史萊姆論壇 (Slime Forum)

史萊姆論壇 (http://forum.slime.com.tw/)
-   Networking hardware and software setup technical documents (http://forum.slime.com.tw/f133.html)
-   -   Two private networks can access the Internet and communicate with each other over an IPsec VPN at the same time (http://forum.slime.com.tw/thread86598.html)

psac 2003-12-13 07:05 PM

Two private networks can access the Internet and communicate with each other over an IPsec VPN at the same time
 
I just tested this on a 7400: the IPs of both private networks can get onto the Internet, while private communication between the two private networks is guaranteed.
LAN(192.168.2.0)--(G0/1)7400(G0/0)-----------(G0/0)7400--(G0/1)------LAN
7400 IOS version: c7400-jk8o3s-mz.122-4.B7.bin
The configuration of VPN-SERVER-R is as follows:
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname VPN_SERVER_R
!
enable secret 5 $1$/xUJ$FPUpACBRvHlu3GuShRfAS1
! 'enable password' is ignored while 'enable secret' is set, and with 'no service password-encryption' it is stored in clear text
enable password cisco
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
! IKE phase 1: only the authentication method is set; encryption, hash and DH group fall back to the IOS 12.2 defaults (DES, SHA-1, group 1)
crypto isakmp policy 10
 authentication pre-share
! pre-shared key bound to the peer's outside address; must be identical on the other router
crypto isakmp key abc2001 address 10.72.200.102
!
!
! IKE phase 2 proposal: ESP with single DES and SHA-1 HMAC, tunnel mode (the default)
crypto ipsec transform-set abc-des esp-des esp-sha-hmac
crypto mib ipsec flowmib history tunnel size 200
!
crypto map abc 20 ipsec-isakmp
 set peer 10.72.200.102
 set transform-set abc-des
 match address 105
!
!
!
!
interface GigabitEthernet0/0
 ip address 10.72.200.124 255.255.255.240
 ip nat outside
 duplex auto
 speed auto
 media-type rj45
 crypto map abc
!
interface GigabitEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
 media-type rj45
!
! PAT to the Gi0/0 address for everything route-map abc permits; NAT runs before the crypto map on inside-to-outside traffic, so LAN-to-LAN traffic must be kept out of it (see ACL 150)
ip nat inside source route-map abc interface GigabitEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.72.200.113
no ip http server
ip pim bidir-enable
!
! 105 = crypto ACL: the traffic that gets encrypted; the peer's ACL 105 must be its exact mirror
access-list 105 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
! 150 = NAT ACL: the deny excludes VPN traffic from translation, everything else is PATed
access-list 150 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 permit ip 192.168.2.0 0.0.0.255 any
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
route-map abc permit 10
 match ip address 150
!
!
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
line aux 0
line vty 0 4
! clear-text lab password on the vty lines
 password cisco
 login
!
!
end
The configuration of VPN-SERVER is as follows:
!
version 12.2
no parser cache
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname vpn_server
!
logging rate-limit console 10 except errors
enable secret 5 $1$oOeg$gKas7oy5fsdCRLob2YQ/m1
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
no ip dhcp-client network-discovery
!
crypto isakmp policy 10
 authentication pre-share
! same pre-shared key, bound to VPN_SERVER_R's outside address
crypto isakmp key abc2001 address 10.72.200.124
!
!
crypto ipsec transform-set abc-des esp-des esp-sha-hmac
!
crypto map abc 20 ipsec-isakmp
 set peer 10.72.200.124
 set transform-set abc-des
 match address 105
!
call rsvp-sync
!
!
!
!
interface GigabitEthernet0/0
 ip address 10.72.200.102 255.255.255.240
 ip nat outside
 duplex auto
 speed auto
 media-type rj45
 crypto map abc
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
 media-type rj45
!
! same NAT exemption pattern as on VPN_SERVER_R: ACL 150 via route-map abc decides what gets PATed
ip nat inside source route-map abc interface GigabitEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.72.200.97
no ip http server
!
! mirror image of VPN_SERVER_R's ACLs 105 and 150 with the two LANs swapped
access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 150 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
!
!
route-map abc permit 10
 match ip address 150
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
line vty 5 15
! 'login' with no password set: IOS refuses connections on these lines
 login
!
!
end

This approach is well suited to communication within a large group organisation with many branch offices.
VPN-SERVER configuration:

Note: I changed ABC on one end to NO_NAT and the two sides can still communicate.

!
version 12.2
no parser cache
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname vpn_server
!
logging rate-limit console 10 except errors
enable secret 5 $1$oOeg$gKas7oy5fsdCRLob2YQ/m1
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
no ip dhcp-client network-discovery
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key abc2001 address 10.72.200.124
!
!
! 'mode transport' only applies to traffic between the peers themselves; IOS ignores it for LAN-to-LAN traffic (hosts behind the peers) and uses tunnel mode, which is why this still interoperates with the tunnel-mode peer
crypto ipsec transform-set abc-des esp-des esp-sha-hmac
 mode transport
!
crypto map no_nat 200 ipsec-isakmp
 set peer 10.72.200.124
 set transform-set abc-des
 match address 105
!
call rsvp-sync
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 ip address 10.72.200.102 255.255.255.240
 ip nat outside
 duplex auto
 speed auto
 media-type rj45
 crypto map no_nat
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
 media-type rj45
!
! only the route-map name changed; ACL 150 still keeps LAN-to-LAN traffic untranslated
ip nat inside source route-map no_nat interface GigabitEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.72.200.97
no ip http server
!
access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 150 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
!
!
route-map no_nat permit 10
 match ip address 150
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
line vty 5 15
 login
!
!
end
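Added example (not part of psac's post, and not Cisco code): a small Python model of what the configs above rely on. On IOS, an inside-to-outside packet is handed to NAT before the crypto map, so the `deny` line in ACL 150 is what keeps 192.168.2.0/24 to 192.168.1.0/24 traffic untranslated and therefore still matching crypto ACL 105. The script parses the ACL lines exactly as posted, walks sample flows through the NAT decision and then the crypto-map match, repeats the walk with the deny line removed (a constructed mistake, not something in the post), and finally checks that the two routers' crypto ACLs are mirror images of each other. The packet addresses and the broken ACL variant are constructed for the example; contiguous wildcard masks are assumed.

```python
"""Model of IOS NAT-before-crypto ordering for the configs in the post.

ACL text is transcribed from the post; flows and BROKEN_ACLS are constructed
for this example.  Wildcard masks are assumed contiguous (as in the post).
"""
import ipaddress

# ACLs exactly as configured on VPN_SERVER_R in the post.
VPN_SERVER_R_ACLS = """\
access-list 105 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 permit ip 192.168.2.0 0.0.0.255 any
"""
# Constructed mistake: the NAT-exemption deny line is missing.
BROKEN_ACLS = """\
access-list 105 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 permit ip 192.168.2.0 0.0.0.255 any
"""
# Crypto ACL of the peer (vpn_server) from the post.
VPN_SERVER_ACLS = "access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255\n"


def _addr(tokens):
    """Consume one IOS address spec ('any', 'host A', or 'A WILDCARD'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    wildcard = int(ipaddress.ip_address(tokens[1]))
    mask = ~wildcard & 0xFFFFFFFF  # wildcard bits are the inverse of the netmask
    base = int(ipaddress.ip_address(tokens[0])) & mask
    net = ipaddress.ip_network(f"{ipaddress.ip_address(base)}/{ipaddress.ip_address(mask)}")
    return net, tokens[2:]


def parse_acls(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into {N: [(action, src_net, dst_net), ...]}."""
    acls = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue
        src, rest = _addr(tokens[4:])
        dst, rest = _addr(rest)
        acls.setdefault(tokens[1], []).append((tokens[2], src, dst))
    return acls


def acl_action(entries, src, dst):
    """IOS semantics: first matching entry wins, implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action
    return "deny"


def classify(acl_text, src, dst, nat_acl="150", crypto_acl="105", outside_ip="10.72.200.124"):
    """Return what leaves Gi0/0 for an inside->outside packet: its source address,
    whether PAT rewrote it, and whether the crypto map encrypted it."""
    acls = parse_acls(acl_text)
    # Step 1: NAT.  route-map abc translates (PAT to Gi0/0) when ACL 150 permits.
    natted = acl_action(acls.get(nat_acl, []), src, dst) == "permit"
    egress_src = outside_ip if natted else src
    # Step 2: the crypto map matches the post-NAT packet against ACL 105.
    encrypted = acl_action(acls.get(crypto_acl, []), egress_src, dst) == "permit"
    return {"src": egress_src, "natted": natted, "encrypted": encrypted}


def crypto_acls_mirror(local_text, peer_text, acl="105"):
    """True when every permit in the local crypto ACL appears on the peer with
    source and destination swapped; an asymmetric pair makes phase 2 fail."""
    local = {(s, d) for a, s, d in parse_acls(local_text).get(acl, []) if a == "permit"}
    peer = {(d, s) for a, s, d in parse_acls(peer_text).get(acl, []) if a == "permit"}
    return local == peer


if __name__ == "__main__":
    for label, text in (("as posted", VPN_SERVER_R_ACLS), ("without the deny", BROKEN_ACLS)):
        for dst in ("192.168.1.20", "8.8.8.8"):
            print(label, "192.168.2.10 ->", dst, classify(text, "192.168.2.10", dst))
    print("crypto ACLs mirror:", crypto_acls_mirror(VPN_SERVER_R_ACLS, VPN_SERVER_ACLS))
```

With the ACLs as posted, a packet from 192.168.2.10 to 192.168.1.20 is left untranslated and encrypted, while a packet to 8.8.8.8 is PATed to 10.72.200.124 and sent in the clear. Without the deny line, the LAN-to-LAN packet is PATed first, no longer matches ACL 105, and leaves Gi0/0 unencrypted with the public source address; that is the symptom to look for when the VPN "comes up" but the remote LAN stays unreachable.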

