VIP:
乾颐堂军哥HCNA综合-PPPoE-NAT和IPSEC ***在企业网实战应用
本文档包含3大部分:PPPoE、NAT和IPSEC ×××实施,是企业网接入互联网以及广域网互联重要的技术,本文档实现了综合运用
1.PPPoE
PPP over ethernet(以太网上的PPP协议)
PPP即点到点协议,是一种2层封装协议,工作串行链路(默认情况不能工作在以太

网上)
以太网的优势:以太网非常流行,速率很高,同时成本小
PPP的优势:公有协议的封装,支持认证(扩展到流量统计以及计费)
两者结合引出了PPPoE
PPPoE的3个阶段:1)发现阶段 2)会话建立 3)会话结束
PPPOE的服务器:
aaa
local-user qyt password cipher %$%$T;;MX@,(.6yB!SBS[MN(rZIB%$%$
local-user qyt service-type ppp //创建用于客户端认证的用户名和密码
ip pool PPPoE1
network 202.100.1.0 mask 255.255.255.252 //给客户端下发的网络地址段,华

为从较高地址开始下发
excluded-ip-address 202.100.1.2 //拍错202.100.1.2的地址
dns-list 114.114.114.114
[R2-ip-pool-PPPoE1]dns-list 114.114.114.114
[R2]int Virtual-Template 1 //创建虚拟模版接口
[R2-Virtual-Template1]remote address pool PPPoE1 //客户端地址从地址池

PPPoE1中获得
[R2-Virtual-Template1]ip address 202.100.1.1 30
[R2-Virtual-Template1]ppp authentication-mode chap //开启认证
[R2-Virtual-Template1]int g0/0/0
[R2-GigabitEthernet0/0/0]pppoe-server bind virtual-template 1 //把虚拟

模版接口和物理接口一起结合使用,把物理接口绑定到PPPoE中去
[R2-GigabitEthernet0/0/0]

客户端:
dialer-rule
dialer-rule 1 ip permit
interface Dialer1
link-protocol ppp
ppp chap user qyt
ppp chap password cipher %$%$#\/D5=%dXNcA,zAF)}M7,'<Z%$%$
ip address ppp-negotiate
dialer user QYT
dialer bundle 10
dialer-group 1
interface GigabitEthernet0/0/0
pppoe-client dial-bundle-number 10

Dec 13 2017 20:20:59.935.1-08:00 R1 PPPOE-

CLIENT/7/debugging:GigabitEthernet0/0/0: PPPoE Client OUT Discovery

data (PADI), Len = 30

[R1-GigabitEthernet0/0/0]
Dec 13 2017 20:20:59.975.1-08:00 R1 PPPOE-

CLIENT/7/debugging:GigabitEthernet0/0/0: PPPoE Client IN Discovery data

(PADO), Len = 60

[R1-GigabitEthernet0/0/0]
Dec 13 2017 20:20:59.975.2-08:00 R1 PPPOE-

CLIENT/7/debugging:GigabitEthernet0/0/0: PPPoE Client OUT Discovery

data (PADR), Len = 48

[R1-GigabitEthernet0/0/0]
Dec 13 2017 20:21:00.55.1-08:00 R1 PPPOE-

CLIENT/7/debugging:GigabitEthernet0/0/0: PPPoE Client IN Discovery data

(PADS), Len = 60, Session ID = 1

[R1]display pppoe-client session summary
PPPoE Client Session:
ID Bundle Dialer Intf Client-MAC Server-MAC State

1 10 1 GE0/0/0 00e0fc840ba5 00e0fc8f08d4 UP
<R2>display pppoe-server session all //验证PPPoE会话是否建立
SID Intf State OIntf RemMAC

LocMAC
1 Virtual-Template1:0 UP GE0/0/0 00e0.fc84.0ba5

00e0.fc8f.08d4
[R1]dis ip routing-table protocol direct
Route Flags: R - relay, D - download to fib


