cisco 路由器 EZvpn 总结_cisco路由器总结

2020-02-27 其他工作总结下载本文

cisco 路由器 EZvpn 总结由刀豆文库小编整理，希望给你工作、学习、生活带来方便，猜你可能喜欢“cisco路由器总结”。

实验拓扑图：

PC2192.168.150.2/24分支机构PC1192.168.100.0/24E0/3:.1R1192.168.100.2/24192.168.1.0/24E0/0:.1公司总部192.168.150.0/24192.168.2.0/24E0/3:.1E0/1:.2E0/0:.1E0/1:.2192.168.200.0/24E0/3:.1PC3R2R3192.168.200.2/24

实现目标

分支机构为不固定IP地址，分支机构和公司总部实现VPN互联。分支机构能够获取公司总部的网络资源。

基本配置：

EZvpn network-extension 模式 R1基本配置： R1# R1#show run

Building configuration...Current configuration : 1010 bytes!version 12.4 service timestamps debug datetimemsec service timestamps log datetimemsec no service paword-encryption!hostname R1!boot-start-marker boot-end-marker！noaaa new-model memory-sizeiomem 5！ipcef noip domain lookup！ipauth-proxy max-nodata-conns 3 ip admiion max-nodata-conns 3！！！！！！！！！！！interface Ethernet0/0 ip addre 192.168.1.1 255.255.255.0 ipnat outside ip virtual-reaembly half-duplex!interface Ethernet0/1 noip addre shutdown half-duplex!interface Ethernet0/2 noip addre shutdown half-duplex!interface Ethernet0/3 ip addre 192.168.100.1 255.255.255.0 ipnat inside ip virtual-reaembly half-duplex!ip http server noip http secure-server!ip forward-protocol nd ip route 0.0.0.0 0.0.0.0 192.168.1.2!ipnat inside source list 1 interface Ethernet0/0 overload!acce-list 1 permit any！!control-plane！！！！！line con 0 exec-timeout 0 0 line aux 0 linevty 0 4 login！end

R1#

R2的基本配置： R2# R2#show run

Building configuration...Current configuration : 825 bytes!version 12.4 service timestamps debug datetimemsec service timestamps log datetimemsec no service paword-encryption!hostname R2!boot-start-marker boot-end-marker！noaaa new-model memory-sizeiomem 5！ipcef noip domain lookup！ipauth-proxy max-nodata-conns 3 ip admiion max-nodata-conns 3！！！！！！！！！！！interface Ethernet0/0 ip addre 192.168.2.1 255.255.255.0 half-duplex!interface Ethernet0/1 ip addre 192.168.1.2 255.255.255.0 half-duplex!interface Ethernet0/2 noip addre shutdown half-duplex!interface Ethernet0/3 ip addre 192.168.150.1 255.255.255.0 half-duplex!ip http server noip http secure-server!ip forward-protocol nd！!

！control-plane！！！！！line con 0 exec-timeout 0 0 line aux 0 linevty 0 4 login！end R2#

R3的基本配置： R3# *Mar 1 00:13:56.891: %SYS-5-CONFIG_I: Configured from console by console R3# R3#show run Building configuration...Current configuration : 1010 bytes!version 12.4 service timestamps debug datetimemsec service timestamps log datetimemsec no service paword-encryption!hostname R3!boot-start-marker boot-end-marker！noaaa new-model memory-sizeiomem 5！ipcef noip domain lookup！ipauth-proxy max-nodata-conns 3 ip admiion max-nodata-conns 3！！！！！！！！！！！interface Ethernet0/0 noip addre shutdown half-duplex!interface Ethernet0/1 ip addre 192.168.2.2 255.255.255.0 ipnat outside ip virtual-reaembly half-duplex!interface Ethernet0/2 noip addre shutdown half-duplex!interface Ethernet0/3 ip addre 192.168.200.1 255.255.255.0 ipnat inside ip virtual-reaembly half-duplex!ip http server noip http secure-server!ip forward-protocol nd ip route 0.0.0.0 0.0.0.0 192.168.2.1!ipnat inside source list 1 interface Ethernet0/1 overload!acce-list 1 permit any！!control-plane！！！！！line con 0 exec-timeout 0 0 line aux 0 linevty 0 4 login！end

联通性测试：在R1上测试：

在R3上测试：

在PC1上测试

在PC2上测试

在PC3上测试

设定公司总部R3为Ezvpn Server，则R3上配置如下 R3# R3#show run

Building configuration...Current configuration : 1505 bytes!version 12.4 service timestamps debug datetimemsec service timestamps log datetimemsec no service paword-encryption!hostname R3!boot-start-marker boot-end-marker！aaa new-model！aaa authorization network ezvpnauthor local!aaa seion-id common memory-sizeiomem 5！ipcef noip domain lookup！ipauth-proxy max-nodata-conns 3 ip admiion max-nodata-conns 3！！！！！！！！！

