VPN Remote Access

Current version as of 10:05, 5 March 2020

Remote access VPN

Topology

  users------PIX-----------inet
              |              |
              |              |
             DMZ          RemoteAccess VPN

users 10.0.0.0/24
dmz   10.11.12.13/24
inet  212.192.80.150,151,152
vpn = users via outside

users -> inet = NAT
users -> dmz = allow
vpn   -> users = allow
vpn   -> dmz = allow
vpn   -> inet = NAT
inet  -> dmz = port-forward 4321->22 static nat 

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Cisco PIX

pixfirewall# sh run
PIX Version 7.2(1) 
!
domain-name psu.ru
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 212.192.88.150 255.255.255.0 
 no shut
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 
 no shut
!
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 10.11.12.1 255.255.255.0 
 no shut
!
same-security-traffic permit intra-interface
!
object-group network LAN
 network-object 10.0.0.0 255.255.255.0
!
access-list NO-NAT extended permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0 
access-list NO-NAT extended permit ip 10.0.0.0 255.255.255.0 host 10.11.12.13 
!
access-list TO-DMZ extended permit tcp any host 212.192.88.150 eq 4321 
access-list LAN extended permit ip object-group LAN any 
access-list NO-NAT-DMZ extended permit ip host 10.11.12.13 10.0.0.0 255.255.255.0 

ip local pool net10 10.0.0.200-10.0.0.210 mask 255.255.255.0

global (outside) 123 interface
nat (outside) 123 access-list LAN
nat (inside) 123 access-list LAN

nat (inside) 0 access-list NO-NAT
nat (dmz) 0 access-list NO-NAT-DMZ

static (dmz,outside) tcp interface 4321 10.11.12.13 ssh netmask 255.255.255.255 

access-group TO-DMZ in interface outside
route outside 0.0.0.0 0.0.0.0 212.192.88.1 1

group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 212.192.64.2
 vpn-tunnel-protocol IPSec l2tp-ipsec 

username cisco password cisco mschap

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto dynamic-map CM 65535 set transform-set TRANS_ESP_3DES_SHA

crypto map OUTSIDE 65535 ipsec-isakmp dynamic CM
crypto map OUTSIDE interface outside

crypto isakmp identity address 
crypto isakmp enable outside

crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20

tunnel-group DefaultRAGroup general-attributes
 address-pool net10
 default-group-policy DefaultRAGroup

tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key 11111

tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2

policy-map global_policy
 class inspection_default
  inspect icmp 
!
service-policy global_policy global

PIX (NAT only)

interface Ethernet0
 nameif outside
 security-level 0
 ip address 212.192.88.150 255.255.255.0 
 no shut
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 
 no shut
!
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 10.11.12.1 255.255.255.0 
 no shut
!
same-security-traffic permit intra-interface
!
object-group network LAN
 network-object 10.0.0.0 255.255.255.0
!
access-list NO-NAT extended permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0 
access-list NO-NAT extended permit ip 10.0.0.0 255.255.255.0 host 10.11.12.13 
!
access-list TO-DMZ extended permit tcp any host 212.192.88.150 eq 4321 
access-list LAN extended permit ip object-group LAN any 
access-list NO-NAT-DMZ extended permit ip host 10.11.12.13 10.0.0.0 255.255.255.0 

global (outside) 123 interface
nat (outside) 123 access-list LAN
nat (inside) 123 access-list LAN

nat (inside) 0 access-list NO-NAT
nat (dmz) 0 access-list NO-NAT-DMZ

static (dmz,outside) tcp interface 4321 10.11.12.13 ssh netmask 255.255.255.255 

access-group TO-DMZ in interface outside
route outside 0.0.0.0 0.0.0.0 212.192.88.1 1

policy-map global_policy
 class inspection_default
  inspect icmp 
!
service-policy global_policy global

Cisco ASA

ciscoasa# sh run
: Saved
:
ASA Version 9.1(5) 
!
ip local pool net10 10.0.0.200-10.0.0.210 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 212.192.88.150 255.255.255.0 
 no shut
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 
 no shut
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.11.12.1 255.255.255.0 
 no shut
!
same-security-traffic permit intra-interface
!
object network DMZ
 host 10.11.12.13
!
object network LAN1
 subnet 10.0.0.0 255.255.255.0
!
object-group network LAN
 network-object 10.0.0.0 255.255.255.0
!
access-list TO-DMZ extended permit tcp any host 10.11.12.13 eq ssh 
!
nat (outside,outside) source dynamic LAN interface
nat (outside,inside) source static LAN LAN
!
object network DMZ
 nat (dmz,outside) static interface service tcp ssh 4321
object network LAN1
 nat (inside,outside) dynamic pat-pool interface
!
access-group TO-DMZ in interface outside
!
route outside 0.0.0.0 0.0.0.0 212.192.88.1 1 
!
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
!
crypto dynamic-map CM 65535 set ikev1 transform-set TRANS_ESP_3DES_SHA
crypto map OUTSIDE 65535 ipsec-isakmp dynamic CM
crypto map OUTSIDE interface outside
!
crypto isakmp identity address 
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 212.192.64.2
 vpn-tunnel-protocol ikev1 l2tp-ipsec
! 
username cisco password cisco mschap
!
tunnel-group DefaultRAGroup general-attributes
 address-pool net10
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key 11111
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
!
policy-map global_policy
 class inspection_default
  inspect icmp 
!
: end
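As an added example, not part of the original wiki page: a Python audit script that parses the "crypto ikev1 policy" block and the tunnel-group pre-shared key from a constructed excerpt of the ASA configuration above and reports the settings a reviewer would flag today (3DES, SHA-1, DH group 2, a 5-character PSK). The WEAK table and the 20-character PSK threshold are assumptions of this example, not values from the page.

```python
import re

# Constructed excerpt of the ASA running-config shown on this page
# (only the IKEv1 policy and the tunnel-group pre-shared key are kept).
ASA_CONFIG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key 11111
"""

# Assumed baseline: values below current Cisco NGE guidance (DES/3DES, MD5/SHA-1,
# DH groups 1/2/5) and a minimum pre-shared-key length chosen for this example.
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5", "sha"}, "group": {"1", "2", "5"}}
MIN_PSK_LEN = 20


def parse_ikev1_policies(cfg):
    """Return {policy_number: {attribute: value}} for each 'crypto ikev1 policy' block."""
    policies, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"crypto ikev1 policy (\d+)$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None  # any other top-level line ends the policy block
    return policies


def audit(cfg):
    """Return findings for weak IKEv1 parameters and short pre-shared keys."""
    findings = []
    for num, attrs in sorted(parse_ikev1_policies(cfg).items()):
        for attr, weak_values in WEAK.items():
            if attrs.get(attr) in weak_values:
                findings.append(f"ikev1 policy {num}: {attr} {attrs[attr]} is below current guidance")
    for m in re.finditer(r"^ ikev1 pre-shared-key (\S+)$", cfg, re.M):
        if len(m.group(1)) < MIN_PSK_LEN:
            findings.append(f"pre-shared key of {len(m.group(1))} chars is shorter than {MIN_PSK_LEN}")
    return findings
```

Run `audit(ASA_CONFIG)` to get the four findings for the configuration above; the same parser applies to a full `show run` because lines outside the policy block are ignored.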