背景:你们公司总部在北京,分公司在深圳,假如你你们公司的总部和分公司都只申请了一个可用的公网IP;而总部和分公司之间又经常有敏感的数据传输,并且总部和分公司和因工作需要又要求都能上互连网。
目标:如何在实现总部和分公司之间的数据的安全传输又同时满足总部和分公司都能上互连网的需求呢?
NAT和IPSEC×××结合使用能够满足该公司的需求。
R1
en
config t
no ip http server
no ip domain-loo
line con 0
loggin syn
no exec-t
end
conf t
host R1
int f0/0
ip add 202.0.0.1 255.255.255.0
no shut
exit
int lo0
ip add 1.1.1.1 255.255.255.0
no shut
exit
int lo1
ip add 2.2.2.2 255.255.255.0
no shut
exit
access-list 1 permit 1.1.1.0 0.0.0.255
route-map fornat permit 10
match ip add 1
exit
ip nat inside source route-map fornat interface f0/0 overload --定义允许进行NAT的流量和公网地址之间的映射
int f0/0
ip nat outside
exit
int lo1
ip nat inside
exit
ip route 0.0.0.0 0.0.0.0 f0/0
crypto isakmp enable --启用IKE
crypto isakmp policy 10 --建立IKE策略;根据具体安全要求可以建立多个IKE策略
hash md5 --密钥认证所用的算法有MD5和SHA-1两种,后者的安全行更高
authentication pre-share --使用手工指定的共享密码
encryption des --加密密钥所用的算法,如对安全性要求教高的话,可以用3DES加密算法
exit
crypto isakmp key 0 qqq111,,, address 203.0.0.1 --设置共享密钥和对端IP
crypto ipsec transform-set for*** esp-des esp-md5-hmac --配置IPSEC的传输模式
exit
crypto ipsec profile site2site --配置保密图
set transform-set for***
interface tunnel 0 --把保密图应用到端口上
ip add 5.5.5.5 255.255.255.0
tunnel source f0/0
tunnel destination 203.0.0.1
tunnel protection ipsec profile site2site
no shut
exit
router ospf 100
network 1.1.1.1 0.0.0.0 area 0
network 2.2.2.2 0.0.0.0 area 0
network 5.5.5.5 0.0.0.0 area 0
en
config t
no ip http server
no ip domain-loo
line con 0
loggin syn
no exec-t
end
conf t
host R1
int f0/0
ip add 202.0.0.1 255.255.255.0
no shut
exit
int lo0
ip add 1.1.1.1 255.255.255.0
no shut
exit
int lo1
ip add 2.2.2.2 255.255.255.0
no shut
exit
access-list 1 permit 1.1.1.0 0.0.0.255
route-map fornat permit 10
match ip add 1
exit
ip nat inside source route-map fornat interface f0/0 overload --定义允许进行NAT的流量和公网地址之间的映射
int f0/0
ip nat outside
exit
int lo1
ip nat inside
exit
ip route 0.0.0.0 0.0.0.0 f0/0
crypto isakmp enable --启用IKE
crypto isakmp policy 10 --建立IKE策略;根据具体安全要求可以建立多个IKE策略
hash md5 --密钥认证所用的算法有MD5和SHA-1两种,后者的安全行更高
authentication pre-share --使用手工指定的共享密码
encryption des --加密密钥所用的算法,如对安全性要求教高的话,可以用3DES加密算法
exit
crypto isakmp key 0 qqq111,,, address 203.0.0.1 --设置共享密钥和对端IP
crypto ipsec transform-set for*** esp-des esp-md5-hmac --配置IPSEC的传输模式
exit
crypto ipsec profile site2site --配置保密图
set transform-set for***
interface tunnel 0 --把保密图应用到端口上
ip add 5.5.5.5 255.255.255.0
tunnel source f0/0
tunnel destination 203.0.0.1
tunnel protection ipsec profile site2site
no shut
exit
router ospf 100
network 1.1.1.1 0.0.0.0 area 0
network 2.2.2.2 0.0.0.0 area 0
network 5.5.5.5 0.0.0.0 area 0
R3
en
config t
no ip http server
no ip domain-loo
line con 0
loggin syn
no exec-t
end
conf t
host R3
int f0/0
ip add 203.0.0.1 255.255.255.0
no shut
exit
int lo0
ip add 3.3.3.3 255.255.255.0
no shut
exit
int lo1
ip add 4.4.4.4 255.255.255.0
no shut
exit
access-list 1 permit 3.3.3.0 0.0.0.255
route-map fornat permit 10
match ip add 1
exit
ip nat inside source route-map fornat interface f0/0 overload
int f0/0
ip nat outside
exit
int lo1
ip nat inside
exit
ip route 0.0.0.0 0.0.0.0 f0/0
crypto isakmp enable
crypto isakmp policy 10
hash md5
authentication pre-share
encryption des
exit
crypto isakmp key 0 qqq111,,, address 202.0.0.1
crypto ipsec transform-set for*** esp-des esp-md5-hmac
exit
crypto ipsec profile site2site
set transform-set for***
interface tunnel 0
ip add 5.5.5.6 255.255.255.0
tunnel source f0/0
tunnel destination 202.0.0.1
tunnel protection ipsec profile site2site
no shut
exit
router ospf 100
network 3.3.3.3 0.0.0.0 area 0
network 4.4.4.4 0.0.0.0 area 0
network 5.5.5.6 0.0.0.0 area 0
en
config t
no ip http server
no ip domain-loo
line con 0
loggin syn
no exec-t
end
conf t
host R3
int f0/0
ip add 203.0.0.1 255.255.255.0
no shut
exit
int lo0
ip add 3.3.3.3 255.255.255.0
no shut
exit
int lo1
ip add 4.4.4.4 255.255.255.0
no shut
exit
access-list 1 permit 3.3.3.0 0.0.0.255
route-map fornat permit 10
match ip add 1
exit
ip nat inside source route-map fornat interface f0/0 overload
int f0/0
ip nat outside
exit
int lo1
ip nat inside
exit
ip route 0.0.0.0 0.0.0.0 f0/0
crypto isakmp enable
crypto isakmp policy 10
hash md5
authentication pre-share
encryption des
exit
crypto isakmp key 0 qqq111,,, address 202.0.0.1
crypto ipsec transform-set for*** esp-des esp-md5-hmac
exit
crypto ipsec profile site2site
set transform-set for***
interface tunnel 0
ip add 5.5.5.6 255.255.255.0
tunnel source f0/0
tunnel destination 202.0.0.1
tunnel protection ipsec profile site2site
no shut
exit
router ospf 100
network 3.3.3.3 0.0.0.0 area 0
network 4.4.4.4 0.0.0.0 area 0
network 5.5.5.6 0.0.0.0 area 0
结语:经过配置之后,既能满足总部和分公司之间数据的安全传输,又能满足,总部,分公司访问互连网。
转载于:https://blog.51cto.com/iverson/217308
扫一扫
9396
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
