本帖最后由 oracat 于 2013-7-9 11:10 编辑
一.测试拓扑:
二.基本配置: A.R1
interface Loopback0
ip address 192.168.1.1 255.255.255.0
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
no shut
B.R2
interface Ethernet0/0
ip address 10.1.1.2 255.255.255.0
no shut
interface Ethernet0/1
ip address 202.100.1.2 255.255.255.0
no shut
C.R3
interface FastEthernet0/0
ip address 202.100.1.3 255.255.255.0
no shut
interface FastEthernet0/1
ip address 202.100.2.3 255.255.255.0
no shut
D.R4
interface Ethernet0/0
ip address 20.1.1.4 255.255.255.0
no shut
interface Ethernet0/2
ip address 30.1.1.4 255.255.255.0
no shut
interface Ethernet0/1
ip address 202.100.2.4 255.255.255.0
no shut
E.R5
interface Loopback0
ip address 192.168.2.5 255.255.255.0
interface FastEthernet0/0
ip address 20.1.1.5 255.255.255.0
no shut F.R6 interface Loopback0
ip address 192.168.3.6 255.255.255.0
interface FastEthernet0/0
ip address 30.1.1.6 255.255.255.0
no shut 三.静态路由和PAT配置:
A.静态路由配置:
①R1
ip route 0.0.0.0 0.0.0.0 10.1.1.2
②R2
ip route 0.0.0.0 0.0.0.0 202.100.1.3
ip route 192.168.1.0 255.255.255.0 10.1.1.1
③R4
ip route 0.0.0.0 0.0.0.0 202.100.2.3
ip route 192.168.2.0 255.255.255.0 20.1.1.5 ip route 192.168.3.0 255.255.255.0 30.1.1.6 ④R5
ip route 0.0.0.0 0.0.0.0 20.1.1.4 ⑤R6
ip route 0.0.0.0 0.0.0.0 30.1.1.4 B.动态PAT配置:
①R2
ip access-list extended 100
permit ip 192.168.1.0 0.0.0.255 any
permit ip 10.1.1.0 0.0.0.255 any
int e0/0
ip nat inside
int e0/1
ip nat outside
ip nat inside source list 100 interface e0/1
②R4
ip access-list extended 100
permit ip 192.168.2.0 0.0.0.255 any permit ip 192.168.3.0 0.0.0.255 any
permit ip 20.1.1.0 0.0.0.255 any permit ip 30.1.1.0 0.0.0.255 any int e0/0
ip nat inside
int e0/1
ip nat outside
ip nat inside source list 100 interface e0/1
C.静态PAT配置:
R2
ip nat inside source static udp 10.1.1.1 500 interface e0/1 500
ip nat inside source static udp 10.1.1.1 4500 interface e0/1 4500 四.VPN配置:
A.R1(HUB):
①第一阶段:
crypto keyring R4
pre-shared-key address 202.100.2.4 key cisco
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp profile isakmpprofile
keyring R4
match identity address 20.1.1.5 match identity address 30.1.1.6 virtual-template 1
---------isakmp profie中identity地址必须是真实地址,而不是NAT后地址
②第二阶段:
crypto ipsec transform-set transet esp-3des esp-sha-hmac
③ipsec profile关联第一阶段和第二阶段策略:
crypto ipsec profile ipsecprofile
set transform-set transet
set isakmp-profile isakmpprofile
④Dynamic VTI配置:
interface Loopback100
ip address 172.16.1.1 255.255.255.0
interface Virtual-Template1 type tunnel
ip unnumbered Loopback100
tunnel source FastEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsecprofile
备注:不能在virtual-template接口直接配置IP地址。
B.R5(Spoke):
①第一阶段:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 202.100.1.2
②第二阶段:
crypto ipsec transform-set transet esp-3des esp-sha-hmac
③ipsec profile关联第二阶段策略:
crypto ipsec profile ipsecprofile
set transform-set transet
④Static VTI配置:
interface Tunnel0
ip address 172.16.1.5 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 202.100.1.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsecprofile C.R6(Spoke):
①第一阶段:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 202.100.1.2
②第二阶段:
crypto ipsec transform-set transet esp-3des esp-sha-hmac
③ipsec profile关联第二阶段策略:
crypto ipsec profile ipsecprofile
set transform-set transet
④Static VTI配置:
interface Tunnel0
ip address 172.16.1.6 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 202.100.1.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsecprofile C.动态路由配置:
①R1
router eigrp 10
network 172.16.1.0 0.0.0.255
network 192.168.1.0
no auto-summary
②R5
router eigrp 10
network 172.16.1.0 0.0.0.255
network 192.168.2.0
no auto-summary ③R6
router eigrp 10
network 172.16.1.0 0.0.0.255
network 192.168.3.0
no auto-summary 五.验证: R1#show ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.1.1.1 YES manual up up
FastEthernet0/1 unassigned YES unset administratively down down
Virtual-Access1 unassigned YES unset down down
Virtual-Template1 172.16.1.1 YES TFTP down down
Virtual-Access2 172.16.1.1 YES TFTP up up
Virtual-Access3 172.16.1.1 YES TFTP up up
Loopback0 192.168.1.1 YES manual up up
Loopback100 172.16.1.1 YES manual up up
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
10.1.1.1 202.100.2.4 QM_IDLE 1006 0 ACTIVE
10.1.1.1 202.100.2.4 QM_IDLE 1005 0 ACTIVE R1#show crypto engine connections active
Crypto Engine Connections
ID Interface Type Algorithm Encrypt Decrypt IP-Address
11 Fa0/0 IPsec 3DES+SHA 0 475 10.1.1.1
12 Fa0/0 IPsec 3DES+SHA 491 0 10.1.1.1
13 Fa0/0 IPsec 3DES+SHA 0 242 10.1.1.1
14 Fa0/0 IPsec 3DES+SHA 244 0 10.1.1.1
1005 Fa0/0 IKE MD5+3DES 0 0 10.1.1.1
1006 Fa0/0 IKE MD5+3DES 0 0 10.1.1.1
| 
所有IT类厂商认证考试题库下载
【新盟教育】2023最新华为HCIA全套视频合集【网工基础全覆盖】---国sir公开课合集
【新盟教育】网工小白必看的!2023最新版华为认证HCIA Datacom零基础全套实战课
原创_超融合自动化运维工具cvTools
重量级~~30多套JAVA就业班全套 视频教程(请尽快下载,链接失效后不补)
链接已失效【超过几百G】EVE 国内和国外镜像 全有了 百度群分享
某linux大佬,积累多年的电子书(约300本)
乾颐堂现任明教教主Python完整版
乾颐堂 教主技术进化论 2018-2019年 最新31-50期合集视频(各种最新技术杂谈视频)
Python学习视频 0起点视频 入门到项目实战篇 Python3.5.2视频教程 共847集 能学102天
约21套Python视频合集 核心基础视频教程(共310G,已压缩)
最新20180811录制 IT爱好者-清风羽毛 - 网络安全IPSec VPN实验指南视频教程
最新20180807录制EVE开机自启动虚拟路由器并桥接物理网卡充当思科路由器
[复制链接]
