CISCO路由器×××實例配置方案－中文註解

Router:sam-i-am(××× Server)

Current configuration:

!

version 12.2

service timestamps debug uptime

service timestamps log up time

no service password-encryption

!

hostname sam-i-am

!

ip subnet-zero

!--- IKE配置



sam-i-am(config)#crypto isakmp policy 1 //定義策略爲1

sam-i-am(isakmp)#hash md5 //定義MD5散列算法

sam-i-am(isakmp)#authentication pre-share //定義爲預共享密鑰認證方式

sam-i-am(config)#crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0

!--- 配置預共享密鑰爲cisco123,對等端爲全部IP

!--- IPSec協議配置

sam-i-am(config)#crypto ipsec transform-set rtpset esp-des esp-md5-hmac

!--- 建立變換集 esp-des esp-md5-hmac

sam-i-am(config)#crypto dynamic-map rtpmap 10 //建立動態保密圖rtpmap 10

san-i-am(crypto-map)#set transform-set rtpset //使用上面的定義的變換集rtpset

san-i-am(crypto-map)#match address 115 //援引訪問列表肯定受保護的流量

sam-i-am(config)#crypto map rtptrans 10 ipsec-isakmp dynamic rtpmap

!--- 將動態保密圖集加入到正規的圖集中

!

interface Ethernet0

ip address 10.2.2.3 255.255.255.0

no ip directed-broadcast

ip nat inside

no mop enabled

!

interface Serial0

ip address 99.99.99.1 255.255.255.0

no ip directed-broadcast

ip nat outside

crypto map rtptrans //將保密映射應用到S0接口上

!

ip nat inside source route-map nonat interface Serial0 overload

!--- 這個NAT配置啓用了路由策略，內容爲10.2.2.0到10.1.1.0的訪問不進行地址翻譯

!--- 到其餘網絡的訪問都翻譯成SO接口的IP地址ip classless

ip route 0.0.0.0 0.0.0.0 Serial0 //配置靜態路由協議

no ip http server

!

access-list 115 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 115 deny ip 10.2.2.0 0.0.0.255 any

!

access-list 120 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 120 permit ip 10.2.2.0 0.0.0.255 any

!

sam-i-am(config)#route-map nonat permit 10 //使用路由策略

sam-i-am(router-map)#match ip address 120

!

line con 0

transport input none

line aux 0

line vty 0 4

password ww

login

!

end

Router:dr_whoovie(××× Client)

Current configuration:

!

version 12.2

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname dr_whoovie

!

ip subnet-zero

!

dr_whoovie(config)#crypto isakmp policy 1 //定義策略爲1

dr_whoovie(isakmp)#hash md5 //定義MD5散列算法

dr_whoovie(isakmp)#authentication pre-share //定義爲預共享密鑰認證方式

dr_whoovie(config)#crypto isakmp key cisco123 address 99.99.99.1

!--- 配置預共享密鑰爲cisco123,對等端爲服務器端IP99.99.99.1

!--- IPSec協議配置

dr_whoovie(config)#crypto ipsec transform-set rtpset esp-des esp-md5-hmac

!--- 建立變換集 esp-des esp-md5-hmac

dr_whoovie(config)#crypto map rtp 1 ipsec-isakmp



!--- 使用IKE建立保密圖rtp 1

dr_whoovie(crypto-map)#set peer 99.99.99.1 //肯定遠程對等端


dr_whoovie(crypto-map)#set transform-set rtpset //使用上面的定義的變換集rtpset

dr_whoovie(crypto-map)#match address 115 //援引訪問列表肯定受保護的流量

!

interface Ethernet0
ip address 10.1.1.1 255.255.255.0

no ip directed-broadcast

ip nat inside

no mop enabled

!

interface Serial0

ip address negotiated //IP地址自動獲取

no ip directed-broadcast

ip nat outside

encapsulation ppp //S0接口封裝ppp協議

no ip mroute-cache

no ip route-cache

crypto map rtp //將保密映射應用到S0接口上

!

ip nat inside source route-map nonat interface Serial0 overload

!--- 這個NAT配置啓用了路由策略，內容爲10.1.1.0到10.2.2.0的訪問不進行地址翻譯

!--- 到其餘網絡的訪問都翻譯成SO接口的IP地址

ip classless

ip route 0.0.0.0 0.0.0.0 Serial0 //配置靜態路由協議

no ip http server

!

access-list 115 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

access-list 115 deny ip 10.1.1.0 0.0.0.255 any

access-list 120 deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

access-list 120 permit ip 10.1.1.0 0.0.0.255 any

!

dialer-list 1 protocol ip permit

dialer-list 1 protocol ipx permit

route-map nonat permit 10 //使用路由策略

match ip address 120

!

line con 0

transport input none

line aux 0

line vty 0 4

password ww

login

!

end

 

出自:[url]http://bbs.315safe.com/thread-3576-1-1.html[/url]

本文出自 51CTO.COM技術博客