1. Overview:
A reader asked a question on the blog; after talking it over by phone, the situation turned out to be roughly this:
A. Headquarters has a leased line to a partner.
B. It is inconvenient for the partner side to add a return route, so headquarters performs PAT when accessing the partner.
C. Now the branch, after connecting to headquarters over an L2L VPN, should also be PATed toward the partner.
Previously this was solved with policy-based routing: branch-to-partner traffic was steered to a loopback interface, and NAT was configured there. Later a friend in the QQ group suggested using GRE over IPsec instead, so I decided to verify that approach.
2. Basic approach:
A. If the partner can add a return route, it is enough to treat the partner as part of the headquarters internal network; no PAT is needed.
B. If the branch is to connect to headquarters over the VPN and then be PATed toward the partner, configure a loopback interface on the headquarters router, configure policy-based routing on the public interface to steer branch-to-partner traffic to that loopback, and perform PAT there.
---- This was already verified in the previous post: http://333234.blog.51cto.com/323234/1309446
C. Use SVTI to build the L2L VPN directly between the headquarters router and the branch router, and configure NVI-based NAT on the headquarters router's tunnel interface and on the leased-line interface toward the partner, so that branch-to-partner traffic is PATed.
---- Because the ASA does not support VTI, this approach does not apply if either the branch or the headquarters side uses an ASA firewall.
3. Test topology:
(Topology as given by the configurations below: Branch_Inside 10.1.1.1 -- Branch 10.1.1.2 / 202.100.1.2 -- Internet 202.100.1.3 / 202.100.2.3 -- Center 202.100.2.4 / 192.168.1.4 -- Center_Inside 192.168.1.5; Center Ethernet0/2 172.16.1.2 connects over the leased line to Partner Ethernet0/0 172.16.1.1, whose Loopback0 is 160.1.1.6.)
4. Basic configuration:
A. Branch_Inside router:
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.2
B. Branch router:
interface Ethernet0/0
 ip address 10.1.1.2 255.255.255.0
 ip nat inside
 no shut
interface Ethernet0/1
 ip address 202.100.1.2 255.255.255.0
 ip nat outside
 no shut
ip route 0.0.0.0 0.0.0.0 202.100.1.3
ip access-list extended PAT
 deny ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny ip 10.1.1.0 0.0.0.255 160.1.1.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 any
ip nat inside source list PAT interface Ethernet0/1 overload
C. Internet router:
interface Ethernet0/0
 ip address 202.100.1.3 255.255.255.0
 no shut
interface Ethernet0/1
 ip address 202.100.2.3 255.255.255.0
 no shut
D. Center router:
interface Ethernet0/0
 ip address 192.168.1.4 255.255.255.0
 ip nat inside
 no shut
interface Ethernet0/1
 ip address 202.100.2.4 255.255.255.0
 ip nat outside
 no shut
interface Ethernet0/2
 ip address 172.16.1.2 255.255.255.252
 no shut
ip route 0.0.0.0 0.0.0.0 202.100.2.3
ip route 160.1.1.0 255.255.255.0 172.16.1.1
ip access-list extended PAT
 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
 deny ip 192.168.1.0 0.0.0.255 160.1.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list PAT interface Ethernet0/1 overload
E. Center_Inside router:
interface Ethernet0/0
 ip address 192.168.1.5 255.255.255.0
 no shut
ip route 0.0.0.0 0.0.0.0 192.168.1.4
F. Partner router:
interface Loopback0
 ip address 160.1.1.6 255.255.255.0
interface Ethernet0/0
 ip address 172.16.1.1 255.255.255.252
 no shut
---- Note: no routes are configured on this router.
5. PAT configuration for the headquarters internal network to the partner:
---- Configured on the Center (headquarters) router
A. Configuration:
interface Ethernet0/0
 ip nat enable
interface Ethernet0/2
 ip nat enable
ip access-list extended Center-to-partner-PAT
 permit ip 192.168.1.0 0.0.0.255 160.1.1.0 0.0.0.255
ip nat source list Center-to-partner-PAT interface Ethernet0/2 overload
B. Verification:
Center_Inside#telnet 160.1.1.6
Trying 160.1.1.6 ... Open
User Access Verification
Password:
Partner>show users
Line User Host(s) Idle Location
0 con 0 idle 00:00:42
*130 vty 0 idle 00:00:00 172.16.1.2
Interface User Mode Idle Peer Address
Partner>
6. Branch-to-headquarters L2L VPN configuration:
---- The site-to-site VPN is built with SVTI
A. Branch router:
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 202.100.2.4
crypto ipsec transform-set transet esp-des esp-md5-hmac
crypto ipsec profile Ipsec_prfile
 set transform-set transet
interface Tunnel0
 ip address 123.1.1.1 255.255.255.0
 tunnel source Ethernet0/1
 tunnel destination 202.100.2.4
 tunnel protection ipsec profile Ipsec_prfile
ip route 160.1.1.0 255.255.255.0 Tunnel0
ip route 192.168.1.0 255.255.255.0 Tunnel0
B. Center router:
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 202.100.1.2
crypto ipsec transform-set transet esp-des esp-md5-hmac
crypto ipsec profile Ipsec_prfile
 set transform-set transet
interface Tunnel0
 ip address 123.1.1.2 255.255.255.0
 tunnel source Ethernet0/1
 tunnel destination 202.100.1.2
 tunnel protection ipsec profile Ipsec_prfile
ip route 10.1.1.0 255.255.255.0 Tunnel0
C. Verification:
Branch_Inside#ping 192.168.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 120/182/264 ms
Branch_Inside#
Center_Inside#
*Mar 1 10:07:25.293: ICMP: echo reply sent, src 192.168.1.5, dst 10.1.1.1
*Mar 1 10:07:25.561: ICMP: echo reply sent, src 192.168.1.5, dst 10.1.1.1
*Mar 1 10:07:25.701: ICMP: echo reply sent, src 192.168.1.5, dst 10.1.1.1
*Mar 1 10:07:25.809: ICMP: echo reply sent, src 192.168.1.5, dst 10.1.1.1
7. Configure PAT from the branch to the partner:
----- All configured on the Center router
A. Configure PAT:
interface Tunnel0
 ip nat enable
interface Ethernet0/2
 ip nat enable
ip access-list extended Branch-to-partner
 permit ip 10.1.1.0 0.0.0.255 160.1.1.0 0.0.0.255
ip nat source list Branch-to-partner interface Ethernet0/2 overload
B. Verification:
Branch_Inside#telnet 160.1.1.6
Trying 160.1.1.6 ... Open
User Access Verification
Password:
Partner>show users
Line User Host(s) Idle Location
0 con 0 idle 09:00:47
*130 vty 0 idle 00:00:00 172.16.1.2
Interface User Mode Idle Peer Address
Partner>
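The two NAT domains the Center router ends up with (the classic inside/outside PAT of section 4 for Internet traffic, and the NVI PAT of sections 5 and 7 for partner traffic) are easier to reason about with a model. The following is an added Python example, not the post's own code and not Cisco software: it parses the page's ACLs with their wildcard masks, picks the egress interface with the page's routing table and reports which source address each flow leaves with. The interface names, the role sets and the assumption that Tunnel0 carries only the ip nat enable role are constructed from the configuration above.

```python
from ipaddress import ip_address, ip_network

# Added example: a constructed model of this post's Center router, not Cisco code.
# Each interface carries its NAT roles: "inside"/"outside" (classic NAT), "enable" (NVI).
IFACES = {"E0/0": {"inside", "enable"}, "E0/1": {"outside"},
          "E0/2": {"enable"}, "Tunnel0": {"enable"}}
ROUTES = {"192.168.1.0/24": "E0/0", "10.1.1.0/24": "Tunnel0",   # routing table
          "160.1.1.0/24": "E0/2", "0.0.0.0/0": "E0/1"}          # from sections 4-7

def to_net(addr, wildcard):  # IOS wildcard mask (contiguous bits assumed) -> network
    plen = 32 - bin(int(ip_address(wildcard))).count("1")
    return ip_network(f"{addr}/{plen}", strict=False)

def parse_acl(text):
    """Parse 'permit|deny ip <src> <wc> <dst> <wc>' lines; 'any' is expanded."""
    rules = []
    for line in text.strip().splitlines():
        action, _, s, sw, d, dw = line.replace(" any", " 0.0.0.0 255.255.255.255").split()
        rules.append((action, to_net(s, sw), to_net(d, dw)))
    return rules

def acl_permits(rules, src, dst):
    for action, s_net, d_net in rules:      # first match wins, implicit deny at the end
        if ip_address(src) in s_net and ip_address(dst) in d_net:
            return action == "permit"
    return False

# The page's classic list (ip nat inside source list PAT) and its two NVI lists, merged in order.
ACL_PAT = parse_acl("""
deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 160.1.1.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any""")
ACL_NVI = parse_acl("""
permit ip 192.168.1.0 0.0.0.255 160.1.1.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 160.1.1.0 0.0.0.255""")

def lookup(addr):  # longest-prefix match; also tells which interface owns a source
    best = max((n for n in ROUTES if ip_address(addr) in ip_network(n)),
               key=lambda n: ip_network(n).prefixlen)
    return ROUTES[best]

def translate(src, dst):  # -> (source address after NAT, egress interface)
    out_if = lookup(dst)
    ingress, out = IFACES[lookup(src)], IFACES[out_if]
    if "inside" in ingress and "outside" in out and acl_permits(ACL_PAT, src, dst):
        return "202.100.2.4", out_if    # classic PAT to the Internet-facing address
    if "enable" in ingress and "enable" in out and acl_permits(ACL_NVI, src, dst):
        return "172.16.1.2", out_if     # NVI PAT toward the partner leased line
    return src, out_if                  # untranslated, e.g. branch <-> HQ via Tunnel0
```

A flow such as 10.1.1.1 to 160.1.1.6 comes out as 172.16.1.2 on Ethernet0/2, matching the Location column of show users above, while 10.1.1.1 to 192.168.1.5 stays untranslated because Tunnel0 is neither a classic inside nor outside interface.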