VPN Remote Access — различия между версиями
Moiseevvi (обсуждение | вклад) |
Moiseevvi (обсуждение | вклад) (→PIX (Nat only)) |
(не показано 7 промежуточных версий этого же участника)
Строка 1: | Строка 1: | ||
− | + | = VPN удаленного доступа (remote access) = | |
− | + | == Топология == | |
<code> | <code> | ||
users------PIX-----------inet | users------PIX-----------inet | ||
Строка 9: | Строка 9: | ||
users 10.0.0.0/24 | users 10.0.0.0/24 | ||
dmz 10.11.12.13/24 | dmz 10.11.12.13/24 | ||
− | inet 212.192.80.150 | + | inet 212.192.80.150,151,152 |
vpn = users via outside | vpn = users via outside | ||
Строка 20: | Строка 20: | ||
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! | !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! | ||
+ | </code> | ||
+ | |||
+ | == Cisco PIX == | ||
+ | |||
+ | <code> | ||
+ | |||
pixfirewall# sh run | pixfirewall# sh run | ||
Строка 114: | Строка 120: | ||
</code> | </code> | ||
+ | == PIX (Nat only) == | ||
+ | <code> | ||
+ | interface Ethernet0 | ||
+ | nameif outside | ||
+ | security-level 0 | ||
+ | ip address 212.192.88.150 255.255.255.0 | ||
+ | no shut | ||
+ | ! | ||
+ | interface Ethernet1 | ||
+ | nameif inside | ||
+ | security-level 100 | ||
+ | ip address 10.0.0.1 255.255.255.0 | ||
+ | no shut | ||
+ | ! | ||
+ | interface Ethernet2 | ||
+ | nameif dmz | ||
+ | security-level 50 | ||
+ | ip address 10.11.12.1 255.255.255.0 | ||
+ | no shut | ||
+ | ! | ||
+ | same-security-traffic permit intra-interface | ||
+ | ! | ||
+ | object-group network LAN | ||
+ | network-object 10.0.0.0 255.255.255.0 | ||
+ | ! | ||
+ | access-list NO-NAT extended permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0 | ||
+ | access-list NO-NAT extended permit ip 10.0.0.0 255.255.255.0 host 10.11.12.13 | ||
+ | ! | ||
+ | access-list TO-DMZ extended permit tcp any host 212.192.88.150 eq 4321 | ||
+ | access-list LAN extended permit ip object-group LAN any | ||
+ | access-list NO-NAT-DMZ extended permit ip host 10.11.12.13 10.0.0.0 255.255.255.0 | ||
+ | |||
+ | global (outside) 123 interface | ||
+ | nat (outside) 123 access-list LAN | ||
+ | nat (inside) 123 access-list LAN | ||
+ | |||
+ | nat (inside) 0 access-list NO-NAT | ||
+ | nat (dmz) 0 access-list NO-NAT-DMZ | ||
+ | |||
+ | static (dmz,outside) tcp interface 4321 10.11.12.13 ssh netmask 255.255.255.255 | ||
+ | |||
+ | access-group TO-DMZ in interface outside | ||
+ | route outside 0.0.0.0 0.0.0.0 212.192.88.1 1 | ||
+ | |||
+ | policy-map global_policy | ||
+ | class inspection_default | ||
+ | inspect icmp | ||
+ | ! | ||
+ | service-policy global_policy global | ||
+ | </code> | ||
+ | |||
+ | == Cisco ASA == | ||
+ | |||
+ | <code> | ||
+ | ciscoasa# sh run | ||
+ | : Saved | ||
+ | : | ||
+ | ASA Version 9.1(5) | ||
+ | ! | ||
+ | ip local pool net10 10.0.0.200-10.0.0.210 mask 255.255.255.0 | ||
+ | ! | ||
+ | interface GigabitEthernet0/0 | ||
+ | nameif outside | ||
+ | security-level 0 | ||
+ | ip address 212.192.88.150 255.255.255.0 | ||
+ | no shut | ||
+ | ! | ||
+ | interface GigabitEthernet0/1 | ||
+ | nameif inside | ||
+ | security-level 100 | ||
+ | ip address 10.0.0.1 255.255.255.0 | ||
+ | no shut | ||
+ | ! | ||
+ | interface GigabitEthernet0/2 | ||
+ | nameif dmz | ||
+ | security-level 50 | ||
+ | ip address 10.11.12.1 255.255.255.0 | ||
+ | no shut | ||
+ | ! | ||
+ | same-security-traffic permit intra-interface | ||
+ | ! | ||
+ | object network DMZ | ||
+ | host 10.11.12.13 | ||
+ | ! | ||
+ | object network LAN1 | ||
+ | subnet 10.0.0.0 255.255.255.0 | ||
+ | ! | ||
+ | object-group network LAN | ||
+ | network-object 10.0.0.0 255.255.255.0 | ||
+ | ! | ||
+ | access-list TO-DMZ extended permit tcp any host 10.11.12.13 eq ssh | ||
+ | ! | ||
+ | nat (outside,outside) source dynamic LAN interface | ||
+ | nat (outside,inside) source static LAN LAN | ||
+ | ! | ||
+ | object network DMZ | ||
+ | nat (dmz,outside) static interface service tcp smtp 4321 | ||
+ | object network LAN1 | ||
+ | nat (inside,outside) dynamic pat-pool interface | ||
+ | ! | ||
+ | access-group TO-DMZ in interface outside | ||
+ | ! | ||
+ | route outside 0.0.0.0 0.0.0.0 212.192.88.1 1 | ||
+ | ! | ||
+ | crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac | ||
+ | crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport | ||
+ | ! | ||
+ | crypto dynamic-map CM 65535 set ikev1 transform-set TRANS_ESP_3DES_SHA | ||
+ | crypto map OUTSIDE 65535 ipsec-isakmp dynamic CM | ||
+ | crypto map OUTSIDE interface outside | ||
+ | ! | ||
+ | crypto isakmp identity address | ||
+ | crypto ikev1 enable outside | ||
+ | crypto ikev1 policy 10 | ||
+ | authentication pre-share | ||
+ | encryption 3des | ||
+ | hash sha | ||
+ | group 2 | ||
+ | lifetime 86400 | ||
+ | crypto ikev1 policy 65535 | ||
+ | authentication pre-share | ||
+ | encryption 3des | ||
+ | hash sha | ||
+ | group 2 | ||
+ | lifetime 86400 | ||
+ | ! | ||
+ | group-policy DefaultRAGroup internal | ||
+ | group-policy DefaultRAGroup attributes | ||
+ | dns-server value 212.192.64.2 | ||
+ | vpn-tunnel-protocol ikev1 l2tp-ipsec | ||
+ | ! | ||
+ | username cisco password cisco mschap | ||
+ | ! | ||
+ | tunnel-group DefaultRAGroup general-attributes | ||
+ | address-pool net10 | ||
+ | default-group-policy DefaultRAGroup | ||
+ | tunnel-group DefaultRAGroup ipsec-attributes | ||
+ | ikev1 pre-shared-key 11111 | ||
+ | tunnel-group DefaultRAGroup ppp-attributes | ||
+ | no authentication chap | ||
+ | authentication ms-chap-v2 | ||
+ | ! | ||
+ | policy-map global_policy | ||
+ | class inspection_default | ||
+ | inspect icmp | ||
+ | ! | ||
+ | : end | ||
+ | </code> | ||
[[категория:Лекции]] [[категория:Сети]] [[категория:Cisco]] [[категория:VPN]] | [[категория:Лекции]] [[категория:Сети]] [[категория:Cisco]] [[категория:VPN]] |
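Review bot: The new ASA static NAT line `nat (dmz,outside) static interface service tcp smtp 4321` translates outside tcp/4321 to tcp/25 on 10.11.12.13, while the ACL added just above it (`access-list TO-DMZ extended permit tcp any host 10.11.12.13 eq ssh`), the topology line `inet -> dmz = port-forward 4321->22 static nat` and the PIX version (`static (dmz,outside) tcp interface 4321 10.11.12.13 ssh netmask 255.255.255.255`) all forward to SSH, so connections to 4321 would be delivered to port 25 on the DMZ host instead of 22; `nat (dmz,outside) static interface service tcp ssh 4321` is presumably what was meant. The topology hunk changes inet to 212.192.80.150,151,152, but every added outside interface line still uses 212.192.88.150, so one of the two should be corrected. In the ASA crypto block `crypto ikev1 policy 65535` repeats policy 10 line for line and can be dropped. The lab values `username cisco password cisco mschap` and `ikev1 pre-shared-key 11111` would benefit from a one-line comment marking them as placeholders, and the page could note that 3DES/SHA-1/DH group 2 are legacy algorithm choices.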
Текущая версия на 10:05, 5 марта 2020
VPN удаленного доступа (remote access)
Топология
users------PIX-----------inet
| |
| |
DMZ RemoteAccess VPN
users 10.0.0.0/24
dmz 10.11.12.13/24
inet 212.192.80.150,151,152
vpn = users via outside
users -> inet = NAT
users -> dmz = allow
vpn -> users = allow
vpn -> dmz = allow
vpn -> inet = NAT
inet -> dmz = port-forward 4321->22 static nat
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Cisco PIX
pixfirewall# sh run
! Cisco PIX 7.2 example for the topology above: three interfaces (outside/inside/dmz),
! PAT for users and VPN clients, a tcp/4321 -> ssh port-forward into the DMZ, and an
! L2TP/IPsec remote-access VPN terminated on the outside interface.
PIX Version 7.2(1)
!
domain-name psu.ru
!
! NOTE(review): the outside address below is 212.192.88.150, while the topology
! section lists inet as 212.192.80.150,151,152 — one of the two is a typo; confirm.
interface Ethernet0
nameif outside
security-level 0
ip address 212.192.88.150 255.255.255.0
no shut
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
no shut
!
interface Ethernet2
nameif dmz
security-level 50
ip address 10.11.12.1 255.255.255.0
no shut
!
! Needed for the outside -> outside hairpin: VPN clients arrive on outside and are
! sent back out of outside to the internet (vpn -> inet in the topology).
same-security-traffic permit intra-interface
!
object-group network LAN
network-object 10.0.0.0 255.255.255.0
!
! NO-NAT: traffic from the users /24 to the users /24 (which also contains the VPN
! pool net10) and to the DMZ host is exempted from translation via nat 0 below.
access-list NO-NAT extended permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list NO-NAT extended permit ip 10.0.0.0 255.255.255.0 host 10.11.12.13
!
! TO-DMZ matches the translated address and port (outside interface, tcp/4321) that
! the static below maps to 10.11.12.13 ssh. LAN selects sources for PAT (nat 123).
access-list TO-DMZ extended permit tcp any host 212.192.88.150 eq 4321
access-list LAN extended permit ip object-group LAN any
access-list NO-NAT-DMZ extended permit ip host 10.11.12.13 10.0.0.0 255.255.255.0
! Addresses handed to remote-access clients (address-pool in the tunnel-group below).
ip local pool net10 10.0.0.200-10.0.0.210 mask 255.255.255.0
! PAT to the outside interface address for LAN sources arriving on inside
! (users -> inet) or on outside (VPN clients -> inet).
global (outside) 123 interface
nat (outside) 123 access-list LAN
nat (inside) 123 access-list LAN
! Identity NAT exemptions (nat 0) for users<->users/VPN and users<->DMZ host.
nat (inside) 0 access-list NO-NAT
nat (dmz) 0 access-list NO-NAT-DMZ
! Port-forward: outside-interface tcp/4321 -> 10.11.12.13 tcp/22.
static (dmz,outside) tcp interface 4321 10.11.12.13 ssh netmask 255.255.255.255
access-group TO-DMZ in interface outside
route outside 0.0.0.0 0.0.0.0 212.192.88.1 1
! Remote-access group policy: DNS pushed to clients, IPsec and L2TP/IPsec allowed.
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 212.192.64.2
vpn-tunnel-protocol IPSec l2tp-ipsec
! Local user for PPP (MS-CHAP v2) authentication; 'mschap' presumably stores the
! password in a form usable by MS-CHAP. NOTE(review): cisco/cisco and the PSK 11111
! below are lab values.
username cisco password cisco mschap
! IPsec transform set; transport mode matches L2TP/IPsec, where L2TP provides the
! tunnel and IPsec protects the L2TP packets.
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
! Dynamic crypto map for peers with unknown addresses, attached as the catch-all
! entry (65535) of crypto map OUTSIDE on the outside interface.
crypto dynamic-map CM 65535 set transform-set TRANS_ESP_3DES_SHA
crypto map OUTSIDE 65535 ipsec-isakmp dynamic CM
crypto map OUTSIDE interface outside
! IKEv1 phase 1: pre-shared key, 3DES, SHA-1, DH group 2, 24h lifetime.
! NOTE(review): 3DES/SHA-1/group 2 are legacy algorithm choices.
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
! NAT traversal for clients behind NAT (20 is presumably the keepalive interval in seconds).
crypto isakmp nat-traversal 20
! DefaultRAGroup is the tunnel group L2TP/IPsec clients land in: address pool net10,
! PSK for phase 1, PPP authentication restricted to MS-CHAP v2 (CHAP disabled).
tunnel-group DefaultRAGroup general-attributes
address-pool net10
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key 11111
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
! Adds ICMP to the default inspection class of the global service policy.
policy-map global_policy
class inspection_default
inspect icmp
!
service-policy global_policy global
PIX (Nat only)
! NAT-only variant of the PIX listing above: same interfaces, PAT and DMZ port-forward,
! with the remote-access VPN parts (pool, group-policy, crypto, tunnel-group) left out.
! NOTE(review): outside is 212.192.88.150 here, while the topology lists 212.192.80.150 — confirm.
interface Ethernet0
nameif outside
security-level 0
ip address 212.192.88.150 255.255.255.0
no shut
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
no shut
!
interface Ethernet2
nameif dmz
security-level 50
ip address 10.11.12.1 255.255.255.0
no shut
!
! Kept from the VPN variant; only needed when traffic enters and leaves the same
! interface (the nat (outside) 123 rule below).
same-security-traffic permit intra-interface
!
object-group network LAN
network-object 10.0.0.0 255.255.255.0
!
! NO-NAT: users /24 -> users /24 and -> DMZ host are exempted from translation (nat 0).
access-list NO-NAT extended permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list NO-NAT extended permit ip 10.0.0.0 255.255.255.0 host 10.11.12.13
!
! TO-DMZ matches the translated address/port (outside interface, tcp/4321) that the
! static below maps to 10.11.12.13 ssh; LAN selects sources for PAT (nat 123).
access-list TO-DMZ extended permit tcp any host 212.192.88.150 eq 4321
access-list LAN extended permit ip object-group LAN any
access-list NO-NAT-DMZ extended permit ip host 10.11.12.13 10.0.0.0 255.255.255.0
! PAT to the outside interface address for LAN sources on inside and on outside.
global (outside) 123 interface
nat (outside) 123 access-list LAN
nat (inside) 123 access-list LAN
! Identity NAT exemptions.
nat (inside) 0 access-list NO-NAT
nat (dmz) 0 access-list NO-NAT-DMZ
! Port-forward: outside-interface tcp/4321 -> 10.11.12.13 tcp/22.
static (dmz,outside) tcp interface 4321 10.11.12.13 ssh netmask 255.255.255.255
access-group TO-DMZ in interface outside
route outside 0.0.0.0 0.0.0.0 212.192.88.1 1
! Adds ICMP to the default inspection class of the global service policy.
policy-map global_policy
class inspection_default
inspect icmp
!
service-policy global_policy global
Cisco ASA
ciscoasa# sh run
! Cisco ASA 9.1(5) version of the same topology: the interfaces, DMZ port-forward and
! L2TP/IPsec remote access of the PIX listing, written with object NAT / twice NAT.
: Saved
:
ASA Version 9.1(5)
!
! Addresses handed to remote-access clients (address-pool in the tunnel-group below);
! the pool lies inside the users /24.
ip local pool net10 10.0.0.200-10.0.0.210 mask 255.255.255.0
!
! NOTE(review): outside is 212.192.88.150 here, while the topology lists
! 212.192.80.150,151,152 — confirm which is intended.
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 212.192.88.150 255.255.255.0
no shut
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
no shut
!
interface GigabitEthernet0/2
nameif dmz
security-level 50
ip address 10.11.12.1 255.255.255.0
no shut
!
! Permits the outside -> outside hairpin used by VPN clients going to the internet
! (vpn -> inet in the topology; nat (outside,outside) below).
same-security-traffic permit intra-interface
!
object network DMZ
host 10.11.12.13
!
object network LAN1
subnet 10.0.0.0 255.255.255.0
!
object-group network LAN
network-object 10.0.0.0 255.255.255.0
!
! Unlike the PIX listings, which matched the mapped 212.192.88.150 tcp/4321, this ACL
! names the real DMZ address and port (ssh).
access-list TO-DMZ extended permit tcp any host 10.11.12.13 eq ssh
!
! Twice NAT for VPN clients (LAN sources arriving on outside): PAT to the outside
! address when going back out, identity (LAN -> LAN) towards the inside users.
nat (outside,outside) source dynamic LAN interface
nat (outside,inside) source static LAN LAN
!
! Object NAT rules are listed by 'sh run' as a second block under the same object.
! NOTE(review): this maps outside tcp/4321 to tcp/25 (smtp) on 10.11.12.13, but
! TO-DMZ permits ssh, the topology says 4321->22 and the PIX listing forwards to ssh —
! 'smtp' looks like it should be 'ssh'.
object network DMZ
nat (dmz,outside) static interface service tcp smtp 4321
! Inside users -> internet: PAT to the outside interface address.
object network LAN1
nat (inside,outside) dynamic pat-pool interface
!
access-group TO-DMZ in interface outside
!
route outside 0.0.0.0 0.0.0.0 212.192.88.1 1
!
! IPsec transform set; transport mode matches L2TP/IPsec, where L2TP provides the
! tunnel and IPsec protects the L2TP packets.
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
!
! Dynamic crypto map for peers with unknown addresses, attached as the catch-all
! entry (65535) of crypto map OUTSIDE on the outside interface.
crypto dynamic-map CM 65535 set ikev1 transform-set TRANS_ESP_3DES_SHA
crypto map OUTSIDE 65535 ipsec-isakmp dynamic CM
crypto map OUTSIDE interface outside
!
! IKEv1 phase 1: pre-shared key, 3DES, SHA-1, DH group 2, 24h lifetime.
! NOTE(review): 3DES/SHA-1/group 2 are legacy algorithm choices; policy 65535 is
! identical to policy 10 and therefore redundant.
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
! Remote-access group policy: DNS pushed to clients, IKEv1 and L2TP/IPsec allowed.
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 212.192.64.2
vpn-tunnel-protocol ikev1 l2tp-ipsec
!
! Local user for PPP (MS-CHAP v2) authentication; 'mschap' presumably stores the
! password in a form usable by MS-CHAP. NOTE(review): cisco/cisco and the PSK 11111
! below are lab values.
username cisco password cisco mschap
!
! DefaultRAGroup is the tunnel group L2TP/IPsec clients land in: address pool net10,
! IKEv1 PSK for phase 1, PPP authentication restricted to MS-CHAP v2 (CHAP disabled).
tunnel-group DefaultRAGroup general-attributes
address-pool net10
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key 11111
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
!
! Adds ICMP to the default inspection class of global_policy.
! NOTE(review): unlike the PIX listings, no 'service-policy global_policy global' line
! appears before ': end', so the policy may not be applied — confirm on the device.
policy-map global_policy
class inspection_default
inspect icmp
!
: end