思科路由器EzVPN解决地址重叠测试
2016-1-21 0:0:0 wondial思科路由器EzVPN解决地址重叠测试
思科路由器EzVPN解决地址重叠测试一.概述:
EzVPN,如果硬件客户端身后的地址,与EzVPN server身后的地址重叠,即使是client模式的单向访问也无法实现,需要配置静态NAT,为了不影响总部上公网,需要把静态NAT与动态PAT分开。
二.基本思路:
A.EzVPN Client模式:
----这种只是分支机构单向访问总部,在总部配置静态NAT,使得分支机构访问总部主机时认为是另外一个网段的地址
----为了能够使得总部配置静态NAT还能上公网,总部路由器的内网口和外网口作为ip nat enable的一对口,配置PAT;将loopback和外网口分别配置ip nat inside和ip nat outside,作为一对口,配置静态NAT,同时为了使流量能够到达loopback口,在内网口配置PBR,将需要VPN的流量打到loopback口,流量在进行VPN之前就进行静态NAT。
B.EzVPN network-extension或network-plus模式:
----这两种种方式,因为可以双方向互访,为了实现双方向互访,需要总部配置对内和对外的两条静态NAT,同时为了能把静态NAT和动态PAT上公网的流量分开,采用不同的NAT配置方法来实现。
三.测试拓扑:
四.基本配置:
A.总部Server路由器:
interface Ethernet0/0
ip address 10.1.1.2 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.1
B.总部Center路由器:
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
no shut
interface Ethernet0/1
ip address 202.100.1.1 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 202.100.1.10
C.Internet路由器:
interface Ethernet0/0
ip address 202.100.1.10 255.255.255.0
no shut
interface Ethernet0/1
ip address 202.100.2.10 255.255.255.0
no shut
D.Branch路由器:
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
no shut
interface Ethernet0/1
ip address 202.100.2.1 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 202.100.2.10
E.分支inside路由器:
interface Ethernet0/0
ip address 10.1.1.2 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.1
五.EzVPN配置:
A.EzVPN Server总部Center路由器:
①第一阶段:
crypto isakmp policy 10
authentication pre-share
en des
group 2
hash md5
crypto isakmp client configuration group ipsecgroup
key cisco
②第1.5阶段XAUTH配置:
aaa new-model
aaa authentication login noacs line none
line console 0
login authentication noacs
line aux 0
login authentication noacs
username xll password xll
aaa authentication login xauth-authen local
③第1.5阶段MODE-CFG配置:
ip local pool ippool 123.1.1.100 123.1.1.200
ip access-list extended split
permit ip 172.16.1.0 0.0.0.255 any
aaa authorization network mcfg-author local
crypto isakmp client configuration group ipsecgroup
pool ippool
acl split
④第2阶段转换集与动态map配置:
crypto ipsec transform-set ezvpnset esp-des esp-md5-hmac
crypto dynamic-map dymap 10
set transform-set ezvpnset
reverse-route
⑤第2阶段crypto map配置:
crypto map cry-map client authentication list xauth-authen
crypto map cry-map isakmp authorization list mcfg-author
crypto map cry-map client configuration address respond
crypto map cry-map 10 ipsec-isakmp dynamic dymap
interface E0/1
crypto map cry-map
B.EzVPN硬件客户端Branch路由器配置:
①EzVPN基本配置:
crypto ipsec client ezvpn Ez-Client
connect manual
group ipsecgroup key cisco
mode client
peer 202.100.1.1
interface e0/0
crypto ipsec client ezvpn Ez-Client inside
interface e0/1
crypto ipsec client ezvpn Ez-Client outside
②手动触发EzVPN连接:
crypto ipsec client ezvpn connect
crypto ipsec client ezvpn xauth
Username: xll
Password: xll
Branch#
*Mar 1 00:05:21.047: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User= Group=ipsecgroup Client_public_addr=202.100.2.1 Server_public_addr=202.100.1.1 Assigned_client_addr=123.1.1.100
Branch#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 4
Tunnel name : Ez-Client
Inside interface list: Ethernet0/0
Outside interface: Ethernet0/1
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 123.1.1.100
Mask: 255.255.255.255
Save Password: Disallowed
Split Tunnel List: 1
Address : 172.16.1.0
Mask : 255.255.255.0
Protocol : 0x0
Source Port: 0
Dest Port : 0
Current EzVPN Peer: 202.100.1.1
----这时虽然VPN能连接上去但是,无法连接内网
六.NAT及策略路由配置:
A.动态PAT配置:
①总部Center路由器配置:
interface Ethernet0/0
ip nat enable
interface Ethernet0/1
ip nat enable
ip access-list extended Internet
deny ip 10.1.1.0 0.0.0.255 123.1.1.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 any
ip nat source list Internet interface Ethernet0/1 overload
测试:
Server#ping 202.100.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/105/216 ms
Server#
②分支branch路由器配置:
interface Ethernet0/0
ip nat enable
interface Ethernet0/1
ip nat enable
ip access-list extended Internet
deny ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 any
ip nat source list Internet interface Ethernet0/1 overload
测试:
