
Cisco router EzVPN: resolving overlapping addresses (lab test)

Date: 2017-5-23   Source: www.sypcwx.cn   Author: 沈阳电脑维修网 (Shenyang Computer Repair)
1. Overview

With EzVPN, if the addresses behind the hardware client overlap with the addresses behind the EzVPN server, even the one-way access of client mode does not work. Static NAT is required, and so that the head office (HQ) can still reach the Internet, the static NAT has to be kept separate from the dynamic PAT.

2. Basic approach

A. EzVPN client mode:
---- Only the branch accesses HQ, one way. Static NAT is configured at HQ so that, when branch hosts reach HQ hosts, they see them as addresses in a different subnet.
---- To keep Internet access working alongside the static NAT, the HQ router's inside and outside interfaces form one pair with "ip nat enable" (NAT virtual interface) carrying the PAT; a loopback and the outside interface form a second pair with "ip nat inside" / "ip nat outside" carrying the static NAT. To get traffic onto the loopback, PBR on the inside interface steers the traffic that needs the VPN to the loopback, so the static translation happens before the traffic is encrypted.

B. EzVPN network-extension or network-extension-plus mode:
---- Both sides can initiate, so HQ needs two static NAT entries, one for the inside side and one for the outside side. To keep the static NAT separate from the dynamic PAT used for Internet access, the two are configured with different NAT methods.

3. Test topology

(Topology figure not reproduced; the addressing is taken from the configurations below.)
Server (E0/0 10.1.1.2) -- (E0/0 10.1.1.1) Center (E0/1 202.100.1.1) -- (E0/0 202.100.1.10) Internet (E0/1 202.100.2.10) -- (E0/1 202.100.2.1) Branch (E0/0 10.1.1.1) -- (E0/0 10.1.1.2) Inside
Note that both LANs, HQ (Server) and branch (Inside), use 10.1.1.0/24; that is the overlap.

4. Basic configuration

A. HQ Server router:
interface Ethernet0/0
 ip address 10.1.1.2 255.255.255.0
 no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.1

B. HQ Center router:
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 no shut
interface Ethernet0/1
 ip address 202.100.1.1 255.255.255.0
 no shut
ip route 0.0.0.0 0.0.0.0 202.100.1.10

C. Internet router:
interface Ethernet0/0
 ip address 202.100.1.10 255.255.255.0
 no shut
interface Ethernet0/1
 ip address 202.100.2.10 255.255.255.0
 no shut

D. Branch router:
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 no shut
interface Ethernet0/1
 ip address 202.100.2.1 255.255.255.0
 no shut
ip route 0.0.0.0 0.0.0.0 202.100.2.10

E. Branch Inside router:
interface Ethernet0/0
 ip address 10.1.1.2 255.255.255.0
 no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.1

5. EzVPN configuration

A. EzVPN server, the HQ Center router:

(1) Phase 1:
crypto isakmp policy 10
 authentication pre-share
 encryption des
 group 2
 hash md5
crypto isakmp client configuration group ipsecgroup
 key cisco
---- DES, MD5, DH group 2 and the group key "cisco" are lab settings only. They are deprecated; a production deployment should use AES, SHA-2 and at least DH group 14, with a strong group key.

(2) Phase 1.5, XAUTH:
aaa new-model
aaa authentication login noacs line none
line console 0
 login authentication noacs
line aux 0
 login authentication noacs
username xll password xll
aaa authentication login xauth-authen local

(3) Phase 1.5, MODE-CFG:
ip local pool ippool 123.1.1.100 123.1.1.200
ip access-list extended split
 permit ip 172.16.1.0 0.0.0.255 any
aaa authorization network mcfg-author local
crypto isakmp client configuration group ipsecgroup
 pool ippool
 acl split
---- The split-tunnel ACL advertises the translated HQ network 172.16.1.0/24, not the real 10.1.1.0/24, so the branch routes HQ traffic into the tunnel without a conflict with its own LAN.

(4) Phase 2 transform set and dynamic map:
crypto ipsec transform-set ezvpnset esp-des esp-md5-hmac
crypto dynamic-map dymap 10
 set transform-set ezvpnset
 reverse-route

(5) Phase 2 crypto map:
crypto map cry-map client authentication list xauth-authen
crypto map cry-map isakmp authorization list mcfg-author
crypto map cry-map client configuration address respond
crypto map cry-map 10 ipsec-isakmp dynamic dymap
interface E0/1
 crypto map cry-map

B. EzVPN hardware client, the Branch router:

(1) Basic EzVPN configuration:
crypto ipsec client ezvpn Ez-Client
 connect manual
 group ipsecgroup key cisco
 mode client
 peer 202.100.1.1
interface e0/0
 crypto ipsec client ezvpn Ez-Client inside
interface e0/1
 crypto ipsec client ezvpn Ez-Client outside

(2) Manually bring up the EzVPN connection:
crypto ipsec client ezvpn connect
crypto ipsec client ezvpn xauth
Username: xll
Password: xll
Branch#
*Mar  1 00:05:21.047: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client)  User=  Group=ipsecgroup  Client_public_addr=202.100.2.1  Server_public_addr=202.100.1.1  Assigned_client_addr=123.1.1.100

Branch#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 4
Tunnel name : Ez-Client
Inside interface list: Ethernet0/0
Outside interface: Ethernet0/1
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 123.1.1.100
Mask: 255.255.255.255
Save Password: Disallowed
Split Tunnel List: 1
       Address    : 172.16.1.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer: 202.100.1.1
---- At this point the VPN comes up, but the HQ inside network still cannot be reached.

6. NAT and policy-routing configuration

A. Dynamic PAT:

(1) HQ Center router:
interface Ethernet0/0
 ip nat enable
interface Ethernet0/1
 ip nat enable
ip access-list extended Internet
 deny ip 10.1.1.0 0.0.0.255 123.1.1.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 any
ip nat source list Internet interface Ethernet0/1 overload
---- The deny line keeps traffic towards the EzVPN client pool (123.1.1.0/24) out of the PAT; everything else from the LAN is overloaded onto E0/1.
Test:
Server#ping 202.100.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/105/216 ms
Server#

(2) Branch router:
interface Ethernet0/0
 ip nat enable
interface Ethernet0/1
 ip nat enable
ip access-list extended Internet
 deny ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 any
ip nat source list Internet interface Ethernet0/1 overload
Test:
Inside#ping 202.100.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/60/120 ms

B. Static NAT and policy routing:
---- Only needed on the HQ Center router.
interface Loopback0
 ip address 1.1.1.1 255.255.255.252
 ip nat inside
interface Ethernet0/1
 ip nat outside
ip nat inside source static network 10.1.1.0 172.16.1.0 /24
ip access-list extended VPN
 permit ip 10.1.1.0 0.0.0.255 123.1.1.0 0.0.0.255
route-map VPN permit 10
 match ip address VPN
 set interface Loopback0
interface Ethernet0/0
 ip policy route-map VPN
---- Replies from HQ hosts to the client pool are policy-routed through Loopback0 ("ip nat inside"), so the static network NAT rewrites 10.1.1.x to 172.16.1.x before the packet reaches E0/1 and is encrypted; traffic that misses the VPN ACL is routed normally and takes the PAT path.

C. Test:
clear crypto ipsec client ezvpn
crypto ipsec client ezvpn connect
crypto ipsec client ezvpn xauth
Username: xll
Password: xll
*Mar  1 00:09:33.803: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client)  User=  Group=ipsecgroup  Client_public_addr=202.100.2.1  Server_public_addr=202.100.1.1  Assigned_client_addr=123.1.1.101
Branch#
Inside#ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 196/265/392 ms
Inside#

7. Postscript

---- If EzVPN runs in network-extension or network-extension-plus mode ("mode network-extension" in the Ez-Client profile), both sides can initiate traffic, so the configuration differs from the above and resembles a LAN-to-LAN IPsec VPN:

A. Dynamic PAT:

(1) HQ Center router:
interface Ethernet0/0
 ip nat enable
interface Ethernet0/1
 ip nat enable
ip access-list extended Internet
 deny ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 any
ip nat source list Internet interface Ethernet0/1 overload

(2) Branch router:
interface Ethernet0/0
 ip nat enable
interface Ethernet0/1
 ip nat enable
ip access-list extended Internet
 deny ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 any
ip nat source list Internet interface Ethernet0/1 overload

B. Static NAT and policy routing:

(1) HQ Center router:
interface Loopback0
 ip address 1.1.1.1 255.255.255.252
 ip nat inside
interface Ethernet0/1
 ip nat outside
ip nat inside source static network 10.1.1.0 172.16.1.0 /24
ip nat outside source static network 10.1.1.0 192.168.1.0 /24
ip access-list extended VPN
 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
route-map VPN permit 10
 match ip address VPN
 set interface Loopback0
interface Ethernet0/0
 ip policy route-map VPN
---- HQ's 10.1.1.0/24 is presented to the branch as 172.16.1.0/24 (inside source), and the branch's 10.1.1.0/24 is presented to HQ as 192.168.1.0/24 (outside source).

(2) Branch router:
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
 crypto ipsec client ezvpn Ez-Client inside
---- This injects the branch's translated network into the HQ Center router through reverse route injection.
---- During testing, if the EzVPN server is not configured with reverse route injection, the client still sends the VPN traffic to the Internet even with split tunneling configured.

C. Test:
clear crypto ipsec client ezvpn
crypto ipsec client ezvpn connect
crypto ipsec client ezvpn xauth
Username: xll
Password: xll
Branch#
*Mar  1 00:11:53.395: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client)  User=  Group=ipsecgroup  Client_public_addr=202.100.2.1  Server_public_addr=202.100.1.1  NEM_Remote_Subnets=10.1.1.0/255.255.255.0 192.168.1.0/255.255.255.0

Inside#ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 192/258/348 ms
Inside#
---- Running "debug ip icmp" on the far side during the ping shows the echo replies:
Server#
*Mar  2 22:11:07.472: ICMP: echo reply sent, src 10.1.1.2, dst 192.168.1.2
*Mar  2 22:11:07.740: ICMP: echo reply sent, src 10.1.1.2, dst 192.168.1.2
*Mar  2 22:11:07.972: ICMP: echo reply sent, src 10.1.1.2, dst 192.168.1.2
*Mar  2 22:11:08.160: ICMP: echo reply sent, src 10.1.1.2, dst 192.168.1.2
*Mar  2 22:11:08.412: ICMP: echo reply sent, src 10.1.1.2, dst 192.168.1.2
---- The Server sees the branch host as 192.168.1.2, while the branch host addressed it as 172.16.1.2; neither side ever sees the overlapping 10.1.1.2.

The reverse direction also works:
Server#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 176/248/372 ms
Inside#
*Mar  2 19:21:54.933: ICMP: echo reply sent, src 10.1.1.2, dst 172.16.1.2
*Mar  2 19:21:55.273: ICMP: echo reply sent, src 10.1.1.2, dst 172.16.1.2
*Mar  2 19:21:55.481: ICMP: echo reply sent, src 10.1.1.2, dst 172.16.1.2
*Mar  2 19:21:55.669: ICMP: echo reply sent, src 10.1.1.2, dst 172.16.1.2
*Mar  2 19:21:55.857: ICMP: echo reply sent, src 10.1.1.2, dst 172.16.1.2
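The address rewrites performed by the Center router in sections 6 (client mode: one inside-source static network NAT plus PBR) and 7 (network-extension mode: inside-source and outside-source static network NAT) can be checked offline before touching a router. The Python model below is an added example, not code from the original page; the lab addresses are the page's, while the class and function names (CenterNat, translate, round_trip, needs_static_nat) and the packet-flow simplification (addresses only, no ports, no ISAKMP/IPsec state) are this example's own assumptions.

```python
"""Model of the EzVPN server's static network NAT + PBR from the lab above.

Added example (not from the original page). Addresses are the lab's; the
names and the simplified per-packet model are assumptions of this example.
"""
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


def needs_static_nat(hq_lan: str, branch_lan: str) -> bool:
    """The page's precondition: overlapping LANs cannot talk even one way."""
    return ip_network(hq_lan).overlaps(ip_network(branch_lan))


def translate(addr: IPv4Address, src_net: IPv4Network, dst_net: IPv4Network) -> IPv4Address:
    """Static *network* NAT: keep the host bits, swap the network prefix."""
    if addr not in src_net:
        raise ValueError(f"{addr} is not in {src_net}")
    host_bits = int(addr) - int(src_net.network_address)
    return ip_address(int(dst_net.network_address) + host_bits)


class CenterNat:
    """One EzVPN server router.

    hq_lan -> hq_global   models 'ip nat inside source static network 10.1.1.0 172.16.1.0 /24'
    branch_lan -> branch_local models 'ip nat outside source static network 10.1.1.0 192.168.1.0 /24'
                           (only present in network-extension mode)
    pbr_dst               is the destination range of the 'VPN' ACL that policy-routes
                           HQ replies through Loopback0 (ip nat inside)
    """

    def __init__(self, hq_lan, hq_global, pbr_dst, branch_lan=None, branch_local=None):
        self.hq_lan = ip_network(hq_lan)
        self.hq_global = ip_network(hq_global)
        self.pbr_dst = ip_network(pbr_dst)
        self.branch_lan = ip_network(branch_lan) if branch_lan else None
        self.branch_local = ip_network(branch_local) if branch_local else None

    def from_inside(self, src, dst):
        """Packet from an HQ host entering E0/0.

        Returns (src, dst) as handed to the crypto map, or None when the packet
        misses the VPN ACL and therefore takes the ordinary dynamic-PAT path.
        """
        src, dst = ip_address(src), ip_address(dst)
        if not (src in self.hq_lan and dst in self.pbr_dst):
            return None
        # PBR sends it via Loopback0 (ip nat inside): inside-source NAT applies
        new_src = translate(src, self.hq_lan, self.hq_global)
        new_dst = dst
        if self.branch_local and dst in self.branch_local:
            # NEM: outside-source NAT rewrites the branch's presented address back
            new_dst = translate(dst, self.branch_local, self.branch_lan)
        return str(new_src), str(new_dst)

    def from_outside(self, src, dst):
        """Decrypted packet from the branch entering E0/1 (ip nat outside)."""
        src, dst = ip_address(src), ip_address(dst)
        if dst not in self.hq_global:
            return None  # not addressed to the translated HQ network
        new_src = src
        if self.branch_lan and src in self.branch_lan:
            new_src = translate(src, self.branch_lan, self.branch_local)
        return str(new_src), str(translate(dst, self.hq_global, self.hq_lan))


# Section 6, client mode: the EzVPN client PATs branch hosts to its assigned
# 123.1.1.x address, so only HQ's side needs a static translation.
CLIENT_MODE = CenterNat("10.1.1.0/24", "172.16.1.0/24", pbr_dst="123.1.1.0/24")

# Section 7, network-extension mode: both LANs are 10.1.1.0/24, so the branch
# is also translated (10.1.1.0/24 <-> 192.168.1.0/24) with an outside-source entry.
NEM_MODE = CenterNat("10.1.1.0/24", "172.16.1.0/24", pbr_dst="192.168.1.0/24",
                     branch_lan="10.1.1.0/24", branch_local="192.168.1.0/24")


def round_trip(nat: CenterNat, src: str, dst: str):
    """Send a branch-originated packet through the Center, let the HQ host reply
    to the addresses it saw, and return what comes back out towards the branch."""
    forward = nat.from_outside(src, dst)
    if forward is None:
        return None
    reply_src, reply_dst = forward[1], forward[0]  # the HQ host just swaps them
    return nat.from_inside(reply_src, reply_dst)


if __name__ == "__main__":
    print("overlap:", needs_static_nat("10.1.1.0/24", "10.1.1.0/24"))
    print("client mode, Inside -> 172.16.1.2 arrives at HQ as:",
          CLIENT_MODE.from_outside("123.1.1.100", "172.16.1.2"))
    print("NEM, Inside 10.1.1.2 -> 172.16.1.2 arrives at HQ as:",
          NEM_MODE.from_outside("10.1.1.2", "172.16.1.2"))
    print("NEM, HQ reply returns to the branch as:",
          round_trip(NEM_MODE, "10.1.1.2", "172.16.1.2"))
    print("NEM, HQ -> Internet is not policy-routed:",
          NEM_MODE.from_inside("10.1.1.2", "202.100.1.10"))
```

The model reproduces the debug output in section 7: a ping from Inside (10.1.1.2) to 172.16.1.2 reaches the Server as 192.168.1.2 to 10.1.1.2, so the Server's echo reply is addressed to 192.168.1.2, and the PBR plus the two static entries turn that reply into 172.16.1.2 to 10.1.1.2 on the way back. Traffic that misses the VPN ACL returns None here, which corresponds to the Center forwarding it normally through the "ip nat enable" PAT rather than through Loopback0.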