Router-to-Router Dynamic LAN-to-LAN ×××
1.拓撲
2.步驟
2.1基本連通性配置:
R5:
interface FastEthernet0/0
ip address 15.15.15.5 255.255.255.0
ip route 0.0.0.0 0.0.0.0 15.15.15.1
R1:
interface FastEthernet0/0
ip address 15.15.15.1 255.255.255.0
interface FastEthernet1/0
ip address 16.16.16.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 16.16.16.6
R6:
ip dhcp excluded-address 36.36.36.6
ip dhcp pool net36
network 36.36.36.0 255.255.255.0
default-router 36.36.36.6
interface FastEthernet0/0
ip address 36.36.36.6 255.255.255.0
interface FastEthernet1/0
ip address 16.16.16.6 255.255.255.0
interface Serial2/0
ip address 26.26.26.6 255.255.255.0
R2:
interface FastEthernet0/0
ip address 27.27.27.2 255.255.255.0
interface Serial2/0
ip address 26.26.26.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 26.26.26.6
R7:
interface FastEthernet0/0
ip address 27.27.27.7 255.255.255.0
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
R3:
interface FastEthernet0/0
ip address dhcp
interface FastEthernet0/1
ip address 38.38.38.3 255.255.255.0
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
R8:
interface FastEthernet1/0
ip address 38.38.38.8 255.255.255.0
ip route 0.0.0.0 0.0.0.0 FastEthernet1/0
2.2測試連通性:
R1到R2和R3的連通性:
R1#ping 36.36.36.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 36.36.36.1, timeout is 2 seconds:
.!!!.
Success rate is 60 percent (3/5), round-trip min/avg/max = 76/120/200 ms
R1#ping 26.26.26.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 26.26.26.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/66/100 ms
R1#
測試R1到北京內網和廣州內網的連通性:
R1#ping 27.27.27.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 27.27.27.7, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R1#ping 38.38.38.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 38.38.38.8, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R1#
說明:雖然R1有指向R6的默認路由,但R6只有公網路由26.26.26.0、36.36.36.0和16.16.16.0,
只能保證R1、R2、R3之間的通信,所以R1無法與北京和廣州的分公司內網通信。
同理:R5不能到達北京和廣州內網:
R5# ping 27.27.27.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 27.27.27.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5#ping 38.38.38.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 38.38.38.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5#
查看R6的路由表:
R6# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
16.0.0.0/24 is subnetted, 1 subnets
C 16.16.16.0 is directly connected, FastEthernet1/0
36.0.0.0/24 is subnetted, 1 subnets
C 36.36.36.0 is directly connected, FastEthernet0/0
26.0.0.0/24 is subnetted, 1 subnets
C 26.26.26.0 is directly connected, Serial2/0
R6#
2.3配置Dynamic LAN-to-LAN ×××:
1.在R1上配置IKE策略:
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#hash sha
R1(config-isakmp)#group 2
R1(config-isakmp)#ex
2.在R1上配置通配符認證方法:
R1(config)#crypto keyring abc
R1(conf-keyring)#pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
R1(config)#crypto isakmp profile ppp
% A profile is deemed incomplete until it has match identity statements
R1(conf-isa-prof)#keyring abc
R1(conf-isa-prof)#match identity address 0.0.0.0
R1(conf-isa-prof)#ex
3.在R1上配置IPSec transform:
R1(config)#crypto ipsec transform-set myset esp-3des esp-sha-hmac
R1(cfg-crypto-trans)#ex
4.在R1上定義Dynamic map:
R1(config)#crypto dynamic-map mydyn 5
R1(config-crypto-map)#set transform-set myset
R1(config-crypto-map)#set isakmp-profile ppp
R1(config-crypto-map)#ex
R1(config)#
5.在R1上創建crypto map:
R1(config)#crypto map mymap 10 ipsec-isakmp dynamic mydyn
R1(config)#
6.在R1上將crypto map應用到出接口:
R1(config)#int f1/0
R1(config-if)#crypto map mymap
R1(config-if)#
*Mar 1 01:36:23.111: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#ex