!cryptoisakmp policy 1 authentication pre-share group 2!cryptoisakmp client configuration group group1 key cisco！cryptoipsec transform-set mysetesp-des esp-md5-hmac!crypto dynamic-map dymap 1 set transform-set myset reverse-route！crypto map vpnmapisakmp authorization list ezvpnauthor crypto map vpnmap client configuration addre respond crypto map vpnmap 1 ipsec-isakmp dynamic dymap！！

interface Ethernet0/0 noip addre shutdown half-duplex!interface Ethernet0/1 ip addre 192.168.2.2 255.255.255.0 ipnat outside ip virtual-reaembly half-duplex crypto map vpnmap!interface Ethernet0/2 noip addre shutdown half-duplex!interface Ethernet0/3 ip addre 192.168.200.1 255.255.255.0 ipnat inside ip virtual-reaembly half-duplex!

ip http server noip http secure-server!ip forward-protocol nd ip route 0.0.0.0 0.0.0.0 192.168.2.1!ipnat inside source list 1 interface Ethernet0/1 overload!acce-list 1 permit any！!control-plane！！！！！

line con 0 exec-timeout 0 0 line aux 0 linevty 0 4！End

公司分部R1为remote角色，在Ezvpn Remote 上面配置 R1# R1#sho run

Building configuration...Current configuration : 1244 bytes!version 12.4 service timestamps debug datetimemsec service timestamps log datetimemsec no service paword-encryption!hostname R1!boot-start-marker boot-end-marker！noaaa new-model memory-sizeiomem 5！ipcef noip domain lookup！ipauth-proxy max-nodata-conns 3 ip admiion max-nodata-conns 3！！！！！！！！！！！!

cryptoipsec client ezvpn client1 connect auto group group1 key cisco mode network-extension peer 192.168.2.2 xauthuserid mode interactive！！!interface Ethernet0/0 ip addre 192.168.1.1 255.255.255.0 ipnat outside ip virtual-reaembly half-duplex cryptoipsec client ezvpn client1!interface Ethernet0/1 noip addre shutdown half-duplex!

interface Ethernet0/2 noip addre shutdown half-duplex!interface Ethernet0/3 ip addre 192.168.100.1 255.255.255.0 ipnat inside ip virtual-reaembly half-duplex cryptoipsec client ezvpn client1 inside!ip http server noip http secure-server!ip forward-protocol nd ip route 0.0.0.0 0.0.0.0 192.168.1.2!ipnat inside source list 1 interface Ethernet0/0 overload!acce-list 1 permit any！

!control-plane！！！！！line con 0 exec-timeout 0 0 line aux 0 linevty 0 4 login！end

R1#

查看R1的vpn状态

在PC1上测试

我们发现，vpn隧道虽然建立起来了，但是，外网和总部内网都ping不通了。这是由于PC1的数据都经由隧道了，包括访问公网的数据包，都被导入隧道中。我们将隧道进行分离，让访问公网的数据能正常被NAT成R1的公网地址。

R3#

show run Building configuration...Current configuration : 1568 bytes!version 12.4 service timestamps debug datetimemsec service timestamps log datetimemsec no service paword-encryption!hostname R3!boot-start-marker boot-end-marker！aaa new-model！aaa authorization network ezvpnauthor local!aaa seion-id common memory-sizeiomem 5！ipcef noip domain lookup！ipauth-proxy max-nodata-conns 3 ip admiion max-nodata-conns 3！！！！！！！！！

!cryptoisakmp policy 1 authentication pre-share group 2!cryptoisakmp client configuration group group1 key cisco acl 100！cryptoipsec transform-set mysetesp-des esp-md5-hmac!crypto dynamic-map dymap 1 set transform-set myset reverse-route！crypto map vpnmapisakmp authorization list ezvpnauthor crypto map vpnmap client configuration addre respond crypto map vpnmap 1 ipsec-isakmp dynamic dymap！!

