If IPSec uses AH encapsulation it cannot traverse NAT or PAT; with ESP encapsulation it cannot pass through PAT, although it can pass through NAT. The solutions are NAT-T, IPSec over UDP and IPSec over TCP. NAT-T is the standard method; the other two work on essentially the same principle: a UDP or TCP header is added so that the packet carries port numbers and satisfies PAT's port-translation rule.
The lab below demonstrates how IPSec is made to work through PAT.
Topology:
Notes:
1. R2 simulates the external network; its loopback 0 represents the external network 2.2.2.0/24. R3 simulates the internal network; its loopback 0 represents the internal network 192.168.3.0/24. R1 simulates the PAT device.
2. Hostnames used in the prompts: R1: NAT; R2: OUTSIDE; R3: INSIDE
*R4 and SW1 are not used in this lab.
1. Basic configuration: establish connectivity
R1:
interface Serial1/0
ip address 12.1.1.1 255.255.255.0
serial restart-delay 0
!
interface Serial1/1
ip address 13.1.1.1 255.255.255.0
serial restart-delay 0
!
ip route 2.2.2.0 255.255.255.0 Serial1/0 12.1.1.2
ip route 192.168.3.0 255.255.255.0 Serial1/1 13.1.1.3
R2:
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
interface Serial1/0
ip address 12.1.1.2 255.255.255.0
serial restart-delay 0
!
ip route 0.0.0.0 0.0.0.0 Serial1/0 12.1.1.1
R3:
interface Loopback0
ip address 192.168.3.1 255.255.255.0
!
interface Serial1/0
ip address 13.1.1.3 255.255.255.0
serial restart-delay 0
!
ip route 0.0.0.0 0.0.0.0 Serial1/0 13.1.1.1
2. Test the network
INSIDE#ping 2.2.2.2 sou 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.3.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/64/80 ms
Connectivity is up. The next step is the PAT configuration on NAT.
3. Configure PAT
NAT(config)#acce 10 per 13.1.1.0 0.0.0.255
NAT(config)#acce 10 deny an
NAT(config)#ip nat in sour list 10 int s1/0 over
NAT(config)#in s1/0
NAT(config-if)#ip nat out
NAT(config-if)#in s1/1
NAT(config-if)#ip nat in
access-list 10 above is a key piece of the configuration. Normally the translation list matches the internal subnet, but here we translate the directly connected link between NAT and INSIDE instead. The reason is that when IPSec is configured later, the encryption point is one end of that link, while the communication points are encrypted inside the ESP payload. Pay close attention to this.
4. Configure IPSec
IPSec is configured on R2 and R3.
R3(INSIDE):
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp key cisco address 12.1.1.2
!
crypto ipsec transform-set ×××-trans esp-des esp-md5-hmac
!
crypto map ×××-map 10 ipsec-isakmp
set peer 12.1.1.2
set transform-set ×××-trans
match address 100
access-list 100 permit ip 192.168.3.0 0.0.0.255 2.2.2.0 0.0.0.255
access-list 100 deny ip any any
R2(OUTSIDE):
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp key cisco address 12.1.1.1
!
crypto ipsec transform-set ×××-trans esp-des esp-md5-hmac
!
crypto map ×××-map 10 ipsec-isakmp
set peer 12.1.1.1
set transform-set ×××-trans
match address 100
!
access-list 100 permit ip 2.2.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 deny ip any any
*Pay particular attention to R2's configuration: its peer is 12.1.1.1, not 13.1.1.3!!! After PAT translation, 13.1.1.3 appears as 12.1.1.1.
5. Test IPSec
INSIDE#ping 2.2.2.2 sou l0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.3.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 28/58/100 ms
INSIDE#sh crypto engine connections active
ID    Interface  IP-Address  State  Algorithm            Encrypt  Decrypt
1     Serial1/0  13.1.1.3    set    HMAC_SHA+DES_56_CB   0        0
2001  Serial1/0  13.1.1.3    set    DES+MD5              0        4
2002  Serial1/0  13.1.1.3    set    DES+MD5              4        0
NAT#sh ip nat trans
Pro  Inside global  Inside local   Outside local  Outside global
udp  12.1.1.1:4500  13.1.1.3:4500  12.1.1.2:4500  12.1.1.2:4500
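To make the port argument concrete, here is an added Python model (not from the original lab and not Cisco code) of the PAT decision described in the opening paragraph and of the RFC 3948 demultiplexing behind the udp 4500 entry in the sh ip nat trans output above. The Pat class, its port-allocation rule and the sample packets are constructed for this example and only approximate what IOS does.

```python
import struct

ESP, AH, UDP = 50, 51, 17          # IP protocol numbers
NAT_T_PORT = 4500                  # UDP port used by NAT-T (RFC 3948)


class Pat:
    """Simplified PAT model: one inside-global address, entries keyed by (proto, inside ip, port).
    The port-allocation rule is an assumption of this example, not IOS's exact allocator."""

    def __init__(self, inside_global):
        self.inside_global = inside_global
        self.table = {}            # (proto, inside_local, local_port) -> global port
        self.used_ports = set()

    def translate(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Return a 'sh ip nat trans'-style row, or None when no entry can be built."""
        if proto in (AH, ESP) or src_port is None:
            # AH and ESP headers carry no port field, so PAT has nothing to overload on.
            return None
        key = (proto, src_ip, src_port)
        if key not in self.table:
            gport = src_port                # keep the original port when it is free
            while gport in self.used_ports:
                gport = 1024 if gport >= 65535 else gport + 1
            self.used_ports.add(gport)
            self.table[key] = gport
        gport = self.table[key]
        name = {UDP: "udp", 6: "tcp"}[proto]
        return (f"{name} {self.inside_global}:{gport} {src_ip}:{src_port} "
                f"{dst_ip}:{dst_port} {dst_ip}:{dst_port}")


def classify_udp4500(payload: bytes) -> str:
    """Demultiplex a UDP/4500 payload the way an RFC 3948 receiver does."""
    if payload == b"\xff":
        return "nat-keepalive"          # one-byte keepalive that refreshes the PAT entry
    if payload[:4] == b"\x00\x00\x00\x00":
        return "ike"                    # 4-byte non-ESP marker, IKE message follows
    if len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])
        return f"esp spi=0x{spi:08x} seq={seq}"   # ESP header starts with a non-zero SPI
    return "unknown"


if __name__ == "__main__":
    pat = Pat("12.1.1.1")
    print(pat.translate(ESP, "13.1.1.3", None, "12.1.1.2", None))   # None: raw ESP cannot be PAT'd
    print(pat.translate(UDP, "13.1.1.3", NAT_T_PORT, "12.1.1.2", NAT_T_PORT))
    print(classify_udp4500(b"\x12\x34\xab\xcd\x00\x00\x00\x07" + b"\x00" * 8))
```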
That concludes this small lab.