IPSEC VPN项目实战(附拓扑图配置、实验环境及视频讲解)

2021-06-23 00:30:05 浏览数 (1)

拓扑图:

实验环境:

该拓扑图分为四个部分最左边位总部Tiger HQ,中间的为ISP,右上角为分部Branch1,右下角为分部Branch2。总部和分部的边界设备用的是型号为USG 6000V的防火墙,都分别连接运营商的PE设备。总部内有vlan10和20,主机A和B属于vlan10,主机C和D属于vlan20。

需求:

1.各部分内网主机之间能够互相联通。

2.所有总部、分部内网主机要通过边界防火墙能够访问Internet。

3.总部的主机可以访问两个分部的主机,两个分部的主机也能访问总部的主机。

扫码可领取本次实验视频课程及实验环境。

网络设备具体配置信息:

总部部分:

SW1:

[SW1]int lo0

[SW1-LoopBack0]ip add 10.1.11.11 32

[SW1-LoopBack0]quit

[SW1]vlan batch 10 20 //创建vlan

[SW1]quit

[SW1]int g0/0/1

[SW1-GigabitEthernet0/0/1]port link-type trunk

[SW1-GigabitEthernet0/0/1]port trunk allow-pass vlan all

[SW1-GigabitEthernet0/0/1]quit

[SW1]int g0/0/2

[SW1-GigabitEthernet0/0/2]port link-type trunk

[SW1-GigabitEthernet0/0/2]port trunk allow-pass vlan all

[SW1-GigabitEthernet0/0/2]quit

[SW1]Int eth-trunk 12

[SW1-Eth-Trunk12]trunk port g0/0/23 to 0/0/24

[SW1-Eth-Trunk12]port link-type trunk

[SW1-Eth-Trunk12]port trunk allow-pass vlan all

[SW1]sto mode mstp

[SW1]stp region-configuration

[SW1-mst-]stp region-name Tigerlab

[SW1-mst-region]revision-level 1256

[SW1-mst-region]instance 10 vlan 10

[SW1-mst-region]instance 20 vlan 20

[SW1-mst-region]active region-configuration

[SW1]stp instance 10 root primary

[SW1]stp instance 20 root second

[SW1]int vlan 10

[SW1-vlanif10]ip add 10.1.10.11 24

[SW1-vlanif10]quit

[SW1]int vlan 20

[SW1-vlanif20]ip add 10.1.20.11 24

[SW1-vlanif20]quit

[SW1]int vlan 10

[SW1-vlanif10]vrrp vrid 10 virtual-ip 10.1.10.254

[SW1-vlanif10]vrrp vrid 10 priority 105

[SW1-vlanif10]quit

[SW1]int vlan 20

[SW1-vlanif20]vrrp vrid 20 virtual-ip 10.1.20.254

[SW1-vlanif20]quit

[SW1]vlan 111

[SW1-vlanif111]quit

[SW1]int g0/0/3

[SW1-GigabitEthernet0/0/3]port link-type access

[SW1-GigabitEthernet0/0/3]port default vlan 111

[SW1-GigabitEthernet0/0/3]stp egded-port enable

[SW1-GigabitEthernet0/0/3]quit

[SW1]stp bpdu-protection

[SW1]int vlan 111

[SW1-vlanif111]ip add 10.1.111.11 24

[SW1-vlanif111]quit

[SW1]ospf 10 router-id10.1.11.11

[SW1-ospf-10]area 0

[SW1-ospf-10-area-0.0.0.0]net 10.1.11.11 0.0.0.0

[SW1-ospf-10-area-0.0.0.0]net 10.1.111.11 0.0.0.0

[SW1-ospf-10-area-0.0.0.0]net 10.1.10.11 0.0.0.0

[SW1-ospf-10-area-0.0.0.0]net 10.1.20.11 0.0.0.0

检查stp的配置结果,display stp instance 10,可以看到vlan10是主根

SW2:

