I. Overview:
A friend asked a question on the blog; after a phone call the situation turned out to be roughly this:
A. HQ has a leased line to a partner.
B. The partner side cannot easily add a return route, so HQ does PAT whenever it accesses the partner.
C. Now the branches should connect to HQ over a L2L VPN and, from there, reach the partner through HQ's leased line with the same PAT.
II. Basic approach:
A. If the partner could add the return route, the partner network could simply be treated as part of the HQ internal network and no PAT would be needed.
B. For a branch to reach the partner through HQ's leased line after coming in over the VPN, the HQ router needs a loopback interface, and the public (VPN) interface needs a policy route that sends branch-to-partner traffic to that loopback; only then is it PATed out the leased line. The reason is that the translation toward the partner is done with NAT Virtual Interface (`ip nat enable`) NAT, which only translates traffic that enters and leaves on NAT-enabled interfaces, while the decrypted branch traffic enters on Ethernet0/1, which is not one; the hairpin through the NAT-enabled loopback fixes that.
III. Test topology:
(The diagram is not reproduced; the addressing used below is:)
Branch_Inside 10.1.1.1 -- 10.1.1.2 Branch 202.100.1.2 -- 202.100.1.3 Internet 202.100.2.3 -- 202.100.2.4 Center 192.168.1.4 -- 192.168.1.5 Center_Inside
Center 172.16.1.2 -- 172.16.1.1 Partner (Loopback0 160.1.1.6)
IV. Basic configuration:
A. Branch_Inside router:
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.2
B. Branch router:
interface Ethernet0/0
 ip address 10.1.1.2 255.255.255.0
 ip nat inside
 no shut
interface Ethernet0/1
 ip address 202.100.1.2 255.255.255.0
 ip nat outside
 no shut
ip route 0.0.0.0 0.0.0.0 202.100.1.3
ip access-list extended PAT
 deny ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny ip 10.1.1.0 0.0.0.255 160.1.1.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 any
ip nat inside source list PAT interface Ethernet0/1 overload
---Note: the two deny entries keep branch traffic for HQ and for the partner out of the Internet PAT; that traffic must reach the crypto map with its original 10.1.1.x source or it will not match the crypto ACL in section VI.
C. Internet router:
interface Ethernet0/0
 ip address 202.100.1.3 255.255.255.0
 no shut
interface Ethernet0/1
 ip address 202.100.2.3 255.255.255.0
 no shut
D. Center router:
interface Ethernet0/0
 ip address 192.168.1.4 255.255.255.0
 ip nat inside
 no shut
interface Ethernet0/1
 ip address 202.100.2.4 255.255.255.0
 ip nat outside
 no shut
interface Ethernet0/2
 ip address 172.16.1.2 255.255.255.252
 no shut
ip route 0.0.0.0 0.0.0.0 202.100.2.3
ip route 160.1.1.0 255.255.255.0 172.16.1.1
ip access-list extended PAT
 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
 deny ip 192.168.1.0 0.0.0.255 160.1.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list PAT interface Ethernet0/1 overload
E. Center_Inside router:
interface Ethernet0/0
 ip address 192.168.1.5 255.255.255.0
 no shut
ip route 0.0.0.0 0.0.0.0 192.168.1.4
F. Partner router:
interface Loopback0
 ip address 160.1.1.6 255.255.255.0
interface Ethernet0/0
 ip address 172.16.1.1 255.255.255.252
 no shut
----Note: no routes are configured on Partner. That is the constraint of the whole exercise: Partner can only reply to addresses on its directly connected link, so everything from HQ and from the branch must arrive sourced from 172.16.1.2. (The vty login and password used by the telnet tests below are not shown on the page.)
V. PAT from the HQ internal network to the partner:
A. Configuration (on the Center router):
interface Ethernet0/0
 ip nat enable
interface Ethernet0/2
 ip nat enable
ip access-list extended Center-to-partner-PAT
 permit ip 192.168.1.0 0.0.0.255 160.1.1.0 0.0.0.255
ip nat source list Center-to-partner-PAT interface Ethernet0/2 overload
---Note: this is the NAT Virtual Interface (NVI) form, `ip nat enable` plus `ip nat source`, which has no inside/outside direction. It is added alongside the legacy `ip nat inside`/`ip nat outside` PAT toward the Internet that is already on Ethernet0/0 and Ethernet0/1, which is why the legacy PAT ACL above excludes 160.1.1.0/24. NVI translation only happens for traffic that both enters and leaves on `ip nat enable` interfaces; that is the detail section VII has to work around for the branch traffic.
B. Verification:
Center_Inside#telnet 160.1.1.6
Trying 160.1.1.6 ... Open
User Access Verification
Password:
Partner>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:42
*130 vty 0                idle                 00:00:00 172.16.1.2
  Interface    User               Mode         Idle     Peer Address
Partner>
(The Location column shows the session arriving from 172.16.1.2, the PAT address on Ethernet0/2.)
VI. L2L VPN from the branch to HQ:
A. Branch router:
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 202.100.2.4
crypto ipsec transform-set transet esp-des esp-md5-hmac
ip access-list extended VPN
 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 160.1.1.0 0.0.0.255
crypto map crymap 10 ipsec-isakmp
 set peer 202.100.2.4
 set transform-set transet
 match address VPN
interface Ethernet0/1
 crypto map crymap
---Note: the crypto ACL already includes the partner network 160.1.1.0/24, so branch-to-partner traffic is encrypted to HQ instead of following the default route to the Internet.
B. Center router:
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 202.100.1.2
crypto ipsec transform-set transet esp-des esp-md5-hmac
ip access-list extended VPN
 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 160.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
crypto map crymap 10 ipsec-isakmp
 set peer 202.100.1.2
 set transform-set transet
 match address VPN
interface Ethernet0/1
 crypto map crymap
---Note: the crypto ACL is the exact mirror of the branch ACL; the 160.1.1.0/24 entry is what lets the partner's replies, once the PAT has been undone, be encrypted back to the branch. The IKE/IPsec parameters here (3DES and MD5 for IKE, DH group 2, single DES in the transform set, the pre-shared key `cisco`) are lab values only; outside a lab use AES, SHA-2, DH group 14 or higher and a strong, unique pre-shared key or certificates.
C. Verification:
Branch_Inside#ping 192.168.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 120/182/264 ms
Branch_Inside#
Center_Inside#
*Mar 1 10:07:25.293: ICMP: echo reply sent, src 192.168.1.5, dst 10.1.1.1
*Mar 1 10:07:25.561: ICMP: echo reply sent, src 192.168.1.5, dst 10.1.1.1
*Mar 1 10:07:25.701: ICMP: echo reply sent, src 192.168.1.5, dst 10.1.1.1
*Mar 1 10:07:25.809: ICMP: echo reply sent, src 192.168.1.5, dst 10.1.1.1
(The first echo is lost while the IKE and IPsec SAs are negotiated; the ICMP debug on Center_Inside shows the replies addressed directly to 10.1.1.1, i.e. the branch-to-HQ traffic is not translated.)
VII. PAT from the branch to the partner:
-----all of this is configured on the Center router
A. Add the loopback interface:
interface Loopback0
 ip address 100.1.1.1 255.255.255.0
B. Policy routing to push the traffic to the loopback:
ip access-list extended Branch-to-partner
 permit ip 10.1.1.0 0.0.0.255 160.1.1.0 0.0.0.255
route-map Branch-to-partner permit 10
 match ip address Branch-to-partner
 set ip next-hop 100.1.1.2
interface Ethernet0/1
 ip policy route-map Branch-to-partner
---Note: the next hop is any other address on the loopback's directly connected subnet, not the loopback's own interface address, so that the packet is actually forwarded out Loopback0 and comes back in on it. The route-map is applied on the VPN encryption-point interface (Ethernet0/1): the decrypted branch traffic is processed as inbound on that interface, so that is where the policy route catches it.
C. Configure the PAT:
interface Loopback0
 ip nat enable
interface Ethernet0/2
 ip nat enable
ip nat source list Branch-to-partner interface Ethernet0/2 overload
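As an added example that is not part of the original post and not a Cisco tool, the Python model below checks the decisions this lab depends on: it parses the page's Cisco extended ACLs, verifies that the Branch PAT ACL exempts exactly what the crypto ACL encrypts and that the two crypto ACLs mirror each other (section VI), and then walks a packet through the Center router to show why the route-map hairpin through Loopback0 is what makes the NVI PAT on Ethernet0/2 apply to branch traffic (section VII). All addresses, ACLs and interface names come from the configurations above; the way IOS forwarding is modelled (legacy inside/outside NAT, `ip nat enable` translation only between two NAT-enabled interfaces, PBR, the loopback hairpin) is a simplification and an assumption of this example, and the Internet address 8.8.8.8 used in the checks is a constructed sample.

```python
# Added example for this page, not the author's configuration and not a Cisco tool.
# Addresses, ACLs and interface names are taken from the page; the model of IOS
# forwarding (legacy NAT, NVI NAT, PBR, loopback hairpin) is a simplification.
import ipaddress
from dataclasses import dataclass

def _net(tokens):
    """Consume one ACE address term: 'any' or 'A.B.C.D WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = str(ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF))  # contiguous wildcards only
    return ipaddress.IPv4Network((t, netmask), strict=False)

def parse_acl(text):
    """'permit|deny ip SRC WC DST WC' lines -> [(action, src_net, dst_net)]."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, tokens = tokens[0], tokens[2:]  # tokens[1] is the protocol, 'ip'
        aces.append((action, _net(tokens), _net(tokens)))
    return aces

def acl_permits(aces, src, dst):
    """First match wins; no match is the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, snet, dnet in aces:
        if s in snet and d in dnet:
            return action == "permit"
    return False

def nat_exempt(crypto_acl, nat_acl):
    """Nothing the crypto ACL permits may also be PATed, or it is translated before
    encryption and no longer matches the crypto ACL (checked at both ends of each range)."""
    return not any(acl_permits(nat_acl, str(s), str(d))
                   for act, snet, dnet in crypto_acl if act == "permit"
                   for s in (snet[0], snet[-1]) for d in (dnet[0], dnet[-1]))

def is_mirror(acl_a, acl_b):
    """Crypto ACLs on the two peers must be exact mirror images of each other."""
    return ({(s, d) for a, s, d in acl_a if a == "permit"}
            == {(d, s) for a, s, d in acl_b if a == "permit"})

# ACLs exactly as configured on the page (sections IV, V, VI and VII).
BRANCH_PAT = parse_acl("""deny ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 10.1.1.0 0.0.0.255 160.1.1.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 any""")
BRANCH_VPN = parse_acl("""permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 160.1.1.0 0.0.0.255""")
CENTER_VPN = parse_acl("""permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip 160.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255""")
CENTER_PAT = parse_acl("""deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 160.1.1.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any""")
CENTER_TO_PARTNER = parse_acl("permit ip 192.168.1.0 0.0.0.255 160.1.1.0 0.0.0.255")
BRANCH_TO_PARTNER = parse_acl("permit ip 10.1.1.0 0.0.0.255 160.1.1.0 0.0.0.255")

@dataclass
class Iface:
    ip: str
    connected: str
    legacy: str = None    # 'inside' / 'outside' from ip nat inside|outside
    nvi: bool = False     # ip nat enable
    pbr: tuple = None     # (acl, next_hop) from ip policy route-map

# The Center router as it stands after sections IV, V and VII.
CENTER = {
    "E0/0": Iface("192.168.1.4", "192.168.1.0/24", legacy="inside", nvi=True),
    "E0/1": Iface("202.100.2.4", "202.100.2.0/24", legacy="outside",
                  pbr=(BRANCH_TO_PARTNER, "100.1.1.2")),
    "E0/2": Iface("172.16.1.2", "172.16.1.0/30", nvi=True),
    "Lo0": Iface("100.1.1.1", "100.1.1.0/24", nvi=True),
}
ROUTES = [("160.1.1.0/24", "E0/2"), ("0.0.0.0/0", "E0/1")] + \
         [(i.connected, n) for n, i in CENTER.items()]  # static + connected
NVI_RULES = [(CENTER_TO_PARTNER, "E0/2"), (BRANCH_TO_PARTNER, "E0/2")]  # ip nat source list ...

def route_lookup(dst):
    """Longest-prefix match; returns the egress interface name."""
    d = ipaddress.IPv4Address(dst)
    nets = [(ipaddress.IPv4Network(p), e) for p, e in ROUTES]
    return max(((n.prefixlen, e) for n, e in nets if d in n))[1]

def forward(src, dst, ingress, pbr=True):
    """(egress interface, source after NAT) for a packet entering Center on `ingress`;
    pbr=False models section VII without the route-map on Ethernet0/1."""
    ing = CENTER[ingress]
    egress = route_lookup(dst)
    if pbr and ing.pbr and acl_permits(ing.pbr[0], src, dst):
        egress = route_lookup(ing.pbr[1])  # 100.1.1.2 is on Loopback0's connected subnet
    if egress == "Lo0":
        # Forwarded out the loopback, the packet comes straight back in on it and is
        # routed again, this time having entered on an 'ip nat enable' interface.
        return forward(src, dst, "Lo0", pbr=False)
    eg = CENTER[egress]
    if ing.legacy == "inside" and eg.legacy == "outside" and acl_permits(CENTER_PAT, src, dst):
        return egress, eg.ip  # ip nat inside source list PAT interface Ethernet0/1 overload
    if ing.nvi and eg.nvi and any(o == egress and acl_permits(a, src, dst) for a, o in NVI_RULES):
        return egress, eg.ip  # NVI PAT to the egress interface address (172.16.1.2)
    return egress, src
```

`forward("10.1.1.1", "160.1.1.6", "E0/1")` returns `("E0/2", "172.16.1.2")`: the branch packet is policy-routed to Loopback0, re-enters on a NAT-enabled interface and is PATed out Ethernet0/2. The same call with `pbr=False` returns `("E0/2", "10.1.1.1")`, the packet leaving toward Partner untranslated, which Partner, having no routes, could never answer; that is the failure the loopback trick exists to avoid. HQ traffic entering on Ethernet0/0 needs no hairpin because that interface already has `ip nat enable`.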
D. Verification:
Branch_Inside#telnet 160.1.1.6
Trying 160.1.1.6 ... Open
User Access Verification
Password:
Partner>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 09:00:47
*130 vty 0                idle                 00:00:00 172.16.1.2
  Interface    User               Mode         Idle     Peer Address
Partner>
(The branch session, like the HQ session in section V, arrives at Partner from 172.16.1.2.)