r2:此路由器代表公司总部,连接ISP和内部网络,nat转换和***都在此路由器上做
r2#show runn
Building configuration...
Current configuration : 1337 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1 ##确定***策略
encryption des ##加密使用对称加密算法des
group 1 ##密钥交换使用group 1
hash md5 ##认证用md5算法
authentication pre-share ##使用预共享密钥进行认证,此处由于默认使用加密算法为des和密钥交换为group 1,所以在show runn中看不到,但是必须配置
crypto isakmp key 6 cisco address 192.168.5.2 ##进行预共享的对等体和密钥
!
!
crypto ipsec transform-set ccnp ah-md5-hmac ##定义一个ipsec转换集名为ccnp,使用ah,未使用esp进行数据加密
!
crypto map mymap 1 ipsec-isakmp ##定义一个map名为mymap,此map引用acl110和刚定义的转换集ccnp,设置对等体地址
set peer 192.168.5.2 ##设置对等体地址
set transform-set ccnp ##引用刚定义的转换集ccnp
match address 110 ##引用acl 110
!
!
!
!
interface Ethernet0/0
no ip address
shutdown
half-duplex
!
interface Ethernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside ##此接口为内网接口,启用nat转换
ip virtual-reassembly
half-duplex
!
interface Ethernet0/2
ip address 192.168.4.1 255.255.255.0
ip nat outside ##此接口为接ISP的公网口,启用nat转换,私有地址将被转换为此接口上的共有地址访问互联网
ip virtual-reassembly
half-duplex
crypto map mymap
!
interface Ethernet0/3
no ip address
shutdown
half-duplex
!
ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.4.2 ##默认路由到ISP,下一跳地址为与ISP相连的地址
!
!
ip nat inside source list 100 interface Ethernet0/2 overload ##启用nat转换,引用acl 100,符合acl 100的地址将被转换
!
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 ##此acl定义nat需要转换的私有地址,先将需要***转换的地址拒绝掉
access-list 100 permit ip 192.168.1.0 0.0.0.255 any ##这是需要nat转换的私有地址
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 ##此acl定义***需要转换的地址,当192.168.1.0网段访问192.168.2.0网段时执行定义的isakmp和ipsec进行加密等
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
r2#
r1:此路由器充当公司总部pc
r1#ping 192.168.2.2 ##能够ping通代表公司分部的pc地址,说明***成功了
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 120/194/232 ms
r1#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 124/138/160 ms
r1#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 104/164/216 ms
r1#ping 192.168.3.2 ##能够ping通代表互联网地址的3.2说明nat转换成功
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/151/220 ms
r1#show runn
Building configuration...
Current configuration : 806 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip routing
!
!
no ip cef
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
no ip address
no ip route-cache
shutdown
half-duplex
!
interface Ethernet0/1
ip address 192.168.1.2 255.255.255.0
no ip route-cache
half-duplex
!
interface Ethernet0/2
no ip address
no ip route-cache
shutdown
half-duplex
!
interface Ethernet0/3
no ip address
no ip route-cache
shutdown
half-duplex
!
ip default-gateway 192.168.1.1
ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
r1#
r3:此路由器充当ISP路由器,连接了三个网络,一个3.0网段,4.0网段代表公司总部,5.0代表公司分部,此路由器配置简单,直接配3个地址就ok了
r3>en
r3#show runn
Building configuration...
Current configuration : 708 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
ip address 192.168.3.1 255.255.255.0 ##与代表互联网地址的3.0网段相连
half-duplex
!
interface Ethernet0/1
ip address 192.168.4.2 255.255.255.0 ##与代表公司总部的路由器相连
half-duplex
!
interface Ethernet0/2
ip address 192.168.5.1 255.255.255.0 ##与代表公司分部的路由器相连
half-duplex
!
interface Ethernet0/3
no ip address
shutdown
half-duplex
!
ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
r3#
r4:与公司分部相连的路由器,此路由器的配置和r2相似,不再单独介绍,只说不同点
2, changed state to up
r4(config-if)#
r4(config-if)#
r4(config-if)#
r4(config-if)#
r4(config-if)#ex
r4(config)#in e0/1
r4(config-if)#ip nat ou
r4(config-if)#ip nat outside
r4(config-if)#
*Mar 1 00:12:48.551: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to upex
r4(config)#in e0/2
r4(config-if)#ip nat ins
r4(config-if)#ex
r4(config)#acc
r4(config)#access-list 100 den
r4(config)#$ 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
r4(config)#acc
r4(config)#access-list 100 per
r4(config)#access-list 100 permit ip 192.168.2.0 0.0.0.255 any
r4(config)#ip nat inside sourc list 100 in
r4(config)#ip nat inside sourc list 100 interface e0/1 ove
r4(config)#ip route 0.0.0.0 0.0.0.0 192.168.5.1
r4(config)#
r4(config)#
r4(config)#
r4(config)#
r4(config)#
r4(config)#
r4(config)#
r4(config)#
r4(config)#
r4(config)#
r4(config)#
r4(config)#
r4(config)#
r4(config)#
r4(config)#acc
r4(config)#access-list 110 per
r4(config)#$ 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
r4(config)#cry
r4(config)#crypto is
r4(config)#crypto isakmp po
r4(config)#crypto isakmp policy ?
