IPSec VPN Configuration
Source: 物语斐然
动云科技
Published 2018-11-07 23:22

VPN communication between the internal networks of two company sites

I. Basic configuration

1. R1 configuration:

en

conf t

int f0/0

ip add 192.168.10.1 255.255.255.0

no sh

int f0/1

ip add 202.100.10.1 255.255.255.0

no sh

exit

ip route 0.0.0.0 0.0.0.0 202.100.10.2

do wr

2. R2 configuration:

en

conf t

int f0/0

ip add 202.100.10.2 255.255.255.0

no sh

int f0/1

ip add 202.100.20.2 255.255.255.0

no sh

do wr

3. R3 configuration:

en

conf t

int f0/1

ip add 202.100.20.1 255.255.255.0

no sh

int f0/0

ip add 192.168.20.1 255.255.255.0

no sh

ip route 0.0.0.0 0.0.0.0 202.100.20.2

do wr

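II. NAT and NAT exemption configuration

Complete R1 configuration:

1. Define the ACL used for NAT (the deny entry exempts traffic to the remote LAN from translation)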

ip access-list extended nat

deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

permit ip any any

2. Configure PAT and apply the ACL

ip nat inside source list nat int f0/1 overload

3. Define the inside and outside interfaces:

int f0/1

ip nat outside

int f0/0

ip nat inside

III. VPN configuration:

1. Configure the phase 1 ISAKMP (IKE) security policy:

Used to establish the management connection between the VPN peers

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash sha

group 2

exit

crypto isakmp key 6 benet-key address 202.100.20.1 255.255.255.0

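do show crypto isakmp key

2. Configure the phase 2 transform set:

Defines the encryption protocol, encryption algorithm, hash algorithm and connection mode used by the VPN data connection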

crypto ipsec transform-set benet-set esp-3des esp-sha-hmac

! tunnel mode is the default

mode tunnel

3. Define the traffic to be protected by the VPN:

ip access-list extended VPN

permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

deny ip any any

4. Configure the phase 2 crypto map:

crypto map benet-map 1 ipsec-isakmp

match address VPN

set peer 202.100.20.1

set transform-set benet-set

set pfs group2

5. Apply the phase 2 crypto map to the external interface

int f 0/1

crypto map benet-map

Complete R3 configuration:

ip access-list extended nat

deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255

permit ip any any

ip nat inside source list nat int f0/1 overload

int f0/1

ip nat outside

int f0/0

ip nat inside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash sha

group 2

exit

crypto isakmp key 6 benet-key address 202.100.10.1 255.255.255.0

do show crypto isakmp key

crypto ipsec transform-set benet-set esp-3des esp-sha-hmac

ip access-list extended VPN

permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255

deny ip any any

crypto map benet-map 1 ipsec-isakmp

match address VPN

set peer 202.100.10.1

set transform-set benet-set

set pfs group2

int f0/1

crypto map benet-map
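
The NAT exemption in section II and the crypto ACLs in section III only work together if they describe the same flow on each router and the two routers mirror each other. The following check is an added example, not part of the original article: the function names `acls` and `check` are hypothetical, and the sample input is the ACL lines shown above for R1 and R3.

```python
def acls(config):
    """Map each extended ACL name to its ordered (action, tokens) entries."""
    out, name = {}, None
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] == ["ip", "access-list", "extended"]:
            name = tok[3]
            out[name] = []
        elif name and tok[:2] in (["permit", "ip"], ["deny", "ip"]):
            out[name].append((tok[0], tuple(tok[2:])))
        elif tok:
            name = None  # any other command ends the ACL block
    return out

def check(local, remote, nat="nat", vpn="VPN"):
    """Return a list of problems; an empty list means the pair is consistent."""
    loc, rem = acls(local), acls(remote)
    flows = [f for a, f in loc[vpn] if a == "permit"]
    # The peer's crypto ACL must permit the same flows with src/dst swapped
    # (assumes the "address wildcard" form used on this page).
    mirrored = {f[2:] + f[:2] for a, f in rem[vpn] if a == "permit"}
    problems = ["peer crypto ACL does not mirror: " + " ".join(f)
                for f in flows if f not in mirrored]
    # NAT is applied before the crypto map on the way out, so each protected
    # flow needs a deny in the NAT ACL ahead of the first permit.
    exempt = set()
    for action, f in loc[nat]:
        if action == "permit":
            break
        exempt.add(f)
    problems += ["no NAT exemption for: " + " ".join(f)
                 for f in flows if f not in exempt]
    return problems

# ACL lines as given on this page for R1 and R3.
R1 = """ip access-list extended nat
deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip any any
ip access-list extended VPN
permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
deny ip any any"""
R3 = """ip access-list extended nat
deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip any any
ip access-list extended VPN
permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
deny ip any any"""
if __name__ == "__main__":
    print(check(R1, R3), check(R3, R1))
```

If the deny entry is missing from the NAT ACL, the LAN source address is translated before the crypto map is evaluated, so the packet no longer matches the VPN ACL and leaves the router unencrypted.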
