Cisco Network part 45 pptx

Mô tả: Bài lab thực hiện quá trình tạo một tunnel giữa 2 LAN của 2 chi nhánh qua một môi trường public vớI router Gateway làm router giả lập ISP.. Kết hợp ta sử dụng NAT để cho các host

VPN Router To Router With NAT

Tác giả Lê Anh Đức

Ta có sơ đồ sau:

Error!

Mô tả:

Bài lab thực hiện quá trình tạo một tunnel giữa 2 LAN của 2 chi nhánh qua một môi trường public vớI router Gateway làm router giả lập ISP Kết hợp ta sử dụng NAT để cho các host bên trong nôi bộ mạng ra internet trừ những traffic được gửI từ 2 LAN để tạo private tunnel

Cấu hình:

RA:

Building configuration

*Mar 1 00:33:37.207: %SYS-5-CONFIG_I: Configured from console by console

Current configuration : 1344 bytes

version 12.2

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

hostname RA

memory-size iomem 10

ip subnet-zero

crypto isakmp policy 10

hash md5

authentication pre-share

crypto isakmp key cisco address 95.95.95.2 crypto ipsec transform-set vnpro esp-des crypto map lee 10 ipsec-isakmp

set peer 95.95.95.2

set transform-set vnpro

match address 115

voice call carrier capacity active

mta receive maximum-recipients 0

interface FastEthernet0/0

ip address 10.50.50.50 255.255.255.0

ip nat inside

duplex auto

speed auto

interface Serial0/0

ip address 99.99.99.2 255.255.255.0

ip nat outside

no fair-queue

crypto map lee

interface FastEthernet0/1

no ip address

shutdown

duplex auto

speed auto

interface Serial0/1

no ip address

shutdown

ip nat inside source route-map nonat interface Serial0/0 overload ßtất cả đều NAT khi đi ra ngoài trừ traffic trong tunnel

ip classless

ip route 0.0.0.0 0.0.0.0 99.99.99.1

ip http server

access-list 110 deny ip 10.50.50.0 0.0.0.255 10.103.1.0 0.0.0.255

access-list 110 permit ip any any

access-list 115 permit tcp 10.50.50.0 0.0.0.255 10.103.1.0 0.0.0.255 route-map nonat permit 10

match ip address 110

call rsvp-sync

mgcp profile default

dial-peer cor custom

line con 0

line aux 0

line vty 0 4

end

RB

Building configuration

Current configuration : 1203 bytes

version 12.2

service timestamps debug datetime msec service timestamps log datetime msec

no service password-encryption

hostname RB

memory-size iomem 10

ip subnet-zero

crypto isakmp policy 10

hash md5

authentication pre-share

crypto isakmp key cisco address 99.99.99.2 crypto ipsec transform-set vnpro esp-des crypto map lee 10 ipsec-isakmp

set peer 99.99.99.2

set transform-set vnpro

match address 115

voice call carrier capacity active

mta receive maximum-recipients 0

interface Ethernet0/0

ip address 10.103.1.75 255.255.255.0

ip nat inside

half-duplex

interface Serial0/0

ip address 95.95.95.2 255.255.255.0

ip nat outside

no fair-queue

crypto map lee

ip nat inside source route-map nonat interface Serial0/0 overload

ip classless

ip route 0.0.0.0 0.0.0.0 95.95.95.1

ip http server

access-list 110 deny ip 10.103.1.0 0.0.0.255 10.50.50.0 0.0.0.255 access-list 110 permit ip any any

access-list 115 permit tcp 10.103.1.0 0.0.0.255 10.50.50.0 0.0.0.255 route-map nonat permit 10

match ip address 110

call rsvp-sync

mgcp profile default

dial-peer cor custom

line con 0

line aux 0

line vty 0 4

end

RI(Gateway)

Building configuration

00:33:46: %SYS-5-CONFIG_I: Configured from console by console Current configuration:

version 12.1

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

hostname RI

ip subnet-zero

interface Ethernet0

no ip address

shutdown

interface Serial0

ip address 99.99.99.1 255.255.255.0

clockrate 64000

interface Serial1

ip address 95.95.95.1 255.255.255.0

clockrate 64000

interface BRI0

no ip address

shutdown

ip classless

ip route 10.50.50.0 255.255.255.0 99.99.99.2

ip route 10.103.1.0 255.255.255.0 95.95.95.2

no ip http server

line con 0

transport input none

line aux 0

line vty 0 4

end

Thực hiện:

