Amazon Virtual Private Cloud
Network Administrator Guide

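Example: Cisco ASA Device

If your customer gateway is a Cisco ASA device running Cisco ASA 8.2+ software, this section walks you through an example of the configuration information that your integration team provides.

The diagram shows the customer gateway. Use the actual configuration information that you receive from your integration team and apply it to your customer gateway.

A High-Level View of the Customer Gateway

The following diagram shows the details of your customer gateway. Note that the VPN connection consists of two tunnels. Using redundant tunnels ensures continued availability if a device fails.

[Figure: Cisco ASA high-level diagram]

Note that some Cisco ASAs support only active/standby mode. When you use these Cisco ASAs, you can have only one active tunnel at a time. The standby tunnel becomes available only if the first tunnel becomes unavailable. With this redundancy, you should always be able to connect to your VPC through one of the tunnels.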

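Example Configuration

The configuration in this section is an example of the configuration information that your integration team should provide. The example configuration contains a set of information for each of the tunnels that you must configure.

The example configuration includes example values to help you understand how the configuration works. For example, we provide example values for the VPN connection ID (vpn-12345678) and the virtual private gateway ID (vgw-12345678), and placeholders for the AWS endpoints (AWS_ENDPOINT_1 and AWS_ENDPOINT_2). Replace these example values with the actual values from the configuration information that you receive.

You must also:

  • Configure the outside interface.

  • Ensure that the Crypto ISAKMP policy sequence number is unique.

  • Ensure that the Crypto list policy sequence number is unique.

  • Ensure that the Crypto IPsec transform set and the Crypto ISAKMP policy sequence are consistent with any other IPsec tunnels configured on the device.

  • Ensure that the SLA monitoring number is unique.

  • Configure all of the routing that moves traffic between the customer gateway and your local network.

Important

The following configuration information is an example of what you can expect your integration team to provide. Many of the values in the following example will differ from the actual configuration information that you receive. You must use the actual values, not the example values shown here, or your implementation will fail.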

! Amazon Web Services
! Virtual Private Cloud
!
! AWS utilizes unique identifiers to manipulate the configuration of
! a VPN Connection. Each VPN Connection is assigned an identifier and is
! associated with two other identifiers, namely the
! Customer Gateway Identifier and Virtual Private Gateway Identifier.
!
! Your VPN Connection ID : vpn-12345678
! Your Virtual Private Gateway ID : vgw-12345678
! Your Customer Gateway ID : cgw-12345678
!
! This configuration consists of two tunnels. Both tunnels must be
! configured on your Customer Gateway. Only a single tunnel will be up at a
! time to the VGW.
!
! You may need to populate these values throughout the config based on your setup:
! outside_interface - External interface of the ASA
! outside_access_in - Inbound ACL on the external interface
! amzn_vpn_map - Outside crypto map
! vpc_subnet and vpc_subnet_mask - VPC address range
! local_subnet and local_subnet_mask - Local subnet address range
! sla_monitor_address - Target address that is part of acl-amzn to run SLA monitoring
!
! --------------------------------------------------------------------------------
! IPSec Tunnels
! --------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
!
! A policy is established for the supported ISAKMP encryption,
! authentication, Diffie-Hellman, lifetime, and key parameters.
!
! Note that there are a global list of ISAKMP policies, each identified by
! sequence number. This policy is defined as #201, which may conflict with
! an existing policy using the same or lower number depending on
! the encryption type. If so, we recommend changing the sequence number to
! avoid conflicts and overlap.
!
! Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
! You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24.
! The address of the external interface for your customer gateway must be a static address.
! Your customer gateway may reside behind a device performing network address translation (NAT).
! To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall rules to unblock UDP port 4500. If not behind NAT, we recommend disabling NAT-T.
!
crypto isakmp identity address
crypto isakmp enable outside_interface
crypto isakmp policy 201
  encryption aes
  authentication pre-share
  group 2
  lifetime 28800
  hash sha
exit
!
! The tunnel group sets the Pre Shared Key used to authenticate the
! tunnel endpoints.
!
tunnel-group AWS_ENDPOINT_1 type ipsec-l2l
tunnel-group AWS_ENDPOINT_1 ipsec-attributes
  pre-shared-key password_here
!
! This option enables IPSec Dead Peer Detection, which causes periodic
! messages to be sent to ensure a Security Association remains operational.
!
  isakmp keepalive threshold 10 retry 10
exit
!
tunnel-group AWS_ENDPOINT_2 type ipsec-l2l
tunnel-group AWS_ENDPOINT_2 ipsec-attributes
  pre-shared-key password_here
!
! This option enables IPSec Dead Peer Detection, which causes periodic
! messages to be sent to ensure a Security Association remains operational.
!
  isakmp keepalive threshold 10 retry 10
exit
! --------------------------------------------------------------------------------
! #2: Access List Configuration
!
! Access lists are configured to permit creation of tunnels and to send applicable traffic over them.
! This policy may need to be applied to an inbound ACL on the outside interface that is used to manage control-plane traffic.
! This is to allow VPN traffic into the device from the Amazon endpoints.
!
access-list outside_access_in extended permit ip host AWS_ENDPOINT_1 host YOUR_UPLINK_ADDRESS
access-list outside_access_in extended permit ip host AWS_ENDPOINT_2 host YOUR_UPLINK_ADDRESS
!
! The following access list named acl-amzn specifies all traffic that needs to be routed to the VPC. Traffic will
! be encrypted and transmitted through the tunnel to the VPC. Association with the IPSec security association
! is done through the "crypto map" command.
!
! This access list should contain a static route corresponding to your VPC CIDR and allow traffic from any subnet.
! If you do not wish to use the "any" source, you must use a single access-list entry for accessing the VPC range.
! If you specify more than one entry for this ACL without using "any" as the source, the VPN will function erratically.
! The any rule is also used so the security association will include the ASA outside interface where the SLA monitor
! traffic will be sourced from.
! See section #4 regarding how to restrict the traffic going over the tunnel
!
!
access-list acl-amzn extended permit ip any vpc_subnet vpc_subnet_mask
!---------------------------------------------------------------------------------
! #3: IPSec Configuration
!
! The IPSec transform set defines the encryption, authentication, and IPSec
! mode parameters.
! Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24.
!
crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac
! The crypto map references the IPSec transform set and further defines
! the Diffie-Hellman group and security association lifetime. The mapping is created
! as #1, which may conflict with an existing crypto map using the same
! number. If so, we recommend changing the mapping number to avoid conflicts.
!
crypto map amzn_vpn_map 1 match address acl-amzn
crypto map amzn_vpn_map 1 set pfs group2
crypto map amzn_vpn_map 1 set peer AWS_ENDPOINT_1 AWS_ENDPOINT_2
crypto map amzn_vpn_map 1 set transform-set transform-amzn
crypto map amzn_vpn_map 1 set security-association lifetime seconds 3600
!
! Only set this if you do not already have an outside crypto map, and it is not applied:
!
crypto map amzn_vpn_map interface outside_interface
!
! Additional parameters of the IPSec configuration are set here. Note that
! these parameters are global and therefore impact other IPSec
! associations.
!
! This option instructs the firewall to clear the "Don't Fragment"
! bit from packets that carry this bit and yet must be fragmented, enabling
! them to be fragmented.
!
crypto ipsec df-bit clear-df outside_interface
!
! This configures the gateway's window for accepting out of order
! IPSec packets. A larger window can be helpful if too many packets
! are dropped due to reordering while in transit between gateways.
!
crypto ipsec security-association replay window-size 128
!
! This option instructs the firewall to fragment the unencrypted packets
! (prior to encryption).
!
crypto ipsec fragmentation before-encryption outside_interface
!
! This option causes the firewall to reduce the Maximum Segment Size of
! TCP packets to prevent packet fragmentation.
sysopt connection tcpmss 1379
!
! In order to keep the tunnel in an active or always up state, the ASA needs to send traffic to the subnet
! defined in acl-amzn. SLA monitoring can be configured to send pings to a destination in the subnet and
! will keep the tunnel active. This traffic needs to be sent to a target that will return a response.
! This can be manually tested by sending a ping to the target from the ASA sourced from the outside interface.
! A possible destination for the ping is an instance within the VPC. For redundancy multiple SLA monitors
! can be configured to several instances to protect against a single point of failure.
!
! The monitor is created as #1, which may conflict with an existing monitor using the same
! number. If so, we recommend changing the sequence number to avoid conflicts.
!
sla monitor 1
  type echo protocol ipIcmpEcho sla_monitor_address interface outside_interface
  frequency 5
exit
sla monitor schedule 1 life forever start-time now
!
! The firewall must allow icmp packets to use "sla monitor"
icmp permit any outside_interface
!---------------------------------------------------------------------------------
! #4: VPN Filter
! The VPN Filter will restrict traffic that is permitted through the tunnels. By default all traffic is denied.
! The first entry provides an example to include traffic between your VPC Address space and your office.
! You may need to run 'clear crypto isakmp sa', in order for the filter to take effect.
!
!
access-list amzn-filter extended permit ip vpc_subnet vpc_subnet_mask local_subnet local_subnet_mask
access-list amzn-filter extended deny ip any any
group-policy filter internal
group-policy filter attributes
  vpn-filter value amzn-filter
tunnel-group AWS_ENDPOINT_1 general-attributes
  default-group-policy filter
exit
tunnel-group AWS_ENDPOINT_2 general-attributes
  default-group-policy filter
exit
!---------------------------------------------------------------------------------------
! #5: NAT Exemption
! If you are performing NAT on the ASA you will have to add a nat exemption rule.
! This varies depending on how NAT is set up. It should be configured along the lines of:
! object network obj-SrcNet
! subnet 0.0.0.0 0.0.0.0
! object network obj-amzn
! subnet vpc_subnet vpc_subnet_mask
! nat (inside,outside) 1 source static obj-SrcNet obj-SrcNet destination static obj-amzn obj-amzn
! If using version 8.2 or older, the entry would need to look something like this:
! nat (inside) 0 access-list acl-amzn
! Or, the same rule in acl-amzn should be included in an existing no nat ACL.
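
The uniqueness requirements listed earlier (ISAKMP policy, crypto map and SLA monitor numbers), the placeholders in the sample, and the settings its comments describe as the minimum can all be checked mechanically before the configuration is applied. The following Python sketch is an added example, not part of the AWS-provided configuration; the EXISTING excerpt and the name outside_map are constructed, and the check flags identical sequence numbers only, not the "lower number" case the sample's comments mention.

```python
import re

# Constructed sample: what is already on the ASA (hypothetical second VPN).
EXISTING = """\
crypto isakmp policy 201
 encryption 3des
crypto map outside_map 1 match address acl-branch
sla monitor 7
"""

# Excerpt of the sample configuration on this page, placeholders left in.
TEMPLATE = """\
crypto isakmp policy 201
 encryption aes
 group 2
 hash sha
tunnel-group AWS_ENDPOINT_1 ipsec-attributes
 pre-shared-key password_here
crypto map amzn_vpn_map 1 match address acl-amzn
crypto map amzn_vpn_map 1 set pfs group2
sla monitor 1
sla monitor schedule 1 life forever start-time now
"""

# Numbered objects the page says must not clash with existing ones.
NUMBERED = {
    "isakmp policy": re.compile(r"^crypto isakmp policy (\d+)", re.M),
    "crypto map": re.compile(r"^crypto map \S+ (\d+) ", re.M),
    "sla monitor": re.compile(r"^sla monitor (\d+)[ \t]*$", re.M),
}
# Value placeholders that must be replaced before the config is applied.
PLACEHOLDER = re.compile(
    r"\b(AWS_ENDPOINT_\d|YOUR_UPLINK_ADDRESS|password_here|outside_interface|"
    r"sla_monitor_address|(?:vpc|local)_subnet(?:_mask)?)\b")
# Settings still at the minimum the sample's own comments describe.
MINIMUM = re.compile(
    r"^[ \t]*(encryption aes|hash sha|group 2|crypto map \S+ \d+ set pfs group2)[ \t]*$",
    re.M)

def audit(existing, template):
    """Return findings to resolve before pasting template into the device."""
    findings = []
    for kind, rx in NUMBERED.items():
        clash = set(rx.findall(existing)) & set(rx.findall(template))
        findings += [f"collision: {kind} {n}" for n in sorted(clash, key=int)]
    findings += [f"placeholder: {p}" for p in sorted(set(PLACEHOLDER.findall(template)))]
    findings += [f"minimum crypto: {m}" for m in sorted(set(MINIMUM.findall(template)))]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(EXISTING, TEMPLATE)))
```

Feed it the output of the device's running configuration as the first argument and the rendered configuration from your integration team as the second; an empty list means none of these three classes of problem were found.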

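How to Test the Customer Gateway Configuration

When you use a Cisco ASA as a customer gateway, only one tunnel is in the UP state. The second tunnel should also be configured, but it is used only if the first tunnel goes down. The second tunnel cannot be in the UP state while the first tunnel is in the UP state. Your console displays that only one tunnel is up and shows the second tunnel as down. This is expected behavior for Cisco ASA customer gateway tunnels, because an ASA acting as a customer gateway supports only a single tunnel being up at a time.

You can test the gateway configuration for each tunnel.

To test the customer gateway configuration for each tunnel

  • Ensure that a static route has been added to the VPN connection so that traffic can get back to your customer gateway. For example, if your local subnet prefix is 198.10.0.0/16, you need to add a static route with that CIDR range to your VPN connection. Make sure that both tunnels have a static route to your VPC.

Next, you must test the connectivity of each tunnel by launching an instance into your VPC and pinging the instance from your home network. Before you begin, make sure of the following:

  • Use an AMI that responds to ping requests. We recommend that you use one of the Amazon Linux AMIs.

  • Configure your instance's security group and network ACL to enable inbound ICMP traffic.

  • Ensure that you have configured routing for your VPN connection: your subnet's route table must contain a route to the virtual private gateway. For more information, see Enable Route Propagation in Your Route Table in the Amazon VPC User Guide.

To test the end-to-end connectivity of each tunnel

  1. Launch an instance of one of the Amazon Linux AMIs into your VPC. The launch wizard lists the Amazon Linux AMIs when you launch an instance from the AWS Management Console. For more information, see the Amazon VPC Getting Started Guide.

  2. After the instance is running, get its private IP address (for example, 10.0.0.4). The console displays the address as part of the instance's details.

  3. On a system in your local network, use the ping command with the instance's IP address. Make sure that the computer you ping from is behind the customer gateway. A successful response should be similar to the following.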

    ping 10.0.0.4
    Pinging 10.0.0.4 with 32 bytes of data:
    
    Reply from 10.0.0.4: bytes=32 time<1ms TTL=128
    Reply from 10.0.0.4: bytes=32 time<1ms TTL=128
    Reply from 10.0.0.4: bytes=32 time<1ms TTL=128
    
    Ping statistics for 10.0.0.4:
    Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
    
    Approximate round trip times in milliseconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

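    Note

    If you ping an instance from your customer gateway router, ensure that you are sourcing ping messages from an internal IP address, not a tunnel IP address. Some AMIs don't respond to ping messages from tunnel IP addresses.

  4. (Optional) To test tunnel failover, you can temporarily disable one of the tunnels on your customer gateway, and then repeat the previous step. You cannot disable a tunnel on the AWS side of the VPN connection.

If your tunnels don't test successfully, see Troubleshooting Cisco ASA Customer Gateway Connectivity.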