Upload File

cấu hình site-to-site vpn với overlapping ip.docx

  • Home
  • Documents
  • Cấu hình Site-to-Site VPN với overlapping IP.docx
7
Cấu hình Site-to-Site VPN với overlapping IP Khi triển khai site-to-site VPN không phải lúc nào ta cũng gặp điều kiện lý tưởng là local và remote network sẽ khác nhau. Vì site-to-site VPN là kết nối ảo cho phép các doanh nghiệp khác nhau có thể giao tiếp được với nhau, nên việc giữa các doanh nghiệp này sử dụng những dải địa chỉ IP bị overlap là điều khó tránh khỏi. Vậy câu hỏi đặt ra là liệu các subnet bị overlap có thể giao tiếp được với nhau thông qua VPN tunnel hay không? Có thể ! Nhưng để thực hiện được thì chúng ta cần phải nắm được trình tự xử lý gói tin trên ASA để từ đó cấu hình NAT và crypto ACL sao cho phù hợp. Ta xét mô hình sau: Trong mô hình trên, PC1 (IP là 192.168.2.5) cần giao tiếp được với PC2 (IP cũng là 192.168.2.5) thông qua VPN tunnel. Dĩ nhiên để 2 PC này có thể giao tiếp thành công thì chúng phải thông qua 2 subnet trung gian khác. Ở

Upload: nguyen-huu-thien-an

Post on 17-Sep-2015

253 views

Category:

Documents


6 download

Report

TRANSCRIPT

Cu hnh Site-to-Site VPN vi overlapping IP

Khi trin khai site-to-site VPN khng phi lc no ta cng gp iu kin l tng l local v remote network s khc nhau. V site-to-site VPN l kt ni o cho php cc doanh nghip khc nhau c th giao tip c vi nhau, nn vic gia cc doanh nghip ny s dng nhng di a ch IP b overlap l iu kh trnh khi. Vy cu hi t ra l liu cc subnet b overlap c th giao tip c vi nhau thng qua VPN tunnel hay khng? C th ! Nhng thc hin c th chng ta cn phi nm c trnh t x l gi tin trn ASA t cu hnh NAT v crypto ACL sao cho ph hp.Ta xt m hnh sau:

