Remote dial-in access from behind client-side NAT
2013-02-01 16:10
I. Lab topology diagram
II. Lab objectives:
1. Configure PAT on RT4
2. Configure NAT on RT3
3. The PC dials in remotely to the head-office router RT1 and builds an IPsec tunnel to it
III. Lab configuration:
RT1:
aaa new-model // enable AAA
!
aaa authentication login default local // default login authentication against the local user database
aaa authentication login nauguy local // Xauth login list nauguy authenticates against the local database
aaa authorization network nauguy local // network authorization list nauguy uses the local database
!
username cisco password 0 cisco // username and password used for AAA (Xauth) authentication
!
crypto isakmp policy 1 // phase 1 (IKE) policy
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group nauguy // phase 1.5 (client configuration) policy, group name nauguy
key 1234 // group pre-shared key 1234
pool nauguy // local address pool nauguy
acl 101 // split-tunnel ACL
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac // phase 2 (IPsec) transform set
mode transport
!
crypto dynamic-map cisco 10
set transform-set cisco
!
crypto map hqh client authentication list nauguy // bind the Xauth authentication list nauguy
crypto map hqh isakmp authorization list nauguy // bind the ISAKMP authorization list nauguy
crypto map hqh client configuration address respond // respond to client requests for address assignment
crypto map hqh 10 ipsec-isakmp dynamic cisco // bind the dynamic crypto map
!
interface Loopback0
ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/0
ip address 192.168.1.1 255.255.255.0
crypto map hqh
!
ip local pool nauguy 192.168.20.1 192.168.20.20 // local address pool handed to clients
ip route 0.0.0.0 0.0.0.0 192.168.1.2
!
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
!
RT3:
interface Ethernet0/0
ip address 202.103.95.112 255.255.255.0
ip nat outside
!
!
interface Ethernet1/0
ip address 192.168.2.1 255.255.255.0
ip nat inside
!
ip route 0.0.0.0 0.0.0.0 202.103.95.111
!
ip nat inside source list 100 interface Ethernet0/0 overload // NAT overload (PAT) of the inside subnet to the outside interface address
!
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
!
RT4:
!
interface Ethernet0/0
ip address 202.103.96.112 255.255.255.0
ip nat outside
!
interface Ethernet0/1
ip address 192.168.1.2 255.255.255.0
ip nat inside
!
ip route 0.0.0.0 0.0.0.0 202.103.96.111
!
ip nat inside source static udp 192.168.1.1 500 202.103.96.112 500 extendable
// static PAT: forward ISAKMP (UDP/500) to RT1
ip nat inside source static udp 192.168.1.1 4500 202.103.96.112 4500 extendable
// static PAT: forward NAT-T traffic (UDP/4500) to RT1
!
RT1#show crypto engine connections active
ID Interface IP-Address State Algorithm Encrypt Decrypt
2 Ethernet0/0 192.168.1.1 set HMAC_MD5+DES_56_CB 0 0
2001 Ethernet0/0 192.168.1.1 set DES+MD5 4 0
2002 Ethernet0/0 192.168.1.1 set DES+MD5 0 4
C:\Documents and Settings\Administrator>ping 192.168.3.1
Pinging 192.168.3.1 with 32 bytes of data:
Reply from 192.168.3.1: bytes=32 time=88ms TTL=255
Reply from 192.168.3.1: bytes=32 time=65ms TTL=255
Reply from 192.168.3.1: bytes=32 time=72ms TTL=255
Reply from 192.168.3.1: bytes=32 time=74ms TTL=255
Ping statistics for 192.168.3.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 65ms, Maximum = 88ms, Average = 74ms
RT4#show ip nat translations
Pro Inside global Inside local Outside local Outside global
udp 202.103.96.112:500 192.168.1.1:500 --- ---
udp 202.103.96.112:4500 192.168.1.1:4500 202.103.95.112:1041 202.103.95.112:1041
udp 202.103.96.112:4500 192.168.1.1:4500 --- ---
RT4#
RT3#show ip nat translations
Pro Inside global Inside local Outside local Outside global
udp 202.103.95.112:1041 192.168.2.10:1041 202.103.96.112:4500 202.103.96.112:4500
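The verification output above can be checked mechanically rather than by eye. The following Python script is an added example, not part of the original post: it parses the "show ip nat translations" output from RT4 and the "show crypto engine connections active" output from RT1 (both copied from the lab output above), confirms that the two static PAT entries for UDP/500 and UDP/4500 exist, reads the dynamic :4500 entry to confirm the client behind RT3 is reaching RT1 over NAT-T, confirms the IKE SA and both IPsec SAs are up with packets counted in each direction, and flags the deprecated algorithms (DES, MD5, DH group 2) chosen by the ISAKMP policy and transform set. Function names, the WEAK_TOKENS list and the "IPsec SA IDs start at 2000" rule are this example's own assumptions, drawn from the output shown.

```python
"""Checks over the lab's verification output (added example, not from the post).

The sample text below is copied from the RT4 / RT1 output in the write-up;
function names and thresholds are this example's own assumptions.
"""

# Constructed sample: RT4's "show ip nat translations" output from the post.
RT4_NAT_TRANSLATIONS = """\
Pro Inside global Inside local Outside local Outside global
udp 202.103.96.112:500 192.168.1.1:500 --- ---
udp 202.103.96.112:4500 192.168.1.1:4500 202.103.95.112:1041 202.103.95.112:1041
udp 202.103.96.112:4500 192.168.1.1:4500 --- ---
"""

# Constructed sample: RT1's "show crypto engine connections active" output from the post.
RT1_CRYPTO_ENGINE = """\
ID Interface IP-Address State Algorithm Encrypt Decrypt
2 Ethernet0/0 192.168.1.1 set HMAC_MD5+DES_56_CB 0 0
2001 Ethernet0/0 192.168.1.1 set DES+MD5 4 0
2002 Ethernet0/0 192.168.1.1 set DES+MD5 0 4
"""

# The lines from RT1's configuration that select IKE/IPsec algorithms.
RT1_CRYPTO_LINES = [
    "crypto isakmp policy 1",
    "hash md5",
    "authentication pre-share",
    "group 2",
    "crypto ipsec transform-set cisco esp-des esp-md5-hmac",
]

# Tokens for algorithms deprecated in IKE/IPsec (DES, MD5, 768/1024-bit DH). Assumed list.
WEAK_TOKENS = {"des", "esp-des", "md5", "esp-md5-hmac", "group 1", "group 2"}


def parse_nat_translations(text):
    """Parse IOS 'show ip nat translations' rows into dicts; skips the header line."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) != 5:
            continue
        rows.append(dict(zip(
            ("proto", "inside_global", "inside_local", "outside_local", "outside_global"),
            parts)))
    return rows


def has_static_pat(rows, proto, inside_local, inside_global):
    """A static (extendable) entry shows '---' in both outside columns."""
    return any(r["proto"] == proto and r["inside_local"] == inside_local
               and r["inside_global"] == inside_global and r["outside_local"] == "---"
               for r in rows)


def missing_vpn_forwards(rows, inside_ip, public_ip):
    """Return the UDP ports (500 = ISAKMP, 4500 = NAT-T) that lack a static PAT entry."""
    return [port for port in (500, 4500)
            if not has_static_pat(rows, "udp", f"{inside_ip}:{port}", f"{public_ip}:{port}")]


def nat_t_peers(rows, public_ip):
    """Dynamic :4500 entries with a real outside address are clients that negotiated NAT-T."""
    return [r["outside_global"] for r in rows
            if r["inside_global"] == f"{public_ip}:4500" and r["outside_global"] != "---"]


def parse_crypto_engine(text):
    """Parse 'show crypto engine connections active' rows into dicts."""
    sas = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) != 7 or not parts[0].isdigit():
            continue
        sas.append({"id": int(parts[0]), "interface": parts[1], "ip": parts[2],
                    "state": parts[3], "algorithm": parts[4],
                    "encrypt": int(parts[5]), "decrypt": int(parts[6])})
    return sas


def sa_summary(sas):
    """IKE SA carries a small ID (2 in the post); IPsec SAs are numbered from 2000
    (2001/2002 here), one per direction. Threshold is this example's assumption."""
    ike = [s for s in sas if s["id"] < 2000 and s["state"] == "set"]
    ipsec = [s for s in sas if s["id"] >= 2000 and s["state"] == "set"]
    return {"ike_up": bool(ike), "ipsec_sa_count": len(ipsec),
            "encrypted": sum(s["encrypt"] for s in ipsec),
            "decrypted": sum(s["decrypt"] for s in ipsec)}


def audit_weak_crypto(config_lines):
    """Return (line, token) pairs for every deprecated algorithm choice found."""
    findings = []
    for line in config_lines:
        stripped = line.strip().lower()
        for token in sorted(WEAK_TOKENS):
            if token in stripped.split() or stripped == token:
                findings.append((line, token))
    return findings


if __name__ == "__main__":
    rows = parse_nat_translations(RT4_NAT_TRANSLATIONS)
    print("missing static PAT ports on RT4:", missing_vpn_forwards(rows, "192.168.1.1", "202.103.96.112"))
    print("NAT-T peers seen on RT4:", nat_t_peers(rows, "202.103.96.112"))
    print("RT1 SA summary:", sa_summary(parse_crypto_engine(RT1_CRYPTO_ENGINE)))
    for cfg_line, token in audit_weak_crypto(RT1_CRYPTO_LINES):
        print(f"weak algorithm '{token}' in: {cfg_line}")
```

Run it with python3; on the post's output it reports no missing forwards, one NAT-T peer (202.103.95.112:1041, the PAT address RT3 gave the PC), an IKE SA plus two IPsec SAs with 4 packets encrypted and 4 decrypted (the four pings), and four weak-algorithm findings. Pointing the parsers at live "show" output from the routers instead of the embedded samples turns this into a quick post-change check for the same lab.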
This article is from the “坚持就是victory” blog; please keep this attribution: http://nauguy.blog.51cto.com/2796009/1130813