r2: this router represents company HQ. It connects the ISP and the internal network; both the NAT and the IPsec VPN are configured on it.

r2#show runn

Building configuration...

Current configuration : 1337 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname r2

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 5

!

!

ip cef

no ip domain lookup

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

crypto isakmp policy 1   ## IKE phase 1 (ISAKMP) policy; 1 is its priority

encryption des  ## symmetric cipher protecting the IKE SA: DES (56-bit, obsolete; acceptable only in a lab)

group 1   ## Diffie-Hellman group 1 (768-bit MODP, obsolete; lab only)

hash md5           ## hash used for IKE integrity and the PRF: MD5 (also obsolete)

authentication pre-share  ## peers authenticate with a pre-shared key. encryption des and group 1 are the IOS defaults, so show run normally omits them (compare r4's output below); they are listed here so the whole policy is visible. Both peers must agree on every one of these values, and the defaults only match if neither side changes them.

crypto isakmp key 6 cisco address 192.168.5.2   ## pre-shared key for peer 192.168.5.2 (r4's outside interface). The digit after key is the key-encryption type (0 = cleartext, 6 = type-6 AES, which only works once a master key has been configured); what matters in this lab is that both routers entered the identical command. "cisco" is a lab key only: use a long random key in production, and unless type-6 encryption is really enabled the key sits readable in the configuration.

!

!

crypto ipsec transform-set ccnp ah-md5-hmac  ## IPsec (phase 2) transform set named ccnp: AH with HMAC-MD5 and nothing else. AH gives integrity and origin authentication but no confidentiality, so the site-to-site payload crosses the ISP in cleartext. An encrypting tunnel needs an ESP cipher in the transform set, e.g. esp-aes esp-sha-hmac. AH also authenticates the outer IP header, so it breaks if any NAT device sits between the peers; that is harmless here only because the tunnel traffic is exempted from NAT on both routers (see access-list 100). Tunnel mode is the default.

!

crypto map mymap 1 ipsec-isakmp   ## crypto map mymap, entry 1, with SAs negotiated by IKE (ipsec-isakmp); it ties together the peer, the transform set and the crypto ACL

set peer 192.168.5.2   ## remote peer: r4's outside address

set transform-set ccnp  ## use the transform set ccnp defined above

match address 110     ## the traffic to protect is selected by ACL 110

!

!

!

!

interface Ethernet0/0

no ip address

shutdown

half-duplex

!

interface Ethernet0/1

ip address 192.168.1.1 255.255.255.0

ip nat inside  ## LAN-facing interface: NAT inside

ip virtual-reassembly

half-duplex

!

interface Ethernet0/2

ip address 192.168.4.1 255.255.255.0

ip nat outside   ## ISP-facing interface: NAT outside. Private source addresses are translated to this interface's public address when they head for the Internet

ip virtual-reassembly

half-duplex

crypto map mymap   ## the crypto map is applied on the outside interface, the one the protected traffic leaves through

!

interface Ethernet0/3

no ip address

shutdown

half-duplex

!

ip http server

no ip http secure-server

ip route 0.0.0.0 0.0.0.0 192.168.4.2  ## default route to the ISP; the next hop is r3's address on the 192.168.4.0 link

!

!

ip nat inside source list 100 interface Ethernet0/2 overload  ## PAT (overload): sources permitted by ACL 100 are translated to the address of Ethernet0/2

!

access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255  ## NAT ACL. The deny line comes first and exempts the site-to-site traffic from translation (deny in a NAT ACL means "do not translate", not "drop"). On IOS, inside-to-outside NAT runs before the crypto map is consulted, so if this traffic were translated its source would become 192.168.4.1, it would no longer match crypto ACL 110, and it would leave for the ISP outside the tunnel.

access-list 100 permit ip 192.168.1.0 0.0.0.255 any     ## everything else from the LAN is translated (Internet-bound traffic)

access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255  ## crypto ACL ("interesting traffic"): when 192.168.1.0/24 talks to 192.168.2.0/24 the packet is protected with the IKE/IPsec SAs defined above. The peer's crypto ACL must be the exact mirror image of this one.
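The interplay between ACL 100 and ACL 110 is the part of this configuration that is most often got wrong, so here is a small simulation of it. This is an added example, not code from the original post: it reproduces r2's inside-to-outside processing on IOS (NAT is applied before the crypto map is consulted) with the page's own ACLs; the flows at the bottom are constructed inputs standing in for the HQ PC, the branch PC and the Internet host.

```python
"""Why the first line of access-list 100 is a deny.

Added example, not code from the original post. It models r2's inside-to-outside
order of operations on IOS (NAT is applied before the crypto map is consulted)
using the page's own ACL 100 and ACL 110; the flows at the bottom are constructed
test inputs standing in for the HQ PC, the branch PC and the Internet host.
"""
import ipaddress

OUTSIDE_ADDR = "192.168.4.1"  # r2 Ethernet0/2, the PAT address


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'do not care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def acl_lookup(acl, src: str, dst: str) -> str:
    """First-match semantics, with the implicit deny at the end of every IOS ACL."""
    for action, s_base, s_wc, d_base, d_wc in acl:
        if wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc):
            return action
    return "deny"


# r2's access-lists as (action, src, src_wildcard, dst, dst_wildcard);
# "any" is written out as 0.0.0.0 255.255.255.255.
ACL_100 = [  # NAT ACL: deny here means "do not translate", not "drop"
    ("deny", "192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),
    ("permit", "192.168.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
]
ACL_110 = [  # crypto ACL: the interesting traffic for the tunnel
    ("permit", "192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),
]


def forward_inside_to_outside(src: str, dst: str, nat_acl=ACL_100, crypto_acl=ACL_110) -> dict:
    """What leaves Ethernet0/2: the source address on the wire and whether the
    packet was handed to the crypto map. NAT is evaluated first, and the crypto
    ACL then sees the translated packet."""
    natted = acl_lookup(nat_acl, src, dst) == "permit"
    wire_src = OUTSIDE_ADDR if natted else src
    protected = acl_lookup(crypto_acl, wire_src, dst) == "permit"
    return {"wire_src": wire_src, "natted": natted, "ipsec": protected}


if __name__ == "__main__":
    hq_pc, branch_pc, internet_host = "192.168.1.2", "192.168.2.2", "192.168.3.2"
    print("HQ -> branch  :", forward_inside_to_outside(hq_pc, branch_pc))      # exempt, tunnelled
    print("HQ -> Internet:", forward_inside_to_outside(hq_pc, internet_host))  # PAT, cleartext
    # The same NAT ACL without its deny line: the packet is translated first,
    # no longer matches ACL 110 and leaves for the ISP unprotected.
    print("no deny line  :", forward_inside_to_outside(hq_pc, branch_pc, nat_acl=ACL_100[1:]))
```

Running it shows the HQ-to-branch flow leaving with its original source and marked for IPsec, the Internet flow leaving as 192.168.4.1 in the clear, and, once the deny line is removed, the branch-bound flow also leaving as 192.168.4.1 without IPsec: it no longer matches ACL 110, and since r3 has no route to 192.168.2.0 the ping simply fails, while any packet that did get through would be unprotected.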

!

!

!

control-plane

!

!

!

!

!

!

!

!

!

!

line con 0

line aux 0

line vty 0 4

!

!

end

r2#

r1: this router acts as the HQ PC (no ip routing plus ip default-gateway make it behave like a host)

r1#ping 192.168.2.2  ## reaching the branch PC shows the tunnel came up. The first echo is lost ('.') while IKE negotiates the SAs, which is normal. A successful ping by itself does not prove the traffic was protected; confirm on r2 with show crypto isakmp sa and show crypto ipsec sa, where the pkts encaps/decaps counters should grow with every ping.

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 120/194/232 ms

r1#ping 192.168.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 124/138/160 ms

r1#ping 192.168.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 104/164/216 ms

r1#ping 192.168.3.2 ## reaching 192.168.3.2, the host standing in for the Internet, shows PAT works (show ip nat translations on r2 lists the entry)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.3.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 80/151/220 ms

r1#show runn

Building configuration...

Current configuration : 806 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname r1

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 5

no ip routing

!

!

no ip cef

no ip domain lookup

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

interface Ethernet0/0

no ip address

no ip route-cache

shutdown

half-duplex

!

interface Ethernet0/1

ip address 192.168.1.2 255.255.255.0

no ip route-cache

half-duplex

!

interface Ethernet0/2

no ip address

no ip route-cache

shutdown

half-duplex

!

interface Ethernet0/3

no ip address

no ip route-cache

shutdown

half-duplex

!

ip default-gateway 192.168.1.1

ip http server

no ip http secure-server

!

!

!

!

!

!

control-plane

!

!

!

!

!

!

!

!

!

!

line con 0

line aux 0

line vty 0 4

!

!

end

r1#

r3: this router acts as the ISP. It connects three networks: 192.168.3.0 stands in for the Internet, 192.168.4.0 links to the HQ router and 192.168.5.0 links to the branch router. Its configuration is just three interface addresses. It deliberately has no routes to 192.168.1.0 or 192.168.2.0, just as a real ISP has none to a customer's private LANs, which is why only translated or tunnelled traffic can cross it.

r3>en

r3#show runn

Building configuration...

Current configuration : 708 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname r3

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 5

!

!

ip cef

no ip domain lookup

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

interface Ethernet0/0

ip address 192.168.3.1 255.255.255.0  ## link to the 192.168.3.0 network that stands in for the Internet

half-duplex

!

interface Ethernet0/1

ip address 192.168.4.2 255.255.255.0  ## link to the HQ router r2

half-duplex

!

interface Ethernet0/2

ip address 192.168.5.1 255.255.255.0   ## link to the branch router r4

half-duplex

!

interface Ethernet0/3

no ip address

shutdown

half-duplex

!

ip http server

no ip http secure-server

!

!

!

!

!

!

control-plane

!

!

!

!

!

!

!

!

!

!

line con 0

line aux 0

line vty 0 4

!

!

end

r3#

r4: the router at the branch. Its configuration mirrors r2, so only the differences are pointed out; what follows is the console transcript of configuring it, then its running configuration.

2, changed state to up

r4(config-if)#ex

r4(config)#in e0/1

r4(config-if)#ip nat ou

r4(config-if)#ip nat outside

r4(config-if)#

*Mar  1 00:12:48.551: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up

r4(config-if)#ex

r4(config)#in e0/2

r4(config-if)#ip nat ins

r4(config-if)#ex

r4(config)#acc

r4(config)#access-list 100 den

r4(config)#$ 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

r4(config)#acc

r4(config)#access-list 100 per

r4(config)#access-list 100 permit ip 192.168.2.0 0.0.0.255 any

r4(config)#ip nat inside sourc list 100 in

r4(config)#ip nat inside sourc list 100 interface e0/1 ove

r4(config)#ip route 0.0.0.0 0.0.0.0 192.168.5.1

r4(config)#acc

r4(config)#access-list 110 per

r4(config)#$ 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

r4(config)#cry

r4(config)#crypto is

r4(config)#crypto isakmp po

r4(config)#crypto isakmp policy ?

<1-10000>  Priority of protection suite

r4(config)#crypto isakmp policy 1 ?

<cr>

r4(config)#crypto isakmp policy 1

r4(config-isakmp)#en

r4(config-isakmp)#encryption des

r4(config-isakmp)#hash mdt

^

% Invalid input detected at '^' marker.

r4(config-isakmp)#hash md5

r4(config-isakmp)#auth

r4(config-isakmp)#authentication pre

r4(config-isakmp)#authentication pre-share

r4(config-isakmp)#gr

r4(config-isakmp)#group 1

r4(config-isakmp)#ex

r4(config)#cry

r4(config)#crypto is

r4(config)#crypto isakmp key 6 cisco add ?

A.B.C.D  Peer IP address

r4(config)#crypto isakmp key 6 cisco add 192.168.4.1 ?

A.B.C.D   Peer IP subnet mask

no-xauth  Bypasses XAuth for this peer

<cr>

r4(config)#crypto isakmp key 6 cisco add 192.168.4.1

r4(config)#cry ip

r4(config)#cry ipsec tran

r4(config)#cry ipsec transform-set ccnp ?

ah-md5-hmac   AH-HMAC-MD5 transform

ah-sha-hmac   AH-HMAC-SHA transform

comp-lzs      IP Compression using the LZS compression algorithm

esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)

esp-aes       ESP transform using AES cipher

esp-des       ESP transform using DES cipher (56 bits)

esp-md5-hmac  ESP transform using HMAC-MD5 auth

esp-null      ESP transform w/o cipher

esp-seal      ESP transform using SEAL cipher (160 bits)

esp-sha-hmac  ESP transform using HMAC-SHA auth

r4(config)#cry ipsec transform-set ccnp ah

r4(config)#cry ipsec transform-set ccnp ah-m

r4(config)#cry ipsec transform-set ccnp ah-md5-hmac

r4(cfg-crypto-trans)#exit

r4(config)#cry

r4(config)#crypto map mymap 1 ips

r4(config)#crypto map mymap 1 ipsec-is

r4(config)#crypto map mymap 1 ipsec-isakmp

% NOTE: This new crypto map will remain disabled until a peer

and a valid access list have been configured.

r4(config-crypto-map)#mat

r4(config-crypto-map)#match add 110

r4(config-crypto-map)#set tr

r4(config-crypto-map)#set transform-set ccnp

r4(config-crypto-map)#set peer 192.168.4.1

r4(config-crypto-map)#ex

r4(config)#in e0/1

r4(config-if)#cry map mymap

r4(config-if)#ex

*Mar  1 00:18:34.063: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

r4(config)#end

r4#show runn

*Mar  1 00:19:44.447: %SYS-5-CONFIG_I: Configured from console by console

Building configuration...

Current configuration : 1337 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname r4

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 5

!

!

ip cef

no ip domain lookup

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

crypto isakmp policy 1  ## must match r2's policy; only the peer address changes, to r2's outside address. encryption des and group 1 are the IOS defaults, which is why they are not displayed here

hash md5

authentication pre-share

crypto isakmp key 6 cisco address 192.168.4.1

!

!

crypto ipsec transform-set ccnp ah-md5-hmac

!

crypto map mymap 1 ipsec-isakmp

set peer 192.168.4.1

set transform-set ccnp

match address 110

!

!

!

!

interface Ethernet0/0

no ip address

shutdown

half-duplex

!

interface Ethernet0/1

ip address 192.168.5.2 255.255.255.0

ip nat outside

ip virtual-reassembly

half-duplex

crypto map mymap

!

interface Ethernet0/2

ip address 192.168.2.1 255.255.255.0

ip nat inside

ip virtual-reassembly

half-duplex

!

interface Ethernet0/3

no ip address

shutdown

half-duplex

!

ip http server

no ip http secure-server

ip route 0.0.0.0 0.0.0.0 192.168.5.1

!

!

ip nat inside source list 100 interface Ethernet0/1 overload

!

access-list 100 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 100 permit ip 192.168.2.0 0.0.0.255 any

access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
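Before trusting two show run outputs to match by eye, it is worth checking them mechanically. The following is an added example, not code from the original post: it parses the crypto sections of r2 and r4 as printed above, fills in the IKE defaults that show run omits, flags the obsolete algorithms, and verifies that the two crypto maps describe the same tunnel (each set peer is the other router's crypto-map interface, the crypto ACLs mirror each other, keys and transform sets agree). The WEAK table, ESP_CIPHERS and MIN_PSK_LEN are this example's own review baseline, not anything IOS enforces.

```python
"""Audit both peers' IKE/IPsec settings and check that they describe one tunnel.

Added example, not code from the original post. R2 and R4 are the crypto sections
copied from the show run output on this page (r2 lists encryption des and group 1
explicitly, r4 does not, so the parser fills in the IOS defaults). WEAK, ESP_CIPHERS
and MIN_PSK_LEN are this example's own review baseline, not anything IOS enforces.
"""
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1", "authentication": "rsa-sig"}
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
ESP_CIPHERS = {"esp-des", "esp-3des", "esp-aes", "esp-seal"}  # cipher transforms from the IOS help text above
MIN_PSK_LEN = 20  # review baseline, not an IOS limit
R2 = """crypto isakmp policy 1
 encryption des
 group 1
 hash md5
 authentication pre-share
crypto isakmp key 6 cisco address 192.168.5.2
crypto ipsec transform-set ccnp ah-md5-hmac
crypto map mymap 1 ipsec-isakmp
 set peer 192.168.5.2
 set transform-set ccnp
 match address 110
interface Ethernet0/2
 ip address 192.168.4.1 255.255.255.0
 crypto map mymap
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
R4 = """crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key 6 cisco address 192.168.4.1
crypto ipsec transform-set ccnp ah-md5-hmac
crypto map mymap 1 ipsec-isakmp
 set peer 192.168.4.1
 set transform-set ccnp
 match address 110
interface Ethernet0/1
 ip address 192.168.5.2 255.255.255.0
 crypto map mymap
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

def parse(config: str) -> dict:
    # Walk the config once, tracking which block (isakmp policy / crypto map / interface) we are in.
    cfg = {"isakmp": dict(ISAKMP_DEFAULTS), "transform": [], "peer": None,
           "crypto_acl": None, "acls": {}, "outside": None, "psk": None}
    block = addr = None
    for w in filter(None, map(str.split, config.splitlines())):  # tokens of each non-blank line
        if w[:3] == ["crypto", "isakmp", "policy"]:
            block = "isakmp"
        elif w[:3] == ["crypto", "isakmp", "key"]:  # key [0|6] <string> address <peer>
            cfg["psk"] = w[4] if w[3] in ("0", "6") else w[3]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform"] = w[4:]
        elif w[:2] == ["crypto", "map"] and block != "interface":
            block = "map"
        elif w[0] == "interface":
            block, addr = "interface", None
        elif w[0] == "access-list" and len(w) == 8:  # only the src-wildcard dst-wildcard form
            cfg["acls"].setdefault(w[1], []).append(tuple(w[2:]))
        elif block == "isakmp" and w[0] in cfg["isakmp"]:
            cfg["isakmp"][w[0]] = w[1]
        elif block == "map" and w[:2] == ["set", "peer"]:
            cfg["peer"] = w[2]
        elif block == "map" and w[:2] == ["match", "address"]:
            cfg["crypto_acl"] = w[2]
        elif block == "interface" and w[:2] == ["ip", "address"]:
            addr = w[2]
        elif block == "interface" and w[:2] == ["crypto", "map"]:
            cfg["outside"] = addr  # address of the interface the crypto map is applied to
    return cfg

def findings(cfg: dict, name: str) -> list:
    out = [f"{name}: IKE {k} {cfg['isakmp'][k]} is obsolete"
           for k, bad in WEAK.items() if cfg["isakmp"][k] in bad]
    ciphers = [t for t in cfg["transform"] if t in ESP_CIPHERS]
    if not ciphers:
        out.append(f"{name}: transform set has no ESP cipher, payload crosses the ISP in cleartext")
    elif set(ciphers) - {"esp-aes"}:
        out.append(f"{name}: weak ESP cipher {' '.join(ciphers)}")
    if cfg["psk"] is not None and len(cfg["psk"]) < MIN_PSK_LEN:
        out.append(f"{name}: pre-shared key shorter than {MIN_PSK_LEN} characters")
    return out

def mirror(entries: list) -> list:
    # Swap source and destination: what the other peer's crypto ACL must contain.
    return [(act, proto, dst, dwc, src, swc) for act, proto, src, swc, dst, dwc in entries]

def audit(a: str, b: str, names=("r2", "r4")) -> list:
    ca, cb = parse(a), parse(b)
    out = findings(ca, names[0]) + findings(cb, names[1])
    out += [f"IKE {k} mismatch: {ca['isakmp'][k]} vs {cb['isakmp'][k]}"
            for k in ISAKMP_DEFAULTS if ca["isakmp"][k] != cb["isakmp"][k]]
    for label, x, y in (("transform sets", ca["transform"], cb["transform"]), ("pre-shared keys", ca["psk"], cb["psk"])):
        if x != y:
            out.append(f"{label} differ")
    if ca["peer"] != cb["outside"] or cb["peer"] != ca["outside"]:
        out.append("set peer does not point at the other side's crypto-map interface")
    if ca["acls"].get(ca["crypto_acl"]) != mirror(cb["acls"].get(cb["crypto_acl"], [])):
        out.append("crypto ACLs are not mirror images")
    return out
```

On this lab's configuration, audit(R2, R4) returns ten per-router findings (DES, MD5 and group 1 on each side, an AH-only transform set that leaves the payload in cleartext, and the five-character key) and no cross-peer mismatch, which matches the state of the tunnel the pings above exercise. Replacing the transform set with esp-aes esp-sha-hmac and the policy with aes, sha256 and group 14 on both sides clears the per-router findings.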

!

!

!

control-plane

!

!

!

!

!

!

!

!

!

!

line con 0

line aux 0

line vty 0 4

!

!

end

r4#

r5: this router acts as the branch PC; it needs to reach the HQ 192.168.1.0 network

r5>en

r5#show runn

Building configuration...

Current configuration : 806 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname r5

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 5

no ip routing

!

!

no ip cef

no ip domain lookup

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

interface Ethernet0/0

no ip address

no ip route-cache

shutdown

half-duplex

!

interface Ethernet0/1

ip address 192.168.2.2 255.255.255.0

no ip route-cache

half-duplex

!

interface Ethernet0/2

no ip address

no ip route-cache

shutdown

half-duplex

!

interface Ethernet0/3

no ip address

no ip route-cache

shutdown

half-duplex

!

ip default-gateway 192.168.2.1

ip http server

no ip http secure-server

!

!

!

!

!

!

control-plane

!

!

!

!

!

!

!

!

!

!

line con 0

line aux 0

line vty 0 4

!

!

end

r5#ping 192.168.1.2  ## the branch PC reaches the HQ PC, so the tunnel works in this direction as well

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 124/135/144 ms

r5#

r6: this router represents a server on the Internet

r6>en

r6#show runn

Building configuration...

Current configuration : 806 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname r6

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 5

no ip routing

!

!

no ip cef

no ip domain lookup

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

interface Ethernet0/0

no ip address

no ip route-cache

shutdown

half-duplex

!

interface Ethernet0/1

ip address 192.168.3.2 255.255.255.0

no ip route-cache

half-duplex

!

interface Ethernet0/2

no ip address

no ip route-cache

shutdown

half-duplex

!

interface Ethernet0/3

no ip address

no ip route-cache

shutdown

half-duplex

!

ip default-gateway 192.168.3.1

ip http server

no ip http secure-server

!

!

!

!

!

!

control-plane

!

!

!

!

!

!

!

!

!

!

line con 0

line aux 0

line vty 0 4

!

!

end

r6#

Reposted from: https://blog.51cto.com/ccnpnetwork/992657
