
IPSec ××× has two encapsulation formats: AH and ESP. Because AH's integrity check covers the source and destination IP addresses of the packet, NAT can never be deployed on the path: the receiving end fails the integrity check and drops the packet. ESP tolerates NAT but not PAT, because the ESP packet carries no transport-layer header, so there are no ports to translate and the packet is dropped on R3. Cisco IOS 12.4 introduced NAT traversal (NAT-T) to solve this. During IKE phase 1, a VID field in the negotiation packets signals whether the router supports NAT-T; in the 3rd and 4th packets the peers exchange NAT-D payloads (a hash of the source IP and source port, or of the destination IP and destination port). By comparing the exchanged hashes the peers learn whether a NAT translation has taken place, and from then on every packet carries an additional UDP/4500 header after the IP header, which makes PAT possible. The deployment configuration example follows.


R1============================================================================
hostname R1
!
ip cef
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key Cisco address 23.1.1.3
!
crypto ipsec transform-set CCIE esp-des esp-md5-hmac
!
crypto map Cisco 10 ipsec-isakmp
 set peer 23.1.1.3
 set transform-set CCIE
 match address 100
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 12.1.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map Cisco
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 12.1.1.2
!
access-list 100 permit ip host 1.1.1.1 host 4.4.4.4


R2===========================================================================
hostname R2
!
interface FastEthernet0/0
 ip address 23.1.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 12.1.1.2 255.255.255.0
 duplex auto
 speed auto


R3==========================================================================
hostname R3
!
interface FastEthernet0/0
 ip address 34.1.1.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 23.1.1.3 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 FastEthernet1/0 23.1.1.2
ip route 4.4.4.4 255.255.255.255 FastEthernet0/0 34.1.1.4
!
ip nat inside source list 100 interface FastEthernet1/0 overload
!
access-list 100 permit udp host 34.1.1.4 host 12.1.1.1 eq isakmp
access-list 100 permit udp host 34.1.1.4 host 12.1.1.1 eq non500-isakmp


R4============================================================================
hostname R4
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key Cisco address 12.1.1.1
!
crypto ipsec transform-set CCIE esp-des esp-md5-hmac
!
crypto map Cisco 10 ipsec-isakmp
 set peer 12.1.1.1
 set transform-set CCIE
 match address 100
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 34.1.1.4 255.255.255.0
 duplex auto
 speed auto
 crypto map Cisco
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 FastEthernet1/0 34.1.1.3
!
access-list 100 permit ip host 4.4.4.4 host 1.1.1.1
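To show what the NAT-D comparison in the introduction actually computes, here is an added Python model of the exchange in this topology (R4 at 34.1.1.4 behind R3's PAT, seen by R1 as 23.1.1.3; R1 at 12.1.1.1) plus the UDP/4500 encapsulation that follows. It is example code written for this page, not the routers' implementation; the ISAKMP cookies, the translated source port 1024 and the SHA-1 hash are constructed assumptions.

```python
import hashlib
import ipaddress
import struct

# Constructed ISAKMP cookies (CKY-I / CKY-R); any 8-byte values work for the demo.
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")

def nat_d(ip: str, port: int, hash_name: str = "sha1") -> bytes:
    """RFC 3947 NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port).
    The hash is the one negotiated in phase 1; SHA-1 is assumed here."""
    data = CKY_I + CKY_R + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()

def build_nat_d(my_ip, my_port, peer_ip, peer_port):
    """Sender side: first the hash of the peer (destination), then of itself (source)."""
    return nat_d(peer_ip, peer_port), nat_d(my_ip, my_port)

def check_nat_d(my_ip, my_port, seen_peer_ip, seen_peer_port, received):
    """Receiver side: compare the received hashes with the addresses seen on the wire.
    Returns (peer_behind_nat, i_am_behind_nat)."""
    dst_hash, src_hash = received
    i_am_behind_nat = dst_hash != nat_d(my_ip, my_port)
    peer_behind_nat = src_hash != nat_d(seen_peer_ip, seen_peer_port)
    return peer_behind_nat, i_am_behind_nat

def udp_encap(payload: bytes, ike: bool, port: int = 4500) -> bytes:
    """RFC 3948 UDP encapsulation: a UDP/4500 header, then either ESP directly
    (SPI is never 0) or IKE behind a 4-byte zero Non-ESP marker to tell them apart."""
    body = (b"\x00\x00\x00\x00" if ike else b"") + payload
    header = struct.pack("!HHHH", port, port, 8 + len(body), 0)  # checksum 0: not used
    return header + body

def demo():
    # R4 hashes the addresses it knows; R1 sees the packet arrive from 23.1.1.3 with
    # the PAT-translated port 1024 (constructed), so the source hash fails to match.
    r4_sends = build_nat_d("34.1.1.4", 500, "12.1.1.1", 500)
    r1_view = check_nat_d("12.1.1.1", 500, "23.1.1.3", 1024, r4_sends)
    # R1 replies with hashes of the translated address; R4 learns it sits behind NAT.
    r1_sends = build_nat_d("12.1.1.1", 500, "23.1.1.3", 1024)
    r4_view = check_nat_d("34.1.1.4", 500, "12.1.1.1", 500, r1_sends)
    return r1_view, r4_view

if __name__ == "__main__":
    print(demo())
```

Once either side detects a mismatch, both switch to the UDP/4500 framing from `udp_encap`, which is why R3's access list must also permit `non500-isakmp`.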