client-to-site VPN and site-to-site VPN configuration details

client-to-site VPN configuration

Topology:

       client-to-site VPN (topology figure)

VPN clients (address pool): 192.168.110.0/24        router LAN: 10.0.1.0/24   WAN: 210.41.166.124


//Enable AAA
aaa new-model

//XAUTH user authentication (login list vpn-en) against the local user database
aaa authentication login vpn-en local

//Group authorization (network list vpn-or) against the local database
aaa authorization network vpn-or local

//AAA username and password used for XAUTH ("username root secret ..." would store a hash instead of the reversible "password" form; replace the trivial password before deploying)
username root password 123456

//Address pool handed to connecting clients, and the default route toward the ISP
ip local pool vpn-pool 192.168.110.1 192.168.110.254
ip route 0.0.0.0 0.0.0.0 210.41.166.1

//Exempt LAN-to-client traffic from NAT; otherwise it is translated to the outside address before it can match the crypto map
access-list 100 deny   ip 10.0.1.0 0.0.0.255 192.168.110.0 0.0.0.255
access-list 100 permit ip any any

//Interesting traffic; in client-to-site mode this ACL is also pushed to the client as its split-tunnel list
access-list 101 permit ip 10.0.1.0 0.0.0.255 192.168.110.0 0.0.0.255

//PAT everything else to the outside interface address
ip nat inside source list 100 interface FastEthernet0/1 overload

//IKE phase 1 (ISAKMP) policy; 3DES, SHA-1 and DH group 2 are legacy choices, on current IOS prefer "encr aes 256", "hash sha256" and group 14 or higher
crypto isakmp policy 20
 encr 3des
 hash sha
 authentication pre-share
 group 2

//IKE phase 2 (IPsec) transform set; the same legacy caveat applies to esp-3des
crypto ipsec transform-set vpn-client esp-3des esp-sha-hmac


//Group name (myvpn) and group pre-shared key (123cisco) that the clients connect with; the address pool and split-tunnel ACL are pushed to the client from here
crypto isakmp client configuration group myvpn
 key 123cisco
 pool vpn-pool
 acl 101

//Dynamic crypto map: the client's address is not known in advance; reverse-route injects a static route to each connected client's pool address
crypto dynamic-map dymap 20
 set transform-set vpn-client
 reverse-route

//XAUTH user authentication, using login list vpn-en
crypto map test client authentication list vpn-en
//Group authorization, using network list vpn-or
crypto map test isakmp authorization list vpn-or
//Mode config: push an address to the client when it requests one
crypto map test client configuration address respond
crypto map test 20 ipsec-isakmp dynamic dymap

//LAN side
int fa0/0
 ip address 10.0.1.254 255.255.255.0
 ip nat inside

//WAN side; the crypto map must be applied to this interface
int fa0/1
 ip address 210.41.166.124 255.255.255.0
 ip nat outside
 crypto map test


site-to-site VPN configuration

Topology:

    site-to-site VPN (topology figure)


R1 LAN: 10.0.1.0/24   WAN: 210.41.166.124
R2 LAN: 10.0.2.0/24   WAN: 210.41.166.123



R1

//Exempt R1-LAN-to-R2-LAN traffic from NAT
access-list 100 deny   ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 100 permit ip any any

//Interesting traffic for the tunnel (R2's ACL 101 must be the exact mirror image)
access-list 101 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255


//(left over from the client-to-site configuration; nothing in the site-to-site configuration references this pool)
ip local pool vpn-pool 192.168.110.1 192.168.110.254
ip route 0.0.0.0 0.0.0.0 210.41.166.1
//PAT everything else to the outside interface address
ip nat inside source list 100 interface FastEthernet0/1 overload

//IKE phase 1; same legacy-algorithm caveat as above (3DES, SHA-1, group 2)
crypto isakmp policy 20
 encr 3des
 hash sha
 authentication pre-share
 group 2
//Pre-shared key for peer 210.41.166.123; it must be identical on R2, and "cisco" is a placeholder to replace
crypto isakmp key cisco address 210.41.166.123

//IKE phase 2
crypto ipsec transform-set ccnp esp-3des esp-sha-hmac

//Static crypto map: peer address, transform set and interesting-traffic ACL
crypto map vpn-map 20 ipsec-isakmp
 set peer 210.41.166.123
 set transform-set ccnp
 match address 101

//LAN side
int fa0/0
 ip address 10.0.1.254 255.255.255.0
 ip nat inside

//WAN side; the crypto map must be applied to this interface
int fa0/1
 ip address 210.41.166.124 255.255.255.0
 ip nat outside
 crypto map vpn-map


R2



//Exempt R2-LAN-to-R1-LAN traffic from NAT
access-list 100 deny   ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 100 permit ip any any

//Interesting traffic, the mirror image of R1's ACL 101
access-list 101 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255

//PAT everything else to the outside interface address (no default route is shown for R2; the peer sits on the directly connected 210.41.166.0/24, so the tunnel still comes up, but Internet-bound traffic needs one)
ip nat inside source list 100 interface FastEthernet0/1 overload

//IKE phase 1; must match R1's policy
crypto isakmp policy 20
 encr 3des
 hash sha
 authentication pre-share
 group 2
//Pre-shared key for peer 210.41.166.124; identical to the key configured on R1
crypto isakmp key cisco address 210.41.166.124

//IKE phase 2; the transform set must match R1's
crypto ipsec transform-set ccnp esp-3des esp-sha-hmac

//Static crypto map: peer address, transform set and interesting-traffic ACL
crypto map vpn-map 20 ipsec-isakmp
 set peer 210.41.166.124
 set transform-set ccnp
 match address 101

//LAN side
int fa0/0
 ip address 10.0.2.254 255.255.255.0
 ip nat inside

//WAN side; the crypto map must be applied to this interface
int fa0/1
 ip address 210.41.166.123 255.255.255.0
 ip nat outside
 crypto map vpn-map
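Four things in the two site-to-site configurations above have to agree exactly or the tunnel fails without an obvious error: the crypto ACLs must be mirror images, each router's NAT-exemption deny must cover the same traffic as its crypto ACL (the same rule applies to ACL 100 versus ACL 101 in the client-to-site section), the peer address and the address the pre-shared key is bound to must be the other router's outside address, and the phase-1 and phase-2 parameters must match. The script below is an added example, not part of the original post: it parses the R1 fragment (copied from above, keeping only the lines the checks read and only the outside "ip address" line), derives R2 by swapping the two LANs and the two WAN addresses (which is exactly how the page's R2 differs from R1), and reports any mismatch, plus the legacy algorithms (3DES, SHA-1, DH group 2) the page uses. Field names such as nat_acl and crypto_acl are this script's own.

```python
"""Consistency checks for a pair of IOS site-to-site IPsec peers (added example;
the R1 text is copied from the page, R2 is derived from it by swapping addresses)."""
import re
from ipaddress import IPv4Network

R1 = """
access-list 100 deny   ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
ip nat inside source list 100 interface FastEthernet0/1 overload
crypto isakmp policy 20
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key cisco address 210.41.166.123
crypto ipsec transform-set ccnp esp-3des esp-sha-hmac
crypto map vpn-map 20 ipsec-isakmp
 set peer 210.41.166.123
 set transform-set ccnp
 match address 101
 ip address 210.41.166.124 255.255.255.0
"""

def swap(text, a, b):
    """Exchange every occurrence of a and b in text."""
    return text.replace(a, "@").replace(b, a).replace("@", b)

R2 = swap(swap(R1, "10.0.1.0", "10.0.2.0"), "210.41.166.123", "210.41.166.124")

ACL = re.compile(r"access-list (\d+) (permit|deny)\s+ip (\S+) (\S+) (\S+) (\S+)")
FIELDS = {  # single-valued settings; re.match anchors at the start of the stripped line
    "nat_acl": r"ip nat inside source list (\d+)",
    "encr": r"encr (\S+)", "hash": r"hash (\S+)", "group": r"group (\S+)",
    "psk": r"crypto isakmp key (\S+) address (\S+)",
    "tset": r"crypto ipsec transform-set \S+ (.+)",
    "peer": r"set peer (\S+)", "crypto_acl": r"match address (\d+)",
    "outside": r"ip address (\S+)",
}
LEGACY = {"encr": {"des", "3des"}, "hash": {"md5", "sha"}, "group": {"1", "2", "5"}}
LEGACY_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}

def net(addr, wildcard):
    """IOS address + wildcard mask -> IPv4Network (the wildcard is the inverted netmask)."""
    mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return IPv4Network(f"{addr}/{mask}", strict=False)

def parse(cfg):
    """Collect ACL entries and the crypto/NAT fields the checks need."""
    out = {"acl": {}}
    for line in (l.strip() for l in cfg.splitlines()):
        m = ACL.match(line)
        if m:
            num, action, s, sw, d, dw = m.groups()
            out["acl"].setdefault(num, []).append((action, net(s, sw), net(d, dw)))
            continue
        for key, pat in FIELDS.items():
            m = re.match(pat, line)
            if m:
                out[key] = m.groups() if len(m.groups()) > 1 else m.group(1)
    return out

def entries(cfg, acl, action):
    """(src, dst) network pairs of one ACL with the given action."""
    return {(s, d) for act, s, d in cfg["acl"][acl] if act == action}

def check(a, b, names=("R1", "R2")):
    """Return findings for a peer pair; an empty list means consistent and current."""
    issues = []
    for name, cfg in zip(names, (a, b)):
        # NAT exemption must deny exactly what the crypto ACL permits; otherwise the
        # packets are PAT'd to the outside address first and never match the crypto map.
        if entries(cfg, cfg["nat_acl"], "deny") != entries(cfg, cfg["crypto_acl"], "permit"):
            issues.append(f"{name}: NAT exemption does not match crypto ACL")
        for field, bad in LEGACY.items():
            if cfg[field] in bad:
                issues.append(f"{name}: legacy phase-1 setting '{field} {cfg[field]}'")
        if LEGACY_ESP & set(cfg["tset"].split()):
            issues.append(f"{name}: legacy transform-set '{cfg['tset']}'")
    for x, y, xn, yn in ((a, b, *names), (b, a, *reversed(names))):
        if x["peer"] != y["outside"]:
            issues.append(f"{xn}: set peer {x['peer']} is not {yn}'s outside address")
        if x["psk"][1] != x["peer"]:
            issues.append(f"{xn}: pre-shared key is bound to {x['psk'][1]}, not to the peer")
    if a["psk"][0] != b["psk"][0]:
        issues.append("pre-shared keys differ between the peers")
    # Crypto ACLs must be exact mirror images, or the SA negotiates in one direction only.
    mirrored = {(d, s) for s, d in entries(b, b["crypto_acl"], "permit")}
    if entries(a, a["crypto_acl"], "permit") != mirrored:
        issues.append("crypto ACLs are not mirror images")
    for f in ("encr", "hash", "group", "tset"):
        if a[f] != b[f]:
            issues.append(f"phase-1/phase-2 parameter '{f}' differs between the peers")
    return issues

if __name__ == "__main__":
    for finding in check(parse(R1), parse(R2)):
        print(finding)
```

Run as-is, the page's two configurations come back consistent: the only findings are the legacy-algorithm notes on both routers. Change one octet of the remote LAN in R2's ACL 101 and the mirror-image check fires; change only R2's NAT deny and the NAT-exemption check fires. On a real router the same fields come straight out of `show running-config`, and the check is worth running on both ends before opening a case about a tunnel that "just does not come up".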


OK !!!
