R1:主要配置: R2 配置一样crypto isakmp policy 10 --策略基本一样encr 3deshash md5authentication pre-sharegroup 2cryp
.
R1:主要配置: R2 配置一样
crypto isakmp policy 10 --策略基本一样
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 200.200.200.2 --×××的密钥
!
!
crypto ipsec transform-set myset ah-md5-hmac esp-3des esp-md5-hmac --转换集加密
!
crypto map mymap 10 ipsec-isakmp --加密图设置
set peer 200.200.200.2
set transform-set myset
match address ×××-192.168.10.0-to-172.24.10.0 --匹配感兴趣流量 走×××
interface FastEthernet0/0
ip address 200.100.100.2 255.255.255.0
ip nat outside
crypto map mymap
!
interface FastEthernet0/1.10
encapsulation dot1Q 10
ip address 192.168.10.254 255.255.255.0
ip nat inside
interface FastEthernet0/1.20
encapsulation dot1Q 20
ip address 192.168.20.254 255.255.255.0
ip nat inside
ip route 0.0.0.0 0.0.0.0 200.100.100.1
!
ip nat pool NAT-POOL 200.100.100.100 200.100.100.120 netmask 255.255.255.0
ip nat inside source list inside-to-out pool NAT-POOL overload
!
!
ip access-list extended ×××-192.168.10.0-to-172.24.10.0 --×××感兴趣流量
permit ip 192.168.10.0 0.0.0.255 172.24.10.0 0.0.0.255
ip access-list extended inside-to-out --做 NAT ACL
deny ip 192.168.10.0 0.0.0.255 172.24.10.0 0.0.0.255 --通过×××就不能做NAT 转换
permit ip 192.168.10.0 0.0.0.255 any
permit ip 192.168.20.0 0.0.0.255 any
.
