khoaphunganh
24-02-2010, 09:25 AM
Nhu cầu của công ty em muốn thiết lập 1 đường vpn site to site bằng 2 con Asa5505 theo mô hinh mạng dưới đây
http://i17.photobucket.com/albums/b74/baby_my_love/khoa%20IT/vpnsite2site.jpg
Hai đầu mút bao gồm:
Một đầu dùng Lease line và một đầu dùng ADSL Maxxi Plus (1 IP tỉnh) thông tin về IP như trong mô hình (chú ý giúp em các chữ thay thế cho số tưng ứng với cấu hình bên dưới)
Em đã xây dựng hệ thống cho cả hai bên theo cấu hình bên dưới:
1. Đầu dùng đường truyền ADSL:
ASA Version 7.2(4)
!
hostname vdt-asa-H3
domain-name abc.com.vn
enable password yddQK/UKIgJ/zubh encrypted
passwd yddQK/UKIgJ/zubh encrypted
names
dns-guard
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group megavnn
ip address pppoe
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name abc.com.vn
object-group icmp-type ping
icmp-object echo-reply
icmp-object source-quench
icmp-object unreachable
icmp-object time-exceeded
icmp-object echo
access-list Allow-In extended permit icmp any any object-group ping
access-list Allow-In extended permit 23 any any
access-list Allow-In extended permit gre any any
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 10.0.2.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1492
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group Allow-In in interface outside
route outside 0.0.0.0 0.0.0.0 A.A.A.A 1
route outside 10.0.2.0 255.255.255.0 A.B.C.E 1
!
router rip
network 10.0.0.0
version 2
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 192.168.100.0 255.255.255.0 inside
http authentication-certificate outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer A.B.C.E
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 5
console timeout 0
vpdn group megavnn request dialout pppoe
vpdn group megavnn localname ABC
vpdn group megavnn ppp authentication pap
vpdn username ABC password ********* store-local
dhcpd dns 203.162.4.190
dhcpd auto_config outside
!
dhcpd address 192.168.100.200-192.168.100.250 inside
dhcpd enable inside
!
username khoapa password cognKwJugQmNVNoy encrypted
tunnel-group A.B.C.E type ipsec-l2l
tunnel-group A.B.C.E ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:aa4c9cfdcf0a79095fbf1ae0e0414ddd
: end
2. Đầu dùng đường truyền leaseline
ASA Version 7.2(4)
!
hostname vdt-asa-THD
domain-name abc.com.vn
enable password yddQK/UKIgJ/zubh encrypted
passwd yddQK/UKIgJ/zubh encrypted
names
dns-guard
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address A.B.C.E 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name abc.com.vn
object-group icmp-type ping
icmp-object echo-reply
icmp-object source-quench
icmp-object unreachable
icmp-object time-exceeded
icmp-object echo
access-list Allow-In extended permit icmp any any object-group ping
access-list Allow-In extended permit 23 any any
access-list inside_nat0_outbound extended permit ip 10.0.2.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.0.2.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group Allow-In in interface outside
route outside 0.0.0.0 0.0.0.0 A.B.C.E 1
route outside 192.168.100.0 255.255.255.0 A.A.A.A 1
!
router rip
network 192.168.100.0
version 2
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 10.0.2.0 255.255.255.0 inside
http authentication-certificate outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer A.A.A.A
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.0.2.0 255.255.255.0 inside
telnet timeout 5
console timeout 0
dhcpd dns 210.245.24.22
dhcpd auto_config outside
!
dhcpd address 10.0.2.100-10.0.2.250 inside
dhcpd enable inside
!
username khoapa password cognKwJugQmNVNoy encrypted
tunnel-group A.A.A.A type ipsec-l2l
tunnel-group A.A.A.A ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d2b21d26569fc21f12724e2d63456836
: end
Em cấu hình xong, nhưng địa chỉ private của cả hai đầu dều không thể ping tới nhau. Anh chị xem giúp em cầu hinh bên trên đã đúng chưa ah.
