Configuring a VPN on Routers

Lab environment
Dynamips emulator
Cisco IOS Software, 3700 Software (C3745-ADVIPSERVICESK9-M), Version 12.4(4)T, RELEASE SOFTWARE (fc1)
 
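Topology
As shown in the figure below, R1 and R3 are the two peer devices of the VPN tunnel.
R1's loop 0 simulates the terminal pc1 and represents the VPN internal network 172.16.1.0 connected to R1.
R4 simulates the terminal pc4 and serves as the test machine.
The network between R5 f1/5 and R3 f1/5 represents the VPN internal network 172.16.5.0.
R5's loop 0 simulates the terminal pc5 and represents the office internal network 192.168.5.0 connected to R5.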
 

 
 
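Lab requirements
Interconnect the subnets within the 172.16.0.0 range (in this example the three subnets 172.16.1.0, 172.16.4.0 and 172.16.5.0).
In addition, the 192.168.5.0 internal network must be able to reach the 172.16.0.0 subnets.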
 
 
Procedure
 
1. Basic configuration
Configure IP addresses on the connected ports of each router. R3 is used as the example here:
R3(config)#int f1/2
R3(config-if)#no switchport 
R3(config-if)#ip add 23.1.1.3 255.255.255.0
R3(config-if)#no shut
R3(config-if)#int f1/4 
R3(config-if)#no switchport 
R3(config-if)#ip add 172.16.4.3 255.255.255.0
R3(config-if)#no shut
R3(config-if)#int f1/5
R3(config-if)#no switchport 
R3(config-if)#ip add 172.16.5.3 255.255.255.0
R3(config-if)#no shut
R3(config-if)#exit
 
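Use the ping command to confirm that the directly connected ports of the routers can reach each other. At this point, nothing beyond the directly connected router is reachable.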
 
 
2. Configure routing on R1 and R3
Configure a default route on R1 and on R3:
R1
R1(config)#ip route 0.0.0.0 0.0.0.0 12.1.1.2
R3
R3(config)#ip route 0.0.0.0 0.0.0.0 23.1.1.2
 
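Once this is configured, R1 and R3 can reach each other.
 
3. Configure the VPN tunnel on R1 and R3
Configuration on R1, with the peer IP set to the address of the f1/2 port on R3: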
R1(config)#crypto isakmp enable
R1(config)#crypto isakmp policy 100
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption des
R1(config-isakmp)#group 1
R1(config-isakmp)#hash md5
R1(config-isakmp)#lifetime 86400
R1(config-isakmp)#exit
R1(config)#
R1(config)#crypto isakmp identity address
R1(config)#crypto isakmp key cisco123 address 23.1.1.3
R1(config)#crypto ipsec transform-set r1set esp-des esp-md5-hmac
R1(cfg-crypto-trans)#exit
R1(config)#
R1(config)#access-list 110 permit ip 172.16.1.0 0.0.0.255 172.16.4.0 0.0.0.255
R1(config)#access-list 110 permit ip 172.16.1.0 0.0.0.255 172.16.5.0 0.0.0.255
R1(config)#access-list 110 permit ip 172.16.4.0 0.0.0.255 172.16.1.0 0.0.0.255
R1(config)#access-list 110 permit ip 172.16.5.0 0.0.0.255 172.16.1.0 0.0.0.255
R1(config)#
R1(config)#crypto map r1map 100 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R1(config-crypto-map)#match address 110
R1(config-crypto-map)#set peer 23.1.1.3
R1(config-crypto-map)#set transform-set r1set
R1(config-crypto-map)#set security-association lifetime kilobytes 86400
R1(config-crypto-map)#set pfs group1
R1(config-crypto-map)#exit
R1(config)#
R1(config)#int f1/1
R1(config-if)#no ip mroute-cache
R1(config-if)#no fair-queue
R1(config-if)#crypto map r1map
R1(config-if)#exit
R1(config)#
*Mar  1 02:12:00.819: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
 
Configuration on R3, which is essentially the same as on R1, with the peer IP set to the address of the f1/1 port on R1:
R3(config)#crypto isakmp enable
R3(config)#crypto isakmp policy 100
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#encryption des
R3(config-isakmp)#group 1
R3(config-isakmp)#hash md5
R3(config-isakmp)#lifetime 86400
R3(config-isakmp)#exit
R3(config)#
R3(config)#crypto isakmp identity address
R3(config)#crypto isakmp key cisco123 address 12.1.1.1
R3(config)#crypto ipsec transform-set r3set esp-des esp-md5-hmac
R3(cfg-crypto-trans)#exit
R3(config)#
R3(config)#access-list 110 permit ip 172.16.1.0 0.0.0.255 172.16.4.0 0.0.0.255
R3(config)#access-list 110 permit ip 172.16.1.0 0.0.0.255 172.16.5.0 0.0.0.255
R3(config)#access-list 110 permit ip 172.16.4.0 0.0.0.255 172.16.1.0 0.0.0.255
R3(config)#access-list 110 permit ip 172.16.5.0 0.0.0.255 172.16.1.0 0.0.0.255
R3(config)#
R3(config)#crypto map r3map 100 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R3(config-crypto-map)#match address 110
R3(config-crypto-map)#set peer 12.1.1.1
R3(config-crypto-map)#set transform-set r3set
R3(config-crypto-map)#set security-association lifetime kilobytes 86400
R3(config-crypto-map)#set pfs group1
R3(config-crypto-map)#exit
R3(config)#
R3(config)#int f1/2
R3(config-if)#no ip mroute-cache
R3(config-if)#no fair-queue
R3(config-if)#crypto map r3map
R3(config-if)#exit
R3(config)#
*Mar  1 02:12:37.863: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
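
The policy entered above uses single DES, MD5 and Diffie-Hellman group 1 for both IKE and ESP, plus a short pre-shared key. The following audit script is an added example, not part of the original post: it runs over the R1 commands copied from this step and reports each weak setting. The rule list, the function name `audit` and the `MIN_KEY_LEN` threshold are this example's own assumptions.

```python
import re

# Commands copied from the R1 session in step 3 of this page.
R1_SESSION = """\
R1(config)#crypto isakmp policy 100
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption des
R1(config-isakmp)#group 1
R1(config-isakmp)#hash md5
R1(config)#crypto isakmp key cisco123 address 23.1.1.3
R1(config)#crypto ipsec transform-set r1set esp-des esp-md5-hmac
R1(config-crypto-map)#set pfs group1
"""

# Strips an IOS prompt such as "R1(config-isakmp)#" from a pasted session line.
PROMPT = re.compile(r"^[\w-]+(\([\w-]+\))?#\s*")

# (pattern, finding) pairs; what counts as weak here is this example's choice.
RULES = [
    (re.compile(r"^encryption des$"), "IKE phase 1 uses single DES (56-bit key)"),
    (re.compile(r"^hash md5$"), "IKE phase 1 uses MD5"),
    (re.compile(r"^group 1$"), "IKE phase 1 uses 768-bit DH group 1"),
    (re.compile(r"^crypto ipsec transform-set .*\besp-des\b"), "ESP uses single DES"),
    (re.compile(r"^crypto ipsec transform-set .*\besp-md5-hmac\b"), "ESP uses HMAC-MD5"),
    (re.compile(r"^set pfs group1$"), "PFS uses 768-bit DH group 1"),
]
KEY = re.compile(r"^crypto isakmp key (\S+) address (\S+)$")
MIN_KEY_LEN = 20  # assumed policy threshold, not a Cisco limit


def audit(session: str) -> list[tuple[int, str]]:
    """Return (line number, finding) for every weak IKE/IPsec setting."""
    findings = []
    for no, raw in enumerate(session.splitlines(), 1):
        cmd = PROMPT.sub("", raw).strip()
        for pattern, message in RULES:
            if pattern.search(cmd):
                findings.append((no, message))
        m = KEY.match(cmd)
        if m and len(m.group(1)) < MIN_KEY_LEN:
            findings.append(
                (no, f"pre-shared key for {m.group(2)} is under {MIN_KEY_LEN} characters"))
    return findings


if __name__ == "__main__":
    for no, finding in audit(R1_SESSION):
        print(f"line {no}: {finding}")
```
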
 
 
4. Connectivity test
R1#ping 172.16.4.3 source 172.16.1.1
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.4.3, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/39/60 ms
----------------------------------------------------------
R1#ping 172.16.5.3 source 172.16.1.1
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.5.3, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1 
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 12/49/76 ms
----------------------------------------------------------
R1#ping 172.16.4.4 source 172.16.1.1
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.4.4, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1 
.....
Success rate is 0 percent (0/5)
----------------------------------------------------------
R1#ping 172.16.5.5 source 172.16.1.1
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.5.5, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1 
.....
Success rate is 0 percent (0/5)
 
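As shown, 172.16.1.1 can now ping 172.16.4.3 and 172.16.5.3 on R3 but cannot ping R4 or R5. Likewise, R4 and R5 cannot ping 172.16.1.1, and R4 and R5 cannot reach each other either.
This is because R4 and R5 currently have routing enabled but no routes configured.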
 
 
5. Turn R4 into a PC terminal
Disable routing on R4 and give it a default gateway so that it behaves as a PC terminal.
R4(config)#no ip routing 
R4(config)#ip default-gateway 172.16.4.3
 
Now 172.16.1.1 and R4 can ping each other directly:
R1#ping 172.16.4.4 source 172.16.1.1
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.4.4, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1 
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 56/75/88 ms
 
 
6. Create a default route on R5
R5(config)#ip route 0.0.0.0 0.0.0.0 172.16.5.3
 
With the route configured, R5 and pc1 and pc4 (R4) can ping one another:
R5(config)#do ping 172.16.1.1
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/50/104 ms
----------------------------------------------------------
R5(config)#do ping 172.16.4.4
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/33/60 ms
----------------------------------------------------------
R1#ping 172.16.5.5 source 172.16.1.1
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.5.5, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1 
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 36/56/88 ms
 
 
7. Set up NAT on R5
R5(config)#int f1/5
R5(config-if)#ip nat outside 
R5(config-if)#exit
R5(config)#int loop 0
R5(config-if)#ip nat inside 
R5(config-if)#exit
R5(config)#ip nat pool p1 172.16.5.5 172.16.5.5 netmask 255.255.255.0
R5(config)#access-list 1 permit 192.168.5.0 0.0.0.255
R5(config)#ip nat inside source list 1 pool p1 overload 
R5(config)#exit
 
R5#ping 172.16.1.1 source 192.168.5.5
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.5.5 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/72/128 ms
 
Of course, pings from the outside cannot get in.
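
The ping from 192.168.5.5 succeeds because R5 rewrites the source to 172.16.5.5 before the packet reaches R3, where it then matches crypto ACL 110 and enters the tunnel. The following trace is an added example, not part of the original post: it applies IOS wildcard-mask matching to the ACL and NAT entries copied from steps 3 and 7. The function names are this example's own.

```python
import ipaddress

# Crypto ACL 110 as entered on R1 and R3 in step 3:
# (source, source wildcard, destination, destination wildcard)
ACL_110 = [
    ("172.16.1.0", "0.0.0.255", "172.16.4.0", "0.0.0.255"),
    ("172.16.1.0", "0.0.0.255", "172.16.5.0", "0.0.0.255"),
    ("172.16.4.0", "0.0.0.255", "172.16.1.0", "0.0.0.255"),
    ("172.16.5.0", "0.0.0.255", "172.16.1.0", "0.0.0.255"),
]
# R5's NAT from step 7: access-list 1 and pool p1 (one address, overload).
NAT_LIST_1 = ("192.168.5.0", "0.0.0.255")
NAT_POOL_P1 = "172.16.5.5"


def wild_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: bits set in the wildcard are ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (
        int(ipaddress.IPv4Address(base)) & care)


def nat_on_r5(src: str) -> str:
    """Source address after R5's inside-to-outside translation."""
    return NAT_POOL_P1 if wild_match(src, *NAT_LIST_1) else src


def protected_by_tunnel(src: str, dst: str) -> bool:
    """True when the packet matches a permit entry of crypto ACL 110."""
    return any(wild_match(src, s, sw) and wild_match(dst, d, dw)
               for s, sw, d, dw in ACL_110)


def trace(src: str, dst: str) -> tuple[str, bool]:
    """Packet leaving R5 toward R3: translated source, then ACL verdict."""
    translated = nat_on_r5(src)
    return translated, protected_by_tunnel(translated, dst)


if __name__ == "__main__":
    # Untranslated, the office address is not covered by the crypto ACL.
    print(protected_by_tunnel("192.168.5.5", "172.16.1.1"))
    # After PAT on R5 the same flow is covered.
    print(trace("192.168.5.5", "172.16.1.1"))
    # The reverse direction toward 192.168.5.5 matches no ACL entry.
    print(protected_by_tunnel("172.16.1.1", "192.168.5.5"))
```
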
 
 
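Note: this is a small lab that ties VPN and NAT together for study.
How is a VPN network actually built in practice? How would the internal networks in this lab reach the Internet? These questions remain to be studied.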

 

This article comes from the "一树清劲" blog. Please be sure to keep this source attribution: http://sunshyfangtian.blog.51cto.com/1405751/807960
