用户端NAT远程拨号接入

一、 实验拓朴图

二、 实验目的:

1、 RT4上实现PAT设置

2、 RT3上实现NAT设置

3、 PC远程接入总部RT1,与RT1之间建立传输隧道

三、 实验实现:

RT1:

aaa new-model  //启用AAA服务

!

aaa authentication login default local  //认证默认本地登录

aaa authentication login nauguy local   //认证从nauguy登录

aaa authorization network nauguy local   //授权从nauguy登录

!

username cisco password 0 cisco  //配置AAA认证的用户名和密码

!

crypto isakmp policy 1  //配置第一阶段的策略

 hash md5

 authentication pre-share

 group 2

!

crypto isakmp client configuration group nauguy  //配置1.5阶段策略,组名为nauguy

 key 1234  //密钥为1234

 pool nauguy  //本地地址池为naugy

 acl 101  //分裂通道

!

crypto ipsec transform-set cisco esp-des esp-md5-hmac   //配置第二阶段策略

 mode transport

!

crypto dynamic-map cisco 10

 set transform-set cisco 

!

crypto map hqh client authentication list nauguy  //绑定认证列表nauguy

crypto map hqh isakmp authorization list nauguy  //绑定授权列表nauguy

crypto map hqh client configuration address respond  //配置地址下发回复

crypto map hqh 10 ipsec-isakmp dynamic cisco  //绑定动态加密图

!

interface Loopback0

 ip address 192.168.3.1 255.255.255.0

!

interface Ethernet0/0

 ip address 192.168.1.1 255.255.255.0

 crypto map hqh

!

ip local pool nauguy 192.168.20.1 192.168.20.20  //本地地址池

ip route 0.0.0.0 0.0.0.0 192.168.1.2

!

access-list 101 permit ip 192.168.3.0 0.0.0.255 any

!

RT3:

interface Ethernet0/0

 ip address 202.103.95.112 255.255.255.0

 ip nat outside

!

!

interface Ethernet1/0

 ip address 192.168.2.1 255.255.255.0

 ip nat inside

 

ip route 0.0.0.0 0.0.0.0 202.103.95.111

!

ip nat inside source list 100 interface Ethernet0/0 overload  //静态NAT配置

!

access-list 100 permit ip 192.168.2.0 0.0.0.255 any

!

RT4:

!

interface Ethernet0/0

 ip address 202.103.96.112 255.255.255.0

 ip nat outside

!

interface Ethernet0/1

 ip address 192.168.1.2 255.255.255.0

 ip nat inside

!

ip route 0.0.0.0 0.0.0.0 202.103.96.111

!         

ip nat inside source static udp 192.168.1.1 500 202.103.96.112 500 extendable

//静态PAT,放通isakmp流量

ip nat inside source static udp 192.168.1.1 4500 202.103.96.112 4500 extendable

                                      //静态PAT,放通NAT-T后的4500端口的流量

!

 

RT1#show crypto engine connections active

ID Interface IP-Address State Algorithm Encrypt Decrypt

2 Ethernet0/0 192.168.1.1 set HMAC_MD5+DES_56_CB 0 0

2001 Ethernet0/0 192.168.1.1 set DES+MD5 4 0

2002 Ethernet0/0 192.168.1.1 set DES+MD5 0 4

C:\Documents and Settings\Administrator>ping 192.168.3.1

Pinging 192.168.3.1 with 32 bytes of data:

Reply from 192.168.3.1: bytes=32 time=88ms TTL=255

Reply from 192.168.3.1: bytes=32 time=65ms TTL=255

Reply from 192.168.3.1: bytes=32 time=72ms TTL=255

Reply from 192.168.3.1: bytes=32 time=74ms TTL=255

Ping statistics for 192.168.3.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 65ms, Maximum = 88ms, Average = 74ms

RT4#show ip nat translations

Pro Inside global Inside local Outside local Outside global

udp 202.103.96.112:500 192.168.1.1:500 --- ---

udp 202.103.96.112:4500 192.168.1.1:4500 202.103.95.112:1041 202.103.95.112:1041

udp 202.103.96.112:4500 192.168.1.1:4500 --- ---

RT4#

RT3#show ip nat translations

Pro Inside global Inside local Outside local Outside global

udp 202.103.95.112:1041 192.168.2.10:1041 202.103.96.112:4500 202.103.96.112:4500

 

你可能感兴趣的:(nauguy...)