Branch L2L VPN to headquarters, then PAT over a leased line to the partner (VPN built with SVTI)

2023-05-07 (Sunday)


1. Overview:

I received a question from a reader of the blog; after talking it through on the phone, the situation was roughly this:

A. Headquarters has a leased line to a partner.
B. It is inconvenient for the partner side to add a return route, so headquarters does PAT when accessing the partner.
C. Now the branch's L2L VPN should connect to headquarters and, from there, also be PATed to the partner.

Previously I used policy routing to steer branch-to-partner traffic to a loopback interface and configured NAT there; later a member of a QQ group suggested GRE over IPsec, so I decided to verify that approach.
2. Basic approach:

A. If the partner can add a return route, the partner can simply be treated as part of the headquarters internal network, and no PAT is needed.
B. If the branch should reach the partner through the VPN to headquarters and then be PATed, configure a loopback interface on the headquarters router, apply a policy route on the public interface that steers branch-to-partner traffic to the loopback, and PAT it there.
---- This was already verified in the previous post: http://333234.blog.51cto.com/323234/1309446
C. Use SVTI to build the L2L VPN directly between the headquarters and branch routers, and configure NVI on the headquarters router's tunnel interface and on the leased-line interface to the partner, so that branch-to-partner traffic is PATed.
---- Because the ASA does not support VTI, this approach does not apply if either the branch or the headquarters side uses an ASA firewall.

3. Test topology:

The diagram is not included here; the devices and links, as given by the configuration below, are: Branch_Inside (10.1.1.1) - Branch (10.1.1.2 / 202.100.1.2) - Internet (202.100.1.3 / 202.100.2.3) - Center (202.100.2.4 / 192.168.1.4) - Center_Inside (192.168.1.5), with Center's Ethernet0/2 (172.16.1.2) on the leased line to Partner (172.16.1.1, Loopback0 160.1.1.6).

4. Basic configuration:

A. Branch_Inside router:

interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.2

B. Branch router:

interface Ethernet0/0
 ip address 10.1.1.2 255.255.255.0
 ip nat inside
 no shut
interface Ethernet0/1
 ip address 202.100.1.2 255.255.255.0
 ip nat outside
 no shut
ip route 0.0.0.0 0.0.0.0 202.100.1.3
ip access-list extended PAT
 deny ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny ip 10.1.1.0 0.0.0.255 160.1.1.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 any
ip nat inside source list PAT interface Ethernet0/1 overload

C. Internet router:

interface Ethernet0/0
 ip address 202.100.1.3 255.255.255.0
 no shut
interface Ethernet0/1
 ip address 202.100.2.3 255.255.255.0
 no shut

D. Center router:

interface Ethernet0/0
 ip address 192.168.1.4 255.255.255.0
 ip nat inside
 no shut
interface Ethernet0/1
 ip address 202.100.2.4 255.255.255.0
 ip nat outside
 no shut
interface Ethernet0/2
 ip address 172.16.1.2 255.255.255.252
 no shut
ip route 0.0.0.0 0.0.0.0 202.100.2.3
ip route 160.1.1.0 255.255.255.0 172.16.1.1
ip access-list extended PAT
 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
 deny ip 192.168.1.0 0.0.0.255 160.1.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list PAT interface Ethernet0/1 overload

E. Center_Inside router:

interface Ethernet0/0
 ip address 192.168.1.5 255.255.255.0
 no shut
ip route 0.0.0.0 0.0.0.0 192.168.1.4

F. Partner router:

interface Loopback0
 ip address 160.1.1.6 255.255.255.0
interface Ethernet0/0
 ip address 172.16.1.1 255.255.255.252
 no shut
---- Note: no routes are configured on the Partner router.

5. PAT from the headquarters LAN to the partner:

---- Configured on the Center (headquarters) router.

A. Configuration:

interface Ethernet0/0
 ip nat enable
interface Ethernet0/2
 ip nat enable
ip access-list extended Center-to-partner-PAT
 permit ip 192.168.1.0 0.0.0.255 160.1.1.0 0.0.0.255
ip nat source list Center-to-partner-PAT interface Ethernet0/2 overload

B. Verification:

Center_Inside#telnet 160.1.1.6
Trying 160.1.1.6 ... Open

User Access Verification

Password:
Partner>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:42
*130 vty 0                idle                 00:00:00 172.16.1.2

  Interface    User               Mode         Idle     Peer Address

Partner>

The Location column shows 172.16.1.2, the address of Center's Ethernet0/2, so the telnet session from 192.168.1.5 was translated before it crossed the leased line, and the Partner router can answer over its directly connected link without any route to 192.168.1.0/24.
6. L2L VPN from the branch to headquarters:

---- The site-to-site VPN is built with SVTI.

A. Branch router:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 202.100.2.4
crypto ipsec transform-set transet esp-des esp-md5-hmac
crypto ipsec profile Ipsec_prfile
 set transform-set transet
interface Tunnel0
 ip address 123.1.1.1 255.255.255.0
 tunnel source Ethernet0/1
 tunnel destination 202.100.2.4
 tunnel protection ipsec profile Ipsec_prfile
ip route 160.1.1.0 255.255.255.0 Tunnel0
ip route 192.168.1.0 255.255.255.0 Tunnel0

B. Center router:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 202.100.1.2
crypto ipsec transform-set transet esp-des esp-md5-hmac
crypto ipsec profile Ipsec_prfile
 set transform-set transet
interface Tunnel0
 ip address 123.1.1.2 255.255.255.0
 tunnel source Ethernet0/1
 tunnel destination 202.100.1.2
 tunnel protection ipsec profile Ipsec_prfile
ip route 10.1.1.0 255.255.255.0 Tunnel0

C. Verification:

Branch_Inside#ping 192.168.1.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 120/182/264 ms
Branch_Inside#

Center_Inside#
*Mar 1 10:07:25.293: ICMP: echo reply sent, src 192.168.1.5, dst 10.1.1.1
*Mar 1 10:07:25.561: ICMP: echo reply sent, src 192.168.1.5, dst 10.1.1.1
*Mar 1 10:07:25.701: ICMP: echo reply sent, src 192.168.1.5, dst 10.1.1.1
*Mar 1 10:07:25.809: ICMP: echo reply sent, src 192.168.1.5, dst 10.1.1.1

The first echo is lost while the IPsec SA is being negotiated; the replies on Center_Inside are addressed to 10.1.1.1 itself, confirming that traffic across the tunnel is not translated.
7. PAT from the branch to the partner:

---- All of this is configured on the Center router.

A. PAT configuration:

interface Tunnel0
 ip nat enable
interface Ethernet0/2
 ip nat enable
ip access-list extended Branch-to-partner
 permit ip 10.1.1.0 0.0.0.255 160.1.1.0 0.0.0.255
ip nat source list Branch-to-partner interface Ethernet0/2 overload

B. Verification:

Branch_Inside#telnet 160.1.1.6
Trying 160.1.1.6 ... Open

User Access Verification

Password:
Partner>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 09:00:47
*130 vty 0                idle                 00:00:00 172.16.1.2

  Interface    User               Mode         Idle     Peer Address

Partner>

Here too the partner sees the session coming from 172.16.1.2: the traffic from 10.1.1.1 entered Center over Tunnel0, matched Branch-to-partner, and was translated to the Ethernet0/2 address before crossing the leased line.
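The Center router ends up with three NAT policies: the legacy inside/outside PAT toward the Internet (section 4) and the two NVI rules toward the partner (sections 5 and 7). Which source address a flow carries depends on the ACL entries, their order, and which pair of interfaces the packet crosses. The following Python script is an added example, not code from the original post, that models those ACLs with IOS wildcard-mask and first-match semantics and replays the flows from the verification steps. The interface table and the split between a legacy inside-to-outside domain and an NVI domain are assumptions made for this model, not a description of IOS internals.

```python
# Added example (not from the original post): model the Center router's
# NAT policy and check which source address each flow leaves with.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: str     # "network wildcard" or "any"
    dst: str     # "network wildcard" or "any"


def _wildcard_match(addr: str, spec: str) -> bool:
    """IOS wildcard semantics: bits that are 0 in the wildcard must match."""
    if spec == "any":
        return True
    net, wildcard = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF & ~w
    return (a & care) == (n & care)


def acl_permits(acl, src: str, dst: str) -> bool:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if _wildcard_match(src, ace.src) and _wildcard_match(dst, ace.dst):
            return ace.action == "permit"
    return False


# ACLs copied from the post's Center router configuration.
PAT = [
    Ace("deny", "192.168.1.0 0.0.0.255", "10.1.1.0 0.0.0.255"),
    Ace("deny", "192.168.1.0 0.0.0.255", "160.1.1.0 0.0.0.255"),
    Ace("permit", "192.168.1.0 0.0.0.255", "any"),
]
CENTER_TO_PARTNER_PAT = [Ace("permit", "192.168.1.0 0.0.0.255", "160.1.1.0 0.0.0.255")]
BRANCH_TO_PARTNER = [Ace("permit", "10.1.1.0 0.0.0.255", "160.1.1.0 0.0.0.255")]

# Interface roles taken from the post: legacy "ip nat inside/outside" and
# NVI "ip nat enable". This table is an assumption of the model.
IFACES = {
    "Ethernet0/0": {"ip": "192.168.1.4", "legacy": "inside", "nvi": True},
    "Ethernet0/1": {"ip": "202.100.2.4", "legacy": "outside", "nvi": False},
    "Ethernet0/2": {"ip": "172.16.1.2", "legacy": None, "nvi": True},
    "Tunnel0": {"ip": "123.1.1.2", "legacy": None, "nvi": True},
}

# ip nat inside source list PAT interface Ethernet0/1 overload
LEGACY_RULES = [(PAT, "Ethernet0/1")]
# ip nat source list <acl> interface Ethernet0/2 overload (NVI form)
NVI_RULES = [(CENTER_TO_PARTNER_PAT, "Ethernet0/2"), (BRANCH_TO_PARTNER, "Ethernet0/2")]


def translated_source(src: str, dst: str, in_if: str, out_if: str) -> str:
    """Return the source address the packet carries when it leaves out_if.

    Simplified model (assumption): legacy NAT applies only to traffic going
    from an 'inside' to an 'outside' interface; NVI NAT applies when both
    interfaces have 'ip nat enable' and the packet exits the interface named
    in the rule. A flow that matches no permit entry is forwarded untranslated.
    """
    if IFACES[in_if]["legacy"] == "inside" and IFACES[out_if]["legacy"] == "outside":
        for acl, egress in LEGACY_RULES:
            if egress == out_if and acl_permits(acl, src, dst):
                return IFACES[egress]["ip"]
    if IFACES[in_if]["nvi"] and IFACES[out_if]["nvi"]:
        for acl, egress in NVI_RULES:
            if egress == out_if and acl_permits(acl, src, dst):
                return IFACES[egress]["ip"]
    return src


if __name__ == "__main__":
    # Flows from the post's verification steps plus one Internet-bound flow.
    print(translated_source("192.168.1.5", "160.1.1.6", "Ethernet0/0", "Ethernet0/2"))  # 172.16.1.2
    print(translated_source("10.1.1.1", "160.1.1.6", "Tunnel0", "Ethernet0/2"))        # 172.16.1.2
    print(translated_source("192.168.1.5", "10.1.1.1", "Ethernet0/0", "Tunnel0"))      # 192.168.1.5
    print(translated_source("192.168.1.5", "8.8.8.8", "Ethernet0/0", "Ethernet0/1"))   # 202.100.2.4
```

The third flow is the one worth watching when changing these ACLs: headquarters-to-branch traffic crosses Tunnel0, which carries no legacy role and matches neither NVI list, so it keeps 192.168.1.5, exactly as the ICMP debug in section 6 shows. Dropping the deny entries from the PAT list would not change that here (Tunnel0 is not `ip nat outside`), but the model makes such a consequence visible before it reaches a router.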
