Branch L2L VPN to headquarters, then PAT over the leased line to the partner

1. Overview:
A reader raised this question in a blog comment; after a phone call, the situation turned out to be roughly:
A. Headquarters has a leased line to a partner.
B. It is inconvenient for the partner side to add a return route, so headquarters PATs its traffic when accessing the partner.
C. The branch should now connect to headquarters over an L2L VPN and then be PATed across the headquarters leased line to the partner.
2. Basic approach:
A. If the partner can add a return route, simply treat the partner as part of the headquarters internal network; no PAT is needed.
B. For the branch to reach the partner over the headquarters leased line after the VPN connection to headquarters, configure a loopback interface on the headquarters router, apply policy routing on the public-facing interface to steer branch-to-partner traffic to the loopback, and PAT it there.
3. Test topology:
(Topology diagram image: 085700438.jpg. From the configurations below: Branch_Inside 10.1.1.1 - Branch 10.1.1.2/202.100.1.2 - Internet 202.100.1.3/202.100.2.3 - Center 202.100.2.4/192.168.1.4 - Center_Inside 192.168.1.5; Center's Ethernet0/2 172.16.1.2 connects over the leased line to Partner 172.16.1.1, whose Loopback0 is 160.1.1.6.)
4. Basic configuration:
A. Branch_Inside router:
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.2
B. Branch router:
interface Ethernet0/0
ip address 10.1.1.2 255.255.255.0
ip nat inside
no shut
interface Ethernet0/1
ip address 202.100.1.2 255.255.255.0
ip nat outside
no shut
ip route 0.0.0.0 0.0.0.0 202.100.1.3
ip access-list extended PAT
deny ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 10.1.1.0 0.0.0.255 160.1.1.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 any
ip nat inside source list PAT interface Ethernet0/1 overload
C. Internet router:
interface Ethernet0/0
ip address 202.100.1.3 255.255.255.0
no shut
interface Ethernet0/1
ip address 202.100.2.3 255.255.255.0
no shut
D. Center router:
interface Ethernet0/0
ip address 192.168.1.4 255.255.255.0
ip nat inside
interface Ethernet0/1
ip address 202.100.2.4 255.255.255.0
ip nat outside
no shut
interface Ethernet0/2
ip address 172.16.1.2 255.255.255.252
no shut
ip route 0.0.0.0 0.0.0.0 202.100.2.3
ip route 160.1.1.0 255.255.255.0 172.16.1.1
ip access-list extended PAT
deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 160.1.1.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list PAT interface Ethernet0/1 overload
E. Center_Inside router:
interface Ethernet0/0
ip address 192.168.1.5 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 192.168.1.4
F. Partner router:
interface Loopback0
ip address 160.1.1.6 255.255.255.0
interface Ethernet0/0
ip address 172.16.1.1 255.255.255.252
no shut
---- Note: no routes are configured on the Partner router, so it can only reply to addresses on its directly connected 172.16.1.0/30 link.
5. PAT configuration for the headquarters internal network to the partner:
A. Configuration (on the Center router):
interface Ethernet0/0
ip nat enable
interface Ethernet0/2
ip nat enable
ip access-list extended Center-to-partner-PAT
permit ip 192.168.1.0 0.0.0.255 160.1.1.0 0.0.0.255
ip nat source list Center-to-partner-PAT interface Ethernet0/2 overload
B. Verification (the telnet session from Center_Inside shows up on the Partner with the PATed source 172.16.1.2):
Center_Inside#telnet 160.1.1.6
Trying 160.1.1.6 ... Open


User Access Verification

Password:
Partner>show users
Line User Host(s) Idle Location
0 con 0 idle 00:00:42
*130 vty 0 idle 00:00:00
172.16.1.2

Interface User Mode Idle Peer Address

Partner>
6. Branch-to-headquarters L2L VPN configuration:
A. Branch router:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 202.100.2.4
crypto ipsec transform-set transet esp-des esp-md5-hmac
ip access-list extended ***
permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 160.1.1.0 0.0.0.255
crypto map crymap 10 ipsec-isakmp
set peer 202.100.2.4
set transform-set transet
match address ***
interface Ethernet0/1
crypto map crymap
B. Center router:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 202.100.1.2
crypto ipsec transform-set transet esp-des esp-md5-hmac
ip access-list extended ***
permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip 160.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
crypto map crymap 10 ipsec-isakmp
set peer 202.100.1.2
set transform-set transet
match address ***
interface Ethernet0/1
crypto map crymap
C. Verification:
Branch_Inside#ping 192.168.1.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 120/182/264 ms
Branch_Inside#
Center_Inside#
*Mar 1 10:07:25.293: ICMP: echo reply sent, src 192.168.1.5, dst 10.1.1.1
*Mar 1 10:07:25.561: ICMP: echo reply sent, src 192.168.1.5, dst 10.1.1.1
*Mar 1 10:07:25.701: ICMP: echo reply sent, src 192.168.1.5, dst 10.1.1.1
*Mar 1 10:07:25.809: ICMP: echo reply sent, src 192.168.1.5, dst 10.1.1.1
7. Configure PAT from the branch to the partner:
----- Everything in this section is configured on the Center router
A. Add a loopback interface:
interface Loopback0
ip address 100.1.1.1 255.255.255.0
B. Configure policy routing to steer the branch-to-partner traffic to the loopback interface:
ip access-list extended Branch-to-partner
permit ip 10.1.1.0 0.0.0.255 160.1.1.0 0.0.0.255
route-map Branch-to-partner permit 10
match ip address Branch-to-partner
set ip next-hop 100.1.1.2
interface Ethernet0/1
ip policy route-map Branch-to-partner
--- Note: the next-hop address is any other address on the loopback's directly connected subnet, not the loopback interface's own address; the route-map is applied on the VPN crypto-endpoint interface, where the decrypted branch traffic enters.
C. Configure PAT (NVI-style NAT on the loopback and the leased-line interface):
interface Loopback0
ip nat enable
interface Ethernet0/2
ip nat enable
ip nat source list Branch-to-partner interface Ethernet0/2 overload
D. Verification (the branch host's telnet session now also reaches the Partner with source 172.16.1.2):
Branch_Inside#telnet 160.1.1.6
Trying 160.1.1.6 ... Open


User Access Verification

Password:
Partner>show users
Line User Host(s) Idle Location
0 con 0 idle 09:00:47
*130 vty 0 idle 00:00:00
172.16.1.2

Interface User Mode Idle Peer Address

Partner>
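As an added illustration (not part of the original post), the following Python script models how the Center router's ACLs from this page classify a flow and which source address the flow leaves with. The order of checks is a simplification of the real IOS processing order, and the flow addresses used for testing are constructed.

```python
import ipaddress

# Added example: a model of the Center router's ACL decisions on this page.
# It is not IOS; real PBR/NAT/crypto ordering is more involved.

def wc_match(addr, network, wildcard):
    """Cisco wildcard-mask match: a set bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (n | w)

ANY = ("0.0.0.0", "255.255.255.255")
CENTER_LAN = ("192.168.1.0", "0.0.0.255")
BRANCH_LAN = ("10.1.1.0", "0.0.0.255")
PARTNER = ("160.1.1.0", "0.0.0.255")

# The four ACLs configured on the Center router in the post.
ACL_VPN = [("permit", CENTER_LAN, BRANCH_LAN), ("permit", PARTNER, BRANCH_LAN)]
ACL_BRANCH_TO_PARTNER = [("permit", BRANCH_LAN, PARTNER)]
ACL_CENTER_TO_PARTNER = [("permit", CENTER_LAN, PARTNER)]
ACL_PAT = [("deny", CENTER_LAN, BRANCH_LAN), ("deny", CENTER_LAN, PARTNER),
           ("permit", CENTER_LAN, ANY)]

def acl_permits(acl, src, dst):
    """First-match evaluation; an unmatched packet hits the implicit deny."""
    for action, (snet, swc), (dnet, dwc) in acl:
        if wc_match(src, snet, swc) and wc_match(dst, dnet, dwc):
            return action == "permit"
    return False

def center_forward(src, dst):
    """Return (source address on the wire, egress path) for a flow leaving Center."""
    if acl_permits(ACL_VPN, src, dst):
        # Crypto-map interesting traffic: the PAT list denies it, so it is not translated
        return src, "Ethernet0/1 (IPsec tunnel)"
    if acl_permits(ACL_BRANCH_TO_PARTNER, src, dst):
        # Decrypted branch traffic: PBR on e0/1 sends it to Loopback0, NVI PAT to e0/2
        return "172.16.1.2", "Loopback0 -> Ethernet0/2 (leased line)"
    if acl_permits(ACL_CENTER_TO_PARTNER, src, dst):
        return "172.16.1.2", "Ethernet0/2 (leased line)"
    if acl_permits(ACL_PAT, src, dst):
        return "202.100.2.4", "Ethernet0/1 (Internet)"
    return src, "routed unchanged"
```

Dropping the two deny lines from ACL_PAT makes headquarters-to-branch traffic match the overload translation, which is the classic way a PAT list silently breaks an L2L tunnel.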