Branch L2L *** to headquarters, then PAT over the leased line to a partner (*** built with SVTI)
1. Overview:
A question came in through the blog; after a phone call the situation turned out to be roughly this:
A. Headquarters has a leased line to a partner.
B. It is inconvenient for the partner side to add a return route, so headquarters does PAT when it accesses the partner.
C. Branch offices that reach headquarters over an L2L *** should now also be PATed toward the partner.
Previously this was solved with policy-based routing: traffic from the branch to the partner was steered to a loopback interface and NAT was configured there. Later someone in a QQ group suggested GRE over IPsec, so this post verifies that approach.
2. Basic approach:
A. If the partner can add a return route, the partner can simply be treated as part of the headquarters internal network and no PAT is needed.
B. If the branch wants to connect to headquarters over *** and then be PATed to the partner, configure a loopback interface on the headquarters router, apply policy-based routing on the public interface to steer branch-to-partner traffic to the loopback, and PAT it there. ---- This was already verified in the previous post: http://333234.blog.51cto.com/323234/1309446
C. Use SVTI to build the L2L *** directly between the headquarters router and the branch router, and configure NVI (ip nat enable) on the headquarters router's tunnel interface and on the leased-line interface toward the partner, so that branch traffic going to the partner is PATed. ---- Because the ASA does not support VTI, this method does not apply if either the branch or the headquarters side uses an ASA firewall.

3. Test topology: (diagram not reproduced; addressing summarized from the configurations below)
Branch_Inside (10.1.1.1) -- Branch (E0/0 10.1.1.2, E0/1 202.100.1.2) -- Internet (E0/0 202.100.1.3, E0/1 202.100.2.3) -- Center (E0/1 202.100.2.4, E0/0 192.168.1.4) -- Center_Inside (192.168.1.5)
Center E0/2 (172.16.1.2) -- leased line -- Partner E0/0 (172.16.1.1), Loopback0 160.1.1.6

4. Basic configuration:
A. Branch_Inside router:
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.2

B. Branch router:
interface Ethernet0/0
 ip address 10.1.1.2 255.255.255.0
 ip nat inside
 no shut
interface Ethernet0/1
 ip address 202.100.1.2 255.255.255.0
 ip nat outside
 no shut
ip route 0.0.0.0 0.0.0.0 202.100.1.3
ip access-list extended PAT
 deny ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny ip 10.1.1.0 0.0.0.255 160.1.1.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 any
ip nat inside source list PAT interface Ethernet0/1 overload

C. Internet router:
interface Ethernet0/0
 ip address 202.100.1.3 255.255.255.0
 no shut
interface Ethernet0/1
 ip address 202.100.2.3 255.255.255.0
 no shut

D. Center router:
interface Ethernet0/0
 ip address 192.168.1.4 255.255.255.0
 ip nat inside
 no shut
interface Ethernet0/1
 ip address 202.100.2.4 255.255.255.0
 ip nat outside
 no shut
interface Ethernet0/2
 ip address 172.16.1.2 255.255.255.252
 no shut
ip route 0.0.0.0 0.0.0.0 202.100.2.3
ip route 160.1.1.0 255.255.255.0 172.16.1.1
ip access-list extended PAT
 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
 deny ip 192.168.1.0 0.0.0.255 160.1.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list PAT interface Ethernet0/1 overload
---- The deny entries in both PAT ACLs keep traffic for the *** peer and for the partner out of the Internet-facing PAT.

E. Center_Inside router:
interface Ethernet0/0
 ip address 192.168.1.5 255.255.255.0
 no shut
ip route 0.0.0.0 0.0.0.0 192.168.1.4

F. Partner router:
interface Loopback0
 ip address 160.1.1.6 255.255.255.0
interface Ethernet0/0
 ip address 172.16.1.1 255.255.255.252
 no shut
---- Note: no routes are configured on the partner.

5. PAT from the headquarters internal network to the partner: ---- configured on the Center router
A. Configuration:
interface Ethernet0/0
 ip nat enable
interface Ethernet0/2
 ip nat enable
ip access-list extended Center-to-partner-PAT
 permit ip 192.168.1.0 0.0.0.255 160.1.1.0 0.0.0.255
ip nat source list Center-to-partner-PAT interface Ethernet0/2 overload

B. Verification:
Center_Inside#telnet 160.1.1.6
Trying 160.1.1.6 ... Open

User Access Verification

Password:
Partner>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:42
* 130 vty 0               idle                 00:00:00 172.16.1.2

  Interface    User               Mode         Idle     Peer Address

Partner>
---- The Location column shows 172.16.1.2, the Center router's leased-line address, so the session from 192.168.1.5 was PATed.

6. L2L *** configuration from the branch to headquarters: ---- site-to-site *** built with SVTI
A. Branch router:
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 202.100.2.4
crypto ipsec transform-set transet esp-des esp-md5-hmac
crypto ipsec profile Ipsec_prfile
 set transform-set transet
interface Tunnel0
 ip address 123.1.1.1 255.255.255.0
 tunnel source Ethernet0/1
 tunnel destination 202.100.2.4
 tunnel protection ipsec profile Ipsec_prfile
ip route 160.1.1.0 255.255.255.0 Tunnel0
ip route 192.168.1.0 255.255.255.0 Tunnel0

B. Center router:
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 202.100.1.2
crypto ipsec transform-set transet esp-des esp-md5-hmac
crypto ipsec profile Ipsec_prfile
 set transform-set transet
interface Tunnel0
 ip address 123.1.1.2 255.255.255.0
 tunnel source Ethernet0/1
 tunnel destination 202.100.1.2
 tunnel protection ipsec profile Ipsec_prfile
ip route 10.1.1.0 255.255.255.0 Tunnel0

C. Verification:
Branch_Inside#ping 192.168.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 120/182/264 ms
Branch_Inside#

Center_Inside#
*Mar 1 10:07:25.293: ICMP: echo reply sent, src 192.168.1.5, dst 10.1.1.1
*Mar 1 10:07:25.561: ICMP: echo reply sent, src 192.168.1.5, dst 10.1.1.1
*Mar 1 10:07:25.701: ICMP: echo reply sent, src 192.168.1.5, dst 10.1.1.1
*Mar 1 10:07:25.809: ICMP: echo reply sent, src 192.168.1.5, dst 10.1.1.1
---- The replies go to 10.1.1.1 untranslated: branch-to-headquarters traffic entered the tunnel without passing through the Branch router's PAT.

7. PAT from the branch to the partner: ----- everything is configured on the Center router
A. Configure PAT:
interface Tunnel0
 ip nat enable
interface Ethernet0/2
 ip nat enable
ip access-list extended Branch-to-partner
 permit ip 10.1.1.0 0.0.0.255 160.1.1.0 0.0.0.255
ip nat source list Branch-to-partner interface Ethernet0/2 overload

B. Verification:
Branch_Inside#telnet 160.1.1.6
Trying 160.1.1.6 ... Open

User Access Verification

Password:
Partner>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 09:00:47
* 130 vty 0               idle                 00:00:00 172.16.1.2

  Interface    User               Mode         Idle     Peer Address

Partner>
---- The branch host 10.1.1.1 also appears at the partner as 172.16.1.2, so the tunnel-to-leased-line PAT works.
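The result above depends on three pieces of configuration fitting together: the deny entries in the Internet-facing PAT ACLs of section 4 (so branch and headquarters traffic reaches the tunnel and the leased line untranslated), the static routes that put the partner prefix into the tunnel, and the two NVI PAT lists of sections 5 and 7 on the Center router. The following Python script is an added example and is not part of the original post or any Cisco tool: it models the page's ACLs, NAT rules and static routes and reports which source address each destination ends up seeing. Interface binding (inside/outside versus NVI) is approximated by the ACLs themselves, which is exact for the flows on this page; the Internet host 203.0.113.10 and the "Branch without the partner deny" variant are constructed for illustration.

```python
"""Model of the NAT/PAT decisions in this lab (constructed example, not the post's own tooling)."""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    src: Net
    dst: Net


def _wildcard(addr: str, wild: str) -> Net:
    """IOS 'address wildcard' pair -> network (the wildcard is the inverted mask)."""
    mask = (~int(ipaddress.IPv4Address(wild))) & 0xFFFFFFFF
    return Net(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def _field(parts, i):
    if parts[i] == "any":
        return Net("0.0.0.0/0"), i + 1
    if parts[i] == "host":
        return Net(parts[i + 1] + "/32"), i + 2
    return _wildcard(parts[i], parts[i + 1]), i + 2


def parse_acl(lines):
    """Parse 'permit|deny ip <src> <dst>' entries written exactly as on the page."""
    entries = []
    for line in lines:
        parts = line.split()
        if parts[1] != "ip":
            raise ValueError(f"only 'ip' entries are modelled: {line}")
        src, i = _field(parts, 2)
        dst, _ = _field(parts, i)
        entries.append(AclEntry(parts[0], src, dst))
    return entries


def acl_permits(entries, src, dst):
    """IOS semantics: first matching entry decides, implicit deny at the end."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in entries:
        if s in e.src and d in e.dst:
            return e.action == "permit"
    return False


@dataclass
class Router:
    name: str
    nat: list      # ordered (acl_entries, overload_address) pairs
    routes: dict   # prefix -> next-hop device name; longest prefix wins

    def translate(self, src, dst):
        for acl, overload in self.nat:
            if acl_permits(acl, src, dst):
                return overload   # 'interface ... overload' -> that interface's address
        return src

    def next_hop(self, dst):
        d = ipaddress.IPv4Address(dst)
        best = max((Net(p) for p in self.routes if d in Net(p)), key=lambda n: n.prefixlen)
        return self.routes[str(best)]


def source_seen_by_destination(routers, first, src, dst):
    """Walk the path starting at `first`; return (final hop, source address the destination sees)."""
    hop = first
    while hop in routers:
        src = routers[hop].translate(src, dst)
        hop = routers[hop].next_hop(dst)
    return hop, src


# ACLs copied from the page's configurations
BRANCH_PAT = parse_acl(["deny ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255",
                        "deny ip 10.1.1.0 0.0.0.255 160.1.1.0 0.0.0.255",
                        "permit ip 10.1.1.0 0.0.0.255 any"])
CENTER_PAT = parse_acl(["deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255",
                        "deny ip 192.168.1.0 0.0.0.255 160.1.1.0 0.0.0.255",
                        "permit ip 192.168.1.0 0.0.0.255 any"])
CENTER_TO_PARTNER = parse_acl(["permit ip 192.168.1.0 0.0.0.255 160.1.1.0 0.0.0.255"])
BRANCH_TO_PARTNER = parse_acl(["permit ip 10.1.1.0 0.0.0.255 160.1.1.0 0.0.0.255"])

ROUTERS = {
    "Branch": Router("Branch", [(BRANCH_PAT, "202.100.1.2")],
                     {"10.1.1.0/24": "Branch_Inside", "192.168.1.0/24": "Center",
                      "160.1.1.0/24": "Center", "0.0.0.0/0": "Internet"}),
    "Center": Router("Center", [(CENTER_PAT, "202.100.2.4"),
                                (CENTER_TO_PARTNER, "172.16.1.2"),
                                (BRANCH_TO_PARTNER, "172.16.1.2")],
                     {"192.168.1.0/24": "Center_Inside", "10.1.1.0/24": "Branch",
                      "160.1.1.0/24": "Partner", "0.0.0.0/0": "Internet"}),
}


def branch_without_partner_deny():
    """Constructed misconfiguration: the Branch PAT ACL lacks the deny for the partner prefix."""
    acl = parse_acl(["deny ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255",
                     "permit ip 10.1.1.0 0.0.0.255 any"])
    r = ROUTERS["Branch"]
    return dict(ROUTERS, Branch=Router(r.name, [(acl, "202.100.1.2")], r.routes))


if __name__ == "__main__":
    for start, src, dst in [("Branch", "10.1.1.1", "192.168.1.5"), ("Branch", "10.1.1.1", "160.1.1.6"),
                            ("Center", "192.168.1.5", "160.1.1.6"), ("Branch", "10.1.1.1", "203.0.113.10")]:
        print(src, "->", dst, source_seen_by_destination(ROUTERS, start, src, dst))
    print("misconfigured:", source_seen_by_destination(branch_without_partner_deny(), "Branch", "10.1.1.1", "160.1.1.6"))
```

With the page's configuration the script reproduces the two verification outputs: 10.1.1.1 reaches 192.168.1.5 untranslated, and both 10.1.1.1 and 192.168.1.5 appear at the partner as 172.16.1.2. The misconfigured variant shows the failure mode worth checking for: without the deny for 160.1.1.0/24 in the Branch PAT ACL, the Branch router translates the flow to 202.100.1.2 before it enters the tunnel, the Branch-to-partner list on Center no longer matches, and the partner sees 202.100.1.2, an address it has no route back to since the partner router carries no routes at all.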