Configuring a site-to-site VPN on Cisco routers
Network topology diagram:
R1 and R4 are the company headquarters and branch office respectively; the router in the middle represents the Internet.
1. Basic router configuration
Router(config)#host R4
R4(config)#no ip domain-loo
R4(config)#line co 0
R4(config-line)#logg sy
R4(config-line)#no exec-t
R4(config-line)#exit
R4(config)#int f1/0
R4(config-if)#ip add 200.200.34.4 255.255.255.0   // set the IP address
R4(config-if)#ip nat out   // make this interface the NAT outside interface
R4(config-if)#no sh
R4(config-if)#int f0/0
R4(config-if)#ip add 192.168.11.1 255.255.255.0
R4(config-if)#ip nat in   // make this interface the NAT inside interface
R4(config-if)#no sh
R4(config-if)#exit
R4(config)#ip route 0.0.0.0 0.0.0.0 f1/0   // default route
R4(config)#ip access-list extended for_nat   // create the ACL that selects traffic for NAT
R4(config-ext-nacl)#deny ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255   // deny the traffic that will go over the VPN; otherwise traffic to the peer site would be translated by NAT instead of entering the tunnel
R4(config-ext-nacl)#pe ip any any   // all other users are NATed
R4(config-ext-nacl)#exit
R4(config)#ip nat inside source list for_nat interface f1/0 overload   // configure NAT
R4(config)#ip access-list ex for_***
R4(config-ext-nacl)#per ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255   // create the ACL that selects the VPN traffic
R4(config-ext-nacl)#exit
R4(config)#end
Test: ping the peer router's outside IP sourced from your own inside interface to verify that NAT works:
R4#ping 200.200.12.1 source 192.168.11.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.12.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.11.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 184/316/392 ms
2. Configure IKE negotiation
R4(config)#cry isak po 1   // create the IKE negotiation policy
R4(config-isakmp)#hash md5   // hash algorithm (the VPN peer must use the same)
R4(config-isakmp)#authentication pre-share   // authenticate with a pre-shared key (the VPN peer must use the same)
R4(config-isakmp)#encryption 3des   // encryption algorithm (the VPN peer must use the same)
R4(config-isakmp)#group 2   // 1024-bit DH group; low-end routers can keep the default
R4(config-isakmp)#exit
R4(config)#cry isa key 6 password add 200.200.12.1   (the peer router's outside IP)   // set the pre-shared key (must be identical on the VPN peer) and the peer's address
3. Define IPsec
R4(config)#crypto ipsec transform-set *** esp-3des esp-md5-hmac   // define the transform set: *** is the transform-set name, esp-3des the ESP encryption, esp-md5-hmac the ESP authentication
R4(cfg-crypto-trans)#mode tunnel   // use tunnel mode
4. Define the crypto map
R4(config)#crypto map ***_map 1 ipsec-isakmp   // ***_map is the map name; the ipsec-isakmp keyword selects the automatic (IKE-negotiated) method
R4(config-crypto-map)#set transform-set ***   // reference the transform set by name
R4(config-crypto-map)#set peer 200.200.12.1   // the VPN peer's IP address
R4(config-crypto-map)#match address for_***   // the ACL the crypto map uses to select traffic
R4(config-crypto-map)#exit
R4(config)#int f1/0   // apply the crypto map to the outside interface
R4(config-if)#crypto map ***_map
Test: ping the peer's inside address sourced from the local inside interface. The first echoes are typically lost while the IKE and IPsec SAs are being negotiated:
R4#ping 192.168.10.1 so 192.168.11.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.11.1
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 400/440/476 ms
This is R1's configuration:
R1#sh run
Building configuration...
Current configuration : 1347 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 6 kylove address 200.200.34.4
!
!        
crypto ipsec transform-set *** esp-3des esp-md5-hmac
!
crypto map ***_map 1 ipsec-isakmp
set peer 200.200.34.4
set transform-set ***
match address for_***
!
!
!
!
interface FastEthernet0/0
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 200.200.12.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map ***_map
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 FastEthernet1/0
!
ip nat inside source list for_nat interface FastEthernet1/0 overload
!
!
ip access-list extended for_nat
deny   ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
permit ip any any
ip access-list extended for_***
permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
!
!
control-plane
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
!
!
end
This is R4's configuration:
R4#sh run
Building configuration...
Current configuration : 1347 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 6 kylove address 200.200.12.1
!
!        
crypto ipsec transform-set *** esp-3des esp-md5-hmac
!
crypto map ***_map 1 ipsec-isakmp
set peer 200.200.12.1
set transform-set ***
match address for_***
!
!
!
!
interface FastEthernet0/0
ip address 192.168.11.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 200.200.34.4 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map ***_map
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 FastEthernet1/0
!
ip nat inside source list for_nat interface FastEthernet1/0 overload
!
!
ip access-list extended for_nat
deny   ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip any any
ip access-list extended for_***
permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
!
!
control-plane
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
!
!
end