IPSec和NAT配合使用的实验

刚做完的实验，贴出来大家分享，虽然不是Cisco的设备，命令几乎完全相同，大家理解就行了。

环境：两台博达2750路由器（1*E，1*FE），两台PC实验目的：两台路由器通过E0/1连接，实现IPSec VPN，使两台PC互访，并且都能分别通过路由器的NAT访问互联网。

配置：

RouterARouterA#sh run

Building configuration...

Current configuration:

!

!version 1.3.1E

service timestamps log date

service timestamps debug date

no service password-encryption

!

hostname RouterA

!

!

!

crypto ipsec transform-set one

!

crypto map aaa 100 ipsec-manual

set peer 192.0.0.2

set security-association inbound esp 256 cipher abcdabcdabcdabcd

set security-association outbound esp 1257 cipher 1234123412341234

set transform-set one

match address test

!

!

interface FastEthernet0/0

ip address 172.16.1.1 255.255.255.0

no ip directed-broadcast

ip nat inside

!

interface Ethernet0/1

ip address 192.0.0.1255.255.255.0

no ip directed-broadcast

crypto map aaa

duplex half

ip nat outside

!

interface Serial0/0

no ip address

no ip directed-broadcast

!

interface Async0/0

no ip address

no ip directed-broadcast

!

!

ip route default 192.0.0.3

!

!

!

!

!

ip access-list standard nat-2

permit 172.16.1.0 255.255.255.0

!

ip access-list extended test

permit ip 192.0.0.1255.255.255.0 192.0.0.2 255.255.255.0!

!

!

!

ip nat outside source static 192.0.0.2 172.16.2.2

ip nat inside source static 172.16.1.2 192.0.0.1

ip nat inside source list nat-2 interface Ethernet0/1

!

!

!

RouterB：

RouterB#sh run

Building configuration...

Current configuration:

!

!version 1.3.1E

service timestamps log date

service timestamps debug date

no service password-encryption

!

hostname RouterB

!

!

!

crypto ipsec transform-set one

!

crypto map aaa 100 ipsec-manual

set peer 192.0.0.1

set security-association inbound esp 1257 cipher 1234123412341234

set security-association outbound esp 256 cipher abcdabcdabcdabcd

set transform-set one

match address test

!

!

interface FastEthernet0/0

ip address 172.16.2.1 255.255.255.0

no ip directed-broadcast

duplex half

ip nat inside

!

interface Ethernet0/1

ip address 192.0.0.2 255.255.255.248

no ip directed-broadcast

crypto map aaa

ip nat outside

!

interface Serial0/0

no ip address

no ip directed-broadcast

!

interface Async0/0

no ip address

no ip directed-broadcast

!

!

ip route default 192.0.0.3

!

!

!

!

!

ip access-list standard internet

permit 172.16.2.0 255.255.255.0

!

ip access-list extended test

permit ip 192.0.0.2 255.255.255.0 192.0.0.1 255.255.255.0

!

!

!

!

ip nat inside source static 172.16.2.2 192.0.0.2

ip nat outside source static 192.0.0.1 172.16.1.2

ip nat inside source list internet interface Ethernet0/1

!

!

!