[Original] Configuring NAT and IPsec on the same device

Posted 2012-11-2 16:58:54
Today I did an IPsec VPN lab with NAT and the VPN configured on the same border device. My idea was to treat all internal traffic as traffic that needs to be encrypted. Since I configured PAT, which translates the source IP of all internal traffic to the outside interface IP, I thought I could define the interesting traffic directly as the two peer addresses, but it did not work. I am posting the configurations so everyone can help analyze them. (Please don't reply with the configuration that denies the interesting traffic in the NAT ACL; I have already done that. What I want to test now is whether my idea is feasible. Thanks.)

!
R1:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HOST-1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0/0
ip address 12.1.1.1 255.255.255.0
half-duplex
!
interface Ethernet0/1
no ip address
shutdown
half-duplex
!
interface Ethernet0/2
no ip address
shutdown
half-duplex
!
interface Ethernet0/3
no ip address
shutdown
half-duplex
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
ip http server
no ip http secure-server
!
control-plane
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login
!
!
end
!
R2:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname NAT-VPN-1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key 6 cisco address 34.1.1.2
!
!
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
mode transport
!
crypto map cisco 10 ipsec-isakmp
set peer 34.1.1.2
set transform-set cisco
match address 100
!
!
!
!
interface Ethernet0/0
ip address 12.1.1.2 255.255.255.0
ip nat inside
ip virtual-reassembly
half-duplex
!
interface Ethernet0/1
ip address 23.1.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
half-duplex
crypto map cisco
!
interface Ethernet0/2
no ip address
shutdown
half-duplex
!
interface Ethernet0/3
no ip address
shutdown
half-duplex
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
ip http server
no ip http secure-server
!
!
ip nat inside source list 101 interface Ethernet0/1 overload
!
access-list 100 permit ip host 23.1.1.1 host 34.1.1.2
access-list 101 deny   ip 23.1.1.0 0.0.0.255 any
access-list 101 permit ip any any
!
!
!
control-plane
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login
!
!
end
!
R3:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ISP
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
!
interface Loopback0
ip address 3.3.3.3 255.255.255.0
!
interface Ethernet0/0
no ip address
shutdown
half-duplex
!
interface Ethernet0/1
ip address 23.1.1.2 255.255.255.0
half-duplex
!
interface Ethernet0/2
ip address 34.1.1.1 255.255.255.0
half-duplex
!
interface Ethernet0/3
no ip address
shutdown
half-duplex
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
ip http server
no ip http secure-server
!
!
control-plane
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login
!
!
end
!
R4:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname NAT-VPN-2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key 6 cisco address 23.1.1.1
!
!
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
mode transport
!
crypto map cisco 10 ipsec-isakmp
set peer 23.1.1.1
set transform-set cisco
match address 100
!
!
!
!
interface Ethernet0/0
no ip address
shutdown
half-duplex
!
interface Ethernet0/1
no ip address
shutdown
half-duplex
!
interface Ethernet0/2
ip address 34.1.1.2 255.255.255.0
ip nat outside
ip virtual-reassembly
half-duplex
crypto map cisco
!
interface Ethernet0/3
ip address 45.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
half-duplex
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
ip http server
no ip http secure-server
!
!
ip nat inside source list 101 interface Ethernet0/2 overload
!
access-list 100 permit ip host 34.1.1.2 host 23.1.1.1
access-list 101 deny   ip 34.1.1.0 0.0.0.255 any
access-list 101 permit ip any any
!
!
!
control-plane
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login
!
!
end
!
R5:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HOST-2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
!
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
interface Ethernet0/0
no ip address
shutdown
half-duplex
!
interface Ethernet0/1
no ip address
shutdown
half-duplex
!
interface Ethernet0/2
no ip address
shutdown
half-duplex
!
interface Ethernet0/3
ip address 45.1.1.2 255.255.255.0
half-duplex
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
ip http server
no ip http secure-server
!
!
control-plane
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login
!
!
end
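An added Python model (not part of the original post or of any Cisco code) of the inside-to-outside path on NAT-VPN-1, built from the post's ACL 100, ACL 101 and the PAT statement. It assumes Cisco's documented NAT order of operations, in which "NAT inside to outside" runs before "crypto (check map and mark for encryption)", so the crypto ACL is evaluated against post-PAT addresses; the packets fed in are constructed from the lab's addressing.

```python
import ipaddress

# Constructed model of NAT-VPN-1 (R2): a packet enters E0/0 (ip nat inside)
# and leaves E0/1 (ip nat outside, crypto map cisco). Assumed order, per
# Cisco's documented NAT order of operations: PAT first, crypto ACL second.

def ip(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a set bit in the wildcard means 'ignore this bit'."""
    keep = 0xFFFFFFFF ^ ip(wildcard)
    return (ip(addr) & keep) == (ip(base) & keep)

def acl_lookup(acl, src, dst):
    """First matching ACE wins; an ACL ends with an implicit deny."""
    for action, s, s_wc, d, d_wc in acl:
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")
HOST = "0.0.0.0"
# access-list 100 permit ip host 23.1.1.1 host 34.1.1.2        (crypto ACL)
ACL_100 = [("permit", "23.1.1.1", HOST, "34.1.1.2", HOST)]
# access-list 101 deny ip 23.1.1.0 0.0.0.255 any / permit ip any any  (NAT ACL)
ACL_101 = [("deny", "23.1.1.0", "0.0.0.255", *ANY), ("permit", *ANY, *ANY)]
# ip nat inside source list 101 interface Ethernet0/1 overload
OUTSIDE_IP = "23.1.1.1"

def egress(src, dst):
    """Return (post-NAT src, dst, encrypted?) for a packet leaving E0/1."""
    if acl_lookup(ACL_101, src, dst) == "permit":
        src = OUTSIDE_IP  # overload PAT rewrites the source only; dst untouched
    encrypted = acl_lookup(ACL_100, src, dst) == "permit"
    return src, dst, encrypted

if __name__ == "__main__":
    # HOST-1 loopback to HOST-2 loopback: PAT to 23.1.1.1, but the destination
    # is still 2.2.2.2, so ACL 100 (host 34.1.1.2) never matches -> sent in clear.
    print(egress("1.1.1.1", "2.2.2.2"))
    # Only traffic whose post-NAT header is literally peer-to-peer is encrypted.
    print(egress("23.1.1.1", "34.1.1.2"))
```

Only flows whose destination is the peer address itself satisfy ACL 100 after PAT, which is why through-traffic between the two LANs leaves unencrypted under this design.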