Sau khi đã thực hiện cấu hình các mạng thấy được nhau, ta bắt đầu tạo VPN vớI NAT:

1 Bước đầu tiên, ta thực hiện cấu hình VPN trên các router (Tương

tự như bài VPN basic):

RA:

RA(config)#crypto isakmp policy 10

RA(config-isakmp)#hash md5

RA(config-isakmp)#authentication pre-share

RA(config-isakmp)#exit

RA(config)#crypto isakmp key cisco address 95.95.95.2

RA(config)#crypto ipsec transform-set vnpro esp-des

RA(cfg-crypto-trans)#exit

RA(config)#crypto map lee 10 ipsec-isakmp

% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured

RA(config-crypto-map)#set peer 95.95.95.2

RA(config-crypto-map)#set transform-set vnpro

RA(config-crypto-map)#match address 115

RA(config-crypto-map)#exit

RA(config)#int s0/0

RA(config-if)#crypto map lee

RA(config)#access-list 115 permit tcp 10.50.50.0 0.0.0.255 10.103.1.0

0.0.0.255ß cho phép traffic được mã hóa

RB:

RB(config)#crypto isakmp policy 10

RB(config-isakmp)#hash md5

RB(config-isakmp)#authentication pre-share

RB(config)#crypto isakmp key cisco address 99.99.99.2

RB(config)#crypto ipsec transform-set vnpro esp-des

RB(cfg-crypto-trans)#exit

RB(config)#crypto map lee 10 ipsec-isakmp

% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured

RB(config-crypto-map)#set peer 99.99.99.2

RB(config-crypto-map)#set transform-set vnpro

RB(config-crypto-map)#match address 115

RB(config)#int s0/0

RB(config-if)#crypto map lee

RB(config)#access-list 115 permit tcp 10.103.1.0 0.0.0.255 10.50.50.0 0.0.0.255

2 Sau khi đã thực hiện tạo VPN, ta thực hiện NAT trên router:

Ta thực hiện NAT overload trên interface nốI vớI Gateway, trừ traffic trong tunnel, để thực hiện điều này, ta phảI sử dụng một route-map để chặn dòng traffic trong tunnel không bị NAT:

RA:

RA(config)#access-list 110 deny ip 10.50.50.0 0.0.0.255 10.103.1.0 0.0.0.255

RA(config)#access-list 110 permit ip any any

RA(config)#route-map nonat

RA(config-route-map)#match ip address 110

RA(config)#ip nat inside source route-map nonat interface s0/0 overload RA(config)#int s0/0

RA(config-if)#ip nat outside

RA(config)#int fa0/0

RA(config-if)#ip nat inside

RA(config-if)#exit

RB

RB(config)#access-list 110 deny ip 10.103.1.0 0.0.0.255 10.50.50.50 0.0.0.255

RB(config)#access-list 110 permit ip any any

RB(config)#route-map nonat permit 10

RB(config-route-map)#match ip address 110

RB(config)#ip nat inside source route-map nonat interface s0/0 overload RB(config)#int s0/0

RB(config-if)#ip nat outside

RB(config-if)#int e0/0

RB(config-if)#ip nat inside

RB(config-if)#exit

Kiểm tra:

1 Ta sử dụng các lệnh show trên các router:

RA#sh crypto isakmp policy

Protection suite of priority 10

encryption algorithm: DES - Data Encryption Standard (56 bit keys) hash algorithm: Message Digest 5

authentication method: Pre-Shared Key

Diffie-Hellman group: #1 (768 bit)

lifetime: 86400 seconds, no volume limit

Default protection suite

encryption algorithm: DES - Data Encryption Standard (56 bit keys) hash algorithm: Secure Hash Standard

authentication method: Rivest-Shamir-Adleman Signature

Diffie-Hellman group: #1 (768 bit)

lifetime: 86400 seconds, no volume limit

RA#sh crypto ipsec transform-set

Transform set vnpro: { esp-des }

will negotiate = { Tunnel, },

RA#sh crypto map

Crypto Map "lee" 10 ipsec-isakmp

Peer = 95.95.95.2

Extended IP access list 115

access-list 115 permit tcp 10.50.50.0 0.0.0.255 10.103.1.0 0.0.0.255

Current peer: 95.95.95.2

Security association lifetime: 4608000 kilobytes/3600 seconds

PFS (Y/N): N

Transform sets={ vnpro, }

Interfaces using crypto map lee:

