[EVE-NG] ASA - Site to Site VPN between ASA (Part 2)

Security

by 검은체리 2020. 1. 24. 10:42


- The EVE-NG network is set to Bridge mode, so it sits on the same network as my PC's IP (192.168.2.0/24).

- UAT may reach only UAT, and PRO may reach only PRO.

REMOTE (ASA)


interface GigabitEthernet0/0 
 nameif outside 
 security-level 0 
 ip address 111.111.111.2 255.255.255.0  

interface GigabitEthernet0/1 
 nameif inside 
 security-level 100 
 ip address 192.168.100.1 255.255.255.0  
!
route outside 0.0.0.0 0.0.0.0 111.111.111.1 1
route inside 192.168.10.0 255.255.255.0 192.168.100.2 1
route inside 192.168.20.0 255.255.255.0 192.168.100.2 1
!
object network RE_PRO
 host 192.168.10.10

object network RE_UAT
 host 192.168.20.20

object network LO_PRO
 host 192.168.30.100

object network LO_UAT
 host 192.168.30.200

object-group network REMOTE
 network-object object RE_PRO
 network-object object RE_UAT
!
object-group network LOCAL
 network-object object LO_PRO
 network-object object LO_UAT
!
access-list outside_cryptomap extended permit ip object-group REMOTE object-group LOCAL
!
nat (inside,outside) source static REMOTE REMOTE destination static LOCAL LOCAL no-proxy-arp route-lookup
!
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac  
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac  
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac  
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac  
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac  
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac  
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac  
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac  
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac  
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac  
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac  
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac  
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport 
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac  
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac  
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac  
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport 
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac  
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac  
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac  
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac  
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport 
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac  
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport 
!
crypto ipsec security-association pmtu-aging infinite 
crypto map outside_map 1 match address outside_cryptomap 
crypto map outside_map 1 set peer 111.111.111.1  
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA 
crypto map outside_map interface outside
!
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
group-policy GroupPolicy_111.111.111.1 internal 
group-policy GroupPolicy_111.111.111.1 attributes 
 vpn-tunnel-protocol ikev1  
dynamic-access-policy-record DfltAccessPolicy 
tunnel-group 111.111.111.1 type ipsec-l2l 
tunnel-group 111.111.111.1 general-attributes 
 default-group-policy GroupPolicy_111.111.111.1 
tunnel-group 111.111.111.1 ipsec-attributes 
 ikev1 pre-shared-key cisco 
!
policy-map global_policy
 class inspection_default
  inspect icmp
!

LOCAL (ASA)

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 111.111.111.1 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.30.1 255.255.255.0 
!
route outside 0.0.0.0 0.0.0.0 111.111.111.2 
!
!
object network RE_PRO
 host 192.168.10.10

object network RE_UAT
 host 192.168.20.20

object network LO_PRO
 host 192.168.30.100

object network LO_UAT
 host 192.168.30.200

object-group network REMOTE
 network-object object RE_PRO
 network-object object RE_UAT
!
object-group network LOCAL
 network-object object LO_PRO
 network-object object LO_UAT
!
access-list outside_cryptomap extended permit ip object-group LOCAL object-group REMOTE
!
nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE no-proxy-arp route-lookup
!
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac  
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac  
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac  
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac  
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac  
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac  
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac  
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac  
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac  
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac  
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac  
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac  
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport 
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac  
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac  
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac  
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport 
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac  
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac  
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac  
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac  
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport 
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac  
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport 
!
crypto ipsec security-association pmtu-aging infinite 
crypto map outside_map 1 match address outside_cryptomap 
crypto map outside_map 1 set peer 111.111.111.2  
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA 
crypto map outside_map interface outside
!
crypto ikev1 enable outside 
crypto ikev1 policy 1
 authentication pre-share 
 encryption 3des 
 hash sha 
 group 2 
 lifetime 86400
!
group-policy GroupPolicy_111.111.111.2 internal 
group-policy GroupPolicy_111.111.111.2 attributes 
 vpn-tunnel-protocol ikev1  
dynamic-access-policy-record DfltAccessPolicy 
tunnel-group 111.111.111.2 type ipsec-l2l 
tunnel-group 111.111.111.2 general-attributes 
 default-group-policy GroupPolicy_111.111.111.2
tunnel-group 111.111.111.2 ipsec-attributes 
 ikev1 pre-shared-key cisco 
!
===================
policy-map global_policy 
 class inspection_default
  inspect icmp
===================
Add this setting only after the final verification, so the behaviour before and after it can be compared.
!
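As an added consistency check (example code written for this post, not Cisco tooling), the script below pulls the fields the two peers above must agree on out of abbreviated, constructed copies of the REMOTE and LOCAL configs, verifies that they mirror each other (peer address, tunnel-group, crypto ACL direction, transform set, IKEv1 policy, pre-shared key), and notes the 3DES and group 2 settings as legacy. The field names, `LEGACY` set and `check_pair` logic are my own choices of what to compare, not an ASA feature.

```python
import re
# Constructed, abbreviated REMOTE ASA config from this post; LOCAL is derived as its mirror image.
REMOTE_CFG = """
 nameif outside
 ip address 111.111.111.2 255.255.255.0
access-list outside_cryptomap extended permit ip object-group REMOTE object-group LOCAL
crypto map outside_map 1 set peer 111.111.111.1
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto ikev1 policy 1
 encryption 3des
 hash sha
 group 2
tunnel-group 111.111.111.1 ipsec-attributes
 ikev1 pre-shared-key cisco
"""
# swap the two outside addresses and reverse the crypto ACL, exactly as the LOCAL config on this page does
LOCAL_CFG = (REMOTE_CFG.replace("111.111.111.2", "@").replace("111.111.111.1", "111.111.111.2")
             .replace("@", "111.111.111.1")
             .replace("group REMOTE object-group LOCAL", "group LOCAL object-group REMOTE"))
FIELDS = {"outside_ip": r"^ nameif outside\n ip address (\S+)",
          "peer": r"^crypto map \S+ \d+ set peer (\S+)", "tunnel_group": r"^tunnel-group (\S+) ipsec-attributes",
          "transform": r"set ikev1 transform-set (\S+)", "psk": r"^ ikev1 pre-shared-key (\S+)",
          "encryption": r"^ encryption (\S+)", "hash": r"^ hash (\S+)", "group": r"^ group (\S+)"}
LEGACY = {"des", "3des", "md5", "1", "2"}  # IKEv1 encryption/hash/DH-group values now considered legacy

def parse(cfg):  # fields two IKEv1 L2L peers must agree on (None where the line is absent)
    def grab(pat):
        m = re.search(pat, cfg, re.M)
        return m[1] if m else None
    d = {k: grab(p) for k, p in FIELDS.items()}
    acl = re.search(r"^access-list \S+ extended permit ip object-group (\S+) object-group (\S+)", cfg, re.M)
    d["acl"] = acl.groups() if acl else None
    return d

def check_pair(a, b):  # mismatches that would keep the tunnel down, then legacy-algorithm notes
    out = []
    for side, x, y in (("A", a, b), ("B", b, a)):
        if x["peer"] != y["outside_ip"]:
            out.append(f"{side}: set peer {x['peer']} != other side's outside address {y['outside_ip']}")
        if x["tunnel_group"] != x["peer"]:
            out.append(f"{side}: tunnel-group {x['tunnel_group']} != set peer {x['peer']}")
    if None in (a["acl"], b["acl"]) or a["acl"] != b["acl"][::-1]:  # crypto ACLs must mirror each other
        out.append(f"crypto ACLs not mirrored: {a['acl']} vs {b['acl']}")
    out += [f"{k} differs: {a[k]} vs {b[k]}" for k in ("psk", "transform", "encryption", "hash", "group") if a[k] != b[k]]
    out += [f"legacy {k} {a[k]} in IKEv1 policy" for k in ("encryption", "hash", "group") if a[k] in LEGACY]
    return out
REMOTE, LOCAL = parse(REMOTE_CFG), parse(LOCAL_CFG)
def lab_findings():     # the post's pair: mirrored correctly, only the legacy-algorithm notes remain
    return check_pair(REMOTE, LOCAL)
def broken_findings():  # LOCAL's DH group changed to 5: Phase 1 proposals would never agree
    return check_pair(REMOTE, parse(LOCAL_CFG.replace(" group 2", " group 5")))
```

`lab_findings()` returns only the two legacy notes for the configs on this page; `broken_findings()` shows how a single differing Phase 1 attribute is reported.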

REMOTE PRO (192.168.10.10 to 192.168.30.100)

VPCS> ping 192.168.30.100

84 bytes from 192.168.30.100 icmp_seq=2 ttl=63 time=14.634 ms
84 bytes from 192.168.30.100 icmp_seq=3 ttl=63 time=8.714 ms
84 bytes from 192.168.30.100 icmp_seq=4 ttl=63 time=4.725 ms
84 bytes from 192.168.30.100 icmp_seq=5 ttl=63 time=6.644 ms

REMOTE UAT (192.168.20.20 to 192.168.30.200)

VPCS> ping 192.168.30.200

84 bytes from 192.168.30.200 icmp_seq=1 ttl=63 time=6.620 ms
84 bytes from 192.168.30.200 icmp_seq=2 ttl=63 time=8.266 ms
84 bytes from 192.168.30.200 icmp_seq=3 ttl=63 time=8.402 ms
84 bytes from 192.168.30.200 icmp_seq=4 ttl=63 time=7.503 ms

- At this point any host behind REMOTE can reach any host behind LOCAL, and vice versa.

  Case: a customer asks that only one specific external server be allowed to reach one specific internal server.

  In the LAB, allow PRO to reach only PRO...


Restrict the inside path on LOCAL (ASA)

access-list inside_access_in extended permit ip object LO_PRO object RE_PRO
access-group inside_access_in in interface inside
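To see exactly what that inside ACL allows, here is a small first-match evaluator (an added example, not ASA code) built from the four network objects on this page. It goes one step beyond the post by also showing the second ACE that would be needed if UAT-to-UAT access should stay open as well; `OBJECTS`, `evaluate` and `matrix` are hypothetical names of my own.

```python
from ipaddress import ip_address, ip_network

# Constructed from the network objects and the inside_access_in ACL on this page; the evaluator
# itself is a hypothetical model of ASA interface-ACL matching, not ASA code.
OBJECTS = {"RE_PRO": "192.168.10.10", "RE_UAT": "192.168.20.20",
           "LO_PRO": "192.168.30.100", "LO_UAT": "192.168.30.200"}
# access-list inside_access_in extended permit ip object LO_PRO object RE_PRO
INSIDE_ACCESS_IN = [("permit", "ip", "LO_PRO", "RE_PRO")]
# one more ACE (not on the page) if UAT-to-UAT must remain reachable too
INSIDE_ACCESS_IN_WITH_UAT = INSIDE_ACCESS_IN + [("permit", "ip", "LO_UAT", "RE_UAT")]

def in_object(name, addr):
    """A 'host' object is a /32; a subnet object would be given here in CIDR form."""
    return ip_address(addr) in ip_network(OBJECTS[name], strict=False)

def evaluate(acl, src, dst, proto="ip"):
    """First matching ACE wins; an ASA interface ACL ends with an implicit deny."""
    for action, p, s, d in acl:
        if p in ("ip", proto) and in_object(s, src) and in_object(d, dst):
            return action
    return "deny"

def matrix(acl):
    """Verdict for every flow a LOCAL host initiates toward a REMOTE host via the inside interface."""
    return {(s, d): evaluate(acl, OBJECTS[s], OBJECTS[d])
            for s in ("LO_PRO", "LO_UAT") for d in ("RE_PRO", "RE_UAT")}

if __name__ == "__main__":
    for name, acl in (("page ACL", INSIDE_ACCESS_IN), ("with UAT ACE", INSIDE_ACCESS_IN_WITH_UAT)):
        print(name, matrix(acl))
```

Only connections initiated from LOCAL's inside interface are evaluated against this ACL; the ASA is stateful, so replies to those connections need no ACE of their own.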

- A LAB test that is simple once you know it, but that took quite a bit of struggle before I did.

- ASDM (common)

- NAT (LOCAL ASDM)

- Access Rules (LOCAL ASDM)
