1. Overview:
A friend asked a question on the blog; after talking it through on the phone, the situation turned out to be roughly this:
A. Headquarters has a leased line to a partner.
B. The partner side cannot easily add a return route, so headquarters does PAT when accessing the partner.
C. Now the branches, once connected to headquarters over an L2L ***, should also be PATed towards the partner.
Previously this was done with policy-based routing: branch-to-partner traffic was steered to a loopback interface and NAT was configured there. Later a friend in the QQ group suggested GRE over IPsec, so I decided to verify that approach.
2. Basic approach:
A. If the partner can add a return route, the partner can simply be treated as part of the headquarters internal network and no PAT is needed.
B. If the branches should be PATed to the partner after connecting to headquarters over the ***, a loopback interface is configured on the headquarters router, policy-based routing on the public interface steers branch-to-partner traffic to that loopback, and PAT is applied there.
----This was already verified in the previous post: http://333234.blog.51cto.com/323234/1309446
C. Build the L2L *** directly between the headquarters router and the branch router with an SVTI, and configure NVI NAT on the headquarters router's tunnel interface and on the leased-line interface to the partner, so that branch traffic bound for the partner is PATed.
----Because the ASA does not support VTI, this approach does not apply when either the branch or the headquarters side uses an ASA firewall.
3. Test topology:
(The topology diagram is not included in this copy. As can be read from the configurations below: Branch_Inside 10.1.1.1 -- Branch 10.1.1.2/202.100.1.2 -- Internet 202.100.1.3/202.100.2.3 -- Center 202.100.2.4/192.168.1.4 -- Center_Inside 192.168.1.5; Center's Ethernet0/2 (172.16.1.2) is the leased line to Partner (172.16.1.1), whose Loopback0 160.1.1.6 stands in for the partner network.)
4. Basic configuration:
A. Branch_Inside router:
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.2
B. Branch router:
interface Ethernet0/0
 ip address 10.1.1.2 255.255.255.0
 ip nat inside
 no shut
interface Ethernet0/1
 ip address 202.100.1.2 255.255.255.0
 ip nat outside
 no shut
ip route 0.0.0.0 0.0.0.0 202.100.1.3
ip access-list extended PAT
 deny ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny ip 10.1.1.0 0.0.0.255 160.1.1.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 any
ip nat inside source list PAT interface Ethernet0/1 overload
C. Internet router:
interface Ethernet0/0
 ip address 202.100.1.3 255.255.255.0
 no shut
interface Ethernet0/1
 ip address 202.100.2.3 255.255.255.0
 no shut
D. Center router:
interface Ethernet0/0
 ip address 192.168.1.4 255.255.255.0
 ip nat inside
 no shut
interface Ethernet0/1
 ip address 202.100.2.4 255.255.255.0
 ip nat outside
 no shut
interface Ethernet0/2
 ip address 172.16.1.2 255.255.255.252
 no shut
ip route 0.0.0.0 0.0.0.0 202.100.2.3
ip route 160.1.1.0 255.255.255.0 172.16.1.1
ip access-list extended PAT
 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
 deny ip 192.168.1.0 0.0.0.255 160.1.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list PAT interface Ethernet0/1 overload
E. Center_Inside router:
interface Ethernet0/0
 ip address 192.168.1.5 255.255.255.0
 no shut
ip route 0.0.0.0 0.0.0.0 192.168.1.4
F. Partner router:
interface Loopback0
 ip address 160.1.1.6 255.255.255.0
interface Ethernet0/0
 ip address 172.16.1.1 255.255.255.252
 no shut
----Note: no routes are configured on the partner.
5. PAT from the headquarters internal network to the partner:
----Configured on the Center (headquarters) router
A. Configuration:
interface Ethernet0/0
 ip nat enable
interface Ethernet0/2
 ip nat enable
ip access-list extended Center-to-partner-PAT
 permit ip 192.168.1.0 0.0.0.255 160.1.1.0 0.0.0.255
ip nat source list Center-to-partner-PAT interface Ethernet0/2 overload
B. Verification (the partner sees the session coming from 172.16.1.2, Center's Ethernet0/2 address):
Center_Inside#telnet 160.1.1.6
Trying 160.1.1.6 ... Open
User Access Verification
Password:
Partner>show users
Line User Host(s) Idle Location
0 con 0 idle 00:00:42
*130 vty 0 idle 00:00:00 172.16.1.2
Interface User Mode Idle Peer Address
Partner>
6. L2L *** configuration from the branch to headquarters:
----Site-to-site *** built with an SVTI
A. Branch router:
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 202.100.2.4
crypto ipsec transform-set transet esp-des esp-md5-hmac
crypto ipsec profile Ipsec_prfile
 set transform-set transet
interface Tunnel0
 ip address 123.1.1.1 255.255.255.0
 tunnel source Ethernet0/1
 tunnel destination 202.100.2.4
 tunnel protection ipsec profile Ipsec_prfile
ip route 160.1.1.0 255.255.255.0 Tunnel0
ip route 192.168.1.0 255.255.255.0 Tunnel0
B. Center router:
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 202.100.1.2
crypto ipsec transform-set transet esp-des esp-md5-hmac
crypto ipsec profile Ipsec_prfile
 set transform-set transet
interface Tunnel0
 ip address 123.1.1.2 255.255.255.0
 tunnel source Ethernet0/1
 tunnel destination 202.100.1.2
 tunnel protection ipsec profile Ipsec_prfile
ip route 10.1.1.0 255.255.255.0 Tunnel0
C. Verification (the first echo is lost while the tunnel comes up; the replies on Center_Inside are addressed to 10.1.1.1, so no translation happens inside the tunnel):
Branch_Inside#ping 192.168.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 120/182/264 ms
Branch_Inside#
Center_Inside#
*Mar 1 10:07:25.293: ICMP: echo reply sent, src 192.168.1.5, dst 10.1.1.1
*Mar 1 10:07:25.561: ICMP: echo reply sent, src 192.168.1.5, dst 10.1.1.1
*Mar 1 10:07:25.701: ICMP: echo reply sent, src 192.168.1.5, dst 10.1.1.1
*Mar 1 10:07:25.809: ICMP: echo reply sent, src 192.168.1.5, dst 10.1.1.1
7. Configuring PAT from the branch to the partner:
-----Everything here is configured on the Center router
A. Configure PAT:
interface Tunnel0
 ip nat enable
interface Ethernet0/2
 ip nat enable
ip access-list extended Branch-to-partner
 permit ip 10.1.1.0 0.0.0.255 160.1.1.0 0.0.0.255
ip nat source list Branch-to-partner interface Ethernet0/2 overload
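The NAT behaviour of this lab depends on three things working together: the deny entries at the top of each router's PAT ACL (section 4), the route that sends branch-to-partner traffic into Tunnel0 (section 6), and `ip nat enable` on both Tunnel0 and Ethernet0/2 of Center (sections 5 and 7). The following Python model is an added example, not code from the original post: it encodes the post's addresses, routes and ACL entries and predicts which source address the partner, headquarters or the Internet will see for a given flow. The `Router` class, `branch_host_to`, `center_host_to` and `branch_to_partner_without_tunnel_nat` are the example's own constructs, and the model assumes IOS first-match ACL semantics with an implicit deny, that classic inside/outside NAT only translates inside-to-outside forwarding, and that NVI NAT only translates between two `ip nat enable` interfaces.

```python
# Added example, not code from the original post: a Python model of the NAT
# decisions the lab's Branch and Center routers make. Assumed semantics: IOS
# first-match ACLs with implicit deny; classic NAT translates only for
# inside->outside forwarding; NVI NAT only between two "ip nat enable"
# interfaces. Addresses, routes and ACL entries come from the post's configs.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'do not care', a 0 bit must match."""
    care = ~int(ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ip_address(addr)) & care) == (int(ip_address(base)) & care)

def parse_ace(line):
    """Parse 'permit|deny ip SRC WC DST WC'; SRC or DST may be 'any'."""
    tok = line.replace(" any", " 0.0.0.0 255.255.255.255").split()
    return tok[0], (tok[2], tok[3]), (tok[4], tok[5])

def acl_permits(acl, src, dst):
    """First matching entry wins; no match is the implicit deny."""
    for line in acl:
        action, (sb, sw), (db, dw) = parse_ace(line)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False

def egress_for(routes, dst):
    # Longest-prefix match over a {prefix: interface} table.
    d = ip_address(dst)
    best = max((ip_network(p) for p in routes if d in ip_network(p)),
               key=lambda n: n.prefixlen)
    return routes[str(best)]

@dataclass
class Router:
    routes: dict
    nat_inside: set      # interfaces with "ip nat inside"
    nat_outside: set     # interfaces with "ip nat outside"
    nat_enable: set      # interfaces with "ip nat enable" (NVI)
    classic_rules: list  # (acl, address) from "ip nat inside source list ..."
    nvi_rules: list      # (acl, address) from "ip nat source list ..."

    def forward(self, ingress, src, dst):
        """Return (egress interface, source address after NAT)."""
        egress = egress_for(self.routes, dst)
        if ingress in self.nat_inside and egress in self.nat_outside:
            rules = self.classic_rules
        elif ingress in self.nat_enable and egress in self.nat_enable:
            rules = self.nvi_rules
        else:
            rules = []
        for acl, new_src in rules:
            if acl_permits(acl, src, dst):
                return egress, new_src
        return egress, src

BRANCH = Router(
    routes={"0.0.0.0/0": "Ethernet0/1", "10.1.1.0/24": "Ethernet0/0",
            "192.168.1.0/24": "Tunnel0", "160.1.1.0/24": "Tunnel0"},
    nat_inside={"Ethernet0/0"}, nat_outside={"Ethernet0/1"}, nat_enable=set(),
    classic_rules=[(["deny ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255",
                     "deny ip 10.1.1.0 0.0.0.255 160.1.1.0 0.0.0.255",
                     "permit ip 10.1.1.0 0.0.0.255 any"], "202.100.1.2")],
    nvi_rules=[])

CENTER = Router(
    routes={"0.0.0.0/0": "Ethernet0/1", "192.168.1.0/24": "Ethernet0/0",
            "172.16.1.0/30": "Ethernet0/2", "160.1.1.0/24": "Ethernet0/2",
            "10.1.1.0/24": "Tunnel0"},
    nat_inside={"Ethernet0/0"}, nat_outside={"Ethernet0/1"},
    nat_enable={"Ethernet0/0", "Ethernet0/2", "Tunnel0"},
    classic_rules=[(["deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255",
                     "deny ip 192.168.1.0 0.0.0.255 160.1.1.0 0.0.0.255",
                     "permit ip 192.168.1.0 0.0.0.255 any"], "202.100.2.4")],
    nvi_rules=[(["permit ip 192.168.1.0 0.0.0.255 160.1.1.0 0.0.0.255"], "172.16.1.2"),
               (["permit ip 10.1.1.0 0.0.0.255 160.1.1.0 0.0.0.255"], "172.16.1.2")])

def branch_host_to(dst, src="10.1.1.1", center=CENTER):
    """Source address the destination sees for a packet from Branch_Inside."""
    egress, src = BRANCH.forward("Ethernet0/0", src, dst)
    if egress != "Tunnel0":
        return src  # left Branch towards the Internet, PATed or not
    return center.forward("Tunnel0", src, dst)[1]  # reached Center via the tunnel

def center_host_to(dst, src="192.168.1.5"):
    """Source address the destination sees for a packet from Center_Inside."""
    return CENTER.forward("Ethernet0/0", src, dst)[1]

def branch_to_partner_without_tunnel_nat():
    """Section 7 without 'ip nat enable' on Tunnel0: the partner would see
    10.1.1.1, a prefix it has no route back to."""
    half_done = replace(CENTER, nat_enable={"Ethernet0/0", "Ethernet0/2"})
    return branch_host_to("160.1.1.6", center=half_done)

if __name__ == "__main__":
    for dst in ("160.1.1.6", "192.168.1.5", "8.8.8.8"):
        print(f"Branch_Inside -> {dst}: seen as {branch_host_to(dst)}")
    print("Tunnel0 without ip nat enable:", branch_to_partner_without_tunnel_nat())
```

Run stand-alone, the model reproduces the verification results of sections 5 and 7 (both Center_Inside and Branch_Inside appear to the partner as 172.16.1.2) and of section 6 (branch traffic to the headquarters LAN keeps its 10.1.1.1 source), and shows that removing `ip nat enable` from Tunnel0 leaves the branch traffic untranslated towards a partner that has no return route. One check worth making on the real boxes: the tunnel definitions in section 6 set no `tunnel mode`, so IOS keeps the default GRE encapsulation and the protection profile yields GRE over IPsec, matching the idea from the overview; a pure SVTI would carry `tunnel mode ipsec ipv4`.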
B. Verification (the branch host now also appears to the partner as 172.16.1.2):
Branch_Inside#telnet 160.1.1.6
Trying 160.1.1.6 ... Open
User Access Verification
Password:
Partner>show users
Line User Host(s) Idle Location
0 con 0 idle 09:00:47
*130 vty 0 idle 00:00:00 172.16.1.2
Interface User Mode Idle Peer Address
Partner>