*Lab requirement: 192.168.1.100/24 reaches 172.16.1.100/24 through an IPsec VPN
*Configuration approach:
1) R1, R2 and R3 use EIGRP to advertise their public-facing interface networks (the private networks must not be advertised)
2) Configure NAT so that the internal addresses behind R1 and R3 can reach R2's loopback address 2.2.2.2 (simulating a server on the public Internet)
3) Configure the IPsec VPN, and configure a default route on R1 and R3 pointing to R2
*IPsec VPN configuration steps:
1. Create an ACL that matches the interesting traffic
2. Configure the ISAKMP key and peer (the remote router's public IP)
3. Configure the ISAKMP policy
4. Configure the IPsec transform set
5. Configure the crypto map (which ties the pieces above together)
6. Apply the crypto map to the local router's outbound interface
*Lab configuration:
R1#
crypto isakmp policy 1                    ! ISAKMP (phase 1) policy
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 23.1.1.3  ! ISAKMP pre-shared key and peer (remote router's public IP)
crypto ipsec transform-set 1 esp-3des esp-md5-hmac  ! IPsec transform set, named 1 to match the crypto map below
crypto map 1to3 10 ipsec-isakmp           ! crypto map that ties the above together; map name is 1to3
 set peer 23.1.1.3
 set transform-set 1
 match address 100                        ! traffic matching ACL 100 is forwarded through the IPsec VPN
interface FastEthernet 0/0
 ip address 12.1.1.1 255.255.255.0
 ip nat outside
 crypto map 1to3                          ! apply the crypto map to the local WAN interface
 no shutdown
interface FastEthernet 0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no shutdown
router rip                                ! RIP advertises the public networks so the public side is reachable
 network 12.1.1.0
 no auto-summary
ip nat inside source list 101 interface FastEthernet 0/0 overload  ! traffic matching ACL 101 is NATed to reach the Internet
ip route 0.0.0.0 0.0.0.0 12.1.1.2         ! default route pointing at R2's interface IP
access-list 100 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255  ! matches the traffic that goes through the IPsec VPN
access-list 101 deny ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255    ! excludes 192.168.1.0 -> 172.16.1.0 from NAT (it goes through the VPN instead)
access-list 101 permit ip any any         ! all other traffic is NATed to reach the Internet
------------------------------------------------
R2#
interface Loopback 0
 ip address 2.2.2.2 255.255.255.0         ! simulates a server address on the public Internet
interface FastEthernet 0/0
 ip address 23.1.1.2 255.255.255.0
 no shutdown
interface FastEthernet 0/1
 ip address 12.1.1.2 255.255.255.0
 no shutdown
router rip                                ! RIP advertises the public networks so the public side is reachable
 network 12.1.1.0
 network 2.2.2.0
 network 23.1.1.0
 no auto-summary
------------------------------------------------
R3#
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 12.1.1.1
crypto ipsec transform-set 1 esp-3des esp-md5-hmac
crypto map 3to1 10 ipsec-isakmp
 set peer 12.1.1.1
 set transform-set 1
 match address 100
interface FastEthernet 0/0
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 no shutdown
interface FastEthernet 0/1
 ip address 23.1.1.3 255.255.255.0
 ip nat outside
 crypto map 3to1
 no shutdown
router rip
 network 23.1.1.0
 no auto-summary
ip nat inside source list 101 interface FastEthernet 0/1 overload
ip route 0.0.0.0 0.0.0.0 23.1.1.2
access-list 100 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip any any
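As an added example (not part of the original lab or of any Cisco tool), a small Python checker that parses the crypto-map-related lines of both routers and flags the mistakes that most often keep a tunnel like this one from coming up: a transform set referenced under a name that was never defined (the state of R1's configuration as first written, with transform-set 10 defined and 1 referenced), a peer address that is not the remote WAN IP, crypto ACLs that are not mirror images, and a NAT ACL that does not exempt the VPN flows. The configuration text is constructed from the lab above and the function names are assumptions.

```python
import re
# Constructed sample (not from a live router): the crypto-map and ACL lines of R1
# as first written in the lab (transform-set "10" defined, "1" referenced) and of R3.
R1_CFG = """
crypto isakmp key cisco address 23.1.1.3
crypto ipsec transform-set 10 esp-3des esp-md5-hmac
crypto map 1to3 10 ipsec-isakmp
 set peer 23.1.1.3
 set transform-set 1
 match address 100
access-list 100 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
"""
R3_CFG = """
crypto isakmp key cisco address 12.1.1.1
crypto ipsec transform-set 1 esp-3des esp-md5-hmac
crypto map 3to1 10 ipsec-isakmp
 set peer 12.1.1.1
 set transform-set 1
 match address 100
access-list 100 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

def parse(cfg):
    """Extract the crypto-map pieces that must agree within and across peers."""
    first = lambda pat: re.search(pat, cfg, re.M).group(1)
    acl = first(r"^\s*match address (\S+)")  # the crypto (interesting-traffic) ACL
    net = r"(\S+ \S+) (\S+ \S+)"             # "src wildcard dst wildcard"
    return {
        "ts_defined": set(re.findall(r"^crypto ipsec transform-set (\S+)", cfg, re.M)),
        "ts_used": first(r"^\s*set transform-set (\S+)"),
        "peer": first(r"^\s*set peer (\S+)"),
        "flows": set(re.findall(rf"^access-list {acl} permit ip {net}", cfg, re.M)),
        "nat_exempt": set(re.findall(rf"^access-list \S+ deny ip {net}", cfg, re.M)),
    }

def audit(local_cfg, remote_cfg, remote_wan):
    """Return the problems found on the local side of the tunnel towards remote."""
    a, b = parse(local_cfg), parse(remote_cfg)
    problems = []
    if a["ts_used"] not in a["ts_defined"]:
        problems.append(f"transform-set {a['ts_used']} referenced but not defined")
    if a["peer"] != remote_wan:
        problems.append("set peer does not match the remote router's WAN IP")
    # Crypto ACLs must be mirror images: local src->dst equals remote dst->src.
    if a["flows"] != {(dst, src) for src, dst in b["flows"]}:
        problems.append("crypto ACL is not the mirror of the peer's crypto ACL")
    # NAT runs before IPsec on egress, so the VPN flows must be denied in the NAT ACL.
    if a["flows"] != a["nat_exempt"]:
        problems.append("NAT ACL does not exempt exactly the crypto ACL flows")
    return problems
```

Running `audit(R1_CFG, R3_CFG, "23.1.1.3")` reports only the transform-set mismatch, and after renaming the transform set to 1 (as in the corrected R1 configuration above) it returns an empty list.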
--------------------------------------------------------
Verification (the screenshots are not reproduced here): routing table of R1, routing table of R2, routing table of R3, PC1, PC2.
*Lab result: with the IPsec VPN configured, 192.168.1.0/24 can reach the 172.16.1.0/24 network.