Dynamic LAN-to-LAN VPN: Router-to-Router
Router-to-Router Dynamic LAN-to-LAN VPN

1. Topology

Topology diagram not reproduced in the text. From the configurations below: Shanghai is the hub site, with R5 on the 15.15.15.0/24 LAN behind R1, whose outside interface is 16.16.16.1. R6 plays the Internet and is also the DHCP server for 36.36.36.0/24. Beijing is a spoke with a static public address: R2 (26.26.26.2) fronts R7 on 27.27.27.0/24. Guangzhou is a spoke with a dynamic public address: R3 obtains its outside address from R6 by DHCP and fronts R8 on 38.38.38.0/24.

2. Steps

2.1 Basic connectivity configuration:

R5:

```
interface FastEthernet0/0
 ip address 15.15.15.5 255.255.255.0
ip route 0.0.0.0 0.0.0.0 15.15.15.1
```

R1:

```
interface FastEthernet0/0
 ip address 15.15.15.1 255.255.255.0
interface FastEthernet1/0
 ip address 16.16.16.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 16.16.16.6
```

R6:

```
ip dhcp excluded-address 36.36.36.6
ip dhcp pool net36
 network 36.36.36.0 255.255.255.0
 default-router 36.36.36.6
interface FastEthernet0/0
 ip address 36.36.36.6 255.255.255.0
interface FastEthernet1/0
 ip address 16.16.16.6 255.255.255.0
interface Serial2/0
 ip address 26.26.26.6 255.255.255.0
```

R2:

```
interface FastEthernet0/0
 ip address 27.27.27.2 255.255.255.0
interface Serial2/0
 ip address 26.26.26.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 26.26.26.6
```

R7:

```
interface FastEthernet0/0
 ip address 27.27.27.7 255.255.255.0
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
```

R3:

```
interface FastEthernet0/0
 ip address dhcp
interface FastEthernet0/1
 ip address 38.38.38.3 255.255.255.0
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
```

R8:

```
interface FastEthernet1/0
 ip address 38.38.38.8 255.255.255.0
ip route 0.0.0.0 0.0.0.0 FastEthernet1/0
```

2.2 Test connectivity:

Connectivity from R1 to R2 and R3:

```
R1#ping 36.36.36.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 36.36.36.1, timeout is 2 seconds:
.!!!.
Success rate is 60 percent (3/5), round-trip min/avg/max = 76/120/200 ms
R1#ping 26.26.26.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 26.26.26.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/66/100 ms
R1#
```

Test connectivity from R1 to the Beijing and Guangzhou LANs:

```
R1#ping 27.27.27.7

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 27.27.27.7, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R1#ping 38.38.38.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 38.38.38.8, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R1#
```

Note: although R1 has a default route pointing at R6, R6 only knows the public networks 26.26.26.0, 36.36.36.0 and 16.16.16.0, which is enough for R1, R2 and R3 to reach each other but not for R1 to reach the Beijing and Guangzhou branch LANs.

Likewise, R5 cannot reach the Beijing and Guangzhou LANs:

```
R5#ping 27.27.27.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 27.27.27.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5#ping 38.38.38.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 38.38.38.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5#
```

Check R6's routing table:

```
R6# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     16.0.0.0/24 is subnetted, 1 subnets
C       16.16.16.0 is directly connected, FastEthernet1/0
     36.0.0.0/24 is subnetted, 1 subnets
C       36.36.36.0 is directly connected, FastEthernet0/0
     26.0.0.0/24 is subnetted, 1 subnets
C       26.26.26.0 is directly connected, Serial2/0
R6#
```

2.3 Configure the Dynamic LAN-to-LAN VPN:

1. Configure the IKE policy on R1:

```
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#hash sha
R1(config-isakmp)#group 2
R1(config-isakmp)#ex
```

2. Configure wildcard pre-shared-key authentication on R1 (the 0.0.0.0 0.0.0.0 address lets any peer that knows the key match the keyring, which is what allows spokes with dynamic addresses to connect):

```
R1(config)#crypto keyring abc
R1(conf-keyring)#pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
R1(config)#crypto isakmp profile ppp
% A profile is deemed incomplete until it has match identity statements
R1(conf-isa-prof)#keyring abc
R1(conf-isa-prof)#match identity address 0.0.0.0
R1(conf-isa-prof)#ex
```

3. Configure the IPsec transform set on R1:

```
R1(config)#crypto ipsec transform-set myset esp-3des esp-sha-hmac
R1(cfg-crypto-trans)#ex
```

4. Define the dynamic map on R1:

```
R1(config)#crypto dynamic-map mydyn 5
R1(config-crypto-map)#set transform-set myset
R1(config-crypto-map)#set isakmp-profile ppp
R1(config-crypto-map)#ex
R1(config)#
```

5. Create the crypto map on R1:

```
R1(config)#crypto map mymap 10 ipsec-isakmp dynamic mydyn
R1(config)#
```

6. Apply the crypto map to R1's outside interface:

```
R1(config)#int f1/0
R1(config-if)#crypto map mymap
R1(config-if)#
*Mar  1 01:36:23.111: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#ex
R1(config)#
```

7. Configure R2 the way a conventional LAN-to-LAN VPN is configured:

```
R2(config)#crypto isakmp policy 1
R2(config-isakmp)#en 3
R2(config-isakmp)#ha s
R2(config-isakmp)#au p
R2(config-isakmp)#gr 2
R2(config-isakmp)#ex
R2(config)#crypto isakmp key 0 cisco123 address 16.16.16.1
R2(config)#crypto ipsec transform-set myset esp-3des esp-sha-hmac
R2(cfg-crypto-trans)#ex
R2(config)#access-list 100 permit ip 27.27.27.0 0.0.0.255 15.15.15.0 0.0.0.255
R2(config)#crypto map l2l 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R2(config-crypto-map)#set peer 16.16.16.1
R2(config-crypto-map)#set transform-set myset
R2(config-crypto-map)#match address 100
R2(config-crypto-map)#ex
R2(config)#int s2/0
R2(config-if)#crypto map l2l
R2(config-if)#
*Mar  1 01:56:13.811: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R2(config-if)#
```

8. VPN configuration on the Guangzhou branch router R3 (dynamic IP):

```
R3(config)#crypto isakmp policy 1
R3(config-isakmp)#en 3
R3(config-isakmp)#au p
R3(config-isakmp)#ha s
R3(config-isakmp)#gr 2
R3(config-isakmp)#ex
R3(config)#crypto isakmp key 0 cisco123 add 16.16.16.1
R3(config)#crypto ipsec trans myset esp-3 esp-sha-h
R3(cfg-crypto-trans)#ex
R3(config)#access-list 100 per ip 38.38.38.0 0.0.0.255 15.15.15.0 0.0.0.255
R3(config)#crypto map l2l 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R3(config-crypto-map)#set peer 16.16.16.1
R3(config-crypto-map)#set trans myset
R3(config-crypto-map)#match add 100
R3(config-crypto-map)#ex
R3(config)#int f0/0
R3(config-if)#cry map l2l
R3(config-if)#
*Oct 18 19:30:46.219: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R3(config-if)#
```

3. Verification

3.1 First verify VPN connectivity between Beijing and Shanghai:

1. Send traffic from the hub-side Shanghai router R5 to the spoke-side Beijing network 27.27.27.0:

```
R5#ping 27.27.27.7

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 27.27.27.7, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5#
```

Note: in a Dynamic LAN-to-LAN VPN the hub cannot initiate traffic toward a spoke to trigger its own SA establishment, because it does not know the spoke's address in advance, so the Shanghai-to-Beijing traffic does not get through. The hub's SA can only be triggered by traffic sent from the spoke.

2. Send traffic from the spoke-side Beijing network 27.27.27.0 to the hub-side Shanghai router R5:

```
R7#ping 15.15.15.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.5, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 132/174/248 ms
R7#
```

Note: the traffic from the spoke to the hub successfully traverses the VPN tunnel.

3. Send traffic from the hub R5 to the spoke network 27.27.27.0 again:

```
R5#ping 27.27.27.7

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 27.27.27.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/119/244 ms
R5#
```

Note: only after traffic from the spoke to the hub has brought the tunnel up can hub-to-spoke traffic pass through the VPN normally.

4. View the IKE SA peers on R1:

```
R1(config)#do show crypto isakmp peer
Peer: 26.26.26.2 Port: 500 Local: 16.16.16.1
 Phase1 id: 26.26.26.2
R1(config)#
```

5. View the IKE SA on R1:

```
R1(config)#do show crypto isakmp sa
dst             src             state          conn-id slot status
16.16.16.1      26.26.26.2      QM_IDLE              1    0 ACTIVE
R1(config)#
```

6. View the IPsec SA on R1:

```
R1(config)#do show crypto ipsec sa

interface: FastEthernet1/0
    Crypto map tag: mymap, local addr 16.16.16.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (15.15.15.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (27.27.27.0/255.255.255.0/0/0)
   current_peer 26.26.26.2 port 500
     PERMIT, flags={}
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 16.16.16.1, remote crypto endpt.: 26.26.26.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
     current outbound spi: 0x41F65F0(69166576)

     inbound esp sas:
      spi: 0xAC742101(2893291777)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4395614/2615)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x41F65F0(69166576)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4395614/2612)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
R1(config)#
```

7. View the dynamic map parameters on R1:

```
R1(config)#do show crypto dynamic-map
Crypto Map Template"mydyn" 5
        ISAKMP Profile: ppp
        No matching address list set.
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                myset,
        }
R1(config)#
```

3.2 View the corresponding parameters on R2 (compare with R1):

```
R2#show cry isakmp peers
Peer: 16.16.16.1 Port: 500 Local: 26.26.26.2
 Phase1 id: 16.16.16.1
R2#show cry isakmp sa
dst             src             state          conn-id slot status
16.16.16.1      26.26.26.2      QM_IDLE              1    0 ACTIVE
R2#show cry ipsec sa

interface: Serial2/0
    Crypto map tag: l2l, local addr 26.26.26.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (27.27.27.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (15.15.15.0/255.255.255.0/0/0)
   current_peer 16.16.16.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 26.26.26.2, remote crypto endpt.: 16.16.16.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial2/0
     current outbound spi: 0xAC742101(2893291777)

     inbound esp sas:
      spi: 0x41F65F0(69166576)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: l2l
        sa timing: remaining key lifetime (k/sec): (4432449/2370)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xAC742101(2893291777)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: l2l
        sa timing: remaining key lifetime (k/sec): (4432449/2368)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
R2#
```

3.3 Verification of VPN connectivity between the Guangzhou router R3 and the Shanghai router R1:

1. Send traffic from the hub (Shanghai router R5) to the spoke (Guangzhou network 38.38.38.0):

```
R5#ping 38.38.38.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 38.38.38.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5#
```

Note: as expected, the hub cannot initiate traffic toward the spoke to establish the SA.

2. Send VPN-triggering traffic from the spoke (Guangzhou network 38.38.38.0) to the hub (Shanghai router R5):

```
R8#ping 15.15.15.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.5, timeout is 2 seconds:
...!.
Success rate is 20 percent (1/5), round-trip min/avg/max = 204/204/204 ms
R8#
R8#ping 15.15.15.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.5, timeout is 2 seconds:
!.!.!
Success rate is 60 percent (3/5), round-trip min/avg/max = 128/186/240 ms
R8#ping 15.15.15.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.5, timeout is 2 seconds:
!.!..
Success rate is 40 percent (2/5), round-trip min/avg/max = 164/196/228 ms
R8#
```

Note: traffic from the spoke (Guangzhou network 38.38.38.0) successfully crosses the VPN and reaches the hub.

3. Send traffic from the hub (Shanghai router R5) to the spoke (Guangzhou network 38.38.38.0) again:

```
R5#ping 38.38.38.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 38.38.38.8, timeout is 2 seconds:
!.!.!
Success rate is 60 percent (3/5), round-trip min/avg/max = 204/217/228 ms
R5#ping 38.38.38.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 38.38.38.8, timeout is 2 seconds:
!.!.!
Success rate is 60 percent (3/5), round-trip min/avg/max = 148/220/272 ms
R5#
```

Note: only after the spoke has sent triggering traffic toward the hub can traffic between hub and spoke pass through the VPN.

4. View the corresponding parameters on R1:

```
R1#show cry isakmp peer
Peer: 26.26.26.2 Port: 500 Local: 16.16.16.1
 Phase1 id: 26.26.26.2
Peer: 36.36.36.1 Port: 500 Local: 16.16.16.1
 Phase1 id: 36.36.36.1
R1#show cry isakmp sa
dst             src             state          conn-id slot status
16.16.16.1      26.26.26.2      QM_IDLE              1    0 ACTIVE
16.16.16.1      36.36.36.1      QM_IDLE              2    0 ACTIVE
R1#show cry ipsec sa

interface: FastEthernet1/0
    Crypto map tag: mymap, local addr 16.16.16.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (15.15.15.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (27.27.27.0/255.255.255.0/0/0)
   current_peer 26.26.26.2 port 500
     PERMIT, flags={}
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 16.16.16.1, remote crypto endpt.: 26.26.26.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
     current outbound spi: 0x41F65F0(69166576)

     inbound esp sas:
      spi: 0xAC742101(2893291777)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4395613/1046)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x41F65F0(69166576)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4395613/1043)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (15.15.15.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (38.38.38.0/255.255.255.0/0/0)
   current_peer 36.36.36.1 port 500
     PERMIT, flags={}
    #pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16
    #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 16.16.16.1, remote crypto endpt.: 36.36.36.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
     current outbound spi: 0x23231BC(36843964)

     inbound esp sas:
      spi: 0xDA7CCED8(3665612504)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: SW:3, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4419243/3185)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x23231BC(36843964)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: SW:4, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4419242/3181)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
R1#
```

5. View the corresponding parameters on the Guangzhou router R3:

```
R3#show cry isakmp peers
Peer: 16.16.16.1 Port: 500 Local: 36.36.36.1
 Phase1 id: 16.16.16.1
R3#show cry isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
16.16.16.1      36.36.36.1      QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA

R3#show cry ipsec sa

interface: FastEthernet0/0
    Crypto map tag: l2l, local addr 36.36.36.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (38.38.38.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (15.15.15.0/255.255.255.0/0/0)
   current_peer 16.16.16.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
    #pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 36.36.36.1, remote crypto endpt.: 16.16.16.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xDA7CCED8(3665612504)

     inbound esp sas:
      spi: 0x23231BC(36843964)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: 1, crypto map: l2l
        sa timing: remaining key lifetime (k/sec): (4576678/3065)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xDA7CCED8(3665612504)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: 2, crypto map: l2l
        sa timing: remaining key lifetime (k/sec): (4576679/3065)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
R3#
```

4. Test the effect of NAT on the Dynamic LAN-to-LAN VPN:

4.1 Configure NAT on R3:

```
R3(config)#int f0/0
R3(config-if)#ip nat outside
*Oct 18 20:19:27.023: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
R3(config-if)#int f0/1
R3(config-if)#ip nat inside
R3(config-if)#ex
R3(config)#access-list 110 permit ip any any
R3(config)#ip nat inside source list 110 interface f0/0 overload
```

4.2 Test traffic from the hub R5 to Beijing (no NAT) and to Guangzhou (NAT):

```
R5#ping 27.27.27.7

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 27.27.27.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 136/157/208 ms
R5#ping 38.38.38.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 38.38.38.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5#
```

4.3 View the NAT translations on the Guangzhou router R3:

```
R3#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 36.36.36.1:5      38.38.38.8:5       15.15.15.5:5       15.15.15.5:5
R3#
```

Note: the traffic from Guangzhou 38.38.38.0 to Shanghai 15.15.15.0 was NAT-translated, so it no longer matched the crypto ACL and never entered IPsec.

4.4 Configure an ACL on R3 so that the interesting traffic bypasses NAT:

```
R3(config)#no access-list 110
R3(config)#access-list 110 deny ip 38.38.38.0 0.0.0.255 15.15.15.0 0.0.0.255
R3(config)#access-list 110 permit ip any any
R3(config)#exit
R3#clear ip nat translation *
R3#
```

4.5 Send traffic again from Shanghai 15.15.15.0 to Guangzhou 38.38.38.0 and Beijing 27.27.27.0:

```
R5#ping 38.38.38.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 38.38.38.8, timeout is 2 seconds:
!.!.!
Success rate is 60 percent (3/5), round-trip min/avg/max = 212/261/340 ms
R5#
R5#ping 27.27.27.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 27.27.27.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/137/216 ms
R5#
```

Note: with the ACL excluding the interesting traffic from NAT, traffic from Shanghai to Beijing and Guangzhou once again crosses the Internet through the IPsec VPN tunnel. In an IPsec VPN, therefore, make sure the traffic IPsec is meant to protect bypasses NAT translation; otherwise the VPN connectivity fails.

5. A question I ran into; pointers from someone more experienced would be appreciated.

Why do pings in both directions between the Shanghai network 15.15.15.0 and Guangzhou's R8 (38.38.38.8) all show !.!.!, while pings between Shanghai and R3's 38.38.38.3 are normal? See below:

```
R1#ping 38.38.38.8 so 15.15.15.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 38.38.38.8, timeout is 2 seconds:
Packet sent with a source address of 15.15.15.1
.!...
Success rate is 20 percent (1/5), round-trip min/avg/max = 156/156/156 ms
R1#
R5#ping 38.38.38.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 38.38.38.8, timeout is 2 seconds:
!.!.!
Success rate is 60 percent (3/5), round-trip min/avg/max = 212/261/340 ms
R5#
R8#ping 15.15.15.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.1, timeout is 2 seconds:
!.!.!
Success rate is 60 percent (3/5), round-trip min/avg/max = 172/184/196 ms
R8#
R8#ping 15.15.15.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.5, timeout is 2 seconds:
!.!.!
Success rate is 60 percent (3/5), round-trip min/avg/max = 160/197/260 ms
R8#
```

Pings between R3's 38.38.38.3 and Shanghai 15.15.15.0 are normal:

```
R3#ping 15.15.15.5 so 38.38.38.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.5, timeout is 2 seconds:
Packet sent with a source address of 38.38.38.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 128/235/340 ms
R3#
R3#ping 15.15.15.5 so 38.38.38.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.5, timeout is 2 seconds:
Packet sent with a source address of 38.38.38.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/126/172 ms
R3#
R5#ping 38.38.38.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 38.38.38.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/155/212 ms
R5#
R1#ping 38.38.38.3 so 15.15.15.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 38.38.38.3, timeout is 2 seconds:
Packet sent with a source address of 15.15.15.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/110/144 ms
R1#
```

The only difference between R3 and R2 is that the IP address on R3's outside interface is obtained via DHCP.

Reposted from: https://blog.51cto.com/henuxzy/1031007
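The `show crypto ipsec sa` dumps in section 3 are where an operator would first notice a half-working tunnel (packets encapsulated but none decapsulated, a missing inbound SA, send errors). The following parser and health check are an added example, not code from the original post; the sample output is constructed in the IOS format quoted above, and the one-way 36.36.36.1 flow in it is invented to exercise the checks.

```python
import re

# Constructed sample in the format of the IOS "show crypto ipsec sa" output on this page,
# trimmed to the lines the parser reads; the 36.36.36.1 flow is made one-way on purpose.
SAMPLE = """\
    Crypto map tag: mymap, local addr 16.16.16.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (15.15.15.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (27.27.27.0/255.255.255.0/0/0)
   current_peer 26.26.26.2 port 500
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
    #send errors 0, #recv errors 0
     current outbound spi: 0x41F65F0(69166576)
     inbound esp sas:
      spi: 0xAC742101(2893291777)
     outbound esp sas:
      spi: 0x41F65F0(69166576)
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (15.15.15.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (38.38.38.0/255.255.255.0/0/0)
   current_peer 36.36.36.1 port 500
    #pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 1, #recv errors 0
     current outbound spi: 0x23231BC(36843964)
     inbound esp sas:
     outbound esp sas:
      spi: 0x23231BC(36843964)
"""

def _field(pattern, text, default=None):
    m = re.search(pattern, text)
    return m.group(1) if m else default

def parse_ipsec_sa(text):
    """One dict per protected flow (local ident / remote ident / peer) in the output."""
    flows = []
    for chunk in re.split(r"protected vrf:", text)[1:]:
        head, _, rest = chunk.partition("inbound esp sas:")
        inbound, _, outbound = rest.partition("outbound esp sas:")
        flows.append({
            "local": _field(r"local\s+ident \(addr/mask/prot/port\): \(([^)]*)\)", head),
            "remote": _field(r"remote ident \(addr/mask/prot/port\): \(([^)]*)\)", head),
            "peer": _field(r"current_peer (\S+) port", head),
            "encaps": int(_field(r"#pkts encaps: (\d+)", head, 0)),
            "decaps": int(_field(r"#pkts decaps: (\d+)", head, 0)),
            "send_errors": int(_field(r"#send errors (\d+)", head, 0)),
            "inbound_spi": re.findall(r"\bspi: (0x[0-9A-Fa-f]+)", inbound),
            "outbound_spi": re.findall(r"\bspi: (0x[0-9A-Fa-f]+)", outbound),
        })
    return flows

def check_flows(flows):
    """Findings an operator would act on: missing SA, one-way traffic, send errors."""
    findings = []
    for f in flows:
        tag = f"peer {f['peer']} {f['local']} -> {f['remote']}"
        if not f["inbound_spi"] or not f["outbound_spi"]:
            findings.append((f["peer"], f"{tag}: missing inbound or outbound ESP SA"))
        if f["encaps"] > 0 and f["decaps"] == 0:
            findings.append((f["peer"], f"{tag}: one-way, nothing decapsulated (check NAT and crypto ACLs on the far side)"))
        if f["send_errors"]:
            findings.append((f["peer"], f"{tag}: {f['send_errors']} send errors"))
    return findings
```

Feed it the full output of `show crypto ipsec sa` from a hub such as R1 and every spoke flow gets its own entry, so the check runs across all dynamic peers at once.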
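Section 4 shows why the NAT ACL on R3 must deny the crypto ACL's traffic: inside-to-outside NAT runs before the crypto map, so translated packets no longer match the IPsec proxy identities. The checker below is an added example, not part of the original post; it parses the page's own `access-list` lines (only `ip` entries with `any`, `host` or contiguous wildcard masks, an assumption of this example) and reports crypto-ACL flows that the NAT ACL would still translate.

```python
import ipaddress

def _network(addr, wildcard):
    """Turn an IOS address/wildcard pair such as 38.38.38.0 0.0.0.255 into a network."""
    wc = int(ipaddress.ip_address(wildcard))
    if wc & (wc + 1):  # only contiguous wildcard masks are handled by this checker
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)

def _take_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return _network(tokens[0], tokens[1]), tokens[2:]

def parse_acl(lines):
    """Parse 'access-list N permit|deny ip SRC DST' lines into [(action, src, dst)]."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError(f"unsupported ACE: {line}")
        src, rest = _take_addr(t[4:])
        dst, _ = _take_addr(rest)
        entries.append((t[2], src, dst))
    return entries

def acl_permits(entries, src, dst):
    """First-match evaluation with the implicit deny IOS appends to every ACL."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s, d in entries:
        if src in s and dst in d:
            return action == "permit"
    return False

def nat_leaks(crypto_acl, nat_acl):
    """Return crypto-ACL (src, dst) pairs the NAT ACL would still translate.
    Inside-to-outside NAT runs before the crypto map is consulted, so such traffic
    reaches the tunnel with a translated source and never matches the IPsec SA.
    Each range is probed at its first and last address only (an approximation)."""
    leaking = []
    for action, s, d in crypto_acl:
        if action != "permit":
            continue
        probes = [(a, b) for a in (s[0], s[-1]) for b in (d[0], d[-1])]
        if any(acl_permits(nat_acl, a, b) for a, b in probes):
            leaking.append((s, d))
    return leaking

# The ACLs from this page: R3's crypto ACL 100 and NAT ACL 110 before and after the fix.
CRYPTO_ACL = parse_acl(["access-list 100 permit ip 38.38.38.0 0.0.0.255 15.15.15.0 0.0.0.255"])
NAT_BEFORE = parse_acl(["access-list 110 permit ip any any"])
NAT_AFTER = parse_acl([
    "access-list 110 deny ip 38.38.38.0 0.0.0.255 15.15.15.0 0.0.0.255",
    "access-list 110 permit ip any any",
])

if __name__ == "__main__":
    print("before fix:", nat_leaks(CRYPTO_ACL, NAT_BEFORE))  # one leaking pair
    print("after fix: ", nat_leaks(CRYPTO_ACL, NAT_AFTER))   # []
```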