这个文档说明了在路由器和思科防火墙之间的IPSec配置。在总部和分公司之间的流量使用的是私有IP地址,当分公司的局域网用户访问互联网时,需要进行地址转换。
网络拓扑
配置
定义去路由器的流量:
access-list ipsec permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
!--- 去路由器的流量不做地址转换
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
ip address outside 172.17.63.213 255.255.255.240
ip address inside 10.1.1.1 255.255.255.0
global (outside) 1 172.17.63.210
!--- 去路由器的流量不做地址转换
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 172.17.63.209 1
!--- IPSec 策略:
sysopt connection permit-ipsec
crypto ipsec transform-set avalanche esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map forsberg 21 ipsec-isakmp
crypto map forsberg 21 match address ipsec
crypto map forsberg 21 set peer 172.17.63.230
crypto map forsberg 21 set transform-set avalanche
crypto map forsberg interface outside
!--- IKE 策略:
isakmp enable outside
isakmp key westernfinal2000 address 172.17.63.230 netmask 255.255.255.255
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 1
: end
Branch Router
hostname Branch_Router
!--- IKE策略:
crypto isakmp policy 11
hash md5
authentication pre-share
crypto isakmp key westernfinal2000 address 172.17.63.213
!--- IPSec策略:
crypto ipsec transform-set sharks esp-des esp-md5-hmac
crypto map nolan 11 ipsec-isakmp
set peer 172.17.63.213
set transform-set sharks
match address 120
!
interface Ethernet0
ip address 172.17.63.230 255.255.255.240
ip nat outside
crypto map nolan
!
interface Ethernet1
ip address 10.2.2.1 255.255.255.0
ip nat inside
!
ip nat pool branch 172.17.63.230 172.17.63.230 netmask 255.255.255.240
ip nat inside source route-map nonat pool branch overload
ip route 0.0.0.0 0.0.0.0 172.17.63.225
access-list 120 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 permit ip 10.2.2.0 0.0.0.255 any
route-map nonat permit 10
match ip address 130
end
更多内容请看路由器设置专题、交换机与路由器密码恢复、路由故障处理手册专题,或进入讨论组讨论。
相关专题
- 路由器设置专题 (2378篇文章)
- 交换机与路由器密码恢复 (3933篇文章)
- 路由故障处理手册 (2441篇文章)
- 路由安全配置专题 (11761篇文章)
- Cisco路由器配置手册 (4742篇文章)
- 无线宽带路由器 (7351篇文章)
- 防火墙软件应用 (1861篇文章)
- 电脑配置手册 (8308篇文章)
- 服务器配置专栏 (10894篇文章)
- Cisco防火墙专题 (4604篇文章)
- 端口·木马·安全·扫描应用知识 (980次浏览)
- FTP服务器-架设-配置-漏洞-管理-安全精通篇 (386次浏览)
- FTP服务器架设--安全篇 (189次浏览)
- Win2000安全设置手册 (84次浏览)
- Apache服务器的安全性及实现 (59次浏览)
- 全方位堵住Windows 2003的安全隐患 (51次浏览)
- 让我们认识病毒命名规则 (25次浏览)
- U盘病毒原理 (17次浏览)
- Windows系统用户摆脱黑客攻击的方法 (16次浏览)
- 反垃圾邮件技术:九个方法告别垃圾邮件 (16次浏览)
