Lab objectives
1. Become familiar with how NAT works.
2. Become familiar with how IPsec VPN works.
3. Use NAT to let devices in the internal network (i.e. the OSPF 2 domain) reach the public network (OSPF 1), while using the VPN to protect internal communication.
Lab topology
Interface IP configuration
R1(config)#interface loopback 0
R1(config-if)#ip address 1.1.1.1 255.255.255.0
R1(config)#interface e0/1
R1(config-if)#ip address 12.12.12.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#interface e0/0
R1(config-if)#ip address 192.168.15.1 255.255.255.0
R1(config-if)#no shutdown
R2(config)#interface loopback 0
R2(config-if)#ip address 2.2.2.2 255.255.255.0
R2(config)#interface e0/1
R2(config-if)#ip address 12.12.12.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#interface e0/2
R2(config-if)#ip address 23.23.23.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#interface e0/3
R2(config-if)#ip address 24.24.24.2 255.255.255.0
R2(config-if)#no shutdown
R3(config)#interface loopback 0
R3(config-if)#ip address 3.3.3.3 255.255.255.0
R3(config)#interface e0/2
R3(config-if)#ip address 23.23.23.3 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#interface e0/0
R3(config-if)#ip address 192.168.36.3 255.255.255.0
R3(config-if)#no shutdown
R4(config-if)#interface e0/3
R4(config-if)#ip address 24.24.24.4 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#interface e0/0
R4(config-if)#ip address 192.168.47.4 255.255.255.0
R4(config-if)#no shutdown
R4(config)#interface loopback 0
R4(config-if)#ip address 4.4.4.4 255.255.255.0
R5(config)#interface loopback 0
R5(config-if)#ip address 10.5.5.5 255.255.255.0
R5(config)#interface e0/0
R5(config-if)#ip address 192.168.15.5 255.255.255.0
R5(config-if)#no shutdown
R6(config)#interface e0/0
R6(config-if)#ip address 192.168.36.6 255.255.255.0
R6(config-if)#no shutdown
R6(config)#interface loopback 0
R6(config-if)#ip address 10.6.6.6 255.255.255.0
R7(config)#interface e0/0
R7(config-if)#ip address 192.168.47.7 255.255.255.0
R7(config-if)#no shutdown
R7(config)#interface loopback 0
R7(config-if)#ip address 10.7.7.7 255.255.255.0
Underlying routing protocol configuration:
R1(config)#router ospf 2
R1(config-router)#network 192.168.15.0 0.0.0.255 area 0
R1(config-router)#router ospf 1
R1(config-router)#network 12.12.12.0 0.0.0.255 area 0
R2(config)#router ospf 1
R2(config-router)#network 2.2.2.2 0.0.0.0 area 0
R2(config-router)#network 23.23.23.0 0.0.0.255 area 0
R2(config-router)#network 24.24.24.0 0.0.0.255 area 0
R2(config-router)#network 12.12.12.0 0.0.0.255 area 0
R3(config)#router ospf 1
R3(config-router)#net 23.23.23.0 0.0.0.255 area 0
R3(config-router)#router ospf 2
R3(config-router)#network 192.168.36.0 0.0.0.255 area 0
R4(config)#router ospf 1
R4(config-router)#network 24.24.24.0 0.0.0.255 area 0
R4(config-router)#router ospf 2
R4(config-router)#network 192.168.47.0 0.0.0.255 area 0
R5(config)#router ospf 1
R5(config-router)#network 192.168.15.0 0.0.0.255 area 0
R5(config-router)#network 10.5.5.5 0.0.0.0 area 0
R6(config)#router ospf 2
R6(config-router)#network 10.6.6.6 0.0.0.0 area 0
R6(config-router)#network 192.168.36.0 0.0.0.255 area 0
R7(config)#router ospf 1
R7(config-router)#network 10.7.7.7 0.0.0.0 area 0
R7(config-router)#network 192.168.47.0 0.0.0.255 area 0
Check that the OSPF adjacencies have formed and make sure R1, R3 and R4 have each learned their own internal routes. At this point R5, R6 and R7 have no way to communicate with 2.2.2.2 on the public network.
R1#show ip os neighbor
Neighbor ID Pri State Dead Time Address Interface
2.2.2.2 1 FULL/BDR 00:00:36 12.12.12.2 Ethernet0/1
10.5.5.5 1 FULL/BDR 00:00:35 192.168.15.5 Ethernet0/0
R3#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
10.6.6.6 1 FULL/BDR 00:00:35 192.168.36.6 Ethernet0/0
2.2.2.2 1 FULL/DR 00:00:36 23.23.23.2 Ethernet0/2
R4#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
10.7.7.7 1 FULL/BDR 00:00:33 192.168.47.7 Ethernet0/0
2.2.2.2 1 FULL/DR 00:00:32 24.24.24.2 Ethernet0/3
R1#show ip route ospf
Gateway of last resort is not set
2.0.0.0/32 is subnetted, 1 subnets
O 2.2.2.2 [110/11] via 12.12.12.2, 00:12:20, Ethernet0/1
10.0.0.0/32 is subnetted, 1 subnets
O 10.5.5.5 [110/11] via 192.168.15.5, 00:10:20, Ethernet0/0
23.0.0.0/24 is subnetted, 1 subnets
O 23.23.23.0 [110/20] via 12.12.12.2, 00:12:20, Ethernet0/1
24.0.0.0/24 is subnetted, 1 subnets
O 24.24.24.0 [110/20] via 12.12.12.2, 00:12:20, Ethernet0/1
R3#show ip route ospf
Gateway of last resort is not set
2.0.0.0/32 is subnetted, 1 subnets
O 2.2.2.2 [110/11] via 23.23.23.2, 00:12:19, Ethernet0/2
10.0.0.0/32 is subnetted, 1 subnets
O 10.6.6.6 [110/11] via 192.168.36.6, 00:06:47, Ethernet0/0
12.0.0.0/24 is subnetted, 1 subnets
O 12.12.12.0 [110/20] via 23.23.23.2, 00:12:19, Ethernet0/2
24.0.0.0/24 is subnetted, 1 subnets
O 24.24.24.0 [110/20] via 23.23.23.2, 00:12:19, Ethernet0/2
R4#show ip route ospf
Gateway of last resort is not set
2.0.0.0/32 is subnetted, 1 subnets
O 2.2.2.2 [110/11] via 24.24.24.2, 00:11:38, Ethernet0/3
10.0.0.0/32 is subnetted, 1 subnets
O 10.7.7.7 [110/11] via 192.168.47.7, 00:06:26, Ethernet0/0
12.0.0.0/24 is subnetted, 1 subnets
O 12.12.12.0 [110/20] via 24.24.24.2, 00:11:38, Ethernet0/3
23.0.0.0/24 is subnetted, 1 subnets
O 23.23.23.0 [110/20] via 24.24.24.2, 00:11:38, Ethernet0/3
Configure a static default route on R1, R3 and R4 pointing to the ISP, and advertise it into the internal network through OSPF.
R1(config)#ip route 0.0.0.0 0.0.0.0 12.12.12.2
R1(config)#router ospf 2
R1(config-router)#default-information originate
R3(config)#ip route 0.0.0.0 0.0.0.0 23.23.23.2
R3(config)#router ospf 2
R3(config-router)#default-information originate
R4(config)#ip route 0.0.0.0 0.0.0.0 24.24.24.2
R4(config)#router ospf 2
R4(config-router)#default-information originate
After the above configuration, verify that R5, R6 and R7 have obtained the default route through OSPF.
R5#show ip route ospf
Gateway of last resort is 192.168.15.1 to network 0.0.0.0
O*E2 0.0.0.0/0 [110/1] via 192.168.15.1, 00:02:22, Ethernet0/0
R6#show ip route ospf
Gateway of last resort is 192.168.36.3 to network 0.0.0.0
O*E2 0.0.0.0/0 [110/1] via 192.168.36.3, 00:01:30, Ethernet0/0
R7#show ip route ospf
Gateway of last resort is 192.168.47.4 to network 0.0.0.0
O*E2 0.0.0.0/0 [110/1] via 192.168.47.4, 00:01:57, Ethernet0/0
Meanwhile we find that R5, R6 and R7 still cannot reach the public network: packets can go out, but they cannot return.
R6#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Configure NAT on R1, R3 and R4.
R1(config)#interface e0/0
R1(config-if)#ip nat inside
R1(config-if)#interface e0/1
R1(config-if)#ip nat outside
R1(config)#access-list 105 deny ip 10.5.5.0 0.0.0.255 10.6.6.0 0.0.0.255
R1(config)#access-list 105 deny ip 10.5.5.0 0.0.0.255 10.7.7.0 0.0.0.255
R1(config)#access-list 105 permit ip 10.5.5.0 0.0.0.255 any
R1(config)#ip nat inside source list 105 interface e0/1 overload
R3(config)#interface e0/0
R3(config-if)#ip nat inside
R3(config-if)#interface e0/2
R3(config-if)#ip nat outside
R3(config)#access-list 106 deny ip 10.6.6.0 0.0.0.255 10.5.5.0 0.0.0.255
R3(config)#access-list 106 permit ip 10.6.6.0 0.0.0.255 any
R3(config)#ip nat inside source list 106 interface e0/2 overload
R4(config)#interface e0/0
R4(config-if)#ip nat inside
R4(config-if)#interface e0/3
R4(config-if)#ip nat outside
R4(config)#access-list 107 deny ip 10.7.7.0 0.0.0.255 10.5.5.0 0.0.0.255
R4(config)#access-list 107 permit ip 10.7.7.0 0.0.0.255 any
R4(config)#ip nat inside source list 107 interface e0/3 overload
Create tunnels on R1, R3 and R4 to share routing information.
R1(config)#interface tunnel 13
R1(config-if)#ip address 172.16.13.1 255.255.255.0
R1(config-if)#tunnel source e0/1
R1(config-if)#tunnel destination 23.23.23.3
R1(config-if)#tunnel mode gre ip
R1(config-if)#ip ospf 2 area 0
R1(config)#interface tunnel 14
R1(config-if)#ip address 172.16.14.1 255.255.255.0
R1(config-if)#tunnel source e0/1
R1(config-if)#tunnel destination 24.24.24.4
R1(config-if)#tunnel mode gre ip
R1(config-if)#ip ospf 2 area 0
R3(config)#interface tunnel 13
R3(config-if)#ip address 172.16.13.3 255.255.255.0
R3(config-if)#tunnel source e0/2
R3(config-if)#tunnel destination 12.12.12.1
R3(config-if)#tunnel mode gre ip
R3(config-if)#ip ospf 2 area 0
R4(config)#interface tunnel 14
R4(config-if)#ip address 172.16.14.4 255.255.255.0
R4(config-if)#tunnel source e0/3
R4(config-if)#tunnel destination 12.12.12.1
R4(config-if)#tunnel mode gre ip
R4(config-if)#ip ospf 2 area 0
Confirm that R5, R6 and R7 learn each other's routes and can ping each other.
R5#show ip route ospf
Gateway of last resort is 192.168.15.1 to network 0.0.0.0
O*E2 0.0.0.0/0 [110/1] via 192.168.15.1, 00:38:13, Ethernet0/0
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O 10.6.6.6/32 [110/1021] via 192.168.15.1, 00:06:20, Ethernet0/0
O 10.7.7.7/32 [110/1021] via 192.168.15.1, 00:01:59, Ethernet0/0
172.16.0.0/24 is subnetted, 2 subnets
O 172.16.13.0 [110/1010] via 192.168.15.1, 00:13:26, Ethernet0/0
O 172.16.14.0 [110/1010] via 192.168.15.1, 00:01:59, Ethernet0/0
O 192.168.36.0/24 [110/1020] via 192.168.15.1, 00:06:20, Ethernet0/0
O 192.168.47.0/24 [110/1020] via 192.168.15.1, 00:01:59, Ethernet0/0
R5#ping 10.6.6.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.6.6.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R5#ping 10.7.7.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.7.7.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Set up IPsec VPN communication on R1, R3 and R4.
R1(config)#crypto isakmp enable
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption des
R1(config-isakmp)#hash md5
R1(config-isakmp)#group 1
R1(config)#crypto isakmp key cisco address 172.16.13.3
R1(config)#crypto isakmp key cisco address 172.16.14.4
R1(config)#ip access-list extended vpn
R1(config-ext-nacl)#permit ip 10.5.5.0 0.0.0.255 10.6.6.0 0.0.0.255
R1(config-ext-nacl)#permit ip 10.5.5.0 0.0.0.255 10.7.7.0 0.0.0.255
R1(config)#crypto ipsec transform-set r1-tr esp-des esp-md5-hmac
R1(cfg-crypto-trans)#mode tunnel
R1(config)#crypto map r1-map 1 ipsec-isakmp
R1(config-crypto-map)#set peer 172.16.13.3
R1(config-crypto-map)#set peer 172.16.14.4
R1(config-crypto-map)#set transform-set r1-tr
R1(config-crypto-map)#match address vpn
R1(config)#interface tunnel 13
R1(config-if)#crypto map r1-map
R1(config-if)#interface tunnel 14
R1(config-if)#crypto map r1-map
R3(config)#crypto isakmp enable
R3(config)#crypto isakmp policy 1
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#encryption des
R3(config-isakmp)#hash md5
R3(config-isakmp)#group 1
R3(config)#crypto isakmp key cisco address 172.16.13.1
R3(config)#ip access-list extended vpn
R3(config-ext-nacl)#permit ip 10.6.6.0 0.0.0.255 10.5.5.0 0.0.0.255
R3(config)#crypto ipsec transform-set r3-tr esp-des esp-md5-hmac
R3(cfg-crypto-trans)#mode tunnel
R3(config)#crypto map r3-map 1 ipsec-isakmp
R3(config-crypto-map)#set peer 172.16.13.1
R3(config-crypto-map)#set transform-set r3-tr
R3(config-crypto-map)#match address vpn
R3(config)#interface tunnel 13
R3(config-if)#crypto map r3-map
R4(config)#crypto isakmp enable
R4(config)#crypto isakmp policy 1
R4(config-isakmp)#authentication pre-share
R4(config-isakmp)#encryption des
R4(config-isakmp)#hash md5
R4(config-isakmp)#group 1
R4(config)#crypto isakmp key cisco address 172.16.14.1
R4(config)#ip access-list extended vpn
R4(config-ext-nacl)#permit ip 10.7.7.0 0.0.0.255 10.5.5.0 0.0.0.255
R4(config)#crypto ipsec transform-set r4-tr esp-des esp-md5-hmac
R4(cfg-crypto-trans)#mode tunnel
R4(config)#crypto map r4-map 1 ipsec-isakmp
R4(config-crypto-map)#set peer 172.16.14.1
R4(config-crypto-map)#set transform-set r4-tr
R4(config-crypto-map)#match address vpn
R4(config)#interface tunnel 14
R4(config-if)#crypto map r4-map
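The NAT ACLs above deliberately deny the flows the crypto ACLs protect, so those packets reach the crypto map with their original source addresses. The following Python model is added here and is not part of the original lab; it transcribes R1's ACL 105 and ACL vpn, evaluates them at the policy level (it does not model the full IOS order of operations), and checks that every crypto-protected prefix pair is exempted from translation.

```python
import ipaddress

def wildcard_to_network(addr, wildcard):
    """Convert a Cisco address/wildcard pair (e.g. 10.5.5.0 0.0.0.255) to a network."""
    host_bits = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{32 - host_bits}", strict=False)

def ace(action, src, src_wc, dst, dst_wc):
    return (action, wildcard_to_network(src, src_wc), wildcard_to_network(dst, dst_wc))

ANY = ("0.0.0.0", "255.255.255.255")

# R1's NAT ACL 105 and crypto ACL "vpn", transcribed from the lab configuration
NAT_ACL_105 = [
    ace("deny", "10.5.5.0", "0.0.0.255", "10.6.6.0", "0.0.0.255"),
    ace("deny", "10.5.5.0", "0.0.0.255", "10.7.7.0", "0.0.0.255"),
    ace("permit", "10.5.5.0", "0.0.0.255", *ANY),
]
CRYPTO_ACL_VPN = [
    ace("permit", "10.5.5.0", "0.0.0.255", "10.6.6.0", "0.0.0.255"),
    ace("permit", "10.5.5.0", "0.0.0.255", "10.7.7.0", "0.0.0.255"),
]
# Constructed misconfiguration (not from the lab): the same NAT ACL without the deny entries
NAT_ACL_NO_EXEMPTION = [ace("permit", "10.5.5.0", "0.0.0.255", *ANY)]

def permitted(acl, src, dst):
    """First-match ACL evaluation with the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in acl:
        if s in snet and d in dnet:
            return action == "permit"
    return False

def classify(src, dst, nat_acl=NAT_ACL_105, crypto_acl=CRYPTO_ACL_VPN):
    """How R1 treats a flow: translated by PAT, protected by IPsec, or neither."""
    encrypt = permitted(crypto_acl, src, dst)
    translate = permitted(nat_acl, src, dst)
    if encrypt and translate:
        # IOS translates inside-to-outside traffic before the crypto map is checked,
        # so the source becomes 12.12.12.1, the crypto ACL no longer matches,
        # and the flow leaves in clear text.
        return "broken"
    return "ipsec" if encrypt else ("nat" if translate else "plain")

def nat_exempts_vpn_traffic(nat_acl, crypto_acl):
    """Every prefix pair the crypto ACL protects must be covered by a NAT deny entry."""
    return all(
        any(a == "deny" and s.subnet_of(ns) and d.subnet_of(nd) for a, ns, nd in nat_acl)
        for action, s, d in crypto_acl if action == "permit"
    )
```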
After the above configuration is complete, use ping to test connectivity between R5 and R6, and between R5 and R7.
R5#ping 10.6.6.6 source 10.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.6.6.6, timeout is 2 seconds:
Packet sent with a source address of 10.5.5.5
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 2/2/3 ms
R5#ping 10.7.7.7 source 10.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.7.7.7, timeout is 2 seconds:
Packet sent with a source address of 10.5.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
R1#show crypto engine connections active
Crypto Engine Connections
ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address
1 IPsec DES+MD5 0 9 9 172.16.13.1
2 IPsec DES+MD5 9 0 0 172.16.13.1
3 IPsec DES+MD5 0 5 5 172.16.14.1
4 IPsec DES+MD5 5 0 0 172.16.14.1
1001 IKE MD5+DES 0 0 0 172.16.13.1
1002 IKE MD5+DES 0 0 0 172.16.14.1
The output above shows that the VPN is working and that the data passing through it is being encrypted and decrypted.
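A small verification script, added here and not part of the original lab, that parses the "show crypto engine connections active" output captured from R1 above (embedded as sample input), confirms that each tunnel has both encrypted and decrypted traffic, and flags the DES and MD5 algorithms chosen in the lab, which are deprecated for IPsec; the list of weak algorithms is an assumption of this script, not something the page states.

```python
import re

# Sample input: R1's output from the lab, whitespace collapsed as on the page
SAMPLE = """\
Crypto Engine Connections
ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address
1 IPsec DES+MD5 0 9 9 172.16.13.1
2 IPsec DES+MD5 9 0 0 172.16.13.1
3 IPsec DES+MD5 0 5 5 172.16.14.1
4 IPsec DES+MD5 5 0 0 172.16.14.1
1001 IKE MD5+DES 0 0 0 172.16.13.1
1002 IKE MD5+DES 0 0 0 172.16.14.1
"""

ROW = re.compile(r"^(\d+)\s+(IPsec|IKE)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")

# Assumption: algorithms considered inadequate today (not a list from the lab page)
WEAK_ALGORITHMS = {"DES", "3DES", "MD5"}

def parse(text):
    """Return one dict per connection row; header and title lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({"id": int(m[1]), "type": m[2], "algorithm": m[3],
                         "encrypt": int(m[4]), "decrypt": int(m[5]),
                         "local_addr": m[7]})   # IP-Address is the local tunnel address
    return rows

def traffic_per_tunnel(rows):
    """Sum IPsec encrypt/decrypt counters per local tunnel address (inbound+outbound SA)."""
    totals = {}
    for r in rows:
        if r["type"] == "IPsec":
            enc, dec = totals.get(r["local_addr"], (0, 0))
            totals[r["local_addr"]] = (enc + r["encrypt"], dec + r["decrypt"])
    return totals

def vpn_is_protecting(rows):
    """True only if every tunnel shows traffic in both directions."""
    totals = traffic_per_tunnel(rows)
    return bool(totals) and all(enc > 0 and dec > 0 for enc, dec in totals.values())

def weak_algorithms(rows):
    """Set of deprecated algorithms negotiated on any IKE or IPsec SA."""
    return {alg for r in rows for alg in r["algorithm"].split("+") if alg in WEAK_ALGORITHMS}
```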