(1.1.1.1)R1(S1/1:12.12.12.1)-----------------(S1/0:12.12.12.2)R2(S1/1:23.23.23.2)------------------(S1/0:23.23.23.3)R3(3.3.3.3)
1: Build a site-to-site VPN between R1 and R3
R1#sh running-config
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 23.23.23.3
!
!
crypto ipsec transform-set wk esp-des esp-md5-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer 23.23.23.3
set transform-set wk
match address 101
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Serial1/1
ip address 12.12.12.1 255.255.255.0
serial restart-delay 0
crypto map vpn
!
!
ip route 0.0.0.0 0.0.0.0 12.12.12.2
!
!
access-list 101 permit ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
R2#sh running-config
interface Serial1/0
ip address 12.12.12.2 255.255.255.0
serial restart-delay 0
!
interface Serial1/1
ip address 23.23.23.2 255.255.255.0
serial restart-delay 0
!
!
R3#sh running-config
crypto keyring ll
pre-shared-key address 12.12.12.1 key cisco
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp profile isp
keyring ll
match identity address 12.12.12.1 255.255.255.255
!
!
crypto ipsec transform-set wk esp-des esp-md5-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer 12.12.12.1
set transform-set wk
set isakmp-profile isp
match address 101
!
!
interface Loopback0
ip address 3.3.3.3 255.255.255.0
!
!
interface Serial1/0
ip address 23.23.23.3 255.255.255.0
serial restart-delay 0
crypto map vpn
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 23.23.23.2
!
!
access-list 101 permit ip 3.3.3.0 0.0.0.255 1.1.1.0 0.0.0.255
R1#ping 3.3.3.3 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
2: Configure PAT on R1
access-list 102 permit ip 1.1.1.0 0.0.0.255 any
ip nat inside source list 102 interface Serial1/1 overload
interface Serial1/1
ip address 12.12.12.1 255.255.255.0
ip nat outside
interface Loopback0
ip address 1.1.1.1 255.255.255.0
ip nat inside
R1#ping 3.3.3.3 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
U.U.U
3: After NAT is configured, R1 can no longer ping R3.
Analysis: a packet leaving R1 is translated by NAT first and only then considered for encryption. The original packet is src 1.1.1.1 dst 3.3.3.3; after NAT it becomes src 12.12.12.1 dst 3.3.3.3.
R1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 12.12.12.1:2 1.1.1.1:2 3.3.3.3:2 3.3.3.3:2
The translated packet no longer matches the interesting traffic defined in access-list 101, so it is not encrypted; it is sent to R2 in the clear and dropped there (the ping shows U, destination unreachable).
Fix: exempt packets from 1.1.1.1 to 3.3.3.3 from NAT:
access-list 102 deny ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
R1#ping 3.3.3.3 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
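The NAT-before-crypto problem described in step 3, as an added example that is not part of the original post: a small Python model of R1's inside-to-outside path that evaluates NAT ACL 102 first and crypto ACL 101 afterwards, with the entries taken from R1's configuration. The functions `acl_permits` and `r1_egress`, the simplified PAT behaviour, and the constructed external address 203.0.113.10 are my assumptions, not IOS code.

```python
import ipaddress

def wildcard_match(addr, net, wildcard):
    """IOS ACL semantics: wildcard bits set to 1 are don't-care bits."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)

def acl_permits(acl, src, dst):
    """First-match evaluation with the implicit deny at the end, as on IOS."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action == "permit"
    return False

ANY = ("0.0.0.0", "255.255.255.255")
# Entries reconstructed from R1's configuration on this page.
CRYPTO_ACL_101 = [("permit", "1.1.1.0", "0.0.0.255", "3.3.3.0", "0.0.0.255")]
NAT_ACL_102_PAT = [("permit", "1.1.1.0", "0.0.0.255", *ANY)]
NAT_EXEMPT = ("deny", "1.1.1.0", "0.0.0.255", "3.3.3.0", "0.0.0.255")
NAT_ACL_102_FIXED = [NAT_EXEMPT] + NAT_ACL_102_PAT      # deny placed before the permit
NAT_ACL_102_APPENDED = NAT_ACL_102_PAT + [NAT_EXEMPT]   # deny after the permit: never reached

def r1_egress(src, dst, nat_acl, crypto_acl=CRYPTO_ACL_101, outside_ip="12.12.12.1"):
    """Simplified model of R1's inside-to-outside order of operations: NAT runs
    before the crypto map is evaluated, so the crypto ACL sees the translated source.
    Returns (source address on the wire, whether the packet is encrypted)."""
    if acl_permits(nat_acl, src, dst):
        src = outside_ip          # PAT overload rewrites the source to Serial1/1's address
    encrypted = acl_permits(crypto_acl, src, dst)
    return src, encrypted

if __name__ == "__main__":
    cases = [("pat only", NAT_ACL_102_PAT), ("deny first", NAT_ACL_102_FIXED),
             ("deny appended", NAT_ACL_102_APPENDED)]
    for name, acl in cases:
        print(name, r1_egress("1.1.1.1", "3.3.3.3", acl))
    # Constructed external destination: still translated once the deny is in place.
    print("internet-bound, deny first", r1_egress("1.1.1.1", "203.0.113.10", NAT_ACL_102_FIXED))
```

The third case shows why entry order matters: a `deny` typed after the existing `permit` is appended to the end of numbered ACL 102 and never matches, so the ACL has to be re-entered with the deny first (or given a lower sequence number in `ip access-list extended` mode).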