2003-12-13, 07:05 PM  #1
Honorary Member
Two private networks reaching the Internet at the same time while also talking to each other over an IPsec VPN

I just tested this on a 7400: hosts in both private networks can reach the Internet, and the traffic between the two private networks is kept private.

LAN(192.168.2.0)--(G0/1)7400(G0/0)-----------(G0/0)7400--(G0/1)------LAN

7400 image: c7400-jk8o3s-mz.122-4.B7.bin

Configuration of VPN-SERVER-R:

!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname VPN_SERVER_R
!
enable secret 5 $1$/xUJ$FPUpACBRvHlu3GuShRfAS1
enable password cisco
!
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key abc2001 address 10.72.200.102
!
crypto ipsec transform-set abc-des esp-des esp-sha-hmac
crypto mib ipsec flowmib history tunnel size 200
!
crypto map abc 20 ipsec-isakmp
 set peer 10.72.200.102
 set transform-set abc-des
 match address 105
!
interface GigabitEthernet0/0
 ip address 10.72.200.124 255.255.255.240
 ip nat outside
 duplex auto
 speed auto
 media-type rj45
 crypto map abc
!
interface GigabitEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
 media-type rj45
!
ip nat inside source route-map abc interface GigabitEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.72.200.113
no ip http server
ip pim bidir-enable
!
access-list 105 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 permit ip 192.168.2.0 0.0.0.255 any
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
route-map abc permit 10
 match ip address 150
!
call rsvp-sync
!
mgcp profile default
!
dial-peer cor custom
!
gatekeeper
 shutdown
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
!
end

Configuration of VPN-SERVER:

!
version 12.2
no parser cache
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname vpn_server
!
logging rate-limit console 10 except errors
enable secret 5 $1$oOeg$gKas7oy5fsdCRLob2YQ/m1
!
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
no ip dhcp-client network-discovery
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key abc2001 address 10.72.200.124
!
crypto ipsec transform-set abc-des esp-des esp-sha-hmac
!
crypto map abc 20 ipsec-isakmp
 set peer 10.72.200.124
 set transform-set abc-des
 match address 105
!
call rsvp-sync
!
interface GigabitEthernet0/0
 ip address 10.72.200.102 255.255.255.240
 ip nat outside
 duplex auto
 speed auto
 media-type rj45
 crypto map abc
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
 media-type rj45
!
ip nat inside source route-map abc interface GigabitEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.72.200.97
no ip http server
!
access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 150 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
!
route-map abc permit 10
 match ip address 150
!
gatekeeper
 shutdown
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
line vty 5 15
 login
!
end

This approach is better suited to communication within a large group organization with many branch offices.

Configuration of VPN-SERVER. Note: I changed ABC on one end to no_nat and the two sides can still reach each other.

!
version 12.2
no parser cache
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname vpn_server
!
logging rate-limit console 10 except errors
enable secret 5 $1$oOeg$gKas7oy5fsdCRLob2YQ/m1
!
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
no ip dhcp-client network-discovery
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key abc2001 address 10.72.200.124
!
crypto ipsec transform-set abc-des esp-des esp-sha-hmac
 mode transport
!
crypto map no_nat 200 ipsec-isakmp
 set peer 10.72.200.124
 set transform-set abc-des
 match address 105
!
call rsvp-sync
!
interface GigabitEthernet0/0
 ip address 10.72.200.102 255.255.255.240
 ip nat outside
 duplex auto
 speed auto
 media-type rj45
 crypto map no_nat
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
 media-type rj45
!
ip nat inside source route-map no_nat interface GigabitEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.72.200.97
no ip http server
!
access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 150 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
!
route-map no_nat permit 10
 match ip address 150
!
gatekeeper
 shutdown
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
line vty 5 15
 login
!
end
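The pattern in this post stands or falls on three things lining up: the two crypto ACLs (105) must be mirror images of each other; the ACL that the NAT route-map references (150) must deny the LAN-to-LAN pair before it permits anything, because IOS translates inside-to-outside traffic before it evaluates the crypto map, so a PATed 192.168.x.0 source would never match ACL 105; and each side must hold an ISAKMP key for exactly the peer it sets. The transform-set as posted (esp-des esp-sha-hmac, with a pre-shared key and an ISAKMP policy that leaves the other parameters at their 12.2 defaults) is 2003-era crypto and should be flagged in any review today, as should the cleartext `enable password cisco` and vty password `cisco` with `no service password-encryption`. The Python below is an added example, not the poster's code: `parse_ios`, `check_pair` and `audit` pull the relevant lines out of a pair of IOS configs and report exactly those inconsistencies. The sample configs `SITE_R` / `SITE_S` are constructed from the post's addresses and trimmed to the lines the checks read; the AES-256/SHA-256 transform-set in `HARDEN` is an assumed replacement proposal, not something the post tested.

```python
# Added example (not the poster's code): consistency checks for a pair of IOS site-to-site
# IPsec configs that use a route-map for NAT exemption, the pattern in the post above.
from ipaddress import IPv4Network

WEAK_ALGS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}  # flag these in any audit

def _net(t, i):  # one ACL address spec at t[i] ("any" or "ADDR WILDCARD") -> (network, next index)
    if t[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    mask = ".".join(str(255 - int(o)) for o in t[i + 1].split("."))  # IOS wildcard -> netmask
    return IPv4Network(f"{t[i]}/{mask}", strict=False), i + 2

def parse_ios(text):
    """Extract the ACL, route-map, crypto-map, transform-set and ISAKMP-key pieces of a show-run."""
    cfg = {"hostname": "?", "acl": {}, "route_map": {}, "crypto_map": {},
           "isakmp_key": {}, "transform": {}, "nat_route_map": None}
    ctx = None  # (kind, name) of the indented block we are inside
    for raw in filter(str.strip, text.splitlines()):
        t = raw.split()
        if raw.startswith(" "):  # sub-command of the block opened by the last top-level line
            if ctx and ctx[0] == "route-map" and t[:3] == ["match", "ip", "address"]:
                cfg["route_map"][ctx[1]] = t[3]
            elif ctx and ctx[0] == "crypto-map" and t[0] in ("set", "match"):
                cfg["crypto_map"].setdefault(ctx[1], {})[t[1]] = t[2]  # peer / transform-set / address
            continue
        ctx = None
        if t[0] == "hostname":
            cfg["hostname"] = t[1]
        elif t[0] == "access-list" and len(t) > 4 and t[3] == "ip":
            src, i = _net(t, 4)
            cfg["acl"].setdefault(t[1], []).append((t[2], src, _net(t, i)[0]))
        elif t[0] == "route-map":
            ctx = ("route-map", t[1])
        elif t[:2] == ["crypto", "map"] and "ipsec-isakmp" in t:
            ctx = ("crypto-map", t[2])
        elif t[:3] == ["crypto", "isakmp", "key"]:  # crypto isakmp key <key> address <peer>
            cfg["isakmp_key"][t[5]] = t[3]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform"][t[3]] = set(t[4:])
        elif t[:5] == ["ip", "nat", "inside", "source", "route-map"]:
            cfg["nat_route_map"] = t[5]
    return cfg

def _nat_exempt(nat_acl, src, dst):  # first matching entry decides; no match = implicit deny = no NAT
    for action, s, d in nat_acl:
        if s.supernet_of(src) and d.supernet_of(dst):
            return action == "deny"
    return True

def check_pair(cfg_a, cfg_b):
    """Return findings for the two peers; an empty list means they are consistent."""
    findings, interesting, hosts = [], [], [cfg_a["hostname"], cfg_b["hostname"]]
    for cfg in (cfg_a, cfg_b):
        host, mine = cfg["hostname"], set()
        nat_acl = cfg["acl"].get(cfg["route_map"].get(cfg["nat_route_map"]), [])
        for cm in cfg["crypto_map"].values():
            if cm.get("peer") not in cfg["isakmp_key"]:
                findings.append(f"{host}: no ISAKMP key for peer {cm.get('peer')}")
            weak = cfg["transform"].get(cm.get("transform-set"), set()) & WEAK_ALGS
            if weak:
                findings.append(f"{host}: transform-set {cm.get('transform-set')} uses {sorted(weak)}")
            for action, s, d in cfg["acl"].get(cm.get("address"), []):
                if action == "permit":
                    mine.add((s, d))
                    if not _nat_exempt(nat_acl, s, d):  # PAT would rewrite the source before IPsec
                        findings.append(f"{host}: {s} -> {d} is PATed before it can match crypto ACL {cm.get('address')}")
        interesting.append(mine)
    for k in (0, 1):  # each crypto ACL must be the mirror image of the other side's
        findings += [f"{hosts[1 - k]}: crypto ACL lacks mirror entry {d} -> {s}"
                     for s, d in interesting[k] if (d, s) not in interesting[1 - k]]
    return findings

# Constructed sample: the post's VPN_SERVER_R, trimmed to the lines the checks read.
SITE_R = """\
hostname VPN_SERVER_R
crypto isakmp key abc2001 address 10.72.200.102
crypto ipsec transform-set abc-des esp-des esp-sha-hmac
crypto map abc 20 ipsec-isakmp
 set peer 10.72.200.102
 set transform-set abc-des
 match address 105
ip nat inside source route-map abc interface GigabitEthernet0/0 overload
access-list 105 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 permit ip 192.168.2.0 0.0.0.255 any
route-map abc permit 10
 match ip address 150
"""
# The other side is the same config with hostname, peer address and the two LANs swapped.
SITE_S = (SITE_R.replace("VPN_SERVER_R", "vpn_server").replace("10.72.200.102", "10.72.200.124")
          .replace("192.168.2.0", "@").replace("192.168.1.0", "192.168.2.0").replace("@", "192.168.1.0"))
# Classic mistake: without the deny line, LAN-to-LAN traffic is PATed and never matches ACL 105.
SITE_S_NO_EXEMPT = SITE_S.replace("access-list 150 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255\n", "")
HARDEN = ("esp-des esp-sha-hmac", "esp-aes 256 esp-sha256-hmac")  # assumed modern proposal

def audit(text_a, text_b):
    return check_pair(parse_ios(text_a), parse_ios(text_b))
```

`audit(SITE_R, SITE_S)` reports only the two DES findings; `audit(SITE_R, SITE_S_NO_EXEMPT)` adds the PAT finding for vpn_server, and a side whose ACL 105 lacks the mirror entry is reported by name. With both configs passed through `str.replace(*HARDEN)` the list is empty. The checker reads `show running-config` text, so it can be run against the full configs in the post as well as the trimmed samples.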