group-policy RA_VPN
tunnel-group RA_VPN ipsec-attributes
ikev1 pre-shared-key 123456
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/...es/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:11f33a3aec383c8a166b05a1eb87b07b
: end
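One way to check the posted ASA config for the things a reviewer looks at first, as an added example that is not part of the original post and not any Cisco tooling: a small Python lint over a condensed excerpt of the config above. The checks encode standard ASA behaviour (two interfaces at the same security level, as inside and outside both are at level 0 here, exchange no traffic unless "same-security-traffic permit inter-interface" is configured) plus basic IKEv1/IPsec hygiene. The 16-character pre-shared-key threshold, the hardened counterpart excerpt and its placeholder key are assumptions of the example, and the excerpt spells the interface name "inside".

```python
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (category, message)
WEAK_IKE_ENCRYPTION = {"des", "3des"}
WEAK_IPSEC_TOKENS = {"esp-des", "esp-3des", "esp-md5-hmac"}
IKE_POLICY_KEYWORDS = ("authentication", "encryption", "hash", "group", "lifetime")
MIN_PSK_LEN = 16  # assumed local policy threshold, not an ASA limit

# Constructed excerpt condensed from the ASA config in the post (blocks shortened).
POSTED_EXCERPT = """\
interface GigabitEthernet0
 nameif outside
 security-level 0
interface GigabitEthernet1
 nameif inside
 security-level 0
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ikev1 policy 150
 encryption des
 hash sha
tunnel-group RA_VPN ipsec-attributes
 ikev1 pre-shared-key 123456
"""

# Constructed hardened counterpart: inside at level 100, AES/SHA only, long placeholder key.
HARDENED_EXCERPT = """\
interface GigabitEthernet0
 nameif outside
 security-level 0
interface GigabitEthernet1
 nameif inside
 security-level 100
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ikev1 policy 10
 encryption aes-256
 hash sha
tunnel-group RA_VPN ipsec-attributes
 ikev1 pre-shared-key EXAMPLE-ONLY-Xk7qL2mPf9sR
"""


def parse_interfaces(cfg: str) -> Dict[str, int]:
    """Return {nameif: security-level} for every interface block."""
    levels: Dict[str, int] = {}
    name = level = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = level = None  # a new block resets both fields
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("security-level "):
            level = int(line.split()[1])
        if name is not None and level is not None:
            levels[name] = level
            name = level = None
    return levels


def lint_asa(cfg: str) -> List[Finding]:
    """Return review findings for the config text; an empty list means clean."""
    lines = [l.strip() for l in cfg.splitlines()]
    findings: List[Finding] = []
    # 1. The ASA drops traffic between interfaces at the same security level
    #    unless 'same-security-traffic permit inter-interface' is configured.
    levels = parse_interfaces(cfg)
    if "same-security-traffic permit inter-interface" not in lines:
        names = sorted(levels)
        for i, a in enumerate(names):
            for b in names[i + 1:]:
                if levels[a] == levels[b]:
                    findings.append(("same-security", f"{a} and {b} are both level "
                                     f"{levels[a]}; traffic between them is dropped"))
    policy = None
    for line in lines:
        parts = line.split()
        # 2. IKEv1 phase-1 policies using legacy ciphers or hashes.
        if line.startswith("crypto ikev1 policy "):
            policy = parts[-1]
            continue
        if policy is not None:
            if not parts or parts[0] not in IKE_POLICY_KEYWORDS:
                policy = None  # left the policy block
            elif (parts[0] == "encryption" and parts[1] in WEAK_IKE_ENCRYPTION
                  or parts[0] == "hash" and parts[1] == "md5"):
                findings.append(("weak-ike", f"policy {policy} uses {parts[1]}"))
        # 3. IPsec transform sets built on DES/3DES or MD5.
        if line.startswith("crypto ipsec ikev1 transform-set "):
            weak = sorted(set(parts[5:]) & WEAK_IPSEC_TOKENS)
            if weak:
                findings.append(("weak-ipsec", f"transform-set {parts[4]} uses {', '.join(weak)}"))
        # 4. Short pre-shared key (only meaningful when the key is shown in clear text).
        m = re.match(r"ikev1 pre-shared-key (\S+)$", line)
        if m and len(m.group(1)) < MIN_PSK_LEN:
            findings.append(("weak-psk", f"pre-shared key is only {len(m.group(1))} characters"))
    return findings


if __name__ == "__main__":
    for category, message in lint_asa(POSTED_EXCERPT):
        print(f"[{category}] {message}")
    print("hardened excerpt findings:", lint_asa(HARDENED_EXCERPT))
```

Running it on the posted excerpt reports the equal security levels on inside and outside, the DES phase-1 policy, the DES and MD5 transform sets and the six-character pre-shared key; on the hardened excerpt it reports nothing. To run it against a real "show running-config", paste the output into the string in place of the excerpt.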