2022-09-21
CCNP (ISCW) Lab: Configuring GRE over IPsec VPN from the Command Line
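R3(config)#int tunnel 1
R3(config-if)#ip add 10.0.0.2 255.255.255.252
R3(config-if)#tu so f0/1
R3(config-if)#tu de 12.0.0.1
//The three lines above, in order: set the tunnel's IP address; set the tunnel source address (an interface name may be used); set the tunnel destination address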
Step 3: Configure the routing protocol
R3(config)#ip route 0.0.0.0 0.0.0.0 f0/1
R1(config)#ip route 0.0.0.0 0.0.0.0 f0/0

R1(config)#router ei 1
R1(config-router)#no au
R1(config-router)#net 192.168.1.1
R1(config-router)#net 10.0.0.0

R3(config)#router ei 1
R3(config-router)#no au
R3(config-router)#net 10.0.0.0
R3(config-router)#net 172.16.1.1
//R2 is the ISP and cannot run the routing protocol, because a carrier will not forward large amounts of routing information to the local router
Step 4: Configure the IPsec VPN
R1(config)#crypto isakmp enable
R1(config)#crypto isakmp key 6 ccie address 23.0.0.3

R1(config)#crypto isakmp policy 10
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#group 2
R1(config-isakmp)#hash md5

R1(config)#crypto ipsec transform-set r1 esp-3des esp-sha-hmac
R1(cfg-crypto-trans)#mode transport

R1(config)#access-list 100 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
R1(config)#int tunnel 1
R1(config-if)#crypto map libo1

R1(config)#crypto map libo1 1 ipsec-isakmp
R1(config-crypto-map)#set peer 23.0.0.3
R1(config-crypto-map)#set transform-set r1
R1(config-crypto-map)#match add 100
//The steps above are the complete IPsec VPN configuration
The configuration on R2 corresponds to this
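The step 4 policy above negotiates 3DES, MD5 and DH group 2, which current vendor guidance treats as legacy choices. As an added example (not part of the original lab), this Python script scans a pasted IOS session for those settings and names a stronger keyword for each; the rule set, the `audit` function and the hardened sample are assumptions of this example, and keyword availability depends on the IOS release.

```python
import re

# Strips an IOS prompt such as "R1(config-isakmp)#" and captures the hostname.
PROMPT = re.compile(r"^(\w+)(?:\([\w-]+\))?#\s*(.*?)\s*$")

# (pattern, finding, suggested keyword). Assumption: the weak set follows common
# vendor guidance to retire DES/3DES, MD5 and DH groups 1, 2 and 5.
RULES = [
    (re.compile(r"^encryption\s+(3des|des)\b"), "legacy IKE cipher", "encryption aes 256"),
    (re.compile(r"^hash\s+md5\b"), "MD5 as IKE hash", "hash sha256"),
    (re.compile(r"^group\s+(1|2|5)$"), "small DH group", "group 14"),
    (re.compile(r"^crypto ipsec transform-set\s+\S+.*\besp-(3des|des)\b"),
     "legacy ESP cipher", "esp-aes 256"),
]

def audit(transcript):
    """Return (host, command, finding, suggestion) for each weak crypto line."""
    findings = []
    for raw in transcript.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue  # blank line, router output or a // note, not a command
        host, cmd = m.group(1), m.group(2)
        for pattern, finding, suggestion in RULES:
            if pattern.search(cmd):
                findings.append((host, cmd, finding, suggestion))
    return findings

# R1's step 4 commands as they appear on this page.
PAGE_R1 = """
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#group 2
R1(config-isakmp)#hash md5
R1(config)#crypto ipsec transform-set r1 esp-3des esp-sha-hmac
R1(cfg-crypto-trans)#mode transport
"""

# Constructed hardened variant of the same lines (not from the page).
HARDENED_R1 = """
R1(config-isakmp)#encryption aes 256
R1(config-isakmp)#group 14
R1(config-isakmp)#hash sha256
R1(config)#crypto ipsec transform-set r1 esp-aes 256 esp-sha256-hmac
"""

if __name__ == "__main__":
    for host, cmd, finding, suggestion in audit(PAGE_R1):
        print(f"{host}: '{cmd}' -> {finding}; consider '{suggestion}'")
```

Both peers must carry matching proposals, so any change made on R1 has to be mirrored on the other tunnel endpoint before the tunnel will come up again.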
Step 5: Test
R1#ping 172.16.1.1 so 192.168.1.1 repeat 20

Type escape sequence to abort.
Sending 20, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
.!!!!!!!!!!!!!!!!!!!
Success rate is 95 percent (19/20), round-trip min/avg/max = 12/55/148 ms
//19 packets got through here, so we expect 19 packets to be encrypted

R1#sh crypto engine connections active

ID    Interface  IP-Address  State  Algorithm            Encrypt  Decrypt
1     Tunnel1    10.0.0.1    set    HMAC_MD5+3DES_56_C   0        0
2     Tunnel1    10.0.0.1    set    HMAC_MD5+3DES_56_C   0        0
2001  Tunnel1    12.0.0.1    set    3DES+SHA             19       0
2002  Tunnel1    12.0.0.1    set    3DES+SHA             0        19
//Here we can see that 19 packets were encrypted
Step 6: To give the company's internal PCs good Internet access, we configure PAT on R1 and R3
R1(config)#access-list 111 deny ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
R1(config)#access-list 111 permit ip 192.168.1.0 0.0.0.255 any

R3(config)#access-list 111 deny ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
R3(config)#access-list 111 permit ip 172.16.1.0 0.0.0.255 any

R1(config)#ip nat inside source list 111 interface f0/0 overload
//Note that the outgoing interface must be f0/0

Step 7: Define the inside and outside interfaces
R1(config)#int f0/1
R1(config-if)#ip nat inside
R1(config-if)#int f0/0
R1(config-if)#ip nat outside
Step 8: Combined test covering PAT and VPN
First test PAT
pc1#ping 2.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!! //ping works
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/46/92 ms
pc1#2.2.2.2
Trying 2.2.2.2 ... Open

R2#exi //this shows success

[Connection to 2.2.2.2 closed by foreign host]

R1#sh ip nat translations
Pro   Inside global    Inside local       Outside local  Outside global
icmp  12.0.0.1:1       192.168.1.2:1      2.2.2.2:1      2.2.2.2:1
tcp   12.0.0.1:11000   192.168.1.2:11000  2.2.2.2:23     2.2.2.2:23
//This shows that PAT works
Then test GRE over IPsec VPN
pc1#ping 172.16.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 108/143/204 ms

R1#sh crypto engine connections active

ID    Interface  IP-Address  State  Algorithm            Encrypt  Decrypt
2     Tunnel1    10.0.0.1    set    HMAC_MD5+3DES_56_C   0        0
2001  Tunnel1    12.0.0.1    set    3DES+SHA             24       0
2002  Tunnel1    12.0.0.1    set    3DES+SHA             0        24
//Together with the 19 above, a total of 24 packets have been encrypted