
Implementing an IPSec Virtual Private Network on a Cisco ASA (with troubleshooting)

2025-10-25 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Portal: Cisco router configuration example: https://blog.51cto.com/14227204/2448319

The firewall configuration is very similar to the router configuration; the portal above covers the router version. A firewall configuration example follows.

I. Fault diagnosis and troubleshooting on routers

1. show crypto isakmp sa

R1#show crypto isakmp sa # shows the state of the ISAKMP SA (the management connection)

MM_NO_STATE: the initial state of ISAKMP SA establishment; an SA whose management connection failed to establish also stays in this state

MM_SA_SETUP: the peers have successfully negotiated an ISAKMP policy

MM_KEY_EXCH: the peers have established a shared key through the DH algorithm; peer authentication has not yet taken place

MM_KEY_AUTH: the peer has been authenticated; the SA then transitions to QM_IDLE

QM_IDLE: the management connection is established and the phase 2 (data connection) negotiation is about to begin

2. debug crypto isakmp

R1#debug crypto isakmp # diagnose and troubleshoot problems with the management connection

Fault example 1: the encryption algorithms at both ends do not match

ISAKMP:(0:0:N/A:0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP:      default group 1
ISAKMP:      encryption DES-CBC
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP:(0:0:N/A:0): Encryption algorithm offered does not match policy! # the encryption algorithm does not match
ISAKMP:(0:0:N/A:0): atts are not acceptable. Next payload is 0 # the proposal is rejected
...
ISAKMP:(0:0:N/A:0): no offers accepted! # no matching policy at all
Received packet from 10.0.0.1 dport 500 sport 500 Global (R) MM_NO_STATE # the SA remains in the failed state

Fault example 2: the pre-shared keys used by the two sides differ

ISAKMP:(0:0:N/A:0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP:      default group 1
ISAKMP:      encryption DES-CBC
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP:(0:0:N/A:0): atts are acceptable. Next payload is 0 # the policy matched; key exchange and authentication begin
...
ISAKMP (0:134217729): received packet from 10.0.0.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
ISAKMP: reserved not zero on ID payload
%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 10.0.0.1 failed its sanity check or is malformed # the integrity check failed; the SA stays in MM_KEY_EXCH
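A small classifier for these two traces, as an added example that is not part of the original post: it scans `debug crypto isakmp` output, records the last ISAKMP state seen (using the state meanings from section 1), and maps the telltale messages to a likely cause. The two sample traces are constructed from the fault examples above, and the rule table that links a message to a cause is an assumption drawn from them, not an official Cisco mapping.

```python
"""Classify IOS 'debug crypto isakmp' output by where IKE phase 1 stalled.

Added example; not code from the original post.  The two sample traces are
constructed from the fault examples on the page, and the rule table that
maps debug messages to a cause is an assumption drawn from those examples.
"""
import re

# 'show crypto isakmp sa' states and what each one means for phase 1
ISAKMP_STATES = {
    "MM_NO_STATE": "initial state; the management connection failed to establish",
    "MM_SA_SETUP": "ISAKMP policy negotiated successfully",
    "MM_KEY_EXCH": "DH shared key established, peer not yet authenticated",
    "MM_KEY_AUTH": "peer authenticated, moving to QM_IDLE",
    "QM_IDLE": "management connection up, phase 2 can start",
}

# (pattern, category, likely cause): assumed mapping built from the page's traces
RULES = [
    (re.compile(r"Encryption algorithm offered does not match policy"), "policy-mismatch",
     "encryption algorithm in 'crypto isakmp policy' differs between the peers"),
    (re.compile(r"no offers accepted"), "policy-mismatch",
     "no local ISAKMP policy matches any proposal sent by the peer"),
    (re.compile(r"failed its sanity check or is malformed"), "auth-failure",
     "integrity check failed after the key exchange; pre-shared keys most likely differ"),
]
STATE_RE = re.compile(r"Global \(R\) (MM_[A-Z_]+|QM_IDLE)")
PEER_RE = re.compile(r"packet from (\d+(?:\.\d+){3})")


def classify(debug_text):
    """Return peer, last ISAKMP state seen, its meaning, and distinct findings."""
    result = {"peer": None, "last_state": None, "state_meaning": None, "findings": []}
    for line in debug_text.splitlines():
        m = PEER_RE.search(line)
        if m:
            result["peer"] = m.group(1)
        m = STATE_RE.search(line)
        if m:
            result["last_state"] = m.group(1)
            result["state_meaning"] = ISAKMP_STATES.get(m.group(1), "unknown state")
        for pattern, category, cause in RULES:
            if pattern.search(line) and (category, cause) not in result["findings"]:
                result["findings"].append((category, cause))
    return result


# constructed traces, following the two fault examples on the page
FAULT_ALGO = """\
ISAKMP:(0:0:N/A:0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash SHA
ISAKMP:(0:0:N/A:0): Encryption algorithm offered does not match policy!
ISAKMP:(0:0:N/A:0): atts are not acceptable. Next payload is 0
ISAKMP:(0:0:N/A:0): no offers accepted!
ISAKMP (0:0): received packet from 10.0.0.1 dport 500 sport 500 Global (R) MM_NO_STATE
"""

FAULT_PSK = """\
ISAKMP:(0:0:N/A:0): atts are acceptable. Next payload is 0
ISAKMP (0:134217729): received packet from 10.0.0.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
ISAKMP: reserved not zero on ID payload
%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 10.0.0.1 failed its sanity check or is malformed
"""

if __name__ == "__main__":
    for name, trace in (("algorithm mismatch", FAULT_ALGO), ("psk mismatch", FAULT_PSK)):
        r = classify(trace)
        print(f"{name}: peer={r['peer']} state={r['last_state']} ({r['state_meaning']})")
        for category, cause in r["findings"]:
            print(f"  [{category}] {cause}")
```

The state that the trace ends in is the quickest discriminator: a proposal mismatch never leaves MM_NO_STATE, while a wrong pre-shared key gets as far as MM_KEY_EXCH and then fails the sanity check, which is exactly what the two examples above show.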

II. Differences between the firewall and the router

IKE negotiation:

On the router it is enabled by default.

On the ASA firewall it is off by default and must be enabled manually, as follows:

ASA(config)# crypto isakmp enable outside

Tunnel groups:

A feature introduced when the firewall software was upgraded from version 6.x to version 7.0.

Mainly used to simplify the configuration and management of IPSec sessions.

III. Configuration

The environment is as follows:

The requirements are as follows:

Interworking between lan1 and lan2 regions

Interworking between lan1 and lan3 regions

Interworking between lan2 and lan3 regions (lan2 → lan1 → lan3)

All areas have access to the intermediate ISP

Notes before configuration (sorry, I use routers instead of PCs here, so the verification is a bit brief):

Configure the interface IPs first. Because a router stands in for each PC, each router needs a default route pointing at its gateway firewall, and each firewall needs a default route outward.

R1 configuration (R3 and R4 configurations are similar):

R1#conf t
R1(config)# int f 0/0
R1(config-if)# ip add 192.168.1.10 255.255.255.0 # configure the interface IP
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# ip route 0.0.0.0 0.0.0.0 192.168.1.1 # default route pointing at the gateway (ASA1 inside)

R2 is configured as follows (the ISP router needs no routing):

R2#conf t
R2(config)# int f 0/0 # toward ASA1
R2(config-if)# ip add 201.0.0.1 255.255.255.0
R2(config-if)# no shutdown
R2(config-if)# exit
R2(config)# int f 0/1 # toward ASA2
R2(config-if)# ip add 202.0.0.1 255.255.255.0
R2(config-if)# no shutdown
R2(config-if)# exit
R2(config)# int f 1/0 # toward ASA3
R2(config-if)# ip add 203.0.0.1 255.255.255.0
R2(config-if)# no shutdown

1. Configuration

ASA1 (lan1 → lan2) is configured as follows

ciscoasa> en
Password:
ciscoasa# conf t
ciscoasa(config)# int e 0/0
ciscoasa(config-if)# nameif inside # configured as the inner interface
ciscoasa(config-if)# ip add 192.168.1.1 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# int e 0/1
ciscoasa(config-if)# nameif outside # configured as the outer interface
ciscoasa(config-if)# ip add 201.0.0.2 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# route outside 0 0 201.0.0.1 # default route outward; 0 stands for 0.0.0.0, next hop is the ISP router R2
ciscoasa(config)# crypto isakmp enable outside # enable IKE negotiation
ciscoasa(config)# crypto isakmp policy 1 # configure the management connection (phase 1)
ciscoasa(config-isakmp-policy)# encryption aes # encryption: AES
ciscoasa(config-isakmp-policy)# hash md5 # integrity/authentication hash: MD5
ciscoasa(config-isakmp-policy)# group 2
ciscoasa(config-isakmp-policy)# authentication pre-share # pre-shared key authentication
ciscoasa(config-isakmp-policy)# lifetime 10000
ciscoasa(config-isakmp-policy)# exit
ciscoasa(config)# crypto isakmp key 123.com address 202.0.0.2 # set the pre-shared key for peer ASA2; the firewall offers two ways to set the key, the other (tunnel-group) is used on ASA2 below
ciscoasa(config)# access-list lan1_lan2 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 # crypto ACL (interesting traffic)
ciscoasa(config)# crypto ipsec transform-set test-set esp-aes esp-md5-hmac # this and the next three commands configure the data connection (phase 2)
ciscoasa(config)# crypto map test-map 1 match address lan1_lan2
ciscoasa(config)# crypto map test-map 1 set peer 202.0.0.2 # ASA2 outside address
ciscoasa(config)# crypto map test-map 1 set transform-set test-set
ciscoasa(config)# crypto map test-map interface outside # apply to the outside logical interface

The ASA2 configuration is as follows

ciscoasa> en
Password:
ciscoasa# conf t
ciscoasa(config)# int e 0/0 # the meaning of each command is the same as on ASA1 and is not repeated here
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# ip add 202.0.0.2 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# int e 0/1
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# ip add 192.168.2.1 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# route outside 0 0 202.0.0.1
ciscoasa(config)# crypto isakmp enable outside
ciscoasa(config)# crypto isakmp policy 1
ciscoasa(config-isakmp-policy)# encryption aes
ciscoasa(config-isakmp-policy)# hash md5
ciscoasa(config-isakmp-policy)# group 2
ciscoasa(config-isakmp-policy)# authentication pre-share
ciscoasa(config-isakmp-policy)# lifetime 10000
ciscoasa(config-isakmp-policy)# exit
ciscoasa(config)# tunnel-group 201.0.0.2 type ipsec-l2l # the other way to configure the pre-shared key
ciscoasa(config)# tunnel-group 201.0.0.2 ipsec-attributes
ciscoasa(config-tunnel-ipsec)# pre-shared-key 123.com
ciscoasa(config-tunnel-ipsec)# exit
ciscoasa(config)# access-list lan2_lan1 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ciscoasa(config)# crypto ipsec transform-set test-set esp-aes esp-md5-hmac
ciscoasa(config)# crypto map test-map 1 match address lan2_lan1
ciscoasa(config)# crypto map test-map 1 set peer 201.0.0.2
ciscoasa(config)# crypto map test-map 1 set transform-set test-set
ciscoasa(config)# crypto map test-map interface outside

Verification from R1 (lan1):

R1#ping 192.168.2.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.10, timeout is 2 seconds:
!

ASA1 (lan1 → lan3) is configured as follows

# ASA1 already carries the configuration for the lan2 tunnel, so only the additions for lan3 are needed
ciscoasa(config)# tunnel-group 203.0.0.2 type ipsec-l2l
ciscoasa(config)# tunnel-group 203.0.0.2 ipsec-attributes
ciscoasa(config-tunnel-ipsec)# pre-shared-key 123.com
ciscoasa(config-tunnel-ipsec)# exit
ciscoasa(config)# access-list lan1_lan3 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
ciscoasa(config)# crypto map test-map 2 match address lan1_lan3
WARNING: The crypto map entry is incomplete! # this warning is normal until the entry has a peer and a transform set
ciscoasa(config)# crypto map test-map 2 set peer 203.0.0.2
WARNING: The crypto map entry is incomplete!
ciscoasa(config)# crypto map test-map 2 set transform-set test-set

The ASA3 configuration is as follows (the commands have the same meaning as in the ASA2 configuration above)

ciscoasa> en
Password:
ciscoasa# conf t
ciscoasa(config)# int e 0/0
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# ip add 203.0.0.2 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# int e 0/1
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# ip add 192.168.3.1 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# route outside 0 0 203.0.0.1
ciscoasa(config)# crypto isakmp enable outside
ciscoasa(config)# crypto isakmp policy 1
ciscoasa(config-isakmp-policy)# authentication pre-share
ciscoasa(config-isakmp-policy)# encryption aes
ciscoasa(config-isakmp-policy)# hash md5
ciscoasa(config-isakmp-policy)# group 2
ciscoasa(config-isakmp-policy)# lifetime 10000
ciscoasa(config-isakmp-policy)# exit
ciscoasa(config)# crypto isakmp key 123.com address 201.0.0.2
ciscoasa(config)# access-list lan3_lan1 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
ciscoasa(config)# crypto ipsec transform-set test-set esp-aes esp-md5-hmac
ciscoasa(config)# crypto map test-map 1 match address lan3_lan1
ciscoasa(config)# crypto map test-map 1 set peer 201.0.0.2
ciscoasa(config)# crypto map test-map 1 set transform-set test-set
ciscoasa(config)# crypto map test-map interface outside

Verification from R4 (lan3):

R4#ping 192.168.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
!

2. Enabling lan2 → lan3 communication:

The ASA1 configuration is as follows

ciscoasa(config)# same-security-traffic permit intra-interface # allow traffic to enter and leave through the same interface (lan2 traffic to lan3 arrives on outside and leaves on outside)
ciscoasa(config)# access-list lan1_lan2 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
ciscoasa(config)# access-list lan1_lan3 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0

The ASA2 configuration is as follows

ciscoasa(config)# access-list lan2_lan1 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0

The ASA3 configuration is as follows

ciscoasa(config)# access-list lan3_lan1 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0

Verification from R3 (lan2):

R3#ping 192.168.3.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.10, timeout is 2 seconds:
!

3. Access to the ISP

If the intranets also need Internet access, configure PAT on each ASA, enable nat-control, and exempt the VPN traffic from translation (otherwise it would be translated before encryption and no longer match the crypto ACL).

The ASA1 configuration is as follows

ciscoasa(config)# nat-control # enable NAT control
ciscoasa(config)# nat (inside) 1 0 0 # configure PAT for all inside hosts
ciscoasa(config)# global (outside) 1 interface # translate to the outside interface address
# the existing ACLs cannot be reused: the VPN traffic is split across lan1_lan2 and lan1_lan3 and nat 0 takes only one ACL, so define a new one
ciscoasa(config)# access-list aaa permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ciscoasa(config)# access-list aaa permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
ciscoasa(config)# nat (inside) 0 access-list aaa # exempt the VPN traffic from translation

The ASA2 configuration is as follows

ciscoasa(config)# nat (inside) 1 0 0
ciscoasa(config)# global (outside) 1 interface
ciscoasa(config)# nat (inside) 0 access-list lan2_lan1

The ASA3 configuration is as follows

ciscoasa(config)# nat (inside) 1 0 0
ciscoasa(config)# global (outside) 1 interface
ciscoasa(config)# nat (inside) 0 access-list lan3_lan1
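The three configurations above depend on details that have to agree across devices: each crypto ACL must be the mirror image of the peer's, each peer must point back at the other, the pre-shared keys must match, and the NAT exemption must cover the locally sourced VPN flows. The following checker is an added example, not the post's own code; SITES is built from the final ASA1/ASA2/ASA3 configuration (including the hairpin entries from step 2 and the nat 0 ACLs from step 3), and the rules in check() are my assumptions about what must hold for the tunnels to negotiate and pass traffic.

```python
"""Cross-site consistency checks for the three-ASA IPSec design on this page.

Added example; not the post's own code.  SITES is constructed from the final
configuration of ASA1, ASA2 and ASA3 (crypto ACLs, peers, pre-shared keys and
the nat (inside) 0 exemption ACL).  The rules enforced by check() are
assumptions: crypto ACLs mirrored on both ends, peers pointing at each
other, equal pre-shared keys, and every locally sourced crypto ACL flow also
present in the NAT exemption ACL.
"""
import copy
from ipaddress import ip_network


def parse_ace(line):
    """'access-list NAME permit ip SRC SMASK DST DMASK' -> (name, src_net, dst_net)."""
    t = line.split()
    if len(t) != 8 or t[0] != "access-list" or t[2:4] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line}")
    return t[1], ip_network(f"{t[4]}/{t[5]}"), ip_network(f"{t[6]}/{t[7]}")


def build_acls(lines):
    """Group parsed ACEs by ACL name, preserving order."""
    acls = {}
    for line in lines:
        name, src, dst = parse_ace(line)
        acls.setdefault(name, []).append((src, dst))
    return acls


# crypto_map maps a peer's outside address to the crypto ACL used for it;
# nat_exempt names the ACL bound with 'nat (inside) 0 access-list ...'
SITES = {
    "ASA1": {"outside": "201.0.0.2", "inside": ip_network("192.168.1.0/24"),
             "psk": {"202.0.0.2": "123.com", "203.0.0.2": "123.com"},
             "crypto_map": {"202.0.0.2": "lan1_lan2", "203.0.0.2": "lan1_lan3"},
             "nat_exempt": "aaa",
             "acls": build_acls([
                 "access-list lan1_lan2 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0",
                 "access-list lan1_lan2 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0",
                 "access-list lan1_lan3 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0",
                 "access-list lan1_lan3 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0",
                 "access-list aaa permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0",
                 "access-list aaa permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0"])},
    "ASA2": {"outside": "202.0.0.2", "inside": ip_network("192.168.2.0/24"),
             "psk": {"201.0.0.2": "123.com"}, "crypto_map": {"201.0.0.2": "lan2_lan1"},
             "nat_exempt": "lan2_lan1",
             "acls": build_acls([
                 "access-list lan2_lan1 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0",
                 "access-list lan2_lan1 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0"])},
    "ASA3": {"outside": "203.0.0.2", "inside": ip_network("192.168.3.0/24"),
             "psk": {"201.0.0.2": "123.com"}, "crypto_map": {"201.0.0.2": "lan3_lan1"},
             "nat_exempt": "lan3_lan1",
             "acls": build_acls([
                 "access-list lan3_lan1 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0",
                 "access-list lan3_lan1 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0"])},
}


def check(sites):
    """Return a list of human-readable findings; an empty list means consistent."""
    by_outside = {s["outside"]: n for n, s in sites.items()}
    findings = []
    for name, site in sites.items():
        for peer_ip, acl_name in site["crypto_map"].items():
            peer_name = by_outside.get(peer_ip)
            if peer_name is None or site["outside"] not in sites[peer_name]["crypto_map"]:
                findings.append(f"{name}: peer {peer_ip} does not point back at {site['outside']}")
                continue
            peer = sites[peer_name]
            if site["psk"].get(peer_ip) != peer["psk"].get(site["outside"]):
                findings.append(f"{name}<->{peer_name}: pre-shared keys differ")
            # phase 2 only completes if each ACE has its mirror image on the peer
            theirs = peer["acls"].get(peer["crypto_map"][site["outside"]], [])
            for src, dst in site["acls"].get(acl_name, []):
                if (dst, src) not in theirs:
                    findings.append(f"{peer_name}: missing mirror of {name} entry {src} -> {dst}")
        # PAT would rewrite locally sourced VPN flows before encryption, so they
        # must appear in the nat 0 exemption ACL; hairpinned flows enter and
        # leave on outside and are not translated by nat (inside)
        exempt = set(site["acls"].get(site["nat_exempt"], []))
        for acl_name in site["crypto_map"].values():
            for src, dst in site["acls"].get(acl_name, []):
                if src == site["inside"] and (src, dst) not in exempt:
                    findings.append(f"{name}: {src} -> {dst} missing from NAT exemption ACL {site['nat_exempt']}")
    return findings


def broken_variants():
    """Two deliberately broken copies of SITES, to show what check() reports."""
    missing_mirror = copy.deepcopy(SITES)
    missing_mirror["ASA3"]["acls"]["lan3_lan1"].pop()      # drop the lan3 -> lan2 hairpin ACE
    wrong_psk = copy.deepcopy(SITES)
    wrong_psk["ASA2"]["psk"]["201.0.0.2"] = "wrong-key"    # ASA2 no longer matches ASA1
    return check(missing_mirror), check(wrong_psk)


if __name__ == "__main__":
    print("page config:", check(SITES) or "consistent")
    for findings in broken_variants():
        print(*findings, sep="\n")
```

Run against the page's final configuration the checker reports nothing; dropping the lan3 → lan2 entry that step 2 adds on ASA3 produces a single "missing mirror" finding on the ASA1 side of that tunnel, and a mismatched key on ASA2 is reported from both ends, which is the same asymmetry that shows up as MM_KEY_EXCH in the router debug output in section I.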
