NAT+IPSec ***

實驗拓撲圖:

 

實驗環境配置說明:

NAME   IP/CIDR              GATEWAY          
PC1    192.168.1.2/24       192.168.1.1      

PC2    192.168.2.2/24       192.168.2.1      
PC3    192.168.3.2/24       192.168.3.1      
PC4    40.0.0.2/24             40.0.0.1 

 

PC1模擬總公司LAN;PC2和PC3模擬分公司LAN;PC4模擬互聯網中的服務器.

R1,R2,R3模擬公司的出口路由;R4模擬互聯網.

 

實驗結果要求：

PC1能通過***能ping通PC2和PC3

PC1,PC2,PC3通過NAT端口轉換能ping通PC4

==================================R1配置========================

Router>en
Router#conf terminal
Router(config)#no ip domain-lookup
Router(config)#hostname r1
r1(config)#line console 0
r1(config-line)#no exec-timeout
r1(config-line)#logg synchronous
r1(config-line)#exit
r1(config)#interface f0/0
r1(config-if)#ip address 192.168.1.1 255.255.255.0
r1(config-if)#no shutdown
r1(config-if)#exit
r1(config)#interface serial 1/1
r1(config-if)#ip address 10.0.0.2 255.255.255.0
r1(config-if)#encapsulation ppp
r1(config-if)#no shutdown
r1(config)#ip route 0.0.0.0 0.0.0.0 s1/1
r1(config)#$ 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255         //NAT部分
r1(config)#$ 100 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
r1(config)#access-list 100 permit ip any any
r1(config)#ip nat inside source list 100 interface s1/1 overload         

r1(config)#interface f0/0
r1(config-if)#ip nat inside
r1(config-if)#exit
r1(config)#interface s1/1
r1(config-if)#ip nat outside
r1(config-if)#exit

 

r1(config)#crypto isakmp policy 10                                              //***部分
r1(config-isakmp)#hash md5
r1(config-isakmp)#group 5
r1(config-isakmp)#authentication pre-share
r1(config-isakmp)#lifetime 3600
r1(config-isakmp)#exit
r1(config)#crypto isakmp key passwd address 20.0.0.2
r1(config)#crypto isakmp key password address 30.0.0.2
r1(config)#crypto ipsec transform-set leaf ah-md5-hmac esp-3des esp-md5-hmac
r1(cfg-crypto-trans)#mode tunnel
r1(config)#access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
r1(config)#access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
r1(config)#crypto map *** 10 ipsec-isakmp
r1(config-crypto-map)#set peer 20.0.0.2
r1(config-crypto-map)#set transform-set leaf
r1(config-crypto-map)#match address 101
r1(config-crypto-map)#exit
r1(config)#crypto map *** 11 ipsec-isakmp
r1(config-crypto-map)#set peer 30.0.0.2
r1(config-crypto-map)#set transform-set leaf
r1(config-crypto-map)#match address 102
r1(config-crypto-map)#exit
r1(config)#interface s1/1
r1(config-if)#crypto map ***
r1(config-if)#exit

 

 

 

==============================R2配置============================
Router>en
Router#conf terminal
Router(config)#no ip domain-lookup
Router(config)#hostname r1
r2(config)#line console 0
r2(config-line)#no exec-timeout
r2(config-line)#logg synchronous
r2(config-line)#exit
r2(config)#interface f0/0
r2(config-if)#ip address 192.168.2.1 255.255.255.0
r2(config-if)#no shutdown
r2(config-if)#exit
r2(config)#interface s1/2
r2(config-if)#ip address 20.0.0.2 255.255.255.0
r2(config-if)#encapsulation ppp
r2(config-if)#no shutdown
r2(config)#ip route 0.0.0.0 0.0.0.0 s1/2
r2(config)#access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
r2(config)#access-list 100 permit ip any any
r2(config)#ip nat inside source list 100 interface s1/2 overload
r2(config)#interface s1/2
r2(config-if)#ip nat outside
r2(config-if)#exit
r2(config)#interface f0/0
r2(config-if)#ip nat inside
r2(config-if)#exit

                  
r2(config)#crypto isakmp policy 10                                  //***部分
r2(config-isakmp)#hash md5
r2(config-isakmp)#authentication pre-share
r2(config-isakmp)#group 5
r2(config-isakmp)#lifetime 3600
r2(config-isakmp)#exit
r2(config)#crypto isakmp key passwd address 10.0.0.2
r2(config)#crypto ipsec transform-set li ah-md5-hmac esp-3des esp-md5-hmac
r2(cfg-crypto-trans)#mode tunnel
r2(config)#access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
r2(config)#crypto map *** 10 ipsec-isakmp
r2(config-crypto-map)#set peer 10.0.0.2
r2(config-crypto-map)#set transform-set li
r2(config-crypto-map)#match address 101
r2(config-crypto-map)#exit
r2(config)#interface s1/2
r2(config-if)#crypto map ***
r2(config-if)#exit

