IPsec ××× has two encapsulation formats: AH and ESP. Because AH's integrity check covers the packet's source and destination IP addresses, NAT must never be deployed on the path; otherwise the receiving end fails the integrity check on the packet and drops it. ESP can be deployed behind NAT, but not behind PAT, because the packet carries no transport-layer header, so no port translation can be performed and the packet is dropped on R3. Cisco IOS 12.4 introduced NAT traversal (NAT-T) to solve this problem: the packets exchanged in IKE phase 1 carry a VID (vendor ID) field that indicates whether the router supports NAT-T, and in messages 3 and 4 the peers exchange NAT-D payloads (a hash over the source IP and source port, or over the destination IP and destination port). By comparing these hashes the peers learn whether NAT traversal is needed, and every subsequent packet then gets a UDP/4500 header inserted after the IP header, which is what makes PAT possible. Below is a deployment configuration example!
R1============================================================================
hostname R1
ip cef
crypto isakmp policy 10
authentication pre-share
crypto isakmp key Cisco address 23.1.1.3
!
!
crypto ipsec transform-set CCIE esp-des esp-md5-hmac
!
crypto map Cisco 10 ipsec-isakmp
set peer 23.1.1.3
set transform-set CCIE
match address 100
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 12.1.1.1 255.255.255.0
duplex auto
speed auto
crypto map Cisco
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 12.1.1.2
!
!
!
access-list 100 permit ip host 1.1.1.1 host 4.4.4.4
R2===========================================================================
hostname R2
interface FastEthernet0/0
ip address 23.1.1.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 12.1.1.2 255.255.255.0
duplex auto
speed auto
R3==========================================================================
hostname R3
interface FastEthernet0/0
ip address 34.1.1.3 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 23.1.1.3 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 FastEthernet1/0 23.1.1.2
ip route 4.4.4.4 255.255.255.255 FastEthernet0/0 34.1.1.4
!
!
ip nat inside source list 100 interface FastEthernet1/0 overload
!
access-list 100 permit udp host 34.1.1.4 host 12.1.1.1 eq isakmp
access-list 100 permit udp host 34.1.1.4 host 12.1.1.1 eq non500-isakmp
R4============================================================================
hostname R4
crypto isakmp policy 10
authentication pre-share
crypto isakmp key Cisco address 12.1.1.1
!
!
crypto ipsec transform-set CCIE esp-des esp-md5-hmac
!
crypto map Cisco 10 ipsec-isakmp
set peer 12.1.1.1
set transform-set CCIE
match address 100
!
interface Loopback0
ip address 4.4.4.4 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 34.1.1.4 255.255.255.0
duplex auto
speed auto
crypto map Cisco
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 FastEthernet1/0 34.1.1.3
!
access-list 100 permit ip host 4.4.4.4 host 1.1.1.1
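As an added worked example (not from the original post), the NAT-D check and the UDP/4500 encapsulation described above, using the addresses from the configs: R4 (34.1.1.4) is PATed by R3 to 23.1.1.3, R1 (12.1.1.1) is not translated. The IKE cookies, the PAT source port and the SHA-1 IKE hash are assumptions, not values taken from the page.

```python
import hashlib
import ipaddress
import struct

# Constructed IKE cookies (assumption, not values from the page).
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")
IKE_HASH = "sha1"  # assumption: IOS default hash for an isakmp policy with no "hash" line

def nat_d(ip, port):
    """NAT-D payload per RFC 3947: HASH(CKY-I | CKY-R | IP | Port)."""
    h = hashlib.new(IKE_HASH)
    h.update(CKY_I + CKY_R + ipaddress.ip_address(ip).packed + struct.pack("!H", port))
    return h.digest()

def nat_detected(received_nat_d, observed_ip, observed_port):
    """The receiver hashes the source IP/port it actually saw on the wire and
    compares it with the NAT-D the sender computed over its own address.
    A mismatch means a NAT/PAT rewrote that side's address or port."""
    return received_nat_d != nat_d(observed_ip, observed_port)

def detect_for_topology():
    # R4 (34.1.1.4:500) initiates through R3, which PATs it to 23.1.1.3 with a
    # translated source port (1024 is a constructed value); R1 is not translated.
    r4_behind_nat = nat_detected(nat_d("34.1.1.4", 500), "23.1.1.3", 1024)
    r1_behind_nat = nat_detected(nat_d("12.1.1.1", 500), "12.1.1.1", 500)
    return {"r4_behind_nat": r4_behind_nat, "r1_behind_nat": r1_behind_nat,
            "float_to_udp4500": r4_behind_nat or r1_behind_nat}

def udp_encapsulate(esp_packet, sport=4500, dport=4500):
    """RFC 3948 UDP encapsulation inserted after the IP header once NAT is
    detected: UDP header (checksum sent as zero) followed directly by ESP,
    which gives R3 the port field its PAT translation needs."""
    length = 8 + len(esp_packet)
    return struct.pack("!HHHH", sport, dport, length, 0) + esp_packet

if __name__ == "__main__":
    print(detect_for_topology())
    esp = struct.pack("!II", 0x1000, 1) + b"\x00" * 16  # constructed ESP: SPI, seq, payload
    print(len(udp_encapsulate(esp)))  # 32
```

Only the source-address NAT-D of each peer is checked here; a real exchange also carries a NAT-D for the destination address, compared the same way.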
Reposted from: https://blog.51cto.com/8947509/1434313