USG and ASA IPsec VPN interconnection succeeded

Posted: 2018-2-7 16:29:38   Latest reply: 2018-02-08 09:08:07
Views: 1433   Replies: 4
忧郁的红雨伞 (Expert)

Successfully brought up an IPsec VPN with pre-shared-key authentication between a USG5500 in eNSP and an ASA5500 running in a virtual machine.

ciscoasa# show version

Cisco Adaptive Security Appliance Software Version 8.0(2)
Device Manager Version 6.1(5)

Compiled on Fri 15-Jun-07 19:29 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"

ciscoasa up 2 hours 16 mins

Hardware:   ASA5520, 256 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB


<SRG>display version
16:18:06  2018/02/07
Huawei Versatile Routing Platform Software
VRP WVSP Software Version VRPV500R003C07
Copyright (c) 2000-2013 by VRP Team Beijing Institute Huawei Tech, Inc
Compiled Feb 27 2014 16:04:12 by VSP


<SRG>display ike sa
16:20:36  2018/02/07
current ike sa number: 2
-----------------------------------------------------------------------------
conn-id    peer                    flag          phase vpn
-----------------------------------------------------------------------------
40004      3.3.3.100               RD|ST         v1:2  public
40003      3.3.3.100               RD|ST         v1:1  public

  flag meaning
  RD--READY    ST--STAYALIVE  RL--REPLACED      FD--FADING
  TO--TIMEOUT  TD--DELETING   NEG--NEGOTIATING  D--DPD


<SRG>display ipsec sa
16:20:38  2018/02/07
===============================
Interface: GigabitEthernet0/0/1
    path MTU: 1500
===============================

  -----------------------------
  IPsec policy name: "map1"
  sequence number: 1
  mode: isakmp
  vpn: public
  -----------------------------
    connection id: 40004
    rule number: 10
    encapsulation mode: tunnel
    holding time: 0d 0h 39m 43s
    tunnel local : 3.3.3.101    tunnel remote: 3.3.3.100
    flow      source: 10.1.1.0/255.255.255.0 0/0
    flow destination: 20.1.1.0/255.255.255.0 0/0

    [inbound ESP SAs]
      spi: 2993241236 (0xb2693c94)
      vpn: public  said: 2  cpuid: 0x0000
      proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA1
      sa remaining key duration (bytes/sec): 1887429500/1217
      max received sequence-number: 85
      udp encapsulation used for nat traversal: N

    [outbound ESP SAs]
      spi: 3981069911 (0xed4a4e57)
      vpn: public  said: 3  cpuid: 0x0000
      proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA1
      sa remaining key duration (bytes/sec): 1887429584/1217
      max sent sequence-number: 91
      udp encapsulation used for nat traversal: N


ciscoasa# show crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 3.3.3.101
    Type    : L2L             Role    : responder 
    Rekey   : no              State   : MM_ACTIVE 



ciscoasa# show crypto ipsec  sa 
interface: outside
    Crypto map tag: ipsec_map, seq num: 10, local addr: 3.3.3.100

      access-list ipsec permit ip 20.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0 
      local ident (addr/mask/prot/port): (20.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      current_peer: 3.3.3.101

      #pkts encaps: 85, #pkts encrypt: 85, #pkts digest: 85
      #pkts decaps: 180, #pkts decrypt: 90, #pkts verify: 180
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 85, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 90

      local crypto endpt.: 3.3.3.100, remote crypto endpt.: 3.3.3.101

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: B2693C94

    inbound esp sas:
      spi: 0xED4A4E57 (3981069911)
         transform: esp-aes esp-sha-hmac none 
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 8192, crypto-map: ipsec_map
         sa timing: remaining key lifetime (kB/sec): (1529992/1175)
         IV size: 16 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xB2693C94 (2993241236)
         transform: esp-aes esp-sha-hmac none 
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 8192, crypto-map: ipsec_map
         sa timing: remaining key lifetime (kB/sec): (1529992/1175)
         IV size: 16 bytes
         replay detection support: Y

By default the ASA does not subject VPN traffic to interface access control. I disabled that default on the ASA and configured an ACL that allows the client to reach the home page of the Apache server configured on the CentOS host in the ASA's inside network, but not to ping the CentOS host.

no sysopt connection permit-vpn
access-list out_side_web extended permit tcp host 10.1.1.2 host 20.1.1.2 eq www 
access-group out_side_web in interface outside

From the client in eNSP I tested reachability of the CentOS VM behind the ASA with HTTP and with ping: HTTP connects normally, ping does not get through. The corresponding ACL on the ASA shows hit counts.

ciscoasa# show access-list  out_side_web
access-list out_side_web; 1 elements
access-list out_side_web line 1 extended permit tcp host 10.1.1.2 host 20.1.1.2 eq www (hitcnt=3) 0x6f9294a0 

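The two SA dumps in this post can be checked mechanically rather than by eye. The script below is an added example for this thread, not code from the post, Huawei or Cisco: it parses trimmed copies of the `display ipsec sa` and `show crypto ipsec sa` output quoted above (embedded as sample input so it runs offline), confirms that tunnel endpoints and traffic selectors are mirrored, that each USG inbound SPI is the ASA's outbound SPI and vice versa, and that the ESP proposals are equivalent once the vendor names are normalised. It also surfaces the `#recv errors: 90` counter the ASA reports alongside `#pkts decaps: 180`, which a healthy-looking `show crypto isakmp sa` does not reveal. The algorithm-name tables and the display strings assumed for AES-192/256 are not taken from the post.

```python
"""Cross-check a USG `display ipsec sa` dump against an ASA `show crypto ipsec sa`
dump to confirm both ends describe the same pair of ESP SAs.

Added example for this thread; not code from the post, Huawei or Cisco.  The two
sample dumps are trimmed copies of the outputs quoted in the post.  The AES-192/256
display strings in the name tables are assumptions, not taken from the post.
"""
import re

# Constructed sample input: trimmed from the USG output quoted in the post.
USG_DUMP = """\
    tunnel local : 3.3.3.101    tunnel remote: 3.3.3.100
    flow      source: 10.1.1.0/255.255.255.0 0/0
    flow destination: 20.1.1.0/255.255.255.0 0/0

    [inbound ESP SAs]
      spi: 2993241236 (0xb2693c94)
      proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA1
      max received sequence-number: 85

    [outbound ESP SAs]
      spi: 3981069911 (0xed4a4e57)
      proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA1
      max sent sequence-number: 91
"""

# Constructed sample input: trimmed from the ASA output quoted in the post.
ASA_DUMP = """\
      local ident (addr/mask/prot/port): (20.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      #pkts encaps: 85, #pkts encrypt: 85, #pkts digest: 85
      #pkts decaps: 180, #pkts decrypt: 90, #pkts verify: 180
      #send errors: 0, #recv errors: 90
      local crypto endpt.: 3.3.3.100, remote crypto endpt.: 3.3.3.101
    inbound esp sas:
      spi: 0xED4A4E57 (3981069911)
         transform: esp-aes esp-sha-hmac none
    outbound esp sas:
      spi: 0xB2693C94 (2993241236)
         transform: esp-aes esp-sha-hmac none
"""

# Vendor display strings -> common names.  AES with no key size is AES-128 on both.
USG_ALG = {"ESP-ENCRYPT-AES": "aes-128", "ESP-ENCRYPT-AES-192": "aes-192",
           "ESP-ENCRYPT-AES-256": "aes-256", "ESP-ENCRYPT-3DES": "3des",
           "ESP-ENCRYPT-DES": "des", "ESP-AUTH-SHA1": "sha1", "ESP-AUTH-MD5": "md5"}
ASA_ALG = {"esp-aes": "aes-128", "esp-aes-192": "aes-192", "esp-aes-256": "aes-256",
           "esp-3des": "3des", "esp-des": "des", "esp-sha-hmac": "sha1",
           "esp-md5-hmac": "md5"}


def _section(text, start, end=None):
    """Slice `text` from just after `start` up to `end` (or to the end of text)."""
    i = text.index(start) + len(start)
    j = text.index(end, i) if end is not None and end in text[i:] else len(text)
    return text[i:j]


def parse_usg(dump):
    """Endpoints, traffic selectors, SPIs and proposals from `display ipsec sa`."""
    ep = re.search(r"tunnel local\s*:\s*(\S+)\s+tunnel remote\s*:\s*(\S+)", dump)
    src = re.search(r"flow\s+source:\s*(\S+)", dump).group(1)
    dst = re.search(r"flow\s+destination:\s*(\S+)", dump).group(1)

    def sa(block):  # USG prints the SPI in decimal and the proposal as two tokens
        spi = int(re.search(r"spi:\s*(\d+)", block).group(1))
        names = re.search(r"proposal:\s*(.+)", block).group(1).split()
        return {"spi": spi, "alg": frozenset(USG_ALG.get(n, n) for n in names)}

    return {"local": ep.group(1), "remote": ep.group(2), "src": src, "dst": dst,
            "in": sa(_section(dump, "[inbound ESP SAs]", "[outbound ESP SAs]")),
            "out": sa(_section(dump, "[outbound ESP SAs]"))}


def parse_asa(dump):
    """Same fields from `show crypto ipsec sa`, where SPIs are printed in hex."""
    ident = r"\((\S+?)/(\S+?)/"
    loc = re.search(r"local ident[^:]*:\s*" + ident, dump)
    rem = re.search(r"remote ident[^:]*:\s*" + ident, dump)
    ep = re.search(r"local crypto endpt\.:\s*(\S+), remote crypto endpt\.:\s*(\S+)", dump)
    counters = {k: int(v) for k, v in re.findall(r"#(pkts decaps|recv errors):\s*(\d+)", dump)}

    def sa(block):  # transform line ends with a compression field ("none") we ignore
        spi = int(re.search(r"spi:\s*0x([0-9A-Fa-f]+)", block).group(1), 16)
        names = re.search(r"transform:\s*(.+)", block).group(1).split()
        return {"spi": spi, "alg": frozenset(ASA_ALG.get(n, n) for n in names if n != "none")}

    return {"local": ep.group(1), "remote": ep.group(2),
            "src": "%s/%s" % loc.groups(), "dst": "%s/%s" % rem.groups(),
            "in": sa(_section(dump, "inbound esp sas:", "outbound esp sas:")),
            "out": sa(_section(dump, "outbound esp sas:")),
            "decaps": counters.get("pkts decaps", 0),
            "recv_errors": counters.get("recv errors", 0)}


def cross_check(usg, asa):
    """Return (mismatches, warnings).  A USG inbound SA is the ASA's outbound SA, so
    SPIs and proposals are compared crosswise; endpoints and selectors must mirror."""
    mismatches, warnings = [], []
    if (usg["local"], usg["remote"]) != (asa["remote"], asa["local"]):
        mismatches.append("tunnel endpoints are not mirrored")
    if (usg["src"], usg["dst"]) != (asa["dst"], asa["src"]):
        mismatches.append("traffic selectors are not mirrored")
    if usg["in"]["spi"] != asa["out"]["spi"] or usg["out"]["spi"] != asa["in"]["spi"]:
        mismatches.append("SPIs do not cross-match: the dumps describe different SAs")
    if usg["in"]["alg"] != asa["out"]["alg"] or usg["out"]["alg"] != asa["in"]["alg"]:
        mismatches.append("ESP proposals differ between the two ends")
    # Not a negotiation failure, but a non-zero receive-error counter on a tunnel that
    # otherwise looks up is worth chasing before the tunnel is declared healthy.
    if asa["recv_errors"]:
        warnings.append("ASA reports %d recv errors on %d decapsulated packets"
                        % (asa["recv_errors"], asa["decaps"]))
    return mismatches, warnings


if __name__ == "__main__":
    problems, notes = cross_check(parse_usg(USG_DUMP), parse_asa(ASA_DUMP))
    print("mismatches:", problems or "none")
    print("warnings  :", notes or "none")
```

Paste a full `display ipsec sa` and `show crypto ipsec sa` into the two strings to check a live tunnel; the parser only looks for the lines it needs, so the extra lines in a complete dump do not matter.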
忧郁的红雨伞 (Expert)   Posted 2018-2-7 16:47:24   Likes: 1

I forgot to paste the session table on the USG:

<SRG>display firewall session table verbose
16:45:36 2018/02/07
Current Total Sessions : 2
http VPN:public --> public
Zone: trust--> untrust TTL: 00:00:10 Left: 00:00:07
Interface: GigabitEthernet0/0/1 NextHop: 3.3.3.100 MAC: 00-0c-29-af-d7-8b
<--packets:5 bytes:560 -->packets:6 bytes:412
10.1.1.2:2053-->20.1.1.2:80

esp VPN:public --> public
Zone: untrust--> local TTL: 00:10:00 Left: 00:09:57
Interface: InLoopBack0 NextHop: 127.0.0.1 MAC: 00-00-00-00-00-00
<--packets:0 bytes:0 -->packets:10 bytes:1744
3.3.3.100:0-->3.3.3.101:0
Community administrator 咕噜噜 commented 2018-2-8 09:31:
Thanks for taking the trouble, 阿伞, great work!
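The ACL decision described in the first post (interface ACL bypassed by default for VPN traffic, enforced after `no sysopt connection permit-vpn`, HTTP permitted, ping caught by the implicit deny) can be replayed in a few lines. The script below is an added example for this thread, not code from the post or from Cisco: it parses the `out_side_web` ACL exactly as shown, evaluates the HTTP flow from the session table above (10.1.1.2:2053 to 20.1.1.2:80) and the ICMP flow under both sysopt settings, and keeps a per-entry hit counter in the spirit of the `hitcnt` that `show access-list` reports. The parser handles `any`, `host A`, `A MASK` and an optional `eq PORT`; object-groups and port ranges are out of scope, and the flow dictionaries and port-name table are constructed for the example.

```python
"""Model of the ASA interface-ACL decision the post enables with
`no sysopt connection permit-vpn`.

Added example for this thread; not code from the post or from Cisco.  The ACL
line and the two flows are the ones the post tested.  Decision rules modelled:
decrypted VPN traffic skips the interface ACL while `sysopt connection
permit-vpn` (the ASA default) is on; otherwise entries are walked top to bottom,
first match wins, and an implicit deny ends the list.
"""
import ipaddress
import re

# The ACL from the post; hit counts start at zero as after `clear access-list`.
ACL_TEXT = "access-list out_side_web extended permit tcp host 10.1.1.2 host 20.1.1.2 eq www\n"

# Constructed flows: the HTTP test (source port from the USG session table) and the ping test.
HTTP_FLOW = {"proto": "tcp", "src": "10.1.1.2", "sport": 2053, "dst": "20.1.1.2", "dport": 80}
PING_FLOW = {"proto": "icmp", "src": "10.1.1.2", "dst": "20.1.1.2"}

# Subset of the service names the ASA accepts after `eq`.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "telnet": 23, "domain": 53}


def _parse_addr(tokens):
    """Consume one ASA address spec: 'any', 'host A' or 'A MASK'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network("%s/%s" % (t, tokens.pop(0)), strict=False)


def _parse_port(tokens):
    """Consume an optional 'eq PORT'; None means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return None


def parse_acl(text):
    """Parse `access-list NAME extended ACTION PROTO SRC [eq P] DST [eq P]` lines."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s*access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)", line)
        if not m:
            continue
        name, action, proto, rest = m.groups()
        tokens = rest.split()
        src, sport = _parse_addr(tokens), _parse_port(tokens)
        dst, dport = _parse_addr(tokens), _parse_port(tokens)
        entries.append({"acl": name, "text": line.strip(), "action": action, "proto": proto,
                        "src": src, "sport": sport, "dst": dst, "dport": dport, "hits": 0})
    return entries


def ace_matches(ace, flow):
    """True when the flow satisfies every field of the access-control entry."""
    if ace["proto"] not in ("ip", flow["proto"]):
        return False
    if ipaddress.ip_address(flow["src"]) not in ace["src"]:
        return False
    if ipaddress.ip_address(flow["dst"]) not in ace["dst"]:
        return False
    if ace["sport"] is not None and ace["sport"] != flow.get("sport"):
        return False
    return ace["dport"] is None or ace["dport"] == flow.get("dport")


def evaluate(acl, flow, permit_vpn=True, from_vpn=True):
    """Decide a flow's fate at the outside interface; returns (action, reason).

    permit_vpn mirrors `sysopt connection permit-vpn` (ASA default: on).  When the
    ACL is actually consulted, the matching entry's hit counter is incremented.
    """
    if from_vpn and permit_vpn:
        return "permit", "sysopt connection permit-vpn: interface ACL not consulted"
    for n, ace in enumerate(acl, 1):
        if ace_matches(ace, flow):
            ace["hits"] += 1
            return ace["action"], "%s line %d" % (ace["acl"], n)
    return "deny", "implicit deny at end of ACL"


def show_access_list(acl):
    """Render entries the way `show access-list` does, minus the trailing hash."""
    return ["access-list %s line %d %s (hitcnt=%d)"
            % (a["acl"], n, a["text"].split(" ", 2)[2], a["hits"])
            for n, a in enumerate(acl, 1)]


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for label, flow in (("http", HTTP_FLOW), ("ping", PING_FLOW)):
        print("default  :", label, evaluate(acl, flow, permit_vpn=True))
        print("no sysopt:", label, evaluate(acl, flow, permit_vpn=False))
    print("\n".join(show_access_list(acl)))
```

Run as-is it shows why the post's client could load the Apache page but not ping the CentOS host, and that flipping `permit_vpn` back to the default would let both through without the ACL ever being consulted.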
丿如_初 (Moderator)   Posted 2018-2-8 09:05:12   Likes: 0

伞哥 is seriously impressive, bump!
hw.customer   Posted 2018-2-8 09:08:07   Likes: 0

Agreed with the post above; the OP is really impressive.