This lab requires NAT traversal (NAT-T) to be enabled; on Cisco devices it is enabled by default.
The following two commands are added on R2 so that the outside peer can traverse the NAT device and establish the VPN:
ip nat inside source static udp 10.1.1.1 4500 interface Ethernet0/1 4500
ip nat inside source static udp 10.1.1.1 500 interface Ethernet0/1 500
Without these two commands the VPN can only be brought up from the inside; an attempt initiated from the outside does not establish.

Once the inside side has triggered the tunnel with ping 1.1.1.1 so 2.2.2.2, the outside side can then ping 2.2.2.2 so 1.1.1.1. The reason is simple: when an ISAKMP packet initiated from the outside arrives at the PIX, R2 cannot deliver it to the correct destination, because PAT is a many-to-one translation. But once the inside has initiated first, R2 holds XLATE and CONNECTION entries, and given how R2 handles UDP, the corresponding return packets are allowed back through R2 into the inside for a certain period, so the outside can then ping 2.2.2.2 so 1.1.1.1.
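The reasoning above, and the effect of the two static NAT commands on R2, as an added Python model (written for this page, not IOS or Cisco code): a toy PAT table that forwards an inbound UDP datagram only when a live dynamic xlate or a static entry identifies the inside host. The 300-second UDP xlate lifetime and source-port preservation are assumptions of the model.

```python
class PatTable:
    """Toy model of R2's UDP PAT: static entries from the two
    'ip nat inside source static udp' commands plus dynamic xlates created by
    inside-initiated traffic. Ports are preserved, as R2's 'sh ip nat tr'
    output shows (10.1.1.1:500 -> 202.100.1.1:500). Not IOS code."""

    def __init__(self, udp_timeout: float = 300.0):
        self.udp_timeout = udp_timeout  # assumed UDP xlate lifetime in seconds
        self.static = {}    # global_port -> (inside_ip, inside_port)
        self.dynamic = {}   # (global_port, outside_ip, outside_port) -> (inside_ip, inside_port, last_seen)

    def add_static_udp(self, inside_ip, inside_port, global_port):
        """ip nat inside source static udp <inside_ip> <inside_port> interface <outside> <global_port>"""
        self.static[global_port] = (inside_ip, inside_port)

    def outbound(self, inside_ip, inside_port, outside_ip, outside_port, now):
        """Inside-initiated datagram: create or refresh the xlate, return the global source port."""
        global_port = inside_port  # assumption: port preserved, as in the lab output
        self.dynamic[(global_port, outside_ip, outside_port)] = (inside_ip, inside_port, now)
        return global_port

    def inbound(self, outside_ip, outside_port, global_port, now):
        """Datagram from outside to R2's global address: the inside (ip, port) it is
        forwarded to, or None when R2 has no way to pick an inside host."""
        key = (global_port, outside_ip, outside_port)
        if key in self.dynamic:
            inside_ip, inside_port, last_seen = self.dynamic[key]
            if now - last_seen <= self.udp_timeout:
                self.dynamic[key] = (inside_ip, inside_port, now)  # refresh the timer
                return (inside_ip, inside_port)
            del self.dynamic[key]  # xlate aged out
        # PAT is many-to-one: with no xlate only a static mapping identifies the host
        return self.static.get(global_port)


def outside_initiated_isakmp(with_static: bool):
    """Does the first ISAKMP packet from R3 (202.100.1.2:500) reach R1 (10.1.1.1:500)?"""
    pat = PatTable()
    if with_static:
        pat.add_static_udp("10.1.1.1", 500, 500)
        pat.add_static_udp("10.1.1.1", 4500, 4500)
    return pat.inbound("202.100.1.2", 500, 500, now=0.0)


def inside_initiated_isakmp(reply_delay: float):
    """R1 initiates to R3; does R3's reply after reply_delay seconds get back to R1?"""
    pat = PatTable()
    pat.outbound("10.1.1.1", 500, "202.100.1.2", 500, now=0.0)
    return pat.inbound("202.100.1.2", 500, 500, now=reply_delay)
```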

If NAT traversal is not enabled on the device, the VPN can only be established from the inside and the negotiated mode is plain Tunnel mode; with NAT traversal enabled, the VPN negotiates Tunnel UDP-Encaps mode.

Packet structure when traversing PAT:   ...| UDP | ESP | DATA |...
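The UDP-encapsulated framing above and the Tunnel UDP-Encaps mode it corresponds to, as an added Python example (written for this page, not from the original post or Cisco): it builds a UDP/4500 datagram around an ESP packet and classifies what a NAT-T datagram carries according to RFC 3948 (NAT-keepalive, marker-prefixed IKE, or ESP with its SPI), using the SPIs from the show output. Assumptions: the standard 28-byte ISAKMP header layout, and a UDP checksum left at zero.

```python
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: IKE on UDP/4500 is prefixed with 4 zero bytes (SPI 0 is never valid ESP)
NAT_KEEPALIVE = b"\xff"               # RFC 3948 NAT-keepalive payload: a single 0xFF byte
ISAKMP_HDR = "!QQBBBBII"              # cookies, next payload, version, exchange, flags, msg id, length


def udp_datagram(sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header (checksum left at 0, an assumption) followed by the payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def udp_encapsulate_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """Frame ...| UDP | ESP | DATA |... as it crosses the PAT device on UDP/4500."""
    return udp_datagram(4500, 4500, struct.pack("!II", spi, seq) + ciphertext)


def _parse_ike(ike: bytes, info: dict) -> dict:
    if len(ike) < 28:
        return {**info, "kind": "malformed", "reason": "short ISAKMP header"}
    ispi, rspi, _np, _ver, exch, _flags, _mid, length = struct.unpack(ISAKMP_HDR, ike[:28])
    return {**info, "kind": "ike", "ispi": ispi, "rspi": rspi, "exchange": exch, "length": length}


def classify_datagram(datagram: bytes) -> dict:
    """Strip the UDP header and report what the datagram carries: plain IKE on
    UDP/500, or on UDP/4500 a NAT-keepalive, marker-prefixed IKE, or ESP with its SPI."""
    if len(datagram) < 8:
        return {"kind": "malformed", "reason": "short UDP header"}
    sport, dport, length, _csum = struct.unpack("!HHHH", datagram[:8])
    if length != len(datagram):
        return {"kind": "malformed", "reason": "udp length mismatch"}
    payload = datagram[8:]
    info = {"sport": sport, "dport": dport}
    if dport == 500 or sport == 500:          # phase 1 before a NAT is detected: no marker
        return _parse_ike(payload, info)
    if payload == NAT_KEEPALIVE:
        return {**info, "kind": "nat-keepalive"}
    if payload.startswith(NON_ESP_MARKER):    # IKE moved to 4500 once NAT-D found a NAT
        return _parse_ike(payload[4:], info)
    if len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])
        return {**info, "kind": "esp", "spi": spi, "seq": seq, "ciphertext_len": len(payload) - 8}
    return {**info, "kind": "malformed", "reason": "short ESP header"}


def spi_is_expected(info: dict, expected_spis) -> bool:
    """Defender's check: an ESP datagram should carry a SPI that 'sh cry ip sa' lists."""
    return info.get("kind") == "esp" and info["spi"] in expected_spis
```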

Configuration
R1:
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 202.100.1.2
crypto ipsec transform-set tran esp-3des esp-md5-hmac
crypto map map 10 ipsec-isakmp
 set peer 202.100.1.2
 set transform-set tran
 match address ***
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 half-duplex
 crypto map map
interface Ethernet1/2
 ip address 1.1.1.1 255.255.255.0
 half-duplex
ip route 0.0.0.0 0.0.0.0 10.1.1.2
ip access-list extended ***
 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255

R2:
interface Ethernet0/0
 ip address 10.1.1.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 half-duplex
interface Ethernet0/1
 ip address 202.100.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 half-duplex
ip route 0.0.0.0 0.0.0.0 Ethernet0/1
ip nat inside source list nat interface Ethernet0/1 overload
ip nat inside source static udp 10.1.1.1 4500 interface Ethernet0/1 4500
ip nat inside source static udp 10.1.1.1 500 interface Ethernet0/1 500
ip access-list standard nat
 permit 1.1.1.0 0.0.0.255
 permit 10.1.1.0 0.0.0.255

R3:
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 202.100.1.1
crypto ipsec transform-set tran esp-3des esp-md5-hmac
crypto map map 10 ipsec-isakmp
 set peer 202.100.1.1
 set transform-set tran
 match address ***
interface Ethernet0/1
 ip address 202.100.1.2 255.255.255.0
 half-duplex
 crypto map map
interface Ethernet1/2
 ip address 2.2.2.2 255.255.255.0
 half-duplex
ip route 0.0.0.0 0.0.0.0 Ethernet0/1
ip access-list extended ***
 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255

r1#sh cry isa sa
dst             src             state          conn-id slot status
10.1.1.1        202.100.1.2     QM_IDLE              1    0 ACTIVE

r3#sh cry isa sa  
dst             src             state          conn-id slot status
202.100.1.1     202.100.1.2     QM_IDLE              1    0 ACTIVE

r2#sh ip nat tr
Pro Inside global      Inside local       Outside local      Outside global
udp 202.100.1.1:500    10.1.1.1:500       202.100.1.2:500    202.100.1.2:500
udp 202.100.1.1:500    10.1.1.1:500       ---                ---
udp 202.100.1.1:4500   10.1.1.1:4500      202.100.1.2:4500   202.100.1.2:4500
udp 202.100.1.1:4500   10.1.1.1:4500      ---                ---

r1#sh cry ip sa

interface: Ethernet0/0
    Crypto map tag: map, local addr 10.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
   current_peer 202.100.1.2 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.1.1, remote crypto endpt.: 202.100.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
     current outbound spi: 0xD0162EE3(3491114723)

     inbound esp sas:
      spi: 0xCC75A13E(3430261054)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2002, flow_id: SW:2, crypto map: map
        sa timing: remaining key lifetime (k/sec): (4509037/3570)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xD0162EE3(3491114723)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2001, flow_id: SW:1, crypto map: map
        sa timing: remaining key lifetime (k/sec): (4509037/3569)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

r3#sh cry ip sa

interface: Ethernet0/1
    Crypto map tag: map, local addr 202.100.1.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
   current_peer 202.100.1.1 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 202.100.1.2, remote crypto endpt.: 202.100.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/1
     current outbound spi: 0xCC75A13E(3430261054)

     inbound esp sas:
      spi: 0xD0162EE3(3491114723)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2002, flow_id: SW:2, crypto map: map
        sa timing: remaining key lifetime (k/sec): (4431486/3535)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xCC75A13E(3430261054)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2001, flow_id: SW:1, crypto map: map
        sa timing: remaining key lifetime (k/sec): (4431486/3535)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas: