[Figure 1: How S2S VPN traverses NAT]

GW1: 1.1.1.0/24 -> 202.1.1.1

GW2: 2.2.2.0/24 -> 64.1.1.1

GW1:

crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 64.1.1.1
!
crypto ipsec transform-set SET esp-3des esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
set peer 64.1.1.1
set transform-set SET
set pfs group5
match address ***
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!

interface FastEthernet1/0
ip address 202.1.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map cisco
!
ip nat inside source list PAT interface FastEthernet1/0 overload
ip route 0.0.0.0 0.0.0.0 202.1.1.10
!
ip access-list extended PAT
! Deny the interesting traffic so that it is not translated by NAT
deny   ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
permit ip 1.1.1.0 0.0.0.255 any
ip access-list extended ***
permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
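
The NAT exemption above only works while the deny entry in the PAT ACL covers every flow the crypto ACL permits and sits ahead of the broader permit. The following check is an added example, not part of the original configuration: it parses the two ACLs and reports crypto flows that would be translated first. The name CRYPTO_ACL is a hypothetical stand-in for the masked crypto ACL name, and both sample configs are constructed from the GW1 entries.

```python
import ipaddress
import re

# Constructed sample based on the GW1 ACLs above. CRYPTO_ACL is a hypothetical
# stand-in for the crypto ACL whose name is masked on the page.
GOOD = """
ip access-list extended PAT
 deny   ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
 permit ip 1.1.1.0 0.0.0.255 any
ip access-list extended CRYPTO_ACL
 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
"""
BAD = GOOD.replace(" deny   ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255\n", "")  # exemption removed

def _nets(tokens):
    """Turn 'addr wildcard' or 'any' tokens into (src_net, dst_net)."""
    nets = []
    while tokens:
        tok = tokens.pop(0)
        spec = "0.0.0.0/0" if tok == "any" else f"{tok}/{tokens.pop(0)}"
        nets.append(ipaddress.ip_network(spec))
    return nets[0], nets[1]

def parse_acls(config):
    """Return {acl_name: [(action, src_net, dst_net), ...]} in config order."""
    acls, current = {}, None
    for line in config.splitlines():
        head = re.match(r"ip access-list extended (\S+)", line)
        entry = re.match(r"\s*(permit|deny)\s+ip\s+(.+)", line)
        if head:
            current = acls.setdefault(head.group(1), [])
        elif entry and current is not None:
            current.append((entry.group(1), *_nets(entry.group(2).split())))
    return acls

def nat_leaks(config, nat_acl, crypto_acl):
    """Crypto flows whose first overlapping NAT ACL entry is not a covering deny."""
    acls, leaks = parse_acls(config), []
    for action, src, dst in acls[crypto_acl]:
        if action != "permit":
            continue
        for n_action, n_src, n_dst in acls[nat_acl]:
            if n_src.overlaps(src) and n_dst.overlaps(dst):
                covered = src.subnet_of(n_src) and dst.subnet_of(n_dst)
                if not (n_action == "deny" and covered):
                    leaks.append((str(src), str(dst)))
                break  # first match wins, as in IOS ACL evaluation
    return leaks

print(nat_leaks(GOOD, "PAT", "CRYPTO_ACL"), nat_leaks(BAD, "PAT", "CRYPTO_ACL"))
```

The check is conservative: a deny that only partially covers a crypto flow is reported even if a later deny covers the remainder.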

[Figure 2: How S2S VPN traverses NAT]