Easy VPN + split tunneling + NAT, by JYH, 2014.3.25. Please credit the source when reposting, thank you.

  • Cisco

Topology diagram:

[image: lab topology diagram]


Objectives: 1. All branch employees must be able to reach the headquarters internal network 192.168.1.0 and, at the same time, the Internet.

      2. Travelling staff and personal computers must be able to dial in with the Cisco VPN Client software, reach the headquarters internal servers and, at the same time, the Internet.

      3. The headquarters site must accept dial-in from remote (virtual) users and, at the same time, reach the Internet through NAT.

Next, follow along as the topology above is configured step by step:

Internet router configuration (laid out this way so the sections can be pasted later):

conf t
interface FastEthernet0/0
 ip address 200.1.1.1 255.255.255.0
 no shut
exit
interface FastEthernet0/1
 ip address 100.1.1.1 255.255.255.0
 no shut
exit
interface FastEthernet1/0
 ip address 210.1.1.1 255.255.255.0
 no shut
exit
interface FastEthernet1/1
 ip address 220.1.1.1 255.255.255.0
 no shut
exit

======================================================================

Headquarters router configuration:

conf t
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 no shut
exit
interface FastEthernet0/1
 ip address 100.1.1.2 255.255.255.0
 ip nat outside
 no shut
exit
ip route 0.0.0.0 0.0.0.0 100.1.1.1
ip nat inside source list 101 interface FastEthernet0/1 overload
! ACL 100 is the Easy VPN split-tunnel list (referenced by "acl 100" in the client group
! later on): its source network is what the VPN client routes through the tunnel.
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
! ACL 101 is the NAT list. IOS translates inside-to-outside traffic before it reaches the
! crypto map, so headquarters traffic to the VPN pool must be exempted (deny), otherwise it
! would leave with source 100.1.1.2 and never match the IPsec SA; everything else from the
! LAN is translated. The original post had the two networks swapped here
! (deny 192.168.2.0 -> 192.168.1.0, permit 192.168.2.0 any), which matches no packet sourced
! from the LAN and would leave the headquarters PCs with no NAT at all.
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
exit

===================================================================================

Branch router configuration:

conf t
interface FastEthernet0/0
 ip address 200.1.1.2 255.255.255.0
 ip nat outside
 no shut
exit
interface FastEthernet0/1
 ip address 172.16.1.254 255.255.255.0
 ip nat inside
 no shut
exit
ip route 0.0.0.0 0.0.0.0 200.1.1.1
ip nat inside source list 1 interface FastEthernet0/0 overload
access-list 1 permit 172.16.1.0 0.0.0.255

==================================================================================

Configure the VPCS (host side):

[image: VPCS configuration]

Add a Loopback virtual adapter: Control Panel, Add New Hardware, Network adapters; see the screenshot below:

[image: adding the Loopback adapter]

Add the VMware virtual adapter:

[image: adding the VMware virtual adapter]

Configure the IP addresses of the loopback adapter and the VMware adapter:

loopback:

[image: loopback adapter IP settings]

The VMware8 virtual adapter's IP address has to be set inside the virtual machine; an extra "Local Area Connection 2" appears:

[image: VMware adapter IP settings]

The connectivity configuration is complete.

=============================================================================================

Configure the IPsec VPN (Easy VPN server) on the headquarters router:

aaa new-model (enable AAA; note that from this point login on the console and vty lines goes through AAA and, with no default list, falls back to the local user database, so create the user before leaving the session)
aaa authentication login eza local (login authentication list named eza, checked against the local database; used below for the client's Xauth login)
aaa authorization network ezo local (network authorization list named ezo, local; used below to hand the group attributes to the client)
username cisco password cisco (create the Xauth user name and password)
crypto isakmp policy 10 (IKE phase 1 security parameters)
 hash md5
 authentication pre-share
 group 2
ip local pool ez 192.168.2.1 192.168.2.10 (addresses assigned to Easy VPN clients once connected)
crypto isakmp client configuration group myez (Easy VPN group name and key)
 key 123
 pool ez
 acl 100 (split tunnel: only traffic to the networks in ACL 100 goes through the tunnel; the client sends everything else to the Internet directly)
crypto ipsec transform-set tim esp-3des esp-md5-hmac (IPsec phase 2 configuration)
crypto dynamic-map ezmap 10 (dynamic crypto map)
 set transform-set tim
 reverse-route (reverse route injection: a route to each client's assigned address is installed when it connects)
(The following lines attach authentication and authorization to the Easy VPN crypto map; "list" refers to the AAA list names defined above.)
crypto map tom client authentication list eza
crypto map tom isakmp authorization list ezo
crypto map tom client configuration address respond
crypto map tom 10 ipsec-isakmp dynamic ezmap (finally, the dynamic map must be referenced from a static crypto map entry)
interface FastEthernet0/1
 crypto map tom (bind to the interface)

Two things to change before using this outside the lab: the IKE policy does not set encryption, so it falls back to the platform default (DES on older IOS), and md5, 3des and group 2 are all deprecated; use aes, sha256 and group 14 or higher where the IOS version and the client support them. The group key 123 and the user cisco/cisco are shared secrets that anyone holding the client profile can read; use long random values, and "username ... secret" rather than "password" so the credential is not stored reversibly.
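The interaction between the NAT list and the split-tunnel list is the part of this lab that is easiest to get wrong, so here is an added example (not part of the original post and not Cisco code): a Python script that parses the two ACLs in their IOS syntax and replays the flows the lab needs against them. It checks whether a headquarters PC is translated on its way to 210.1.1.2, whether a headquarters-to-VPN-client packet still carries its real source when it reaches the crypto map (IOS applies inside-to-outside NAT before IPsec), and which destinations the client sends through the tunnel under split tunneling. It compares the NAT list as the original post wrote it, a naive fix that only adds the LAN, and the corrected list with the deny for the VPN pool. The host addresses 192.168.1.10 and 192.168.2.5 are constructed for the test; the router addresses are the lab's.

```python
"""Added example (not from the original post): check the headquarters
router's split-tunnel ACL and NAT ACL against the flows the lab needs."""
import ipaddress
import re

# Addresses from the lab topology; the two host addresses are constructed.
HQ_HOST = "192.168.1.10"      # a PC on the headquarters LAN (constructed)
HQ_OUTSIDE = "100.1.1.2"      # headquarters router Fa0/1, the NAT address
VPN_CLIENT = "192.168.2.5"    # an address from pool "ez" (constructed)
INTERNET_HOST = "210.1.1.2"   # the simulated Internet host pinged in the tests

# Split-tunnel ACL 100 exactly as on the page: its source networks are pushed
# to the Easy VPN client as the routes that go through the tunnel.
SPLIT_ACL = """
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
"""

# Three candidate NAT lists for "ip nat inside source list 101 ... overload".
NAT_ACL_ORIGINAL = """
access-list 101 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
"""
NAT_ACL_NAIVE = """
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
"""
NAT_ACL_FIXED = """
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
"""

ACE_RE = re.compile(
    r"access-list\s+(\d+)\s+(permit|deny)\s+ip\s+"
    r"(any|\S+\s+\S+)\s+(any|\S+\s+\S+)"
)


def _matcher(spec):
    """Predicate for an IOS address spec: 'any' or 'address wildcard'."""
    if spec == "any":
        return lambda ip: True
    addr, wildcard = spec.split()
    base = int(ipaddress.IPv4Address(addr))
    # A wildcard bit of 1 means "don't care"; only the 0 bits are compared.
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return lambda ip: (int(ipaddress.IPv4Address(ip)) & care) == (base & care)


def parse_acls(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into
    {N: [(action, src_predicate, dst_predicate), ...]} in listed order."""
    acls = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        m = ACE_RE.fullmatch(line)
        if not m:
            raise ValueError(f"unsupported ACE: {line!r}")
        number, action, src, dst = m.groups()
        acls.setdefault(number, []).append((action, _matcher(src), _matcher(dst)))
    return acls


def evaluate(acl, src, dst):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for action, src_ok, dst_ok in acl:
        if src_ok(src) and dst_ok(dst):
            return action
    return "deny"


def client_route(split_acl, dst):
    """Client side: a destination inside a permitted source network of the
    split-tunnel ACL goes through the tunnel; anything else leaves locally."""
    for action, src_ok, _ in split_acl:
        if action == "permit" and src_ok(dst):
            return "tunnel"
    return "local"


def post_nat_source(nat_acl, src, dst):
    """Inside-to-outside packets are translated before they reach the crypto
    map: a permit in the NAT list rewrites the source to the outside address."""
    return HQ_OUTSIDE if evaluate(nat_acl, src, dst) == "permit" else src


def check_hq_nat(nat_acl_text):
    """Does a headquarters host get NAT towards the Internet, and does a
    headquarters-to-client packet still match the IPsec identity (ACL 100)?"""
    acls = parse_acls(SPLIT_ACL + nat_acl_text)
    nat_acl, split_acl = acls["101"], acls["100"]
    to_internet = post_nat_source(nat_acl, HQ_HOST, INTERNET_HOST)
    to_client = post_nat_source(nat_acl, HQ_HOST, VPN_CLIENT)
    return {
        "hq_to_internet_translated": to_internet == HQ_OUTSIDE,
        "hq_to_client_encrypted": evaluate(split_acl, to_client, VPN_CLIENT) == "permit",
    }


if __name__ == "__main__":
    for name, text in (("original", NAT_ACL_ORIGINAL), ("naive", NAT_ACL_NAIVE), ("fixed", NAT_ACL_FIXED)):
        print(name, check_hq_nat(text))
    split = parse_acls(SPLIT_ACL)["100"]
    for dst in ("192.168.1.1", INTERNET_HOST):
        print(dst, "->", client_route(split, dst))
```

Only the corrected list passes both checks: the post's original list never matches a LAN-sourced packet, so the headquarters PCs get no NAT, while the naive list translates the VPN-bound traffic too and the tunnel silently stops carrying it. The same evaluator can be pointed at any other pair of NAT and crypto lists on a router that terminates IPsec on its NAT outside interface.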

=================================================================================

Test the connection:

Install the Cisco VPN Client in the VMware virtual machine and click New:

[image: Cisco VPN Client, new connection entry]

After the dial-in succeeds, test connectivity:

ping 192.168.1.1

ping 210.1.1.2

A branch user who has dialed into headquarters over the VPN should now reach the internal network (192.168.1.254 is the headquarters router's LAN interface) and 210.1.1.2.

=======================

Test from a personal PC, or a travelling colleague's PC, dialing into the headquarters network with the VPN Client:

ping 192.168.1.1

ping 210.1.1.2

All reachable.

=====================================================================

Test a headquarters PC reaching the Internet through NAT:

ping 210.1.1.2

Everything pings. Haha, this lab is complete!

Saved on 2014-03-25

From Baidu Space