Skip to main content


cisco模拟器中VPN的配置

2013-06-29 00:59 浏览:

注意:可能会存在一些错误,以测试过了VPN是可以通的。

网络拓扑见:http://down.51cto.com/data/854149

R1的配置

基本端口配置

Router>en

Router#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)#int fa 0/0

Router(config-if)#ip add 172.16.0.1 255.255.0.0

Router(config-if)#no shut

 

%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up

 

 

 

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

 

 

 

Router(config-if)#int fa 1/0

 

 

Router(config-if)#ip add 100.0.0.1 255.255.255.252

Router(config-if)#no shut

 

%LINK-5-CHANGED: Interface FastEthernet1/0, changed state to down

 

 

Router(config-if)#exit

Router(config)#host

Router(config)#hostname R1

R1(config)#

 

默认路由

 

 

R1(config)#ip route 0.0.0.0 0.0.0.0 100.0.0.2

 

NAT的配置

 

 

R1(config)#acc 1 per172.16.10.0 0.0.0.255

R1(config)#acc 1 deny 172.16.0.0 0.0.255.0

R1(config)#ip nat pool xinbin 100.0.0.1 100.0.0.1 netmask 255.255.255.252

R1(config)#ip nat inside source list 1 p

R1(config)#ip nat inside source list 1 pool xinbin o

R1(config)#ip nat inside source list 1 pool xinbin overload

R1(config)#int fa 0/0

R1(config-if)#ip nat inside

R1(config-if)#int fa 1/0

R1(config-if)#ip nat outside

R1(config-if)#exit

 

ACL的配置

 

 

R1(config)#acc 110 per ip 172.16.10.0 0.0.0.255 10.10.33.0 0.0.0.255

R1(config)#acc 110 deny ip 172.16.0.0 0.0.255.255 10.10.33.0 0.0.0.255

 

R1(config-if)#acc 110 per ip any any

 

 

R1(config)#int fa 0/0

R1(config-if)#ip acc 110 in

R1(config-if)#int fa 1/0

R1(config-if)#ip acc 110 out

 

VPN的配置

 

 

 

R1(config)#crypto isakmp p 1

 

 

R1(config-isakmp)#cry

R1(config-isakmp)#g 2

R1(config-isakmp)#a p

R1(config-isakmp)#exit

R1(config)#cry

R1(config)#crypto key xinbin add 200.0.0.1

                     ^

% Invalid input detected at '^' marker.

 

R1(config)#cry

 

 

R1(config)#crypto is

R1(config)#crypto isakmp key xinbin add 200.0.0.1

R1(config)#cry

R1(config)#cry ip

R1(config)#cry ipsec t

R1(config)#cry ipsec transform-set ah-m

R1(config)#cry ipsec transform-set ah-m

R1(config)#cry ipsec transform-set ah-md

R1(config)#cry ipsec transform-set vpntag ha

R1(config)#cry ipsec transform-set vpntag ah-m

R1(config)#cry ipsec transform-set vpntag ah-md5-hmac esp-des

R1(config)#cry ipsec transform-set vpntag ah-md5-hmac esp-des

R1(config)#access-list 10 per 172.16.10.0 0.0.0.255

R1(config)#cry map vpndemo 10 ipsec

% NOTE: This new crypto map will remain disabled until a peer

       and a valid access list have been configured.

R1(config-crypto-map)#set peer 200.0.0.1

R1(config-crypto-map)#set transform-set vpntag

R1(config-crypto-map)#match address 101

R1(config-crypto-map)#exit

 

R1(config)#int t 0

 

 

%LINK-5-CHANGED: Interface Tunnel0, changed state to up

R1(config-if)#ip add 192.168.1.1 255.255.255.0

R1(config-if)#tunn s fa 1/0

R1(config-if)#tun d 200.0.0.1

R1(config-if)#exit

R1(config)#

 

R1(config)#int fa 0/0

 

 

R1(config-if)#cry map vpndemo

*Jan  3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

R1(config-if)#exit\

                 ^

% Invalid input detected at '^' marker.

