Cisco ASA - routing traffic between multiple site-to-site tunnels

We have a Cisco ASA that provides multiple site-to-site tunnels to our customers. Most of our employees connect to the ASA using the standard VPN client.

However, we would also like to allow employees who have a static connection or multiple PCs to use a site-to-site tunnel.

How can we allow traffic from Employee1 through X <-> Cisco ASA <-> all customer tunnels, while not allowing traffic CustomerA tunnel <-> Cisco ASA <-> CustomerB tunnel?

Answer 1

Something like this. 192.168.168.0/24 seems a bit small; if you need more, create an object group for those as well.

same-security-traffic permit intra-interface

object-group network Client_Networks
 ! Load up client network assignments here, so the ACLs don't get huge:
 network-object 192.0.2.0 255.255.255.0
 network-object 198.51.100.0 255.255.255.0

! ACL for tunnel to an example client - this one's on the 192.0.2.0 range.
! The entry covers traffic between the local net and the client
access-list outside_cryptomap_client_1 extended permit ip 172.16.89.0 255.255.255.0 192.0.2.0 255.255.255.0
! And this is needed for the traffic between the employee nets and the client
access-list outside_cryptomap_client_1 extended permit ip 192.168.168.0 255.255.255.0 192.0.2.0 255.255.255.0

! ACL for the tunnel to an employee - we'll stick them on 192.168.168.32/30;
! For the purposes of the tunnel, the client networks are local networks.
! The entry's going to create a ton of IPSec SAs -- makes a mess, but not a lot of choice.
access-list outside_cryptomap_employee_1 extended permit ip object-group Client_Networks 192.168.168.32 255.255.255.252
! And, the local whatnot.
access-list outside_cryptomap_employee_1 extended permit ip 172.16.89.0 255.255.255.0 192.168.168.32 255.255.255.252

! all the other config for the site-to-site tunnels..
crypto map outside_map 1 match address outside_cryptomap_client_1
! ...
crypto map outside_map 501 match address outside_cryptomap_employee_1

If you have any NAT going on, which you probably do since you're using RFC1918 ranges, you'll need full NAT exemption to match all of the traffic in the crypto ACLs.

! add to an existing NAT exemption ACL, if you have one.  Otherwise, make one..
! local to clients
access-list outside_nat0_outbound extended permit ip 172.16.89.0 255.255.255.0 object-group Client_Networks
! local to employees
access-list outside_nat0_outbound extended permit ip 172.16.89.0 255.255.255.0 192.168.168.0 255.255.255.0
! employees to clients
access-list outside_nat0_outbound extended permit ip 192.168.168.0 255.255.255.0 object-group Client_Networks
nat (Public) 0 access-list outside_nat0_outbound

Of course, you'll need to configure the remote VPN endpoints at the employee locations with the client networks as remote networks, matching the crypto ACLs on the site-to-site connections.
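As an added check (this is not part of the answer above and not a Cisco tool), the following Python script parses the crypto ACLs from the answer and verifies the two properties the design relies on: every hairpinned employee-to-client flow is covered by both the employee-leg ACL and the client-leg ACL, and no ACE pairs two customer networks with each other. It assumes the answer's ACL naming (`_client_` / `_employee_`) and its sample networks; the config text is embedded as a constructed sample.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample, copied from the crypto ACLs in the answer above. The answer
# elides the client_2 tunnel ("! ..."), so 198.51.100.0/24 has no client-leg ACL here.
SAMPLE_CONFIG = """
object-group network Client_Networks
 network-object 192.0.2.0 255.255.255.0
 network-object 198.51.100.0 255.255.255.0
access-list outside_cryptomap_client_1 extended permit ip 172.16.89.0 255.255.255.0 192.0.2.0 255.255.255.0
access-list outside_cryptomap_client_1 extended permit ip 192.168.168.0 255.255.255.0 192.0.2.0 255.255.255.0
access-list outside_cryptomap_employee_1 extended permit ip object-group Client_Networks 192.168.168.32 255.255.255.252
access-list outside_cryptomap_employee_1 extended permit ip 172.16.89.0 255.255.255.0 192.168.168.32 255.255.255.252
"""

def parse_config(text):
    """Return (groups, acls): groups[name] -> [networks]; acls[name] -> [(src, dst)], object groups expanded."""
    groups, acls, group = {}, defaultdict(list), None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("object-group network "):
            group = line.split()[-1]
            groups[group] = []
        elif line.startswith("network-object ") and group:
            _, addr, mask = line.split()
            groups[group].append(ipaddress.ip_network(f"{addr}/{mask}"))
        elif (m := re.match(r"access-list (\S+) extended permit ip (.+)", line)):
            group = None
            tok = m.group(2).split()  # each endpoint is two tokens: "object-group NAME" or "ADDR MASK"
            ends = [groups[tok[i + 1]] if tok[i] == "object-group"
                    else [ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}")] for i in (0, 2)]
            acls[m.group(1)].extend((s, d) for s in ends[0] for d in ends[1])
    return groups, dict(acls)

def matching_acls(acls, src, dst):
    """Crypto ACLs whose interesting traffic covers src<->dst (the ASA mirrors crypto ACLs, so both directions count)."""
    src, dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    return sorted(name for name, aces in acls.items()
                  if any((src.subnet_of(s) and dst.subnet_of(d)) or (src.subnet_of(d) and dst.subnet_of(s))
                         for s, d in aces))

def hairpin_gaps(acls, client_nets, employee_net):
    """A hairpinned employee->client flow must match an employee-leg AND a client-leg ACL; list clients missing a leg."""
    gaps = []
    for net in client_nets:
        names = matching_acls(acls, employee_net, net)
        if not (any("_employee_" in n for n in names) and any("_client_" in n for n in names)):
            gaps.append(str(net))
    return gaps

def client_to_client_aces(acls, client_nets):
    """ACEs that would carry one customer's network to another customer's through the ASA; must be empty."""
    return [(name, str(s), str(d)) for name, aces in acls.items() for s, d in aces
            if any(s.subnet_of(c) for c in client_nets) and any(d.subnet_of(c) for c in client_nets)]

if __name__ == "__main__":
    groups, acls = parse_config(SAMPLE_CONFIG)
    print("clients missing a tunnel leg:", hairpin_gaps(acls, groups["Client_Networks"], "192.168.168.32/30"))
    print("customer-to-customer ACEs:", client_to_client_aces(acls, groups["Client_Networks"]))
```

Running it against the sample reports 198.51.100.0/24 as missing its client-leg ACL (the elided tunnel) and no customer-to-customer ACEs; a non-empty second list would mean a later `crypto map` entry is exposing one customer to another.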
