Cisco IPsec VPN: traffic control on the edge devices
1. Lab topology:
R1 is the business router inside Company A's edge site; its main business network is 1.1.1.0/24 (Loopback0, 1.1.1.1);
R2 is Company A's edge-site router; it builds the VPN tunnel to Company B and carries the encrypted traffic;
R3 is a router in the Internet;
R4 is Company B's edge-site router; it builds the VPN tunnel to Company A and carries the encrypted traffic;
R5 is the business router inside Company B's edge site; its main business network is 2.2.2.0/24 (Loopback0, 2.2.2.2).
2. Requirements:
R1 may reach only R5's HTTP service through the VPN (R5 runs: ip http server);
R5 may reach only R1's TELNET service through the VPN; no other traffic is allowed through the VPN.
3. Lab configuration:
(The VPN name and the name of the interesting-traffic ACL are shown as *** on the source page and are kept that way below.)
R1#show run
no ip domain lookup
!
username cisco password 0 cisco
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
router ospf 10
 log-adjacency-changes
 network 1.1.1.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
ip forward-protocol nd
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 password cisco
 login local
 transport input telnet
R2#show run
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 202.100.1.18
!
crypto ipsec transform-set ccna ah-md5-hmac esp-3des
!
crypto map ccna 10 ipsec-isakmp
 set peer 202.100.1.18
 ! crypto-map ACL filtering: both lists are checked on clear-text packets,
 ! crypto.outbound before encryption and crypto.inbound after decryption
 set ip access-group crypto.inbound in
 set ip access-group crypto.outbound out
 set transform-set ccna
 ! interesting traffic: selects what gets encrypted, does not filter
 match address ***
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 202.100.1.1 255.255.255.248
 ip access-group site1.inbound in
 ip access-group site1.outbound out
 duplex auto
 speed auto
 crypto map ccna
!
router ospf 10
 log-adjacency-changes
 network 192.168.1.0 0.0.0.255 area 0
 default-information originate always
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 202.100.1.2
!
no ip http server
no ip http secure-server
!
ip access-list extended crypto.inbound
 ! return traffic of R1's HTTP sessions to R5 (matched on source port 80 only)
 permit tcp 2.2.2.0 0.0.0.255 eq www 1.1.1.0 0.0.0.255
 ! R5 opening Telnet to R1
 permit tcp 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255 eq telnet
ip access-list extended crypto.outbound
 ! return traffic of R5's Telnet sessions to R1
 permit tcp 1.1.1.0 0.0.0.255 eq telnet 2.2.2.0 0.0.0.255
 ! R1 opening HTTP to R5
 permit tcp 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 eq www
ip access-list extended site1.inbound
 permit esp host 202.100.1.18 host 202.100.1.1
 permit ahp host 202.100.1.18 host 202.100.1.1
ip access-list extended site1.outbound
 permit esp host 202.100.1.1 host 202.100.1.18
 permit ahp host 202.100.1.1 host 202.100.1.18
ip access-list extended ***
 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
R3#show run
interface FastEthernet0/0
 ip address 202.100.1.17 255.255.255.248
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 202.100.1.2 255.255.255.248
 duplex auto
 speed auto
R4#show run
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 202.100.1.1
!
crypto ipsec transform-set ccna ah-md5-hmac esp-3des
!
crypto map ccna 10 ipsec-isakmp
 set peer 202.100.1.1
 set ip access-group crypto.inbound in
 set ip access-group crypto.outbound out
 set transform-set ccna
 match address ***
!
interface FastEthernet0/0
 ip address 202.100.1.18 255.255.255.248
 ip access-group site1.inbound in
 ip access-group site1.outbound out
 duplex auto
 speed auto
 crypto map ccna
!
interface FastEthernet0/1
 ip address 192.168.2.2 255.255.255.0
 duplex auto
 speed auto
!
router ospf 10
 log-adjacency-changes
 network 192.168.2.0 0.0.0.255 area 0
 default-information originate always
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 202.100.1.17
!
no ip http server
no ip http secure-server
!
ip access-list extended crypto.inbound
 permit tcp 1.1.1.0 0.0.0.255 eq telnet 2.2.2.0 0.0.0.255
 permit tcp 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 eq www
ip access-list extended crypto.outbound
 permit tcp 2.2.2.0 0.0.0.255 eq www 1.1.1.0 0.0.0.255
 permit tcp 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255 eq telnet
ip access-list extended site1.inbound
 permit esp host 202.100.1.1 host 202.100.1.18
 permit ahp host 202.100.1.1 host 202.100.1.18
ip access-list extended site1.outbound
 permit esp host 202.100.1.18 host 202.100.1.1
 permit ahp host 202.100.1.18 host 202.100.1.1
ip access-list extended ***
 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
R5#show run
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
!
router ospf 10
 log-adjacency-changes
 network 2.2.2.0 0.0.0.255 area 0
 network 192.168.2.0 0.0.0.255 area 0
!
ip forward-protocol nd
!
ip http server
4. Lab result data:
R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.1.2 to network 0.0.0.0
     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
C    192.168.1.0/24 is directly connected, FastEthernet0/0
O*E2 0.0.0.0/0 [110/1] via 192.168.1.2, 01:20:44, FastEthernet0/0
R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is 202.100.1.2 to network 0.0.0.0
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/11] via 192.168.1.1, 01:21:14, FastEthernet0/0
     202.100.1.0/29 is subnetted, 1 subnets
C       202.100.1.0 is directly connected, FastEthernet0/1
C    192.168.1.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 202.100.1.2
R2#show crypto isakmp sa
dst             src             state          conn-id slot status
202.100.1.18    202.100.1.1     QM_IDLE              1    0 ACTIVE
R2#show crypto engine connections active
  ID Interface        IP-Address      State  Algorithm            Encrypt  Decrypt
   1 FastEthernet0/1  202.100.1.1     set    HMAC_MD5+3DES_56_C         0        0
2001 FastEthernet0/1  202.100.1.1     set    MD5+3DES                 158        0
2002 FastEthernet0/1  202.100.1.1     set    MD5+3DES                   0      182
R4#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is 202.100.1.17 to network 0.0.0.0
     2.0.0.0/32 is subnetted, 1 subnets
O       2.2.2.2 [110/11] via 192.168.2.1, 01:17:48, FastEthernet0/1
     202.100.1.0/29 is subnetted, 1 subnets
C       202.100.1.16 is directly connected, FastEthernet0/0
C    192.168.2.0/24 is directly connected, FastEthernet0/1
S*   0.0.0.0/0 [1/0] via 202.100.1.17
R4#show crypto isakmp sa
dst             src             state          conn-id slot status
202.100.1.18    202.100.1.1     QM_IDLE              1    0 ACTIVE
R4#show crypto engine connections active
  ID Interface        IP-Address      State  Algorithm            Encrypt  Decrypt
   1 FastEthernet0/0  202.100.1.18    set    HMAC_MD5+3DES_56_C         0        0
2001 FastEthernet0/0  202.100.1.18    set    MD5+3DES                 202        0
2002 FastEthernet0/0  202.100.1.18    set    MD5+3DES                   0      144
R5#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.2.2 to network 0.0.0.0
     2.0.0.0/24 is subnetted, 1 subnets
C       2.2.2.0 is directly connected, Loopback0
C    192.168.2.0/24 is directly connected, FastEthernet0/1
O*E2 0.0.0.0/0 [110/1] via 192.168.2.2, 01:19:23, FastEthernet0/1
5. Service tests:
R1#telnet 2.2.2.2 80 /source-interface loopback 0
Trying 2.2.2.2, 80 ... Open
get /
HTTP/1.1 400 Bad Request
Date: Fri, 01 Mar 2002 01:30:54 GMT
Server: cisco-IOS
Connection: close
Accept-Ranges: none
400 Bad Request //R5's HTTP service port is reachable through the tunnel: the TCP connection opened and the server answered (the 400 only reflects the lower-case "get" request line; IOS expects "GET /")
R5#telnet 1.1.1.1 /source-interface loopback 0
Trying 1.1.1.1 ... Open
User Access Verification
Username: //R1's TELNET service port is also reachable, as required
R1#ping 2.2.2.2 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.....
Success rate is 0 percent (0/5) //the ping is blocked, which is also the expected result: ICMP matches the interesting-traffic ACL but is not permitted by crypto.outbound
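The filtering decision above can be replayed without routers. The following script is an added example written for this page (it is not code from the original post or from Cisco IOS): it parses the extended-ACL syntax R2 uses for crypto.inbound and crypto.outbound, evaluates constructed packets against them the way the crypto-map filter does (first match wins, implicit deny at the end), and then shows the stateless-filter weakness of the return-traffic line, which matches on source port only. The packets, the ephemeral ports (11001, 11002), the SSH probe and the "hardened" ACL with the established keyword are all assumptions introduced for illustration; only the two lab ACLs are taken from the configuration above.

```python
"""Offline model of this lab's crypto-map filter (added example, not from the original post).
Parses the IOS extended-ACL syntax R2 uses (permit/deny; tcp|icmp|ip; 'any' | 'host X' |
'X wildcard'; optional 'eq port'; optional 'established') and evaluates constructed packets."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "telnet": 23, "ssh": 22}

@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "icmp", "esp", ...
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    ack: bool = False           # ACK (or RST) bit, which 'established' tests

def _wc_match(addr, base, wildcard):  # IOS wildcard mask: a 1 bit means 'don't care'
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def _addr(t, i):  # consume 'any' | 'host X' | 'X wildcard' -> (base, wildcard, next)
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2

def _port(t, i):  # consume optional 'eq <name|number>' -> (port or None, next)
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i

def parse_acl(text):
    """Entries: (permit, proto, src, src_wc, sport, dst, dst_wc, dport, established)."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] not in ("permit", "deny"):
            continue
        sb, sw, i = _addr(t, 2)
        sp, i = _port(t, i)
        db, dw, i = _addr(t, i)
        dp, i = _port(t, i)
        aces.append((t[0] == "permit", t[1], sb, sw, sp, db, dw, dp, "established" in t[i:]))
    return aces

def evaluate(aces, pkt):  # first matching entry wins; no match is the implicit deny
    for permit, proto, sb, sw, sp, db, dw, dp, est in aces:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (_wc_match(pkt.src, sb, sw) and _wc_match(pkt.dst, db, dw)):
            continue
        if (sp is not None and sp != pkt.sport) or (dp is not None and dp != pkt.dport):
            continue
        if est and not pkt.ack:
            continue
        return permit
    return False

# R2's two filter ACLs exactly as configured in the lab.
R2_CRYPTO_OUTBOUND = parse_acl("""
permit tcp 1.1.1.0 0.0.0.255 eq telnet 2.2.2.0 0.0.0.255
permit tcp 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 eq www
""")
R2_CRYPTO_INBOUND = parse_acl("""
permit tcp 2.2.2.0 0.0.0.255 eq www 1.1.1.0 0.0.0.255
permit tcp 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255 eq telnet
""")
# Hardened variant (editor's assumption, not from the lab): 'established' on the HTTP
# return line, so a packet that is merely sourced from port 80 no longer passes.
R2_CRYPTO_INBOUND_HARDENED = parse_acl("""
permit tcp 2.2.2.0 0.0.0.255 eq www 1.1.1.0 0.0.0.255 established
permit tcp 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255 eq telnet
""")

def replay_lab_tests():
    """The three checks at the end of the lab as R2's filter sees them (constructed packets)."""
    http_syn = Packet("tcp", "1.1.1.1", "2.2.2.2", 11001, 80)
    http_synack = Packet("tcp", "2.2.2.2", "1.1.1.1", 80, 11001, ack=True)
    telnet_syn = Packet("tcp", "2.2.2.2", "1.1.1.1", 11002, 23)
    telnet_synack = Packet("tcp", "1.1.1.1", "2.2.2.2", 23, 11002, ack=True)
    ping = Packet("icmp", "1.1.1.1", "2.2.2.2")
    return {
        "r1_http_to_r5": evaluate(R2_CRYPTO_OUTBOUND, http_syn) and evaluate(R2_CRYPTO_INBOUND, http_synack),
        "r5_telnet_to_r1": evaluate(R2_CRYPTO_INBOUND, telnet_syn) and evaluate(R2_CRYPTO_OUTBOUND, telnet_synack),
        "r1_ping_r5": evaluate(R2_CRYPTO_OUTBOUND, ping),
    }

def source_port_bypass():
    """A SYN from 2.2.2.2 sourced from port 80 towards R1's SSH port (constructed probe)."""
    probe = Packet("tcp", "2.2.2.2", "1.1.1.1", 80, 22)
    reply = Packet("tcp", "2.2.2.2", "1.1.1.1", 80, 11001, ack=True)  # a real HTTP reply
    return {
        "lab_acl_passes_probe": evaluate(R2_CRYPTO_INBOUND, probe),
        "hardened_acl_passes_probe": evaluate(R2_CRYPTO_INBOUND_HARDENED, probe),
        "hardened_acl_passes_reply": evaluate(R2_CRYPTO_INBOUND_HARDENED, reply),
    }
```

Running replay_lab_tests() reproduces the lab: HTTP from R1 and Telnet from R5 pass in both directions, the ping is denied. source_port_bypass() shows why a crypto-map ACL is not a stateful firewall: with the lab ACL a SYN sourced from port 80 reaches any port of 1.1.1.0/24, while the hardened line still passes genuine HTTP replies (ACK set) and drops the probe. The established keyword only inspects TCP flags, so it is a mitigation, not a replacement for a stateful inspection engine such as CBAC or a zone-based firewall in front of the crypto map.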
(Summary: this lab focuses on the configuration of the edge sites. Here the edge-site routers do the important job of filtering traffic, so inter-site access is not only secured but also spares link bandwidth between the sites; filtering inter-site traffic with ACLs matters.)
Practitioner notes on this design. The lists attached with set ip access-group are ordinary stateless extended ACLs evaluated on clear-text packets (crypto.outbound before encryption, crypto.inbound after decryption), while match address *** only selects which traffic IPsec protects; that is why the ping from 1.1.1.1 to 2.2.2.2 matches the interesting-traffic ACL and is still dropped. Because the filter keeps no connection state, the return-traffic lines (permit tcp 2.2.2.0 0.0.0.255 eq www 1.1.1.0 0.0.0.255 and its Telnet counterpart) match on source port alone, so any TCP packet from 2.2.2.0/24 sent from port 80 reaches every port of 1.1.1.0/24; adding the established keyword to those lines restricts them to packets with ACK or RST set, and a stateful firewall in front of the crypto map is the proper fix. The site1 ACLs permit only ESP and AH between the two peers and contain no entry for ISAKMP (UDP 500, plus UDP 4500 when NAT-T is in use); the SA did come up in this lab, but an explicit permit for the IKE ports is the safe choice in production. Finally, 3DES, MD5, DH group 2, the pre-shared key cisco, password 0 cisco and Telnet management are lab-only settings; real deployments should use AES, SHA-2, a larger DH group, a strong pre-shared key or certificates, and SSH.
Reposted from: https://blog.51cto.com/njmajs/1609623