思科路由器Ez***解决地址重叠测试

一.概述:
  Ez***,如果硬件客户端身后的地址,与Ez*** server身后的地址重叠,即使是client模式的单向访问也无法实现,需要配置静态NAT,为了不影响总部上公网,需要把静态NAT与动态PAT分开。
二.基本思路:
A.Ez*** Client模式:
----这种只是分支机构单向访问总部,在总部配置静态NAT,使得分支机构访问总部主机时认为是另外一个网段的地址
----为了能够使得总部配置静态NAT还能上公网,总部路由器的内网口和外网口作为ip nat enable的一对口,配置PAT;将loopback和外网口分别配置ip nat inside和ip nat outside,作为一对口,配置静态NAT,同时为了使流量能够到达loopback口,在内网口配置PBR,将需要***的流量打到loopback口,流量在进行***之前就进行静态NAT。
B.Ez*** network-extension或network-plus模式:
----这两种种方式,因为可以双方向互访,为了实现双方向互访,需要总部配置对内和对外的两条静态NAT,同时为了能把静态NAT和动态PAT上公网的流量分开,采用不同的NAT配置方法来实现。
三.测试拓扑:
172844815.jpg

四.基本配置:
A.总部Server路由器:
interface Ethernet0/0
ip address 10.1.1.2 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.1
B.总部Center路由器:
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
no shut
interface Ethernet0/1
ip address 202.100.1.1 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 202.100.1.10
C.Internet路由器:
interface Ethernet0/0
ip address 202.100.1.10 255.255.255.0
no shut
interface Ethernet0/1
ip address 202.100.2.10 255.255.255.0
no shut
D.Branch路由器:
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
no shut
interface Ethernet0/1
ip address 202.100.2.1 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 202.100.2.10
E.分支inside路由器:
interface Ethernet0/0
ip address 10.1.1.2 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.1
五.Ez***配置:
A.Ez*** Server总部Center路由器:
①第一阶段:

crypto isakmp policy 10
authentication pre-share
en des
group 2
hash md5
crypto isakmp client configuration group ipsecgroup
key cisco
②第1.5阶段XAUTH配置:
aaa new-model
aaa authentication login noacs line none
line console 0
 login authentication noacs
line aux 0
 login authentication noacs
username xll password xll
aaa authentication login xauth-authen local
③第1.5阶段MODE-CFG配置:
ip local pool ippool 123.1.1.100 123.1.1.200
ip access-list extended split
permit ip 172.16.1.0 0.0.0.255 any
aaa authorization network mcfg-author local
crypto isakmp client configuration group ipsecgroup
 pool ippool
 acl split
④第2阶段转换集与动态map配置:
crypto ipsec transform-set ez***set esp-des esp-md5-hmac
crypto dynamic-map dymap 10
set transform-set ez***set
reverse-route
⑤第2阶段crypto map配置:
crypto map cry-map client authentication list xauth-authen
crypto map cry-map isakmp authorization list mcfg-author
crypto map cry-map client configuration address respond
crypto map cry-map 10 ipsec-isakmp dynamic dymap
interface E0/1
crypto map cry-map
B.Ez***硬件客户端Branch路由器配置:
①Ez***基本配置:

crypto ipsec client ez*** Ez-Client
connect manual
group ipsecgroup key cisco
mode client
peer 202.100.1.1
interface e0/0
crypto ipsec client ez*** Ez-Client inside
interface e0/1
crypto ipsec client ez*** Ez-Client outside
②手动触发Ez***连接:
crypto ipsec client ez*** connect
crypto ipsec client ez*** xauth
Username: xll
Password: xll
Branch#
*Mar  1 00:05:21.047: %CRYPTO-6-EZ***_CONNECTION_UP: (Client)  User=  Group=ipsecgroup  Client_public_addr=202.100.2.1  Server_public_addr=202.100.1.1  Assigned_client_addr=123.1.1.100  
Branch#show crypto ipsec client ez***
Easy *** Remote Phase: 4