=======================R3配置====================================
Router>en
Router#conf terminal
Router(config)#no ip domain-lookup
Router(config)#hostname r1
r3(config)#line console 0
r3(config-line)#no exec-timeout
r3(config-line)#logg synchronous
r3(config-line)#exit
r3(config)#interface f0/0
r3(config-if)#ip address 192.168.3.1 255.255.255.0
r3(config-if)#no shutdown
r3(config-if)#exit
r3(config)#interface s1/3
r3(config-if)#ip address 30.0.0.2 255.255.255.0
r3(config-if)#encapsulation ppp
r3(config-if)#no shutdown
r3(config-if)#exit
r3(config)#ip route 0.0.0.0 0.0.0.0 s1/3
r3(config)#access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255     //NAT部分
r3(config)#access-list 100 permit ip any any
r3(config)#ip nat inside source list 100 interface s1/3 overload
r3(config)#interface s1/3
r3(config-if)#ip nat outside
r3(config-if)#exit
r3(config)#interface f0/0
r3(config-if)#ip nat inside
r3(config-if)#exit

r3(config)#crypto isakmp policy 10
r3(config-isakmp)#hash md5
r3(config-isakmp)#authentication pre-share
r3(config-isakmp)#lifetime 3600
r3(config-isakmp)#group 5
r3(config-isakmp)#exit
r3(config)#crypto isakmp key password address 10.0.0.2
r3(config)#crypto ipsec transform-set kun ah-md5-hmac esp-3des esp-md5-hmac
r3(cfg-crypto-trans)#mode tunnel
r3(config)#access-list 102 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
r3(config)#crypto map *** 10 ipsec-isakmp
r3(config-crypto-map)#set peer 10.0.0.2
r3(config-crypto-map)#set transform-set kun
r3(config-crypto-map)#match address 102
r3(config-crypto-map)#exit
r3(config)#interface s1/3
r3(config-if)#crypto map ***
r3(config-if)#exit

====================R4配置=======================================
Router>en
Router#conf terminal
Router(config)#no ip domain-lookup
Router(config)#hostname r1
r4(config)#line console 0
r4config-line)#no exec-timeout
r4(config-line)#logg synchronous
r4(config-line)#exit
r4(config)#interface f0/0
r4(config-if)#ip address 40.0.0.1 255.255.255.0
r4(config-if)#no shutdown
r4(config-if)#exit
r4(config)#interface s1/1
r4(config-if)#ip address 10.0.0.1 255.255.255.0
r4(config-if)#encapsulation ppp
r4(config-if)#clock rate 64000
r4(config-if)#no shutdown
r4(config-if)#exit
r4(config)#interface s1/2
r4(config-if)#ip address 20.0.0.1 255.255.255.0
r4(config-if)#encapsulation ppp
r4(config-if)#clock rate 64000
r4(config-if)#no shutdown
r4(config-if)#exit
r4(config)#interface s1/3
r4(config-if)#ip address 30.0.0.1 255.255.255.0
r4(config-if)#encapsulation ppp
r4(config-if)#clock rate 64000
r4(config-if)#no shutdown
r4(config-if)#exit

 

==========================測試================================

使用PC1測試:

 

VPCS 1 >ping 192.168.2.2
192.168.2.2 icmp_seq=1 time=219.000 ms
192.168.2.2 icmp_seq=2 time=125.000 ms
192.168.2.2 icmp_seq=3 time=125.000 ms
192.168.2.2 icmp_seq=4 time=156.000 ms
192.168.2.2 icmp_seq=5 time=109.000 ms

VPCS 1 >ping 192.168.3.2
192.168.3.2 icmp_seq=1 time=172.000 ms
192.168.3.2 icmp_seq=2 time=156.000 ms
192.168.3.2 icmp_seq=3 time=125.000 ms
192.168.3.2 icmp_seq=4 time=63.000 ms
192.168.3.2 icmp_seq=5 time=156.000 ms

VPCS 1 >ping 40.0.0.2
40.0.0.2 icmp_seq=1 time=78.000 ms
40.0.0.2 icmp_seq=2 time=78.000 ms
40.0.0.2 icmp_seq=3 time=109.000 ms
40.0.0.2 icmp_seq=4 time=93.000 ms
40.0.0.2 icmp_seq=5 time=78.000 ms        

 

使用PC2測試:

 

VPCS 2 >ping 40.0.0.2
40.0.0.2 icmp_seq=1 time=141.000 ms
40.0.0.2 icmp_seq=2 time=94.000 ms
40.0.0.2 icmp_seq=3 time=93.000 ms
40.0.0.2 icmp_seq=4 time=110.000 ms
40.0.0.2 icmp_seq=5 time=78.000 ms

 

使用PC3測試:

VPCS 3 >ping 40.0.0.2
40.0.0.2 icmp_seq=1 time=125.000 ms
40.0.0.2 icmp_seq=2 time=94.000 ms
40.0.0.2 icmp_seq=3 time=125.000 ms
40.0.0.2 icmp_seq=4 time=109.000 ms
40.0.0.2 icmp_seq=5 time=125.000 ms