碧云天
This post was last edited by 碧云天 on 2019-11-15 16:57
1. Overview
In most deployments the headquarters has a fixed public IP, while a branch office reaches the Internet over ordinary broadband with no fixed public IP, sometimes not even a real public IP: the ISP performs another PAT before the traffic reaches the Internet. Branch networks are also usually simple, perhaps one router and one switch, so the VPN has to be configured on the border router itself. This post builds GRE over IPsec between such a branch and the headquarters, with NAT traversal on both ends and a DNS name (simulating DDNS) as the only fixed reference to the headquarters.
2. Test topology
The test topology is shown below. In the test, DHCP on the Branch router's public interface is simulated by changing the interface IP by hand, and dynamic PAT is configured on the Internet router to simulate the case where the address Branch obtains is not a real public IP. The Internet router also acts as DNS server, with Branch as a DNS client; changing the DNS record together with the IP of Center's public interface simulates DDNS.
[topology image: 164714kirk0vijozitho3o.png]

3. Configuration steps
1. Basic configuration
① PC router
hostname PC
interface Ethernet0/0
ip address 192.168.1.1 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.1.10
② Branch router
hostname Branch
interface Loopback0
ip address 11.1.1.1 255.255.255.255
interface Ethernet0/0
ip address 192.168.1.10 255.255.255.0
ip nat inside
no shutdown
interface Ethernet0/1
ip address 202.100.1.1 255.255.255.0
ip nat outside
no shutdown
ip route 0.0.0.0 0.0.0.0 202.100.1.10
③ Internet router
hostname Internet
interface Ethernet0/0
ip address 202.100.1.10 255.255.255.0
ip nat inside
no shutdown
interface Ethernet0/1
ip address 61.128.1.10 255.255.255.0
ip nat outside
no shutdown
④ Center router
hostname Center
interface Ethernet0/0
ip address 61.128.1.1 255.255.255.0
ip nat outside
no shutdown
interface Ethernet0/1
ip address 10.1.1.10 255.255.255.0
ip nat inside
no shutdown
ip route 0.0.0.0 0.0.0.0 61.128.1.10
⑤ Center-VPN router
hostname Center-VPN
interface Loopback0
ip address 192.168.2.1 255.255.255.0
ip ospf network point-to-point
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 10.1.1.10
2. DNS configuration
① Internet router
ip dns server
ip host center.yuntian.com 61.128.1.1
② Branch router
ip name-server 202.100.1.10
Note: the Internet router answers for center.yuntian.com from its host table; later in the test this record is rewritten by hand, which plays the role of a DDNS update.

3. GRE tunnel configuration
① Branch router
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
tunnel source Loopback0
tunnel destination 10.1.1.1
② Center-VPN router
interface Tunnel0
ip address 172.16.1.100 255.255.255.0
tunnel source Ethernet0/0
tunnel destination 11.1.1.1
Note: the tunnel destination must be the tunnel source address configured on the peer. Both endpoints here (11.1.1.1 and 10.1.1.1) are private addresses that are not routable across the Internet, so the GRE packets can only reach the other side once they are wrapped in IPsec; this is why the crypto ACL in step 5 matches exactly this GRE pair. Sourcing the Branch tunnel from Loopback0 rather than the public interface keeps the GRE endpoint stable when the public address changes.
4. NAT configuration
① Branch router
ip access-list extended pat
permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list pat interface Ethernet0/1 overload
② Internet router
ip access-list extended pat
permit ip 202.100.1.0 0.0.0.255 any
ip nat inside source list pat interface Ethernet0/1 overload
③ Center router
ip nat inside source static udp 10.1.1.1 500 interface Ethernet0/0 500
ip nat inside source static udp 10.1.1.1 4500 interface Ethernet0/0 4500
Note: Branch translates only the LAN (192.168.1.0/24) onto Ethernet0/1 for plain Internet access; LAN traffic to the headquarters leaves through Tunnel0, which is not an NAT outside interface, so it is not translated. The Internet router translates the whole 202.100.1.0/24 range onto 61.128.1.10, which is the "fake public IP" case from the overview: Center only ever sees 61.128.1.10 as the peer. Center forwards UDP 500 (IKE) and UDP 4500 (NAT-T) to Center-VPN and nothing else; raw ESP (IP protocol 50) is not forwarded, so the design relies on both peers detecting the NAT during IKE and moving the ESP traffic into UDP 4500.
5. VPN and dynamic routing configuration
① Branch router
--Phase 1 policy
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
Note: the 0.0.0.0 0.0.0.0 wildcard makes this single pre-shared key valid for any peer address. That is unavoidable when the peer's address is not fixed, but it means the key alone authenticates the peer, so it should be long and random rather than "cisco". 3DES, MD5 and DH group 2 are lab choices that are deprecated today; in production use AES, SHA-256 and DH group 14 or stronger on both routers.
--Phase 2 transform set
crypto ipsec transform-set transet esp-3des esp-md5-hmac
Note: in testing, whenever NAT is present the SA always comes up in tunnel mode, even if transport mode is configured. (The transform set above has no `mode transport` line, so tunnel mode is its default.)
---Interesting traffic
ip access-list extended gre
permit gre host 11.1.1.1 host 10.1.1.1
This matches only the GRE packets between the two tunnel endpoints, so everything carried inside Tunnel0 (OSPF and the LAN-to-LAN traffic) is encrypted and nothing else is.
---Static crypto map
crypto map crymap 10 ipsec-isakmp
set peer center.yuntian.com dynamic
set transform-set transet
match address gre
The `dynamic` keyword makes the router resolve center.yuntian.com again before each negotiation instead of once at configuration time; this is what lets Branch follow the DNS record when Center's public address changes.
---DPD
crypto isakmp keepalive 10
Without the `periodic` keyword this is on-demand DPD: a DPD request is sent only when the router has traffic for the peer and has not heard from it for 10 seconds (the retry interval defaults to 2 seconds).
---Apply the static crypto map on the public interface
interface Ethernet0/1
crypto map crymap
The crypto map must sit on the interface the IPsec packets leave through, which in this topology is Ethernet0/1; Ethernet0/0 is the inside interface.
--Dynamic routing
router ospf 1
passive-interface Ethernet0/0
network 172.16.1.0 0.0.0.255 area 0
network 192.168.1.10 0.0.0.0 area 0
② Center-VPN router
--Phase 1 policy
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
--Phase 2 transform set
crypto ipsec transform-set transet esp-3des esp-md5-hmac
---Dynamic and static crypto map
crypto dynamic-map dymap 10
set transform-set transet
crypto map crymap 10 ipsec-isakmp dynamic dymap
Because Branch's address is not known in advance, Center-VPN uses a dynamic crypto map with no peer and no ACL: it accepts the proposal, including the GRE proxy identities, from whichever peer presents the pre-shared key, and it can only respond to negotiations, never initiate them. The tunnel is therefore always brought up from the Branch side.
---DPD
crypto isakmp keepalive 10
---Apply the static crypto map on the physical interface
interface Ethernet0/0
crypto map crymap
--Dynamic routing
router ospf 1
passive-interface Loopback0
network 172.16.1.0 0.0.0.255 area 0
network 192.168.2.1 0.0.0.0 area 0
Only the tunnel subnet and the LANs are advertised through OSPF; the GRE endpoints 11.1.1.1 and 10.1.1.1 are deliberately left out, otherwise the tunnel could learn a route to its own endpoint through itself and flap.
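The two cross-references this design depends on (each side's tunnel destination must be the peer's tunnel source, and the Branch crypto ACL must match exactly that GRE pair) are easy to mistype and hard to spot in a long config. The following Python script is an added example, not code from the original post or from Cisco: it parses the Branch and Center-VPN configs above (embedded as indented IOS text, with the crypto map on Branch's public interface Ethernet0/1) using a minimal block parser, then checks those cross-references and that a crypto map is actually bound on each router. BROKEN_BRANCH_CFG is a constructed mistake, pointing the tunnel at Center's inside address 10.1.1.10 instead of Center-VPN, included only to show the checks failing. The parser models only the command forms the post uses.

```python
import ipaddress

# Excerpts of the two configs from the post (IOS indents sub-commands with one space).
BRANCH_CFG = """\
interface Loopback0
 ip address 11.1.1.1 255.255.255.255
interface Ethernet0/1
 ip address 202.100.1.1 255.255.255.0
 crypto map crymap
interface Tunnel0
 tunnel source Loopback0
 tunnel destination 10.1.1.1
ip access-list extended gre
 permit gre host 11.1.1.1 host 10.1.1.1
crypto map crymap 10 ipsec-isakmp
 set peer center.yuntian.com dynamic
 set transform-set transet
 match address gre
"""
CENTER_VPN_CFG = """\
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 crypto map crymap
interface Tunnel0
 tunnel source Ethernet0/0
 tunnel destination 11.1.1.1
crypto dynamic-map dymap 10
 set transform-set transet
crypto map crymap 10 ipsec-isakmp dynamic dymap
"""
# Constructed mistake (not from the post): tunnel aimed at Center's inside address.
BROKEN_BRANCH_CFG = BRANCH_CFG.replace("tunnel destination 10.1.1.1",
                                       "tunnel destination 10.1.1.10")


def parse_ios(text):
    """Minimal IOS parser: an unindented line opens a block, indented lines belong to it."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.split())
        else:
            blocks.append((raw.split(), []))
    cfg = {"interfaces": {}, "acls": {}, "crypto_maps": {}}
    for head, body in blocks:
        if head[0] == "interface":
            intf = {"ip": None, "tunnel_source": None,
                    "tunnel_destination": None, "crypto_map": None}
            for w in body:
                if w[:2] == ["ip", "address"]:
                    intf["ip"] = ipaddress.IPv4Interface(f"{w[2]}/{w[3]}")
                elif w[:2] == ["tunnel", "source"]:
                    intf["tunnel_source"] = w[2]
                elif w[:2] == ["tunnel", "destination"]:
                    intf["tunnel_destination"] = w[2]
                elif w[:2] == ["crypto", "map"]:
                    intf["crypto_map"] = w[2]
            cfg["interfaces"][head[1]] = intf
        elif head[:2] == ["ip", "access-list"]:
            # only the 'permit <proto> host A host B' form used in the post is modelled
            cfg["acls"][head[3]] = [(w[1], w[3], w[5]) for w in body
                                    if w[0] == "permit" and w[2] == "host" and w[4] == "host"]
        elif head[:2] == ["crypto", "map"]:
            entry = {"dynamic": "dynamic" in head, "match_address": None}
            for w in body:
                if w[:2] == ["match", "address"]:
                    entry["match_address"] = w[2]
            cfg["crypto_maps"].setdefault(head[2], []).append(entry)
    return cfg


def tunnel_endpoints(cfg, tunnel="Tunnel0"):
    """(local, remote) GRE endpoints; a 'tunnel source <interface>' is resolved to its IP."""
    t = cfg["interfaces"][tunnel]
    src = t["tunnel_source"]
    if src in cfg["interfaces"]:
        src = str(cfg["interfaces"][src]["ip"].ip)
    return src, t["tunnel_destination"]


def check_tunnel_pair(a, b):
    """Each side's tunnel destination must equal the other side's tunnel source address."""
    a_src, a_dst = tunnel_endpoints(a)
    b_src, b_dst = tunnel_endpoints(b)
    return a_dst == b_src and b_dst == a_src


def check_crypto_acl(cfg):
    """Every static crypto map entry must match the GRE packets between the endpoints.
    Dynamic entries carry no ACL (the peer is unknown), so they are skipped."""
    local, remote = tunnel_endpoints(cfg)
    return all(("gre", local, remote) in cfg["acls"].get(e["match_address"], [])
               for entries in cfg["crypto_maps"].values() for e in entries if not e["dynamic"])


def check_map_bound(cfg):
    """A crypto map that is never applied to an interface encrypts nothing."""
    bound = {i["crypto_map"] for i in cfg["interfaces"].values() if i["crypto_map"]}
    return bool(bound) and bound <= set(cfg["crypto_maps"])


def run_checks(branch_text, center_text):
    branch, center = parse_ios(branch_text), parse_ios(center_text)
    return {
        "tunnel_endpoints_mirrored": check_tunnel_pair(branch, center),
        "branch_crypto_acl_matches_gre": check_crypto_acl(branch),
        "branch_crypto_map_bound": check_map_bound(branch),
        "center_crypto_map_bound": check_map_bound(center),
    }
```

Calling `run_checks(BRANCH_CFG, CENTER_VPN_CFG)` returns all four checks True for the post's configs; with `BROKEN_BRANCH_CFG` both the endpoint check and the ACL check fail, because the ACL still names 10.1.1.1 while the tunnel now points at 10.1.1.10, which is exactly the kind of silent mismatch that leaves GRE unencrypted or undeliverable.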
4. Test
1. Routes are learned normally through OSPF
Branch#show ip route ospf | beg Gate
Gateway of last resort is 202.100.1.10 to network 0.0.0.0
O 192.168.2.0/24 [110/1001] via 172.16.1.100, 00:20:49, Tunnel0

Center-VPN#show ip route ospf | beg Gate
Gateway of last resort is 10.1.1.10 to network 0.0.0.0
O 192.168.1.0/24 [110/1010] via 172.16.1.1, 00:22:40, Tunnel0



2. Test: changing the Branch router's public interface address
(The commands captured here are the same Center commands as in step 3; on Branch the change is made on Ethernet0/1, the public interface.)
Center(config)#int e0/0
Center(config-if)#ip add 61.128.1.2 255.255.255.0

Before pressing Enter on the address change, start a ping from PC to the remote address; the address change causes two packets to be lost. Branch's own IKE session is invalid as soon as its source address changes, so it renegotiates at once from the new address, and Center-VPN's dynamic crypto map accepts the new peer without any change on the headquarters side.

PC#ping 192.168.2.1 repeat 2000
Type escape sequence to abort.
Sending 2000, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
.... (middle omitted)
Success rate is 99 percent (1998/2000), round-trip min/avg/max = 1/1/13 ms
3. Changing the Center router's public interface address
① Update the DNS record
Internet(config)#ip host center.yuntian.com 61.128.1.2

② Change the interface address
Center(config)#int e0/0
Center(config-if)#ip add 61.128.1.2 255.255.255.0

③ Before pressing Enter on the address change, start a ping from PC to the remote address; the address change causes 13 packets to be lost. Recovery takes longer in this direction because Branch still holds SAs toward the old address: it must first detect through DPD that the peer no longer answers, tear the SAs down, re-resolve center.yuntian.com, and only then negotiate with the new address. With the 2-second ping timeout, 13 lost echoes is roughly 26 seconds, consistent with the 10-second DPD idle time plus its retries.
PC#ping 192.168.2.1 repeat 2000
Type escape sequence to abort.
Sending 2000, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
.... (middle omitted)
Success rate is 99 percent (1987/2000), round-trip min/avg/max = 1/1/11 ms

Comments
one-time
Thanks for sharing, OP, thank you~
bo chen
Very useful!
wuhao0015
OP, the image is broken...
Terry Qiu
Thanks for sharing, OP, bookmarked