[SW2]int lo0

[SW2-LoopBack0]ip add 10.1.12.12 32

[SW2-LoopBack0]quit

[SW2]vlan batch 10 20

[SW2]int g0/0/1

[SW2-GigabitEthernet0/0/1]port link-type trunk

[SW2-GigabitEthernet0/0/1]port trunk allow-pass vlan all

[SW2-GigabitEthernet0/0/1]quit

[SW2]int g0/0/2

[SW2-GigabitEthernet0/0/2]port link-type trunk

[SW2-GigabitEthernet0/0/2]port trunk allow-pass vlan all

[SW2-GigabitEthernet0/0/2]quit

[SW2]int eth-trunk 12

[SW2-Eth-Trunk12]trunk port g0/0/23 to 0/0/24

[SW2-Eth-Trunk12]port link-type trunk

[SW2-Eth-Trunk12]port trunk allow-pass vlan all

[SW2]sto mode mstp

[SW2]stp region-configuration

[SW2-mst-]stp region-name Tigerlab

[SW2-mst-region]revision-level 1256

[SW2-mst-region]instance 10 vlan 10

[SW2-mst-region]instance 20 vlan 20

[SW2-mst-region]active region-configuration

[SW2]stp instance 20 root primary

[SW2]stp instance 10 root second

[SW2]int vlan 10

[SW2-vlanif10]ip add 10.1.20.12 24

[SW2-vlanif10]quit

[SW2]int vlan 20

[SW2-vlanif20]ip add 10.1.20.12 24

[SW2-vlanif20]quit

[SW2]int vlan 10

[SW2-vlanif10]vrrp vrid 10 virtual-ip 10.1.10.254

[SW2-vlanif10]quit

[SW2]int vlan 20

[SW2-vlanif20]vrrp vrid 20 virtual-ip 10.1.20.254

[SW2-vlanif20]vrrp vrid 20 priority 105

[SW2-vlanif20]quit

[SW2]vlan 112

[SW2-vlanif112]quit

[SW2]int g0/0/3

[SW2-GigabitEthernet0/0/3]port link-type access

[SW2-GigabitEthernet0/0/3]port default vlan 112

[SW2-GigabitEthernet0/0/3]stp egded-port enable

[SW2-GigabitEthernet0/0/3]quit

[SW2]stp bpdu-protection

[SW2]int vlan 112

[SW2-vlanif112]ip add 10.1.112.12 24

[SW2-vlanif112]quit

[SW2]ospf 10 router-id10.1.12.12

[SW2-ospf-10]area 0

[SW2-ospf-10-area-0.0.0.0]net 10.1.12.12 0.0.0.0

[SW2-ospf-10-area-0.0.0.0]net 10.1.112.12 0.0.0.0

[SW2-ospf-10-area-0.0.0.0]net 10.1.10.12 0.0.0.0

[SW2-ospf-10-area-0.0.0.0]net 10.1.20.12 0.0.0.0

(1)在SW1上,接下来验证一下端口的vlan情况,display port vlan

在SW1上检查一下vrrp的配置情况:display vrrp brief

SW3:

[SW3]int lo0

[SW3-LoopBack0]ip add 10.2.13.13 32

[SW3-LoopBack0]quit

[SW3]vlan batch 30 40

[SW3]int g0/0/1

[SW3-GigabitEthernet0/0/1]port link-type access

[SW3-GigabitEthernet0/0/1]port default vlan 30

[SW3-GigabitEthernet0/0/1]stp edged-port enable

[SW3-GigabitEthernet0/0/1]quit

[SW3]int g0/0/2

[SW3-GigabitEthernet0/0/2]port link-type access

[SW3-GigabitEthernet0/0/2]port default vlan 30

[SW3-GigabitEthernet0/0/2]stp edged-port enable

[SW3-GigabitEthernet0/0/2]quit

[SW3]int g0/0/3

[SW3-GigabitEthernet0/0/3]port link-type access

[SW3-GigabitEthernet0/0/3]port default vlan 40

[SW3-GigabitEthernet0/0/3]stp edged-port enable

[SW3-GigabitEthernet0/0/3]quit

[SW3]int g0/0/4

[SW3-GigabitEthernet0/0/4]port link-type access

[SW3-GigabitEthernet0/0/4]port default vlan 40

[SW3-GigabitEthernet0/0/4]stp edged-port enable

[SW3-GigabitEthernet0/0/4]quit

[SW3]stp bpdu-protection

[SW3]vlan 132

[SW3-vlanif112]quit

[SW3]int g0/0/24

[SW3-GigabitEthernet0/0/24]port link-type access

[SW3-GigabitEthernet0/0/24]port default vlan 132

[SW3-GigabitEthernet0/0/24]stp egded-port enable

[SW3-GigabitEthernet0/0/24]quit

[SW3]int vlan 132

[SW3-vlanif132]ip add 10.2.132.13 24

[SW3-vlanif132]quit

[SW3]int vlan 30

[SW3-vlanif30]ip add 10.2.30.254 24

[SW3-vlanif30]quit

[SW3]int vlan 40

[SW3-vlanif40]ip add 10.2.40.254 24

[SW3-vlanif40]quit

[SW3]ospf 10 router-id10.2.13.13

[SW3-ospf-10]area 0

[SW3-ospf-10-area-0.0.0.0]net 10.2.13.13 0.0.0.0

[SW3-ospf-10-area-0.0.0.0]net 10.2.30.254 0.0.0.0

[SW3-ospf-10-area-0.0.0.0]net 10.2.40.254 0.0.0.0

[SW3-ospf-10-area-0.0.0.0]net 10.2.132.13 0.0.0.0

SW4:

