Configuring a Router IPSec Tunnel Private-to-Private Network with NAT and a Static -

Cấu hình Router R1

 

 

Building configuration...

 

Current configuration : 2342 bytes

!

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R1

!

!

no aaa new-model

!

ip subnet-zero

!

ip cef

!

no ip domain lookup

!

no ftp-server write-enable

!

crypto isakmp policy 10

 authentication pre-share

crypto isakmp key ciscokey address 100.1.1.2

no crypto isakmp ccm

!

crypto ipsec transform-set to_fred esp-des esp-md5-hmac

!

crypto map myvpn 10 ipsec-isakmp

 set peer 100.1.1.2

 set transform-set to_fred

 match address 101

!

interface FastEthernet0/0

 ip address 200.1.1.2 255.255.255.0

 ip nat outside

 ip virtual-reassembly

 duplex auto

 speed auto

 crypto map myvpn

!

interface FastEthernet0/1

 ip address 192.168.1.254 255.255.255.0

 ip nat inside

 ip virtual-reassembly

 ip route-cache policy

 ip policy route-map nonat

 duplex auto

 speed auto

!

interface Serial0/2/0

 no ip address

 shutdown

 clockrate 2000000

!

no ip address

 shutdown

 hold-queue 60 out

!

ip classless

ip route 0.0.0.0 0.0.0.0 200.1.1.1 permanent

!

!

ip http server

no ip http secure-server

ip nat inside source list 122 interface FastEthernet0/0 overload

!

access-list 101 permit ip 192.168.1.0 0.0.0.255 1.1.1.0 0.0.0.255

access-list 101 deny   ip 192.168.1.0 0.0.0.255 any

access-list 122 deny   ip 192.168.1.0 0.0.0.255 1.1.1.0 0.0.0.255

access-list 122 deny   ip host 192.168.1.3 any

access-list 122 permit ip 192.168.1.0 0.0.0.255 any

access-list 123 permit ip host 192.168.1.3 1.1.1.0 0.0.0.255

!

route-map nonat permit 10

 match ip address 123

 set ip next-hop 1.1.1.2

!

control-plane

!

!

End

 

 

Cấu hình Router R2:

 

 

Building configuration...

 

Current configuration : 1258 bytes

!

version 12.3

!

hostname R2

!

!

no aaa new-model

ip subnet-zero

ip cef

!

no ip domain lookup

!

ip audit po max-events 100

!

crypto isakmp policy 10

 authentication pre-share

crypto isakmp key ciscokey address 200.1.1.2

!

!

crypto ipsec transform-set to_fred esp-des esp-md5-hmac

!

crypto map myvpn 10 ipsec-isakmp

set transform-set to_fred

 match address 101

!

interface Loopback0

 ip address 1.1.1.1 255.255.255.0

!

interface Ethernet0/0

 ip address 100.1.1.2 255.255.255.0

 ip nat outside

 half-duplex

 crypto map myvpn

!

ip nat inside source list 175 interface Ethernet0/0 overload

ip http server

no ip http secure-server

ip classless

ip route 0.0.0.0 0.0.0.0 100.1.1.1

!

access-list 101 permit ip 1.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 175 deny   ip 1.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 175 permit ip 1.1.1.0 0.0.0.255 any

!

dial-peer cor custom

!

line con 0

 exec-timeout 0 0

 logging synchronous

line aux 0

line vty 0 4

 privilege level 15

 no login

 

Ghi chú: Trong mô hình đám mây Internet là Switch Layer 3 hoặc Router chỉ cấu hình IP kết nối với các Router R1, R2.