Example:
Configuration of router NATRTR in this case study. On this router NAT is applied before the crypto map is evaluated on the outbound interface, so packets translated by the overload NAT would no longer match the IPsec access list; the configuration below steers that traffic through a loopback so that it reaches the crypto map untranslated.
Router#write terminal
hostname NATRTR
!
crypto map test 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set transform
 match address 100
!
! This is the loopback the traffic will be routed to in order to change the order of events on the router.
interface Loopback1
 ip address 10.2.2.2 255.255.255.252
!
interface Ethernet0/0
 ip address 1.1.1.2 255.255.255.0
 ip nat outside
 crypto map test
!
interface Ethernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip route-cache policy
 ! The policy route map below is used to force the IPsec interesting traffic to the loopback interface.
 ip policy route-map nonat
!
! This is the dynamic NAT configuration we are trying to bypass.
ip nat inside source access-list 1 interface Ethernet0/0 overload
access-list 1 permit 10.0.0.0 0.255.255.255
!
! The access list below defines IPsec interesting traffic.
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
!
! The access list below defines the traffic that is to be used by the route map nonat to route to the loopback interface.
access-list 120 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
!
! Below is the route map used to route the traffic matching access list 120 to the loopback interface.
route-map nonat permit 10
 match ip address 120
 set ip next-hop 10.2.2.1
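The following is an added model (not from the original case study) of the inside-to-outside order of events on NATRTR, using the access lists above: policy routing first, then routing, then NAT inside-to-outside, then the crypto map check. It assumes a default route out Ethernet0/0 and that a packet re-entering from Loopback1 is not subject to inside-to-outside NAT, which is what the loopback trick relies on; it shows that without the route map, VPN-bound traffic is PAT'd to 1.1.1.2, no longer matches access list 100, and would leave Ethernet0/0 in cleartext.

```python
import ipaddress

def wildcard(addr, wc):
    """Turn a Cisco 'address wildcard' pair into a network (assumes a contiguous wildcard)."""
    mask = (~int(ipaddress.IPv4Address(wc))) & 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{bin(mask).count('1')}", strict=False)

ANY = ipaddress.ip_network("0.0.0.0/0")
# Access lists exactly as they appear in the NATRTR configuration
ACL_1   = [(wildcard("10.0.0.0", "0.255.255.255"), ANY)]                             # dynamic NAT source list
ACL_100 = [(wildcard("10.1.1.0", "0.0.0.255"), wildcard("10.1.2.0", "0.0.0.255"))]  # IPsec interesting traffic
ACL_120 = [(wildcard("10.1.1.0", "0.0.0.255"), wildcard("10.1.2.0", "0.0.0.255"))]  # matched by route-map nonat
OUTSIDE_ADDR = "1.1.1.2"   # Ethernet0/0, the address used by the overload (PAT) translation

def permitted(acl, src, dst):
    """True if the (src, dst) pair is permitted by an access list of (src_net, dst_net) entries."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any(s in sn and d in dn for sn, dn in acl)

def forward(src, dst, policy_route=True):
    """Model of a packet entering Ethernet0/1 (ip nat inside) and leaving Ethernet0/0.
    Returns (source address on the wire, destination, encrypted?)."""
    ingress = "Ethernet0/1"
    # 1. Policy routing: route-map nonat diverts interesting traffic to 10.2.2.1 via Loopback1.
    #    Assumption: the packet then re-enters forwarding from Loopback1, which is neither
    #    'ip nat inside' nor 'ip nat outside'.
    if policy_route and permitted(ACL_120, src, dst):
        ingress = "Loopback1"
    # 2. Routing: everything here leaves via Ethernet0/0 (assumed default route).
    # 3. NAT inside-to-outside applies only to packets that arrived on a NAT inside interface.
    if ingress == "Ethernet0/1" and permitted(ACL_1, src, dst):
        src = OUTSIDE_ADDR
    # 4. Crypto map 'test' on Ethernet0/0: encrypt only if the (possibly translated) packet matches ACL 100.
    encrypted = permitted(ACL_100, src, dst)
    return src, dst, encrypted

if __name__ == "__main__":
    print(forward("10.1.1.5", "10.1.2.7"))                      # ('10.1.1.5', '10.1.2.7', True)
    print(forward("10.1.1.5", "10.1.2.7", policy_route=False))  # ('1.1.1.2', '10.1.2.7', False): PAT'd, cleartext
    print(forward("10.1.1.5", "203.0.113.9"))                   # ('1.1.1.2', '203.0.113.9', False): ordinary Internet traffic
```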
8 IPsec Tunnel Endpoint Discovery (TED)
This case study covers a special feature offered by the Cisco router implementation. TED lets a router discover the addresses of its IPsec peers dynamically instead of having them configured manually on the router. This scalability feature is useful: to create a large number of peers you only need to define an access list for the traffic of interest and let TED find out exactly which peers they are. Importantly, if the VPN is built across the Internet, the interesting traffic must be defined with globally routable addresses. This is required because TED relies on ordinary routing to work out where the IPsec peer is located.
TED works by sending a probe packet whose destination address is the destination address from the access control list that defines the interesting traffic. The probe terminates at the IPsec router that sits in front of the destination IP address. That router collects the required information about the proxy IDs and returns a probe reply that contains the same proxies and its own IP address. Once the initiator receives this reply, it starts the IKE negotiation.