[SW4]int lo0

[SW4-LoopBack0]ip add 10.3.14.14 32

[SW4-LoopBack0]quit

[SW4]vlan batch 50

[SW4]int g0/0/1

[SW4-GigabitEthernet0/0/1]port link-type access

[SW4-GigabitEthernet0/0/1]port default vlan 50

[SW4-GigabitEthernet0/0/1]stp edged-port enable

[SW4-GigabitEthernet0/0/1]quit

[SW4]int g0/0/2

[SW4-GigabitEthernet0/0/2]port link-type access

[SW4-GigabitEthernet0/0/2]port default vlan 50

[SW4-GigabitEthernet0/0/2]stp edged-port enable

[SW4-GigabitEthernet0/0/2]quit

[SW4]int g0/0/3

[SW4-GigabitEthernet0/0/3]port link-type access

[SW4-GigabitEthernet0/0/2]port default vlan 50

[SW4-GigabitEthernet0/0/2]stp edged-port enable

[SW4]stp bpdu-protection

[SW4]vlan 143

[SW4-vlanif112]quit

[SW4]int g0/0/24

[SW4-GigabitEthernet0/0/24]port link-type access

[SW4-GigabitEthernet0/0/24]port default vlan 143

[SW4-GigabitEthernet0/0/24]stp egded-port enable

[SW4-GigabitEthernet0/0/24]quit

[SW4]int vlan 143

[SW4-vlanif132]ip add 10.3.143.14 24

[SW4-vlanif132]quit

[SW4]int vlan 50

[SW4-vlanif30]ip add 10.3.50.254 24

[SW4-vlanif30]quit

[SW4]ospf 10 router-id10.3.14.14

[SW4-ospf-10]area 0

[SW4-ospf-10-area-0.0.0.0]net 10.3.14.14 0.0.0.0

[SW4-ospf-10-area-0.0.0.0]net 10.2.50.254 0.0.0.0

[SW4-ospf-10-area-0.0.0.0]net 10.2.40.254 0.0.0.0

[SW4-ospf-10-area-0.0.0.0]net 10.2.143.14 0.0.0.0

SW5:

[SW5]vlan batch 10 20

[SW5]int g0/0/1

[SW5-GigabitEthernet0/0/1]port link-type trunk

[SW5-GigabitEthernet0/0/1]port trunk allow-pass vlan all

[SW5-GigabitEthernet0/0/1]quit

[SW5]int g0/0/2

[SW5-GigabitEthernet0/0/2]port link-type trunk

[SW5-GigabitEthernet0/0/2]port trunk allow-pass vlan all

[SW5-GigabitEthernet0/0/2]quit

[SW5]int e0/0/1

[SW5-Ethernet0/0/1]port link-type access

[SW5-Ethernet0/0/1]port default vlan 10

[SW5-Ethernet0/0/1]stp edged-port enable

[SW5-Ethernet0/0/1]quit

[SW5]int e0/0/2

[SW5-Ethernet0/0/2]port link-type access

[SW5-Ethernet0/0/2]port default vlan 20

[SW5-Ethernet0/0/2]stp edged-port enable

[SW5-Ethernet0/0/2]quit

[SW5]stp bpdu-protection

[SW5]sto mode mstp

[SW5]stp region-configuration

[SW5-mst-]stp region-name Tigerlab

[SW5-mst-region]revision-level 1256

[SW5-mst-region]instance 10 vlan 10

[SW5-mst-region]instance 20 vlan 20

[SW5-mst-region]active region-configuration

接下来验证一下端口的vlan情况,display port vlan。

SW6:

[SW6]vlan batch 10 20

[SW6]int g0/0/1

[SW6-GigabitEthernet0/0/1]port link-type trunk

[SW6-GigabitEthernet0/0/1]port trunk allow-pass vlan all

[SW6-GigabitEthernet0/0/1]quit

[SW6]int g0/0/2

[SW6-GigabitEthernet0/0/2]port link-type trunk

[SW6-GigabitEthernet0/0/2]port trunk allow-pass vlan all

[SW6-GigabitEthernet0/0/2]quit

[SW6]int e0/0/1

[SW6-Ethernet0/0/1]port link-type access

[SW6-Ethernet0/0/1]port default vlan 10

[SW6-Ethernet0/0/1]stp edged-port enable

[SW6-Ethernet0/0/1]quit

[SW6]int e0/0/2

[SW6-Ethernet0/0/2]port link-type access

[SW6-Ethernet0/0/2]port default vlan 20

[SW6-Ethernet0/0/2]stp edged-port enable

[SW6-Ethernet0/0/2]quit

[SW6]stp bpdu-protection

[SW6]sto mode mstp

[SW6]stp region-configuration

[SW6-mst-]stp region-name Tigerlab

[SW6-mst-region]revision-level 1256

[SW6-mst-region]instance 10 vlan 10

[SW6-mst-region]instance 20 vlan 20

[SW6-mst-region]active region-configuration

验证一下总部内主机与网关之间的连通性。

总部防火墙FW1:

