拓扑图如下:
说明:ISP之间使用OSPF动态路由协议,R1和R3模拟边界路由,并启用PAT,PC1和PC2模拟内网主机。
要求:PC1和PC2能够使用私有IP加密互访,其他Internet流量使用常规PAT访问。
各设备配置如下:
PC1:
configure terminal
! PC1: a router standing in for an end host. One LAN address, routing
! disabled, traffic for other networks handed to the default gateway (R1).
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 no shutdown
exit
no ip routing
ip default-gateway 192.168.0.2
end
write memory
PC2:
configure terminal
! PC2: a router standing in for an end host. One LAN address, routing
! disabled, traffic for other networks handed to the default gateway (R3).
interface FastEthernet0/0
 ip address 172.16.0.1 255.255.255.0
 no shutdown
exit
no ip routing
ip default-gateway 172.16.0.2
end
write memory
R1:
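configure terminal
!
! R1: border router for the 192.168.0.0/24 site.
! Roles: PAT for Internet-bound traffic; GRE tunnel to R3 (2.0.0.1)
! protected by an IPsec crypto map, carrying the site-to-site traffic.
!
interface Ethernet0/0
 ip address 192.168.0.2 255.255.255.0
 duplex full
 ip nat inside
 no shutdown
interface Ethernet0/1
 ip address 1.0.0.1 255.255.255.252
 duplex full
 ip nat outside
 no shutdown
exit
!
! PAT source list, scoped to the inside LAN prefix so that no other source
! address arriving on an inside interface is translated.
access-list 1 permit 192.168.0.0 0.0.0.255
ip nat inside source list 1 interface Ethernet0/1 overload
ip route 0.0.0.0 0.0.0.0 1.0.0.2
!
! IKE phase 1 policy, mirrored on R3 (policy 1).
crypto isakmp enable
crypto isakmp policy 1
 encryption aes
 hash sha
! NOTE(review): DH group 2 (1024-bit) is considered weak; prefer group 14
! or higher, changed on both peers at the same time.
 group 2
 authentication pre-share
exit
! NOTE(review): "0" enters the pre-shared key in cleartext, and the key is a
! short, guessable literal; use a long random secret (same value on R3).
crypto isakmp key 0 IPSEC-TUNNEL address 2.0.0.1
!
! Crypto ACL: GRE between the two tunnel endpoints, plus the two LAN prefixes.
access-list 100 permit gre host 1.0.0.1 host 2.0.0.1
access-list 100 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
!
! IPsec phase 2 proposal, mirrored on R3 ("myset").
! NOTE(review): 3DES and MD5 are deprecated; esp-aes with esp-sha-hmac is
! preferred. Change both peers together, otherwise phase 2 fails.
crypto ipsec transform-set myset ah-sha-hmac esp-md5-hmac esp-3des
 mode tunnel
exit
crypto map mymap 1 ipsec-isakmp
 match address 100
 set transform-set myset
 set peer 2.0.0.1
exit
!
! The crypto map is applied to both the physical interface and the tunnel
! interface (pattern used by older IOS releases for GRE over IPsec; confirm
! whether this release still needs it on Tunnel0).
interface Ethernet0/1
 crypto map mymap
interface Tunnel0
 ip address 100.0.0.1 255.255.255.252
 tunnel source 1.0.0.1
 tunnel destination 2.0.0.1
 crypto map mymap
 keepalive 2 3
 no shutdown
exit
! Remote LAN is routed into the GRE tunnel; the resulting GRE packets between
! 1.0.0.1 and 2.0.0.1 match ACL 100 and are encrypted on Ethernet0/1.
ip route 172.16.0.0 255.255.255.0 Tunnel0
do write memory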
R3:
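configure terminal
!
! R3: border router for the 172.16.0.0/24 site.
! Roles: PAT for Internet-bound traffic; GRE tunnel to R1 (1.0.0.1)
! protected by an IPsec crypto map, carrying the site-to-site traffic.
!
interface Ethernet0/1
 ip address 172.16.0.2 255.255.255.0
 duplex full
 ip nat inside
 no shutdown
interface Ethernet0/0
 ip address 2.0.0.1 255.255.255.252
 duplex full
 ip nat outside
 no shutdown
exit
!
! PAT source list, scoped to the inside LAN prefix so that no other source
! address arriving on an inside interface is translated.
access-list 1 permit 172.16.0.0 0.0.0.255
ip nat inside source list 1 interface Ethernet0/0 overload
ip route 0.0.0.0 0.0.0.0 2.0.0.2
!
! IKE phase 1 policy, mirrored on R1 (policy 1).
crypto isakmp enable
crypto isakmp policy 1
 encryption aes
 hash sha
! NOTE(review): DH group 2 (1024-bit) is considered weak; prefer group 14
! or higher, changed on both peers at the same time.
 group 2
 authentication pre-share
exit
! NOTE(review): "0" enters the pre-shared key in cleartext, and the key is a
! short, guessable literal; use a long random secret (same value on R1).
crypto isakmp key 0 IPSEC-TUNNEL address 1.0.0.1
!
! Crypto ACL: GRE between the two tunnel endpoints, plus the two LAN prefixes.
access-list 100 permit gre host 2.0.0.1 host 1.0.0.1
access-list 100 permit ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255
!
! IPsec phase 2 proposal, mirrored on R1 ("myset").
! NOTE(review): 3DES and MD5 are deprecated; esp-aes with esp-sha-hmac is
! preferred. Change both peers together, otherwise phase 2 fails.
crypto ipsec transform-set myset ah-sha-hmac esp-md5-hmac esp-3des
 mode tunnel
exit
crypto map mymap 1 ipsec-isakmp
 match address 100
 set transform-set myset
 set peer 1.0.0.1
exit
!
! The crypto map is applied to both the physical interface and the tunnel
! interface (pattern used by older IOS releases for GRE over IPsec; confirm
! whether this release still needs it on Tunnel0).
interface Ethernet0/0
 crypto map mymap
interface Tunnel0
 ip address 100.0.0.2 255.255.255.252
 tunnel source 2.0.0.1
 tunnel destination 1.0.0.1
 crypto map mymap
 keepalive 2 3
 no shutdown
exit
! Remote LAN is routed into the GRE tunnel; the resulting GRE packets between
! 2.0.0.1 and 1.0.0.1 match ACL 100 and are encrypted on Ethernet0/0.
ip route 192.168.0.0 255.255.255.0 Tunnel0
do write memory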
ISP1:
configure terminal
! ISP1: transit router. Two point-to-point /30 links, both advertised in
! OSPF process 100, area 0. No NAT and no crypto on this device.
interface Ethernet0/1
 ip address 1.0.0.2 255.255.255.252
 duplex full
 no shutdown
interface Ethernet0/0
 ip address 12.0.0.1 255.255.255.252
 duplex full
 no shutdown
exit
router ospf 100
 network 1.0.0.0 0.0.0.3 area 0
 network 12.0.0.0 0.0.0.3 area 0
exit
do write memory
ISP2:
configure terminal
! ISP2: transit router. Two point-to-point /30 links, both advertised in
! OSPF process 100, area 0. No NAT and no crypto on this device.
interface Ethernet0/0
 ip address 12.0.0.2 255.255.255.252
 duplex full
 no shutdown
interface Ethernet0/1
 ip address 2.0.0.2 255.255.255.252
 duplex full
 no shutdown
exit
router ospf 100
 network 2.0.0.0 0.0.0.3 area 0
 network 12.0.0.0 0.0.0.3 area 0
exit
do write memory
转载于:https://blog.51cto.com/yinkai/1561538