Cho em hỏi thêm là liệu IP route của thằng lease line nó có ảnh hưởng gì trong trường hợp này không vì địa chỉ lớp ngoài của Asa em sữ dụng địa chỉ IP Route
Em cám ơn anh chị nhiều
http://i17.photobucket.com/albums/b74/baby_my_love/khoa%20IT/vpnsite2site.jpg
Hai đầu mút bao gồm:
Một đầu dùng Lease line và một đầu dùng ADSL Maxxi Plus (1 IP tỉnh) thông tin về IP như trong mô hình (chú ý giúp em các chữ thay thế cho số tưng ứng với cấu hình bên dưới)
Em đã xây dựng hệ thống cho cả hai bên theo cấu hình bên dưới:
1. Đầu dùng đường truyền ADSL:
ASA Version 7.2(4)
!
hostname vdt-asa-H3
domain-name abc.com.vn
enable password yddQK/UKIgJ/zubh encrypted
passwd yddQK/UKIgJ/zubh encrypted
names
dns-guard
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group megavnn
ip address pppoe
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name abc.com.vn
object-group icmp-type ping
icmp-object echo-reply
icmp-object source-quench
icmp-object unreachable
icmp-object time-exceeded
icmp-object echo
access-list Allow-In extended permit icmp any any object-group ping
access-list Allow-In extended permit 23 any any
access-list Allow-In extended permit gre any any
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 10.0.2.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1492
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group Allow-In in interface outside
route outside 0.0.0.0 0.0.0.0 A.A.A.A 1
route outside 10.0.2.0 255.255.255.0 A.B.C.E 1
!
router rip
network 10.0.0.0
version 2
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 192.168.100.0 255.255.255.0 inside
http authentication-certificate outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer A.B.C.E
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 5
console timeout 0
vpdn group megavnn request dialout pppoe
vpdn group megavnn localname ABC
vpdn group megavnn ppp authentication pap
vpdn username ABC password ********* store-local
dhcpd dns 203.162.4.190
dhcpd auto_config outside
!
dhcpd address 192.168.100.200-192.168.100.250 inside
dhcpd enable inside
!
username khoapa password cognKwJugQmNVNoy encrypted
tunnel-group A.B.C.E type ipsec-l2l
tunnel-group A.B.C.E ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:aa4c9cfdcf0a79095fbf1ae0e0414ddd
: end
2. Đầu dùng đường truyền leaseline
ASA Version 7.2(4)
!
hostname vdt-asa-THD
domain-name abc.com.vn
enable password yddQK/UKIgJ/zubh encrypted
passwd yddQK/UKIgJ/zubh encrypted
names
dns-guard
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address A.B.C.E 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name abc.com.vn
object-group icmp-type ping
icmp-object echo-reply
icmp-object source-quench
icmp-object unreachable
icmp-object time-exceeded
icmp-object echo
access-list Allow-In extended permit icmp any any object-group ping
access-list Allow-In extended permit 23 any any
access-list inside_nat0_outbound extended permit ip 10.0.2.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.0.2.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group Allow-In in interface outside
route outside 0.0.0.0 0.0.0.0 A.B.C.E 1
route outside 192.168.100.0 255.255.255.0 A.A.A.A 1
!
router rip
network 192.168.100.0
version 2
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 10.0.2.0 255.255.255.0 inside
http authentication-certificate outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer A.A.A.A
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.0.2.0 255.255.255.0 inside
telnet timeout 5
console timeout 0
dhcpd dns 210.245.24.22
dhcpd auto_config outside
!
dhcpd address 10.0.2.100-10.0.2.250 inside
dhcpd enable inside
!
username khoapa password cognKwJugQmNVNoy encrypted
tunnel-group A.A.A.A type ipsec-l2l
tunnel-group A.A.A.A ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d2b21d26569fc21f12724e2d63456836
: end
Em cấu hình xong, nhưng địa chỉ private của cả hai đầu dều không thể ping tới nhau. Anh chị xem giúp em cầu hinh bên trên đã đúng chưa ah.
Cho em hỏi thêm là liệu IP route của thằng lease line nó có ảnh hưởng gì trong trường hợp này không vì địa chỉ lớp ngoài của Asa em sữ dụng địa chỉ IP Route
Em cám ơn anh chị nhiều