Configuring Router-to-Router Dynamic-to-Static IPSec with NAT
Introduction
In this sample configuration, a remote router receives an IP address through Dynamic Host Configuration Protocol (DHCP) and connects to a hub router. This configuration enables the hub router to accept dynamic IPSec connections. The remote router uses network address translation (NAT) to "join" the privately addressed devices behind it to the privately addressed network behind the hub router. The remote router can initiate connections to the hub router (it knows the endpoint), but the hub router cannot initiate connections to the remote router (it does not know the endpoint).

In this sample configuration, Dr_whoovie is the remote router and Sam-i-am is the hub router. Even though we know Dr_whoovie's IP address, we configure Sam-i-am to dynamically accept connections from any router that knows the wild-card pre-shared key, instead of specifying Dr_whoovie's key on Sam-i-am. Note what this implies: the hub authenticates a peer only by possession of that shared key (crypto isakmp key cisco123 address 0.0.0.0), so any host that learns the key can bring up a tunnel to the hub, and the key must be protected accordingly. Dr_whoovie knows what traffic is to be encrypted (because it is specified by the access list) and where the Sam-i-am endpoint is located. Dr_whoovie must initiate the connection. Both sides are doing NAT overload. Because the crypto access lists match on the private addresses, the private-to-private traffic must be excluded from NAT (the nonat route-map below); otherwise it would be translated to the Serial0 address before the crypto map evaluates it and would leave the router in the clear.
Hardware and Software Versions
To implement this configuration, you need the following:
• Cisco IOS® Software Release 12.0.7.T
• Cisco 2500 routers
Network Diagram
Configurations
Sam-i-am Configuration
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname sam-i-am
!
!--- Lab credentials: with no service password-encryption the enable
!--- and vty passwords are stored in clear text. In production, enable
!--- service password-encryption and rely on the enable secret alone.
enable secret 5 $1$7WP3$aEqtNjvRJ9Vy6i41x0RJf0
enable password ww
!
ip subnet-zero
!
isdn switch-type basic-5ess
isdn voice-call-failure 0
cns event-service server
!
!--- IKE policies. This policy uses the default encryption (DES) and
!--- an MD5 hash; both are weak by current standards and should be
!--- replaced with stronger algorithms where the IOS image supports them.
crypto isakmp policy 1
hash md5
authentication pre-share
!--- Wild-card key: any peer that presents cisco123 is accepted, so the
!--- hub authenticates peers by possession of this key alone.
crypto isakmp key cisco123 address 0.0.0.0
!--- IPSec policies (esp-des / esp-md5-hmac: same caveat as above)
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
crypto dynamic-map rtpmap 10
set transform-set rtpset
!--- Include the private-network-to-private-network
!--- traffic in the encryption process.
match address 115
crypto map rtptrans 10 ipsec-isakmp dynamic rtpmap
!
interface Ethernet0
ip address 10.2.2.3 255.255.255.0
no ip directed-broadcast
ip nat inside
no mop enabled
!
interface Serial0
ip address 99.99.99.1 255.255.255.0
no ip directed-broadcast
ip nat outside
crypto map rtptrans
!
!--- Except the private network from the NAT process.
ip nat inside source route-map nonat interface Serial0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 99.99.99.2
no ip http server
!
!--- Include the private-network-to-private-network traffic
!--- in the encryption process.
access-list 115 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 115 deny ip 10.2.2.0 0.0.0.255 any
!--- Except the private network from the NAT process.
access-list 120 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 120 permit ip 10.2.2.0 0.0.0.255 any
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
route-map nonat permit 10
match ip address 120
!
line con 0
transport input none
line aux 0
line vty 0 4
password ww
login
!
end
Dr_whoovie Configuration
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname dr_whoovie
!
enable secret 5 $1$yP65$2FtxvqXPtuZy7hQBwaBoZ/
enable password ww
!
ip subnet-zero
!
cns event-service server
!
!--- IKE Policies
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key cisco123 address 99.99.99.1
!
!--- IPSec policies
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
!
crypto map rtp 1 ipsec-isakmp
set peer 99.99.99.1
set transform-set rtpset
!--- Include the private-network-to-private-network
!--- traffic in the encryption process.
match address 115
!
interface Ethernet0
ip address 10.1.1.1 255.255.255.0
no ip directed-broadcast
ip nat inside
no mop enabled
!
interface Serial0
!--- Because this example was set up in a lab, we assigned
!--- an IP address. If the router was getting a DHCP
!--- address, commands such as ip address negotiated and
!--- ip address dhcp would be used instead of this static
!--- assignment.
ip address 99.99.99.2 255.255.255.0
no ip directed-broadcast
ip nat outside
no ip mroute-cache
clockrate 4000000
crypto map rtp
!--- Except the private network from the NAT process.
ip nat inside source route-map nonat interface Serial0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 99.99.99.1
no ip http server
!
!--- Include the private-network-to-private-network
!--- traffic in the encryption process.
access-list 115 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 115 deny ip 10.1.1.0 0.0.0.255 any
!--- Except the private network from the NAT process.
access-list 120 deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 120 permit ip 10.1.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
route-map nonat permit 10
match ip address 120
!
line con 0
transport input none
line aux 0
line vty 0 4
password ww
login
!
end
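The order of operations the two configurations above rely on (the nonat route-map is consulted before the crypto map, so access-list 120 must exempt exactly what access-list 115 encrypts) and the mirror-image relationship between the two routers' crypto access lists can be checked offline. The following Python is an added example, not Cisco's code and not part of the original document. It copies access-lists 115 and 120 from both configurations; the packet addresses, the 198.51.100.9 Internet host and the deliberately broken DR_WHOOVIE_NO_EXEMPT variant are constructed for illustration.

```python
"""Model the outbound path on sam-i-am and dr_whoovie: NAT (route-map nonat,
access-list 120) is decided first, then the crypto map (access-list 115) is
matched against the possibly translated source. Added example, not Cisco's code."""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_net(addr, wildcard):
    """IOS wildcard masks are inverted netmasks: 0.0.0.255 -> /24."""
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def parse_acl(lines):
    """Parse 'access-list N permit|deny ip <src> <dst>' where each side is
    'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (the only forms the page uses)."""
    aces = []
    for line in lines:
        tok = line.split()
        if tok[0] != "access-list" or tok[3] != "ip" or tok[2] not in ("permit", "deny"):
            raise ValueError(f"unsupported ACL line: {line}")
        nets, i = [], 4
        for _ in range(2):
            if tok[i] == "any":
                nets.append(ANY); i += 1
            elif tok[i] == "host":
                nets.append(ipaddress.IPv4Network(tok[i + 1] + "/32")); i += 2
            else:
                nets.append(wildcard_to_net(tok[i], tok[i + 1])); i += 2
        aces.append(Ace(tok[2], nets[0], nets[1]))
    return aces


def acl_lookup(aces, src, dst):
    """First match wins; every IOS ACL ends with an implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for a in aces:
        if s in a.src and d in a.dst:
            return a.action
    return "deny"


def outbound(rtr, src, dst):
    """Follow a packet out Serial0: NAT first, then the crypto map.
    Returns (source address on the wire, 'encrypted' or 'cleartext')."""
    if acl_lookup(rtr["nat_acl"], src, dst) == "permit":
        src = rtr["wan_ip"]          # 'overload': PAT to the Serial0 address
    encrypted = acl_lookup(rtr["crypto_acl"], src, dst) == "permit"
    return src, "encrypted" if encrypted else "cleartext"


def crypto_acls_mirror(acl_a, acl_b):
    """Crypto ACLs must be mirror images: each permit on one router must
    appear on the peer with source and destination swapped."""
    permits_a = {(a.src, a.dst) for a in acl_a if a.action == "permit"}
    permits_b = {(b.dst, b.src) for b in acl_b if b.action == "permit"}
    return permits_a == permits_b


def nat_exempts_crypto_traffic(rtr):
    """Every flow the crypto ACL permits must be denied (exempted) by the
    NAT ACL, otherwise it is translated before the crypto map sees it."""
    exempt = {(n.src, n.dst) for n in rtr["nat_acl"] if n.action == "deny"}
    return all((a.src, a.dst) in exempt
               for a in rtr["crypto_acl"] if a.action == "permit")


def build_router(wan_ip, crypto_lines, nat_lines):
    return {"wan_ip": wan_ip, "crypto_acl": parse_acl(crypto_lines),
            "nat_acl": parse_acl(nat_lines)}


# Access lists copied from the two configurations on this page.
SAM_CRYPTO = ["access-list 115 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255",
              "access-list 115 deny ip 10.2.2.0 0.0.0.255 any"]
SAM_NAT = ["access-list 120 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255",
           "access-list 120 permit ip 10.2.2.0 0.0.0.255 any"]
DR_CRYPTO = ["access-list 115 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255",
             "access-list 115 deny ip 10.1.1.0 0.0.0.255 any"]
DR_NAT = ["access-list 120 deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255",
          "access-list 120 permit ip 10.1.1.0 0.0.0.255 any"]

SAM_I_AM = build_router("99.99.99.1", SAM_CRYPTO, SAM_NAT)
DR_WHOOVIE = build_router("99.99.99.2", DR_CRYPTO, DR_NAT)
# Constructed misconfiguration: the 'deny' line of access-list 120 is missing,
# so private-to-private traffic is PAT'd to 99.99.99.2 and never encrypted.
DR_WHOOVIE_NO_EXEMPT = build_router("99.99.99.2", DR_CRYPTO, DR_NAT[1:])

if __name__ == "__main__":
    print(outbound(DR_WHOOVIE, "10.1.1.5", "10.2.2.7"))            # ('10.1.1.5', 'encrypted')
    print(outbound(DR_WHOOVIE, "10.1.1.5", "198.51.100.9"))        # ('99.99.99.2', 'cleartext')
    print(outbound(DR_WHOOVIE_NO_EXEMPT, "10.1.1.5", "10.2.2.7"))  # ('99.99.99.2', 'cleartext')
    print(crypto_acls_mirror(DR_WHOOVIE["crypto_acl"], SAM_I_AM["crypto_acl"]))  # True
```

The broken variant shows the failure mode to look for when the tunnel never comes up from the remote side: the private-to-private packet is translated first, no longer matches access-list 115, and is forwarded in the clear, which is also why show crypto ipsec sa on the hub shows no SA at all rather than a failed negotiation.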
debug and show Commands
Before attempting any debug commands, please see Important Information on Debug Commands.
• debug crypto ipsec - Shows the IPSec negotiations of phase 2.
• debug crypto isakmp - Shows the ISAKMP negotiations of phase 1.
• debug crypto engine - Shows the traffic that is encrypted.
• debug ip nat det - (Optional) Verify the operation of the NAT feature by displaying information about
every packet that is translated by the router. Caution: This command generates a large amount of output; it
should be used only when traffic on the IP network is low.
• clear crypto isakmp - Clears the security associations related to phase 1.
• clear crypto sa - Clears the security associations related to phase 2.
• clear ip nat translation - Clears dynamic Network Address Translation (NAT) translations from the translation table.
• show crypto ipsec sa - Shows the phase 2 security associations.
• show crypto isakmp sa - Shows the phase 1 security associations.