[USG1]int lo0

[USG1-LoopBack0]ip add 10.1.1.1 32

[USG1-LoopBack0]quit

[USG1]int g1/0/0

[USG1-GigabitEthernet1/0/0 ]ip add 100.1.41.1 24

[USG1-GigabitEthernet1/0/0 ]quit

[USG1]int g1/0/1

[USG1-GigabitEthernet1/0/1 ]ip add 10.1.111.1 24

[USG1-GigabitEthernet1/0/1 ]quit

[USG1]int g1/0/2

[USG1-GigabitEthernet1/0/2 ]ip add 10.1.112.1 24

[USG1-GigabitEthernet1/0/2 ]quit

[USG1]firewall zone trust

[USG1-zone-trust]add int g1/0/1

[USG1-zone-trust]add int g1/0/2

[USG1-zone-trust]quit

[USG1]firewall zone untrust

[USG1-zone-untrust]add int g1/0/0

[USG1-zone-untrust]quit

[USG1]security-policy

[USG1-policy-security]rule name Inside

[USG1-policy-security-rule-Inside]source-zone trust

[USG1-policy-security-rule-Inside]destination-zone local

[USG1-policy-security-rule-Inside]source-zone local

[USG1-policy-security-rule-Inside]destination-zone trust

[USG1-policy-security-rule-Inside]access-authentication

[USG1-policy-security-rule-Inside]action permit

[USG1-policy-security-rule-Inside]quit

[USG1-policy-security]quit

[USG1]int g1/0/1

[USG1-GigabitEthernet1/0/1]service-manage ping permit

[USG1-GigabitEthernet1/0/1 ]quit

[USG1]int g1/0/2

[USG1-GigabitEthernet1/0/2 ]service-manage ping permit

[USG1-GigabitEthernet1/0/2 ]quit

[USG1]ospf 10 router-id 10.1.1.1

[USG1-ospf-10]area 0

[USG1-ospf-10-area-0.0.0.0]net 10.1.1.1 0.0.0.0

[USG1-ospf-10-area-0.0.0.0]net 10.1.111.1 0.0.0.0

[USG1-ospf-10-area-0.0.0.0]net 10.1.112.1 0.0.0.0

[USG1]ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 1/0/0 100.1.41.4

[USG1]security-policy

[USG1-policy-security]rule name Internet

[USG1-policy-security-rule-Internet]source-zone trust

[USG1-policy-security-rule-Internet]destination-zone untrust

[USG1-policy-security-rule-Internet]source-address 10.1.0.0 16

[USG1-policy-security-rule-Internet]action permit

[USG1]nat-policy

[USG1-policy-nat]rule name 0

[USG1-policy-nat-rule-0]source-zone trust

[USG1-policy-nat-rule-0]destination-zone untrust

[USG1-policy-nat-rule-0]destination-address 10.2.0.0 16

[USG1-policy-nat-rule-0]destination-address 10.3.0.0 16

[USG1-policy-nat-rule-0]action no-nat

[USG1-policy-nat]rule name Internet

[USG1-policy-nat-rule-Internet]source-zone trust

[USG1-policy-nat-rule-Internet]destination-zone untrust

[USG1-policy-nat-rule-Internet]source-address 10.1.0.0 16

[USG1-policy-nat-rule-Internet]egress-interface GigabitEthernet 1/0/0

[USG1-policy-nat-rule-Internet]action source-natm easy-ip

[USG1]ospf 10

[USG1-ospf-10]default-route-advertise

[USG1]security-policy

[USG1-policy-security]rule name IPSec

[USG1-policy-security-rule-IPSec]source-zone untrust

[USG1-policy-security-rule-IPSec]destination-zone local

[USG1-policy-security-rule-IPSec]source-address any

[USG1-policy-security-rule-IPSec]destination-address 100.1.41.1 32

[USG1-policy-security-rule-IPSec]service esp

[USG1-policy-security-rule-IPSec]service protocol udp source-port 500 destination-port 500

[USG1-policy-security-rule-IPSec]service protocol udp source-port 4500 destination-port 4500

[USG1-policy-security-rule-IPSec]action permit

[USG1-policy-security-rule-IPSec]quit

[USG1-policy-security]rule name IPSec-OUT

[USG1-policy-security-rule-IPSec-OUT]source-zone local

[USG1-policy-security-rule-IPSec-OUT]destination-zone untrust

[USG1-policy-security-rule-IPSec-OUT]source-address 100.1.41.1 32

[USG1-policy-security-rule-IPSec-OUT]destination-address any

[USG1-policy-security-rule-IPSec-OUT]service esp

[USG1-policy-security-rule-IPSec-OUT]service protocol udp source-port 500 destination-port 500

[USG1-policy-security-rule-IPSec-OUT]service protocol udp source-port 4500 destination-port 4500

