1) Overview
Split Tunneling is used to separate traffic. Which traffic? In this lab it separates the traffic bound for the Internet from the traffic that must be encrypted and carried over the VPN. We first run the lab without split tunneling and see that, once the client has successfully established the VPN connection, it can reach neither the server's internal network nor the Internet. How do we fix that so the client can reach the server's internal network and the Internet at the same time? Read on.
2) Lab environment
I used Dynamips to emulate two 3640 routers and one 7200 router, with IOS images c7200-advsecurityk9-mz.124-11.T and c3640-ik9o3s-mz.124-10 respectively. The Ethernet interface of the 7200 (ISP) and that of one 3640 (EZVPN-Client) are bridged to physical NICs and connected to real hosts. The topology and IP addressing are as follows:

The .net file:
autostart = false
[localhost]
port = 7200
udp = 10000
workingdir = ../tmp/
[[router R1]]
image = ../ios/unzip-c3640-ik9o3s-mz.124-10.bin
model = 3640
console = 3001
ram = 128
confreg = 0x2142
exec_area = 64
mmap = False
slot1 = NM-4T
slot0 = NM-1FE-TX
s1/2 = R3 S1/0
f0/0 = NIO_udp:30000:127.0.0.1:20000
[[router R2]]
image = ../ios/unzip-c3640-ik9o3s-mz.124-10.bin
model = 3640
console = 3002
ram = 128
confreg = 0x2142
exec_area = 64
mmap = False
slot1 = NM-4T
slot0 = NM-1FE-TX
s1/2 = R3 S1/1
f0/0 = NIO_gen_eth:/Device/NPF_{A6FCF818-D943-4CC2-B462-085AF2946D71}
[[router R3]]
image = ../ios/unzip-c7200-advsecurityk9-mz.124-11.T.bin
model = 7200
console = 3003
npe = npe-400
ram = 128
confreg = 0x2142
exec_area = 64
mmap = false
slot0 = PA-C7200-IO-FE
slot1 = PA-4T
f0/0 = SW1 1
[[ethsw SW1]]
1 = dot1q 1
2 = access 1 NIO_gen_eth:/Device/NPF_{3A6BB436-2962-4893-8335-211D3AE3471C}
3) Goal of the lab
Use split tunneling so that the VPC on the client's inside network can reach both the server's internal network and the web server on the Internet.
4) Basic configuration and tests
In this step we configure basic connectivity on the routers and the commands needed for both the server side and the client side to reach the Internet web server, then verify with ping.
Basic configuration of EZVPN-Server
interface serial 1/2
ip address 220.1.3.2 255.255.255.0
no shutdown
exit
interface fastethernet 0/0
ip address 10.1.1.1 255.255.255.0
no keepalive
no shutdown
exit
access-list 1 permit 10.1.1.0 0.0.0.255
ip nat inside source list 1 interface serial 1/2 overload
interface fastethernet 0/0
ip nat inside
exit
interface serial 1/2
ip nat outside
exit
ip route 0.0.0.0 0.0.0.0 serial 1/2
Basic configuration of EZVPN-Client
interface serial 1/2
ip address 220.1.1.2 255.255.255.0
no shutdown
exit
interface fastethernet 0/0
ip address 192.168.10.1 255.255.255.0
no shutdown
exit
access-list 1 permit 192.168.10.0 0.0.0.255
ip nat inside source list 1 interface serial 1/2 overload
interface fastethernet 0/0
ip nat inside
exit
interface serial 1/2
ip nat outside
exit
ip route 0.0.0.0 0.0.0.0 serial 1/2
Basic configuration of the ISP
interface serial 1/0
ip address 220.1.3.1 255.255.255.0
no shutdown
exit
interface serial 1/1
ip address 220.1.1.1 255.255.255.0
no shutdown
exit
interface fastethernet 0/0
ip address 220.1.2.1 255.255.255.0
no shutdown
exit
Test from the PC behind EZVPN-Client:
C:/Documents and Settings/cx>ping 220.1.2.2
Pinging 220.1.2.2 with 32 bytes of data:
Reply from 220.1.2.2: bytes=32 time=248ms TTL=126
Reply from 220.1.2.2: bytes=32 time=44ms TTL=126
Reply from 220.1.2.2: bytes=32 time=80ms TTL=126
Reply from 220.1.2.2: bytes=32 time=562ms TTL=126
Ping statistics for 220.1.2.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 44ms, Maximum = 562ms, Average = 233ms

The result shows that inside users on the client side can reach the Internet web server through NAT.
Test from the VPC behind EZVPN-Server:
VPCS 1 >ping 220.1.2.2
220.1.2.2 icmp_seq=1 time=166.000 ms
220.1.2.2 icmp_seq=2 time=208.000 ms
220.1.2.2 icmp_seq=3 time=47.000 ms
220.1.2.2 icmp_seq=4 time=165.000 ms
220.1.2.2 icmp_seq=5 time=147.000 ms
The result shows that inside users on the server side can reach the Internet web server through NAT.
5) Easy VPN with Split Tunneling configuration
EZVPN-Server configuration (split tunneling not yet enabled)
ip local pool Remote-Pool 172.16.1.200 172.16.1.250
username cisco password cisco
aaa new-model
aaa authentication login lab-remote-access local
crypto isakmp xauth timeout 30
aaa authorization network vpn-group local
crypto isakmp enable
crypto isakmp policy 10
authentication pre-share
encryption 3des
group 2
exit
crypto isakmp client configuration group test
key VPNKEY
domain cisco.com
pool Remote-Pool
exit
crypto ipsec transform-set VPNTRANSFORM esp-3des esp-sha-hmac
exit
crypto dynamic-map Dynamic-Map 10
set transform-set VPNTRANSFORM
reverse-route
exit
crypto map ClientMap client authentication list lab-remote-access
crypto map ClientMap client configuration address respond
crypto map ClientMap isakmp authorization list vpn-group
crypto map ClientMap 65535 ipsec-isakmp dynamic Dynamic-Map
interface serial 1/2
crypto map ClientMap
exit
crypto isakmp keepalive 20 10
EZVPN-Client configuration
crypto ipsec client ezvpn test-Client
group test key VPNKEY
peer 220.1.3.2
mode client
connect auto
username cisco password cisco
xauth userid mode local
exit
interface serial 1/2
crypto ipsec client ezvpn test-Client
exit
interface fastethernet 0/0
crypto ipsec client ezvpn test-Client inside
exit
Test on EZVPN-Client
EZVPN-Client#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 4
Tunnel name : test-Client
Inside interface list: FastEthernet0/0
Outside interface: Serial1/2
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 172.16.1.200
Mask: 255.255.255.255
Default Domain: cisco.com
Save Password: Disallowed
Current EzVPN Peer: 220.1.3.2
The VPN is up; now test from the PC.
C:/Documents and Settings/cx>ping 10.1.1.2
Pinging 10.1.1.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.1.1.2:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
C:/Documents and Settings/cx>ping 220.1.2.2
Pinging 220.1.2.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 220.1.2.2:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
Now the PC behind the client can reach neither the server's internal network nor the Internet. Why? Let's first look at why the Internet is unreachable.
First trace the packets from the PC behind the client with tracert:
C:/Documents and Settings/cx>tracert 220.1.2.2
Tracing route to 220.1.2.2 over a maximum of 30 hops
1 13 ms 51 ms 64 ms 192.168.10.1
2 242 ms 160 ms 107 ms 220.1.3.2
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
The next hop toward the Internet is 220.1.3.2, which is the server's public IP address, so the traffic is not going through the normal NAT. The cause is that split tunneling is not enabled: the client router puts every packet into the tunnel. To fix this, add the following commands on the server router to enable split tunneling.
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
crypto isakmp client configuration group test
acl 100
Then re-establish the VPN connection on the client and test.
clear crypto session (clears the existing VPN connection)
Mar 30 14:52:19.935: EZVPN(test-Client): Pending XAuth Request, Please enter the following command:
Mar 30 14:52:19.939: EZVPN: crypto ipsec client ezvpn xauth
Because XAUTH is enabled, the username and password must be entered again after the connection is reset.
Use show crypto ipsec client ezvpn to check whether the tunnel came up and whether split tunneling is in effect.
EZVPN-Client#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 4
Tunnel name : test-Client
Inside interface list: FastEthernet0/0
Outside interface: Serial1/2
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 172.16.1.201
Mask: 255.255.255.255
Default Domain: cisco.com
Save Password: Disallowed
Split Tunnel List: 1
Address : 10.1.1.0
Mask : 255.255.255.0
Protocol : 0x0
Source Port: 0
Dest Port : 0
Current EzVPN Peer: 220.1.3.2
The tunnel is up with split tunneling enabled; now test again from the client PC.
C:/Documents and Settings/cx>ping 220.1.2.2
Pinging 220.1.2.2 with 32 bytes of data:
Reply from 220.1.2.2: bytes=32 time=361ms TTL=126
Reply from 220.1.2.2: bytes=32 time=102ms TTL=126
Reply from 220.1.2.2: bytes=32 time=43ms TTL=126
Reply from 220.1.2.2: bytes=32 time=305ms TTL=126
Ping statistics for 220.1.2.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 43ms, Maximum = 361ms, Average = 202ms
C:/Documents and Settings/cx>ping 10.1.1.2
Pinging 10.1.1.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.1.1.2:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
The tests show that the Internet problem is solved, but why is the server's internal network still unreachable? Run show ip nat translation on the client:
EZVPN-Client#show ip nat translation
Pro Inside global Inside local Outside local Outside global
icmp 172.16.1.201:512 192.168.10.2:512 10.1.1.2:512 10.1.1.2:512
The show output reveals that when packets are sent to 10.1.1.0/24, the client router performs PAT. This matches what was said earlier about client mode: EZVPN-Client automatically creates a loopback interface, and when a user needs to reach hosts behind EZVPN-Server, EZVPN-Client PATs the traffic to the loopback address. So the path toward the 10 network is fine. Is the problem on the server side, then? Is the server unable to send the packets back, so that the client PC cannot reach the server's internal network?
First check whether the server's routing is correct:
EZVPN-Server#show ip route
Codes: C – connected, S – static, R – RIP, M – mobile, B – BGP
D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
ia – IS-IS inter area, * – candidate default, U – per-user static route
o – ODR, P – periodic downloaded static route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
C 220.1.3.0/24 is directly connected, Serial1/2
172.16.0.0/32 is subnetted, 1 subnets
S 172.16.1.201 [1/0] via 220.1.1.2
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 is directly connected, Serial1/2
The route to 172.16.1.0/24 exists, so routing is fine. Where is the problem? Recall the server configuration: to let the server's internal hosts reach the Internet, we configured NAT on the server router with these commands:
access-list 1 permit 10.1.1.0 0.0.0.255
ip nat inside source list 1 interface serial 1/2 overload
Access list 1 says that every host with a source address in 10.1.1.0/24 is translated. So when an internal host on the server side replies to a host in 172.16.1.0/24, the reply packet enters the server router, matches the translation condition, and is therefore never returned to the 172.16.1.0/24 host. My fix is to change access list 1: delete it, then define extended access list 111, which exempts packets from 10.1.1.0/24 to 172.16.1.0/24 from NAT and translates everything else. The commands:
no access-list 1
no ip nat inside source list 1 interface serial 1/2 overload
access-list 111 deny ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 111 permit ip any any
ip nat inside source list 111 interface serial 1/2 overload
After changing the configuration and resetting the VPN connection, test from the client PC again.
C:/Documents and Settings/cx>ping 10.1.1.2
Pinging 10.1.1.2 with 32 bytes of data:
Reply from 10.1.1.2: bytes=32 time=242ms TTL=124
Reply from 10.1.1.2: bytes=32 time=319ms TTL=124
Reply from 10.1.1.2: bytes=32 time=344ms TTL=124
Reply from 10.1.1.2: bytes=32 time=270ms TTL=124
Ping statistics for 10.1.1.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 242ms, Maximum = 344ms, Average = 293ms
C:/Documents and Settings/cx>ping 220.1.2.2
Pinging 220.1.2.2 with 32 bytes of data:
Reply from 220.1.2.2: bytes=32 time=340ms TTL=126
Reply from 220.1.2.2: bytes=32 time=161ms TTL=126
Reply from 220.1.2.2: bytes=32 time=159ms TTL=126
Reply from 220.1.2.2: bytes=32 time=268ms TTL=126
Ping statistics for 220.1.2.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 159ms, Maximum = 340ms, Average = 232ms
Now both the server's internal network and the Internet are reachable. Lab complete!
6) Lab extension
On the same platform, let's look at split tunneling with Easy VPN Remote in network-extension mode.
EZVPN-Server configuration (again without split tunneling at first)
interface serial 1/2
ip address 220.1.3.2 255.255.255.0
no shutdown
exit
interface fastethernet 0/0
ip address 10.1.1.1 255.255.255.0
no keepalive
no shutdown
exit
access-list 1 permit 10.1.1.0 0.0.0.255
ip nat inside source list 1 interface serial 1/2 overload
interface fastethernet 0/0
ip nat inside
exit
interface serial 1/2
ip nat outside
exit
ip route 0.0.0.0 0.0.0.0 serial 1/2
ip local pool Remote-Pool 172.16.1.200 172.16.1.250
username cisco password cisco
aaa new-model
aaa authentication login lab-remote-access local
crypto isakmp xauth timeout 30
aaa authorization network vpn-group local
crypto isakmp enable
crypto isakmp policy 10
authentication pre-share
encryption 3des
group 2
exit
crypto isakmp client configuration group test
key VPNKEY
domain cisco.com
pool Remote-Pool
exit
crypto ipsec transform-set VPNTRANSFORM esp-3des esp-sha-hmac
exit
crypto dynamic-map Dynamic-Map 10
set transform-set VPNTRANSFORM
reverse-route
exit
crypto map ClientMap client authentication list lab-remote-access
crypto map ClientMap client configuration address respond
crypto map ClientMap isakmp authorization list vpn-group
crypto map ClientMap 65535 ipsec-isakmp dynamic Dynamic-Map
interface serial 1/2
crypto map ClientMap
exit
crypto isakmp keepalive 20 10
EZVPN-Client configuration
interface serial 1/2
ip address 220.1.1.2 255.255.255.0
no shutdown
exit
interface fastethernet 0/0
ip address 192.168.10.1 255.255.255.0
no shutdown
exit
access-list 1 permit 192.168.10.0 0.0.0.255
ip nat inside source list 1 interface serial 1/2 overload
interface fastethernet 0/0
ip nat inside
exit
interface serial 1/2
ip nat outside
exit
ip route 0.0.0.0 0.0.0.0 serial 1/2
crypto ipsec client ezvpn test-Client
group test key VPNKEY
peer 220.1.3.2
mode network-extension
connect auto
username cisco password cisco
xauth userid mode local
exit
interface serial 1/2
crypto ipsec client ezvpn test-Client
exit
interface fastethernet 0/0
crypto ipsec client ezvpn test-Client inside
exit
ISP configuration
interface serial 1/0
ip address 220.1.3.1 255.255.255.0
no shutdown
exit
interface serial 1/1
ip address 220.1.1.1 255.255.255.0
no shutdown
exit
interface fastethernet 0/0
ip address 220.1.2.1 255.255.255.0
no shutdown
exit
Now check the VPN state on the client router.
EZVPN-Client#show crypt ipsec client ezvpn
Easy VPN Remote Phase: 4
Tunnel name : test-Client
Inside interface list: FastEthernet0/0
Outside interface: Serial1/2
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Default Domain: cisco.com
Save Password: Disallowed
Current EzVPN Peer: 220.1.3.2
Look at the routing table on the server.
EZVPN-Server#show ip route
Codes: C – connected, S – static, R – RIP, M – mobile, B – BGP
D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
ia – IS-IS inter area, * – candidate default, U – per-user static route
o – ODR, P – periodic downloaded static route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
C 220.1.3.0/24 is directly connected, Serial1/2
S 192.168.10.0/24 [1/0] via 220.1.1.2
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 is directly connected, Serial1/2
In network-extension mode no PAT is needed; once the VPN is up it behaves like one internal LAN, so the show crypto ipsec client ezvpn output shows no address obtained from the server's pool, because none is needed now. How then does the server reach the client's network? Because reverse-route is configured on the server, it automatically installs a static route to the remote's inside network. Next, test connectivity from the client PC.
C:/Documents and Settings/cx>ping 220.1.2.2
Pinging 220.1.2.2 with 32 bytes of data:
Reply from 220.1.2.2: bytes=32 time=149ms TTL=126
Reply from 220.1.2.2: bytes=32 time=124ms TTL=126
Reply from 220.1.2.2: bytes=32 time=127ms TTL=126
Reply from 220.1.2.2: bytes=32 time=149ms TTL=126
Ping statistics for 220.1.2.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 124ms, Maximum = 149ms, Average = 137ms
C:/Documents and Settings/cx>ping 10.1.1.2
Pinging 10.1.1.2 with 32 bytes of data:
Reply from 220.1.1.1: Destination host unreachable.
Reply from 220.1.1.1: Destination host unreachable.
Reply from 220.1.1.1: Destination host unreachable.
Reply from 220.1.1.1: Destination host unreachable.
Ping statistics for 10.1.1.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
The client PC can reach the Internet but cannot reach the server's internal network over the VPN. Why? Trace the packets from the PC.
C:/Documents and Settings/cx>tracert 220.1.2.2
Tracing route to 220.1.2.2 over a maximum of 30 hops
1 88 ms 47 ms 46 ms 192.168.10.1
2 80 ms 100 ms 184 ms 220.1.1.1
3 72 ms 81 ms 236 ms 220.1.2.2
Trace complete.
C:/Documents and Settings/cx>tracert 10.1.1.2
Tracing route to 10.1.1.2 over a maximum of 30 hops
1 16 ms 27 ms 46 ms 192.168.10.1
2 132 ms 50 ms 70 ms 220.1.1.1
3 220.1.1.1 reports: Destination host unreachable.
Trace complete.
The trace shows that the next hop for both destinations is 220.1.1.1, i.e. the packets did not go through the VPN tunnel but straight through PAT, as show ip nat translation on the client confirms.
EZVPN-Client#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 220.1.1.2:512 192.168.10.2:512 10.1.1.2:512 10.1.1.2:512
icmp 220.1.1.2:512 192.168.10.2:512 220.1.2.2:512 220.1.2.2:512
So reaching the Internet web server is expected, but the packets for 10.1.1.2 are sent to the ISP router, which has no route to 10.1.1.0/24 and therefore returns destination unreachable. How do we fix this? The obvious idea is split tunneling, so let's try it. First add the split tunneling commands on the server:
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
crypto isakmp client configuration group test
acl 100
Then re-establish the VPN connection on the client and test.
clear crypto session (clears the existing VPN connection)
Mar 30 14:52:19.935: EZVPN(test-Client): Pending XAuth Request, Please enter the following command:
Mar 30 14:52:19.939: EZVPN: crypto ipsec client ezvpn xauth
Because XAUTH is enabled, the username and password must be entered again after the connection is reset.
Use show crypto ipsec client ezvpn to check whether the tunnel came up and whether split tunneling is in effect.
EZVPN-Client#show crypt ipsec client ezvpn
Easy VPN Remote Phase: 4
Tunnel name : test-Client
Inside interface list: FastEthernet0/0
Outside interface: Serial1/2
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Default Domain: cisco.com
Save Password: Disallowed
Split Tunnel List: 1
Address : 10.1.1.0
Mask : 255.255.255.0
Protocol : 0x0
Source Port: 0
Dest Port : 0
Current EzVPN Peer: 220.1.3.2
Split tunneling is in effect; now test from the PC.
C:/Documents and Settings/cx>ping 10.1.1.2
Pinging 10.1.1.2 with 32 bytes of data:
Reply from 220.1.1.1: Destination host unreachable.
Reply from 220.1.1.1: Destination host unreachable.
Reply from 220.1.1.1: Destination host unreachable.
Reply from 220.1.1.1: Destination host unreachable.
Ping statistics for 10.1.1.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
The result is still destination unreachable. Why? My understanding is this. NAT is enabled on both the server and the client. When Easy VPN Client works in Easy VPN Remote client mode, EZVPN-Client automatically creates a loopback interface, and when a user needs to reach hosts behind EZVPN-Server, EZVPN-Client PATs the traffic to the loopback address. This automatically created PAT takes priority over our manually configured NAT; the manual NAT is consulted only when the automatic PAT does not match. That is why, in client mode, the PC behind EZVPN-Client cannot ping the Internet by default: every packet is sent into the tunnel and none reaches the Internet, and enabling split tunneling solves that. When Easy VPN Client works in Easy VPN Remote network-extension mode, EZVPN-Client does not need to create a PAT; once the VPN is up it is like one internal LAN. Now the only NAT on EZVPN-Client is the one we configured manually, so when a packet enters the router it is translated out by NAT before it can be sent into the tunnel. That is why, in this mode, the Internet web server is reachable but the PC on the far inside network is not, and enabling split tunneling on the server does not help, because the packet has already been NATted out. The only fix is to change the NAT configuration on EZVPN-Client, telling NAT which packets to translate and which not to, and to remove the split tunneling commands from EZVPN-Server. The changes:
On EZVPN-Server
no access-list 100 permit ip 10.1.1.0 0.0.0.255 any
crypto isakmp client configuration group test
no acl 100
On EZVPN-Client
no access-list 1 permit 192.168.10.0 0.0.0.255
access-list 111 deny ip 192.168.10.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 111 permit ip any any
ip nat inside source list 111 interface serial 1/2 overload
Test from the client PC.
C:/Documents and Settings/cx>ping 10.1.1.2
Pinging 10.1.1.2 with 32 bytes of data:
Reply from 10.1.1.2: bytes=32 time=242ms TTL=124
Reply from 10.1.1.2: bytes=32 time=319ms TTL=124
Reply from 10.1.1.2: bytes=32 time=344ms TTL=124
Reply from 10.1.1.2: bytes=32 time=270ms TTL=124
Ping statistics for 10.1.1.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 242ms, Maximum = 344ms, Average = 293ms
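The two NAT-ordering problems of this lab (the server's access list 1 translating the replies bound for the 172.16.1.0/24 pool in section 5, and the client's manual NAT winning over the tunnel in network-extension mode above) can be checked offline with the following model. It is an added example, not code from the original post: it parses the IOS standard and extended access-lists used here (wildcard masks, "any", "host"), derives the split tunnel list from the server's ACL 100, and reports which path an inside host's packet takes. The per-mode evaluation order follows the text's explanation rather than IOS internals, and all function names are mine.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> IPv4Network:
    """Cisco address/wildcard pair (10.1.1.0 0.0.0.255) -> IPv4Network."""
    host_bits = int(IPv4Address(wildcard))
    prefix = 32 - host_bits.bit_length()
    if host_bits != (1 << (32 - prefix)) - 1:
        raise ValueError(f"non-contiguous wildcard not supported: {wildcard}")
    return IPv4Network((addr, prefix), strict=False)


def _is_ipv4(token: str) -> bool:
    try:
        IPv4Address(token)
        return True
    except ValueError:
        return False


def _take_addr(tokens, i):
    """Consume one address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return IPv4Network(tokens[i + 1] + "/32"), i + 2
    if i + 1 < len(tokens) and _is_ipv4(tokens[i + 1]):
        return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2
    return IPv4Network(tokens[i] + "/32"), i + 1  # standard ACL, no wildcard


@dataclass
class AclEntry:
    action: str  # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network


class Acl:
    """Numbered IOS access-list: standard (1-99) or extended (100-199)."""

    def __init__(self, lines):
        self.entries = [self._parse(line) for line in lines]

    @staticmethod
    def _parse(line: str) -> AclEntry:
        tokens = line.split()
        if tokens[0] != "access-list":
            raise ValueError(f"not an access-list line: {line}")
        number, action = int(tokens[1]), tokens[2]
        if 1 <= number <= 99:  # standard list: source only
            src, _ = _take_addr(tokens, 3)
            dst = IPv4Network("0.0.0.0/0")
        else:  # extended list: protocol, source, destination
            src, i = _take_addr(tokens, 4)
            dst, _ = _take_addr(tokens, i)
        return AclEntry(action, src, dst)

    def permits(self, src: str, dst: str) -> bool:
        """First matching entry wins; implicit deny at the end."""
        s, d = IPv4Address(src), IPv4Address(dst)
        for e in self.entries:
            if s in e.src and d in e.dst:
                return e.action == "permit"
        return False


def split_tunnel_list(acl: Acl):
    """Networks the server pushes as the split tunnel list: the source
    networks of the permit entries in the ACL named by 'acl 100'."""
    return [e.src for e in acl.entries if e.action == "permit"]


def forwarding_path(mode, nat_acl, split_list, src, dst):
    """Path the EZVPN client router gives a packet from an inside host:
    "tunnel", "nat" (manual PAT to the outside interface) or "route".
    split_list=None means no split tunnel list was pushed, so every
    destination is interesting for the tunnel (assumption from the text)."""
    d = IPv4Address(dst)
    interesting = split_list is None or any(d in n for n in split_list)
    if mode == "client":
        # Client mode: the automatic PAT to the pool address is matched
        # before the manual NAT, so interesting traffic enters the tunnel.
        if interesting:
            return "tunnel"
        return "nat" if nat_acl.permits(src, dst) else "route"
    if mode == "network-extension":
        # Network-extension mode: only the manual NAT exists and it runs
        # first, so a permitted packet is translated out to the ISP even
        # when the destination is in the split tunnel list.
        if nat_acl.permits(src, dst):
            return "nat"
        return "tunnel" if interesting else "route"
    raise ValueError(f"unknown mode: {mode}")
```

With the client's original access list 1, forwarding_path("network-extension", ...) for 192.168.10.2 to 10.1.1.2 returns "nat", which is the translation seen in the show ip nat translations output above; with access list 111 it returns "tunnel".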
I tested it on my VMware 6. There is a problem. When I telnet from my SecureCRT, the simulator doesn't respond correctly to my TAB key, arrow keys and some other keys. So what could the problem be?
Use telnet to the ASA directly, not to the pipe gateway. The Tab key is unusable because of the pipe problem.
http://chengongjun.spaces.live.com/blog/cns!E6C64B63F46EE49A!165.entry
Test results of the ASA VMware version. TCP throughput only. NAT, web VPN. IPsec test results will be added later.
Did you manage to make it work on a real pc?
Would you please share the creation process of the DSL version of ASA?
Thanks. I just tried to make it work in my VMware system and then connect to virtual routers and switches. I just downloaded your VMware ASA AIO virtual image and then opened the existing system in VMware. I didn't make a new system.
Does ASDM 6.02 work here? Because I tried and it seems ASDM does not work now. It always says "Your current ASA image version 8.0(2) doesn't support ASDM 6.0(2)". But I tried to put in different versions of ASDM, and none of them work.
I will get to ASDM later on; it will probably need hacking the ASA code and patching it so it will read a false chassis id, which should be one of the publicized keys instead of the "default" 1234567890.
I didn't try to use the image to connect to virtual routers and switches. It should work, but I didn't try.
The next thing is to make it work on the real PC that I have already prepared. The real PC is a Compaq Deskpro EN (900 MHz Intel with an integrated Intel i82557 and one more PCI card in the riser's slot). I am wondering how fast it will go, as Cisco published that the 5505 series can do 100 Mbps with a 500 MHz CPU. I guess VMware's overhead slows things down quite a bit here.
Nice graph, wg4ne. I only tested NAT throughput but you did it all. In qemu I got MUCH worse throughput, with a max of about 1 Mbit/sec (with the KQEMU accelerator).
To make it installable on a real system I will prepare an install ISO which will do it all automatically. You will need a 500 MB HD minimum (real small, you may say).
And for the first post: yes, there is a problem with the gateway not passing the commands correctly, but you don't really need serial access to the ASA. Simply put an IP in the 192.168.1.0/24 range temporarily, access the ASA via telnet or SSH, and configure whatever IP you want.
I have finished the IPsec VPN single-session throughput test
http://chengongjun.spaces.live.com/blog/cns/
wg4ne, if you wish to help me with the ASA I would make you a mod of the site and you can post the bandwidth tests (and other tests)
ok
wg4ne, you must make an account first
Very nice thing! I only have a problem with ASDM. I have tested 6.0(3) and 6.1(2) and all of them said: "Your ASA image has a version number 8.0(2) which is not supported by ASDM 6.0(3)" (or 6.1(2) respectively). Is there a known problem or do I use the wrong versions...?
When I configure SSH and telnet access the first time, it works. After I turn off the ASA it doesn't work anymore. I saved the config. Does anyone have the same problem? Thanks in advance
Amazing work. I'm ready to donate money for this project, just give a PayPal account. If you could fix ASDM it would be really nice.
@markus, I still haven't come to the ASDM part; I was trying to add all Linux drivers, unsuccessfully (which is one of the requirements for install CD 2.0). So far I managed to make a clean ASA on the same partition where the data is (so no need for an extra boot partition, and requirements have been reduced to 256 MB HD).
@tess, be sure NOT to save with "wr mem" but with "copy running-config disk0:/.private/startup-config". I hope I got the path right; I wrote this from memory.
@Pb, maybe one day
Hey all. I downloaded this and am running it in VMware, no worries.
I am trying to telnet in and am prompted for a password!
Anyone know what the password is to telnet in for the first time? It's killing me!
Try “ciscoasa”.
Hey all,
I've downloaded (I think) all the packages that are published here. But I don't get any of them to run in my VMware Server 2.
Does any one of you have the same issue and perhaps a solution?
Thanks,
Aleks
aleks, can you post a little more details?
“Don’t work” doesn’t mean much.
Sure, as I read your comment I realized it myself.
But this doesn't matter now, because it works.
I just didn't read one special comment.
The content was that it is normal that after "Loading kernel ..." (or something like that) nothing happens in the VM console.
So, everything is okay with the image.
But there is one other thing that some other users already mentioned.
The ASDM tool. This would be a very useful tool. Of course, it is possible to do the config via console, but it would be much easier if it were possible to use it.
Thanks,
Aleks
ASDM is possible but hard to provide as I need to crack Cisco's code.
I'm still stuck at the drivers...
Excellent work! I just installed it on my Linux box with VMware Server. Had a challenge figuring out how to connect to the Unix named pipe in Linux. Found this link and thought it might be helpful for others:
http://communities.vmware.com/thread/28508
Keep up the good work!
So far it just hangs at "Uncompressing Linux... OK, booting the kernel."
Admittedly, I'm trying this in VMware Player. Has anybody gotten this to work in VMware Fusion 2.0?
Never mind, it works well so far (I can telnet into it) in VMware Fusion on OS X. Of course, Fusion doesn't support named pipes, but I can output the serial port to a text file. Thanks for pre-configuring telnet, otherwise I'd never get in!!
DaveM, thanks for the info.
Mike, I'm glad you made it work... I thought that someone could have problems with the pipe, so I preconfigured telnet to ease access.
Many people get confused by that message "Uncompressing linux..." and expect a console, but there is no console on the video card, because a real ASA also needs the serial port to be configured, and you can't really see that startup output on a real ASA because there's no video card, just a serial port.
The performance is surprisingly good in VMware. Running on a 2.3 GHz MacBook Pro, I managed to get an SFTP transfer up to 52 Mbit/sec with only PAT running. The packet/sec rate maxed out at 4 Kpps... not bad. My VMware CPU usage topped out around 80%.
Running a plain-text FTP transfer, I was able to get just around 70 Mbps with a pps peak of 7 Kpps.
I’m going to test VPN connectivity next.
In case you’re interested, my logical topology is as follows:
Macbook Pro —->Inside[ASA]Outside—-> Mac Pro
Out of curiosity, is there a reason why the ASA only reports 128 MB RAM, even though it's assigned 256 MB?
You can see the benchmark from the other guy on the native platform.
A 500 MHz machine can do nearly 100 Mbit with just NAT, and I guess it performs even better in transparent mode.
As far as I saw from my tests, qemu/pemu is very bad at producing high throughput; I have never been able to get more than 1 Mbit/sec even on a very fast machine.
Firstly, thanks for your good job.
Now I have found a problem. I have installed it in VMware 6, but it seems that it doesn't accept multicast packets such as OSPF hello packets. Could you help me?
Thanks,
lewis.hui
The problem is with VMware, not the ASA image. I finally loaded the image on an 866 MHz PIII box with a bunch of e1000 NICs for testing. After modifying the initramfs images to load e1000 instead of e100 and duplicating it to an instance that would dump me in a shell, I was up and running.
I then hooked it up to a gigabit LAN with a box running dynamips and a single router. The router and the ASA were able to exchange OSPF routes just fine and traffic was able to pass.
Mike, can you post some of the bandwidth benchmarks using e1000 and P3/866 in native mode (especially when the ASA is in transparent mode, because I assume the bandwidth test would be best in that case)?
There is an e1000 driver in the initrd but it probably needs insmod, which can be done from the shell before lina is started.
It is quite possible that VMware doesn't pass multicast packets out of the virtual network.
I find the network interface doesn't work in promiscuous mode, so it doesn't work in transparent mode. Could you help to solve it? Thanks.
lewis.hui, can you post your running-config?
Is there a way to add more than 2 interfaces? Under Qemu it is supposed to be possible to add up to 6 interfaces.
Really very good system. One problem I have found: a user-generated crypto RSA key (mypublic) cannot be saved. The command "sa save all" is deprecated in ASA versions around 7 or 8, and we cannot use the command "write mem" instead because it erases the startup-config. Maybe somebody can tell something about it.
@trebla, add the Ethernet interface in the VMware config and they will show. Besides, I don't know why you need more interfaces; this is a virtual machine.
@pchelovod, the config is not saved with "write mem" because it doesn't work here for some reason (media format?); instead you must copy running-config directly to the flash://.....startup-config file (it's already explained somewhere).
I need extra interfaces to perform and test a lab scenario. Actually, I have tried to add the interface in VMware before, but after adding the extra interface the following error was shown and the system kept rebooting.
Total NICs found: 6
setup_irq: irq handler mismatch
Unable to open /proc/irq/15/irq error: Device or resource busy
Panic: kernel – intr_establish: open interupt descriptor irq 15
An internal error occurred. Specifically, a programming assertion was
violated. Copy the error message exactly as it appears, and get the
output of the show version command and the contents of the configuration
file. Then call your technical support representative.
assertion “_vf_mode_init” failed: file “vf_api.c”, line 99
Rebooting….
The issue of not being able to write the configuration to flash also makes it difficult to change the mode.
Does anybody know a workaround?
@trebla, for lab tests better use pemu; it works much slower but more accurately
@tron, instead of doing wr mem, copy the running config over the startup config. It's already explained.
I know how to write mem using copy... (I read it in this forum.)
The problem is that when you change modes from single to multiple, the writing is done automatically, not by your command. And as the write fails, the mode change is aborted.
Has anybody successfully changed the ASA to multiple context mode?
Good work. I installed ASA_install_V1 on a PC and it was successful. Everything, as far as I have tested, worked fine except the save command. However, I want to install the VMware ASA version so that I can run it on my PC without the need to have a separate machine dedicated to it, but I don't know how to go about it. Does anyone have a clue how to do this?
The easiest way for you is to download this virtual image and VMware Player. In VMware Player just add the ASA VMware image you downloaded earlier and start. It's as simple as that.
Hi, I've tried the VM under VMware Workstation 6, under Win XP and Ubuntu 8.04, and I'm always stuck at "booting the kernel".
Any idea?
I have Windows XP installed on my PC as host and Cisco ASA as guest running on VirtualBox 2.1.0.6. The installation was successful. How can I get the two communicating, because as it is now I can only ping the inside address of the ASA from the host OS? I couldn't telnet to the device using either the host terminal or PuTTY. I tried using Tera Term but no luck. Please advise on what to do.
@Bastien: That is normal and expected. Your ASA is probably working. Read the other posts please.
@Alade: Download this -> http://l4ka.org/tools/vmwaregateway.php and start it with vmwaregateway.exe /t. In the virtual machine config check that there is serial port emulation and a "named pipe" to \\.\pipe\vmwaredebug, direction client - application. Then telnet to port 4444 and start the ASA. This will let you communicate with the ASA serial port through telnet.
It is possible to use the ASA in multiple context mode, however you must execute lina directly with the m (for multiple context mode) flag as follows:
lina -m
In order to change back to single mode, you’ll have to restart the process, obviously, without the m flag or execute lina_monitor.
Thanks, I'll try it
Hi, do you know how to use the console port under VMware in Linux?
I found this:
http://www.virtualization.info/2006/03/tech-accessing-serial-console-on.html and this:
http://communities.vmware.com/thread/28508
but before I take a look at that, maybe someone has done it already
As I already explained in previous posts, for the console, which is on the serial port, you need vmwaregateway. When you start VMware your serial port settings must point to the shared vmwaregateway pipe. Then you connect with telnet to the pipe on localhost (127.0.0.1:4444) and that's it.
You can find a detailed explanation around here.
Huge thanks for the amazing ideas!!! I’ll be following the blog, lots of interesting stuff. And I hope you’ll like my blog about science too.
Hi, when using vmwaregateway every keystroke is sent twice to the ASA. I’d rather use it under Linux: you just have to create a named pipe, with VMware set as the server and the other end as the application, then it will create the file in your virtual machine dir, and then just type this (in the VM dir):
sudo socat unix-connect:serialasa stdio,echo=0,raw
if you named the pipe serialasa. It works well under Ubuntu (just install socat).
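The two Linux answers above boil down to one idea: VMware exposes the guest’s serial port as a Unix-domain socket in the VM directory, and something on the host has to attach to it (socat to your terminal, or a TCP listener so you can telnet to 127.0.0.1:4444 as with vmwaregateway on Windows). The script below is an added example, not code from this thread or from VMware or vmwaregateway, that plays the vmwaregateway role on Linux: it accepts one telnet-style client at a time on the loopback address and relays bytes to and from the console socket. The socket path (`serialasa` in the VM dir) and the port 4444 are taken from the comments; binding to 127.0.0.1 only is deliberate, since anyone who can reach the serial console can reconfigure the firewall.

```python
import socket
import threading

# Loopback only: the serial console is a privileged path into the ASA,
# so the bridge must never listen on a routable address.
LISTEN_ADDR = ("127.0.0.1", 4444)


def pump(src, dst):
    """Copy bytes from src to dst until src reaches EOF, then half-close dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def bridge(client_sock, console_sock):
    """Relay both directions between a TCP client and the VM console socket.

    Returns once both sides have closed. Bytes are passed through unchanged
    (no local echo), which avoids the doubled keystrokes mentioned above.
    """
    threads = [
        threading.Thread(target=pump, args=(client_sock, console_sock), daemon=True),
        threading.Thread(target=pump, args=(console_sock, client_sock), daemon=True),
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    client_sock.close()
    console_sock.close()


def open_console(pipe_path):
    """Connect to the Unix-domain socket VMware created for the serial port.

    pipe_path is the file VMware writes in the VM directory (e.g. "serialasa",
    the name used in the comment above); it is an assumption of this example.
    """
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.connect(pipe_path)
    return s


def serve(pipe_path, listen_addr=LISTEN_ADDR, max_clients=None):
    """Accept telnet clients on loopback and bridge each one to the console.

    A serial console has a single reader, so clients are served one at a time.
    max_clients limits how many sessions to serve before returning (None = forever).
    Returns the number of sessions served.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(listen_addr)
    srv.listen(1)
    served = 0
    try:
        while max_clients is None or served < max_clients:
            client, peer = srv.accept()
            print(f"console session from {peer[0]}:{peer[1]}")
            bridge(client, open_console(pipe_path))
            served += 1
    finally:
        srv.close()
    return served


if __name__ == "__main__":
    import sys
    # Usage: python3 console_bridge.py /path/to/vm-dir/serialasa
    # then, in another terminal: telnet 127.0.0.1 4444
    serve(sys.argv[1])
```

Run it from the VM directory after the VM has been started with the serial port configured as a Unix socket in server mode; a `telnet 127.0.0.1 4444` session then behaves like the vmwaregateway setup described earlier in the thread. If you need the console reachable from another machine, tunnel port 4444 over SSH rather than changing the bind address.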
Whoever wants to exchange links, write to me
I love all your words..
Our lecturer told us something similar yesterday at university; the topic really is interesting
Look how many spammers have turned up
But everything written here is true
The DSL is working but the ASA is not … it gives me “uncompressing linux …. ok, booting the kernel” and nothing happens. Please help me with this, because I’m studying for the CCSP and I need this simulation a lot.
Thanks in advance
the enable password pleaseeeee
Nice post.
Keep on blogging!
I need the enable password please, can anyone help me?
The password is already posted on this page
“Anon December 5, 2008 5:44 pm
It is possible to use the ASA in multiple context mode, however you must execute lina directly with the m (for multiple context mode) flag as follows:
lina -m”
How to do so? Thanks.
Thanks admin, I got them, and thanks for this post … it’s a good chance to increase our experience in using the ASA
Thanks, I got it working. How are the SDM, WebVPN and multiple Ethernet support coming along?
Which ASA gives better performance on a PC (DSL ASA or QEMU ASA)? Thanks.
QEMU ASA is an emulation and it’s very slow. Network is a lot slower (up to 40x).
VMware is emulation too but better than QEMU.
More Ethernet interfaces and WebVPN depend on the license.
How do you increase the memory beyond 128 MB? Without any config, the memory used is already 100 MB. Could I update it to the latest ASA OS? It seems to be limited to 8.0(2). Thanks.
ASA works with 256MB from which some of the memory is taken by OS/Lina.
IMO 128MB free is OK, as many software routers are fine with only 32MB.
You can also do most things with that much memory.
TCP named pipes are much better than vmwaregateway: you can connect to multiple virtual serial devices, even remotely.
http://shvechkov.tripod.com/nptp.html
Hello,
Is it possible to change somewhere the Asa Serial number?
It is possible, but not easily.
You must change the code of lina to be able to do it. That requires disassembling lina.
Dear admin,
I tried to SSH to the ASA using PuTTY but it doesn’t work … can you please advise?
Has anyone been able to get ASDM to work with this ASA?
Hey admin,
is there any news about ASDM?
Thanks! I’m running VMware 2.0 and was able to fire this VM up and change the IP so that I could ping devices on both ends: (LAN)–(HostOnlyNet)-. Some issues with writing the config, but I’ll work on that later; for now I can just update the running config from the VM with a config file. A few hours with this and I should be able to do some testing.
By the way, did anyone have issues with setting up WebVPN as a group-policy setting?
Thanks again.
-P
It will be great if you support us with ASDM, because it’s really very important experience … thanks in advance