<1-10000> Priority of protection suite
r4(config)#crypto isakmp policy 1 ?
r4(config)#crypto isakmp policy 1
r4(config-isakmp)#en
r4(config-isakmp)#encryption des
r4(config-isakmp)#hash mdt
^
% Invalid input detected at '^' marker.
r4(config-isakmp)#hash md5
r4(config-isakmp)#auth
r4(config-isakmp)#authentication pre
r4(config-isakmp)#authentication pre-share
r4(config-isakmp)#gr
r4(config-isakmp)#group 1
r4(config-isakmp)#ex
r4(config)#cry
r4(config)#crypto is
r4(config)#crypto isakmp key 6 cisco add ?
A.B.C.D Peer IP address
r4(config)#crypto isakmp key 6 cisco add 192.168.4.1 ?
A.B.C.D Peer IP subnet mask
no-xauth Bypasses XAuth for this peer
r4(config)#crypto isakmp key 6 cisco add 192.168.4.1
r4(config)#cry ip
r4(config)#cry ipsec tran
r4(config)#cry ipsec transform-set ccnp ?
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
comp-lzs IP Compression using the LZS compression algorithm
esp-3des ESP transform using 3DES(EDE) cipher (168 bits)
esp-aes ESP transform using AES cipher
esp-des ESP transform using DES cipher (56 bits)
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-null ESP transform w/o cipher
esp-seal ESP transform using SEAL cipher (160 bits)
esp-sha-hmac ESP transform using HMAC-SHA auth
r4(config)#cry ipsec transform-set ccnp ah
r4(config)#cry ipsec transform-set ccnp ah-m
r4(config)#cry ipsec transform-set ccnp ah-md5-hmac
r4(cfg-crypto-trans)#exit
r4(config)#cry
r4(config)#crypto map mymap 1 ips
r4(config)#crypto map mymap 1 ipsec-is
r4(config)#crypto map mymap 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
r4(config-crypto-map)#mat
r4(config-crypto-map)#match add 110
r4(config-crypto-map)#set tr
r4(config-crypto-map)#set transform-set ccnp
r4(config-crypto-map)#set peer 192.168.4.1
r4(config-crypto-map)#ex
r4(config)#in e0/1
r4(config-if)#cry map mymap
r4(config-if)#ex
*Mar 1 00:18:34.063: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
r4(config)#end
r4#show ru
*Mar 1 00:19:44.447: %SYS-5-CONFIG_I: Configured from console by consolenn
Building configuration...
Current configuration : 1337 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r4
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1 ##与r2配置必须相同,只是对等体地址换成r2公网接口地址
hash md5
authentication pre-share
crypto isakmp key 6 cisco address 192.168.4.1
!
!
crypto ipsec transform-set ccnp ah-md5-hmac
!
crypto map mymap 1 ipsec-isakmp
set peer 192.168.4.1
set transform-set ccnp
match address 110
!
!
!
!
interface Ethernet0/0
no ip address
shutdown
half-duplex
!
interface Ethernet0/1
ip address 192.168.5.2 255.255.255.0
ip nat outside
ip virtual-reassembly
half-duplex
crypto map mymap
!
interface Ethernet0/2
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
half-duplex
!
interface Ethernet0/3
no ip address
shutdown
half-duplex
!
ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.5.1
!
!
ip nat inside source list 100 interface Ethernet0/1 overload
!
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
r4#
r5:此路由器为公司分部的pc,需要访问公司总部的1.0网段
r5>en
r5#show runn
Building configuration...
Current configuration : 806 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r5
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip routing
!
!
no ip cef
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
no ip address
no ip route-cache
shutdown
half-duplex
!
interface Ethernet0/1
ip address 192.168.2.2 255.255.255.0
no ip route-cache
half-duplex
!
interface Ethernet0/2
no ip address
no ip route-cache
shutdown
half-duplex
!
interface Ethernet0/3
no ip address
no ip route-cache
shutdown
half-duplex
!
ip default-gateway 192.168.2.1
ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
r5#ping 192.168.1.2 ##与代表公司总部的pc能够ping通,代表***成功
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 124/135/144 ms
r5#
r6:此路由器代表互联网上的服务器资源
r6>en
r6#show runn
Building configuration...
Current configuration : 806 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r6
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip routing
!
!
no ip cef
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
no ip address
no ip route-cache
shutdown
half-duplex
!
interface Ethernet0/1
ip address 192.168.3.2 255.255.255.0
no ip route-cache
half-duplex
!
interface Ethernet0/2
no ip address
no ip route-cache
shutdown
half-duplex
!
interface Ethernet0/3
no ip address
no ip route-cache
shutdown
half-duplex
!
ip default-gateway 192.168.3.1
ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
r6#