VPN Router To Router With NAT
Author: Lê Anh Đức

The topology is as follows:

[Topology diagram not reproduced in the extract. From the configurations: RA (LAN 10.50.50.0/24 on FastEthernet0/0, Serial0/0 = 99.99.99.2) and RB (LAN 10.103.1.0/24 on Ethernet0/0, Serial0/0 = 95.95.95.2) are each connected by a serial link to RI, the router that simulates the ISP (Serial0 = 99.99.99.1, Serial1 = 95.95.95.1).]

Description: This lab builds an IPsec tunnel between the LANs of two branches across a public network, with the Gateway router (RI) acting as the simulated ISP. NAT is configured at the same time so that hosts on the internal networks can reach the Internet, except for the traffic exchanged between the two LANs, which is sent through the private tunnel instead.

Configuration:

RA:

    Building configuration...
    *Mar  1 00:33:37.207: %SYS-5-CONFIG_I: Configured from console by console
    Current configuration : 1344 bytes
    version 12.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname RA
    memory-size iomem 10
    ip subnet-zero
    crypto isakmp policy 10
     hash md5
     authentication pre-share
    crypto isakmp key cisco address 95.95.95.2
    crypto ipsec transform-set vnpro esp-des
    crypto map lee 10 ipsec-isakmp
     set peer 95.95.95.2
     set transform-set vnpro
     match address 115
    voice call carrier capacity active
    mta receive maximum-recipients 0
    interface FastEthernet0/0
     ip address 10.50.50.50 255.255.255.0
     ip nat inside
     duplex auto
     speed auto
    interface Serial0/0
     ip address 99.99.99.2 255.255.255.0
     ip nat outside
     no fair-queue
     crypto map lee
    interface FastEthernet0/1
     no ip address
     shutdown
     duplex auto
     speed auto
    interface Serial0/1
     no ip address
     shutdown
    ip nat inside source route-map nonat interface Serial0/0 overload
    ! <- everything is NATed on the way out, except the traffic inside the tunnel
    ip classless
    ip route 0.0.0.0 0.0.0.0 99.99.99.1
    ip http server
    access-list 110 deny   ip 10.50.50.0 0.0.0.255 10.103.1.0 0.0.0.255
    access-list 110 permit ip any any
    access-list 115 permit tcp 10.50.50.0 0.0.0.255 10.103.1.0 0.0.0.255
    route-map nonat permit 10
     match ip address 110
    call rsvp-sync
    mgcp profile default
    dial-peer cor custom
    line con 0
    line aux 0
    line vty 0 4
    end

RB:

    Building configuration...
    Current configuration : 1203 bytes
    version 12.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname RB
    memory-size iomem 10
    ip subnet-zero
    crypto isakmp policy 10
     hash md5
     authentication pre-share
    crypto isakmp key cisco address 99.99.99.2
    crypto ipsec transform-set vnpro esp-des
    crypto map lee 10 ipsec-isakmp
     set peer 99.99.99.2
     set transform-set vnpro
     match address 115
    voice call carrier capacity active
    mta receive maximum-recipients 0
    interface Ethernet0/0
     ip address 10.103.1.75 255.255.255.0
     ip nat inside
     half-duplex
    interface Serial0/0
     ip address 95.95.95.2 255.255.255.0
     ip nat outside
     no fair-queue
     crypto map lee
    ip nat inside source route-map nonat interface Serial0/0 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 95.95.95.1
    ip http server
    access-list 110 deny   ip 10.103.1.0 0.0.0.255 10.50.50.0 0.0.0.255
    access-list 110 permit ip any any
    access-list 115 permit tcp 10.103.1.0 0.0.0.255 10.50.50.0 0.0.0.255
    route-map nonat permit 10
     match ip address 110
    call rsvp-sync
    mgcp profile default
    dial-peer cor custom
    line con 0
    line aux 0
    line vty 0 4
    end

RI (Gateway):

    Building configuration...
    00:33:46: %SYS-5-CONFIG_I: Configured from console by console
    Current configuration:
    version 12.1
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    hostname RI
    ip subnet-zero
    interface Ethernet0
     no ip address
     shutdown
    interface Serial0
     ip address 99.99.99.1 255.255.255.0
     clockrate 64000
    interface Serial1
     ip address 95.95.95.1 255.255.255.0
     clockrate 64000
    interface BRI0
     no ip address
     shutdown
    ip classless
    ip route 10.50.50.0 255.255.255.0 99.99.99.2
    ip route 10.103.1.0 255.255.255.0 95.95.95.2
    no ip http server
    line con 0
     transport input none
    line aux 0
    line vty 0 4
    end

Implementation: Once the basic configuration is in place and the networks can reach each other, we build the VPN together with NAT:

1. First, configure the VPN on the routers (the same as in the VPN basic lab):

RA:

    RA(config)#crypto isakmp policy 10
    RA(config-isakmp)#hash md5
    RA(config-isakmp)#authentication pre-share
    RA(config-isakmp)#exit
    RA(config)#crypto isakmp key cisco address 95.95.95.2
    RA(config)#crypto ipsec transform-set vnpro esp-des
    RA(cfg-crypto-trans)#exit
    RA(config)#crypto map lee 10 ipsec-isakmp
    % NOTE: This new crypto map will remain disabled until a peer
            and a valid access list have been configured.
    RA(config-crypto-map)#set peer 95.95.95.2
    RA(config-crypto-map)#set transform-set vnpro
    RA(config-crypto-map)#match address 115
    RA(config-crypto-map)#exit
    RA(config)#int s0/0
    RA(config-if)#crypto map lee
    RA(config-if)#exit
    RA(config)#access-list 115 permit tcp 10.50.50.0 0.0.0.255 10.103.1.0 0.0.0.255
    ! <- the traffic that is to be encrypted

RB:

    RB(config)#crypto isakmp policy 10
    RB(config-isakmp)#hash md5
    RB(config-isakmp)#authentication pre-share
    RB(config-isakmp)#exit
    RB(config)#crypto isakmp key cisco address 99.99.99.2
    RB(config)#crypto ipsec transform-set vnpro esp-des
    RB(cfg-crypto-trans)#exit
    RB(config)#crypto map lee 10 ipsec-isakmp
    % NOTE: This new crypto map will remain disabled until a peer
            and a valid access list have been configured.
    RB(config-crypto-map)#set peer 99.99.99.2
    RB(config-crypto-map)#set transform-set vnpro
    RB(config-crypto-map)#match address 115
    RB(config-crypto-map)#exit
    RB(config)#int s0/0
    RB(config-if)#crypto map lee
    RB(config-if)#exit
    RB(config)#access-list 115 permit tcp 10.103.1.0 0.0.0.255 10.50.50.0 0.0.0.255

2. After the VPN has been created, configure NAT on the routers. We apply NAT overload on the interface connected to the Gateway, but the tunnel traffic must be excluded: IOS translates inside-to-outside traffic before the crypto map on the egress interface is evaluated, so without an exemption the LAN-to-LAN packets would leave with source 99.99.99.2 (or 95.95.95.2), would no longer match crypto ACL 115, and would be sent in cleartext instead of through the tunnel. The exemption is done with a route-map whose ACL denies the LAN-to-LAN traffic; what the route-map does not permit is not translated.

RA:

    RA(config)#access-list 110 deny ip 10.50.50.0 0.0.0.255 10.103.1.0 0.0.0.255
    RA(config)#access-list 110 permit ip any any
    RA(config)#route-map nonat permit 10
    RA(config-route-map)#match ip address 110
    RA(config-route-map)#exit
    RA(config)#ip nat inside source route-map nonat interface s0/0 overload
    RA(config)#int s0/0
    RA(config-if)#ip nat outside
    RA(config-if)#int fa0/0
    RA(config-if)#ip nat inside
    RA(config-if)#exit

RB:

    RB(config)#access-list 110 deny ip 10.103.1.0 0.0.0.255 10.50.50.0 0.0.0.255
    RB(config)#access-list 110 permit ip any any
    RB(config)#route-map nonat permit 10
    RB(config-route-map)#match ip address 110
    RB(config-route-map)#exit
    RB(config)#ip nat inside source route-map nonat interface s0/0 overload
    RB(config)#int s0/0
    RB(config-if)#ip nat outside
    RB(config-if)#int e0/0
    RB(config-if)#ip nat inside
    RB(config-if)#exit

Verification:

1. Use the show commands on the routers:

    RA#sh crypto isakmp policy
    Protection suite of priority 10
            encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
            hash algorithm:         Message Digest 5
            authentication method:  Pre-Shared Key
            Diffie-Hellman group:   #1 (768 bit)
            lifetime:               86400 seconds, no volume limit
    Default protection suite
            encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
            hash algorithm:         Secure Hash Standard
    [...]

    Crypto Map "lee" 10 ipsec-isakmp
            Peer = 95.95.95.2
            Extended IP access list 115
                access-list 115 permit tcp 10.50.50.0 0.0.0.255 10.103.1.0 0.0.0.255
            Current peer: 95.95.95.2
            Security association lifetime: 4608000 kilobytes/3600 seconds
            PFS (Y/N): N
            Transform sets={ vnpro, }
            Interfaces using crypto map lee:
                    Serial0/0

2. Run debug on the routers and record the result. For example, on RB the NAT debug output shows:

    [...]                                                                 [1764]
    *Mar  1 00:41:45.037: NAT*: s=10.103.1.1->95.95.95.2, d=95.95.95.1   [1765]
    *Mar  1 00:41:45.057: NAT*: s=95.95.95.1, d=95.95.95.2->10.103.1.1   [1765]
    *Mar  1 00:41:46.039: NAT*: s=10.103.1.1->95.95.95.2, d=95.95.95.1   [1766]
    *Mar  1 00:41:46.087: NAT*: s=95.95.95.1, d=95.95.95.2->10.103.1.1   [1766]
    *Mar  1 00:41:47.037: NAT*: s=10.103.1.1->95.95.95.2, d=95.95.95.1   [1767]
    *Mar  1 00:41:47.061: NAT*: s=95.95.95.1, ...

Here host 10.103.1.1 on RB's LAN is talking to the ISP router 95.95.95.1: its source address is translated to RB's Serial0/0 address 95.95.95.2 on the way out and translated back on the replies. This is the NAT overload path, which the LAN-to-LAN traffic denied in ACL 110 does not take.

Notes:

Crypto ACL 115 permits only tcp, while the NAT exemption in ACL 110 denies all ip between the two LANs. Any non-TCP traffic between the LANs (ICMP, UDP) is therefore neither translated nor encrypted: it leaves Serial0/0 in cleartext with its private source address, and in this lab RI's static routes for 10.50.50.0/24 and 10.103.1.0/24 still deliver it, so a ping between the LANs succeeds without ever using the tunnel. Check the encrypt/decrypt counters with show crypto ipsec sa rather than relying on connectivity, and make the crypto ACL mirror the exemption (permit ip with the same networks) so that everything exempted from NAT is also protected.

The parameters shown by show crypto isakmp policy (DES, MD5, Diffie-Hellman group 1 with 768-bit keys) and the transform set esp-des, which provides no ESP integrity check, are lab-only choices and are considered weak today; outside a lab use AES, SHA-2 and a stronger DH group, and add an ESP authentication transform.
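The interaction between ACL 110 (NAT exemption) and ACL 115 (crypto) above decides, for every outbound packet, whether it is translated, encrypted, or sent in the clear. The following Python model is an added example and is not part of Lê Anh Đức's lab: it parses RA's two ACLs exactly as they appear in the running configuration, applies the IOS order of operations assumed here (inside-to-outside NAT before the crypto map on the egress interface), and classifies a few constructed packets. The NO_EXEMPT_ACLS and MIRRORED_ACLS variants are constructed for comparison and are not from the page.

```python
"""Added example (not from the original lab): model of what a packet from RA's LAN
undergoes when it leaves Serial0/0 under the ACLs shown on this page.

Assumption: Cisco IOS applies inside-to-outside NAT before it evaluates the crypto
map on the egress interface, so the crypto ACL sees the post-NAT packet."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "ip", "tcp", "udp", "icmp"
    src: str
    src_wc: str   # IOS wildcard: 0 bits must match, 1 bits are ignored
    dst: str
    dst_wc: str


def _addr(tok):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z'."""
    if tok[0] == "any":
        return "0.0.0.0", "255.255.255.255", tok[1:]
    if tok[0] == "host":
        return tok[1], "0.0.0.0", tok[2:]
    return tok[0], tok[1], tok[2:]


def parse_acls(text):
    """Parse `access-list N permit|deny proto src dst` lines into {N: [Ace, ...]}."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        num, action, proto = int(tok[1]), tok[2], tok[3]
        src, src_wc, rest = _addr(tok[4:])
        dst, dst_wc, _ = _addr(rest)
        acls.setdefault(num, []).append(Ace(action, proto, src, src_wc, dst, dst_wc))
    return acls


def _wc_match(addr, base, wc):
    """Wildcard comparison: force the ignored bits to 1 on both sides, then compare."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wc))
    return (a | w) == (b | w)


def acl_lookup(aces, proto, src, dst):
    """IOS semantics: first matching entry wins, implicit deny at the end."""
    for ace in aces:
        if ace.proto in ("ip", proto) and _wc_match(src, ace.src, ace.src_wc) \
                and _wc_match(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


def egress(acls, proto, src, dst, nat_acl=110, crypto_acl=115, outside_ip="99.99.99.2"):
    """Classify a packet from the inside network as it leaves Serial0/0:
    "encrypted"         matched the crypto ACL and goes through the IPsec tunnel
    "natted"            translated to the outside address and sent in cleartext
    "cleartext-private" neither translated nor encrypted; the private source leaks"""
    # 1. `ip nat inside source route-map nonat ...` translates what ACL 110 permits.
    natted = acl_lookup(acls[nat_acl], proto, src, dst) == "permit"
    wire_src = outside_ip if natted else src
    # 2. Crypto map "lee" on Serial0/0 is matched against the post-NAT packet.
    if acl_lookup(acls[crypto_acl], proto, wire_src, dst) == "permit":
        return "encrypted"
    return "natted" if natted else "cleartext-private"


# ACLs as in RA's running configuration on this page.
RA_ACLS = parse_acls("""
access-list 110 deny ip 10.50.50.0 0.0.0.255 10.103.1.0 0.0.0.255
access-list 110 permit ip any any
access-list 115 permit tcp 10.50.50.0 0.0.0.255 10.103.1.0 0.0.0.255
""")

# Constructed variant without the NAT exemption: shows why the route-map is needed.
NO_EXEMPT_ACLS = parse_acls("""
access-list 110 permit ip any any
access-list 115 permit tcp 10.50.50.0 0.0.0.255 10.103.1.0 0.0.0.255
""")

# Constructed variant where the crypto ACL mirrors the exemption (permit ip, not tcp).
MIRRORED_ACLS = parse_acls("""
access-list 110 deny ip 10.50.50.0 0.0.0.255 10.103.1.0 0.0.0.255
access-list 110 permit ip any any
access-list 115 permit ip 10.50.50.0 0.0.0.255 10.103.1.0 0.0.0.255
""")


def leaks(acls, protos=("tcp", "udp", "icmp"), src="10.50.50.10", dst="10.103.1.20"):
    """Protocols for which LAN-to-LAN traffic would leave RA without encryption."""
    return [p for p in protos if egress(acls, p, src, dst) != "encrypted"]


if __name__ == "__main__":
    for label, acls in (("page", RA_ACLS), ("no exemption", NO_EXEMPT_ACLS),
                        ("mirrored", MIRRORED_ACLS)):
        print(f"{label:13} tcp LAN->LAN: {egress(acls, 'tcp', '10.50.50.10', '10.103.1.20'):18}"
              f" icmp LAN->LAN: {egress(acls, 'icmp', '10.50.50.10', '10.103.1.20'):18}"
              f" tcp LAN->ISP: {egress(acls, 'tcp', '10.50.50.10', '95.95.95.1')}"
              f"  unprotected: {leaks(acls)}")
```

With the page's ACLs, TCP between the LANs is encrypted and TCP towards 95.95.95.1 is translated, but ICMP and UDP between the LANs fall through both lists and leave with a private source in cleartext; without the exemption even the TCP traffic is translated first and then misses the crypto ACL, while the mirrored variant protects all three protocols.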