十年网站开发经验 + 多家企业客户 + 靠谱的建站团队
量身定制 + 运营维护+专业推广+无忧售后,网站问题一站解决
1、实验拓扑
成都创新互联服务项目包括成安网站建设、成安网站制作、成安网页制作以及成安网络营销策划等。多年来,我们专注于互联网行业,利用自身积累的技术优势、行业经验、深度合作伙伴关系等,向广大中小型企业、政府机构等提供互联网行业的解决方案,成安网站推广取得了明显的社会效益与经济效益。目前,我们服务的客户以成都为中心已经辐射到成安省份的部分城市,未来相信会继续扩大服务区域并继续获得客户的支持与信任!
2、基础网络配置
R1配置:
ip dhcp excluded-address 13.1.1.1 13.1.1.2
ip dhcp pool net13
network 13.1.1.0 255.255.255.0
default-router 13.1.1.1
interface FastEthernet0/0
ip address 12.1.1.1 255.255.255.0
interface FastEthernet1/0
ip address 13.1.1.1 255.255.255.0
R2配置:
interface FastEthernet0/0
ip address 12.1.1.2 255.255.255.0
interface FastEthernet1/0
ip address 172.16.1.254 255.255.255.0
ip route 0.0.0.0 0.0.0.0 12.1.1.1
R3配置:
interface Loopback0
ip address 3.3.3.3 255.255.255.0
interface FastEthernet0/0
ip address dhcp
interface FastEthernet1/0
ip address 192.168.1.254 255.255.255.0
ip route 0.0.0.0 0.0.0.0 13.1.1.1
R4配置:
interface FastEthernet0/0
ip address 172.16.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 172.16.1.254
R5配置:
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.1.254
3、配置Dynamic p2p GRE over IPsec
3.1、配置GRE
R2配置:
interface Tunnel2
ip address 1.1.1.1 255.255.255.0
tunnel source 12.1.1.2
tunnel destination 3.3.3.3
ip route 3.3.3.3 255.255.255.255 12.1.1.1
这条路由必须配置,这是配置规则要求的
R3配置:
interface Tunnel3
ip address 1.1.1.2 255.255.255.0
tunnel source Loopback0
tunnel destination 12.1.1.2
3.2、R2配置Dynamic LAN-to-LAN ×××(相对普通的Dynamic LAN-to-LAN ×××多了一条指令)
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set ccie esp-3des esp-sha-hmac
crypto dynamic-map dymap 1
set transform-set ccie
crypto map mymap 1 ipsec-isakmp dynamic dymap (经测试,这条指令可以不写)
crypto map mymap local-address FastEthernet0/0
interface FastEthernet0/0
crypto map mymap
3.3、R3配置LAN-to-LAN ×××(与普通LAN-to-LAN ×××的ACL不同,多了一条指令)
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco123 address 12.1.1.2
crypto ipsec transform-set ccie esp-3des esp-sha-hmac
access-list 100 permit gre 3.3.3.0 0.0.0.255 12.1.1.0 0.0.0.255
crypto map mymap 1 ipsec-isakmp
set peer 12.1.1.2
set transform-set ccie
match address 100
crypto map mymap local-address FastEthernet0/0(经测试,这条指令可以不写)
interface FastEthernet0/0
crypto map mymap
3.4、配置动态路由协议(此时私网流量走的都是隧道。)
R2配置:
router ospf 1
network 1.1.1.0 0.0.0.255 area 0
network 172.16.1.0 0.0.0.255 area 0
R3配置:
router ospf 1
network 1.1.1.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0
4、NAT对Dynamic p2p GRE over IPsec的影响与NAT对Static p2p GRE over IPsec的影响一样