Configuring a point-to-multipoint VPN with NAT (51CTO blog)


2019-02-25 10:54:53 | Author: 访烟 | Tags: configuration, encryption, setup | Views: 371

I did this lab in my IE class. I went through it again and wrote it up the way a lab report would, explaining each step in detail rather than presenting a show run, so that it is easier to follow. Heh, writing all this took more than two hours. I think this approach is fairly useful when the number of sites is small; with many sites it is better to use DMVPN, which makes later management and expansion easier.

Lab objectives:
1. Master the configuration of a point-to-multipoint VPN
2. Let every private network behind NAT reach the Internet (simulated with a loopback on R4)

Lab requirements:
1. Configure the R1-R2 and R1-R3 VPNs
2. R1-R2 uses DES encryption, R1-R3 uses 3DES encryption
3. Let every private network behind NAT reach the Internet
I. Topology diagram:

II. Detailed lab configuration:
1. Configure the IP addresses on each router (omitted). To ensure connectivity, R1, R2 and R3 get a default route pointing at R4, and R4 gets static routes back to the three private networks:

    R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.14.4
    R2(config)#ip route 0.0.0.0 0.0.0.0 192.168.24.4
    R3(config)#ip route 0.0.0.0 0.0.0.0 192.168.34.4
    R4(config)#ip route 192.168.1.0 255.255.255.0 192.168.14.1
    R4(config)#ip route 192.168.2.0 255.255.255.0 192.168.24.2
    R4(config)#ip route 192.168.3.0 255.255.255.0 192.168.34.3
2. Configure the point-to-multipoint VPN from R1 to R2 and from R1 to R3 according to the topology. A note on the order of work: when configuring a VPN, first define the interesting traffic (an extended named ACL is recommended, because deleting one entry from an ordinary numbered ACL deletes the whole ACL), then configure ISAKMP, then the IPsec transform sets, and finally tie everything together in the crypto map. Note that the DES/3DES distinction required by the lab is made in the ISAKMP policies; both transform sets below use esp-3des:
    ! The ACL and crypto-map names were masked as "***" in the source; vpn12, vpn13 and vpn are assumed below.
    R1(config)#ip access-list extended vpn12   (extended ACL defining the R1-R2 interesting traffic)
    R1(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    R1(config-ext-nacl)#exit
    R1(config)#ip access-list extended vpn13   (extended ACL defining the R1-R3 interesting traffic)
    R1(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
    R1(config-ext-nacl)#exit

    R1(config)#crypto isakmp key 0 CISCO12 address 192.168.24.2   (pre-shared key for R2)
    R1(config)#crypto isakmp key 0 CISCO13 address 192.168.34.3   (pre-shared key for R3)
    R1(config)#crypto isakmp policy 12   (R1-R2 ISAKMP policy)
    R1(config-isakmp)#authentication pre-share   (pre-shared-key authentication)
    R1(config-isakmp)#encryption des   (DES encryption)
    R1(config-isakmp)#hash md5
    R1(config-isakmp)#group 2   (Diffie-Hellman group 2)
    R1(config-isakmp)#exit
    R1(config)#crypto isakmp policy 13   (R1-R3 ISAKMP policy)
    R1(config-isakmp)#authentication pre-share
    R1(config-isakmp)#encryption 3des
    R1(config-isakmp)#hash md5
    R1(config-isakmp)#group 2
    R1(config-isakmp)#exit

    R1(config)#crypto ipsec transform-set vpn12 esp-3des esp-md5-hmac   (R1-R2 IPsec transform set)
    R1(cfg-crypto-trans)#exit
    R1(config)#crypto ipsec transform-set vpn13 esp-3des esp-md5-hmac   (R1-R3 IPsec transform set)
    R1(cfg-crypto-trans)#exit

    R1(config)#crypto map vpn 12 ipsec-isakmp   (crypto map entry for R1-R2)
    R1(config-crypto-map)#set peer 192.168.24.2   (peer)
    R1(config-crypto-map)#match address vpn12   (match the extended ACL named vpn12)
    R1(config-crypto-map)#set transform-set vpn12   (reference the R1-R2 transform set)
    R1(config-crypto-map)#exit
    R1(config)#crypto map vpn 13 ipsec-isakmp   (crypto map entry for R1-R3)
    R1(config-crypto-map)#set peer 192.168.34.3
    R1(config-crypto-map)#match address vpn13   (match the extended ACL named vpn13)
    R1(config-crypto-map)#set transform-set vpn13   (reference the R1-R3 transform set)
    R1(config-crypto-map)#int s0/0
    R1(config-if)#crypto map vpn   (apply the crypto map to the interface)

    R2(config)#ip access-list extended vpn12
    R2(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255   (ACL on R2, the mirror image of R1's vpn12)
    R2(config-ext-nacl)#exit
    R2(config)#crypto isakmp key 0 CISCO12 address 192.168.14.1   (pre-shared key for R1)
    R2(config)#crypto isakmp policy 12   (must match the policy R1 uses for R2)
    R2(config-isakmp)#authentication pre-share
    R2(config-isakmp)#encryption des
    R2(config-isakmp)#hash md5
    R2(config-isakmp)#group 2
    R2(config-isakmp)#exit
    R2(config)#crypto ipsec transform-set vpn12 esp-3des esp-md5-hmac   (R1-R2 transform set)
    R2(cfg-crypto-trans)#exit
    R2(config)#crypto map vpn 12 ipsec-isakmp   (crypto map entry)
    R2(config-crypto-map)#set peer 192.168.14.1   (peer, R1's s0/0; the entry stays disabled until a peer is set)
    R2(config-crypto-map)#match address vpn12   (match the ACL)
    R2(config-crypto-map)#set transform-set vpn12   (reference the transform set defined above)
    R2(config-crypto-map)#int s0/0
    R2(config-if)#crypto map vpn   (apply the crypto map to the interface)

    R3(config)#ip access-list extended vpn13
    R3(config-ext-nacl)#permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
    R3(config-ext-nacl)#exit
    R3(config)#crypto isakmp key 0 CISCO13 address 192.168.14.1
    R3(config)#crypto isakmp policy 13   (must match the policy R1 uses for R3)
    R3(config-isakmp)#authentication pre-share
    R3(config-isakmp)#encryption 3des
    R3(config-isakmp)#hash md5
    R3(config-isakmp)#group 2
    R3(config-isakmp)#exit
    R3(config)#crypto ipsec transform-set vpn13 esp-3des esp-md5-hmac   (IPsec transform set)
    R3(cfg-crypto-trans)#exit
    R3(config)#crypto map vpn 13 ipsec-isakmp   (crypto map entry on R3)
    R3(config-crypto-map)#set peer 192.168.14.1   (peer)
    R3(config-crypto-map)#match address vpn13   (match the ACL)
    R3(config-crypto-map)#set transform-set vpn13   (reference the transform set defined above)
    R3(config-crypto-map)#int s0/0
    R3(config-if)#crypto map vpn   (apply the crypto map to the interface)
3. After configuration, check VPN connectivity (the first echo is normally lost while the IKE and IPsec SAs are negotiated, hence the leading "."):
    R1#ping ip
    Target IP address: 192.168.2.2
    Repeat count [5]:
    Datagram size [100]:
    Timeout in seconds [2]:
    Extended commands [n]: y
    Source address or interface: 192.168.1.1
    Type of service [0]:
    Set DF bit in IP header? [no]:
    Validate reply data? [no]:
    Data pattern [0xABCD]:
    Loose, Strict, Record, Timestamp, Verbose[none]:
    Sweep range of sizes [n]:
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
    Packet sent with a source address of 192.168.1.1
    .!!!!

    R1#ping ip
    Target IP address: 192.168.3.3
    Repeat count [5]:
    Datagram size [100]:
    Timeout in seconds [2]:
    Extended commands [n]: y
    Source address or interface: 192.168.1.1
    Type of service [0]:
    Set DF bit in IP header? [no]:
    Validate reply data? [no]:
    Data pattern [0xABCD]:
    Loose, Strict, Record, Timestamp, Verbose[none]:
    Sweep range of sizes [n]:
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
    Packet sent with a source address of 192.168.1.1
    .!!!!
4. Configure NAT on R1, R2 and R3 so that all of them can reach the Internet (the network simulated by the loopback interface on R4). Pay attention to the order of operations here:
A: processing of a packet entering the router: ACL, VPN decryption, NAT, policy routing, standard routing
B: processing of a packet leaving the router: NAT, VPN encryption, ACL
So when configuring NAT you must deny the VPN traffic defined earlier in the NAT ACL; otherwise that traffic is translated first, and after overload (PAT) it no longer matches the crypto ACL and the VPN fails:
    R1(config)#ip access-list extended NAT
    R1(config-ext-nacl)#deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255   (exempt the R1-R2 VPN traffic from NAT)
    R1(config-ext-nacl)#deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255   (exempt the R1-R3 VPN traffic from NAT)
    R1(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 any   (everything else is translated)
    R1(config-ext-nacl)#exit
    R1(config)#ip nat inside source list NAT interface s0/0 overload
    R1(config)#int s0/0
    R1(config-if)#ip nat outside
    R1(config-if)#int lo0
    R1(config-if)#ip nat inside

    R2(config)#ip access-list extended NAT
    R2(config-ext-nacl)#deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255   (exempt the VPN traffic to R1)
    R2(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 any
    R2(config-ext-nacl)#exit
    R2(config)#ip nat inside source list NAT interface s0/0 overload
    R2(config)#int s0/0
    R2(config-if)#ip nat outside
    R2(config-if)#int lo0
    R2(config-if)#ip nat inside

    R3(config)#ip access-list extended NAT
    R3(config-ext-nacl)#deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255   (exempt the VPN traffic to R1)
    R3(config-ext-nacl)#permit ip 192.168.3.0 0.0.0.255 any
    R3(config-ext-nacl)#exit
    R3(config)#ip nat inside source list NAT interface s0/0 overload
    R3(config)#int s0/0
    R3(config-if)#ip nat outside
    R3(config-if)#int lo0
    R3(config-if)#ip nat inside
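Added example, not from the original post: a small Python model of the outbound order of operations described in step 4 (NAT first, then the crypto-map check), run against R1's NAT and crypto ACLs, with and without the deny entries. It assumes the crypto ACL names vpn12 and vpn13 (the source masks them) and is a simplified model of IOS ACL matching, not IOS itself.

```python
import ipaddress

def ace_matches(ace, src, dst):
    """IOS-style ACE (action, src, src_wildcard, dst, dst_wildcard); a wildcard bit of 1 means 'ignore'."""
    _, a_src, a_swc, a_dst, a_dwc = ace
    def hit(addr, base, wildcard):
        a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
        care = ~w & 0xFFFFFFFF                 # bits the ACE actually compares
        return (a & care) == (b & care)
    return hit(src, a_src, a_swc) and hit(dst, a_dst, a_dwc)

def acl_action(acl, src, dst):
    """First matching entry wins, with IOS's implicit deny at the end."""
    for ace in acl:
        if ace_matches(ace, src, dst):
            return ace[0]
    return "deny"

R1_OUTSIDE = "192.168.14.1"   # R1 s0/0, the address PAT (overload) rewrites inside sources to
ANY = ("0.0.0.0", "255.255.255.255")
CRYPTO_ACLS = {   # R1's crypto ACLs from step 2 (names assumed; the source masked them)
    "vpn12": [("permit", "192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255")],
    "vpn13": [("permit", "192.168.1.0", "0.0.0.255", "192.168.3.0", "0.0.0.255")],
}
NAT_ACL_GOOD = [   # R1's NAT ACL as configured in step 4: VPN traffic denied first
    ("deny",   "192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),
    ("deny",   "192.168.1.0", "0.0.0.255", "192.168.3.0", "0.0.0.255"),
    ("permit", "192.168.1.0", "0.0.0.255", *ANY),
]
NAT_ACL_BAD = NAT_ACL_GOOD[2:]   # the same ACL with the deny entries forgotten

def outbound(nat_acl, src, dst):
    """Model R1's outbound path: NAT first, then the crypto-map check on the (possibly translated) packet."""
    if acl_action(nat_acl, src, dst) == "permit":
        src = R1_OUTSIDE                       # overload NAT rewrites the inside source
    for name, acl in CRYPTO_ACLS.items():
        if acl_action(acl, src, dst) == "permit":
            return src, name                   # would be encrypted under this crypto map entry
    return src, None                           # no crypto ACL matches: forwarded in the clear

if __name__ == "__main__":
    for label, acl in (("with deny entries", NAT_ACL_GOOD), ("without deny entries", NAT_ACL_BAD)):
        print(label, "-> to R2 LAN:", outbound(acl, "192.168.1.1", "192.168.2.2"),
              "| to Internet:", outbound(acl, "192.168.1.1", "4.4.4.4"))
```

Without the deny entries the packet to 192.168.2.2 leaves with source 192.168.14.1, matches no crypto ACL and is sent unencrypted, which is exactly the failure the post warns about.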
5. Now check whether each router's private network can reach the Internet:
    R1#ping ip
    Target IP address: 4.4.4.4
    Repeat count [5]:
    Datagram size [100]:
    Timeout in seconds [2]:
    Extended commands [n]: y
    Source address or interface: 192.168.1.1
    Type of service [0]:
    Set DF bit in IP header? [no]:
    Validate reply data? [no]:
    Data pattern [0xABCD]:
    Loose, Strict, Record, Timestamp, Verbose[none]:
    Sweep range of sizes [n]:
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
    Packet sent with a source address of 192.168.1.1
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 8/37/84 ms
    R1#

    R2#ping ip
    Target IP address: 4.4.4.4
    Repeat count [5]:
    Datagram size [100]:
    Timeout in seconds [2]:
    Extended commands [n]: y
    Source address or interface: 192.168.2.2
    Type of service [0]:
    Set DF bit in IP header? [no]:
    Validate reply data? [no]:
    Data pattern [0xABCD]:
    Loose, Strict, Record, Timestamp, Verbose[none]:
    Sweep range of sizes [n]:
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
    Packet sent with a source address of 192.168.2.2
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 8/38/76 ms
    R2#

    R3#ping ip
    Target IP address: 4.4.4.4
    Repeat count [5]:
    Datagram size [100]:
    Timeout in seconds [2]:
    Extended commands [n]: y
    Source address or interface: 192.168.3.3
    Type of service [0]:
    Set DF bit in IP header? [no]:
    Validate reply data? [no]:
    Data pattern [0xABCD]:
    Loose, Strict, Record, Timestamp, Verbose[none]:
    Sweep range of sizes [n]:
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
    Packet sent with a source address of 192.168.3.3
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 4/34/76 ms
    R3#
