Topology diagram (image not included here; see the text below for the addressing):
Description: the ISP routers run OSPF between themselves as the dynamic routing protocol; R1 and R3 act as border routers with PAT enabled; PC1 and PC2 simulate internal hosts.
Requirement: PC1 and PC2 must be able to reach each other using their private IP addresses over an encrypted path, while all other Internet traffic leaves through ordinary PAT.
The configuration of each device is as follows:
PC1:
conf t
int f0/0
 ip add 192.168.0.1 255.255.255.0
 no shut
exit
no ip routing
ip default-gateway 192.168.0.2
end
wr
PC2:
conf t
int f0/0
 ip add 172.16.0.1 255.255.255.0
 no shut
exit
no ip routing
ip default-gateway 172.16.0.2
end
wr
R1:
conf t
int e0/0
 ip add 192.168.0.2 255.255.255.0
 duplex full
 ip nat inside
 no shut
int e0/1
 ip add 1.0.0.1 255.255.255.252
 duplex full
 ip nat outside
 no shut
exit
! PAT for inside traffic leaving e0/1; tunnel 0 is not marked 'ip nat outside',
! so traffic routed into the tunnel keeps its private source address
access-list 1 permit any
ip nat inside source list 1 interface e0/1 overload
ip route 0.0.0.0 0.0.0.0 1.0.0.2
! IKE phase 1 policy and pre-shared key for the peer R3
crypto isakmp enable
crypto isakmp policy 1
 encryption aes
 hash sha
 group 2
 authentication pre-share
exit
crypto isakmp key 0 IPSEC-TUNNEL address 2.0.0.1
! crypto ACL: the GRE tunnel between the public addresses plus the inner LAN-to-LAN traffic
access-list 100 permit gre host 1.0.0.1 host 2.0.0.1
access-list 100 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
! IPsec phase 2 proposal, kept as in the original lab (3DES/MD5 and DH group 2 are legacy algorithms)
crypto ipsec transform-set myset ah-sha-hmac esp-md5-hmac esp-3des
 mode tunnel
exit
crypto map mymap 1 ipsec-isakmp
 match address 100
 set transform-set myset
 set peer 2.0.0.1
exit
! classic GRE-over-IPsec: the crypto map is applied to both the physical and the tunnel interface
int e0/1
 crypto map mymap
int tunnel 0
 ip add 100.0.0.1 255.255.255.252
 tunnel source 1.0.0.1
 tunnel destination 2.0.0.1
 crypto map mymap
 keepalive 2 3
 no shutdown
exit
! route the remote LAN into the tunnel so it bypasses PAT and is encrypted
ip route 172.16.0.0 255.255.255.0 tunnel 0
do wr
R3:
conf t
int e0/1
 ip add 172.16.0.2 255.255.255.0
 duplex full
 ip nat inside
 no shut
int e0/0
 ip add 2.0.0.1 255.255.255.252
 duplex full
 ip nat outside
 no shut
exit
! PAT for inside traffic leaving e0/0; tunnel 0 is not 'ip nat outside'
access-list 1 permit any
ip nat inside source list 1 interface e0/0 overload
ip route 0.0.0.0 0.0.0.0 2.0.0.2
! IKE phase 1 policy and pre-shared key for the peer R1 (must match R1)
crypto isakmp enable
crypto isakmp policy 1
 encryption aes
 hash sha
 group 2
 authentication pre-share
exit
crypto isakmp key 0 IPSEC-TUNNEL address 1.0.0.1
! crypto ACL: mirror image of R1's ACL 100
access-list 100 permit gre host 2.0.0.1 host 1.0.0.1
access-list 100 permit ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255
! IPsec phase 2 proposal, identical to R1's
crypto ipsec transform-set myset ah-sha-hmac esp-md5-hmac esp-3des
 mode tunnel
exit
crypto map mymap 1 ipsec-isakmp
 match address 100
 set transform-set myset
 set peer 1.0.0.1
exit
int e0/0
 crypto map mymap
int tunnel 0
 ip add 100.0.0.2 255.255.255.252
 tunnel source 2.0.0.1
 tunnel destination 1.0.0.1
 crypto map mymap
 keepalive 2 3
 no shutdown
exit
! route the remote LAN into the tunnel so it bypasses PAT and is encrypted
ip route 192.168.0.0 255.255.255.0 tunnel 0
do wr
ISP1:
conf t
int e0/1
 ip add 1.0.0.2 255.255.255.252
 duplex full
 no shut
int e0/0
 ip add 12.0.0.1 255.255.255.252
 duplex full
 no shut
exit
router ospf 100
 network 1.0.0.0 0.0.0.3 area 0
 network 12.0.0.0 0.0.0.3 area 0
exit
do wr
ISP2:
conf t
int e0/0
 ip add 12.0.0.2 255.255.255.252
 duplex full
 no shut
int e0/1
 ip add 2.0.0.2 255.255.255.252
 duplex full
 no shut
exit
router ospf 100
 network 2.0.0.0 0.0.0.3 area 0
 network 12.0.0.0 0.0.0.3 area 0
exit
do wr
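The R1 and R3 configurations above only work if they are exact mirrors of each other: same transform set, crypto ACL 100 with source and destination swapped, each side's `set peer` and `tunnel destination` equal to the other side's `tunnel source`, and the ISAKMP key bound to that same peer address. The following script is an added example, not part of the original lab, that parses the crypto-relevant lines of both routers (constructed excerpts of the configs above) and reports any asymmetry before the tunnel is brought up.

```python
# Constructed excerpts of the crypto-relevant lines from R1 and R3 in this lab.
R1 = """crypto isakmp key 0 IPSEC-TUNNEL address 2.0.0.1
access-list 100 permit gre host 1.0.0.1 host 2.0.0.1
access-list 100 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
crypto ipsec transform-set myset ah-sha-hmac esp-md5-hmac esp-3des
 set peer 2.0.0.1
 tunnel source 1.0.0.1
 tunnel destination 2.0.0.1"""
R3 = """crypto isakmp key 0 IPSEC-TUNNEL address 1.0.0.1
access-list 100 permit gre host 2.0.0.1 host 1.0.0.1
access-list 100 permit ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255
crypto ipsec transform-set myset ah-sha-hmac esp-md5-hmac esp-3des
 set peer 1.0.0.1
 tunnel source 2.0.0.1
 tunnel destination 1.0.0.1"""

def _addr(t):
    """Consume one ACL address spec ('host A' or 'NET WILDCARD'); return (spec, rest)."""
    return (f"{t[1]}/0.0.0.0", t[2:]) if t[0] == "host" else (f"{t[0]}/{t[1]}", t[2:])

def parse_peer(cfg):
    """Collect the fields that must agree between two IPsec/GRE peers from one IOS config."""
    p = {"acl": set()}
    for t in (ln.split() for ln in cfg.splitlines()):
        if t[:3] == ["access-list", "100", "permit"]:
            src, rest = _addr(t[4:])
            p["acl"].add((t[3], src, _addr(rest)[0]))   # (protocol, source, destination)
        elif t[:3] == ["crypto", "isakmp", "key"]:
            p["key_addr"] = t[t.index("address") + 1]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            p["transform"] = frozenset(t[4:])           # order of proposals is irrelevant
        elif t[:2] == ["set", "peer"]:
            p["peer"] = t[2]
        elif t[:2] in (["tunnel", "source"], ["tunnel", "destination"]):
            p[t[1]] = t[2]
    return p

def check_pair(a, b):
    """Return the mismatches that would keep the IKE/IPsec/GRE pairing from coming up."""
    problems = []
    if a["transform"] != b["transform"]:
        problems.append("transform-set proposals differ")
    for side, other in ((a, b), (b, a)):
        if side["peer"] != other["source"] or side["destination"] != other["source"]:
            problems.append("set peer / tunnel destination do not match the peer's tunnel source")
        if side["key_addr"] != side["peer"]:
            problems.append("isakmp key address does not match set peer")
    if a["acl"] != {(proto, dst, src) for proto, src, dst in b["acl"]}:
        problems.append("crypto ACL 100 is not the mirror image of the peer's")
    return problems
```

`check_pair(parse_peer(R1), parse_peer(R3))` returns an empty list for the lab configs; feed it the output of `show running-config` from both routers to catch a typo in either ACL or peer address.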