1. Overview:

   When the two sides of a LAN-to-LAN IPsec VPN use overlapping private address ranges, the hosts cannot reach each other until static NAT is configured on the tunnel; that part is covered here: http://xuanbo.blog.51cto.com/499334/410541. It solves the overlap, but as configured there the inside hosts lose their Internet access. In testing, I found that a loopback interface, policy-based routing, and a mix of classic `ip nat inside/outside` NAT with NVI NAT (`ip nat enable`) solves the overlap while still letting the inside hosts reach the Internet. This post records the setup.

2. Basic idea:

A. Solving the address overlap:

--- Configure static NAT so that each LAN appears to the other side as a different network; hosts then map one-to-one on the host part of the address.

B. Keeping Internet access:

--- Mix two NAT modes and use policy-based routing, so that VPN traffic gets the static translation while everything else gets dynamic PAT out to the Internet.

C. Router behaviour this relies on:

--- NAT (inside-to-outside) is applied before IPsec encryption, so the crypto ACL and the tunnel only ever see translated addresses.

--- IOS has two ways to configure NAT: the classic per-interface ip nat inside/outside model, and NAT Virtual Interface (NVI), turned on with ip nat enable under an interface. The two can coexist on one router.

--- A translation only happens when a route exists for the packet and the packet crosses a NAT boundary: in on an ip nat inside interface and out an ip nat outside interface (or the reverse), or in on one ip nat enable interface and out another ip nat enable interface.

--- With a classic crypto-map L2L VPN, the LAN and WAN interfaces form an ip nat enable pair so that Internet-bound traffic is PATed; PBR diverts VPN traffic to a loopback, and the loopback and the WAN interface form an ip nat inside/outside pair, so the static translation runs before the crypto map is evaluated.

--- With an SVTI L2L VPN, the LAN and WAN interfaces again form the ip nat enable pair for PAT; PBR diverts VPN traffic to the loopback, and the loopback and the tunnel interface form the ip nat inside/outside pair, so the static translation runs before the packet enters the tunnel.

3. Test topology:

[Figure: test topology (092237637.jpg). Server 10.1.1.2 - Center (E0/0 10.1.1.1, E0/1 202.100.1.1) - Internet (202.100.1.10 / 202.100.2.10) - Branch (E0/1 202.100.2.1, E0/0 10.1.1.1) - Inside 10.1.1.2. Both LANs are 10.1.1.0/24.]

4. Basic configuration:

A. HQ Server router:

interface Ethernet0/0
ip address 10.1.1.2 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.1

B. HQ Center router:

interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
no shut
interface Ethernet0/1
ip address 202.100.1.1 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 202.100.1.10

C. Internet router:

interface Ethernet0/0
ip address 202.100.1.10 255.255.255.0
no shut
interface Ethernet0/1
ip address 202.100.2.10 255.255.255.0
no shut

D. Branch router (note that its LAN, 10.1.1.0/24, is the same range as HQ's):

interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
no shut
interface Ethernet0/1
ip address 202.100.2.1 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 202.100.2.10

E. Branch Inside router:

interface Ethernet0/0
ip address 10.1.1.2 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.1

5. L2L IPsec VPN configuration:

The lab uses DES, MD5, DH group 2 and the pre-shared key cisco. That is fine for a lab and for nothing else; in production use AES and SHA-2 with a real key. The NAT design below does not depend on the cipher suite.

A. Center router

① Phase 1 policy:
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 202.100.2.1

② Phase 2 transform set:

crypto ipsec transform-set transet esp-des esp-md5-hmac

③ Interesting traffic. It is written in post-NAT addresses: the HQ LAN appears as 172.16.1.0/24, and the branch LAN keeps its real 10.1.1.0/24 (the ACL name was masked by the blog platform; VPN is used here):

ip access-list extended VPN
permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255

④ Crypto map, applied to the WAN interface:

crypto map crymap 10 ipsec-isakmp
set peer 202.100.2.1
set transform-set transet
match address VPN
interface e0/1
 crypto map crymap
B. Branch router:

① Phase 1 policy:

crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 202.100.1.1

② Phase 2 transform set:

crypto ipsec transform-set transet esp-des esp-md5-hmac

③ Interesting traffic. From the branch side the HQ LAN is simply 172.16.1.0/24; the branch needs no NAT of its own (ACL name masked by the platform, VPN used here):

ip access-list extended VPN
permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255

④ Crypto map, applied to the WAN interface:

crypto map crymap 10 ipsec-isakmp
set peer 202.100.1.1
set transform-set transet
match address VPN
interface e0/1
 crypto map crymap

6. NAT configuration:

A. PAT for Internet access (NVI):
① Center router:

int e0/0
ip nat enable
int e0/1
ip nat enable
ip access-list extended Internet
deny   ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 any
ip nat source list Internet interface Ethernet0/1 overload
NVI uses ip nat source with no inside/outside keyword and translates whenever a packet enters on one ip nat enable interface and leaves on another. The deny line keeps VPN traffic (HQ hosts talking to the branch LAN at its translated address, 192.168.1.0/24) out of the PAT pool.
Test (the Internet router sees the HQ server as 202.100.1.1):
Server#ping 202.100.1.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.10, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 108/141/160 ms
Server#

Internet#debug ip icmp
ICMP packet debugging is on
Internet#
*Mar  1 02:59:13.535: ICMP: echo reply sent, src 202.100.1.10, dst 202.100.1.1
*Mar  1 02:59:13.687: ICMP: echo reply sent, src 202.100.1.10, dst 202.100.1.1
*Mar  1 02:59:13.831: ICMP: echo reply sent, src 202.100.1.10, dst 202.100.1.1
② Branch router (here the deny line covers traffic to the HQ LAN as the branch sees it, 172.16.1.0/24):
int e0/0
ip nat enable
int e0/1
ip nat enable
ip access-list extended Internet
deny   ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 any
ip nat source list Internet interface Ethernet0/1 overload
Test:
Inside#ping 202.100.2.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.2.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/98/184 ms
Inside#
Internet#debug ip icmp
ICMP packet debugging is on
*Mar  1 03:04:22.363: ICMP: echo reply sent, src 202.100.2.10, dst 202.100.2.1
*Mar  1 03:04:22.519: ICMP: echo reply sent, src 202.100.2.10, dst 202.100.2.1
*Mar  1 03:04:22.575: ICMP: echo reply sent, src 202.100.2.10, dst 202.100.2.1
*Mar  1 03:04:22.659: ICMP: echo reply sent, src 202.100.2.10, dst 202.100.2.1
*Mar  1 03:04:22.715: ICMP: echo reply sent, src 202.100.2.10, dst 202.100.2.1
B. Static NAT and policy routing for the overlapping address space:
----- Configured on the Center router only; the Branch router needs nothing beyond the PAT and crypto map above, because from its side the HQ LAN simply appears as 172.16.1.0/24.
① Static NAT:
interface loopback0
ip add 1.1.1.1 255.255.255.252
ip nat inside
interface E0/1
ip nat outside
ip nat inside source static network 10.1.1.0 172.16.1.0 /24
ip nat outside source static network 10.1.1.0 192.168.1.0 /24
The first translation presents the HQ LAN to the branch as 172.16.1.0/24; the second presents the branch LAN to HQ hosts as 192.168.1.0/24. Host bits are unchanged, so the branch host 10.1.1.2 is reached from HQ as 192.168.1.2. Packets towards 192.168.1.0/24 are routed before the outside-source translation rewrites the destination, so a route covering that range must exist; here the default route out E0/1 does the job.
② Policy routing (ACL and route-map names were masked by the platform; VPN-PBR is used here):
ip access-list extended VPN-PBR
permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
route-map VPN-PBR permit 10
match ip address VPN-PBR
set interface Loopback0
interface Ethernet0/0
ip policy route-map VPN-PBR
The route-map must be applied to the LAN interface, otherwise it does nothing. Sending the matching packets out Loopback0 hands them straight back to the router as traffic arriving on an ip nat inside interface, so the inside-to-outside static translation runs before the packet reaches E0/1 and the crypto map. Everything else stays on the normal path and gets PAT through NVI.
③ Test (Internet and the VPN peer are both reachable; the branch host 10.1.1.2 is pinged as 192.168.1.2):
Server#ping 202.100.1.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/112/200 ms
Server#ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 200/229/280 ms
Server#

7. Postscript:

If the VPN is built on a static VTI instead of a classic crypto map, the configuration differs slightly:

A. VPN configuration:

① Center router:

crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 202.100.2.1
crypto ipsec transform-set transet esp-des esp-md5-hmac
crypto ipsec profile ipsecprofile
set transform-set transet
interface Tunnel0
ip address 123.1.1.1 255.255.255.0
tunnel source Ethernet0/1
tunnel destination 202.100.2.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsecprofile

② Branch router:

crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 202.100.1.1
crypto ipsec transform-set transet esp-des esp-md5-hmac
crypto ipsec profile ipsecprofile
set transform-set transet
interface Tunnel0
ip address 123.1.1.2 255.255.255.0
tunnel source Ethernet0/1
tunnel destination 202.100.1.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsecprofile

B. PAT for Internet access:

--- Same as above.

C. Routing:

--- With a VTI there is no crypto ACL; whatever is routed into the tunnel interface is encrypted, so VPN traffic has to be steered there. A static route or a routing protocol both work; static is used here. On the Center router this route also supplies the route for the translated destination range that the static NAT needs.

① Center router:

ip route 192.168.1.0 255.255.255.0 123.1.1.2

② Branch router:

ip route 172.16.1.0 255.255.255.0 123.1.1.1

D. Static NAT and policy routing:

---- Configured on the Center router.

① Static NAT. Loopback0 needs an address (1.1.1.1/30 as in the crypto-map setup), and the outside interface is now Tunnel0 rather than Ethernet0/1:

interface loopback 0
ip address 1.1.1.1 255.255.255.252
ip nat inside
interface tun 0
ip nat outside
ip nat inside  source static network 10.1.1.0 172.16.1.0  /24
ip nat outside source static network 10.1.1.0 192.168.1.0 /24

② Policy routing (ACL and route-map names were masked by the platform; VPN-PBR is used here):

ip access-list extended VPN-PBR
permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
route-map VPN-PBR permit 10
match ip address VPN-PBR
set interface Loopback0
interface Ethernet0/0
ip policy route-map VPN-PBR

E. Test (Internet and the VPN peer are both reachable)

Server#ping 202.100.1.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/104/200 ms
Server#
Server#ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 228/258/284 ms
Server#

The debug on the branch's Inside router confirms the translation: the echo requests arrive from 172.16.1.2, the HQ server's translated address, not from 10.1.1.2.

Inside#debug ip icmp
ICMP packet debugging is on
Inside#
*Mar  1 12:04:14.645: ICMP: echo reply sent, src 10.1.1.2, dst 172.16.1.2
*Mar  1 12:04:14.949: ICMP: echo reply sent, src 10.1.1.2, dst 172.16.1.2
*Mar  1 12:04:15.169: ICMP: echo reply sent, src 10.1.1.2, dst 172.16.1.2
*Mar  1 12:04:15.385: ICMP: echo reply sent, src 10.1.1.2, dst 172.16.1.2
*Mar  1 12:04:15.633: ICMP: echo reply sent, src 10.1.1.2, dst 172.16.1.2
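The order of operations that both designs depend on (PBR, then routing, then NAT, then IPsec) is easy to lose track of while reading the two configurations, so here is a small Python model of the Center router that replays the lab traffic through that order for the crypto-map design of section 6 and the SVTI design of section 7. It is an added illustration for this write-up, not code or configuration from the original post: the addresses, interface names and ACL contents are the lab's own, the pipeline order is the IOS order of operations the text relies on, and the one modelling assumption is that a packet policy-routed out Loopback0 re-enters the router as if it had been received on Loopback0.

```python
"""Model of the Center router's forwarding order for the overlapping-subnet
design: PBR -> routing -> NAT (classic inside/outside domain or NVI) -> IPsec.
Constructed illustration, not configuration or code from the original post.
Addresses, interface names and ACL contents are the lab's own; the modelling
assumption is that a packet policy-routed out Loopback0 re-enters the router
as if received on Loopback0 (the 'ip nat inside' side)."""
import dataclasses
import ipaddress as ipa
from dataclasses import dataclass

def net(s): return ipa.ip_network(s)
def ip(s): return ipa.ip_address(s)

def shift(addr, from_net, to_net):
    """Keep the host bits, swap the network part: what 'static network' does."""
    return to_net.network_address + (int(addr) - int(from_net.network_address))

@dataclass
class Packet:
    src: ipa.IPv4Address
    dst: ipa.IPv4Address
    in_if: str
    out_if: str = ""
    encrypted: bool = False

@dataclass
class Center:
    routes: list                # [(prefix, out_if)], longest match wins
    pbr_if: str                 # interface carrying 'ip policy route-map'
    pbr_match: tuple            # (src, dst) nets -> 'set interface Loopback0'
    nvi_ifs: frozenset          # interfaces with 'ip nat enable'
    pat_acl: list               # [(permit, src, dst)] = the ACL named Internet
    pat_addr: ipa.IPv4Address   # 'interface Ethernet0/1 overload'
    nat_in: str                 # 'ip nat inside' interface
    nat_out: str                # 'ip nat outside' interface
    inside_static: tuple        # (inside local, inside global)
    outside_static: tuple       # (outside global, outside local)
    crypto_acl: tuple = None    # crypto-map ACL on Ethernet0/1; None for SVTI

    def route(self, dst):
        hits = [r for r in self.routes if dst in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen)[1]

    def forward(self, pkt):
        """Inside-to-outside: a host behind Ethernet0/0 sends a packet."""
        s, d = self.pbr_match
        if pkt.in_if == self.pbr_if and pkt.src in s and pkt.dst in d:
            pkt.in_if = "Loopback0"          # re-enters on the nat-inside side
        pkt.out_if = self.route(pkt.dst)     # routed on the untranslated dst
        il, ig = self.inside_static
        og, ol = self.outside_static
        if pkt.in_if == self.nat_in and pkt.out_if == self.nat_out:
            if pkt.src in il: pkt.src = shift(pkt.src, il, ig)
            if pkt.dst in ol: pkt.dst = shift(pkt.dst, ol, og)
        elif pkt.in_if in self.nvi_ifs and pkt.out_if in self.nvi_ifs:
            for permit, s, d in self.pat_acl:  # first matching line decides
                if pkt.src in s and pkt.dst in d:
                    if permit: pkt.src = self.pat_addr
                    break
        # IPsec runs last: tunnel protection on Tunnel0, or the crypto-map ACL
        # on Ethernet0/1 evaluated against the already translated addresses.
        if pkt.out_if == "Tunnel0":
            pkt.encrypted = True
        elif self.crypto_acl and pkt.out_if == "Ethernet0/1":
            s, d = self.crypto_acl
            pkt.encrypted = pkt.src in s and pkt.dst in d
        return pkt

    def receive_from_vpn(self, pkt):
        """Outside-to-inside: already decrypted; NAT runs before routing."""
        il, ig = self.inside_static
        og, ol = self.outside_static
        if pkt.src in og: pkt.src = shift(pkt.src, og, ol)
        if pkt.dst in ig: pkt.dst = shift(pkt.dst, ig, il)
        pkt.out_if = self.route(pkt.dst)
        return pkt

CONNECTED = [(net("10.1.1.0/24"), "Ethernet0/0"), (net("202.100.1.0/24"), "Ethernet0/1")]
COMMON = dict(
    pbr_if="Ethernet0/0", pbr_match=(net("10.1.1.0/24"), net("192.168.1.0/24")),
    nvi_ifs=frozenset({"Ethernet0/0", "Ethernet0/1"}), pat_addr=ip("202.100.1.1"),
    pat_acl=[(False, net("10.1.1.0/24"), net("192.168.1.0/24")),  # keep VPN traffic out of PAT
             (True, net("10.1.1.0/24"), net("0.0.0.0/0"))],
    nat_in="Loopback0", inside_static=(net("10.1.1.0/24"), net("172.16.1.0/24")),
    outside_static=(net("10.1.1.0/24"), net("192.168.1.0/24")))
CLASSIC = Center(routes=CONNECTED + [(net("0.0.0.0/0"), "Ethernet0/1")], nat_out="Ethernet0/1",
                 crypto_acl=(net("172.16.1.0/24"), net("10.1.1.0/24")), **COMMON)
SVTI = Center(routes=CONNECTED + [(net("192.168.1.0/24"), "Tunnel0"), (net("0.0.0.0/0"), "Ethernet0/1")],
              nat_out="Tunnel0", **COMMON)
NO_PBR = dataclasses.replace(CLASSIC, pbr_if="")  # 'ip policy route-map' left off Ethernet0/0

def send(router, src, dst, in_if="Ethernet0/0"):
    return router.forward(Packet(ip(src), ip(dst), in_if))
def summary(p):
    return (str(p.src), str(p.dst), p.out_if, p.encrypted)

if __name__ == "__main__":
    for name, r in (("crypto-map", CLASSIC), ("svti", SVTI), ("no-pbr", NO_PBR)):
        print(name, "-> branch  ", summary(send(r, "10.1.1.2", "192.168.1.2")))
        print(name, "-> internet", summary(send(r, "10.1.1.2", "202.100.1.10")))
```

Running it shows the same thing on both designs: the Server's packet to 192.168.1.2 leaves as 172.16.1.2 -> 10.1.1.2 and is encrypted (the crypto-map ACL only matches because it is checked after NAT), while the packet to 202.100.1.10 leaves as 202.100.1.1 through NVI PAT. The third router, NO_PBR, is the same box with ip policy route-map left off Ethernet0/0: its packet to 192.168.1.2 leaves Ethernet0/1 untranslated and unencrypted, because the Internet ACL denies PAT for it and the crypto ACL never sees a 172.16.1.x source. receive_from_vpn replays the branch's reply (10.1.1.2 -> 172.16.1.2) and shows it being rewritten to 192.168.1.2 -> 10.1.1.2 before it is routed to the LAN.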