An Experiment Using IPSec Together with NAT

王朝other · Author: anonymous · 2008-05-19

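I just finished this experiment and am posting it here to share. The devices are not Cisco, but the commands are almost identical, so you should be able to follow along.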

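Environment: two BDCOM (博达) 2750 routers (1*E, 1*FE) and two PCs.

Objective: the two routers are connected through E0/1 and run an IPSec VPN so that the two PCs can reach each other, while each PC can also access the Internet through its own router's NAT.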

Configuration:

RouterA:

RouterA#sh run

Building configuration...

Current configuration:

!

!version 1.3.1E

service timestamps log date

service timestamps debug date

no service password-encryption

!

hostname RouterA

!

!

!

crypto ipsec transform-set one

!

crypto map aaa 100 ipsec-manual

set peer 192.0.0.2

set security-association inbound esp 256 cipher abcdabcdabcdabcd

set security-association outbound esp 1257 cipher 1234123412341234

set transform-set one

match address test

!

!

interface FastEthernet0/0

ip address 172.16.1.1 255.255.255.0

no ip directed-broadcast

ip nat inside

!

interface Ethernet0/1

ip address 192.0.0.1 255.255.255.0

no ip directed-broadcast

crypto map aaa

duplex half

ip nat outside

!

interface Serial0/0

no ip address

no ip directed-broadcast

!

interface Async0/0

no ip address

no ip directed-broadcast

!

!

ip route default 192.0.0.3

!

!

!

!

!

ip access-list standard nat-2

permit 172.16.1.0 255.255.255.0

!

ip access-list extended test

permit ip 192.0.0.1 255.255.255.0 192.0.0.2 255.255.255.0

!

!

!

!

ip nat outside source static 192.0.0.2 172.16.2.2

ip nat inside source static 172.16.1.2 192.0.0.1

ip nat inside source list nat-2 interface Ethernet0/1

!

!

!

RouterB:

RouterB#sh run

Building configuration...

Current configuration:

!

!version 1.3.1E

service timestamps log date

service timestamps debug date

no service password-encryption

!

hostname RouterB

!

!

!

crypto ipsec transform-set one

!

crypto map aaa 100 ipsec-manual

set peer 192.0.0.1

set security-association inbound esp 1257 cipher 1234123412341234

set security-association outbound esp 256 cipher abcdabcdabcdabcd

set transform-set one

match address test

!

!

interface FastEthernet0/0

ip address 172.16.2.1 255.255.255.0

no ip directed-broadcast

duplex half

ip nat inside

!

interface Ethernet0/1

ip address 192.0.0.2 255.255.255.248

no ip directed-broadcast

crypto map aaa

ip nat outside

!

interface Serial0/0

no ip address

no ip directed-broadcast

!

interface Async0/0

no ip address

no ip directed-broadcast

!

!

ip route default 192.0.0.3

!

!

!

!

!

ip access-list standard internet

permit 172.16.2.0 255.255.255.0

!

ip access-list extended test

permit ip 192.0.0.2 255.255.255.0 192.0.0.1 255.255.255.0

!

!

!

!

ip nat inside source static 172.16.2.2 192.0.0.2

ip nat outside source static 192.0.0.1 172.16.1.2

ip nat inside source list internet interface Ethernet0/1

!

!

!
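With ipsec-manual crypto maps there is no IKE negotiation, so the tunnel only works if each router's outbound SA matches the other's inbound SA and the peer addresses point at each other. The following check is an added example, not part of the original post. It assumes the number after "esp" is the SPI and the string after "cipher" is the key, and it uses constructed excerpts that contain only the relevant lines from the two configurations above.

```python
import re

# Constructed excerpts: crypto map and outside-interface lines only,
# with values copied from the two "sh run" outputs above.
ROUTER_A = """\
crypto map aaa 100 ipsec-manual
set peer 192.0.0.2
set security-association inbound esp 256 cipher abcdabcdabcdabcd
set security-association outbound esp 1257 cipher 1234123412341234
interface Ethernet0/1
ip address 192.0.0.1 255.255.255.0
"""
ROUTER_B = """\
crypto map aaa 100 ipsec-manual
set peer 192.0.0.1
set security-association inbound esp 1257 cipher 1234123412341234
set security-association outbound esp 256 cipher abcdabcdabcdabcd
interface Ethernet0/1
ip address 192.0.0.2 255.255.255.248
"""
SA_RE = re.compile(r"set security-association (inbound|outbound) esp (\d+) cipher (\S+)")

def parse(cfg):
    """Extract peer, local outside address and manual SAs from an excerpt."""
    out = {"sa": {}}
    for line in cfg.splitlines():
        line = line.strip()
        if m := SA_RE.fullmatch(line):
            out["sa"][m.group(1)] = (int(m.group(2)), m.group(3))  # (SPI, key)
        elif line.startswith("set peer "):
            out["peer"] = line.split()[2]
        elif line.startswith("ip address "):
            out["local"] = line.split()[2]  # excerpt holds one interface only
    return out

def check_pair(cfg_a, cfg_b):
    """Return findings; an empty list means both ends mirror each other."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = []
    if a.get("peer") != b.get("local") or b.get("peer") != a.get("local"):
        findings.append("peer address does not match the other side's interface")
    for name, tx, rx in (("RouterA", a, b), ("RouterB", b, a)):
        if tx["sa"].get("outbound") != rx["sa"].get("inbound"):
            findings.append(f"{name} outbound SPI/key differs from peer inbound")
    return findings

if __name__ == "__main__":
    print(check_pair(ROUTER_A, ROUTER_B) or "SAs mirror each other")
```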
