1. Understand how NAT works.
2. Understand how an IPsec VPN works.
3. Use NAT so that the internal-network devices (the "ospf 2" side) can reach the public network (the "ospf 1" side), and use the VPN to protect the traffic between the internal sites.

Interface IP configuration
- R1(config)#interface loopback 0
- R1(config-if)#ip address 1.1.1.1 255.255.255.0
- R1(config)#interface e0/1
- R1(config-if)#ip address 12.12.12.1 255.255.255.0
- R1(config-if)#no shutdown
- R1(config-if)#interface e0/0
- R1(config-if)#ip address 192.168.15.1 255.255.255.0
- R1(config-if)#no shutdown
-
- R2(config)#interface loopback 0
- R2(config-if)#ip address 2.2.2.2 255.255.255.0
- R2(config)#interface e0/1
- R2(config-if)#ip address 12.12.12.2 255.255.255.0
- R2(config-if)#no shutdown
- R2(config-if)#interface e0/2
- R2(config-if)#ip address 23.23.23.2 255.255.255.0
- R2(config-if)#no shutdown
- R2(config-if)#interface e0/3
- R2(config-if)#ip address 24.24.24.2 255.255.255.0
- R2(config-if)#no shutdown
-
- R3(config)#interface loopback 0
- R3(config-if)#ip address 3.3.3.3 255.255.255.0
- R3(config)#interface e0/2
- R3(config-if)#ip address 23.23.23.3 255.255.255.0
- R3(config-if)#no shutdown
- R3(config-if)#interface e0/0
- R3(config-if)#ip address 192.168.36.3 255.255.255.0
- R3(config-if)#no shutdown
-
- R4(config)#interface e0/3
- R4(config-if)#ip address 24.24.24.4 255.255.255.0
- R4(config-if)#no shutdown
- R4(config-if)#interface e0/0
- R4(config-if)#ip address 192.168.47.4 255.255.255.0
- R4(config-if)#no shutdown
- R4(config)#interface loopback 0
- R4(config-if)#ip address 4.4.4.4 255.255.255.0
-
- R5(config)#interface loopback 0
- R5(config-if)#ip address 10.5.5.5 255.255.255.0
- R5(config)#interface e0/0
- R5(config-if)#ip address 192.168.15.5 255.255.255.0
- R5(config-if)#no shutdown
-
- R6(config)#interface e0/0
- R6(config-if)#ip address 192.168.36.6 255.255.255.0
- R6(config-if)#no shutdown
- R6(config)#interface loopback 0
- R6(config-if)#ip address 10.6.6.6 255.255.255.0
-
- R7(config)#interface e0/0
- R7(config-if)#ip address 192.168.47.7 255.255.255.0
- R7(config-if)#no shutdown
- R7(config)#interface loopback 0
- R7(config-if)#ip address 10.7.7.7 255.255.255.0
Underlay (OSPF) configuration. Each edge router (R1, R3, R4) runs two OSPF processes: process 1 faces the ISP (R2) and process 2 faces the site LAN. The process ID is only locally significant, so R5 and R7 running "router ospf 1" still form adjacencies with the process-2 side of R1 and R4. What matters is that the ISP-facing and LAN-facing networks stay in separate processes with no redistribution between them, so the private 10.x.x.x and 192.168.x.0 prefixes are never advertised to R2.
- R1(config)#router ospf 2
- R1(config-router)#network 192.168.15.0 0.0.0.255 area 0
- R1(config-router)#router ospf 1
- R1(config-router)#network 12.12.12.0 0.0.0.255 area 0
-
- R2(config)#router ospf 1
- R2(config-router)#network 2.2.2.2 0.0.0.0 area 0
- R2(config-router)#network 23.23.23.0 0.0.0.255 area 0
- R2(config-router)#network 24.24.24.0 0.0.0.255 area 0
- R2(config-router)#network 12.12.12.0 0.0.0.255 area 0
-
- R3(config)#router ospf 1
- R3(config-router)#net 23.23.23.0 0.0.0.255 area 0
- R3(config-router)#router ospf 2
- R3(config-router)#network 192.168.36.0 0.0.0.255 area 0
-
- R4(config)#router ospf 1
- R4(config-router)#network 24.24.24.0 0.0.0.255 area 0
- R4(config-router)#router ospf 2
- R4(config-router)#network 192.168.47.0 0.0.0.255 area 0
-
- R5(config)#router ospf 1
- R5(config-router)#network 192.168.15.0 0.0.0.255 area 0
- R5(config-router)#network 10.5.5.5 0.0.0.0 area 0
-
- R6(config)#router ospf 2
- R6(config-router)#network 10.6.6.6 0.0.0.0 area 0
- R6(config-router)#network 192.168.36.0 0.0.0.255 area 0
-
- R7(config)#router ospf 1
- R7(config-router)#network 10.7.7.7 0.0.0.0 area 0
- R7(config-router)#network 192.168.47.0 0.0.0.255 area 0
Check that the OSPF adjacencies are up and that R1, R3 and R4 each learn their own site's internal route (10.5.5.5, 10.6.6.6 and 10.7.7.7 respectively). At this point R5, R6 and R7 cannot reach 2.2.2.2 on the public side: the private prefixes exist only in OSPF process 2 and nothing is redistributed into process 1, so R2 has no route to them.
- R1#show ip ospf neighbor
-
- Neighbor ID Pri State Dead Time Address Interface
- 2.2.2.2 1 FULL/BDR 00:00:36 12.12.12.2 Ethernet0/1
- 10.5.5.5 1 FULL/BDR 00:00:35 192.168.15.5 Ethernet0/0
-
- R3#show ip ospf neighbor
-
- Neighbor ID Pri State Dead Time Address Interface
- 10.6.6.6 1 FULL/BDR 00:00:35 192.168.36.6 Ethernet0/0
- 2.2.2.2 1 FULL/DR 00:00:36 23.23.23.2 Ethernet0/2
-
- R4#show ip ospf neighbor
-
- Neighbor ID Pri State Dead Time Address Interface
- 10.7.7.7 1 FULL/BDR 00:00:33 192.168.47.7 Ethernet0/0
- 2.2.2.2 1 FULL/DR 00:00:32 24.24.24.2 Ethernet0/3
- R1#show ip route ospf
-
-
- Gateway of last resort is not set
-
- 2.0.0.0/32 is subnetted, 1 subnets
- O 2.2.2.2 [110/11] via 12.12.12.2, 00:12:20, Ethernet0/1
- 10.0.0.0/32 is subnetted, 1 subnets
- O 10.5.5.5 [110/11] via 192.168.15.5, 00:10:20, Ethernet0/0
- 23.0.0.0/24 is subnetted, 1 subnets
- O 23.23.23.0 [110/20] via 12.12.12.2, 00:12:20, Ethernet0/1
- 24.0.0.0/24 is subnetted, 1 subnets
- O 24.24.24.0 [110/20] via 12.12.12.2, 00:12:20, Ethernet0/1
-
- R3#show ip route ospf
-
-
- Gateway of last resort is not set
-
- 2.0.0.0/32 is subnetted, 1 subnets
- O 2.2.2.2 [110/11] via 23.23.23.2, 00:12:19, Ethernet0/2
- 10.0.0.0/32 is subnetted, 1 subnets
- O 10.6.6.6 [110/11] via 192.168.36.6, 00:06:47, Ethernet0/0
- 12.0.0.0/24 is subnetted, 1 subnets
- O 12.12.12.0 [110/20] via 23.23.23.2, 00:12:19, Ethernet0/2
- 24.0.0.0/24 is subnetted, 1 subnets
- O 24.24.24.0 [110/20] via 23.23.23.2, 00:12:19, Ethernet0/2
-
- R4#show ip route ospf
-
-
- Gateway of last resort is not set
-
- 2.0.0.0/32 is subnetted, 1 subnets
- O 2.2.2.2 [110/11] via 24.24.24.2, 00:11:38, Ethernet0/3
- 10.0.0.0/32 is subnetted, 1 subnets
- O 10.7.7.7 [110/11] via 192.168.47.7, 00:06:26, Ethernet0/0
- 12.0.0.0/24 is subnetted, 1 subnets
- O 12.12.12.0 [110/20] via 24.24.24.2, 00:11:38, Ethernet0/3
- 23.0.0.0/24 is subnetted, 1 subnets
- O 23.23.23.0 [110/20] via 24.24.24.2, 00:11:38, Ethernet0/3
Configure a static default route on R1, R3 and R4 pointing to the ISP (R2), and inject it into OSPF process 2 so the internal routers learn it.
- R1(config)#ip route 0.0.0.0 0.0.0.0 12.12.12.2
- R1(config)#router ospf 2
- R1(config-router)#default-information originate
-
- R3(config)#ip route 0.0.0.0 0.0.0.0 23.23.23.2
- R3(config)#router ospf 2
- R3(config-router)#default-information originate
-
- R4(config)#ip route 0.0.0.0 0.0.0.0 24.24.24.2
- R4(config)#router ospf 2
- R4(config-router)#default-information originate
After the configuration above, verify that R5, R6 and R7 learn the default route through OSPF.
- R5#show ip route ospf
-
- Gateway of last resort is 192.168.15.1 to network 0.0.0.0
-
- O*E2 0.0.0.0/0 [110/1] via 192.168.15.1, 00:02:22, Ethernet0/0
-
- R6#show ip route ospf
-
- Gateway of last resort is 192.168.36.3 to network 0.0.0.0
-
- O*E2 0.0.0.0/0 [110/1] via 192.168.36.3, 00:01:30, Ethernet0/0
-
- R7#show ip route ospf
-
- Gateway of last resort is 192.168.47.4 to network 0.0.0.0
-
- O*E2 0.0.0.0/0 [110/1] via 192.168.47.4, 00:01:57, Ethernet0/0
Even so, R5, R6 and R7 still cannot reach the public network: packets go out via the default route, but the replies cannot come back, because R2 has no route to the 10.x.x.x or 192.168.x.0 source addresses (those prefixes live only in OSPF process 2). The ping below is sourced from R6's e0/0 address 192.168.36.6, which R2 cannot return to.
- R6#ping 2.2.2.2
- Type escape sequence to abort.
- Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
- .....
- Success rate is 0 percent (0/5)
Configure NAT on R1, R3 and R4. The LAN interface is the NAT inside, the ISP-facing interface is the NAT outside, and inside hosts are translated to the outside interface address with port overloading (PAT). The deny entries at the top of each access list exempt site-to-site traffic from translation. They are the standard NAT exemption for IPsec: on the inside-to-outside path IOS applies NAT before encryption, so traffic that is meant to cross the VPN must be excluded from the NAT list, otherwise its source address would be rewritten and would no longer match the crypto ACL configured later. Order matters: the access list is evaluated first match wins, so the deny lines must precede the permit line. Note that the lists only cover the loopback /24s, so a ping from R5 to 2.2.2.2 must be sourced from 10.5.5.5 to be translated; verify with show ip nat translations on R1.
- R1(config)#interface e0/0
- R1(config-if)#ip nat inside
- R1(config-if)#interface e0/1
- R1(config-if)#ip nat outside
- R1(config)#access-list 105 deny ip 10.5.5.0 0.0.0.255 10.6.6.0 0.0.0.255
- R1(config)#access-list 105 deny ip 10.5.5.0 0.0.0.255 10.7.7.0 0.0.0.255
- R1(config)#access-list 105 permit ip 10.5.5.0 0.0.0.255 any
- R1(config)#ip nat inside source list 105 interface e0/1 overload
-
- R3(config)#interface e0/0
- R3(config-if)#ip nat inside
- R3(config-if)#interface e0/2
- R3(config-if)#ip nat outside
- R3(config)#access-list 106 deny ip 10.6.6.0 0.0.0.255 10.5.5.0 0.0.0.255
- R3(config)#access-list 106 permit ip 10.6.6.0 0.0.0.255 any
- R3(config)#ip nat inside source list 106 interface e0/2 overload
-
- R4(config)#interface e0/0
- R4(config-if)#ip nat inside
- R4(config-if)#interface e0/3
- R4(config-if)#ip nat outside
- R4(config)#access-list 107 deny ip 10.7.7.0 0.0.0.255 10.5.5.0 0.0.0.255
- R4(config)#access-list 107 permit ip 10.7.7.0 0.0.0.255 any
- R4(config)#ip nat inside source list 107 interface e0/3 overload
Create GRE tunnels on R1, R3 and R4 so the three sites can exchange their internal routes. Each tunnel is sourced from the ISP-facing interface and placed in OSPF process 2, so the 10.x.x.x prefixes are advertised between sites through the tunnels while remaining invisible to R2. Both ends of a tunnel must be in the same OSPF area (area 0 here) or the adjacency will not form. R1 is the hub: R3 and R4 each have a tunnel only to R1, so traffic between R6 and R7 transits R1.
- R1(config)#interface tunnel 13
- R1(config-if)#ip address 172.16.13.1 255.255.255.0
- R1(config-if)#tunnel source e0/1
- R1(config-if)#tunnel destination 23.23.23.3
- R1(config-if)#tunnel mode gre ip
- R1(config-if)#ip ospf 2 area 0
- R1(config)#interface tunnel 14
- R1(config-if)#ip address 172.16.14.1 255.255.255.0
- R1(config-if)#tunnel source e0/1
- R1(config-if)#tunnel destination 24.24.24.4
- R1(config-if)#tunnel mode gre ip
- R1(config-if)#ip ospf 2 area 0
-
- R3(config)#interface tunnel 13
- R3(config-if)#ip address 172.16.13.3 255.255.255.0
- R3(config-if)#tunnel source e0/2
- R3(config-if)#tunnel destination 12.12.12.1
- R3(config-if)#tunnel mode gre ip
- R3(config-if)#ip ospf 2 area 0
-
- R4(config)#interface tunnel 14
- R4(config-if)#ip address 172.16.14.4 255.255.255.0
- R4(config-if)#tunnel source e0/3
- R4(config-if)#tunnel destination 12.12.12.1
- R4(config-if)#tunnel mode gre ip
- R4(config-if)#ip ospf 2 area 0
Confirm that R5, R6 and R7 learn each other's routes through the tunnels and can ping each other. The metrics of 1010 and above reflect the GRE tunnels' default bandwidth of 100 kbit/s, which gives them an OSPF cost of 1000. At this stage nothing is encrypted: site-to-site packets cross the ISP inside plain GRE, and anyone on the path through R2 can read the inner 10.x.x.x addresses and the payload.
- R5#show ip route ospf
-
-
- Gateway of last resort is 192.168.15.1 to network 0.0.0.0
-
- O*E2 0.0.0.0/0 [110/1] via 192.168.15.1, 00:38:13, Ethernet0/0
- 10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
- O 10.6.6.6/32 [110/1021] via 192.168.15.1, 00:06:20, Ethernet0/0
- O 10.7.7.7/32 [110/1021] via 192.168.15.1, 00:01:59, Ethernet0/0
- 172.16.0.0/24 is subnetted, 2 subnets
- O 172.16.13.0 [110/1010] via 192.168.15.1, 00:13:26, Ethernet0/0
- O 172.16.14.0 [110/1010] via 192.168.15.1, 00:01:59, Ethernet0/0
- O 192.168.36.0/24 [110/1020] via 192.168.15.1, 00:06:20, Ethernet0/0
- O 192.168.47.0/24 [110/1020] via 192.168.15.1, 00:01:59, Ethernet0/0
- R5#ping 10.6.6.6
- Type escape sequence to abort.
- Sending 5, 100-byte ICMP Echos to 10.6.6.6, timeout is 2 seconds:
- !!!!!
- Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
-
- R5#ping 10.7.7.7
- Type escape sequence to abort.
- Sending 5, 100-byte ICMP Echos to 10.7.7.7, timeout is 2 seconds:
- !!!!!
- Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
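As an added example (not part of the lab transcript), the following Python builds the packet R1 puts on the 12.12.12.0/24 link for an R5-to-R6 echo request at this stage and decodes it the way an observer at R2 would. It uses the lab's addresses; the ICMP identifier, sequence number and payload are constructed, and the GRE header is the bare RFC 2784 form without checksum, key or sequence fields, which is what "tunnel mode gre ip" emits by default.

```python
import struct
from ipaddress import IPv4Address

# Added example, not from the lab transcript. Builds the GRE packet R1 would
# emit on 12.12.12.0/24 for an R5 -> R6 echo request and decodes it as a
# passive observer on the ISP path would. Addresses are the lab's; the ICMP
# payload is constructed.

GRE_PROTO = 47
ETHERTYPE_IPV4 = 0x0800


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 255) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def icmp_echo_request(ident: int, seq: int, data: bytes) -> bytes:
    msg = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    return msg[:2] + struct.pack("!H", internet_checksum(msg)) + msg[4:]


def gre_encapsulate(outer_src: str, outer_dst: str, inner_packet: bytes) -> bytes:
    """Plain GRE (RFC 2784): no checksum/key/sequence, version 0, carrying IPv4."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    return ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre) + len(inner_packet)) + gre + inner_packet


def parse_ipv4(pkt: bytes) -> dict:
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or internet_checksum(pkt[:ihl]) != 0:
        raise ValueError("not a valid IPv4 header")
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "hdr_len": ihl, "total_len": total_len}


def inspect_on_wire(pkt: bytes) -> dict:
    """Decode outer IP + GRE + inner IP: everything an observer at R2 can read."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != GRE_PROTO:
        return {"outer": outer, "inner": None, "payload": pkt[outer["hdr_len"]:]}
    off = outer["hdr_len"]
    flags, proto = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    if flags & 0xB000:  # C, K or S bit set: optional fields this example does not model
        raise ValueError("GRE optional fields not handled")
    if proto != ETHERTYPE_IPV4:
        return {"outer": outer, "inner": None, "payload": pkt[off:]}
    inner = parse_ipv4(pkt[off:])
    return {"outer": outer, "inner": inner, "payload": pkt[off + inner["hdr_len"]:]}


def build_lab_packet() -> bytes:
    """R5 (10.5.5.5) pings R6 (10.6.6.6); R1 tunnels it from 12.12.12.1 to 23.23.23.3."""
    icmp = icmp_echo_request(ident=1, seq=1, data=b"lab-ping")
    inner = ipv4_header("10.5.5.5", "10.6.6.6", 1, len(icmp)) + icmp
    return gre_encapsulate("12.12.12.1", "23.23.23.3", inner)


if __name__ == "__main__":
    seen = inspect_on_wire(build_lab_packet())
    print("outer:", seen["outer"]["src"], "->", seen["outer"]["dst"], "proto", seen["outer"]["proto"])
    print("inner:", seen["inner"]["src"], "->", seen["inner"]["dst"], "payload", seen["payload"])
```

The outer header is all R2 needs to route the packet (12.12.12.1 to 23.23.23.3, protocol 47), but the inner header and the ICMP payload are fully readable, which is exactly what the IPsec step below is meant to close.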
Configure the IPsec VPN between R1, R3 and R4. IKE (ISAKMP) phase 1 uses pre-shared keys and the peers are the tunnel addresses; phase 2 uses an ESP transform set in tunnel mode, and the crypto map is applied to the tunnel interfaces, so only traffic matched by the crypto ACL (the 10.x.x.x site-to-site flows listed) is encrypted before it enters the GRE tunnel. The cipher suite used here (DES, MD5, DH group 1) and the pre-shared key cisco are lab values only: all three algorithms are deprecated and must not be used in production; use AES-256, SHA-256 and DH group 14 or higher (or IKEv2) instead. Also note what the crypto ACLs do not cover: R3 lists only 10.6.6.0 to 10.5.5.0 and R4 only 10.7.7.0 to 10.5.5.0, so traffic between R6 and R7, which transits R1, crosses the ISP in cleartext GRE, as does the OSPF exchange over the tunnels. To encrypt everything a tunnel carries, attach an IPsec profile to the tunnel with tunnel protection ipsec profile instead of a crypto map.
- R1(config)#crypto isakmp enable
- R1(config)#crypto isakmp policy 1
- R1(config-isakmp)#authentication pre-share
- R1(config-isakmp)#encryption des
- R1(config-isakmp)#hash md5
- R1(config-isakmp)#group 1
- R1(config)#crypto isakmp key cisco address 172.16.13.3
- R1(config)#crypto isakmp key cisco address 172.16.14.4
- R1(config)#ip access-list extended vpn
- R1(config-ext-nacl)#permit ip 10.5.5.0 0.0.0.255 10.6.6.0 0.0.0.255
- R1(config-ext-nacl)#permit ip 10.5.5.0 0.0.0.255 10.7.7.0 0.0.0.255
- R1(config)#crypto ipsec transform-set r1-tr esp-des esp-md5-hmac
- R1(cfg-crypto-trans)#mode tunnel
- R1(config)#crypto map r1-map 1 ipsec-isakmp
- R1(config-crypto-map)#set peer 172.16.13.3
- R1(config-crypto-map)#set peer 172.16.14.4
- R1(config-crypto-map)#set transform-set r1-tr
- R1(config-crypto-map)#match address vpn
- R1(config)#interface tunnel 13
- R1(config-if)#crypto map r1-map
- R1(config-if)#interface tunnel 14
- R1(config-if)#crypto map r1-map
-
- R3(config)#crypto isakmp enable
- R3(config)#crypto isakmp policy 1
- R3(config-isakmp)#authentication pre-share
- R3(config-isakmp)#encryption des
- R3(config-isakmp)#hash md5
- R3(config-isakmp)#group 1
- R3(config)#crypto isakmp key cisco address 172.16.13.1
- R3(config)#ip access-list extended vpn
- R3(config-ext-nacl)#permit ip 10.6.6.0 0.0.0.255 10.5.5.0 0.0.0.255
- R3(config)#crypto ipsec transform-set r3-tr esp-des esp-md5-hmac
- R3(cfg-crypto-trans)#mode tunnel
- R3(config)#crypto map r3-map 1 ipsec-isakmp
- R3(config-crypto-map)#set peer 172.16.13.1
- R3(config-crypto-map)#set transform-set r3-tr
- R3(config-crypto-map)#match address vpn
- R3(config)#interface tunnel 13
- R3(config-if)#crypto map r3-map
-
- R4(config)#crypto isakmp enable
- R4(config)#crypto isakmp policy 1
- R4(config-isakmp)#authentication pre-share
- R4(config-isakmp)#encryption des
- R4(config-isakmp)#hash md5
- R4(config-isakmp)#group 1
- R4(config)#crypto isakmp key cisco address 172.16.14.1
- R4(config)#ip access-list extended vpn
- R4(config-ext-nacl)#permit ip 10.7.7.0 0.0.0.255 10.5.5.0 0.0.0.255
- R4(config)#crypto ipsec transform-set r4-tr esp-des esp-md5-hmac
- R4(cfg-crypto-trans)#mode tunnel
- R4(config)#crypto map r4-map 1 ipsec-isakmp
- R4(config-crypto-map)#set peer 172.16.14.1
- R4(config-crypto-map)#set transform-set r4-tr
- R4(config-crypto-map)#match address vpn
- R4(config)#interface tunnel 14
- R4(config-if)#crypto map r4-map
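The following Python is added here and is a model, not IOS code and not part of the lab. It evaluates the NAT access lists configured earlier and the crypto ACLs from this section with Cisco's first-match and wildcard-mask semantics, and applies the documented inside-to-outside order (routing lookup, then inside-source NAT, then the crypto map on the egress interface) to the lab's own flows on R1 and R3. Routes are abbreviated to /24s (the lab learns /32 host routes), and the hub variant with the crypto map on Ethernet0/1 is hypothetical, included only to show why the deny lines in the NAT lists must come before the permit.

```python
from ipaddress import IPv4Address, IPv4Network

# Added example, not from the lab transcript and not IOS code: a model of the
# per-packet decisions R1 and R3 make with the configuration in this write-up.
# Routes are abbreviated to /24 (the lab learns /32 host routes). Decision
# order follows Cisco's inside-to-outside order of operations: routing lookup,
# then inside-source NAT, then the crypto map on the egress interface.

ANY = ("0.0.0.0", "255.255.255.255")          # 'any' as a wildcard pair


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'do not care' about that bit."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


def acl_lookup(acl, src: str, dst: str) -> str:
    """Extended ACL semantics: first match wins, implicit deny at the end."""
    for action, (sb, sw), (db, dw) in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


class Router:
    def __init__(self, name, routes, nat_inside, nat_outside, nat_acl, nat_addr, crypto):
        self.name = name
        self.routes = [(IPv4Network(n), iface) for n, iface in routes]
        self.nat_inside, self.nat_outside = set(nat_inside), set(nat_outside)
        self.nat_acl, self.nat_addr = nat_acl, nat_addr
        self.crypto = crypto            # egress interface -> crypto ACL, where a map is applied

    def egress(self, dst: str):
        """Longest-prefix match over the abbreviated routing table."""
        hits = [(net.prefixlen, iface) for net, iface in self.routes if IPv4Address(dst) in net]
        return max(hits)[1] if hits else None

    def forward(self, ingress: str, src: str, dst: str) -> dict:
        out = self.egress(dst)
        # NAT applies only on an inside -> outside path whose flow the NAT list permits
        nat = (ingress in self.nat_inside and out in self.nat_outside
               and acl_lookup(self.nat_acl, src, dst) == "permit")
        src_on_wire = self.nat_addr if nat else src
        # the crypto ACL is evaluated after NAT, i.e. against the translated source
        crypto_acl = self.crypto.get(out)
        encrypted = crypto_acl is not None and acl_lookup(crypto_acl, src_on_wire, dst) == "permit"
        return {"egress": out, "translated_src": src_on_wire, "encrypted": encrypted}


# R1 (hub) and R3 (spoke) as configured in this write-up
ACL_105 = [("deny", ("10.5.5.0", "0.0.0.255"), ("10.6.6.0", "0.0.0.255")),
           ("deny", ("10.5.5.0", "0.0.0.255"), ("10.7.7.0", "0.0.0.255")),
           ("permit", ("10.5.5.0", "0.0.0.255"), ANY)]
VPN_R1 = [("permit", ("10.5.5.0", "0.0.0.255"), ("10.6.6.0", "0.0.0.255")),
          ("permit", ("10.5.5.0", "0.0.0.255"), ("10.7.7.0", "0.0.0.255"))]
R1 = Router("R1", [("10.6.6.0/24", "Tunnel13"), ("10.7.7.0/24", "Tunnel14"), ("0.0.0.0/0", "Ethernet0/1")],
            ["Ethernet0/0"], ["Ethernet0/1"], ACL_105, "12.12.12.1",
            {"Tunnel13": VPN_R1, "Tunnel14": VPN_R1})

ACL_106 = [("deny", ("10.6.6.0", "0.0.0.255"), ("10.5.5.0", "0.0.0.255")),
           ("permit", ("10.6.6.0", "0.0.0.255"), ANY)]
VPN_R3 = [("permit", ("10.6.6.0", "0.0.0.255"), ("10.5.5.0", "0.0.0.255"))]
R3 = Router("R3", [("10.5.5.0/24", "Tunnel13"), ("10.7.7.0/24", "Tunnel13"), ("0.0.0.0/0", "Ethernet0/2")],
            ["Ethernet0/0"], ["Ethernet0/2"], ACL_106, "23.23.23.3", {"Tunnel13": VPN_R3})


def lab_flows() -> dict:
    return {"R5->ISP": R1.forward("Ethernet0/0", "10.5.5.5", "2.2.2.2"),
            "R5->R6": R1.forward("Ethernet0/0", "10.5.5.5", "10.6.6.6"),
            "R5->R7": R1.forward("Ethernet0/0", "10.5.5.5", "10.7.7.7"),
            "R6->R7": R3.forward("Ethernet0/0", "10.6.6.6", "10.7.7.7")}


def hub_with_crypto_on_physical(nat_acl) -> Router:
    """Hypothetical R1 variant: crypto map on the ISP-facing interface, no tunnels."""
    return Router("R1-variant", [("0.0.0.0/0", "Ethernet0/1")], ["Ethernet0/0"], ["Ethernet0/1"],
                  nat_acl, "12.12.12.1", {"Ethernet0/1": VPN_R1})


def nat_exemption_matters() -> dict:
    """Same flow with and without the deny lines at the top of the NAT list."""
    no_exemption = [("permit", ("10.5.5.0", "0.0.0.255"), ANY)]
    return {"with_exemption": hub_with_crypto_on_physical(ACL_105).forward("Ethernet0/0", "10.5.5.5", "10.6.6.6"),
            "without_exemption": hub_with_crypto_on_physical(no_exemption).forward("Ethernet0/0", "10.5.5.5", "10.6.6.6")}


if __name__ == "__main__":
    for flow, r in {**lab_flows(), **nat_exemption_matters()}.items():
        print(f"{flow:18} egress={str(r['egress']):12} src={r['translated_src']:12} encrypted={r['encrypted']}")
```

Running it shows R5 to the ISP translated to 12.12.12.1 and unencrypted, R5 to R6 and R5 to R7 encrypted, and R6 to R7 forwarded by R3 in the clear because no crypto ACL on R3 or R1 covers that pair. The hypothetical variant shows the failure mode the deny lines prevent: without them the source is rewritten to 12.12.12.1 before the crypto ACL is consulted, so the flow silently leaves unencrypted.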
With the configuration complete, test connectivity R5 to R6 and R5 to R7 with ping, sourcing from the loopback (10.5.5.5) so that the packets match the crypto ACL. The first echo to 10.6.6.6 is lost: it triggers the IKE and IPsec SA negotiation and is dropped while the SAs are being built, which is normal for the first packet of a new flow.
- R5#ping 10.6.6.6 source 10.5.5.5
- Type escape sequence to abort.
- Sending 5, 100-byte ICMP Echos to 10.6.6.6, timeout is 2 seconds:
- Packet sent with a source address of 10.5.5.5
- .!!!!
- Success rate is 80 percent (4/5), round-trip min/avg/max = 2/2/3 ms
-
- R5#ping 10.7.7.7 source 10.5.5.5
- Type escape sequence to abort.
- Sending 5, 100-byte ICMP Echos to 10.7.7.7, timeout is 2 seconds:
- Packet sent with a source address of 10.5.5.5
- !!!!!
- Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
- R1#show crypto engine connections active
- Crypto Engine Connections
-
- ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address
- 1 IPsec DES+MD5 0 9 9 172.16.13.1
- 2 IPsec DES+MD5 9 0 0 172.16.13.1
- 3 IPsec DES+MD5 0 5 5 172.16.14.1
- 4 IPsec DES+MD5 5 0 0 172.16.14.1
- 1001 IKE MD5+DES 0 0 0 172.16.13.1
- 1002 IKE MD5+DES 0 0 0 172.16.14.1
The output above shows that the VPN is working: for each peer there is an IKE SA (IDs 1001 and 1002) and a pair of IPsec SAs, one decrypting inbound packets and one encrypting outbound packets, all with non-zero counters. For per-SA detail use show crypto isakmp sa and show crypto ipsec sa. Remember that these counters only prove that traffic matching the crypto ACLs is encrypted; flows the ACLs do not cover, such as R6 to R7, still cross the ISP as plaintext GRE.
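An added verification helper, not from the lab, that turns the check above into a script: it parses the show crypto engine connections active output (embedded as a constructed copy of the R1 output) and, for each local tunnel address, confirms an IKE SA exists and that IPsec SAs are both encrypting and decrypting, and lists the algorithms in use that are deprecated. The column layout is assumed to be the one shown above.

```python
import re

# Added verification helper, not from the lab: parses 'show crypto engine
# connections active' output and checks that every local tunnel address has an
# IKE SA plus IPsec SAs that are both encrypting and decrypting. SAMPLE is a
# constructed copy of the R1 output above; the column layout is assumed to
# match it.

SAMPLE = """\
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
    1  IPsec   DES+MD5                   0        9        9 172.16.13.1
    2  IPsec   DES+MD5                   9        0        0 172.16.13.1
    3  IPsec   DES+MD5                   0        5        5 172.16.14.1
    4  IPsec   DES+MD5                   5        0        0 172.16.14.1
 1001  IKE     MD5+DES                   0        0        0 172.16.13.1
 1002  IKE     MD5+DES                   0        0        0 172.16.14.1
"""

ROW = re.compile(r"^\s*(\d+)\s+(IPsec|IKE)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")
DEPRECATED = {"DES", "3DES", "MD5"}   # primitives no longer acceptable for IPsec


def parse_connections(text: str) -> list:
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            cid, typ, alg, enc, dec, seq, addr = m.groups()
            rows.append({"id": int(cid), "type": typ, "alg": alg, "encrypt": int(enc),
                         "decrypt": int(dec), "lastseq": int(seq), "addr": addr})
    return rows


def check_peers(rows: list) -> dict:
    """Per local address: is there an IKE SA, and do packets flow both ways?"""
    report = {}
    for addr in sorted({r["addr"] for r in rows}):
        mine = [r for r in rows if r["addr"] == addr]
        enc = sum(r["encrypt"] for r in mine if r["type"] == "IPsec")
        dec = sum(r["decrypt"] for r in mine if r["type"] == "IPsec")
        ike = any(r["type"] == "IKE" for r in mine)
        # a zero on either side usually means traffic is bypassing the crypto map
        report[addr] = {"ike_sa": ike, "encrypted": enc, "decrypted": dec,
                        "ok": ike and enc > 0 and dec > 0}
    return report


def weak_algorithms(rows: list) -> list:
    """Algorithm strings that contain a deprecated primitive (e.g. DES+MD5)."""
    return sorted({r["alg"] for r in rows if DEPRECATED & set(r["alg"].split("+"))})


if __name__ == "__main__":
    rows = parse_connections(SAMPLE)
    for addr, r in check_peers(rows).items():
        print(addr, "OK" if r["ok"] else "CHECK", r)
    print("deprecated algorithms in use:", weak_algorithms(rows))
```

On the lab output both 172.16.13.1 and 172.16.14.1 pass, and the script flags DES+MD5 and MD5+DES, which is the reminder that this suite is acceptable only in a lab.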