誉天安全CCIE小波老师NAT-T+IPSEC实验配置

敖少波NAT-T——IPSEC实验拓扑图配制VPN_gateway1R1#conftEnterconfigurationcommands,oneperline.EndwithCNTL/Z.R1(config)#inte0/0R1(config-if)#ipadd202.103.12.1255.255.255.0R1(config-if)#noshuR1(config-if)#exitR1(config)#intloop0R1(config-if)#ipadd192.168.1.1255.255.255.0R1(config-if)#noshuR1(config-if)#exitR1(config)#iproute0.0.0.00.0.0.0e0/0R1(config)#cryptoisakmppolicy10R1(config-isakmp)#encr3desR1(config-isakmp)#authenticationpre-shareR1(config-isakmp)#group2R1(config-isakmp)#cryptoisakmpkeyciscoaddress202.103.12.2R1(config)#cryptoipsectransform-setmysetesp-3desesp-sha-hmacR1(cfg-crypto-trans)#exitR1(config)#cryptomapMAP10ipsec-isakmp%NOTE:Thisnewcryptomapwillremaindisableduntilapeerandavalidaccesslisthavebeenconfigured.R1(config-crypto-map)#setpeer202.103.12.2R1(config-crypto-map)#settransform-setmysetR1(config-crypto-map)#setpfsgroup2R1(config-crypto-map)#matchaddress101R1(config-crypto-map)#exitR1(config)#inte0/0R1(config-if)#cryptomapMAPR1(config-if)#exitR1(config)#access-list101permitip192.168.1.00.0.0.255172.16.2.00.0.0.255武汉恒骏网络技术有限公司027-6315855913657288418QQ：474339332武汉誉天Cisco/RHCE认证：誉天论坛：武汉誉天Cisco/RHCE认证：誉天论坛：敖少波配制FIREWALLr2#conftEnterconfigurationcommands,oneperline.EndwithCNTL/Z.r2(config)#inte0/0r2(config-if)#ipadd202.103.12.2255.255.255.0r2(config-if)#noshur2(config-if)#ipnatoutr2(config-if)#exitr2(config)#inte0/1r2(config-if)#ipadd172.16.1.1255.255.255.0r2(config-if)#noshur2(config-if)#ipnatinsr2(config)#iproute0.0.0.00.0.0.0e0/0r2(config)#iproute172.16.2.0255.255.255.0e0/1r2(config)#access-list101perip172.16.0.00.0.255.255anyr2(config)#ipnatinsidesoulist101inte0/0overr2(config)#ipnatinsidesoustaesp172.16.1.2inte0/0r2(config)#ipnatinsidesoustaudp172.16.1.2500inte0/0500配制VPN_gateway2R3#conftEnterconfigurationcommands,oneperline.EndwithCNTL/Z.R3(config)#inte0/1R3(config-if)#ipadd172.16.1.2255.255.255.0R3(config-if)#noshuR3(config-if)#exitR3(config)#intloop0R3(config-if)#ipadd172.16.2.1255.255.255.0R3(config-if)#noshuR3(config-if)#exitR3(config)#iproute0.0.0.00.0.0.0e0/1R3(config)#access-list101permitip172.16.2.00.0.0.255192.168.1.00.0.0.255R3(config)#cryptoisakmppolicy10R3(config-isakmp)#encr3desR3(config-isakmp)#authenticationpre-shareR3(config-isakmp)#group2R3(config-isakmp)#cryptoisakmpkeyciscoaddress202.103.12.1R3(config)#cryptoipsectransform-setmysetesp-3desesp-sha-hmacR3(cfg-crypto-trans)#exitR3(config)#cryptomapMAP10ipsec-isakmp%NOTE:Thisnewcryptomapwillremaindisableduntilapeerandavalidaccesslisthavebeenconfigured.R3(config-crypto-map)#setpeer202.103.12.1武汉恒骏网络技术有限公司027-6315855913657288418QQ：474339332武汉誉天Cisco/RHCE认证：誉天论坛：武汉誉天Cisco/RHCE认证：誉天论坛：敖少波R3(config-crypto-map)#settransform-setmysetR3(config-crypto-map)#setpfsgroup2R3(config-crypto-map)#matchaddress101R3(config-crypto-map)#exitR3(config)#inte0/1R3(config-if)#cryptomapMAP现在我们来看VPN的IKE阶段的邻居关系。现在我们在没有FIREWALL的那端来出发流量。现在我们通过日志可以看出VPN的对等体已经UP。我们可以看到VPN的邻居已经起来了现在我们来看看加密的情况。武汉恒骏网络技术有限公司027-6315855913657288418QQ：474339332武汉誉天Cisco/RHCE认证：誉天论坛：武汉誉天Cisco/RHCE认证：誉天论坛：敖少波武汉恒骏网络技术有限公司027-6315855913657288418QQ：474339332武汉誉天Cisco/RHCE认证：誉天论坛：武汉誉天Cisco/RHCE认证：誉天论坛：敖少波我们在来NAT设备上面看看NAT的穿透情况方案二配制VPN_gateway1r1#conftEnterconfigurationcommands,oneperline.EndwithCNTL/Z.r1(config)#interfaceLoopback0r1(config-if)#ipaddress192.168.1.1255.255.255.0r1(config-if)#interfaceEthernet0/0武汉恒骏网络技术有限公司027-6315855913657288418QQ：474339332武汉誉天Cisco/RHCE认证：誉天论坛：武汉誉天Cisco/RHCE认证：誉天论坛：敖少波r1(config-if)#ipaddress202.103.12.1255.255.255.0r1(config-if)#noshur1(config-if)#exitr1(config)#cryptoisakmppolicy10r1(config-isakmp)#hashmd5r1(config-isakmp)#authenticationpre-sharer1(config-isakmp)#group5r1(config-isakmp)#cryptoisakmpkey6cisco123address1.1.1.1r1(config)#cryptoipsectransform-setccieesp-desesp-sha-hmacr1(cfg-crypto-trans)#exitr1(config)#cryptomapvpn12310ipsec-isakmp%NOTE:Thisnewcryptomapwillremaindisableduntilapeerandavalidaccesslisthavebeenconfigured.r1(config-crypto-map)#setpeer1.1.1.1r1(config-crypto-map)#settransform-setccier1(config-crypto-map)#matchaddress100r1(config-crypto-map)#inte0/0r1(config-if)#cryptomapvpn123r1(config-if)#exitr1(config)#iproute0.0.0.00.0.0.0202.103.12.2r1(config)#access-list100permitip192.168.1.00.0.0.255172.16.2.00.0.0.255配制NATr2#conftEnterconfigurationcommands,oneperline.EndwithCNTL/Z.r2(config)#interfaceEthernet0/0r2(config-if)#ipaddress202.103.12.2255.255.255.0r2(config-if)#ipnatoutsider2(config-if)#ipvirtual-reassemblyr2(config-if)#noshur2(config-if)#interfaceEthernet0/1r2(config-if)#ipaddress172.16.1.1255.255.255.0r2(config-if)#ipnatinsider2(config-if)#ipvirtual-reassemblyr2(config-if)#noshur2(config-if)#exitr2(config)#iproute0.0.0.00.0.0.0202.103.12.1r2(co