NAT部分1、配置NAT匹配流量ip access-list extended nat-insidepermit ip host 10.16.8.1 192.169.0.0 0.0.255.2552、
.
NAT部分
1、配置NAT匹配流量
.ip access-list extended nat-inside
permit ip host 10.16.8.1 192.169.0.0 0.0.255.255
2、配置NAT Pool
.ip nat pool src-pool 192.168.29.10 192.168.29.20 prefix-length 24
.3、配置NAT转换
.ip nat inside source list nat-inside pool src-pool overload
.IPSEC 部分
1、配置isakmp policy
.crypto isakmp policy 1
encr aes
authentication pre-share
group 2
2、配置对端地址和密钥
.crypto isakmp key Passw0rd address 131.5.12.184
.3、配置隧道模式
.crypto ipsec security-association lifetime seconds 28800
crypto ipsec transform-set jieru esp-aes esp-sha-hmac
mode tunnel
4、配置感兴趣流
.注意:感兴趣流的源地址为NAT转换后的pool的地址
ip access-list extended dataflow
permit ip 192.168.29.0 0.0.0.255 192.169.0.0 0.0.255.255
5、配置ipsec-isakmp
.crypto map remote-jieru 10 ipsec-isakmp
set peer 131.5.12.184
set transform-set jieru
match address dataflow
6、关联接口
.int g0/0/0
crypto map remote-jieru
总结
通过这种方式让第三方平台配置后接入我端,我端的配置不会因为对端感兴趣流的调整而改变,能够减轻工作量。
.