Objective: PC1 and PC2 communicate through a *** tunnel, and PC1 can telnet to R2 remotely through PAT.
1. Build the connections.
pc1
int f 0/0
ip add 192.168.1.2 255.255.255.0
no sh
exit
no ip routing
ip default-gateway 192.168.1.1
pc2
int f 0/0
ip add 192.168.2.2 255.255.255.0
no sh
exit
no ip routing
ip default-gateway 192.168.2.1
R1
int f 0/0
ip add 10.0.0.1 255.255.255.0
no sh
exit
int f 1/0
ip add 192.168.10.2 255.255.255.0
no sh
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
// This ACL defines the private addresses NAT should translate; first deny the addresses that need *** translation
access-list 100 per ip any any
// These are the private addresses that need NAT translation
ip nat inside so li 100 int f 0/0 o
// Enable NAT translation referencing ACL 100; addresses matching ACL 100 are translated
ip nat in so stat udp 192.168.10.1 4500 int f 0/0 4500
ip nat in so stat udp 192.168.10.1 500 int f 0/0 500 (ports 500 and 4500 are the protocol's port numbers: IKE and NAT-T)
Implement NAT-T traversal on router R1
int f 0/0
ip nat outside
int f 1/0
ip nat inside
ip route 0.0.0.0 0.0.0.0 10.0.0.2
ip route 192.168.1.0 255.255.255.0 192.168.10.1
# debug ip nat
R2
int f 0/0
ip add 10.0.0.2 255.255.255.0
no sh
int f 1/0
ip add 10.1.1.2 255.255.255.0
no sh
enab pass 123
line vty 0 4
pass 123
login
ASA1
int e 0/1
ip add 192.168.10.1 255.255.255.0
no shut
nameif outside
secu 0
int e 0/0
ip add 192.168.1.1 255.255.255.0
no sh
nameif inside
secu 100
route outside 0 0 192.168.10.2
cry isa en out
cry isa po 1
en des
gr 2
au pr
hash sha
exit
cry isa key benet-key add 10.1.1.1
access-list 100 per ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
cry ipsec tran benet-set esp-des esp-sha-hmac
cry map benet-map 1 set tran benet-set
cry map benet-map 1 set peer 10.1.1.1
cry map benet-map 1 match add 100
cry map benet-map int outside
ASA2
int e 0/1
ip add 10.1.1.1 255.255.255.0
no sh
nameif outside
secu 0
exit
int e 0/0
ip add 192.168.2.1 255.255.255.0
no sh
nameif inside
secu 100
cry isa en ou
cry isa po 1
en des
gr 2
au pr
hash sha
exit
cry isa key benet-key add 10.0.0.1
access-list 100 per ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
cry ipsec tran benet-set esp-des esp-sha-hmac
cry map benet-map 1 set peer 10.0.0.1
cry map benet-map 1 set tran benet-set
cry map benet-map 1 match add 100
cry map benet-map int outside
route outside 0 0 10.1.1.2
2. Verification.
Start DEBUG on R1 to test whether the setup is correct: when PC1 communicates with PC2, the DEBUG output does not show PC1's real address but the ASA's address; when PC1 telnets remotely to R2, it shows the translation of PC1's real address.
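As an added example (not part of the original lab), here is a small Python model of the NAT decisions R1 makes with ACL 100, the overload rule and the two static UDP entries; it reproduces why the debug shows the ASA's outside address for PC1-to-PC2 traffic but PC1's real address for the telnet to R2. The packets fed to it are constructed, and `next_port` is an assumption standing in for the port PAT would allocate.

```python
import ipaddress

# ACL 100 from R1: (action, src, src_wildcard, dst, dst_wildcard), evaluated top-down
ACL_100 = [
    ("deny",   "192.168.1.0", "0.0.0.255",       "192.168.2.0", "0.0.0.255"),
    ("permit", "0.0.0.0",     "255.255.255.255", "0.0.0.0",     "255.255.255.255"),
]
OUTSIDE_IP = "10.0.0.1"   # R1 f0/0, the address the overload (PAT) rule uses
# ip nat inside source static udp 192.168.10.1 {500,4500} interface f0/0 {500,4500}
STATIC_UDP = {500: "192.168.10.1", 4500: "192.168.10.1"}

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a bit set in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w) == 0

def acl_permits(src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, s, sw, d, dw in ACL_100:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action == "permit"
    return False

def translate_outbound(src, dst, proto, sport, next_port=1024):
    """Inside -> outside: static entries first, then overload if ACL 100 permits.
    Returns the (source address, source port) seen on f0/0."""
    if proto == "udp" and STATIC_UDP.get(sport) == src:
        return (OUTSIDE_IP, sport)        # IKE / NAT-T keep their well-known port
    if acl_permits(src, dst):
        return (OUTSIDE_IP, next_port)    # overload: outside address + new port
    return (src, sport)                   # denied by the ACL -> left untranslated

def translate_inbound(dst, proto, dport):
    """Outside -> inside: only the static UDP 500/4500 entries accept unsolicited
    traffic, which is what lets ASA2 reach ASA1 behind R1. Returns None when no
    translation exists (R1 drops the packet)."""
    if dst == OUTSIDE_IP and proto == "udp" and dport in STATIC_UDP:
        return (STATIC_UDP[dport], dport)
    return None

if __name__ == "__main__":
    # ASA1's NAT-T encapsulated tunnel traffic: R1 shows the ASA, not PC1
    print(translate_outbound("192.168.10.1", "10.1.1.1", "udp", 4500))
    # PC1 telnetting to R2 directly: R1 shows PC1's real address being translated
    print(translate_outbound("192.168.1.2", "10.1.1.2", "tcp", 40000))
```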