A lab on running a VPN through NAT.
Requirements: traffic from the 192.168.1.0 network to the 172.16.1.0 network goes through the VPN, all other addresses are NAT-translated, and R1 simulates the public network.
Default routes and static routes everywhere are enough.
- R0 :
- interface Loopback0
- ip address 192.168.1.1 255.255.255.0
- !
- interface Serial1/0
- ip address 12.1.1.1 255.255.255.0
- serial restart-delay 0
- ip route 0.0.0.0 0.0.0.0 Serial1/0
- R1:
- interface Serial1/0
- ip address 12.1.1.2 255.255.255.0
- serial restart-delay 0
- interface Serial1/1
- ! address on the 23.1.1.0/24 link toward R2 (not given in the original post)
- serial restart-delay 0
- ip route 172.16.1.0 255.255.255.0 Serial1/1
- ip route 192.168.1.0 255.255.255.0 Serial1/0
- R2:
- interface Loopback0
- ip address 172.16.1.1 255.255.255.0
- interface Serial1/0
- ip address 23.1.1.3 255.255.255.0
- serial restart-delay 0
- !
- ip route 0.0.0.0 0.0.0.0 Serial1/0
- R0#ping 172.16.1.1 sou lo0
- Type escape sequence to abort.
- Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
- Packet sent with a source address of 192.168.1.1
- !!!!!
- Success rate is 100 percent (5/5), round-trip min/avg/max = 12/14/20 ms
Step 2: set up the VPN link (ISAKMP policy and pre-shared key):
- R0:
- !
- crypto isakmp policy 100
- authentication pre-share
- crypto isakmp key 6 yeelone address 23.1.1.3
- R2:
- crypto isakmp policy 100
- authentication pre-share
- crypto isakmp key 6 yeelone address 12.1.1.1
Step 3: encrypt with IPsec:
- R0:
- crypto ipsec transform-set cisco esp-des
- !
- crypto map ciscomap 100 ipsec-isakmp
- set peer 23.1.1.3
- set transform-set cisco
- match address 100
- access-list 100 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
- interface Serial1/0
- ip address 12.1.1.1 255.255.255.0
- serial restart-delay 0
- crypto map ciscomap
- R2:
- crypto ipsec transform-set cisco esp-des
- !
- crypto map ciscomap 100 ipsec-isakmp
- set peer 12.1.1.1
- set transform-set cisco
- match address 100
- access-list 100 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
- interface Serial1/0
- ip address 23.1.1.3 255.255.255.0
- serial restart-delay 0
- crypto map ciscomap
Step 4: now the key part, configure NAT:
- R0:
- access-list 120 deny ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
- access-list 120 permit ip any any
- ip nat pool cisconat 160.1.1.1 160.1.1.254 netmask 255.255.255.0
- ip nat inside source list 120 pool cisconat
- interface Loopback0
- ip address 192.168.1.1 255.255.255.0
- ip nat inside
- interface Serial1/0
- ip address 12.1.1.1 255.255.255.0
- ip nat outside
- R2:
- access-list 120 deny ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
- access-list 120 permit ip any any
- ip nat pool cisconat 202.1.1.1 202.1.1.254 netmask 255.255.255.0
- ip nat inside source list 120 pool cisconat
- interface Loopback0
- ip address 172.16.1.1 255.255.255.0
- ip nat inside
- ip virtual-reassembly
- !
- interface Serial1/0
- ip address 23.1.1.3 255.255.255.0
- ip nat outside
At this point the network still cannot communicate end to end: R1, the public-network router, has no routes back to the two NAT pools. The final step, on R1 (the 160.1.1.0/24 pool sits behind R0 on Serial1/0, the 202.1.1.0/24 pool behind R2 on Serial1/1):
- R1(config)#ip route 160.0.0.0 255.0.0.0 s1/0
- R1(config)#ip route 202.0.0.0 255.0.0.0 s1/1
That is all it takes.
I never really liked the articles online that just post configurations, but now that I have written one myself, it really does feel like there is not much to say. As long as you do the lab, whatever you don't understand you usually work out on your own.
The only thing to note is that we use two ACLs: one (access-list 100) to select the traffic that goes into the VPN and is carried through the tunnel,
and one (access-list 120) to catch traffic headed for the public network and NAT-translate it, while explicitly denying the VPN traffic so it is not translated.
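Added example (not part of the original post): a small Python model of how R0's two ACLs interact. On IOS, for an inside-to-outside packet, NAT runs before the crypto map is checked, so the `deny` line in access-list 120 is what keeps 192.168.1.0/24 to 172.16.1.0/24 traffic untranslated and therefore still matching the crypto ACL. The pool address chosen and the public destination are constructed values.

```python
import ipaddress

def wildcard_match(ip: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard-mask match: a set wildcard bit means 'don't care'."""
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (ip_i & care) == (net_i & care)

def acl_lookup(acl, src: str, dst: str) -> str:
    """Walk the ACL top-down; first match wins, implicit deny at the end."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"

# R0's ACLs as configured in the lab (crypto ACL 100, NAT ACL 120).
CRYPTO_ACL_100 = [("permit", "192.168.1.0", "0.0.0.255", "172.16.1.0", "0.0.0.255")]
NAT_ACL_120 = [
    ("deny", "192.168.1.0", "0.0.0.255", "172.16.1.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),  # any any
]
POOL_ADDRESS = "160.1.1.1"  # constructed: first address handed out from pool cisconat

def r0_forward(src: str, dst: str, nat_acl=NAT_ACL_120):
    """Model R0's inside->outside processing order: NAT first, then crypto map.
    Returns (source address on the wire, whether the packet is IPsec-encrypted)."""
    if acl_lookup(nat_acl, src, dst) == "permit":
        src = POOL_ADDRESS  # translated before the crypto ACL is consulted
    encrypted = acl_lookup(CRYPTO_ACL_100, src, dst) == "permit"
    return src, encrypted

if __name__ == "__main__":
    print(r0_forward("192.168.1.1", "172.16.1.1"))   # VPN traffic: untranslated, encrypted
    print(r0_forward("192.168.1.1", "203.0.113.5"))  # constructed public host: NAT, clear
    # Same VPN flow with the deny line removed: it gets NATed and misses the tunnel.
    print(r0_forward("192.168.1.1", "172.16.1.1", nat_acl=NAT_ACL_120[1:]))
```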
Reposted from: https://blog.51cto.com/yeelone/439703