R1(config)#
7.使用常規LAN-to-LAN ×××的方式配置R2:
R2(config)#crypto isakmp policy 1
R2(config-isakmp)#en 3
R2(config-isakmp)#ha s
R2(config-isakmp)#au p
R2(config-isakmp)#gr 2
R2(config-isakmp)#ex
R2(config)#crypto isakmp key 0 cisco123 address 16.16.16.1
R2(config)#crypto ipsec transform-set myset esp-3des esp-sha-hmac
R2(cfg-crypto-trans)#ex
R2(config)#access-list 100 permit ip 27.27.27.0 0.0.0.255 15.15.15.0 0.0.0.255
R2(config)#crypto map l2l 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R2(config-crypto-map)#set peer 16.16.16.1
R2(config-crypto-map)#set transform-set myset
R2(config-crypto-map)#match address 100
R2(config-crypto-map)#ex
R2(config)#int s2/0
R2(config-if)#crypto map l2l
R2(config-if)#
*Mar 1 01:56:13.811: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R2(config-if)#
8.廣州供公司路由器R3(動態IP)的×××配置:
R3(config)#crypto isakmp policy 1
R3(config-isakmp)#en 3
R3(config-isakmp)#au p
R3(config-isakmp)#ha s
R3(config-isakmp)#gr 2
R3(config-isakmp)#ex
R3(config)#crypto isakmp key 0 cisco123 add 16.16.16.1
R3(config)#crypto ipsec trans myset esp-3 esp-sha-h
R3(cfg-crypto-trans)#ex
R3(config)#access-list 100 per ip 38.38.38.0 0.0.0.255 15.15.15.0 0.0.0.255
R3(config)#crypto map l2l 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R3(config-crypto-map)#set peer 16.16.16.1
R3(config-crypto-map)#set trans myset
R3(config-crypto-map)#match add 100
R3(config-crypto-map)#ex
R3(config)#int f0/0
R3(config-if)#cry map l2l
R3(config-if)#
*Oct 18 19:30:46.219: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R3(config-if)#
3.驗證
3.1首先驗證北京和上海公司的×××連通性:
1.從Hub端上海公司R5向spoke端北京公司27.27.27.0發送流量:
R5#ping 27.27.27.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 27.27.27.7, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5#
說明:Dynamic LAN-to-LAN ×××中,hub端是不能事先向spoke端發起流量來觸發自己的SA建立的,所以上海到北京的流量不能通過。Hub端的SA只能有spoke端發送流量來觸發。
2.從spoke端北京公司27.27.27.0向hub端上海公司R5發送流量:
R7#ping 15.15.15.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.5, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 132/174/248 ms
R7#
說明:spoke端向hub端發送的流量成功穿越×××隧道。
3.再次從hub端R5向spoke端27.27.27.0發送流量:
R5#ping 27.27.27.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 27.27.27.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/119/244 ms
R5#
說明:當從spoke端向hub端發送流量初始化後,hub端到spoke端的流量才能正常通過×××。
4.查看R1上的IKE SA的peers:
R1(config)#do show crypto isakmp peer
Peer: 26.26.26.2 Port: 500 Local: 16.16.16.1
Phase1 id: 26.26.26.2
R1(config)#
5.查看R1上的IKE SA:
R1(config)#do show crypto isakmp sa
dst src state conn-id slot status
16.16.16.1 26.26.26.2 QM_IDLE 1 0 ACTIVE
R1(config)#
6.查看R1上的IPSec SA:
R1(config)#do show crypto ipsec sa
interface: FastEthernet1/0
Crypto map tag: mymap, local addr 16.16.16.1
protected vrf: (none)
local ident (addr/mask/prot/port): (15.15.15.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (27.27.27.0/255.255.255.0/0/0)
current_peer 26.26.26.2 port 500
PERMIT, flags={}
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 16.16.16.1, remote crypto endpt.: 26.26.26.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
current outbound spi: 0x41F65F0(69166576)
inbound esp sas:
spi: 0xAC742101(2893291777)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4395614/2615)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x41F65F0(69166576)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4395614/2612)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R1(config)#
7.查看R1上的dynamic map相關參數:
R1(config)#do show crypto dynamic-map
Crypto Map Template"mydyn" 5
ISAKMP Profile: ppp
No matching address list set.
