1. Topology diagram:
2. Basic interface configuration:
A. R1:
int e0/0
ip add 10.1.1.1 255.255.255.0
no sh
int l0
ip add 1.1.1.1 255.255.255.0
B. FW1:
int e0
ip add 10.1.1.10 255.255.255.0
nameif inside
no sh
int e1
ip add 202.100.1.100 255.255.255.0
nameif outside
no sh
C. R2:
int e0/0
ip add 202.100.1.2 255.255.255.0
no sh
int e0/1
ip add 202.100.2.2 255.255.255.0
no sh
D. R3:
int e0/0
ip add 202.100.2.3 255.255.255.0
no sh
int l0
ip add 3.3.3.3 255.255.255.0
no sh
3. Routing configuration:
R1(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.10
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 202.100.1.2
R3(config)#ip route 0.0.0.0 0.0.0.0 202.100.2.2
4. Firewall NAT and policy configuration:
access-list 10 permit ip 10.1.1.0 255.255.255.0 any
nat (inside) 1 access-list 10
global (outside) 1 interface
static (inside,outside) 202.100.1.101 10.1.1.1
Note: NAT-T through a PIX firewall requires static NAT; when the device being traversed is a router, PAT can be used instead.
pixfirewall(config)# access-list outside extended permit icmp any any
pixfirewall(config)# access-list outside extended permit gre host 202.100.2.3 host 202.100.1.101
pixfirewall(config-if)# access-group outside in interface outside
Note: the PIX cannot perform stateful inspection on GRE traffic leaving the inside network, so the returning GRE traffic must be explicitly permitted on the outside interface.
5. GRE and dynamic routing configuration
A. R1:
R1(config)#int tunnel 0
R1(config-if)#ip add 192.168.0.1 255.255.255.0
R1(config-if)#tunnel source ethernet 0/0
R1(config-if)#tunnel destination 202.100.2.3
R1(config)#router ospf 1
R1(config-router)#router-id 1.1.1.1
R1(config-router)#network 1.1.1.0 0.0.0.255 area 0
R1(config-router)#network 192.168.0.0 0.0.0.255 area 0
B. R3:
R3(config)#int tunnel 0
R3(config-if)#ip add 192.168.0.3 255.255.255.0
R3(config-if)#tunnel source ethernet 0/0
R3(config-if)#tunnel destination 202.100.1.101
R3(config)#router ospf 1
R3(config-router)#router-id 3.3.3.3
R3(config-router)#network 3.3.3.0 0.0.0.255 area 0
R3(config-router)#network 192.168.0.0 0.0.0.255 area 0
If there are no problems, the OSPF neighbor relationship comes up.
6. *** configuration
R1:
A. Interesting traffic configuration:
R1(config)#ip access-list extended ***
R1(config-ext-nacl)#permit ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
B. Phase 1 policy:
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#group 2
R1(config-isakmp)#hash md5
R1(config-isakmp)#encryption des
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#exit
R1(config)#crypto isakmp key 0 cisco address 202.100.2.3
C. Phase 2 policy:
R1(config)#crypto ipsec transform-set transet esp-des esp-md5-hmac
Crypto MAP:
R1(config)#crypto map crymap 10 ipsec-isakmp
R1(config-crypto-map)#set peer 202.100.2.3
R1(config-crypto-map)#set transform-set transet
R1(config-crypto-map)#match address ***
D. Apply the MAP on the tunnel interface:
R1(config)#int tunnel 0
R1(config-if)#crypto map crymap
R3:
A. Interesting traffic configuration:
R3(config)#ip access-list extended ***
R3(config-ext-nacl)#permit ip 3.3.3.0 0.0.0.255 1.1.1.0 0.0.0.255
B. Phase 1 policy:
R3(config)#crypto isakmp policy 10
R3(config-isakmp)#group 2
R3(config-isakmp)#hash md5
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#exit
R3(config)#crypto isakmp key 0 cisco address 202.100.1.101
C. Phase 2 policy:
R3(config)#crypto ipsec transform-set transet esp-des esp-md5-hmac
Crypto MAP:
R3(config)#crypto map crymap 10 ipsec-isakmp
R3(config-crypto-map)#set peer 202.100.1.101
R3(config-crypto-map)#set transform-set transet
R3(config-crypto-map)#match address ***
D. Apply the MAP on the tunnel interface:
R3(config)#int tunnel 0
R3(config-if)#crypto map crymap
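The three pieces of configuration above only work together if a handful of values line up: R3 must use the static NAT address 202.100.1.101 (not the PIX outside interface address used for PAT) as both tunnel destination and IKE peer, R1 must point at R3's real address, the two crypto ACLs must be exact mirror images, and the PIX outside ACL must admit GRE from R3 to the translated address because the firewall does not track outbound GRE. The Python script below is an added example, not part of the original post; it embeds constructed excerpts of the page's R1, R3 and PIX configuration in unabbreviated form, parses them with minimal regexes (an assumption of this example, not a general Cisco config parser) and reports every mismatch it finds.

```python
"""Added consistency check for the GRE + IPsec through static NAT design on this page."""
import ipaddress
import re

# Constructed excerpts of the page's R1, R3 and PIX configuration, written in
# unabbreviated IOS/PIX syntax so the regexes below stay simple. The crypto ACL
# name "***" is kept exactly as it appears on the page.
PIX_CFG = """\
static (inside,outside) 202.100.1.101 10.1.1.1
access-list outside extended permit icmp any any
access-list outside extended permit gre host 202.100.2.3 host 202.100.1.101
access-group outside in interface outside
"""

R1_CFG = """\
interface ethernet 0/0
 ip address 10.1.1.1 255.255.255.0
interface tunnel 0
 tunnel source ethernet 0/0
 tunnel destination 202.100.2.3
ip access-list extended ***
 permit ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
crypto map crymap 10 ipsec-isakmp
 set peer 202.100.2.3
 match address ***
"""

R3_CFG = """\
interface ethernet 0/0
 ip address 202.100.2.3 255.255.255.0
interface tunnel 0
 tunnel source ethernet 0/0
 tunnel destination 202.100.1.101
ip access-list extended ***
 permit ip 3.3.3.0 0.0.0.255 1.1.1.0 0.0.0.255
crypto map crymap 10 ipsec-isakmp
 set peer 202.100.1.101
 match address ***
"""


def parse_router(cfg):
    """Extract interface addresses, tunnel endpoints, IKE peer and crypto ACL entries."""
    info = {"if_ip": {}, "crypto_acl": set()}
    current = None
    for line in cfg.splitlines():
        s = line.strip()
        if m := re.match(r"interface (\S+ \S+)$", s):
            current = m.group(1)
        elif current and (m := re.match(r"ip address (\S+) \S+$", s)):
            info["if_ip"][current] = m.group(1)
        elif m := re.match(r"tunnel source (\S+ \S+)$", s):
            info["tunnel_src_if"] = m.group(1)
        elif m := re.match(r"tunnel destination (\S+)$", s):
            info["tunnel_dst"] = m.group(1)
        elif m := re.match(r"set peer (\S+)$", s):
            info["peer"] = m.group(1)
        elif m := re.match(r"permit ip (\S+) (\S+) (\S+) (\S+)$", s):
            # IOS ACLs use wildcard (host) masks; ipaddress accepts "net/hostmask".
            src = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            dst = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}")
            info["crypto_acl"].add((src, dst))
    return info


def parse_pix(cfg):
    """Static NAT map (local -> global) and the GRE host pairs the outside ACL permits."""
    nat, gre = {}, set()
    for line in cfg.splitlines():
        s = line.strip()
        if m := re.match(r"static \(inside,outside\) (\S+) (\S+)$", s):
            nat[m.group(2)] = m.group(1)  # syntax is: static (in,out) GLOBAL LOCAL
        elif m := re.match(r"access-list \S+ extended permit gre host (\S+) host (\S+)$", s):
            gre.add((m.group(1), m.group(2)))
    return nat, gre


def check_design(inside_cfg, outside_cfg, pix_cfg):
    """Return a list of mismatches; an empty list means the three configs agree."""
    a, b = parse_router(inside_cfg), parse_router(outside_cfg)
    nat, gre = parse_pix(pix_cfg)
    findings = []
    a_src = a["if_ip"][a["tunnel_src_if"]]  # real address of R1 behind the PIX
    b_src = b["if_ip"][b["tunnel_src_if"]]  # public address of R3
    a_public = nat.get(a_src)
    if a_public is None:
        findings.append(f"no static NAT entry for inside tunnel source {a_src}")
        a_public = a_src
    # The outside router must address the translated IP, the inside router the real one.
    if b["tunnel_dst"] != a_public or b["peer"] != a_public:
        findings.append(f"outside router must use {a_public} as tunnel destination and IKE peer")
    if a["tunnel_dst"] != b_src or a["peer"] != b_src:
        findings.append(f"inside router must use {b_src} as tunnel destination and IKE peer")
    # Crypto ACLs have to be exact mirror images or the IPsec proxy IDs will not match.
    if {(d, s) for s, d in a["crypto_acl"]} != b["crypto_acl"]:
        findings.append("crypto ACLs on the two routers are not mirror images")
    # The PIX does not track outbound GRE, so inbound GRE from R3 must be permitted explicitly.
    if (b_src, a_public) not in gre:
        findings.append(f"PIX outside ACL lacks: permit gre host {b_src} host {a_public}")
    return findings


if __name__ == "__main__":
    for f in check_design(R1_CFG, R3_CFG, PIX_CFG) or ["all checks passed"]:
        print(f)
```

Run as-is it reports nothing for the page's values; swapping R3's 202.100.1.101 for the PIX interface address 202.100.1.100, or breaking the mirror in either crypto ACL, produces one finding each, which is the kind of typo that otherwise shows up only as a tunnel that never comes up.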
Reprinted from: http://bnidx.baihongyu.com/