Trong m hnh trn, PC1 (IP l 192.168.2.5) cn giao tip c vi PC2 (IP cng l 192.168.2.5) thng qua VPN tunnel. D nhin 2 PC ny c th giao tip thnh cng th chng phi thng qua 2 subnet trung gian khc. y ta s chn 2 subnet trung gian l 192.168.6.0/24 v 192.168.4.0/24. Trn quan im ca PC1, PC2 s thuc mng 192.168.4.0/24, v trn quan im ca PC2, PC1 s thuc mng 192.168.6.0/24. Khi PC1 ping PC2 th gi tin s c source IP l 192.168.2.5, destination IP l 192.168.4.5. Khi PC2 ping PC1 th gi tin c source ip l 192.168.2.5, destination IP l 192.168.6.5. gii quyt yu cu t ra ta c 2 cch:1/ Cu hnh NAT trn c ASA1 v ASA2. ASA1 s NAT source IP ca PC1 t mng 192.168.2.0/24 thnh 192.168.6.0/24, v ASA2 s NAT source IP ca PC2 t mng 192.168.2.0/24 thnh 192.168.4.0/24.2/ Ch cu hnh NAT trn ASA1 hoc ASA2, nhng s NAT c source v destination IP ca gi tin.Trong bi vit ny ta s thc hin ln lt c 2 cch trn. Trc tin l cu hnh NAT trn c ASA1 v ASA2 (lu rng cc cu hnh lin quan n Phase 1 v Phase 2 policies vn gi nguyn, ch c NAT v crypto ACL l thay i, nn y mnh ch trnh by cu hnh lin quan n NAT v crypto ACL. Cc bn c th xem cu hnh y tiCu hnh Site-to-Site VPN trn Cisco ASA).ASA1(config)# object network REAL_INSIDE_NETWORKASA1(config-network-object)# subnet 192.168.2.0 255.255.255.0ASA1(config)# object network MAPPED_INSIDE_NETWORKASA1(config-network-object)# subnet 192.168.6.0 255.255.255.0ASA1(config)# object network REMOTE_NETWORKASA1(config-network-object)# subnet 192.168.4.0 255.255.255.0ASA1(config)# object network REAL_INSIDE_NETWORKASA1(config-network-object)# nat (inside,outside1) static MAPPED_INSIDE_NETWORKASA1(config)# access-list VPN_TRAFFIC extended permit ip object MAPPED_INSIDE_NETWORK object REMOTE_NETWORKi vi ASA, n s thc hin NAT gi tin trc khi chuyn qua VPN tunnel, do khi gi tin c source/destination l 192.168.2.5/192.168.4.5 t PC1 gi n ASA1 th trc tin n s NAT source IP ca gi tin t 192.168.2.5 thnh 192.168.6.5, sau n mi chuyn gi tin va NAT xong qua VPN tunnel. V vy trong crypto ACL ta phi ch nh source IP l a ch sau khi NAT (mng 192.168.6.0/24) v destination IP l mng 192.168.4.0/24. Lu rng ta phi cu hnh trn ASA1 mt route 192.168.4.0/24 tr ra cng outside1 th crypto map mi c kch hot.Cu hnh trn ASA2 cng tng t nh ASA1 (ASA2 cng phi m bo c route 192.168.6.0/24 tr ra cng outside):ASA2(config)# object network REAL_INSIDE_NETWORKASA2(config-network-object)# subnet 192.168.2.0 255.255.255.0ASA2(config)# object network MAPPED_INSIDE_NETWORKASA2(config-network-object)# subnet 192.168.4.0 255.255.255.0ASA2(config)# object network REMOTE_NETWORKASA2(config-network-object)# subnet 192.168.6.0 255.255.255.0ASA2(config)# nat (inside,outside) source static REAL_INSIDE_NETWORK MAPPED_INSIDE_NETWORK destination static REMOTE_NETWORK REMOTE_NETWORKASA2(config)# access-list VPN_TRAFFIC extended permit ip object MAPPED_INSIDE_NETWORK object REMOTE_NETWORKTon b qu trnh din ra nh sau: Khi PC1 ping PC2 th gi tin echo request s c source/destination IP l 192.168.2.5/192.168.4.5 i vo cng inside ca ASA1. ASA1 da vo NAT rule s chuyn i source/destination IP t 192.168.2.5/192.168.4.5 thnh 192.168.6.5/192.168.4.5. Sau ASA1 xt thy source/destination IP va c NAT tha crypto ACL nn s a gi tin qua VPN tunnel v n ASA2. ASA2 gii m gi tin VPN, v da vo NAT rule hin c s NAT source/destination IP t 192.168.6.5/192.168.4.5 thnh 192.168.6.5/192.168.2.5 ri gi n cho PC2. Gi tin echo reply do PC2 tr v PC1 cng din ra tng t.Ta kim tra kt qu bng Packet Tracer trn ASA1. V qu trnh thit lp VPN tunnel mt mt khong thi gian nn mt s gi tin u tin s b drop, nhng cc gi tin tip theo s thnh cng.