!interface Ethernet0/0 noip addre shutdown half-duplex!interface Ethernet0/1 ip addre 192.168.2.2 255.255.255.0 ipnat outside ip virtual-reaembly half-duplex crypto map vpnmap!interface Ethernet0/2 noip addre shutdown half-duplex!interface Ethernet0/3 ip addre 192.168.200.1 255.255.255.0 ipnat inside ip virtual-reaembly half-duplex!ip http server noip http secure-server!ip forward-protocol nd ip route 0.0.0.0 0.0.0.0 192.168.2.1!ipnat inside source list 1 interface Ethernet0/1 overload!acce-list 1 permit any acce-list 100 permit ip 192.168.200.0 0.0.0.255 any！!control-plane！！！！

！line con 0 exec-timeout 0 0 line aux 0 linevty 0 4！end

R3#

在R1上重建VPN

在R1上查看Vpn状态，我们发现，隧道被成功分离，只有去往192.168.200.0/24的数据才会经由隧道。

这个时候，我们在PC1上进行测试

发现，可以正常访问公网，但是还不能访问vpn对端内网，怎么回事呢？我们查看R3的NAT表。

在R3上面查看NAT表

发现，R3内网192.168.200.2机器icmp reply 全部被NAT成R3的公网接口192.168.2.2地址了。

在R3上修正NAT问题 R3# R3#show run Building configuration...Current configuration : 1678 bytes!version 12.4 service timestamps debug datetimemsec service timestamps log datetimemsec no service paword-encryption!hostname R3!boot-start-marker boot-end-marker！aaa new-model！aaa authorization network ezvpnauthor local!aaa seion-id common memory-sizeiomem 5！ipcef noip domain lookup！ipauth-proxy max-nodata-conns 3 ip admiion max-nodata-conns 3！！！！！！！！！

!interface Ethernet0/0 noip addre shutdown half-duplex!interface Ethernet0/1 ip addre 192.168.2.2 255.255.255.0 ipnat outside ip virtual-reaembly half-duplex crypto map vpnmap!interface Ethernet0/2 noip addre shutdown half-duplex!interface Ethernet0/3 ip addre 192.168.200.1 255.255.255.0 ipnat inside ip virtual-reaembly half-duplex!ip http server noip http secure-server!ip forward-protocol nd ip route 0.0.0.0 0.0.0.0 192.168.2.1!ipnat inside source list 111 interface Ethernet0/1 overload!acce-list 1 permit any acce-list 100 permit ip 192.168.200.0 0.0.0.255 any acce-list 111 deny

ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255 acce-list 111 permit ip any any！!control-plane！！！

！！line con 0 exec-timeout 0 0 line aux 0 linevty 0 4！end

R3#

我们通过ACL，先限制源地址192.168.200.0去往192.168.100.0地址进行NAT转换，然后允许其它流量转换。在PC1上重新测试

在PC3上进行测试

OK，VPN实现成功，总部和分支机构内部访问外网和对端网络都正常。

Ezvpn Client模式 R3上配置 R3# R3#show run

Building configuration...Current configuration : 1811 bytes!version 12.4 service timestamps debug datetimemsec service timestamps log datetimemsec no service paword-encryption!hostname R3!boot-start-marker boot-end-marker！aaa new-model！aaa authorization network ezvpnauthor local!aaa seion-id common memory-sizeiomem 5！ipcef noip domain lookup！ipauth-proxy max-nodata-conns 3 ip admiion max-nodata-conns 3！！！！！！！！！

!cryptoisakmp policy 1 authentication pre-share group 2!cryptoisakmp client configuration group group1 key cisco poolezvpnpool acl 100！cryptoipsec transform-set set1 esp-des esp-md5-hmac!crypto dynamic-map dymap 1 set transform-set set1 reverse-route！crypto map vpnmapisakmp authorization list ezvpnauthor crypto map vpnmap client configuration addre respond crypto map vpnmap 1 ipsec-isakmp dynamic dymap！

！interface Ethernet0/0 noip addre shutdown half-duplex!interface Ethernet0/1 ip addre 192.168.2.2 255.255.255.0 ipnat outside ip virtual-reaembly half-duplex crypto map vpnmap!interface Ethernet0/2 noip addre shutdown half-duplex!interface Ethernet0/3 ip addre 192.168.200.1 255.255.255.0 ipnat inside ip virtual-reaembly half-duplex!ip local pool ezvpnpool 10.10.10.1 10.10.10.100 ip http server noip http secure-server!ip forward-protocol nd ip route 0.0.0.0 0.0.0.0 192.168.2.1!ipnat inside source list 111 interface Ethernet0/1 overload!acce-list 1 permit any acce-list 100 permit ip 192.168.200.0 0.0.0.255 any acce-list 111 deny

ip 192.168.200.0 0.0.0.255 10.10.10.0 0.0.0.255 acce-list 111 deny

ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255 acce-list 111 permit ip any any！!control-plane！!

