2025-03-29 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
I. Overview:
I had previously assumed that LAN-to-LAN reverse route injection meant that one encryption point's static route for the traffic of interest was injected into the other encryption point. Today's test showed that this is not the case, so I am recording it here.
II. Test ideas and results:
A. Ideas:
① Configure a LAN-to-LAN IPSEC ××× on PIX 8.0.
② Verify whether set reverse-route has to be configured on both sides to take effect, or whether configuring one side is enough.
③ Verify what the reverse-injected route entry actually is, and whether it is related to the encryption point's static routes.
B. Results:
(1) set reverse-route takes effect when configured on one side only. The reverse-injected static route appears on whichever encryption point it is configured on; if both sides configure it, injected route entries appear on both sides.
(2) The injected entry is the destination network of the traffic of interest. It has nothing to do with the encryption point's static routes, and nothing to do with whether the ××× connection has been established. This can be verified by changing the mask of the traffic of interest.
-----For routers that build an L2L ××× over a tunnel interface, where no traffic of interest has to be defined, configuring reverse route injection should have no effect.
III. Test topology:
IV. Test steps:
---Refer to previous blog post: 333234.blog.51cto.com/323234/1253465
A. Basic configuration:
① FW1:
---Interface configuration:
interface Ethernet0
nameif Inside
security-level 100
ip address 192.168.1.1 255.255.255.0
no shut
interface Ethernet1
nameif Outside
security-level 0
ip address 202.100.1.1 255.255.255.0
no shut
---Route configuration:
route Outside 0.0.0.0 0.0.0.0 202.100.1.10
---Policy configuration:
access-list OUTSIDE extended permit icmp any any
access-group OUTSIDE in interface Outside
---PAT Configuration:
access-list PAT extended permit ip 192.168.0.0 255.255.0.0 any
access-list NONAT extended permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0
global (Outside) 1 interface
nat (Inside) 0 access-list NONAT
nat (Inside) 1 access-list PAT
② FW2:
---Interface configuration:
interface Ethernet0
nameif Inside
security-level 100
ip address 172.16.1.1 255.255.255.0
no shut
interface Ethernet1
nameif Outside
security-level 0
ip address 202.100.2.1 255.255.255.0
no shut
---Route configuration:
route Outside 0.0.0.0 0.0.0.0 202.100.2.10
---Policy configuration:
access-list OUTSIDE extended permit icmp any any
access-group OUTSIDE in interface Outside
---PAT Configuration:
access-list PAT extended permit ip 172.16.0.0 255.255.0.0 any
access-list NONAT extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0
global (Outside) 1 interface
nat (Inside) 0 access-list NONAT
nat (Inside) 1 access-list PAT
B. ××× Configuration:
① FW1:
----Phase 1 (ISAKMP) policy:
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
tunnel-group 202.100.2.1 type ipsec-l2l
tunnel-group 202.100.2.1 ipsec-attributes
pre-shared-key cisco
----Phase 2 transform set:
crypto ipsec transform-set transet esp-des esp-md5-hmac
----Traffic of interest:
access-list ××× extended permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0
----Configure the crypto map, apply it to the Outside interface, and enable ISAKMP on the interface:
crypto map crymap 20 match address ×××
crypto map crymap 20 set peer 202.100.2.1
crypto map crymap 20 set transform-set transet
crypto map crymap interface Outside
crypto isakmp enable Outside
② FW2:
----Phase 1 (ISAKMP) policy:
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
tunnel-group 202.100.1.1 type ipsec-l2l
tunnel-group 202.100.1.1 ipsec-attributes
pre-shared-key cisco
----Phase 2 transform set:
crypto ipsec transform-set transet esp-des esp-md5-hmac
----Traffic of interest:
access-list ××× extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0
----Configure the crypto map, apply it to the Outside interface, and enable ISAKMP on the interface:
crypto map crymap 20 match address ×××
crypto map crymap 20 set peer 202.100.1.1
crypto map crymap 20 set transform-set transet
crypto map crymap interface Outside
crypto isakmp enable Outside
C. Testing:
① Without triggering the ×××, check the routing table on the firewall's Outside interface. Only the default route is present.
----Because reverse route injection has not been configured yet.
FW1(config)# show route outside
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 202.100.1.10 to network 0.0.0.0
C 202.100.1.0 255.255.255.0 is directly connected, Outside
S* 0.0.0.0 0.0.0.0 [1/0] via 202.100.1.10, Outside
FW1(config)#
② Add the reverse route injection configuration, still without triggering the ×××. One additional static route now appears on the Outside interface.
FW1(config)# crypto map crymap 20 set reverse-route
FW1(config)# show route outside
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 202.100.1.10 to network 0.0.0.0
S 172.16.0.0 255.255.0.0 [1/0] via 202.100.1.10, Outside
C 202.100.1.0 255.255.255.0 is directly connected, Outside
S* 0.0.0.0 0.0.0.0 [1/0] via 202.100.1.10, Outside
③ Modify the ACL of the traffic of interest; the injected static route changes accordingly.
FW1(config)# access-list ××× extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
FW1(config)# show route outside
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 202.100.1.10 to network 0.0.0.0
S 172.16.0.0 255.255.0.0 [1/0] via 202.100.1.10, Outside
S 172.16.1.0 255.255.255.0 [1/0] via 202.100.1.10, Outside
C 202.100.1.0 255.255.255.0 is directly connected, Outside
S* 0.0.0.0 0.0.0.0 [1/0] via 202.100.1.10, Outside
----The original interesting-traffic entry was not deleted; a more specific ACL entry was added, and a correspondingly more specific static route was injected.
----Thus, the entries injected by reverse route injection depend only on the destination network of the traffic of interest, and are independent of whether the ××× has been triggered.
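To make the finding above checkable, here is an added Python example (not from the original post) that derives the routes RRI is expected to inject from a crypto-map ACL and verifies them against show route output: it takes the destination of each permit ACE as a prefix and checks that it appears as a static route via the Outside default gateway. The ACL name L2L_ACL is a placeholder for the post's redacted ACL name; the sample ACL and the two route tables are constructed from the post's FW1 output at steps ① and ③.

```python
import ipaddress
import re

# Constructed from the post's FW1 configuration after step ③ (both ACEs present).
# "L2L_ACL" is a placeholder for the redacted ACL name used in the post.
ACL_CONFIG = """
access-list L2L_ACL extended permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list L2L_ACL extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
"""

# Constructed 'show route outside' excerpt from step ① (no RRI yet).
ROUTES_BEFORE = """
S*   0.0.0.0 0.0.0.0 [1/0] via 202.100.1.10, Outside
"""

# Constructed 'show route outside' excerpt from step ③ (RRI on, two ACEs).
ROUTES_AFTER = """
S    172.16.0.0 255.255.0.0 [1/0] via 202.100.1.10, Outside
S    172.16.1.0 255.255.255.0 [1/0] via 202.100.1.10, Outside
C    202.100.1.0 255.255.255.0 is directly connected, Outside
S*   0.0.0.0 0.0.0.0 [1/0] via 202.100.1.10, Outside
"""

ACE_RE = re.compile(r"access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
STATIC_RE = re.compile(r"^S\*?\s+(\S+)\s+(\S+)\s+\[\d+/\d+\]\s+via\s+(\S+),\s+(\S+)", re.M)

def expected_rri_routes(acl_text, acl_name):
    """Destination prefixes RRI derives from the crypto-map ACL: one per ACE, source ignored."""
    prefixes = set()
    for name, _src, _smask, dst, dmask in ACE_RE.findall(acl_text):
        if name == acl_name:
            prefixes.add(ipaddress.ip_network(f"{dst}/{dmask}"))
    return prefixes

def static_routes(show_route_text):
    """Map prefix -> next hop for every static (S / S*) line of 'show route' output."""
    return {ipaddress.ip_network(f"{net}/{mask}"): nh
            for net, mask, nh, _intf in STATIC_RE.findall(show_route_text)}

def check_rri(acl_text, acl_name, show_route_text):
    """Return (missing, wrong_nexthop) as sorted prefix strings: expected RRI prefixes
    absent from the table, and those present but not via the default gateway."""
    routes = static_routes(show_route_text)
    default_nh = routes.get(ipaddress.ip_network("0.0.0.0/0"))
    expected = expected_rri_routes(acl_text, acl_name)
    missing = sorted(str(p) for p in expected if p not in routes)
    wrong = sorted(str(p) for p in expected if p in routes and routes[p] != default_nh)
    return missing, wrong

if __name__ == "__main__":
    print("before RRI:", check_rri(ACL_CONFIG, "L2L_ACL", ROUTES_BEFORE))
    print("after RRI: ", check_rri(ACL_CONFIG, "L2L_ACL", ROUTES_AFTER))
```

Because the check never consults tunnel or SA state, it reflects the post's conclusion: the injected prefixes follow the ACL destinations alone.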
Attachment: down.51cto.com/data/2363521