[USG1-policy-security-rule-IPSec-OUT]action permit

[USG1-policy-security-rule-IPSec-OUT]quit

[USG1-policy-security]rule name IPSec-DATA

[USG1-policy-security-rule-IPSec-DATA]source-zone trust

[USG1-policy-security-rule-IPSec-DATA]destination-zone untrust

[USG1-policy-security-rule-IPSec-DATA]source-zone untrust

[USG1-policy-security-rule-IPSec-DATA]destination-zone trust

[USG1-policy-security-rule-IPSec-DATA]source-address 10.1.0.0 16

[USG1-policy-security-rule-IPSec-DATA]]destination-address 10.2.0.0 16

[USG1-policy-security-rule-IPSec-DATA]]destination-address 10.3.0.0 16

[USG1-policy-security-rule-IPSec-DATA]source-address 10.2.0.0 16

[USG1-policy-security-rule-IPSec-DATA]source-address 10.3.0.0 16

[USG1-policy-security-rule-IPSec-DATA]destination-address 10.1.0.0 16

[USG1-policy-security-rule-IPSec-DATA]action permit

[USG1-policy-security-rule-IPSec-DATA]quit

[USG1-policy-security]quit

[USG1]ike proposal 10

[USG1-ike-proposal-10]encryption-algorithm aes-256

[USG1-ike-proposal-10]authentication-algorithm sha2-512

[USG1-ike-proposal-10]authentication-method pre-share

[USG1-ike-proposal-10]dh group14

[USG1-ike-proposal-10]quit

[USG1]ike peer Hub

[USG1-ike-peer-Hub]ike-proposal 10

[USG1-ike-peer-Hub]exchange-mode main

[USG1-ike-peer-Hub]undo version 2

[USG1-ike-peer-Hub]nat traversal

[USG1-ike-peer-Hub]pre-shared-key Cisco12345

[USG1]ipsec proposal ESP

[USG1-ipsec-proposal-ESP]transform esp

[USG1-ipsec-proposal-ESP]esp authentication-algorithm sha2-512

[USG1-ipsec-proposal-ESP]espencrption-algorithm aes-256

[USG1]ipsec policy-template T 10

[USG1-ipsec-policy-template-T-10]ike-peer Hub

[USG1-ipsec-policy-template-T-10] proposal ESP

[USG1-ipsec-policy-template-T-10]tunnel local 100.1.41.1

[USG1]ipsec policy Tigerlab 10 isakmp template T

[USG1]int g1/0/0

[USG1-GigabitEthernet1/0/0 ]ipsec policy Tigerlab

(1)做到这里检查一下防火墙能否ping通交换机:

(2)在防火墙上查看ospf邻居和路由:display ospf peer brief、display ip routing-table protocol ospf

(3)在防火墙上ping内网的主机:

分支Branch1的防火墙FW2:

