ADSL PPPoE + NAT + mGRE + NHRP + EIGRP + IPsec *** + PPTP ***: Building a DM*** for Full-Network Connectivity Between Dynamic IPs (Part 1)

Network topology diagram

Case objectives:

1. The OPE Group is expanding its network. It has offices in Hong Kong, Shenzhen, Shanghai and Beijing; the servers and voice services are at the Shenzhen headquarters, while the email, web and similar servers are in Hong Kong. The internal network of every office must be able to reach the internal services; the voice system uses IP telephony, so calls between sites are free.

2. As shown in the diagram above, only the Hong Kong office has a fixed IP; the other three sites use ADSL PPPoE dial-up and receive dynamic IP addresses.

3. Based on the requirements above, build the site-to-site IPsec *** so that the whole internal network is reachable from every site.

Configuration

datetime msec
no service password-encryption
!
hostname HKRouter
!
boot-start-marker
boot system flash c2800nm-advsecurityk9-mz.124-24.T2.bin
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
enable secret 5 $1$l0tK$ChTw8WdhXe1BnBIXc4ETo1
!
no aaa new-model
!
no dot11 syslog
no ip source-route
!
!
ip cef
!--- Create the DHCP service for the Hong Kong site
no ip dhcp use vrf connected
ip dhcp excluded-address 20.89.5.1 20.89.5.255
ip dhcp excluded-address 20.89.4.0
ip dhcp excluded-address 20.89.0.1 20.89.3.255
!
ip dhcp pool OPEhkDHCP
 network 20.89.0.0 255.255.0.0
 dns-server 20.89.1.1
 default-router 20.89.1.1
 option 156 ascii "ftpservers=20.88.2.2,country=1,language=1,layer2tagging=0,vlanid=0"
 option 4 ip 20.88.2.1
 lease 30
!
!--- Specify the DNS server addresses for the Hong Kong router
ip name-server 203.186.94.22
ip name-server 203.80.96.33
!
multilink bundle-name authenticated
!--- Only the Hong Kong router has a fixed IP, so the PPTP *** service is built here
!
vpdn enable
!
vpdn-group 15
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
!
!
!
!
!
username hkrouter privilege 15 secret 5 $1$x09g$2RA3BVbv/yn/UMaMxHHIe/
username AAAAA password 0 AAAAA
username BBBBB password 0 BBBBB
archive
 log config
  hidekeys
!
!
!--- Configure the IPsec *** service
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto ipsec profile Cisco
 set security-association lifetime seconds 120
 set transform-set strong
!
!
!
!
!
!
!--- Hong Kong acts as the DM*** hub (main server); it is the only site with a fixed IP
interface Tunnel1
 ip address 20.90.1.1 255.255.0.0
 no ip redirects
 ip mtu 1440
 no ip next-hop-self eigrp 1
 ip nhrp authentication 12345678
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 no ip split-horizon eigrp 1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile Cisco
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
 ip address 50.1.1.1 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 20.89.1.2 255.255.0.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
!--- Hong Kong acts as the PPTP *** server
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 peer default ip address pool PPTPDHCP
 no keepalive
 ppp encrypt mppe auto
 ppp authentication pap chap ms-chap
!
router eigrp 1
 network 20.89.0.0 0.0.255.255
 network 20.90.0.0 0.0.255.255
 no auto-summary
!
ip local pool PPTPDHCP 20.90.2.1 20.90.2.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 50.1.1.2
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 20.0.0.0 0.255.255.255
!
!
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN
CREDENTIALS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
 password cisco
 login
line aux 0
line vty 0 4
 privilege level 15
 password cisco
 login
 transport input telnet
!
scheduler allocate 20000 1000
end
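The hub above only makes sense together with a spoke, so here is a matching spoke configuration for one of the ADSL sites, added as an example and not taken from the original post. It assumes the Shenzhen site with LAN 20.88.0.0/16 (the hub's DHCP options already point at 20.88.x.x), FastEthernet0/0 facing the ADSL modem, tunnel address 20.90.1.2, and placeholder PPPoE credentials. The spoke maps the hub's tunnel address 20.90.1.1 to its fixed public address 50.1.1.1 and registers its own current dynamic address with that next-hop server, which is what lets the hub's "ip nhrp map multicast dynamic" learn each spoke; the ISAKMP policy, pre-shared key, transform set and tunnel key must be identical to the hub's.

```cisco
!--- ISAKMP/IPsec parameters identical to the hub (policy, PSK, transform set)
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto ipsec profile Cisco
 set transform-set strong
!
!--- PPPoE client towards the ADSL modem; the public address is negotiated (dynamic)
interface FastEthernet0/0
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname PPPOE-USERNAME
 ppp chap password 0 PPPOE-PASSWORD
!
!--- mGRE spoke: the hub's tunnel IP 20.90.1.1 is statically mapped to its fixed
!--- NBMA address 50.1.1.1 and used as NHS; "registration no-unique" lets the spoke
!--- re-register after its PPPoE address changes, before the old entry times out
interface Tunnel1
 ip address 20.90.1.2 255.255.0.0
 ip mtu 1440
 ip nhrp authentication 12345678
 ip nhrp map 20.90.1.1 50.1.1.1
 ip nhrp map multicast 50.1.1.1
 ip nhrp network-id 1
 ip nhrp nhs 20.90.1.1
 ip nhrp registration no-unique
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile Cisco
!
!--- Shenzhen LAN (assumed 20.88.0.0/16), advertised to the hub through the tunnel
interface FastEthernet0/1
 ip address 20.88.1.1 255.255.0.0
!
router eigrp 1
 network 20.88.0.0 0.0.255.255
 network 20.90.0.0 0.0.255.255
 no auto-summary
ip route 0.0.0.0 0.0.0.0 Dialer1
```

Once the PPPoE session is up, "show ip nhrp" on the hub should list the spoke's tunnel address together with the dynamic NBMA address it registered, and "show ip eigrp neighbors" should show the adjacency over Tunnel1.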
