Configuring Site-to-Site VPN with overlapping IP (.docx)

Posted on 17-Sep-2015


Configuring Site-to-Site VPN with overlapping IP

When deploying a site-to-site VPN we do not always get the ideal situation in which the local and remote networks are different. A site-to-site VPN is a virtual link that lets separate organisations communicate with each other, so it is hard to avoid cases where those organisations use overlapping IP address ranges. The question, then, is whether overlapping subnets can still talk to each other through the VPN tunnel. They can, but to make it work we need to understand the order in which the ASA processes a packet, so that NAT and the crypto ACL are configured to match. Consider the following topology:

In the topology above, PC1 (IP 192.168.2.5) needs to communicate with PC2 (IP also 192.168.2.5) through the VPN tunnel. Obviously, for the two PCs to reach each other, they must address each other through two other, intermediate subnets. Here we choose 192.168.6.0/24 and 192.168.4.0/24 as the intermediate subnets. From PC1's point of view PC2 belongs to 192.168.4.0/24, and from PC2's point of view PC1 belongs to 192.168.6.0/24. When PC1 pings PC2, the packet has source IP 192.168.2.5 and destination IP 192.168.4.5. When PC2 pings PC1, the packet has source IP 192.168.2.5 and destination IP 192.168.6.5. There are two ways to meet this requirement:

1/ Configure NAT on both ASA1 and ASA2. ASA1 translates PC1's source IP from 192.168.2.0/24 to 192.168.6.0/24, and ASA2 translates PC2's source IP from 192.168.2.0/24 to 192.168.4.0/24.

2/ Configure NAT on only one of ASA1 or ASA2, but translate both the source and the destination IP of the packet.

In this article we will go through both methods in turn. First, NAT on both ASA1 and ASA2. Note that the Phase 1 and Phase 2 policy configuration stays the same; only the NAT rules and the crypto ACL change, so only the NAT and crypto ACL configuration is shown here. The full configuration is in Cấu hình Site-to-Site VPN trên Cisco ASA (Configuring Site-to-Site VPN on Cisco ASA).

ASA1 configuration:

    ASA1(config)# object network REAL_INSIDE_NETWORK
    ASA1(config-network-object)# subnet 192.168.2.0 255.255.255.0
    ASA1(config)# object network MAPPED_INSIDE_NETWORK
    ASA1(config-network-object)# subnet 192.168.6.0 255.255.255.0
    ASA1(config)# object network REMOTE_NETWORK
    ASA1(config-network-object)# subnet 192.168.4.0 255.255.255.0
    ASA1(config)# object network REAL_INSIDE_NETWORK
    ASA1(config-network-object)# nat (inside,outside1) static MAPPED_INSIDE_NETWORK
    ASA1(config)# access-list VPN_TRAFFIC extended permit ip object MAPPED_INSIDE_NETWORK object REMOTE_NETWORK

The ASA translates a packet before it is sent through the VPN tunnel. So when a packet with source/destination 192.168.2.5/192.168.4.5 from PC1 reaches ASA1, ASA1 first translates the source IP from 192.168.2.5 to 192.168.6.5 and only then forwards the translated packet into the VPN tunnel. Therefore the crypto ACL must specify the post-NAT source (network 192.168.6.0/24) and the destination network 192.168.4.0/24. Note that ASA1 also needs a route for 192.168.4.0/24 pointing out interface outside1; otherwise the crypto map is never triggered.

The ASA2 configuration is similar to ASA1 (ASA2 must likewise have a route for 192.168.6.0/24 pointing out interface outside):

    ASA2(config)# object network REAL_INSIDE_NETWORK
    ASA2(config-network-object)# subnet 192.168.2.0 255.255.255.0
    ASA2(config)# object network MAPPED_INSIDE_NETWORK
    ASA2(config-network-object)# subnet 192.168.4.0 255.255.255.0
    ASA2(config)# object network REMOTE_NETWORK
    ASA2(config-network-object)# subnet 192.168.6.0 255.255.255.0
    ASA2(config)# nat (inside,outside) source static REAL_INSIDE_NETWORK MAPPED_INSIDE_NETWORK destination static REMOTE_NETWORK REMOTE_NETWORK
    ASA2(config)# access-list VPN_TRAFFIC extended permit ip object MAPPED_INSIDE_NETWORK object REMOTE_NETWORK

The complete flow is as follows. When PC1 pings PC2, the echo request with source/destination IP 192.168.2.5/192.168.4.5 enters ASA1's inside interface. ASA1 applies its NAT rule and translates source/destination IP 192.168.2.5/192.168.4.5 to 192.168.6.5/192.168.4.5. It then sees that the translated source/destination match the crypto ACL and sends the packet through the VPN tunnel to ASA2. ASA2 decrypts the VPN packet and, according to its NAT rule, translates source/destination 192.168.6.5/192.168.4.5 to 192.168.6.5/192.168.2.5 before delivering it to PC2. The echo reply from PC2 back to PC1 is handled the same way in reverse.

We verify the result with Packet Tracer on ASA1. Because establishing the VPN tunnel takes some time, the first few packets are dropped, but the following ones succeed.

Next, method 2: translate both the source and the destination IP on ASA1.

ASA1 configuration:

    ASA1(config)# object network REAL_INSIDE_NETWORK
    ASA1(config-network-object)# subnet 192.168.2.0 255.255.255.0
    ASA1(config)# object network MAPPED_INSIDE_NETWORK
    ASA1(config-network-object)# subnet 192.168.6.0 255.255.255.0
    ASA1(config)# object network REAL_REMOTE_NETWORK
    ASA1(config-network-object)# subnet 192.168.2.0 255.255.255.0
    ASA1(config)# object network MAPPED_REMOTE_NETWORK
    ASA1(config-network-object)# subnet 192.168.4.0 255.255.255.0
    ASA1(config)# nat (inside,outside1) source static REAL_INSIDE_NETWORK MAPPED_INSIDE_NETWORK destination static MAPPED_REMOTE_NETWORK REAL_REMOTE_NETWORK
    ASA1(config)# access-list VPN_TRAFFIC extended permit ip object MAPPED_INSIDE_NETWORK object REAL_REMOTE_NETWORK

ASA2 configuration (ASA2 must have a route for 192.168.6.0/24 pointing out interface outside):

    ASA2(config)# object network INSIDE_NETWORK
    ASA2(config-network-object)# subnet 192.168.2.0 255.255.255.0
    ASA2(config)# object network REMOTE_NETWORK
    ASA2(config-network-object)# subnet 192.168.6.0 255.255.255.0
    ASA2(config)# nat (inside,outside) source static INSIDE_NETWORK INSIDE_NETWORK destination static REMOTE_NETWORK REMOTE_NETWORK
    ASA2(config)# access-list VPN_TRAFFIC extended permit ip object INSIDE_NETWORK object REMOTE_NETWORK

The flow is as follows. The echo request from PC1 to PC2, with source/destination IP 192.168.2.5/192.168.4.5, enters ASA1's inside interface. ASA1 applies its NAT rule and translates source/destination IP 192.168.2.5/192.168.4.5 to 192.168.6.5/192.168.2.5. It then sees that the translated source/destination match the crypto ACL and sends the packet through the VPN tunnel to ASA2. ASA2 decrypts the VPN packet and forwards the original packet (source/destination IP 192.168.6.5/192.168.2.5) to PC2 unchanged.

Verification with Packet Tracer:
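As an added illustration (not part of the original article), the following Python model walks both methods above through the ASA order of operations the article relies on: NAT first, then the crypto ACL match on the translated header, then the peer's own NAT after decryption. The NAT rules and crypto ACLs are transcribed from the configurations above; the 0.0.0.0/0 "any" match, the PING tuple and the deliberately wrong BAD_ASA1 crypto ACL (written with the pre-NAT source, so the flow never matches and is not tunneled) are constructed for the example.

```python
import ipaddress

# Constructed input: PC1's echo request as it enters ASA1's inside interface.
PING = ("192.168.2.5", "192.168.4.5")
ANY = "0.0.0.0/0"  # constructed "any" match; _remap leaves such addresses unchanged

def _in(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def _remap(ip, real, mapped):
    """Static one-to-one subnet NAT: keep the host bits, swap the network prefix."""
    r, m = ipaddress.ip_network(real), ipaddress.ip_network(mapped)
    return str(m.network_address + (int(ipaddress.ip_address(ip)) - int(r.network_address)))

def apply_nat(flow, rules):
    """rules: (match_src, match_dst, new_src, new_dst) CIDRs, first match wins.
    An identity translation simply has new == match."""
    src, dst = flow
    for m_src, m_dst, n_src, n_dst in rules:
        if _in(src, m_src) and _in(dst, m_dst):
            return _remap(src, m_src, n_src), _remap(dst, m_dst, n_dst)
    return flow

def tunnel_path(flow, asa1, asa2):
    """ASA order of operations: ASA1 translates first, then matches the crypto ACL
    against the post-NAT header; ASA2 decrypts and applies its own NAT.
    Returns (flow inside the tunnel, flow delivered to PC2), or None when the
    post-NAT flow misses the crypto ACL and so would never be encrypted."""
    in_tunnel = apply_nat(flow, asa1["nat_out"])
    acl_src, acl_dst = asa1["crypto_acl"]
    if not (_in(in_tunnel[0], acl_src) and _in(in_tunnel[1], acl_dst)):
        return None
    return in_tunnel, apply_nat(in_tunnel, asa2["nat_in"])

# Method 1: source-only object NAT on ASA1, twice NAT on ASA2 (rules as in the article).
M1_ASA1 = {"nat_out": [("192.168.2.0/24", ANY, "192.168.6.0/24", ANY)],
           "crypto_acl": ("192.168.6.0/24", "192.168.4.0/24")}
M1_ASA2 = {"nat_in": [("192.168.6.0/24", "192.168.4.0/24", "192.168.6.0/24", "192.168.2.0/24")]}
# Method 2: ASA1 translates source and destination; ASA2 only keeps an identity NAT.
M2_ASA1 = {"nat_out": [("192.168.2.0/24", "192.168.4.0/24", "192.168.6.0/24", "192.168.2.0/24")],
           "crypto_acl": ("192.168.6.0/24", "192.168.2.0/24")}
M2_ASA2 = {"nat_in": [("192.168.6.0/24", "192.168.2.0/24", "192.168.6.0/24", "192.168.2.0/24")]}
# Constructed misconfiguration: crypto ACL written with the pre-NAT (real) source network.
BAD_ASA1 = dict(M1_ASA1, crypto_acl=("192.168.2.0/24", "192.168.4.0/24"))

if __name__ == "__main__":
    print("method 1:", tunnel_path(PING, M1_ASA1, M1_ASA2))
    print("method 2:", tunnel_path(PING, M2_ASA1, M2_ASA2))
    print("pre-NAT ACL:", tunnel_path(PING, BAD_ASA1, M1_ASA2))
```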
