Basic lab connectivity:
Internet router configuration (the router that simulates the Internet):
enable
configure terminal
hostname Internet
line console 0
logging synchronous
exec-timeout 0 0
exit
no ip domain-lookup
! Link to the HQ router (100.1.1.2)
interface fastethernet 0/1
ip address 100.1.1.1 255.255.255.0
no shutdown
exit
! Link to the branch router (200.1.1.2)
interface fastethernet 0/0
ip address 200.1.1.1 255.255.255.0
no shutdown
exit
! Public server segment (the DNS server 202.103.96.112 lives here)
interface ethernet 1/1
ip address 202.103.96.1 255.255.255.0
no shutdown
exit
! Wireless segment; clients get their addresses from the "wifi" DHCP pool
interface ethernet 1/0
ip address 210.1.1.1 255.255.255.0
no shutdown
exit
ip dhcp excluded-address 210.1.1.1
ip dhcp pool wifi
network 210.1.1.0 255.255.255.0
default-router 210.1.1.1
dns-server 202.103.96.112
exit
Headquarters (zongbu) router configuration:
enable
configure terminal
! HQ router; the branch router below is "fenbu"
hostname zongbu
line console 0
logging synchronous
exec-timeout 0 0
exit
no ip domain-lookup
! Outside (Internet-facing) interface
interface fastethernet 0/1
ip address 100.1.1.2 255.255.255.0
no shutdown
ip nat outside
exit
! Inside (HQ LAN) interface
interface fastethernet 0/0
ip address 192.168.1.254 255.255.255.0
no shutdown
ip nat inside
exit
ip route 0.0.0.0 0.0.0.0 100.1.1.1
ip dhcp excluded-address 192.168.1.254
ip dhcp pool zongbu
network 192.168.1.0 255.255.255.0
default-router 192.168.1.254
dns-server 202.103.96.112
exit
! NAT ACL: the deny must come first so that HQ-to-branch traffic is left
! untranslated and can later match the crypto ACL; everything else from
! the LAN is PATed to the outside interface address.
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 100 interface FastEthernet0/1 overload
! Port forward: TCP/80 on the public address 100.1.1.2 to the internal web server
ip nat inside source static tcp 192.168.1.253 80 100.1.1.2 80
Branch (fenbu) router configuration:
enable
configure terminal
hostname fenbu
line console 0
logging synchronous
exec-timeout 0 0
exit
no ip domain-lookup
! Outside (Internet-facing) interface
interface fastethernet 0/0
ip address 200.1.1.2 255.255.255.0
no shutdown
ip nat outside
exit
! Inside (branch LAN) interface
interface fastethernet 0/1
ip address 192.168.2.254 255.255.255.0
no shutdown
ip nat inside
exit
ip route 0.0.0.0 0.0.0.0 200.1.1.1
ip dhcp excluded-address 192.168.2.254
ip dhcp pool fenbu
network 192.168.2.0 255.255.255.0
default-router 192.168.2.254
dns-server 202.103.96.112
exit
! NAT ACL, mirror of the HQ one: branch-to-HQ traffic is exempt from NAT
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
ip nat inside source list 100 interface FastEthernet0/0 overload
At this point, with no VPN configured, PCs on the Internet and at the branch cannot ping the internal PCs and servers (both LANs sit behind NAT).
Now configure the VPN:
Headquarters:
! IKE phase 1 (ISAKMP) policy. No "group" line is given, so the DH group
! defaults to group 1; 3DES, MD5 and group 1 are weak by today's standards.
! On real IOS use AES, SHA-2 and DH group 14 or stronger.
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
! Pre-shared key for the branch peer ("tom" is a lab value; use a long random key in production)
crypto isakmp key tom address 200.1.1.2
! IKE phase 2 (IPsec) transform set
crypto ipsec transform-set tim esp-3des esp-md5-hmac
! Crypto ACL: HQ LAN to branch LAN is the traffic to encrypt. It matches the
! deny entry of NAT ACL 100, and the branch crypto ACL must be its mirror image.
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
! Static crypto map entry for the site-to-site tunnel
crypto map tom 11 ipsec-isakmp
set peer 200.1.1.2
set transform-set tim
match address 101
interface FastEthernet0/1
crypto map tom
! Easy VPN server for remote-access clients (the wireless laptop).
! aaa new-model puts line logins under AAA as well; make sure a local
! username exists before enabling it on a real device.
aaa new-model
! xauth user authentication and group authorization from the local database
aaa authentication login eza local
aaa authorization network ezo local
! Lab credentials; on real IOS prefer "username tang secret ..." over the reversible "password"
username tang password 123
! Addresses handed out to connected clients
ip local pool ez 192.168.3.1 192.168.3.100
crypto isakmp client configuration group myez
key 123
pool ez
! Dynamic crypto map for clients whose addresses are not known in advance;
! reverse-route injects a route for each connected client
crypto dynamic-map ezmap 10
set transform-set tim
reverse-route
crypto map tom client authentication list eza
crypto map tom isakmp authorization list ezo
crypto map tom client configuration address respond
! Dynamic entry in the same crypto map as the site-to-site tunnel. Cisco
! recommends giving dynamic entries the highest sequence numbers so static
! entries are evaluated first; here the dynamic entry (10) sorts ahead of the static one (11).
crypto map tom 10 ipsec-isakmp dynamic ezmap
(Easy VPN adds an extra exchange, xauth and mode-config, between IKE phase 1 and phase 2, often called "phase 1.5", so the same ISAKMP policy and transform set serve both the site-to-site tunnel and the remote-access clients.)
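The HQ VPN section above mixes a weak phase 1 policy (3DES, MD5, default DH group 1), a weak transform set, and a dynamic crypto map entry that sorts ahead of the static one. The following linter, an added example that is not part of this lab or of any Cisco tool, parses exactly those commands from a pasted IOS config and reports each problem; it assumes the command forms used on this page and ignores everything else. The weak sample is the page's own HQ VPN config; the hardened sample is constructed with IOS 15 keywords (aes 256, sha256, group 14, esp-sha256-hmac) that Packet Tracer 5.2 may not accept.

```python
"""Lint the IKE/IPsec parameters and crypto map ordering in an IOS config.

Added example for this lab; it is not part of the page or of any Cisco tool.
It knows only the commands used above (crypto isakmp policy with encr/hash/
group/authentication, crypto ipsec transform-set, crypto map ... ipsec-isakmp
[dynamic ...]); everything else is ignored (assumption).
"""

WEAK_ENCR = {"des", "3des"}
WEAK_HASH = {"md5", "sha"}                  # "sha" is SHA-1 on IOS
WEAK_GROUPS = {"1", "2", "5"}               # 768/1024/1536-bit MODP
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac",
                   "esp-null", "ah-md5-hmac"}
POLICY_KEYWORDS = ("encr", "encryption", "hash", "group", "authentication", "lifetime")
# IOS defaults for isakmp policy lines that are omitted: DES, SHA-1, group 1, RSA signatures
POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "group": "1", "authentication": "rsa-sig"}


def lint(config):
    """Return a list of human-readable findings (empty list = nothing weak found)."""
    findings = []
    policies = {}                       # policy id -> settings
    static_seq, dynamic_seq = {}, {}    # crypto map name -> [sequence numbers]
    cur = None                          # isakmp policy block currently being read
    for raw in config.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[:3] == ["crypto", "isakmp", "policy"]:
            cur = policies.setdefault(tok[3], dict(POLICY_DEFAULTS))
            continue
        if cur is not None and tok[0] in POLICY_KEYWORDS:
            cur["encr" if tok[0] == "encryption" else tok[0]] = tok[1]
            continue
        cur = None                      # any other command ends the policy block
        if tok[:3] == ["crypto", "ipsec", "transform-set"]:
            for t in tok[4:]:
                if t in WEAK_TRANSFORMS:
                    findings.append(f"transform-set {tok[3]}: weak transform {t}")
        elif tok[:2] == ["crypto", "map"] and len(tok) >= 5 and tok[3].isdigit():
            table = dynamic_seq if "dynamic" in tok[4:] else static_seq
            table.setdefault(tok[2], []).append(int(tok[3]))

    for pid, p in policies.items():
        if p["encr"] in WEAK_ENCR:
            findings.append(f"isakmp policy {pid}: weak encryption {p['encr']} (use aes)")
        if p["hash"] in WEAK_HASH:
            findings.append(f"isakmp policy {pid}: weak hash {p['hash']} (use sha256 or stronger)")
        if p["group"] in WEAK_GROUPS:
            findings.append(f"isakmp policy {pid}: weak DH group {p['group']} (use group 14 or stronger)")
    # Dynamic entries can match any peer; Cisco's guidance is to give them the
    # highest sequence numbers so static site-to-site entries are evaluated first.
    for name, dyn in dynamic_seq.items():
        for seq in sorted(static_seq.get(name, [])):
            if min(dyn) < seq:
                findings.append(f"crypto map {name}: dynamic entry {min(dyn)} precedes static entry {seq}")
                break
    return findings


# Copied from the HQ VPN configuration on this page.
HQ_VPN_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key tom address 200.1.1.2
crypto ipsec transform-set tim esp-3des esp-md5-hmac
crypto map tom 11 ipsec-isakmp
 set peer 200.1.1.2
 set transform-set tim
 match address 101
crypto dynamic-map ezmap 10
 set transform-set tim
 reverse-route
crypto map tom 10 ipsec-isakmp dynamic ezmap
"""
# Constructed hardened equivalent (IOS 15 syntax): AES-256, SHA-256, DH group 14,
# and the dynamic entry moved behind the static one.
HARDENED_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto ipsec transform-set tim esp-aes 256 esp-sha256-hmac
crypto map tom 10 ipsec-isakmp
 set peer 200.1.1.2
 set transform-set tim
 match address 101
crypto dynamic-map ezmap 10
 set transform-set tim
 reverse-route
crypto map tom 65535 ipsec-isakmp dynamic ezmap
"""

if __name__ == "__main__":
    for name, cfg in (("page config", HQ_VPN_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = lint(cfg)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Run it against a "show running-config" paste; the page's config yields six findings and the hardened variant none. The group check is the one most often missed: an isakmp policy with no "group" line silently uses 768-bit DH group 1.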
Branch configuration:
! Phase 1 policy and transform set must match the HQ side
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
crypto isakmp key tom address 100.1.1.2
crypto ipsec transform-set tim esp-3des esp-md5-hmac
crypto map tom 10 ipsec-isakmp
set peer 100.1.1.2
set transform-set tim
match address 101
! Crypto ACL: exact mirror image of HQ's ACL 101
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
interface FastEthernet0/0
crypto map tom
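Two things decide whether the site-to-site tunnel above carries traffic: NAT ACL 100 must deny the HQ-to-branch flow before its permit (otherwise packets are translated before the crypto map sees them and leave in the clear), and the two crypto ACLs 101 must be mirror images. The script below, an added example that is not part of this lab or of any Cisco tool, checks both from pasted ACL lines; it assumes the "access-list N permit|deny ip SRC DST" form used on this page and ignores any other syntax. The HQ and branch samples are copied from the page; the "broken" sample is constructed to show what a wrong entry order looks like.

```python
"""NAT-exemption and mirror-image check for the NAT ACL (100) and crypto ACL (101).

Added example for this lab; it is not part of the original page or of any
Cisco tool. It understands only the "access-list N permit|deny ip SRC DST"
form used above (SRC/DST = "any", "host A.B.C.D" or "NET WILDCARD"); any
other ACL syntax is ignored (assumption).
"""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _take(tok, i):
    """Parse one address spec starting at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # An IOS wildcard mask is the bitwise inverse of the netmask.
    wild = int(ipaddress.IPv4Address(tok[i + 1]))
    netmask = ipaddress.IPv4Address(~wild & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok[i]}/{netmask}", strict=False), i + 2


def parse_acls(config):
    """Return {acl_number: [Ace, ...]} in configured order (the order IOS evaluates)."""
    acls = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
            continue
        src, i = _take(tok, 4)
        dst, _ = _take(tok, i)
        acls.setdefault(tok[1], []).append(Ace(tok[2], src, dst))
    return acls


def unexempted_crypto_flows(nat_acl, crypto_acl):
    """Crypto-interesting flows that the NAT ACL would still translate.

    IOS stops at the first matching entry, so for every permit in the crypto
    ACL the first NAT entry that overlaps it must be a deny covering the whole
    flow. Otherwise packets are translated before the crypto map sees them,
    never match the crypto ACL, and leave in the clear: the tunnel is "up"
    but carries nothing. A deny that only partially covers the flow is
    flagged as well, conservatively.
    """
    leaks = []
    for c in crypto_acl:
        if c.action != "permit":
            continue
        for n in nat_acl:
            if n.src.overlaps(c.src) and n.dst.overlaps(c.dst):
                covered = c.src.subnet_of(n.src) and c.dst.subnet_of(n.dst)
                if n.action == "permit" or not covered:
                    leaks.append(c)
                break  # first match wins; no match = implicit deny = not translated
    return leaks


def is_mirror(local_crypto, remote_crypto):
    """Both ends' crypto ACLs should be exact mirror images; mismatched proxy
    identities are a common reason IKE phase 2 fails."""
    local = {(a.src, a.dst) for a in local_crypto if a.action == "permit"}
    remote = {(a.dst, a.src) for a in remote_crypto if a.action == "permit"}
    return local == remote


def check_site(config, nat="100", crypto="101"):
    """Leaked crypto flows for one router's pasted ACL lines."""
    acls = parse_acls(config)
    return unexempted_crypto_flows(acls.get(nat, []), acls.get(crypto, []))


# Copied from the HQ and branch sections of this page.
HQ_CONFIG = """\
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
BRANCH_CONFIG = """\
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
# Constructed: the same HQ entries with the permit entered first (the usual mistake).
BROKEN_HQ_CONFIG = """\
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""

if __name__ == "__main__":
    for name, cfg in (("HQ", HQ_CONFIG), ("branch", BRANCH_CONFIG), ("broken HQ", BROKEN_HQ_CONFIG)):
        leaks = check_site(cfg)
        detail = ", ".join(f"{a.src} -> {a.dst}" for a in leaks)
        print(f"{name}: {'OK' if not leaks else 'translated before encryption: ' + detail}")
    hq, br = parse_acls(HQ_CONFIG)["101"], parse_acls(BRANCH_CONFIG)["101"]
    print("crypto ACLs are mirror images:", is_mirror(hq, br))
```

The check is only as good as the order of the lines you paste, so take them from "show running-config" rather than from notes; IOS keeps numbered ACL entries in the order they were entered.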
Testing:
For the IPsec VPN, ping a HQ PC from the branch to check connectivity. To confirm the tunnel itself rather than only the ping, "show crypto isakmp sa" should list the peer in state QM_IDLE and "show crypto ipsec sa" should show the #pkts encaps/decaps counters increasing. The Easy VPN connection test is described in 《Cisco PacketTracer 5.2模擬器的Easy VPN實驗指南》 (the Easy VPN lab guide for the Cisco Packet Tracer 5.2 simulator).
Once both VPNs are up, the internal TFTP server can be pinged as well.
Finally, a question for readers. In this lab I have solved the IPsec VPN and the NAT Internet-access problem, but after my wireless laptop connects to HQ through Easy VPN it can only reach the internal web server by IP address and cannot reach web servers on the Internet. Why is that, and how should it be fixed?