Public routing table : Direct
Destinations : 6 Routes : 6

Direct routing table status : <Active>
Destinations : 6 Routes : 6

Destination/Mask Proto Pre Cost Flags NextHop

Interface

202.100.1.1/32  Direct  0    0           D   127.0.0.1       

Dialer1
202.100.1.2/32 Direct 0 0 D 202.100.1.2

Dialer1
现在client获得了202.100.1.254的地址,202.100.1.254<---> 202.100.1.2直

连通信?
0 不能
1 能

2.NAT转换
经常有同学说:华为的NAT做不成功,这是完全错误的观点!!
2种最常用的NAT
2.1 NAT server
把内网的一台设备的服务应用(端口)映射到公网的一个端口(可以和内部服务器

的端口相同或者不同),使得外部网络的设备可以通过访问公网的端口,其实就可

以访问内网的应用(端口)
[R1-Dialer1]nat server protocol tcp global 202.100.1.1 2323 inside

10.1.10.15 23
Error: The address conflicts with interface or ARP IP //不能直接使用

公网地址
[R1-Dialer1]nat server protocol tcp global current-interface 2323

inside 10.1.10.15 23 //请使用当前接口参数,然后把公网地址的2323端口应用

转发为内网地址10.1.10.15的23端口
[R1]dis nat server
Nat Server Information:
Interface : Dialer1
Global IP/Port : current-interface/2323 (Real IP : 202.100.1.1)
Inside IP/Port : 10.1.10.15/23(telnet)
Protocol : 6(tcp)
××× instance-name : ----
Acl number : ----
Description : ----

Total : 1
测试:
<R2>telnet 202.100.1.1 2323 //从外网测试成功,因为NAT服务器就是为外网提

供服务的
Press CTRL_] to quit telnet mode
Trying 202.100.1.1 ...
Connected to 202.100.1.1 ...

Login authentication

Password:
Info: The max number of VTY users is 5, and the number
of current VTY users on line is 1.
The current login time is 2017-12-13 21:16:51.
<SW1>

<R1>display nat session protocol tcp //查看NAT转换的会话。也可以通过抓取

报文来验证华为的NAT
NAT Session Table Information:

 Protocol          : TCP(6)
 SrcAddr  Port *** : 202.100.1.2     65473                          

 DestAddr Port *** : 202.100.1.1     4873                           

 NAT-Info
   New SrcAddr     : ----
   New SrcPort     : ----
   New DestAddr    : 10.1.10.15     
   New DestPort    : 5888 

 Protocol          : TCP(6)
 SrcAddr  Port *** : 202.100.1.2     23233                          

 DestAddr Port *** : 202.100.1.1     4873                           

 NAT-Info
   New SrcAddr     : ----
   New SrcPort     : ----
   New DestAddr    : 10.1.10.15     
   New DestPort    : 5888 

2.2 EASY IP(PAT)
可以和NAT服务器一起使用!可以把指定的内部网络的不同应用转化为一个公网地址

的对应的应用(地址和端口一起转换,即复用!)
acl name NAT 3999
rule 5 permit ip source 10.1.10.0 0.0.0.31 //定义的网络通过NAT转化去访

问互联网,意味着其他网络不做NAT转化
[R1-acl-adv-NAT]int dial 1
[R1-Dialer1]nat outbound 3999 //实施easy IP
[R1]dis nat outbound //验证easy IP(华为这个验证实在不靠谱)
NAT Outbound Information:



Interface Acl Address-group/IP/Interface

Type



Dialer1 3999 202.100.1.1

easyip



Total : 1
测试:
PC>ping 202.100.1.2 //注意此时R2(模拟internet设备)并没有除了直连路由之

外的路由条目,但是依旧可以实现通信,因为做了NAT转换,是202.100.1.1和1.2

在通信

Ping 202.100.1.2: 32 data bytes, Press Ctrl_C to break
From 202.100.1.2: bytes=32 seq=1 ttl=254 time=63 ms
From 202.100.1.2: bytes=32 seq=2 ttl=254 time=47 ms
From 202.100.1.2: bytes=32 seq=3 ttl=254 time=47 ms
From 202.100.1.2: bytes=32 seq=4 ttl=254 time=47 ms
From 202.100.1.2: bytes=32 seq=5 ttl=254 time=46 ms

--- 202.100.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 46/50/63 ms
[R1]dis acl all //华为的ENSP上,在实施EASY IP的时候不能看到报文的匹配!