Tunnel name : Ez-Client
Inside interface list: Ethernet0/0
Outside interface: Ethernet0/1
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 123.1.1.100
Mask: 255.255.255.255
Save Password: Disallowed
Split Tunnel List: 1
      Address    : 172.16.1.0
      Mask       : 255.255.255.0
      Protocol   : 0x0
      Source Port: 0
      Dest Port  : 0
Current Ez*** Peer: 202.100.1.1
----这时虽然***能连接上去但是,无法连接内网
六.NAT及策略路由配置:
A.动态PAT配置:
①总部Center路由器配置:
interface Ethernet0/0
ip nat enable
interface Ethernet0/1
ip nat enable
ip access-list extended Internet
deny   ip 10.1.1.0 0.0.0.255 123.1.1.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 any
ip nat source list Internet interface Ethernet0/1 overload
测试:
Server#ping 202.100.1.10  

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/105/216 ms
Server#
②分支branch路由器配置:
interface Ethernet0/0
ip nat enable
interface Ethernet0/1
ip nat enable
ip access-list extended Internet
deny   ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 any
ip nat source list Internet interface Ethernet0/1 overload
测试:
Inside#ping 202.100.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/60/120 ms
B.静态NAT及策略路由配置:
---只需在总部Center路由器上配置
interface Loopback0
ip address 1.1.1.1 255.255.255.252
ip nat inside
interface Ethernet0/1
ip nat outside
ip nat inside source static network 10.1.1.0 172.16.1.0 /24
ip access-list extended ***
permit ip 10.1.1.0 0.0.0.255 123.1.1.0 0.0.0.255
route-map *** permit 10
match ip address ***
set interface Loopback0
interface Ethernet0/0
ip policy route-map ***
C.测试:
clear crypto ipsec client ez***
crypto ipsec client ez*** connect
crypto ipsec client ez*** xauth
Username: xll
Password: xll
*Mar  1 00:09:33.803: %CRYPTO-6-EZ***_CONNECTION_UP: (Client)  User=  Group=ipsecgroup  Client_public_addr=202.100.2.1  Server_public_addr=202.100.1.1  Assigned_client_addr=123.1.1.101  
Branch#
Inside#ping 172.16.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 196/265/392 ms
Inside#
七.后记:
----如果Ez***采用的是网络拓展模式或者网络拓展加模式,因为两边都可以主动发起访问,配置的方式跟上面有所不同,跟L2L IPSEC ***类似:
A.动态PAT配置:
①总部Center路由器配置:

interface Ethernet0/0
ip nat enable
interface Ethernet0/1
ip nat enable
ip access-list extended Internet
deny   ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 any
ip nat source list Internet interface Ethernet0/1 overload
②分支branch路由器配置:
interface Ethernet0/0
ip nat enable
interface Ethernet0/1
ip nat enable
ip access-list extended Internet
deny   ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 any
ip nat source list Internet interface Ethernet0/1 overload
B.静态NAT及策略路由配置:
①总部Center路由器:

interface Loopback0
ip address 1.1.1.1 255.255.255.252
ip nat inside
interface Ethernet0/1
ip nat outside
ip nat inside source   static network 10.1.1.0 172.16.1.0 /24
ip nat Outside source  static network 10.1.1.0 192.168.1.0 /24
ip access-list extended ***
permit ip 10.1.1.0 0.0.0.255 192.168.1.0  0.0.0.255
route-map *** permit 10
match ip address ***
set interface Loopback0
interface Ethernet0/0
ip policy route-map ***
②分支Branch路由器
interface Loopback0
ip address 192.168.1.1 255.255.255.0
crypto ipsec client ez*** Ez-Client inside
----这个将分支机构被NAT的网络通过反向路由注入的方式注入到总部Center路由器
----测试时发现如果Server不配置反向路由注入,即使配置了隧道分离,客户端还是把***流量送到了互联网。
C.测试:
clear crypto ipsec client ez***
crypto ipsec client ez*** connect
crypto ipsec client ez*** xauth
Username: xll
Password: xll
Branch#
*Mar  1 00:11:53.395: %CRYPTO-6-EZ***_CONNECTION_UP: (Client)  User=  Group=ipsecgroup  Client_public_addr=202.100.2.1  Server_public_addr=202.100.1.1  NEM_Remote_Subnets=10.1.1.0/255.255.255.0  192.168.1.0/255.255.255.0    

