Old 2003-12-13, 07:05 PM   #1
psac
Two private networks can access the Internet at the same time and communicate with each other over an IPsec VPN

I just ran a test with two 7400s so that the IPs of two private networks can reach the Internet while the private traffic between the two networks stays private.
LAN(192.168.2.0)--(G0/1)7400(G0/0)-----------(G0/0)7400--(G0/1)------LAN
The 7400 software version is c7400-jk8o3s-mz.122-4.B7.bin
The configuration of VPN-SERVER-R is as follows:
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname VPN_SERVER_R
!
enable secret 5 $1$/xUJ$FPUpACBRvHlu3GuShRfAS1
enable password cisco
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key abc2001 address 10.72.200.102
!
!
crypto ipsec transform-set abc-des esp-des esp-sha-hmac
crypto mib ipsec flowmib history tunnel size 200
!
crypto map abc 20 ipsec-isakmp
set peer 10.72.200.102
set transform-set abc-des
match address 105
!
!
!
!
interface GigabitEthernet0/0
ip address 10.72.200.124 255.255.255.240
ip nat outside
duplex auto
speed auto
media-type rj45
crypto map abc
!
interface GigabitEthernet0/1
ip address 192.168.2.1 255.255.255.0
ip nat inside
duplex auto
speed auto
media-type rj45
!
ip nat inside source route-map abc interface GigabitEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.72.200.113
no ip http server
ip pim bidir-enable
!
access-list 105 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 permit ip 192.168.2.0 0.0.0.255 any
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
route-map abc permit 10
match ip address 150
!
!
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
!
end
The configuration of VPN-SERVER is as follows:
!
version 12.2
no parser cache
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname vpn_server
!
logging rate-limit console 10 except errors
enable secret 5 $1$oOeg$gKas7oy5fsdCRLob2YQ/m1
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
no ip dhcp-client network-discovery
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key abc2001 address 10.72.200.124
!
!
crypto ipsec transform-set abc-des esp-des esp-sha-hmac
!
crypto map abc 20 ipsec-isakmp
set peer 10.72.200.124
set transform-set abc-des
match address 105
!
call rsvp-sync
!
!
!
!
interface GigabitEthernet0/0
ip address 10.72.200.102 255.255.255.240
ip nat outside
duplex auto
speed auto
media-type rj45
crypto map abc
!
interface GigabitEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
duplex auto
speed auto
media-type rj45
!
ip nat inside source route-map abc interface GigabitEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.72.200.97
no ip http server
!
access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 150 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
!
!
route-map abc permit 10
match ip address 150
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
line aux 0
line vty 0 4
password cisco
login
line vty 5 15
login
!
!
end

This approach is better suited to the communications of large group organizations with many branch offices.
VPN-SERVER configuration:

Note: I changed ABC on one side to NO_NAT and the two sides can still communicate.

!
version 12.2
no parser cache
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname vpn_server
!
logging rate-limit console 10 except errors
enable secret 5 $1$oOeg$gKas7oy5fsdCRLob2YQ/m1
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
no ip dhcp-client network-discovery
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key abc2001 address 10.72.200.124
!
!
crypto ipsec transform-set abc-des esp-des esp-sha-hmac
mode transport
!
crypto map no_nat 200 ipsec-isakmp
set peer 10.72.200.124
set transform-set abc-des
match address 105
!
call rsvp-sync
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address 10.72.200.102 255.255.255.240
ip nat outside
duplex auto
speed auto
media-type rj45
crypto map no_nat
!
interface GigabitEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
duplex auto
speed auto
media-type rj45
!
ip nat inside source route-map no_nat interface GigabitEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.72.200.97
no ip http server
!
access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 150 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
!
!
route-map no_nat permit 10
match ip address 150
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
line aux 0
line vty 0 4
password cisco
login
line vty 5 15
login
!
!
end
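As an added illustration (not part of psac's post and not Cisco code), the following Python model replays how VPN_SERVER_R treats a packet from LAN 192.168.2.0/24: the route-map bound to "ip nat inside source" decides whether the packet is translated, and only then does the crypto map check access-list 105 against the packet. ACL_150_NO_EXEMPT is a hypothetical version of access-list 150 without its deny entry; it shows that without that exemption the LAN-to-LAN traffic is translated to 10.72.200.124, no longer matches the crypto ACL and leaves the router in the clear.

```python
import ipaddress

# Constructed model of VPN_SERVER_R (not Cisco code): wildcard-mask ACLs,
# the NAT route-map and the crypto map, applied in the order IOS uses for
# an inside-to-outside packet: NAT first, then the crypto map on Gi0/0.

def wildcard_match(addr, network, wildcard):
    """IOS-style ACE match: bits set in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def acl_match(entries, src, dst):
    """Action of the first matching ACE, or the implicit deny at the end."""
    for action, s_net, s_wc, d_net, d_wc in entries:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")
OUTSIDE_IP = "10.72.200.124"   # GigabitEthernet0/0 of VPN_SERVER_R

# access-list 105: the crypto ACL referenced by 'crypto map abc 20'
ACL_105 = [("permit", "192.168.2.0", "0.0.0.255", "192.168.1.0", "0.0.0.255")]
# access-list 150: referenced by 'route-map abc'; the deny ACE exempts VPN traffic
ACL_150 = [("deny", "192.168.2.0", "0.0.0.255", "192.168.1.0", "0.0.0.255"),
           ("permit", "192.168.2.0", "0.0.0.255", *ANY)]
# Hypothetical variant without the deny ACE, to show why it is required
ACL_150_NO_EXEMPT = [("permit", "192.168.2.0", "0.0.0.255", *ANY)]

def forward(src, dst, nat_acl=ACL_150):
    """Return (source address on the wire, True if the packet is IPsec-protected)."""
    # 'ip nat inside source route-map abc ... overload': the packet is PAT'ed
    # only when the route-map's ACL permits it
    if acl_match(nat_acl, src, dst) == "permit":
        src = OUTSIDE_IP
    # 'match address 105' is evaluated against the packet after NAT
    protected = acl_match(ACL_105, src, dst) == "permit"
    return src, protected

if __name__ == "__main__":
    print(forward("192.168.2.10", "192.168.1.20"))   # LAN-to-LAN: untranslated, encrypted
    print(forward("192.168.2.10", "203.0.113.5"))    # Internet (constructed address): PAT'ed, clear
    print(forward("192.168.2.10", "192.168.1.20", ACL_150_NO_EXEMPT))  # PAT'ed, leaves in the clear
```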