案例拓扑图

clip_p_w_picpath002[4]

思科(3640)实现

Step 1:A路由器的基本配置

A(config)#do sho run

Building configuration...

Current configuration : 1410 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname A

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 5

!

!

ip cef

no ip domain lookup

ip domain name lab.local

!

crypto isakmp policy 1

authentication pre-share

crypto isakmp key 123 address 61.130.132.1

crypto isakmp key 123 address 61.130.133.1

!

!

crypto ipsec transform-set ***c ah-md5-hmac esp-des esp-md5-hmac

crypto ipsec transform-set ***b ah-md5-hmac esp-des esp-md5-hmac

!

crypto map ***-set 100 ipsec-isakmp

set peer 61.130.132.1

set transform-set ***b

match address 110

crypto map ***-set 200 ipsec-isakmp

set peer 61.130.133.1

set transform-set ***c

match address 120

!

!

!

!

!

interface Loopback0

ip address 192.168.1.254 255.255.255.0

!

interface FastEthernet0/0

ip address 61.130.131.1 255.255.255.252

duplex auto

speed auto

crypto map ***-set

!

no ip http server

no ip http secure-server

!

ip route 0.0.0.0 0.0.0.0 61.130.131.2

!

!

access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

!

!

control-plane

!

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

line aux 0

exec-timeout 0 0

privilege level 15

logging synchronous

line vty 0 4

login

!

!

End

Step 2:路由器B的配置

B(config)#do sho run

Building configuration...

Current configuration : 1125 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname B

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 5

!

!

ip cef

no ip domain lookup

ip domain name lab.local

!

crypto isakmp policy 1

authentication pre-share

crypto isakmp key 123 address 61.130.131.1

!

!

crypto ipsec transform-set ***a ah-md5-hmac esp-des esp-md5-hmac

!

crypto map ***-set 100 ipsec-isakmp

set peer 61.130.131.1

set transform-set ***a

match address 110

!

!

!

!

interface Loopback0

ip address 192.168.2.254 255.255.255.0

!

interface FastEthernet0/0

ip address 61.130.132.1 255.255.255.252

duplex auto

speed auto

crypto map ***-set

!

no ip http server

no ip http secure-server

!

ip route 0.0.0.0 0.0.0.0 61.130.132.2

!

!

access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

!

!

control-plane

!

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

line aux 0

exec-timeout 0 0

privilege level 15

logging synchronous

line vty 0 4

login

!

!

End

Step 3:路由器C的配置

C(config)#do sho run

Building configuration...

Current configuration : 1125 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname C

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 5

!

!

ip cef

no ip domain lookup

ip domain name lab.local

!

crypto isakmp policy 1

authentication pre-share

crypto isakmp key 123 address 61.130.131.1

!

!

crypto ipsec transform-set ***a ah-md5-hmac esp-des esp-md5-hmac

!

crypto map ***-set 100 ipsec-isakmp

set peer 61.130.131.1

set transform-set ***a

match address 110

!

!

!

!

interface Loopback0

ip address 192.168.3.254 255.255.255.0

!

interface FastEthernet0/0

ip address 61.130.133.1 255.255.255.252

duplex auto

speed auto

crypto map ***-set

!

no ip http server

no ip http secure-server

!

ip route 0.0.0.0 0.0.0.0 61.130.133.2

!

!

access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

!

!

control-plane

!

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

line aux 0

exec-timeout 0 0

privilege level 15

logging synchronous

line vty 0 4

login

!

!

End

Step 4:ISP配置,核心配置就是三个接口地址

interface FastEthernet0/0

ip address 61.130.131.2 255.255.255.252

duplex auto

speed auto

!

interface FastEthernet0/1

ip address 61.130.132.2 255.255.255.252

duplex auto

speed auto

!

interface FastEthernet2/0

ip address 61.130.133.2 255.255.255.252

duplex auto

speed auto

!

Step 5:测试

从路由器A使用扩展PING,ping 路由器B

clip_p_w_picpath002

从路由器A使用扩展PING,ping 路由器C

 

clip_p_w_picpath002[6]