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
myset,
}
R1(config)#
3.2查看R2上的相關參數(參照R1):
R2#show cry isakmp peers
Peer: 16.16.16.1 Port: 500 Local: 26.26.26.2
Phase1 id: 16.16.16.1
R2#show cry isakmp sa
dst src state conn-id slot status
16.16.16.1 26.26.26.2 QM_IDLE 1 0 ACTIVE
R2#show cry ipsec sa
interface: Serial2/0
Crypto map tag: l2l, local addr 26.26.26.2
protected vrf: (none)
local ident (addr/mask/prot/port): (27.27.27.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (15.15.15.0/255.255.255.0/0/0)
current_peer 16.16.16.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 26.26.26.2, remote crypto endpt.: 16.16.16.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial2/0
current outbound spi: 0xAC742101(2893291777)
inbound esp sas:
spi: 0x41F65F0(69166576)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: l2l
sa timing: remaining key lifetime (k/sec): (4432449/2370)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xAC742101(2893291777)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: l2l
sa timing: remaining key lifetime (k/sec): (4432449/2368)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R2#
3.3下面是廣州公司路由器R3與上海路由器R1之間×××連通性的驗證:
1.從hub端(上海公司路由器R5)向spoke端(廣州公司38.38.38.0)發流量:
R5#ping 38.38.38.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 38.38.38.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5#
說明:和預期的一樣,hub端不能事先向spoke端發起流量建立SA。
2.從spoke端(廣州公司38.38.38.0)向hub端(上海公司R5)發送×××觸發流量:
R8#ping 15.15.15.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.5, timeout is 2 seconds:
...!.
Success rate is 20 percent (1/5), round-trip min/avg/max = 204/204/204 ms
R8#
R8#ping 15.15.15.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.5, timeout is 2 seconds:
!.!.!
Success rate is 60 percent (3/5), round-trip min/avg/max = 128/186/240 ms
R8#ping 15.15.15.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.5, timeout is 2 seconds:
!.!..
Success rate is 40 percent (2/5), round-trip min/avg/max = 164/196/228 ms
R8#
說明:從spoke端(廣州公司38.38.38.0)的流量成功穿越×××到達hub端。
3.再次從hub端(上海公司路由器R5)向spoke端(廣州公司38.38.38.0)發流量:
R5#ping 38.38.38.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 38.38.38.8, timeout is 2 seconds:
!.!.!
Success rate is 60 percent (3/5), round-trip min/avg/max = 204/217/228 ms
R5#ping 38.38.38.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 38.38.38.8, timeout is 2 seconds:
!.!.!
Success rate is 60 percent (3/5), round-trip min/avg/max = 148/220/272 ms
R5#
說明:當從spoke端向hub端觸發流量後,hub端與spoke端的流量才能通過×××。
4.查看R1上的相關參數:
R1#show cry isakmp peer
Peer: 26.26.26.2 Port: 500 Local: 16.16.16.1
Phase1 id: 26.26.26.2
Peer: 36.36.36.1 Port: 500 Local: 16.16.16.1
Phase1 id: 36.36.36.1
R1#show cry isakmp sa
dst src state conn-id slot status
16.16.16.1 26.26.26.2 QM_IDLE 1 0 ACTIVE
16.16.16.1 36.36.36.1 QM_IDLE 2 0 ACTIVE
R1#show cry ipsec sa
interface: FastEthernet1/0
Crypto map tag: mymap, local addr 16.16.16.1
protected vrf: (none)
local ident (addr/mask/prot/port): (15.15.15.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (27.27.27.0/255.255.255.0/0/0)
current_peer 26.26.26.2 port 500
PERMIT, flags={}
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 16.16.16.1, remote crypto endpt.: 26.26.26.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
current outbound spi: 0x41F65F0(69166576)
inbound esp sas:
spi: 0xAC742101(2893291777)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4395613/1046)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x41F65F0(69166576)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4395613/1043)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (15.15.15.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (38.38.38.0/255.255.255.0/0/0)
current_peer 36.36.36.1 port 500
PERMIT, flags={}
#pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16
#pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 16.16.16.1, remote crypto endpt.: 36.36.36.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
current outbound spi: 0x23231BC(36843964)
inbound esp sas:
spi: 0xDA7CCED8(3665612504)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2003, flow_id: SW:3, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4419243/3185)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x23231BC(36843964)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: SW:4, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4419242/3181)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R1#
5.查看廣州路由器R3上的相關參數:
R3#show cry isakmp peers
Peer: 16.16.16.1 Port: 500 Local: 36.36.36.1
