1. Lab topology
2. Basic network configuration
R1 configuration:
interface FastEthernet0/0
ip address 12.1.1.1 255.255.255.0
interface FastEthernet1/0
ip address 13.1.1.1 255.255.255.0
R2 configuration:
interface FastEthernet0/0
ip address 12.1.1.2 255.255.255.0
interface FastEthernet1/0
ip address 172.16.1.254 255.255.255.0
ip route 0.0.0.0 0.0.0.0 12.1.1.1
R3 configuration:
interface FastEthernet0/0
ip address 13.1.1.3 255.255.255.0
interface FastEthernet1/0
ip address 192.168.1.254 255.255.255.0
ip route 0.0.0.0 0.0.0.0 13.1.1.1
R4 configuration:
interface FastEthernet0/0
ip address 172.16.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 172.16.1.254
R5 configuration:
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.1.254
3. IPSec LAN-to-LAN VPN configuration
R2 configuration:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key 0 cisco address 13.1.1.3
crypto ipsec transform-set cisco esp-3des esp-sha-hmac
access-list 100 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map cisco 1 ipsec-isakmp
set peer 13.1.1.3
set transform-set cisco
match address 100
interface FastEthernet0/0
crypto map cisco
R3 configuration:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 12.1.1.2
crypto ipsec transform-set cisco esp-3des esp-sha-hmac
crypto map cisco 1 ipsec-isakmp
set peer 12.1.1.2
set transform-set cisco
match address 100
access-list 100 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
interface FastEthernet0/0
crypto map cisco
4. R4 and R5 reach each other via their private IPs
5. Testing the effect of NAT on R2
5.1 Ping result before NAT is enabled
5.2 Ping result after NAT is enabled
interface FastEthernet0/0
ip nat outside
interface FastEthernet1/0
ip nat inside
access-list 1 permit any
ip nat inside source list 1 interface FastEthernet0/0 overload
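5.3 Ping result after modifying the ACL
! Entries added to a numbered ACL are appended, so remove the old ACL 1 (permit any) first
no access-list 1
access-list 1 deny 172.16.1.0 0.0.0.255
access-list 1 permit any
After modifying the ACL, be sure to run this command on R2: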
clear ip nat translation *
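
Why the ping in 5.2 breaks and the one in 5.3 works again, as an added example (a Python model written for this write-up, not output from the lab routers): on the inside-to-outside path IOS applies NAT before the crypto map check, so a translated source no longer matches access-list 100. The function names are hypothetical; the addresses and ACL entries are the ones from the configuration above.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

ANY = ("0.0.0.0", "255.255.255.255")   # what "permit any" expands to

def nat_acl_permits(acl, src):
    """Standard ACL: source only, first match wins, implicit deny at the end."""
    for action, base, wc in acl:
        if wildcard_match(src, base, wc):
            return action == "permit"
    return False

# access-list 100 on R2 (traffic selected for IPSec), copied from section 3.
CRYPTO_ACL_100 = [("172.16.1.0", "0.0.0.255", "192.168.1.0", "0.0.0.255")]
R2_OUTSIDE_IP = "12.1.1.2"             # Fa0/0 address used by "overload"

def r2_forward(src, dst, nat_acl):
    """Model R2 inside->outside: NAT first, then the crypto map check."""
    if nat_acl is not None and nat_acl_permits(nat_acl, src):
        src = R2_OUTSIDE_IP            # source rewritten before crypto check
    for s, swc, d, dwc in CRYPTO_ACL_100:
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return src, "encrypted"    # matches ACL 100, ESP to peer 13.1.1.3
    return src, "cleartext"            # bypasses the tunnel

NAT_5_2 = [("permit", *ANY)]                                       # section 5.2
NAT_5_3 = [("deny", "172.16.1.0", "0.0.0.255"), ("permit", *ANY)]  # section 5.3

if __name__ == "__main__":
    cases = (("5.1 no NAT", None), ("5.2 permit any", NAT_5_2),
             ("5.3 deny first", NAT_5_3))
    for name, acl in cases:
        print(name, r2_forward("172.16.1.1", "192.168.1.1", acl))
    # Side effect of the standard ACL in 5.3: non-VPN traffic is exempt too.
    print("5.3 to R1", r2_forward("172.16.1.1", "13.1.1.1", NAT_5_3))
```

The last case shows that the standard ACL in 5.3 exempts everything sourced from 172.16.1.0/24 from NAT, not only the traffic bound for 192.168.1.0/24; an extended ACL that denies only the source and destination pair of access-list 100 keeps NAT for the remaining traffic.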