NAT对VPN的影响

NAT对VPN的影响R1R3R2R1R2R3初始配置interfaceLoopback0ipaddress1.1.1.1255.255.255.255interfaceSerial1/1ipaddress10.1.12.1255.255.255.0serialrestart-delay0iproute0.0.0.00.0.0.010.1.12.2初始配置interfaceLoopback0ipaddress2.2.2.2255.255.255.255interfaceSerial1/0ipaddress10.1.12.2255.255.255.0serialrestart-delay0interfaceSerial1/1ipaddress10.1.23.2255.255.255.0serialrestart-delay0初始配置interfaceLoopback0ipaddress3.3.3.3255.255.255.255interfaceSerial1/0ipaddress10.1.23.3255.255.255.0serialrestart-delay0iproute0.0.0.00.0.0.010.1.23.2正常的L2L配置access-list100permitiphost1.1.1.1host3.3.3.3cryptoisakmppolicy10authenticationpre-sharecryptoisakmpkeyciscoaddress10.1.23.3cryptoipsectransform-setciscoesp-3desesp-md5-hmaccryptomapcisco10ipsec-isakmpsetpeer10.1.23.3settransform-setciscomatchaddress100interfaceSerial1/1ipaddress10.1.12.1255.255.255.0serialrestart-delay0cryptomapcisco正常的L2L配置access-list100permitiphost3.3.3.3host1.1.1.1cryptoisakmppolicy10authenticationpre-sharecryptoisakmpkeyciscoaddress10.1.12.1cryptoipsectransform-setciscoesp-3desesp-md5-hmaccryptomapcisco10ipsec-isakmpsetpeer10.1.12.1settransform-setciscomatchaddress100interfaceSerial1/0ipaddress10.1.23.3255.255.255.0serialrestart-delay0cryptomapcisco配置PATAccess-list101permitip1.1.1.00.0.0.255anyInterfaceloopback0IpnatinsideInterfaces1/0IpnatoutsideIpnatinsidesourcelist101interfaces1/0overload(IPSEC会不通，因为流量在出去的时候会改变成s1/0的地址，不符合了感兴趣流)解决办法1：Access-list101denyip1.1.1.00.0.0.2552.2.2.00.0.0.255(把感兴趣流deny掉，要在原来的ACL前加)解决办法2：Interfaceloopback100Ipadd33.33.33.33255.255.255.255Access-list102permitip1.1.1.00.0.0.2552.2.2.00.0.0.255Route-maptestMatchipadd102Setinterfaceloopback100Ints1/0Ippolicyroute-maptest(原理：使用了将流量不进行转换的方式。PAT实现有3个条件：1，要匹配感兴趣流2，要从inside接口进入3，要从outside接口出去在内部接口调用时发现了去感兴趣流的流量，但是并没有送到出接口，而是送到了环回口，环回口是本地地址，去环回口的流量还是要送会本地的，然后再从s1/1的outside接口出去，打破了PAT的实现条件，虽然匹配了感兴趣流，从inside接口进入，但是送到了环口，再从环口出去，那对于outside来说这个流量并不是从inside收到的，而是从loopback地址收到的，所以不会转换