Inside#ping 202.100.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/60/120 ms
B.静态NAT及策略路由配置:
---只需在总部Center路由器上配置
interface Loopback0
ip address 1.1.1.1 255.255.255.252
ip nat inside
interface Ethernet0/1
ip nat outside
ip nat inside source static network 10.1.1.0 172.16.1.0 /24
ip access-list extended VPN
permit ip 10.1.1.0 0.0.0.255 123.1.1.0 0.0.0.255
route-map VPN permit 10
match ip address VPN
set interface Loopback0
interface Ethernet0/0
ip policy route-map VPN
C.测试:
clear crypto ipsec client ezvpn
crypto ipsec client ezvpn connect
crypto ipsec client ezvpn xauth
Username: xll
Password: xll
*Mar 1 00:09:33.803: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User= Group=ipsecgroup Client_public_addr=202.100.2.1 Server_public_addr=202.100.1.1 Assigned_client_addr=123.1.1.101
Branch#
Inside#ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 196/265/392 ms
Inside#
七.后记:
----如果EzVPN采用的是网络拓展模式或者网络拓展加模式,因为两边都可以主动发起访问,配置的方式跟上面有所不同,跟L2L IPSEC VPN类似:
A.动态PAT配置:
①总部Center路由器配置:
interface Ethernet0/0
ip nat enable
interface Ethernet0/1
ip nat enable
ip access-list extended Internet
deny ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 any
ip nat source list Internet interface Ethernet0/1 overload
②分支branch路由器配置:
interface Ethernet0/0
ip nat enable
interface Ethernet0/1
ip nat enable
ip access-list extended Internet
deny ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 any
ip nat source list Internet interface Ethernet0/1 overload
B.静态NAT及策略路由配置:
①总部Center路由器:
interface Loopback0
ip address 1.1.1.1 255.255.255.252
ip nat inside
interface Ethernet0/1
ip nat outside
ip nat inside source static network 10.1.1.0 172.16.1.0 /24
ip nat Outside source static network 10.1.1.0 192.168.1.0 /24
ip access-list extended VPN
permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
route-map VPN permit 10
match ip address VPN
set interface Loopback0
interface Ethernet0/0
ip policy route-map VPN
②分支Branch路由器
interface Loopback0
ip address 192.168.1.1 255.255.255.0
crypto ipsec client ezvpn Ez-Client inside
----这个将分支机构被NAT的网络通过反向路由注入的方式注入到总部Center路由器
----测试时发现如果Server不配置反向路由注入,即使配置了隧道分离,客户端还是把VPN流量送到了互联网。
C.测试:
clear crypto ipsec client ezvpn
crypto ipsec client ezvpn connect
crypto ipsec client ezvpn xauth
Username: xll
Password: xll
Branch#
*Mar 1 00:11:53.395: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User= Group=ipsecgroup Client_public_addr=202.100.2.1 Server_public_addr=202.100.1.1 NEM_Remote_Subnets=10.1.1.0/255.255.255.0 192.168.1.0/255.255.255.0
Inside#ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 192/258/348 ms
Inside#
----ping的同时在对方debug ip icmp,可以看到回包
Server#
*Mar 2 22:11:07.472: ICMP: echo reply sent, src 10.1.1.2, dst 192.168.1.2
*Mar 2 22:11:07.740: ICMP: echo reply sent, src 10.1.1.2, dst 192.168.1.2
*Mar 2 22:11:07.972: ICMP: echo reply sent, src 10.1.1.2, dst 192.168.1.2
*Mar 2 22:11:08.160: ICMP: echo reply sent, src 10.1.1.2, dst 192.168.1.2
*Mar 2 22:11:08.412: ICMP: echo reply sent, src 10.1.1.2, dst 192.168.1.2
反过来也能通:
Server#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 176/248/372 ms
Inside#
*Mar 2 19:21:54.933: ICMP: echo reply sent, src 10.1.1.2, dst 172.16.1.2
*Mar 2 19:21:55.273: ICMP: echo reply sent, src 10.1.1.2, dst 172.16.1.2
*Mar 2 19:21:55.481: ICMP: echo reply sent, src 10.1.1.2, dst 172.16.1.2
*Mar 2 19:21:55.669: ICMP: echo reply sent, src 10.1.1.2, dst 172.16.1.2
*Mar 2 19:21:55.857: ICMP: echo reply sent, src 10.1.1.2, dst 172.16.1.2
如果您的问题还没有解决,可以到 T+搜索>>上找一下答案
相关阅读
- 用友T3用友通系统重装后,没有账套备份,如何恢复账套2019-4-29 8:0:0
- 明细账权限设置时提示“没有操作员”?2019-4-29 8:0:0
- 用友t3用友通填制凭证时报“运行时错误429”2019-4-23 8:0:0
- 用友T3用友通填制凭证带出存货档案2019-4-23 8:0:0
- 用友T3用友通填制凭证中数量单价不符2019-4-23 8:0:0
- 用友T3用友通基金结余结转时报错,错误号为‘运行时错误3021’2019-4-23 8:0:0
- 用友T3用友通基础档案导入2019-4-23 8:0:0
- 用友T3用友通基础信息的删除2019-4-23 8:0:0
- 用友T3用友通基本科目设置和控制科目设置分别是什么-2019-4-23 8:0:0
- 用友T3用友通基本工资参数问题2019-4-23 8:0:0
最新信息
T+12.0销售可以控制价格为0的时候不能保存吗?急急急 T+12.0销售可以控制价格为0的时候不能保存吗?急急急[]
赠品价格为0是可以保存的,但是如果不是赠品要怎么控制?您好,没有控制价格为0不许保存的,变通的话可以设置存货的最低售价控制,这样也可以避免0价格保存的情况。
U8查询客户科目余额表的权限在哪里设置 _0U8查询客户科目余额表的权限在哪里设置''
应该在左上角设置里在左上角设置里
左上角,你认真找一下。在左上角??你查一下在左上角设置
