Brief description of the lab:
1. R3 simulates the public Internet; it does no routing and is not allowed to have any routes.
2. R2 and R4 simulate enterprise edge routers: NAT towards the Internet, plus the IPsec VPN between them.
3. R1 and R5 simulate internal hosts.
R1#show run
Building configuration...
Current configuration : 1144 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
no ip icmp rate-limit unreachable
ip cef
ip tcp synwait-time 5
!
!
no ip dhcp use vrf connected
!
!
no ip domain lookup
no ip ips deny-action ips-interface
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username cisco privilege 15 password 0 cisco
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface FastEthernet1/0
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/1
no ip address
shutdown
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.2
no ip http server
no ip http secure-server
!
!
!
no cdp log mismatch duplex
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
password cisco
login local
line vty 5 15
password cisco
login local
!
!
end
R1#
R2#show run
Building configuration...
Current configuration : 1671 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
no ip icmp rate-limit unreachable
ip cef
ip tcp synwait-time 5
!
!
no ip dhcp use vrf connected
!
!
no ip domain lookup
no ip ips deny-action ips-interface
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
#######################################################################
Note: ISAKMP policy 1 is defined with 3DES encryption, MD5 hashing, pre-shared key (PSK) authentication, and Diffie-Hellman group 2 for key exchange.
#######################################################################
crypto isakmp key cisco111 address 200.1.1.4
#######################################################################
Note: because the authentication method defined above is pre-shared keys (PSK), an authentication key must be defined. Here the key for peer 200.1.1.4 is set to cisco111; both sides must use the same key, otherwise the IKE SA cannot be established. The 0 that may be typed before the key when entering the command means the key is stored and displayed in plain text in the running-config.
#######################################################################
!
!
crypto ipsec transform-set A-TO-B esp-3des esp-md5-hmac
#######################################################################
Note: a transform set named A-TO-B is configured: data is encapsulated in ESP with 3DES encryption, and ESP with MD5 HMAC provides the integrity check. The default IPsec mode is tunnel.
#######################################################################
!
crypto map l2l 1 ipsec-isakmp
set peer 200.1.1.4
set transform-set A-TO-B
match address VPN
#######################################################################
Note: on R2 a crypto map named l2l is configured with sequence number 1, i.e. the first policy entry. It specifies 200.1.1.4 as the peer to which encrypted data is sent (the IPsec tunnel is built with 200.1.1.4), uses the IPsec transform set A-TO-B, and designates the traffic matched by extended ACL VPN as the traffic to be protected.
#######################################################################
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface FastEthernet1/0
ip address 10.1.1.2 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1/1
ip address 100.1.1.2 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map l2l
#######################################################################
Note: apply the crypto map to the public-facing interface F1/1.
#######################################################################
!
ip classless
ip route 0.0.0.0 0.0.0.0 100.1.1.3
no ip http server
no ip http secure-server
!
!
ip nat inside source list NAT interface FastEthernet1/1 overload
!
ip access-list extended NAT
deny ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip any any
#######################################################################
Note: the VPN traffic is denied in the NAT ACL so that it is not translated.
#######################################################################
ip access-list extended VPN
permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
!
no cdp log mismatch duplex
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
R2#
R3#show run
Building configuration...
Current configuration : 1012 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
no ip icmp rate-limit unreachable
ip cef
ip tcp synwait-time 5
!
!
no ip dhcp use vrf connected
!
!
no ip domain lookup
no ip ips deny-action ips-interface
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface FastEthernet1/0
ip address 200.1.1.3 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/1
ip address 100.1.1.3 255.255.255.0
duplex auto
speed auto
!
ip classless
no ip http server
no ip http secure-server
!
!
!
no cdp log mismatch duplex
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
R3#
R4#show run
Building configuration...
Current configuration : 1674 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
no ip icmp rate-limit unreachable
ip cef
ip tcp synwait-time 5
!
!
no ip dhcp use vrf connected
!
!
no ip domain lookup
no ip ips deny-action ips-interface
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco111 address 100.1.1.2
!
!
crypto ipsec transform-set B-TO-A esp-3des esp-md5-hmac
!
crypto map l2l 1 ipsec-isakmp
set peer 100.1.1.2
set transform-set B-TO-A
match address VPN
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface FastEthernet1/0
ip address 200.1.1.4 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map l2l
!
interface FastEthernet1/1
ip address 192.168.1.4 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 200.1.1.3
no ip http server
no ip http secure-server
!
!
ip nat inside source list NAT interface FastEthernet1/0 overload
!
ip access-list extended NAT
deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip any any
ip access-list extended VPN
permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
!
no cdp log mismatch duplex
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
R4#
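Added example, not part of the original lab write-up: a small Python checker that parses the NAT and crypto ACLs of R2 and R4 above and verifies the two things the notes rely on, namely that the NAT ACL denies (exempts) every flow the crypto ACL protects, since IOS translates inside-to-outside traffic before the crypto map classifies it, and that the two peers' crypto ACLs mirror each other. The ACL excerpts and the deliberately broken R2_BROKEN variant are constructed for this example.

```python
# Constructed excerpts of the R2 and R4 ACLs shown above (only the lines the checks need).
R2 = """ip access-list extended NAT
 deny ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any
ip access-list extended VPN
 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255"""
R4 = """ip access-list extended NAT
 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip any any
ip access-list extended VPN
 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255"""
R2_BROKEN = R2.replace(" deny ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255\n", "")  # constructed: exemption dropped
ANY = ("0.0.0.0", "255.255.255.255")  # internal representation of the 'any' keyword

def parse_acls(cfg):
    """Return {acl_name: [(action, (src, wildcard), (dst, wildcard)), ...]} in line order."""
    acls, cur = {}, None
    for line in cfg.splitlines():
        t = line.split()
        if t[:3] == ["ip", "access-list", "extended"]:
            cur = acls.setdefault(t[3], [])
        elif cur is not None and len(t) > 3 and t[0] in ("permit", "deny") and t[1] == "ip":
            ends, i = [], 2
            for _ in range(2):  # source endpoint, then destination endpoint
                if t[i] == "any":
                    ends.append(ANY); i += 1
                else:
                    ends.append((t[i], t[i + 1])); i += 2
            cur.append((t[0], ends[0], ends[1]))
    return acls

def nat_exemption_problems(acls, nat="NAT", crypto="VPN"):
    """Crypto-ACL flows whose first NAT match is a permit (IOS NATs before the crypto map sees them)."""
    problems = []
    for action, src, dst in acls[crypto]:
        first = next((a for a, s, d in acls[nat]
                      if s in (src, ANY) and d in (dst, ANY)), "deny")
        if action == "permit" and first == "permit":
            problems.append(f"{src[0]} -> {dst[0]} is NATed before encryption")
    return problems

def mirror_problems(local, remote, crypto="VPN"):
    """Protected flows on one side that the peer's crypto ACL does not list reversed."""
    remote_flows = {(s, d) for a, s, d in remote[crypto] if a == "permit"}
    return [f"{s[0]} -> {d[0]} has no mirror entry on the peer"
            for a, s, d in local[crypto] if a == "permit" and (d, s) not in remote_flows]

def audit(local_cfg, remote_cfg):
    """All problems for one router against its IPsec peer; an empty list means OK."""
    local, remote = parse_acls(local_cfg), parse_acls(remote_cfg)
    return nat_exemption_problems(local) + mirror_problems(local, remote)
```

On the lab configs audit(R2, R4) and audit(R4, R2) return empty lists; audit(R2_BROKEN, R4) reports that 10.1.1.0 -> 192.168.1.0 would be NATed before encryption, which is exactly the symptom seen when the NAT ACL deny line is forgotten.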
R5#show run
Building configuration...
Current configuration : 1150 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R5
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
no ip icmp rate-limit unreachable
ip cef
ip tcp synwait-time 5
!
!
no ip dhcp use vrf connected
!
!
no ip domain lookup
no ip ips deny-action ips-interface
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username cisco privilege 15 password 0 cisco
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/1
ip address 192.168.1.5 255.255.255.0
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.4
no ip http server
no ip http secure-server
!
!
!
no cdp log mismatch duplex
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
password cisco
login local
line vty 5 15
password cisco
login local
!
!
end
R5#