[USG2]int lo0

[USG2-LoopBack0]ip add 10.2.2.2 32

[USG2-LoopBack0]quit

[USG2]int g1/0/0

[USG2-GigabitEthernet1/0/0 ]ip add 100.1.52.2 24

[USG2-GigabitEthernet1/0/0 ]quit

[USG2]int g1/0/1

[USG2-GigabitEthernet1/0/1 ]ip add 10.2.132.2 24

[USG2-GigabitEthernet1/0/1 ]quit

[USG2]firewall zone trust

[USG2-zone-trust]add int g1/0/1

[USG2-zone-trust]quit

[USG2]firewall zone untrust

[USG2-zone-untrust]add int g1/0/0

[USG2-zone-untrust]quit

[USG2]security-policy

[USG2-policy-security]rule name Inside

[USG2-policy-security-rule-Inside]source-zone trust

[USG2-policy-security-rule-Inside]destination-zone local

[USG2-policy-security-rule-Inside]source-zone local

[USG2-policy-security-rule-Inside]destination-zone trust

[USG2-policy-security-rule-Inside]access-authentication

[USG2-policy-security-rule-Inside]action permit

[USG2-policy-security-rule-Inside]quit

[USG2-policy-security]quit

[USG2]int g1/0/1

[USG2-GigabitEthernet1/0/1]service-manage ping permit

[USG2-GigabitEthernet1/0/1 ]quit

[USG2]ospf 10 router-id 10.2.2.2

[USG2-ospf-10]area 0

[USG2-ospf-10-area-0.0.0.0]net 10.2.2.2 0.0.0.0

[USG2-ospf-10-area-0.0.0.0]net 10.2.132.2 0.0.0.0

[USG2]ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 1/0/0 100.1.52.5

[USG2]security-policy

[USG2-policy-security]rule name Internet

[USG2-policy-security-rule-Internet]source-zone trust

[USG2-policy-security-rule-Internet]destination-zone untrust

[USG2-policy-security-rule-Internet]source-address 10.2.0.0 16

[USG2-policy-security-rule-Internet]action permit

[USG2]nat-policy

[USG2-policy-nat]rule name 0

[USG2-policy-nat-rule-0]source-zone trust

[USG2-policy-nat-rule-0]destination-zone untrust

[USG2-policy-nat-rule-0]destination-address 10.1.0.0 16

[USG2-policy-nat-rule-0]action no-nat

[USG2-policy-nat]rule name Internet

[USG2-policy-nat-rule-Internet]source-zone trust

[USG2-policy-nat-rule-Internet]destination-zone untrust

[USG2-policy-nat-rule-Internet]source-address 10.2.0.0 16

[USG2-policy-nat-rule-Internet]egress-interface GigabitEthernet 1/0/0

[USG2-policy-nat-rule-Internet]action source-natm easy-ip

[USG2]ospf 10

[USG2-ospf-10]default-route-advertise

[USG2]security-policy

[USG2-policy-security]rule name IPSec-IN

[USG2-policy-security-rule-IPSec-IN]source-zone untrust

[USG2-policy-security-rule-IPSec-IN]destination-zone local

[USG2-policy-security-rule-IPSec-IN]source-address 100.1.41.1 32

[USG2-policy-security-rule-IPSec-IN]destination-address any

[USG2-policy-security-rule-IPSec-IN]service esp

[USG2-policy-security-rule-IPSec-IN]service protocol udp source-port 500 destination-port 500

[USG2-policy-security-rule-IPSec-IN]service protocol udp source-port 4500 destination-port 4500

[USG2-policy-security-rule-IPSec-IN]action permit

[USG2-policy-security-rule-IPSec-IN]quit

[USG2-policy-security]rule name IPSec-OUT

[USG2-policy-security-rule-IPSec-OUT]source-zone local

[USG2-policy-security-rule-IPSec-OUT]destination-zone untrust

[USG2-policy-security-rule-IPSec-OUT]source-address any

[USG2-policy-security-rule-IPSec-OUT]destination-address 100.1.41.1 32

[USG2-policy-security-rule-IPSec-OUT]service esp

[USG2-policy-security-rule-IPSec-OUT]service protocol udp source-port 500 destination-port 500

[USG2-policy-security-rule-IPSec-OUT]service protocol udp source-port 4500 destination-port 4500

[USG2-policy-security-rule-IPSec-OUT]action permit

[USG2-policy-security]rule name IPSec-DATA

[USG2-policy-security-rule-IPSec-DATA]source-zone trust

[USG2-policy-security-rule-IPSec-DATA]destination-zone untrust

[USG2-policy-security-rule-IPSec-DATA]source-zone untrust

[USG2-policy-security-rule-IPSec-DATA]destination-zone trust

[USG2-policy-security-rule-IPSec-DATA]source-address 10.1.0.0 16

[USG2-policy-security-rule-IPSec-DATA]]destination-address 10.2.0.0 16

[USG2-policy-security-rule-IPSec-DATA]source-address 10.2.0.0 16

[USG2-policy-security-rule-IPSec-DATA]destination-address 10.1.0.0 16

[USG2-policy-security-rule-IPSec-DATA]action permit

[USG2]ike proposal 10

[USG2-ike-proposal-10]encryption-algorithm aes-256

[USG2-ike-proposal-10]authentication-algorithm sha2-512

[USG2-ike-proposal-10]authentication-method pre-share

[USG2-ike-proposal-10]dh group14

[USG2-ike-proposal-10]quit

[USG2]ike peer Speak1

[USG2-ike-peer-Speak1]ike-proposal 10

[USG2-ike-peer-Speak1]exchange-mode main

[USG2-ike-peer-Speak1]undo version 2

[USG2-ike-peer-Speak1]nat traversal

[USG2-ike-peer-Speak1]remote-address 100.1.41.1

[USG2-ike-peer-Speak1]pre-shared-key Cisco12345

[USG2]ipsec proposal ESP

[USG2-ipsec-proposal-ESP]transform esp

[USG2-ipsec-proposal-ESP]esp authentication-algorithm sha2-512

[USG2-ipsec-proposal-ESP]espencrption-algorithm aes-256

[USG2]acl number 3000

[USG2-acl-adv-3000] rule 10 permit ip source 10.2.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255

[USG2]ipsec policy Tigerlab 10 isakmp

[USG2-ipsec-policy-isakmp-Tigerlab-10]ike-peer Spoke1

[USG2-ipsec-policy-isakmp-Tigerlab-10]proposal ESP

[USG2-ipsec-policy-isakmp-Tigerlab-10]security acl 3000

[USG2]int g1/0/0

[USG2-GigabitEthernet1/0/0 ]ipsec policy Tigerlab

测试在防火墙上ping内网的主机,可以看到已经全部ping通。

分支Branch2的防火墙FW3:

