Cisco PIX 8.0 firewall: L2L VPN address overlap test (2)(2)

2013-07-04 01:41

ip address 202.100.1.10 255.255.255.0
no shut      
interface Ethernet0/1
ip address 202.100.2.10 255.255.255.0
no shut
D. PIX80_Branch firewall:
interface Ethernet0
nameif Inside
security-level 100
ip address 172.16.1.1 255.255.255.0 
no shut 
interface Ethernet1
nameif Outside
security-level 0
ip address 202.100.2.1 255.255.255.0
no shut 
route Outside 0.0.0.0 0.0.0.0 202.100.2.10
access-list OUTSIDE extended permit icmp any any 
access-group OUTSIDE in interface Outside
E. ERP_Branch router:
interface Ethernet0/0
ip address 172.16.1.3 255.255.255.0 secondary
ip address 172.16.1.2 255.255.255.0
no shut 
ip route 0.0.0.0 0.0.0.0 172.16.1.1
5. Firewall NAT configuration:
A. PIX80_HQ firewall:
① PAT:

access-list PAT extended permit ip 172.16.1.0 255.255.255.0 any 
nat (Inside) 1 access-list PAT
global (Outside) 1 interface
② NAT exemption:
access-list NAT0 extended permit ip host 172.16.1.2 host 10.1.2.2 
nat (Inside) 0 access-list NAT0
B. PIX80_Branch firewall:
① PAT:
access-list PAT extended permit ip 172.16.1.0 255.255.255.0 any 
nat (Inside) 1 access-list PAT
global (Outside) 1 interface
② Static policy NAT:
access-list VPN-NAT extended permit ip host 172.16.1.2 host 10.1.1.2
static (Inside,Outside) 10.1.2.2  access-list VPN-NAT 
③ NAT on the Outside interface:
static (Outside,Inside) 10.1.1.2 172.16.1.2 netmask 255.255.255.255 
---- With this, when the HQ host 172.16.1.2 (left untranslated by the HQ NAT exemption) arrives at the branch Outside interface and is decrypted, its address is translated to 10.1.1.2 as it enters the inside network.
6. L2L VPN configuration:
A. PIX80_HQ firewall:
① Phase 1 policy:

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
tunnel-group 202.100.2.1 type ipsec-l2l
tunnel-group 202.100.2.1 ipsec-attributes
pre-shared-key cisco
② Phase 2 transform set:
crypto ipsec transform-set transet esp-des esp-md5-hmac 
③ Interesting traffic:
access-list VPN extended permit ip 172.16.1.0 255.255.255.0 10.1.2.0 255.255.255.0
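As an added illustration (not configuration or code from the original post), the following Python model walks one request and its reply through the NAT rules of section 5 and the HQ crypto ACL of section 6, showing that each side sees the other's 172.16.1.2 as a distinct 10.1.x.2 address and that the HQ crypto ACL is evaluated on post-NAT addresses. The function names and the rule tables are my own; the branch crypto ACL is not on this page and is not modelled, and the HQ ACL is taken with a /24 destination mask.

```python
import ipaddress

# Rule tables built from the configuration quoted above (constructed model, not PIX code).
HQ_NAT0 = ("172.16.1.2", "10.1.2.2")              # nat (Inside) 0 access-list NAT0
HQ_CRYPTO_ACL = ("172.16.1.0/24", "10.1.2.0/24")   # access-list VPN (assumed /24 destination mask)
BR_POLICY = ("172.16.1.2", "10.1.1.2", "10.1.2.2")  # static (Inside,Outside) 10.1.2.2 access-list VPN-NAT
BR_OUTSIDE = ("172.16.1.2", "10.1.1.2")            # static (Outside,Inside) 10.1.1.2 172.16.1.2


def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def hq_to_branch(src, dst):
    """HQ inside -> Branch inside. Returns (addresses on the wire, addresses seen by the branch host)."""
    # PIX 8.0 applies NAT before the crypto-map match on the outbound interface.
    if (src, dst) != HQ_NAT0:
        raise ValueError("not exempted by nat 0: would be PAT'ed to the Outside address")
    if not (in_net(src, HQ_CRYPTO_ACL[0]) and in_net(dst, HQ_CRYPTO_ACL[1])):
        raise ValueError("not matched by crypto ACL VPN: would leave in the clear")
    on_wire = (src, dst)  # nat 0 leaves both addresses untouched
    # Branch, after decryption on Outside: the outside static maps the HQ host to 10.1.1.2,
    # and the policy static (used in reverse) maps 10.1.2.2 back to the real 172.16.1.2.
    real_out, mapped_in = BR_OUTSIDE
    real_in, _, mapped_out = BR_POLICY
    seen_src = mapped_in if src == real_out else src
    seen_dst = real_in if dst == mapped_out else dst
    return on_wire, (seen_src, seen_dst)


def branch_to_hq(src, dst):
    """Branch inside -> HQ inside for the reply. Returns (addresses on the wire, addresses seen by the HQ host)."""
    real_in, when_dst, mapped_out = BR_POLICY
    real_out, mapped_in = BR_OUTSIDE
    if src == real_in and dst == when_dst:
        src = mapped_out            # policy static: 172.16.1.2 -> 10.1.2.2 only when talking to 10.1.1.2
    if dst == mapped_in:
        dst = real_out              # outside static reversed: 10.1.1.2 -> 172.16.1.2
    on_wire = (src, dst)
    if (dst, src) != HQ_NAT0:       # HQ nat 0 also covers the reply of the exempted pair
        raise ValueError("reply not covered by HQ nat 0")
    return on_wire, (src, dst)
```

Both walks show the overlapping 172.16.1.2 hosts never meet each other's real address: the branch host sees HQ as 10.1.1.2 and HQ sees the branch as 10.1.2.2.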