Serial0/0

2 Thực hiện debug trên các router và ghi nhận kết quả:

Ví dụ: trên RB:Ta thực hiện lệnh ping từ pc bên trong nộI bộ mạng ra

ngòai internet và ra chính LAN bên kia: và ghi nhận kết quả lệnh debug

ip nat:

RB#debug ip nat

IP NAT debugging is on

RB#debug cry

RB#debug crypto ipsec

Crypto IPSEC debugging is on

RB#debug crypto isakmp

Crypto ISAKMP debugging is on

RB#

*Mar 1 00:41:23.847: NAT: s=10.103.1.1->95.95.95.2, d=99.99.99.1 [1760]

*Mar 1 00:41:23.867: NAT*: s=99.99.99.1, d=95.95.95.2->10.103.1.1 [1760]

*Mar 1 00:41:24.848: NAT*: s=10.103.1.1->95.95.95.2, d=99.99.99.1 [1761]

*Mar 1 00:41:24.868: NAT*: s=99.99.99.1, d=95.95.95.2->10.103.1.1 [1761]

*Mar 1 00:41:25.850: NAT*: s=10.103.1.1->95.95.95.2, d=99.99.99.1 [1762]

*Mar 1 00:41:25.870: NAT*: s=99.99.99.1, d=95.95.95.2->10.103.1.1 [1762]

*Mar 1 00:41:26.847: NAT*: s=10.103.1.1->95.95.95.2, d=99.99.99.1 [1763]

*Mar 1 00:41:26.872: NAT*: s=99.99.99.1, d=95.95.95.2->10.103.1.1 [1763]

RB#

*Mar 1 00:41:44.040: NAT: s=10.103.1.1->95.95.95.2, d=95.95.95.1 [1764]

*Mar 1 00:41:44.064: NAT*: s=95.95.95.1, d=95.95.95.2->10.103.1.1

[1764]

*Mar 1 00:41:45.037: NAT*: s=10.103.1.1->95.95.95.2, d=95.95.95.1 [1765]

*Mar 1 00:41:45.057: NAT*: s=95.95.95.1, d=95.95.95.2->10.103.1.1 [1765]

*Mar 1 00:41:46.039: NAT*: s=10.103.1.1->95.95.95.2, d=95.95.95.1 [1766]

*Mar 1 00:41:46.087: NAT*: s=95.95.95.1, d=95.95.95.2->10.103.1.1 [1766]

*Mar 1 00:41:47.037: NAT*: s=10.103.1.1->95.95.95.2, d=95.95.95.1 [1767]

*Mar 1 00:41:47.061: NAT*: s=95.95.95.1, d=95.95.95.2->10.103.1.1 [1767]

RB#

*Mar 1 00:42:00.270: NAT: s=10.103.1.1->95.95.95.2, d=99.99.99.2 [1768]

*Mar 1 00:42:00.314: NAT*: s=99.99.99.2, d=95.95.95.2->10.103.1.1 [1768]

*Mar 1 00:42:01.272: NAT*: s=10.103.1.1->95.95.95.2, d=99.99.99.2 [1769]

*Mar 1 00:42:01.308: NAT*: s=99.99.99.2, d=95.95.95.2->10.103.1.1 [1769]

*Mar 1 00:42:02.274: NAT*: s=10.103.1.1->95.95.95.2, d=99.99.99.2 [1770]

*Mar 1 00:42:02.310: NAT*: s=99.99.99.2, d=95.95.95.2->10.103.1.1 [1770]

*Mar 1 00:42:03.271: NAT*: s=10.103.1.1->95.95.95.2, d=99.99.99.2

[1771]

*Mar 1 00:42:03.311: NAT*: s=99.99.99.2, d=95.95.95.2->10.103.1.1 [1771]

RB#

*Mar 1 00:42:26.874: NAT: expiring 95.95.95.2 (10.103.1.1) icmp 512 (512)

*Mar 1 00:42:47.063: NAT: expiring 95.95.95.2 (10.103.1.1) icmp 512 (512)

*Mar 1 00:43:03.314: NAT: expiring 95.95.95.2 (10.103.1.1) icmp 512 (512)

Error!