Network Topological Diagram

[Figure 1: ADSL PPPoE + NAT + mGRE + NHRP + EIGRP + IPsec VPN + PPTP VPN combined into a DMVPN for full-mesh connectivity between dynamic-IP sites (Part 1)]

Case objectives:


1. The OPE group is expanding its network. It has offices in Hong Kong, Shenzhen, Shanghai and Beijing; the servers and the voice service are at the Shenzhen headquarters, while the email, Web and other servers are in Hong Kong. The internal network of every office must be able to reach the internal services, and the voice system uses IP telephony so that calls between offices are free.

2. As shown in the diagram above, only the Hong Kong office has a fixed IP address; the other three sites use ADSL PPPoE dial-up and receive dynamic IP addresses.

3. Following the requirements above, build site-to-site IPsec VPNs so that the whole internal network is reachable from every site.

Configuration

datetime msec
no service password-encryption
!
hostname HKRouter
!
boot-start-marker
boot system flash c2800nm-advsecurityk9-mz.124-24.T2.bin
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
enable secret 5 $1$l0tK$ChTw8WdhXe1BnBIXc4ETo1
!
no aaa new-model
!
no dot11 syslog
no ip source-route
!
!
ip cef
!--- Create the DHCP service for the Hong Kong site
no ip dhcp use vrf connected
ip dhcp excluded-address 20.89.5.1 20.89.5.255
ip dhcp excluded-address 20.89.4.0
ip dhcp excluded-address 20.89.0.1 20.89.3.255
!
ip dhcp pool OPEhkDHCP
network 20.89.0.0 255.255.0.0
dns-server 20.89.1.1
default-router 20.89.1.1
option 156 ascii "ftpservers=20.88.2.2,country=1,language=1,layer2tagging=0,vlanid=0"
option 4 ip 20.88.2.1
lease 30
!
!--- Specify the DNS server addresses for the Hong Kong site router
ip name-server 203.186.94.22
ip name-server 203.80.96.33
!
multilink bundle-name authenticated
!--- Only the Hong Kong site router has a fixed IP, so it hosts the PPTP VPN service
!
vpdn enable
!
vpdn-group 15
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
!
!
!
username hkrouter privilege 15 secret 5 $1$x09g$2RA3BVbv/yn/UMaMxHHIe/
username AAAAA password 0 AAAAA
username BBBBB password 0 BBBBB
archive
log config
hidekeys
!
!
!--- Configure the IPsec VPN service
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto ipsec profile Cisco
set security-association lifetime seconds 120
set transform-set strong
!
!
!
!
!
!
!--- Hong Kong acts as the DMVPN hub; it is the only site with a fixed IP
interface Tunnel1
ip address 20.90.1.1 255.255.0.0
no ip redirects
ip mtu 1440
no ip next-hop-self eigrp 1
ip nhrp authentication 12345678
ip nhrp map multicast dynamic
ip nhrp network-id 1
no ip split-horizon eigrp 1
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile Cisco
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
ip address 50.1.1.1 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 20.89.1.2 255.255.0.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!--- Hong Kong acts as the PPTP VPN server
interface Virtual-Template1
ip unnumbered FastEthernet0/0
peer default ip address pool PPTPDHCP
no keepalive
ppp encrypt mppe auto
ppp authentication pap chap ms-chap
!
router eigrp 1
network 20.89.0.0 0.0.255.255
network 20.90.0.0 0.0.255.255
no auto-summary
!
ip local pool PPTPDHCP 20.90.2.1 20.90.2.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 50.1.1.2
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 20.0.0.0 0.255.255.255
!
!
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN
CREDENTIALS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
password cisco
login
line aux 0
line vty 0 4
privilege level 15
password cisco
login
transport input telnet
!
scheduler allocate 20000 1000
end