gre+IPSE+NAT+策略路由实验

合集下载

相关主题

1、下载文档前请自行甄别文档内容的完整性，平台不提供额外的编辑、内容补充、找答案等附加服务。
2、"仅部分预览"的文档,不可在线预览部分如存在完整性等问题,可反馈申请退款(可完整预览的文档不适用该条件!)。
3、如文档侵犯您的权益，请联系客服反馈,我们会尽快为您处理(人工客服工作时间：9:00-18:30)。

实例1 站点-站点IPSEC VPN+NA T+策略路由配置

要求：

（1）网络10.2.2.0/24 与10.1.1.0/2通信使用VPN

（2）网络10.2.2.0/24 、10.1.1.0/2与Internet通信使用NA T

1.R1的配置

hostname r1

!

crypto isakmp policy 10

hash md5

authentication pre-share

crypto isakmp key cisco123 address 200.1.1.2

!

crypto ipsec transform-set myset esp-des esp-md5-hmac

!

crypto map mymap 10 ipsec-isakmp

set peer 200.1.1.2

set transform-set myset

match address 100

!

interface Ethernet0/0

ip address 10.2.2.1 255.255.255.0

ip nat inside

ip virtual-reassembly

half-duplex

!

interface Ethernet0/1

ip address 100.1.1.1 255.255.255.0

ip nat outside

crypto map mymap

!

ip route 0.0.0.0 0.0.0.0 100.1.1.2

!

ip nat inside source route-map nonat interface Ethernet0/1 overload !

access-list 100 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255 access-list 120 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255 access-list 120 permit ip 10.2.2.0 0.0.0.255 any

!

route-map nonat permit 10

match ip address 120

!

2.R3的配置：

hostname r3

!

crypto isakmp policy 10

hash md5

authentication pre-share

crypto isakmp key cisco123 address 100.1.1.1

!

crypto ipsec transform-set myset esp-des esp-md5-hmac

!

crypto map mymap 10 ipsec-isakmp

set peer 100.1.1.1

set transform-set myset

match address 100

!

interface Ethernet0/0

ip address 10.1.1.1 255.255.255.0

ip nat inside

!

interface Ethernet0/1

ip address 200.1.1.2 255.255.255.0

ip nat outside

crypto map mymap

!

ip route 0.0.0.0 0.0.0.0 200.1.1.1

!

ip nat inside source route-map nonat interface Ethernet0/1 overload

!

access-list 100 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

access-list 120 deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

access-list 120 permit ip 10.1.1.0 0.0.0.255 any

!

route-map nonat permit 10

match ip address 120

!

3.R2的配置

hostname r2

!

interface Ethernet0/0

ip address 200.2.2.1 255.255.255.0

!

interface Ethernet0/1

ip address 100.1.1.2 255.255.255.0

!

interface Ethernet0/2

ip address 200.1.1.1 255.255.255.0

测试：

r1#show crypto isakmp sa

dst src state conn-id slot status

100.1.1.1 200.1.1.2 QM_IDLE 1 0 ACTIVE r1#show crypto ipsec sa

interface: Ethernet0/1

Crypto map tag: mymap, local addr 100.1.1.1

protected vrf: (none)

local ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)

current_peer 200.1.1.2 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 149, #pkts encrypt: 149, #pkts digest: 149