Inside#ping 172.16.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 192/258/348 ms
Inside#
----ping的同时在对方debug ip icmp,可以看到回包
Server#
*Mar  2 22:11:07.472: ICMP: echo reply sent, src 10.1.1.2, dst 192.168.1.2
*Mar  2 22:11:07.740: ICMP: echo reply sent, src 10.1.1.2, dst 192.168.1.2
*Mar  2 22:11:07.972: ICMP: echo reply sent, src 10.1.1.2, dst 192.168.1.2
*Mar  2 22:11:08.160: ICMP: echo reply sent, src 10.1.1.2, dst 192.168.1.2
*Mar  2 22:11:08.412: ICMP: echo reply sent, src 10.1.1.2, dst 192.168.1.2

反过来也能通:
Server#ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 176/248/372 ms
Inside#
*Mar  2 19:21:54.933: ICMP: echo reply sent, src 10.1.1.2, dst 172.16.1.2
*Mar  2 19:21:55.273: ICMP: echo reply sent, src 10.1.1.2, dst 172.16.1.2
*Mar  2 19:21:55.481: ICMP: echo reply sent, src 10.1.1.2, dst 172.16.1.2
*Mar  2 19:21:55.669: ICMP: echo reply sent, src 10.1.1.2, dst 172.16.1.2
*Mar  2 19:21:55.857: ICMP: echo reply sent, src 10.1.1.2, dst 172.16.1.2

已标记关键词 清除标记
相关推荐
<p> <strong><span style="font-size:16px;color:#003399;">会用Python分析金融数据 or 金融行业会用Python</span></strong> </p> <p> <strong><span style="font-size:16px;color:#003399;">职场竞争力更高</span></strong> </p> <p> <br /> </p> <p> <img src="https://img-bss.csdnimg.cn/202012231042221925.png" alt="" /> </p> <p> <br /> </p> <p> <br /> </p> <p> <strong><span style="font-size:16px;color:#003399;">Python金融数据分析入门到实战</span></strong> </p> <p> <strong><span style="font-size:16px;color:#003399;">Get√金融行业数据分析必备技能</span></strong> </p> <p> <img src="https://img-bss.csdnimg.cn/202012231042438069.png" alt="" /> </p> <p> <br /> </p> <p> <br /> </p> <p> <strong><span style="font-size:16px;color:#003399;">以股票量化交易为应用场景</span></strong> </p> <p> <strong><span style="font-size:16px;color:#003399;">完成技术指标实现的全过程</span></strong> </p> <p> <br /> </p> <p> <span style="font-size:14px;">课程选取股票量化交易为应用场景,由股票数据的获取、技术指标的实现,逐步进阶到策略的设计</span><span style="font-size:14px;">和回测,由浅入深、由技术到思维地为同学们讲解Python金融数据分析在股票量化交易中的应用</span><span style="font-size:14px;">。</span> </p> <p> <br /> </p> <p> <span style="font-size:14px;"><br /> </span> </p> <p> <img src="https://img-bss.csdnimg.cn/202012231043183686.png" alt="" /> </p> <p> <br /> </p> <p> <br /> </p> <p> <strong><span style="font-size:16px;color:#003399;">以Python为编程语言</span></strong> </p> <p> <strong><span style="font-size:16px;color:#003399;">解锁3大主流数据分析工具</span></strong> </p> <p> <br /> </p> <p> <span style="font-size:14px;">Python做金融具有先天优势,课程提取了Python数据分析工具NumPy、Pandas及可视化工具</span><span style="font-size:14px;">Matplotlib的关键点详细讲解,帮助同学掌握数据分析的关键技能。</span> </p> <p> <img src="https://img-bss.csdnimg.cn/202012231043472858.png" alt="" /> </p> <p> <strong><span style="font-size:16px;color:#003399;"><br /> </span></strong> </p> <p> <strong><span style="font-size:16px;color:#003399;">2大购课福利</span></strong> </p> <p> <strong><span style="font-size:16px;color:#003399;"><br /> </span></strong> </p> <p> <img src="https://img-bss.csdnimg.cn/202012300628195864.png" alt="" /> </p>
©️2020 CSDN 皮肤主题: 大白 设计师:CSDN官方博客 返回首页