求助丶关于VPN+动态NAT转换使两端的私网能互通的问题

qq894336007 · 发表于 2013-11-2 15:52:53

拓扑

问题：
总部路由器和分部路由器都使能了动态NAT使内网能访问公网
在做完IPsec VPN后两边的私网还是不能互通，就连公网都不能访问了

实验.pkt (59.1 KB, 下载次数: 8)

------------------------------------------------zongbu---------------------------------
zongbu#sh run
Building configuration...

Current configuration : 1530 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname zongbu
!
!
!
!
!
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
!
crypto isakmp key tom address 202.102.190.2
!
!
crypto ipsec transform-set jizhen esp-3des esp-md5-hmac
!
crypto map tom 10 ipsec-isakmp
set peer 202.102.190.2
set transform-set jizhen
match address 101
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.50.2 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial1/0
ip address 202.102.192.1 255.255.255.0
ip nat outside
crypto map tom
!
interface Serial1/1
no ip address
shutdown
!
interface Serial1/2
no ip address
shutdown
!
interface Serial1/3
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip nat pool txw 202.102.192.1 202.102.192.1 netmask 255.255.255.0
ip nat inside source list 101 pool txw
ip nat inside source static 192.168.88.88 202.102.192.68
ip classless
ip route 192.168.10.0 255.255.255.0 192.168.50.1
ip route 192.168.20.0 255.255.255.0 192.168.50.1
ip route 192.168.30.0 255.255.255.0 192.168.50.1
ip route 192.168.40.0 255.255.255.0 192.168.50.1
ip route 192.168.88.0 255.255.255.0 192.168.50.1
ip route 192.168.68.0 255.255.255.0 192.168.50.1
ip route 0.0.0.0 0.0.0.0 202.102.192.2
!
!
access-list 101 permit ip any any
!
!
!
!
!
line con 0
line vty 0 4
login
!
!
!
end

-------------------------------------------------------ISP--------------------------------
ISP#sh run
Building configuration...

Current configuration : 710 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname ISP
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 202.102.88.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 202.102.30.1 255.255.255.0
duplex auto
speed auto
!
interface Serial1/0
ip address 202.102.192.2 255.255.255.0
clock rate 9600
!
interface Serial1/1
ip address 202.102.190.1 255.255.255.0
!
interface Serial1/2
no ip address
shutdown
!
interface Serial1/3
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip classless
!
!
!
!
!
!
!
line con 0
line vty 0 4
login
!
!
!
end

--------------------------------------------------------fenbu----------------------------------
fenbu#sh run
Building configuration...

Current configuration : 1392 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname fenbu
!
!
!
!
!
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
!
crypto isakmp key tom address 202.102.192.1
!
!
crypto ipsec transform-set jizhen esp-3des esp-md5-hmac
!
crypto map tom 10 ipsec-isakmp
set peer 202.102.192.1
set transform-set jizhen
match address 101
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.90.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial1/0
no ip address
shutdown
!
interface Serial1/1
ip address 202.102.190.2 255.255.255.0
ip nat outside
clock rate 9600
crypto map tom
!
interface Serial1/2
no ip address
shutdown
!
interface Serial1/3
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip nat pool txw 202.102.190.2 202.102.190.2 netmask 255.255.255.0
ip nat inside source list 101 pool txw
ip classless
ip route 192.168.100.0 255.255.255.0 192.168.90.2
ip route 192.168.110.0 255.255.255.0 192.168.90.2
ip route 192.168.120.0 255.255.255.0 192.168.90.2
ip route 192.168.130.0 255.255.255.0 192.168.90.2
ip route 0.0.0.0 0.0.0.0 202.102.190.1
!
!
access-list 101 permit ip any any
!
!
!
!
!
line con 0
line vty 0 4
login
!
!
!
end

{:soso_e101:}求助，实训要用。谢谢

qq894336007 · 发表于 2013-11-2 15:53:47

今天弄了一天毫无所获

b573129968 · 发表于 2013-11-2 18:27:33

你好，你的问题我已经解决了，请加上关键词overload，一切都搞定，但是你为了省事使用101 permit ip any n any，这会掩盖了很多问题，比如说IPsec究竟是加密哪些流量？如果你要加密具体的流量怎么写access-list？因为这里涉及到NAT，所以情况会变化一点，之前还以为是NAT-T的问题，但是你的IPsec建立是成功的，唯一失败的原因死NAT转换的失败

b573129968 · 发表于 2013-11-2 18:36:03

我修改好的你看看吧

qq894336007 · 发表于 2013-11-2 19:09:12

b573129968 发表于 2013-11-2 18:36
我修改好的你看看吧

麻烦问一下你用的是什么版本的？怎么打不开文件？

b573129968 · 发表于 2013-11-2 19:18:04

qq894336007 发表于 2013-11-2 19:09
麻烦问一下你用的是什么版本的？怎么打不开文件？

version:6.0.1.0011

qq894336007 · 发表于 2013-11-2 19:22:20

b573129968 发表于 2013-11-2 19:18
version:6.0.1.0011

能留个QQ吗？

qq894336007 · 发表于 2013-11-2 19:31:02

b573129968 发表于 2013-11-2 19:18
version:6.0.1.0011

你的那个版本下不到能加个QQ传给我吗？
我QQ894336007 谢谢

qq894336007 · 发表于 2013-11-2 19:41:34

qq894336007 发表于 2013-11-2 19:22
能留个QQ吗？

两边的私网还是不能通啊怎么办？

在路上 · 发表于 2013-11-2 20:09:07

参考：
思科设备的各类vpn基本配置实验(有详细批注及说明）
http://bbs.hh010.com/forum.php?m ... 8&fromuid=73433

宇宙飞侠cwb · 发表于 2013-11-3 17:15:56

做tunnel 一切解决

b573129968 · 发表于 2013-11-6 20:46:19

不好意思，现在才回你！后来我看了看不能通私网的问题，其实还是NAT的问题，只要NAT转换成功就能够ping通，但是你要注意不能转换目的地址202.102.192.1 和202.102.190.2 ，所以你需要在访问列表里排出这两个转换地址，然而这一切的问题都被你的permit ip any any所覆盖，packet的bug特别多，我后来用GNS3模拟了你的试验，关键点就是你的NAT转换地址里不能包括202.102.192.1 和202.102.190.2，二次转换可能会造成UDP端口号丢失而不可达。建议不要偷懒写permit iP any any，老实点写符合标准的列表，这样你才能学到更多的东西。

账号		自动登录	找回密码
密码			论坛注册

[已解决] 求助丶关于VPN+动态NAT转换使两端的私网能互通的问题

相关帖子

评分

浏览过的版块

客服中心

投诉建议