[USG3]int lo0

[USG3-LoopBack0]ip add 10.3.3.3 32

[USG3-LoopBack0]quit

[USG3]int g1/0/0

[USG3-GigabitEthernet1/0/0 ]ip add 100.1.63.3 24

[USG3-GigabitEthernet1/0/0 ]quit

[USG3]int g1/0/1

[USG3-GigabitEthernet1/0/1 ]ip add 10.3.143.3 24

[USG3-GigabitEthernet1/0/1 ]quit

[USG3]firewall zone trust

[USG3-zone-trust]add int g1/0/1

[USG3-zone-trust]quit

[USG3]firewall zone untrust

[USG3-zone-untrust]add int g1/0/0

[USG3-zone-untrust]quit

[USG3]security-policy

[USG3-policy-security]rule name Inside

[USG3-policy-security-rule-Inside]source-zone trust

[USG3-policy-security-rule-Inside]destination-zone local

[USG3-policy-security-rule-Inside]source-zone local

[USG3-policy-security-rule-Inside]destination-zone trust

[USG3-policy-security-rule-Inside]access-authentication

[USG3-policy-security-rule-Inside]action permit

[USG3-policy-security-rule-Inside]quit

[USG3-policy-security]quit

[USG3]int g1/0/1

[USG3-GigabitEthernet1/0/1]service-manage ping permit

[USG3-GigabitEthernet1/0/1 ]quit

[USG3]ospf 10 router-id 10.3.3..3

[USG3-ospf-10]area 0

[USG3-ospf-10-area-0.0.0.0]net 10.3.3.3 0.0.0.0

[USG3-ospf-10-area-0.0.0.0]net 10.3.143.3 0.0.0.0

[USG3]ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 1/0/0 100.1.63.6

[USG3]security-policy

[USG3-policy-security]rule name Internet

[USG3-policy-security-rule-Internet]source-zone trust

[USG3-policy-security-rule-Internet]destination-zone untrust

[USG3-policy-security-rule-Internet]source-address 10.3.0.0 16

[USG3-policy-security-rule-Internet]action permit

[USG3]nat-policy

[USG3-policy-nat]rule name 0

[USG3-policy-nat-rule-0]source-zone trust

[USG3-policy-nat-rule-0]destination-zone untrust

[USG3-policy-nat-rule-0]destination-address 10.1.0.0 16

[USG3-policy-nat-rule-0]action no-nat

[USG3-policy-nat]rule name Internet

[USG3-policy-nat-rule-Internet]source-zone trust

[USG3-policy-nat-rule-Internet]destination-zone untrust

[USG3-policy-nat-rule-Internet]source-address 10.3.0.0 16

[USG3-policy-nat-rule-Internet]egress-interface GigabitEthernet 1/0/0

[USG3-policy-nat-rule-Internet]action source-natm easy-ip

[USG3]ospf 10

[USG3-ospf-10]default-route-advertise

[USG3]security-policy

[USG3-policy-security]rule name IPSec-IN

[USG3-policy-security-rule-IPSec-IN]source-zone untrust

[USG3-policy-security-rule-IPSec-IN]destination-zone local

[USG3-policy-security-rule-IPSec-IN]source-address 100.1.41.1 32

[USG3-policy-security-rule-IPSec-IN]destination-address any

[USG3-policy-security-rule-IPSec-IN]service esp

[USG3-policy-security-rule-IPSec-IN]service protocol udp source-port 500 destination-port 500

[USG3-policy-security-rule-IPSec-IN]service protocol udp source-port 4500 destination-port 4500

[USG3-policy-security-rule-IPSec-IN]action permit

[USG3-policy-security-rule-IPSec-IN]quit

[USG3-policy-security]rule name IPSec-OUT

[USG3-policy-security-rule-IPSec-OUT]source-zone local

[USG3-policy-security-rule-IPSec-OUT]destination-zone untrust

[USG3-policy-security-rule-IPSec-OUT]source-address any

[USG3-policy-security-rule-IPSec-OUT]destination-address 100.1.41.1 32

[USG3-policy-security-rule-IPSec-OUT]service esp

[USG3-policy-security-rule-IPSec-OUT]service protocol udp source-port 500 destination-port 500

[USG3-policy-security-rule-IPSec-OUT]service protocol udp source-port 4500 destination-port 4500

