
Remote dial-in access through client-side NAT (Cisco Easy VPN with NAT traversal)

I. Lab topology

[Topology diagram: remote dial-in access through client-side NAT. Reconstructed from the configurations below: PC 192.168.2.10 -- RT3 (Ethernet1/0 192.168.2.1 inside, Ethernet0/0 202.103.95.112 outside, default route to 202.103.95.111) -- ISP/Internet -- RT4 (202.103.96.112 outside, Ethernet0/1 192.168.1.2 inside, default route to 202.103.96.111) -- RT1 (Ethernet0/0 192.168.1.1, Loopback0 192.168.3.1).]

II. Lab objectives:

1. Configure static PAT on RT4 so that IKE and NAT-T traffic arriving at its public address reaches RT1.

2. Configure NAT (overload) on RT3 so that the PC on 192.168.2.0/24 can reach the Internet.

3. Have the PC dial in remotely to headquarters router RT1 and establish a transport-mode IPsec tunnel with RT1.

III. Lab implementation:

RT1:

aaa new-model  // enable AAA
!
aaa authentication login default local  // default login authentication uses the local user database
aaa authentication login nauguy local   // XAuth (user) authentication list "nauguy" uses the local user database
aaa authorization network nauguy local  // group (network) authorization list "nauguy" uses the local database
username cisco password 0 cisco  // XAuth user name and password; "password 0" stores it in cleartext, acceptable only in a lab
crypto isakmp policy 1  // IKE Phase 1 policy
 hash md5
 authentication pre-share
 group 2
crypto isakmp client configuration group nauguy  // Phase 1.5 (mode-config) policy, group name nauguy
 key 1234  // group pre-shared key
 pool nauguy  // client addresses are handed out from local pool nauguy
 acl 101  // split tunneling: only networks matched by ACL 101 are pushed to the client as tunnelled
crypto ipsec transform-set cisco esp-des esp-md5-hmac  // IKE Phase 2 (IPsec) proposal; DES and MD5 are lab-grade choices
 mode transport  // without the "require" keyword IOS still accepts a tunnel-mode proposal from the client
crypto dynamic-map cisco 10
 set transform-set cisco
crypto map hqh client authentication list nauguy  // bind XAuth authentication list nauguy
crypto map hqh isakmp authorization list nauguy   // bind group authorization list nauguy
crypto map hqh client configuration address respond  // answer the client's mode-config request with an address from the pool
crypto map hqh 10 ipsec-isakmp dynamic cisco  // bind the dynamic crypto map
interface Loopback0
 ip address 192.168.3.1 255.255.255.0
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
 crypto map hqh
ip local pool nauguy 192.168.20.1 192.168.20.20  // local address pool
ip route 0.0.0.0 0.0.0.0 192.168.1.2
access-list 101 permit ip 192.168.3.0 0.0.0.255 any  // split-tunnel list: 192.168.3.0/24 (Loopback0) is reached through the tunnel

RT3:

interface Ethernet0/0  // the interface header is missing from the original excerpt; the name is taken from the "overload" statement below
 ip address 202.103.95.112 255.255.255.0
 ip nat outside
interface Ethernet1/0
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
ip route 0.0.0.0 0.0.0.0 202.103.95.111
ip nat inside source list 100 interface Ethernet0/0 overload  // dynamic NAT overload (PAT), not static NAT: hosts matched by ACL 100 share Ethernet0/0's address 202.103.95.112
access-list 100 permit ip 192.168.2.0 0.0.0.255 any

RT4:

 ip address 202.103.96.112 255.255.255.0  // outside (public) interface; its "interface" line is missing from the excerpt
interface Ethernet0/1
 ip address 192.168.1.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 202.103.96.111
!
ip nat inside source static udp 192.168.1.1 500 202.103.96.112 500 extendable
// static PAT: ISAKMP (UDP 500) arriving at the public address is forwarded to RT1
ip nat inside source static udp 192.168.1.1 4500 202.103.96.112 4500 extendable
// static PAT: NAT-T encapsulated IKE and ESP (UDP 4500) is forwarded to RT1

The excerpt does not show the "ip nat inside" / "ip nat outside" interface commands on RT4, but the translation table further down proves they are in place. Note that both static entries are UDP only: raw ESP (IP protocol 50) could not be forwarded to RT1 this way. The session works because the PC and RT1 both detect a NAT during IKE Phase 1 and float to UDP 4500 (NAT-T), so every IPsec packet reaching RT4 is a UDP datagram that the second static entry can translate.
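The comment above says the UDP 4500 entry carries "traffic after NAT-T"; the following script shows why both peers end up there. It is an added example and not part of the original lab: it implements the NAT-D payload computation of RFC 3947 (HASH over the ISAKMP cookies, IP address and port) and applies it to this lab's addresses. The ISAKMP cookies, the PC's pre-NAT Phase 1 source port (assumed 500 and preserved by RT3's PAT) and the function names are constructed assumptions; only the addresses come from the configurations.

```python
# Added example (not part of the original lab): RFC 3947 NAT-D payloads applied
# to this topology. Each IKE peer hashes the address/port it believes it sends
# from; the receiver recomputes the hash over the source address/port the
# packet actually arrived with. A mismatch means a NAT rewrote the header, and
# both sides then float the exchange from UDP 500 to UDP 4500.
import hashlib
import ipaddress
import struct

# ISAKMP policy 1 on RT1 negotiates "hash md5", so NAT-D uses MD5 here.
HASH = hashlib.md5

# Constructed values: the real ISAKMP cookies are not on the page.
CKY_I = bytes.fromhex("0102030405060708")  # initiator cookie (PC)
CKY_R = bytes.fromhex("8877665544332211")  # responder cookie (RT1)


def nat_d(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D = HASH(CKY-I | CKY-R | IP | Port), RFC 3947 section 3.2."""
    addr = ipaddress.ip_address(ip).packed
    return HASH(cky_i + cky_r + addr + struct.pack("!H", port)).digest()


def nat_in_front_of(cky_i, cky_r, announced, observed):
    """True when the NAT-D hash a peer announced for itself does not match the
    hash computed over the source address/port its packet really came from."""
    return nat_d(cky_i, cky_r, *announced) != nat_d(cky_i, cky_r, *observed)


def lab_nat_detection():
    """Apply the check to this lab's addresses (assumed ports: ISAKMP 500)."""
    rt1_announced = ("192.168.1.1", 500)     # RT1's own Ethernet0/0 address
    rt1_observed = ("202.103.96.112", 500)   # as seen by the PC after RT4's static PAT
    pc_announced = ("192.168.2.10", 500)     # PC behind RT3 (assumed pre-NAT port)
    pc_observed = ("202.103.95.112", 500)    # as seen by RT1 after RT3's overload NAT
    return {
        "pc_sees_nat_before_rt1": nat_in_front_of(CKY_I, CKY_R, rt1_announced, rt1_observed),
        "rt1_sees_nat_before_pc": nat_in_front_of(CKY_I, CKY_R, pc_announced, pc_observed),
        # Control case: no translation, hashes agree, nothing floats to 4500.
        "no_nat_control": nat_in_front_of(CKY_I, CKY_R, rt1_announced, rt1_announced),
    }


if __name__ == "__main__":
    for name, detected in lab_nat_detection().items():
        print(f"{name}: {'NAT detected' if detected else 'no NAT'}")
```

Both lab checks come back positive: RT4 rewrites RT1's source address and RT3 rewrites the PC's, so each side learns there is a NAT in front of the other and switches to UDP 4500. That is the traffic the second static PAT entry on RT4 exists for.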

RT1#show crypto engine connections active

ID    Interface    IP-Address   State  Algorithm            Encrypt  Decrypt
2     Ethernet0/0  192.168.1.1  set    HMAC_MD5+DES_56_CB   0        0
2001  Ethernet0/0  192.168.1.1  set    DES+MD5              4        0
2002  Ethernet0/0  192.168.1.1  set    DES+MD5              0        4

ID 2 is the IKE SA; 2001 and 2002 are the outbound and inbound IPsec SAs. The four packets encrypted on 2001 and four decrypted on 2002 match the four echo requests and replies of the ping below.

C:\Documents and Settings\Administrator>ping 192.168.3.1

Pinging 192.168.3.1 with 32 bytes of data:

Reply from 192.168.3.1: bytes=32 time=88ms TTL=255
Reply from 192.168.3.1: bytes=32 time=65ms TTL=255
Reply from 192.168.3.1: bytes=32 time=72ms TTL=255
Reply from 192.168.3.1: bytes=32 time=74ms TTL=255

Ping statistics for 192.168.3.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 65ms, Maximum = 88ms, Average = 74ms

RT4#show ip nat translations

Pro  Inside global         Inside local       Outside local         Outside global
udp  202.103.96.112:500    192.168.1.1:500    ---                   ---
udp  202.103.96.112:4500   192.168.1.1:4500   202.103.95.112:1041   202.103.95.112:1041
udp  202.103.96.112:4500   192.168.1.1:4500   ---                   ---

RT4#

The first and third rows are the two static PAT entries (no peer, hence "---"). The second row is the dynamic child entry created by the live NAT-T session from 202.103.95.112:1041, RT3's public address.

RT3#show ip nat translations

Pro  Inside global         Inside local        Outside local         Outside global
udp  202.103.95.112:1041   192.168.2.10:1041   202.103.96.112:4500   202.103.96.112:4500

On RT3 the PC (192.168.2.10) sends the NAT-T traffic from source port 1041 to RT1's public address 202.103.96.112:4500; the overload translation keeps the source port, which is why 1041 also appears as the outside port in RT4's table.
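The two translation tables are the evidence that the forwarding chain works; checking them by eye does not scale once the static entries and live sessions multiply. The following script is an added example, not part of the original lab: it parses "show ip nat translations" output, verifies that the static UDP 500/4500 entries for RT1 exist on RT4, lists the active NAT-T sessions, and cross-checks that RT3's inside-global socket is the one RT4 sees. The table text is copied from the page (RT3's output has no header line on the page, which the parser tolerates); the function names and the check logic are assumptions added here.

```python
# Added example (not part of the original lab): parse the two
# "show ip nat translations" tables and check the Easy VPN forwarding chain.
from dataclasses import dataclass
from typing import List, Optional

# Copied from the page: RT4 (headquarters side) and RT3 (client side).
RT4_TABLE = """\
Pro Inside global      Inside local       Outside local      Outside global
udp 202.103.96.112:500 192.168.1.1:500 --- ---
udp 202.103.96.112:4500 192.168.1.1:4500 202.103.95.112:1041 202.103.95.112:1041
udp 202.103.96.112:4500 192.168.1.1:4500 --- ---
"""
RT3_TABLE = """\
udp 202.103.95.112:1041 192.168.2.10:1041 202.103.96.112:4500 202.103.96.112:4500
"""


@dataclass(frozen=True)
class Xlate:
    proto: str
    inside_global: str
    inside_local: str
    outside_local: Optional[str]   # None when IOS prints "---" (static entry, no session)
    outside_global: Optional[str]

    @property
    def is_static(self) -> bool:
        return self.outside_global is None


def parse_nat_table(text: str) -> List[Xlate]:
    """One Xlate per translation row; header lines and prompts are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        proto, ig, il, ol, og = parts
        rows.append(Xlate(proto, ig, il,
                          None if ol == "---" else ol,
                          None if og == "---" else og))
    return rows


def missing_static_pat(rows, inside_host, public_ip, ports=(500, 4500)):
    """Ports lacking a static UDP entry public_ip:port -> inside_host:port."""
    present = {(r.inside_global, r.inside_local)
               for r in rows if r.proto == "udp" and r.is_static}
    return [p for p in ports
            if (f"{public_ip}:{p}", f"{inside_host}:{p}") not in present]


def natt_sessions(rows):
    """Remote sockets with a live NAT-T session on the inside host's UDP 4500."""
    return {r.outside_global for r in rows
            if r.proto == "udp" and not r.is_static
            and r.inside_local.endswith(":4500")}


def chain_consistent(hq_rows, client_rows, hq_public_ip):
    """The client-side NAT's inside-global socket for the flow to hq_public_ip:4500
    must be exactly what the headquarters NAT records as the outside peer."""
    client_side = {r.inside_global for r in client_rows
                   if r.outside_global == f"{hq_public_ip}:4500"}
    return bool(client_side) and client_side <= natt_sessions(hq_rows)


def esp_translations(rows):
    """Raw ESP entries; expected empty here, since RT4 only forwards UDP and
    every IPsec packet travels NAT-T encapsulated inside UDP 4500."""
    return [r for r in rows if r.proto == "esp"]


if __name__ == "__main__":
    rt4, rt3 = parse_nat_table(RT4_TABLE), parse_nat_table(RT3_TABLE)
    print("missing static PAT on RT4:", missing_static_pat(rt4, "192.168.1.1", "202.103.96.112"))
    print("NAT-T sessions seen by RT4:", natt_sessions(rt4))
    print("RT3/RT4 chain consistent:", chain_consistent(rt4, rt3, "202.103.96.112"))
    print("raw ESP translations on RT4:", esp_translations(rt4))
```

Run against the page's output it reports no missing static entries, one NAT-T session from 202.103.95.112:1041, a consistent chain, and no ESP translations. Feeding it a table where the 4500 entry has been removed would make the first check name port 4500 and the chain check fail, which is the symptom to look for when a client can complete IKE but never passes traffic.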