1. Lab topology diagram
2. Lab objectives:
1. Configure PAT on RT4
2. Configure NAT on RT3
3. The PC connects remotely to headquarters router RT1 and establishes an IPsec tunnel with RT1
3. Lab implementation:
RT1:
aaa new-model //enable AAA
!
aaa authentication login default local //default login authentication uses the local user database
aaa authentication login nauguy local //login authentication list nauguy uses the local user database
aaa authorization network nauguy local //network authorization list nauguy uses the local user database
!
username cisco password 0 cisco //username and password for AAA authentication (type 0 stores the password in cleartext in the running config)
!
crypto isakmp policy 1 //phase 1 (IKE) policy
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group nauguy //phase 1.5 (client configuration) policy, group name nauguy
key 1234 //group pre-shared key is 1234
pool nauguy //local address pool is nauguy
acl 101 //split tunneling ACL
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac //phase 2 (IPsec) policy
mode transport
!
crypto dynamic-map cisco 10
set transform-set cisco
!
crypto map hqh client authentication list nauguy //bind authentication list nauguy
crypto map hqh isakmp authorization list nauguy //bind authorization list nauguy
crypto map hqh client configuration address respond //respond to the client's request for an address (mode config)
crypto map hqh 10 ipsec-isakmp dynamic cisco //bind the dynamic crypto map
!
interface Loopback0
ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/0
ip address 192.168.1.1 255.255.255.0
crypto map hqh
!
ip local pool nauguy 192.168.20.1 192.168.20.20 //local address pool handed out to clients
ip route 0.0.0.0 0.0.0.0 192.168.1.2
!
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
!
RT3:
interface Ethernet0/0
ip address 202.103.95.112 255.255.255.0
ip nat outside
!
!
interface Ethernet1/0
ip address 192.168.2.1 255.255.255.0
ip nat inside
!
ip route 0.0.0.0 0.0.0.0 202.103.95.111
!
ip nat inside source list 100 interface Ethernet0/0 overload //dynamic NAT with overload (PAT): sources matched by ACL 100 are translated to the Ethernet0/0 address
!
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
!
RT4:
!
interface Ethernet0/0
ip address 202.103.96.112 255.255.255.0
ip nat outside
!
interface Ethernet0/1
ip address 192.168.1.2 255.255.255.0
ip nat inside
!
ip route 0.0.0.0 0.0.0.0 202.103.96.111
!
ip nat inside source static udp 192.168.1.1 500 202.103.96.112 500 extendable //static PAT: forward ISAKMP (UDP 500) to RT1
ip nat inside source static udp 192.168.1.1 4500 202.103.96.112 4500 extendable //static PAT: forward the UDP 4500 traffic used after NAT-T detection to RT1
!
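Why RT4 needs both the UDP 500 and the UDP 4500 forwardings: during phase 1 each peer sends NAT-D payloads (RFC 3947) that hash its own address and port together with the ISAKMP cookies; the receiver recomputes the hash over the source address it actually observed, and a mismatch means a NAT rewrote the packet on the way, so both sides move IKE and the ESP traffic to UDP 4500. The following Python model of that detection is an added example, not part of the lab; the cookie values are constructed, the hash is MD5 to match the lab's phase 1 policy, and the inside address of the client (192.168.2.10) is taken from RT3's translation table. It assumes RT3 preserved the client's source port 500 before NAT-T; the address change alone is enough to change the hash.

```python
import hashlib
import socket
import struct

# Constructed sample ISAKMP cookies (8 bytes each); real ones are random per SA.
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("a1a2a3a4a5a6a7a8")


def natd_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_name: str = "md5") -> bytes:
    """RFC 3947 NAT-D payload value: HASH(CKY-I | CKY-R | IP | Port).

    IP address and port are encoded in network byte order. The hash is the
    one negotiated in phase 1; the lab policy uses 'hash md5'.
    """
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def nat_in_path(cky_i: bytes, cky_r: bytes, sender_ip: str, sender_port: int,
                observed_ip: str, observed_port: int, hash_name: str = "md5") -> bool:
    """True when the receiver's recomputed hash differs from the sender's NAT-D hash,
    i.e. a NAT rewrote the sender's address or port somewhere on the path."""
    sent = natd_hash(cky_i, cky_r, sender_ip, sender_port, hash_name)
    recomputed = natd_hash(cky_i, cky_r, observed_ip, observed_port, hash_name)
    return sent != recomputed


def lab_nat_detection() -> dict:
    """Model the lab: the client behind RT3 and RT1 behind RT4 exchange NAT-D payloads."""
    # The client (192.168.2.10) hashes its own address; RT1 sees the packet arriving
    # from RT3's outside address 202.103.95.112 (source port 500 assumed preserved).
    client_behind_nat = nat_in_path(CKY_I, CKY_R, "192.168.2.10", 500, "202.103.95.112", 500)
    # RT1 hashes its own address 192.168.1.1; the client sees RT4's outside address.
    server_behind_nat = nat_in_path(CKY_I, CKY_R, "192.168.1.1", 500, "202.103.96.112", 500)
    # A NAT on either side is enough to move IKE and ESP into UDP encapsulation on port 4500.
    port = 4500 if (client_behind_nat or server_behind_nat) else 500
    return {
        "client_behind_nat": client_behind_nat,
        "server_behind_nat": server_behind_nat,
        "ipsec_udp_port": port,
    }


if __name__ == "__main__":
    print(lab_nat_detection())
```

Because the client's inside address 192.168.2.10 and RT1's inside address 192.168.1.1 never appear on the wire between RT3 and RT4, both hashes mismatch, which is exactly why the static UDP 500 mapping alone would not be enough and the 4500 mapping on RT4 is required.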
RT1#show crypto engine connections active
ID    Interface    IP-Address    State  Algorithm            Encrypt  Decrypt
2     Ethernet0/0  192.168.1.1   set    HMAC_MD5+DES_56_CB   0        0
2001  Ethernet0/0  192.168.1.1   set    DES+MD5              4        0
2002  Ethernet0/0  192.168.1.1   set    DES+MD5              0        4
C:\Documents and Settings\Administrator>ping 192.168.3.1
Pinging 192.168.3.1 with 32 bytes of data:
Reply from 192.168.3.1: bytes=32 time=88ms TTL=255
Reply from 192.168.3.1: bytes=32 time=65ms TTL=255
Reply from 192.168.3.1: bytes=32 time=72ms TTL=255
Reply from 192.168.3.1: bytes=32 time=74ms TTL=255
Ping statistics for 192.168.3.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 65ms, Maximum = 88ms, Average = 74ms
RT4#show ip nat translations
Pro  Inside global          Inside local        Outside local          Outside global
udp  202.103.96.112:500     192.168.1.1:500     ---                    ---
udp  202.103.96.112:4500    192.168.1.1:4500    202.103.95.112:1041    202.103.95.112:1041
udp  202.103.96.112:4500    192.168.1.1:4500    ---                    ---
RT4#
RT3#show ip nat translations
Pro  Inside global          Inside local        Outside local          Outside global
udp  202.103.95.112:1041    192.168.2.10:1041   202.103.96.112:4500    202.103.96.112:4500
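The two translation tables above can be read together as one path: the client 192.168.2.10:1041 is PAT'ed by RT3 to 202.103.95.112:1041, reaches RT4's outside address 202.103.96.112:4500, and the static PAT on RT4 delivers it to RT1 at 192.168.1.1:4500. The Python below is an added example, not part of the lab write-up; it embeds the page's own 'show ip nat translations' output as constructed input, parses it, and follows the UDP 4500 flow hop by hop, failing loudly if the client's destination does not line up with the server-side NAT's inside-global address. The '---' entries on RT4 are the static mappings that exist even with no active flow.

```python
from dataclasses import dataclass
from typing import List, Optional

# Copied from the page's 'show ip nat translations' output on RT3 and RT4.
RT3_NAT = """
RT3#show ip nat translations
Pro Inside global Inside local Outside local Outside global
udp 202.103.95.112:1041 192.168.2.10:1041 202.103.96.112:4500 202.103.96.112:4500
"""

RT4_NAT = """
RT4#show ip nat translations
Pro Inside global Inside local Outside local Outside global
udp 202.103.96.112:500 192.168.1.1:500 --- ---
udp 202.103.96.112:4500 192.168.1.1:4500 202.103.95.112:1041 202.103.95.112:1041
udp 202.103.96.112:4500 192.168.1.1:4500 --- ---
"""


@dataclass(frozen=True)
class NatEntry:
    proto: str
    inside_global: str
    inside_local: str
    outside_local: Optional[str]   # None for a static mapping with no active flow ('---')
    outside_global: Optional[str]


def parse_nat_table(text: str) -> List[NatEntry]:
    """Parse IOS 'show ip nat translations' output into NatEntry records."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Pro":   # skip prompt, header and blank lines
            continue
        cols = [None if f == "---" else f for f in fields[1:]]
        entries.append(NatEntry(fields[0], cols[0], cols[1], cols[2], cols[3]))
    return entries


def has_static_mapping(text: str, inside_local: str) -> bool:
    """True if inside_local has a translation with no outside endpoint, i.e. a static entry."""
    return any(e.inside_local == inside_local and e.outside_global is None
               for e in parse_nat_table(text))


def trace_udp_flow(client_table: str, server_table: str,
                   client_inside_ip: str, server_port: int = 4500) -> List[str]:
    """Follow one client->server UDP flow through both NAT devices.

    Returns [client inside, client-side NAT outside, server-side NAT outside, server inside].
    """
    # Hop 1: the client-side NAT (RT3) entry for this client going to server_port.
    hop1 = next(e for e in parse_nat_table(client_table)
                if e.proto == "udp"
                and e.inside_local.startswith(client_inside_ip + ":")
                and e.outside_global is not None
                and e.outside_global.endswith(f":{server_port}"))
    # Hop 2: the server-side NAT (RT4) entry whose outside peer is hop 1's translated address.
    hop2 = next(e for e in parse_nat_table(server_table)
                if e.proto == "udp"
                and e.outside_global == hop1.inside_global
                and e.inside_global.endswith(f":{server_port}"))
    # Consistency check: the client sent to the address that RT4 translates inward.
    if hop1.outside_global != hop2.inside_global:
        raise ValueError("client destination does not match the server-side NAT inside global address")
    return [hop1.inside_local, hop1.inside_global, hop2.inside_global, hop2.inside_local]


if __name__ == "__main__":
    print(trace_udp_flow(RT3_NAT, RT4_NAT, "192.168.2.10"))
```

Running the script prints the four-hop chain from 192.168.2.10:1041 to 192.168.1.1:4500; the same parser can be pointed at live output from either router to confirm the static 500 and 4500 entries exist on RT4 before a client ever connects.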