NAT部分
1、配置NAT匹配流量
ip access-list extended nat-inside
permit ip host 10.16.8.1 192.169.0.0 0.0.255.255
2、配置NAT Pool
ip nat pool src-pool 192.168.29.10 192.168.29.20 prefix-length 24
3、配置NAT轉換
ip nat inside source list nat-inside pool src-pool overload
IPSEC 部分
1、配置isakmp policy
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
2、配置對端地址和密鑰
crypto isakmp key Passw0rd address 131.5.12.184
3、配置隧道模式
crypto ipsec security-association lifetime seconds 28800
crypto ipsec transform-set jieru esp-aes esp-sha-hmac
mode tunnel
4、配置感興趣流
注意:感興趣流的源地址爲NAT轉換後的pool的地址
ip access-list extended dataflow
permit ip 192.168.29.0 0.0.0.255 192.169.0.0 0.0.255.255
5、配置ipsec-isakmp
crypto map remote-jieru 10 ipsec-isakmp
set peer 131.5.12.184
set transform-set jieru
match address dataflow
6、關聯接口
int g0/0/0
crypto map remote-jieru
總結
通過這種方式讓第三方平臺配置後接入我端,我端的配置不會因爲對端感興趣流的調整而改變,能夠減輕工作量。