！！！!line con 0 exec-timeout 0 0 line aux 0 linevty 0 4！end

R3#

R1上的配置 R1#show run

Building configuration...Current configuration : 1396 bytes!version 12.4 service timestamps debug datetimemsec service timestamps log datetimemsec no service paword-encryption!hostname R1!boot-start-marker boot-end-marker！noaaa new-model memory-sizeiomem 5！ipcef noip domain lookup！ipauth-proxy max-nodata-conns 3 ip admiion max-nodata-conns 3！！！！！！！！！！！!

cryptoipsec client ezvpn client1 connect auto group group1 key cisco mode client peer 192.168.2.2 xauthuserid mode interactive cryptoipsec client ezvpn client connect auto mode network-extension xauthuserid mode interactive！！!interface Loopback0 ip addre 10.10.10.1 255.255.255.255!interface Ethernet0/0 ip addre 192.168.1.1 255.255.255.0 ipnat outside ip virtual-reaembly half-duplex cryptoipsec client ezvpn client1!interface Ethernet0/1 noip addre shutdown half-duplex!interface Ethernet0/2 noip addre shutdown half-duplex!interface Ethernet0/3 ip addre 192.168.100.1 255.255.255.0 ipnat inside ip virtual-reaembly half-duplex cryptoipsec client ezvpn client1 inside!ip http server noip http secure-server!ip forward-protocol nd ip route 0.0.0.0 0.0.0.0 192.168.1.2!ipnat inside source list 1 interface Ethernet0/0 overload!acce-list 1 permit any！!control-plane！！！！！line con 0 exec-timeout 0 0 line aux 0 linevty 0 4 login！end

R1#

在R1上查看vpn状态

我们看到，当R1为client模式的时候，它将获取地址池中的一个地址，为10.10.10.7，所有vpn流量，都会用这个地址进行nat转换。我们看R1上的show ipnat translation

在R1上测试网络连通性

在R3上测试联通性

由于R1内部机器地址都会被NAT成10.10.10.7，所以，对于R3内部用户来说是不可访问的。

配置xauth认证 R3的配置 R3# R3#show run

Building configuration...Current configuration : 1941 bytes!version 12.4 service timestamps debug datetimemsec service timestamps log datetimemsec no service paword-encryption!hostname R3!boot-start-marker boot-end-marker！aaa new-model！aaa authentication login ezvpnlogin local aaa authorization network ezvpnauthor local!aaa seion-id common memory-sizeiomem 5！

ipcef noip domain lookup！ipauth-proxy max-nodata-conns 3 ip admiion max-nodata-conns 3！！！！！！！!username cisco paword 0 cisco!

！!cryptoisakmp policy 1 authentication pre-share group 2!cryptoisakmp client configuration group group1 key cisco poolezvpnpool acl 100！cryptoipsec transform-set set1 esp-des esp-md5-hmac!crypto dynamic-map dymap 1 set transform-set set1 reverse-route！crypto map vpnmap client authentication list ezvpnlogin crypto map vpnmapisakmp authorization list ezvpnauthor crypto map vpnmap client configuration addre respond crypto map vpnmap 1 ipsec-isakmp dynamic dymap！！interface Ethernet0/0 noip addre shutdown half-duplex!interface Ethernet0/1 ip addre 192.168.2.2 255.255.255.0 ipnat outside ip virtual-reaembly half-duplex crypto map vpnmap!interface Ethernet0/2 noip addre shutdown half-duplex!interface Ethernet0/3 ip addre 192.168.200.1 255.255.255.0 ipnat inside ip virtual-reaembly half-duplex!ip local pool ezvpnpool 10.10.10.1 10.10.10.100 ip http server noip http secure-server!ip forward-protocol nd ip route 0.0.0.0 0.0.0.0 192.168.2.1!ipnat inside source list 111 interface Ethernet0/1 overload!acce-list 1 permit any acce-list 100 permit ip 192.168.200.0 0.0.0.255 any acce-list 111 deny

ip 192.168.200.0 0.0.0.255 10.10.10.0 0.0.0.255 acce-list 111 deny

ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255 acce-list 111 permit ip any any！!control-plane！！！！！line con 0 exec-timeout 0 0 line aux 0 linevty 0 4！end

R3#

R1上的过程

提示输入crypto ipsec client ezvpnxauth，并输入用户名和密码，VPN则认证成功。另外，cisco VPN Clint 支持Ezvpn client模式。

新建连接信息如下图所示：

《cisco 路由器 EZvpn 总结.docx》

将本文的Word文档下载，方便收藏和打印

推荐度：

点击下载文档

相关专题 cisco路由器总结路由器 Cisco EZvpn cisco路由器总结路由器 Cisco EZvpn

[其他工作总结]相关推荐

[其他工作总结]热门文章