验证easy IP请抓包
Total quantity of nonempty ACL number is 1

Advanced ACL NAT 3999, 1 rule
Acl's step is 5
rule 5 permit ip source 10.1.10.0 0.0.0.31
<R2>dis ip routing-table
Route Flags: R - relay, D - download to fib


Routing Tables: Public
Destinations : 8 Routes : 8

Destination/Mask Proto Pre Cost Flags NextHop

Interface

   202.100.1.0/30  Direct  0    0           D   202.100.1.2     

Virtual-Template1
202.100.1.1/32 Direct 0 0 D 202.100.1.1

Virtual-Template1
202.100.1.2/32 Direct 0 0 D 127.0.0.1

Virtual-Template1
202.100.1.3/32 Direct 0 0 D 127.0.0.1

Virtual-Template1
255.255.255.255/32 Direct 0 0 D 127.0.0.1

InLoopBack0
从内网到外网先路由然后NAT转换,反之先转换再NAT!
3.站点到站点的IPSEC ×××
SPD:ACL(即定义哪些流量进行IPSEC ×××处理)
IPSEC的组成:ESP(封装安全负载)、AH(认证头部)、ISAKMP(IKE,互联网秘
钥交换)
2种SA(安全关联):IKE SA;IPSEC SA
在路由的基础上加一层“安全外壳”
加解密点的路由(最少的3条路由):
1)需要有到本地通信设备的路由
2)需要有到远端加密点的路由
3)需要有到远端通信点的路由
SPD:
acl name ×××
rule 5 permit ip source 10.1.10.0 0.0.0.31 destination 10.1.20.0

0.0.0.15

[R2-acl-adv-×××]rule 5 permit ip source 10.1.20.0 0.0.0.15 destination

10.1.10.0 0.0.0.31

ipsec proposal QYT
esp authentication-algorithm sha1

ipsec policy QYT 10 manual
security acl 3998
proposal QYT
tunnel local 202.100.1.1
tunnel remote 202.100.1.2
sa spi inbound esp 12345
sa string-key inbound esp simple huawei
sa spi outbound esp 54321
sa string-key outbound esp simple huawei

ipsec policy QYT 10 manual
security acl 3999
proposal QYT
tunnel local 202.100.1.2
tunnel remote 202.100.1.1
sa spi inbound esp 54321
sa string-key inbound esp simple huawei
sa spi outbound esp 12345
sa string-key outbound esp simple huawei
在一个NAT的环境下实施IPSEC ×××必须在NAT的ACL中拿掉×××流量
acl name NAT 3999
rule 5 deny ip source 10.1.10.0 0.0.0.31 destination 10.1.20.0

0.0.0.15 //用×××处理的流量不做NAT,不能去访问互联网
rule 10 permit ip source 10.1.10.0 0.0.0.31 //访问互联网的流量
[R2-ospf-1]default-route-advertise always
[R2]dis ipsec statistics esp
Inpacket count : 15
Inpacket auth count : 0
Inpacket decap count : 0
Outpacket count : 4
Outpacket auth count : 0
Outpacket encap count : 0
Inpacket drop count : 0
Outpacket drop count : 0
BadAuthLen count : 0
AuthFail count : 0
InSAAclCheckFail count : 0
PktDuplicateDrop count : 0
PktSeqNoTooSmallDrop count: 0
PktInSAMissDrop count : 0
[R2]display ipsec sa brief

Number of SAs:2
Src address Dst address SPI ××× Protocol

Algorithm


202.100.1.1     202.100.1.2      54321      0    ESP   E:DES 

A:SHA1-96
202.100.1.2 202.100.1.1 12345 0 ESP E:DES

A:SHA1-96