 

R1(config-if)#exit

 

 

R1(config)#int fa 1/0

R1(config-if)#cry map vpndemo

R1(config-if)#exit

R1(config)#

Router(config)#ip route 0.0.0.0 0.0.0.0 100.0.0.2

Router(config)#ip route 10.10.33.0 255.255.255.0 192.168.1.2

Router(config)#access-list 101 permit gre host 100.0.0.1 host 200.0.0.1

 

R2的配置

 

 

 

Router>en

 

 

Router#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)#hos R2

R2(config)#int fa 4/0

R2(config-if)#ip add 100.0.0.2 255.255.255.252

R2(config-if)#no shut

 

%LINK-5-CHANGED: Interface FastEthernet4/0, changed state to up

 

 

 

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet4/0, changed state to up

 

 

 

R2(config)#int fa 5/0

 

 

R2(config-if)#ip add 200.0.0.2 255.255.255.252

R2(config-if)#no shut

 

%LINK-5-CHANGED: Interface FastEthernet5/0, changed state to up

 

 

 

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet5/0, changed state to up

 

 

 

R2(config-if)#

 

 

 

配置默认路由

 

 

R2(config)#ip route 172.16.0.0 255.255.0.0 100.0.0.1

R2(config)#ip route 10.10.33.0 255.255.255.0 200.0.0.1

 

R3的配置

 

 

 

Router>en

 

 

Router#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)#hos R3

R3(config)#int fa 0/0

R3(config-if)#ip add 10.10.33.1 255.255.255.0

R3(config-if)#no shut

 

%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up

 

 

 

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

 

 

 

R3(config-if)#exit

 

 

R3(config)#int fa 1/0

R3(config-if)#ip add 200.0.0.1 255.255.255.252

R3(config-if)#no shut

 

%LINK-5-CHANGED: Interface FastEthernet1/0, changed state to down

 

 

R3(config-if)#exit

R3(config)#ip route 0.0.0.0 0.0.0.0 200.0.0.2

R3(config)#

 

VPN的配置

 

 

 

R3(config)#crypto isa policy 1

 

 

R3(config-isakmp)#a p

R3(config-isakmp)#g 2

R3(config-isakmp)#exit

R3(config)#crypto is

R3(config)#crypto isakmp key xinbin address 100.0.0.1

R3(config)#crypto ipsec t

R3(config)#crypto ipsec transform-set vpntag ah-m

R3(config)#crypto ipsec transform-set vpntag ah-md5-hmac esp-des

R3(config)#access 10 per 10.10.33.0 0.0.0.255

R3(config)#crypto map vpndemo 10 ipsec

% NOTE: This new crypto map will remain disabled until a peer

       and a valid access list have been configured.

R3(config-crypto-map)#set pee 100.0.0.1

R3(config-crypto-map)#set t

R3(config-crypto-map)#set transform-set vpntag

R3(config-crypto-map)#match add 101

R3(config-crypto-map)#exit

R3(config)#

 

R3(config)#int t 0

 

 

%LINK-5-CHANGED: Interface Tunnel0, changed state to up

R3(config-if)#ip add 192.168.1.2 255.255.255.0

R3(config-if)#tunn s fa 1/0

R3(config-if)#tun d 100.0.0.1

R3(config-if)#exit

 

R3(config)#int fa 0/0

 

 

R3(config-if)#cry map vpndemo

*Jan  3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

R3(config-if)#exit

R3(config)#int fa 1/0

R3(config-if)#cry

R3(config-if)#crypto ma

R3(config-if)#crypto map vpndemo

R3(config-if)#

 

Router(config)#ip route 0.0.0.0 0.0.0.0 200.0.0.2

 

 

Router(config)#ip route 172.16.10..0 255.255.255.0 192.168.1.1

Router(config)#access-list 101 permit gre host 200.0.0.1 host 100.0.0.1