[USG3-policy-security-rule-IPSec-OUT]action permit

[USG3-policy-security]rule name IPSec-DATA

[USG3-policy-security-rule-IPSec-DATA]source-zone trust

[USG3-policy-security-rule-IPSec-DATA]destination-zone untrust

[USG3-policy-security-rule-IPSec-DATA]source-zone untrust

[USG3-policy-security-rule-IPSec-DATA]destination-zone trust

[USG3-policy-security-rule-IPSec-DATA]source-address 10.1.0.0 16

[USG3-policy-security-rule-IPSec-DATA]]destination-address 10.3.0.0 16

[USG3-policy-security-rule-IPSec-DATA]source-address 10.3.0.0 16

[USG3-policy-security-rule-IPSec-DATA]destination-address 10.1.0.0 16

[USG3-policy-security-rule-IPSec-DATA]action permit

[USG3]ike proposal 10

[USG3-ike-proposal-10]encryption-algorithm aes-256

[USG3-ike-proposal-10]authentication-algorithm sha2-512

[USG3-ike-proposal-10]authentication-method pre-share

[USG3-ike-proposal-10]dh group14

[USG3]ike peer Speak2

[USG3-ike-peer-Speak2]ike-proposal 10

[USG3-ike-peer-Speak2]exchange-mode main

[USG3-ike-peer-Speak2]undo version 2

[USG3-ike-peer-Speak2]nat traversal

[USG3-ike-peer-Speak2]remote-address 100.1.41.1

[USG3-ike-peer-Speak2]pre-shared-key Cisco12345

[USG3]ipsec proposal ESP

[USG3-ipsec-proposal-ESP]transform esp

[USG3-ipsec-proposal-ESP]esp authentication-algorithm sha2-512

[USG3-ipsec-proposal-ESP]espencrption-algorithm aes-256

[USG3]acl number 3000

[USG3-acl-adv-3000] rule 10 permit ip source 10.3.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255

[USG3]ipsec policy Tigerlab 10 isakmp

[USG3-ipsec-policy-isakmp-Tigerlab-10]ike-peer Spoke2

[USG3-ipsec-policy-isakmp-Tigerlab-10]proposal ESP

[USG3-ipsec-policy-isakmp-Tigerlab-10]security acl 3000

[USG3]int g1/0/0

[USG3-GigabitEthernet1/0/0 ]ipsec policy Tigerlab

ISP部分:

AR4:

[AR4]int lo0

[AR4-LoopBack0]ip add 10.1.4.4 32

[AR4-LoopBack0]quit

[AR4]itn g0/0/0

[AR4-GigabitEthernet0/0/0 ]ip add 100.1.41.4 24

[AR4-GigabitEthernet0/0/0 ]quit

[AR4]itn g0/0/1

[AR4-GigabitEthernet0/0/1 ]ip add 100.1.100.4 24

[AR4-GigabitEthernet0/0/1 ]quit

[AR4]ospf 10 router-id 10.1.4.4

[AR4-ospf-10]area 0

[AR4-ospf-10-area-0.0.0.0]net 10.1.4.4 0.0.0.0

[AR4-ospf-10-area-0.0.0.0]net 10.1.41.4 0.0.0.0

[AR4-ospf-10-area-0.0.0.0]net 100.1.100.4 0.0.0.0

AR5:

[AR5]int lo0

[AR5-LoopBack0]ip add 10.1.5.5 32

[AR5-LoopBack0]quit

[AR5]itn g0/0/0

[AR5-GigabitEthernet0/0/0 ]ip add 100.1.52.5 24

[AR5-GigabitEthernet0/0/0 ]quit

[AR5]itn g0/0/1

[AR5-GigabitEthernet0/0/1 ]ip add 100.1.100.5 24

[AR5-GigabitEthernet0/0/1 ]quit

[AR5]ospf 10 router-id 10.1.5.5

[AR5-ospf-10]area 0

[AR5-ospf-10-area-0.0.0.0]net 10.1.5.5 0.0.0.0

[AR5-ospf-10-area-0.0.0.0]net 10.1.52.5 0.0.0.0

[AR5-ospf-10-area-0.0.0.0]net 100.1.100.5 0.0.0.05

AR6

[AR6]int lo0

[AR6-LoopBack0]ip add 10.1.6.6 32

[AR6-LoopBack0]quit

[AR6]itn g0/0/0

[AR6-GigabitEthernet0/0/0 ]ip add 100.1.63.6 24

[AR6-GigabitEthernet0/0/0 ]quit

[AR6]itn g0/0/1

[AR6-GigabitEthernet0/0/1 ]ip add 100.1.100.6 24

[AR6-GigabitEthernet0/0/1 ]quit

[AR6]itn g0/0/2

[AR6-GigabitEthernet0/0/2 ]ip add 100.1.36.6 24

[AR6-GigabitEthernet0/0/2 ]quit

[AR6]ospf 10 router-id 10.1.6.6

[AR6-ospf-10]area 0

[AR6-ospf-10-area-0.0.0.0]net 10.1.6.6 0.0.0.0

[AR6-ospf-10-area-0.0.0.0]net 10.1.63.6 0.0.0.0

[AR6-ospf-10-area-0.0.0.0]net 100.1.100.6 0.0.0.0

[AR6-ospf-10-area-0.0.0.0]net 100.1.36.6 0.0.0.0

测试

(1)各区域主机是否能ping通isp的服务器,可以看到总部和分部的主机都能够ping通isp的服务器。

(2)总部与分部之间的联通测试。

可以看到总部已经可以与分部之间通讯,实验到这里就结束了。

0 人点赞