Phase1 id: 16.16.16.1
R3#show cry isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
16.16.16.1 36.36.36.1 QM_IDLE 1001 0 ACTIVE
IPv6 Crypto ISAKMP SA
R3#show cry ipsec sa
interface: FastEthernet0/0
Crypto map tag: l2l, local addr 36.36.36.1
protected vrf: (none)
local ident (addr/mask/prot/port): (38.38.38.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (15.15.15.0/255.255.255.0/0/0)
current_peer 16.16.16.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
#pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 36.36.36.1, remote crypto endpt.: 16.16.16.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xDA7CCED8(3665612504)
inbound esp sas:
spi: 0x23231BC(36843964)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: 1, crypto map: l2l
sa timing: remaining key lifetime (k/sec): (4576678/3065)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xDA7CCED8(3665612504)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: 2, crypto map: l2l
sa timing: remaining key lifetime (k/sec): (4576679/3065)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R3#
4.測試NAT對Dynamic LAN-to-LAN ×××的影響:
4.1在R3上配置NAT:
R3(config)#int f0/0
R3(config-if)#ip nat outside
*Oct 18 20:19:27.023: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
R3(config-if)#int f0/1
R3(config-if)#ip nat inside
R3(config-if)#ex
R3(config)#access-list 110 permit ip any any
R3(config)#ip nat inside source list 110 interface f0/0 overload
4.2測試hub端R5發往北京公司(沒有NAT)和廣州公司(有NAT)的流量情況:
R5#ping 27.27.27.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 27.27.27.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 136/157/208 ms
R5#ping 38.38.38.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 38.38.38.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5#
4.3查看廣州路由器R3上的NAT轉換情況:
R3#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 36.36.36.1:5 38.38.38.8:5 15.15.15.5:5 15.15.15.5:5
R3#
說明:可以看到廣州公司38.38.38.0去往上海15.15.15.0的流量唄NAT轉換了,所以最後沒能通過IPSec。
4.4在R3上配置ACL使感興趣流量繞過NAT:
R3(config)#no access-list 110
R3(config)#access-list 110 deny ip 38.38.38.0 0.0.0.255 15.15.15.0 0.0.0.255
R3(config)#access-list 110 permit ip any any
R3(config)#exit
R3#clear ip nat translation *
R3#
4.5再次從上海15.15.15.0向廣州38.38.38.0和北京27.27.27.0發送流量:
R5#ping 38.38.38.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 38.38.38.8, timeout is 2 seconds:
!.!.!
Success rate is 60 percent (3/5), round-trip min/avg/max = 212/261/340 ms
R5#
R5#ping 27.27.27.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 27.27.27.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/137/216 ms
R5#
說明:配置ACL繞過NAT,上海公司到北京和廣州的流量再次通過IPsec ×××隧道穿越了Internet。因此在IPSec ×××中,保證需要被IPSec保護的流量繞過NAT轉換,否則×××連通失敗。
5.發現一個疑問,請求高手指點。
爲什麼上海公司15.15.15.0和廣州公司R8 38.38.38.8之間互相ping的結果都是!.!.! ?上海和R3的38.38.38.3之間ping的結果卻正常。
請看:
R1#ping 38.38.38.8 so 15.15.15.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 38.38.38.8, timeout is 2 seconds:
Packet sent with a source address of 15.15.15.1
.!...
Success rate is 20 percent (1/5), round-trip min/avg/max = 156/156/156 ms
R1#
R5#ping 38.38.38.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 38.38.38.8, timeout is 2 seconds:
!.!.!
Success rate is 60 percent (3/5), round-trip min/avg/max = 212/261/340 ms
R5#
R8#ping 15.15.15.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.1, timeout is 2 seconds:
!.!.!
Success rate is 60 percent (3/5), round-trip min/avg/max = 172/184/196 ms
R8#
R8#ping 15.15.15.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.5, timeout is 2 seconds:
!.!.!
Success rate is 60 percent (3/5), round-trip min/avg/max = 160/197/260 ms
R8#
R3的38.38.38.3與上海15.15.15.0之間ping正常:
R3#ping 15.15.15.5 so 38.38.38.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.5, timeout is 2 seconds:
Packet sent with a source address of 38.38.38.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 128/235/340 ms
R3#
R3#ping 15.15.15.5 so 38.38.38.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.5, timeout is 2 seconds:
Packet sent with a source address of 38.38.38.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/126/172 ms
R3#
R5#ping 38.38.38.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 38.38.38.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/155/212 ms
R5#
R1#ping 38.38.38.3 so 15.15.15.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 38.38.38.3, timeout is 2 seconds:
Packet sent with a source address of 15.15.15.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/110/144 ms
R1#
R3和R2的唯一區別就是R3的外部接口配置的IP是DHCP。