Simulating a public network in GNS3 and using a VPN for communication between the private networks at the two ends. That is, when the VPN is not working, the lo1 interfaces (private networks) of R1 and R2 cannot ping each other.

R1 router configuration
Current configuration : 1503 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
!
no ip domain lookup
ip ssh break-string
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
 encr aes
 hash md5
 authentication pre-share
crypto isakmp key cisco address 192.168.3.1
!
!
crypto ipsec transform-set benet ah-md5-hmac esp-aes
!
crypto map map1 1 ipsec-isakmp
 set peer 192.168.3.1
 set transform-set benet
 match address 101
!
!
!
!
!
interface Loopback1
 ip address 172.16.1.100 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
 crypto map map1
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router rip
 version 2
 network 192.168.2.0
!
ip nat pool nat-pool 192.168.2.1 192.168.2.1 netmask 255.255.255.0
ip nat inside source list 100 pool nat-pool overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
no ip http server
no ip http secure-server
!
!
access-list 100 deny   ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
access-list 101 permit ip host 172.16.1.100 host 172.16.3.100
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
!
end

R3 router configuration
Current configuration : 1503 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
!
no ip domain lookup
ip ssh break-string
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 2
 encr aes
 hash md5
 authentication pre-share
crypto isakmp key cisco address 192.168.2.1
!
!
crypto ipsec transform-set benet ah-md5-hmac esp-aes
!
crypto map map1 1 ipsec-isakmp
 set peer 192.168.2.1
 set transform-set benet
 match address 101
!
!
!
!
!
interface Loopback1
 ip address 172.16.3.100 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0
 ip address 192.168.3.1 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
 crypto map map1
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router rip
 version 2
 network 192.168.3.0
!
ip nat pool nat-pool 192.168.3.1 192.168.3.1 netmask 255.255.255.0
ip nat inside source list 100 pool nat-pool overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
no ip http server
no ip http secure-server
!
!
access-list 100 deny   ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 100 permit ip 172.16.3.0 0.0.0.255 any
access-list 101 permit ip host 172.16.3.100 host 172.16.1.100
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
!
end

R2 router configuration
Current configuration : 836 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
!
no ip domain lookup
ip ssh break-string
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
no crypto isakmp enable
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.2.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.3.2 255.255.255.0
 duplex auto
 speed auto
!
router rip
 version 2
 network 192.168.2.0
 network 192.168.3.0
!
ip classless
!
no ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
!
end
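The tunnel between R1 and R3 above only carries the loopback traffic when two things hold on both peers: crypto ACL 101 on one side is the mirror image of the other, and NAT ACL 100 denies (exempts) that same traffic before the overload permit, otherwise the packets are translated to the outside address and never match the crypto map. The following checker is an added example, not part of the original post; it parses the relevant lines copied from the R1 and R3 configurations (function names and the dict layout are my own) and reports any mismatch.

```python
# Constructed excerpts of the R1 and R3 configs above (only the lines the checker reads).
R1 = """ match address 101
ip nat inside source list 100 pool nat-pool overload
access-list 100 deny   ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
access-list 101 permit ip host 172.16.1.100 host 172.16.3.100"""
R3 = """ match address 101
ip nat inside source list 100 pool nat-pool overload
access-list 100 deny   ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 100 permit ip 172.16.3.0 0.0.0.255 any
access-list 101 permit ip host 172.16.3.100 host 172.16.1.100"""

def ip2int(s):
    return int.from_bytes(bytes(map(int, s.split("."))), "big")
def net(tok):
    """Consume one ACL address spec ('any' | 'host X' | 'X WILDCARD') -> (addr, wildcard)."""
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    return (ip2int(tok.pop(0)), 0) if t == "host" else (ip2int(t), ip2int(tok.pop(0)))
def parse(cfg):
    """Pull the crypto ACL number, NAT ACL number and ACL entries out of an IOS config."""
    f = {"acl": {}}
    for w in (l.split() for l in cfg.splitlines() if l.strip()):
        if w[:2] == ["match", "address"]:
            f["crypto_acl"] = w[2]
        elif w[:4] == ["ip", "nat", "inside", "source"]:
            f["nat_acl"] = w[5]
        elif w[0] == "access-list":          # access-list N permit|deny ip SRC DST
            rest = w[4:]
            f["acl"].setdefault(w[1], []).append((w[2], net(rest), net(rest)))
    return f
def covers(n, addr):  # True when addr lies inside the (addr, wildcard) pair n
    return ((addr ^ n[0]) & ~n[1] & 0xFFFFFFFF) == 0
def nat_action(entries, src, dst):
    """Action of the first NAT ACL entry matching src->dst; ACLs end in an implicit deny."""
    return next((a for a, s, d in entries if covers(s, src) and covers(d, dst)), "deny")
def check(a, b):
    """Return the problems found between peer configs a and b (empty list = consistent)."""
    problems = []
    crypto = [[(s, d) for _, s, d in x["acl"][x["crypto_acl"]]] for x in (a, b)]
    if sorted(crypto[0]) != sorted((d, s) for s, d in crypto[1]):
        problems.append("crypto ACLs are not mirror images of each other")
    for name, x, ents in zip(("a", "b"), (a, b), crypto):
        for s, d in ents:   # the tunnel traffic itself must hit a deny in the NAT ACL
            if nat_action(x["acl"][x["nat_acl"]], s[0], d[0]) != "deny":
                problems.append(f"{name}: crypto ACL {x['crypto_acl']} traffic is not exempted in NAT ACL {x['nat_acl']}")
    return problems
```

For subnet entries the check probes the network address of each side, which is enough for the page's host-to-host ACL 101 and the /24 NAT entries.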

PS: In the emulator, once the VPN connection is established, breaking the VPN connection parameters (changing the shared key, deleting the transform set from the map, and so on) has no effect and the VPN keeps working. GNS3 has to be restarted to tear down the established VPN connection. I don't know whether there is a way to tear down an established VPN connection by hand.

Reference links: