背景:你們公司總部在北京,分公司在深圳,假如你你們公司的總部和分公司都只申請了一個可用的公網IP;而總部和分公司之間又經常有敏感的數據傳輸,並且總部和分公司和因工作需要又要求都能上互連網。
目標:如何在實現總部和分公司之間的數據的安全傳輸又同時滿足總部和分公司都能上互連網的需求呢?
NAT和IPSEC***結合使用能夠滿足該公司的需求。
R1
en
config t
no ip http server
no ip domain-loo
line con 0
loggin syn
no exec-t
end
conf t
host R1
int f0/0
ip add 202.0.0.1 255.255.255.0
no shut
exit
int lo0
ip add 1.1.1.1 255.255.255.0
no shut
exit
int lo1
ip add 2.2.2.2 255.255.255.0
no shut
exit
access-list 1 permit 1.1.1.0 0.0.0.255
route-map fornat permit 10
match ip add 1
exit
ip nat inside source route-map fornat interface f0/0 overload --定義允許進行NAT的流量和公網地址之間的映射
int f0/0
ip nat outside
exit
int lo1
ip nat inside
exit
ip route 0.0.0.0 0.0.0.0 f0/0
crypto isakmp enable --啓用IKE
crypto isakmp policy 10 --建立IKE策略;根據具體安全要求可以建立多個IKE策略
hash md5 --密鑰認證所用的算法有MD5和SHA-1兩種,後者的安全行更高
authentication pre-share --使用手工指定的共享密碼
encryption des --加密密鑰所用的算法,如對安全性要求教高的話,可以用3DES加密算法
exit
crypto isakmp key 0 qqq111,,, address 203.0.0.1 --設置共享密鑰和對端IP
crypto ipsec transform-set for*** esp-des esp-md5-hmac --配置IPSEC的傳輸模式
exit
crypto ipsec profile site2site --配置保密圖
set transform-set for***
interface tunnel 0 --把保密圖應用到端口上
ip add 5.5.5.5 255.255.255.0
tunnel source f0/0
tunnel destination 203.0.0.1
tunnel protection ipsec profile site2site
no shut
exit
router ospf 100
network 1.1.1.1 0.0.0.0 area 0
network 2.2.2.2 0.0.0.0 area 0
network 5.5.5.5 0.0.0.0 area 0
en
config t
no ip http server
no ip domain-loo
line con 0
loggin syn
no exec-t
end
conf t
host R1
int f0/0
ip add 202.0.0.1 255.255.255.0
no shut
exit
int lo0
ip add 1.1.1.1 255.255.255.0
no shut
exit
int lo1
ip add 2.2.2.2 255.255.255.0
no shut
exit
access-list 1 permit 1.1.1.0 0.0.0.255
route-map fornat permit 10
match ip add 1
exit
ip nat inside source route-map fornat interface f0/0 overload --定義允許進行NAT的流量和公網地址之間的映射
int f0/0
ip nat outside
exit
int lo1
ip nat inside
exit
ip route 0.0.0.0 0.0.0.0 f0/0
crypto isakmp enable --啓用IKE
crypto isakmp policy 10 --建立IKE策略;根據具體安全要求可以建立多個IKE策略
hash md5 --密鑰認證所用的算法有MD5和SHA-1兩種,後者的安全行更高
authentication pre-share --使用手工指定的共享密碼
encryption des --加密密鑰所用的算法,如對安全性要求教高的話,可以用3DES加密算法
exit
crypto isakmp key 0 qqq111,,, address 203.0.0.1 --設置共享密鑰和對端IP
crypto ipsec transform-set for*** esp-des esp-md5-hmac --配置IPSEC的傳輸模式
exit
crypto ipsec profile site2site --配置保密圖
set transform-set for***
interface tunnel 0 --把保密圖應用到端口上
ip add 5.5.5.5 255.255.255.0
tunnel source f0/0
tunnel destination 203.0.0.1
tunnel protection ipsec profile site2site
no shut
exit
router ospf 100
network 1.1.1.1 0.0.0.0 area 0
network 2.2.2.2 0.0.0.0 area 0
network 5.5.5.5 0.0.0.0 area 0
R3
en
config t
no ip http server
no ip domain-loo
line con 0
loggin syn
no exec-t
end
conf t
host R3
int f0/0
ip add 203.0.0.1 255.255.255.0
no shut
exit
int lo0
ip add 3.3.3.3 255.255.255.0
no shut
exit
int lo1
ip add 4.4.4.4 255.255.255.0
no shut
exit
access-list 1 permit 3.3.3.0 0.0.0.255
route-map fornat permit 10
match ip add 1
exit
ip nat inside source route-map fornat interface f0/0 overload
int f0/0
ip nat outside
exit
int lo1
ip nat inside
exit
ip route 0.0.0.0 0.0.0.0 f0/0
crypto isakmp enable
crypto isakmp policy 10
hash md5
authentication pre-share
encryption des
exit
crypto isakmp key 0 qqq111,,, address 202.0.0.1
crypto ipsec transform-set for*** esp-des esp-md5-hmac
exit
crypto ipsec profile site2site
set transform-set for***
interface tunnel 0
ip add 5.5.5.6 255.255.255.0
tunnel source f0/0
tunnel destination 202.0.0.1
tunnel protection ipsec profile site2site
no shut
exit
router ospf 100
network 3.3.3.3 0.0.0.0 area 0
network 4.4.4.4 0.0.0.0 area 0
network 5.5.5.6 0.0.0.0 area 0
en
config t
no ip http server
no ip domain-loo
line con 0
loggin syn
no exec-t
end
conf t
host R3
int f0/0
ip add 203.0.0.1 255.255.255.0
no shut
exit
int lo0
ip add 3.3.3.3 255.255.255.0
no shut
exit
int lo1
ip add 4.4.4.4 255.255.255.0
no shut
exit
access-list 1 permit 3.3.3.0 0.0.0.255
route-map fornat permit 10
match ip add 1
exit
ip nat inside source route-map fornat interface f0/0 overload
int f0/0
ip nat outside
exit
int lo1
ip nat inside
exit
ip route 0.0.0.0 0.0.0.0 f0/0
crypto isakmp enable
crypto isakmp policy 10
hash md5
authentication pre-share
encryption des
exit
crypto isakmp key 0 qqq111,,, address 202.0.0.1
crypto ipsec transform-set for*** esp-des esp-md5-hmac
exit
crypto ipsec profile site2site
set transform-set for***
interface tunnel 0
ip add 5.5.5.6 255.255.255.0
tunnel source f0/0
tunnel destination 202.0.0.1
tunnel protection ipsec profile site2site
no shut
exit
router ospf 100
network 3.3.3.3 0.0.0.0 area 0
network 4.4.4.4 0.0.0.0 area 0
network 5.5.5.6 0.0.0.0 area 0
結語:經過配置之後,既能滿足總部和分公司之間數據的安全傳輸,又能滿足,總部,分公司訪問互連網。