Tip theo mnh s trnh by cch 2, cu hnh NAT c source/destination IP trn ASA1:ASA1(config)# object network REAL_INSIDE_NETWORKASA1(config-network-object)# subnet 192.168.2.0 255.255.255.0ASA1(config)# object network MAPPED_INSIDE_NETWORKASA1(config-network-object)# subnet 192.168.6.0 255.255.255.0ASA1(config)# object network REAL_REMOTE_NETWORKASA1(config-network-object)# subnet 192.168.2.0 255.255.255.0ASA1(config)# object network MAPPED_REMOTE_NETWORKASA1(config-network-object)# subnet 192.168.4.0 255.255.255.0ASA1(config)# nat (inside,outside1) source static REAL_INSIDE_NETWORK MAPPED_INSIDE_NETWORK destination static MAPPED_REMOTE_NETWORK REAL_REMOTE_NETWORKASA1(config)# access-list VPN_TRAFFIC extended permit ip object MAPPED_INSIDE_NETWORK object REAL_REMOTE_NETWORKCu hnh trn ASA2 nh sau (ASA2 phi c route 192.168.6.0/24 tr ra cng outside):ASA2(config)# object network INSIDE_NETWORKASA2(config-network-object)# subnet 192.168.2.0 255.255.255.0ASA2(config)# object network REMOTE_NETWORKASA2(config-network-object)# subnet 192.168.6.0 255.255.255.0ASA2(config)# nat (inside,outside) source static INSIDE_NETWORK INSIDE_NETWORK destination static REMOTE_NETWORK REMOTE_NETWORKASA2(config)# access-list VPN_TRAFFIC extended permit ip object INSIDE_NETWORK object REMOTE_NETWORKQu trnh din ra nh sau: Gi tin echo request t PC1 gi n PC2 c source/destination IP l 192.168.2.5/192.168.4.5 i vo cng inside ca ASA1. ASA1 da vo NAT rule s chuyn i source/destination IP t 192.168.2.5/192.168.4.5 thnh 192.168.6.5/192.168.2.5. Sau ASA1 xt thy source/destination IP va c NAT tha crypto ACL nn s a gi tin qua VPN tunnel v n ASA2. ASA2 gii m gi tin VPN v chuyn gi tin gc (c source/destination IP l 192.168.6.5/192.168.2.5) n cho PC2.Kim tra bng Packet Tracer:


4-7 Overlapping

Mnemonics for Overlapping Groups

Endereçamento IP.docx

Horizontal Overlapping Translate)

Overlapping Gesture

Overlapping community detection

informe sobre TCP - ip.docx

Elma Nurkovic Napredne tehnologije IP.docx

Taller Telefonía IP.docx

A Bayesian Overlapping Coalition Formation Game for Device ... Bayesian Overlapping Coalition Formati… · seek an overlapping coalition agreement profile in the core that maximizes

Untangling the Overlapping Conflicts in the Syrian War ... · PDF file11.11.2015 · Untangling the Overlapping Conflicts in the Syrian War ... Untangling the Overlapping Conflicts

Overlapping Triangles.pdf

The Overlapping Data Problemagecon.okstate.edu/faculty/publications/165.pdfThe Overlapping Data Problem Abstract We consider the overlapping data problem. The conventional estimation

overlapping TATA box and site of transcription initiation

UNAD - Acta de aceptación (5) TELEFONIA IP.docx

OVERLAPPING, MULTIPLE-LINED DRAWINGS

Melanocytic nevi and melanoma: overlapping … · noma. In addition, a specific anatomic site of a melanocytic proliferation is referred to as a special site. Melanocytic nevi

Barchart Overlapping

Overlapping Contradictory Landscape

TUGAS ARYANDI TROYANTO 2 ROUTER 3 KELAS IP.docx

ICMJE _ Recommendations _ Overlapping Publications

Site Ref L01 Site Name Lime Avenue - Warwick District · 0.37 Settlement Leamington Spa Source SHLAA 08 Land Type Previously developed Adjacent/ Overlapping Site . ... Pav il on 1

The bZIP Targets Overlapping DNA Subsites within a Half-Site

2010 Overlapping Generations Model

dynIP da SAPO – Uma alternativa ao serviço no-ip.docx

Experimental Results for Temporally Overlapping … Results for Temporally Overlapping Pulses from Quantel EverGreen ... Experimental Results for Temporally Overlapping Pulses from

1987 Rawls Overlapping Consensus

Voice over IP.docx

The Overlapping Data Problem

Overlapping Communities

Overlapping Prefix - Cisco...LISP Site Registration Information * = Some locators are down or unreachable # = Some registrations are sourced by reliable transport Site Name Last Up

Overlapping triangle drill

Overlapping Experiments Infrastructure

kv1dehuroad.comkv1dehuroad.com/Split Up IP.docx  · Web viewWord Processor, Presentation Tool, Spreadsheet Package, Database Management System, Integrated Development Environment

Overlapping Mornings